Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes
Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule. There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks. Another area...
CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert about DarkSide ransomware in the wake of the cyberattack on Colonial Pipeline. The cyberattack caused major disruption to fuel supplies to the East Coast. Colonial Pipeline was forced to shut down systems to contain the threat, including the operational technology of its 5,500-mile pipeline which supplies diesel, gasoline, and jet fuel to the U.S. East Coast. The four main pipelines were shut down over the weekend, and while smaller pipelines were quickly restored, the main pipelines have remained shut down pending safety assessments. The pipelines transport around 2.5 million barrels of fuel a day and provide 45% of the East Coast’s fuel. The attack affected Colonial Pipeline’s information technology network, but its operational technology network was not affected. The DarkSide ransomware gang issued a statement shortly after the attack explaining the attacks was conducted purely for financial reasons and not for political reasons or to cause economic or...
University of Florida Health Shands Employee Accessed PHI Without Authorization for 2 Years
University of Florida Health Shands has discovered a former employee has accessed the medical records of 1,562 patients without authorization. The HIPAA violations were discovered on April 7, 2021 and the employee’s access to medical records was immediately terminated pending an investigation. The investigation confirmed the employee had been accessing patient medical records without a work reason for doing so from March 30, 2019 to April 6, 2021. The types of information that could have been viewed included names, addresses, phone numbers, birth dates, and lab test results, but no Social Security numbers, financial information, or health insurance information was compromised. University of Florida Health Shands does not believe any PHI has been stolen or further disclosed; however, out of an abundance of caution, affected individuals have been offered one year of complimentary credit monitoring services. Third Party Breach Affects St. Paul’s PACE Patients Community Eldercare of San Diego, dba St. Paul’s PACE, has been affected by a breach at one of its vendors. PeakTPA is a...
Ransomware Attack on New York Medical Group Impacts 330K Patients
The New York medical group practice, Orthopedic Associates of Dutchess County, has announced the protected health information of certain patients was potentially stolen in a recent cyberattack. The security incident was detected on March 5, 2021 when suspicious activity was identified in its systems. An investigation into the incident confirmed its systems had been accessed by unauthorized individuals on or around March 1, 2021. The attackers gained access to certain systems and encrypted files and issued a ransom demand for the keys to unlock the encrypted files. The attackers claimed they had stolen sensitive data prior to the encryption of files, although it was not possible to determine which files had been stolen. A review of the systems accessed by the attackers revealed they contained files that included protected health information such as names, addresses, contact telephone numbers, email addresses, emergency contact information, diagnoses, treatment information, medical record numbers, health insurance information, payment details, dates of birth, and Social Security...
Pennsylvania Department of Health and Insight Global Sued over 72,000-Record Data Breach
The Pennsylvania Department of Health and its COVID-19 contact tracing vendor are being sued over a breach of the personal and health data of 72,000 Pennsylvanians. The breach in question was announced by Insight Global and the Department of Health on April 29, 2021. Insight Global, an IT service management and staffing firm, had been awarded the contract for the state’s contact tracing program and had been given access to personal and health data to provide those services. The information was used to contact individuals potentially exposed to COVID-19 to identify and address the need for specific support services and to help slow the spread of COVID-19. Insight Global had implemented secure communication channels for its contact tracers and had security protocols in place, but it was discovered that some employees had “disregarded security protocols established in the contract and created unauthorized documents.” Those documents, including spreadsheets, had been shared between contact tracers using personal email accounts and consumer versions of cloud services such as Google...



