Feedback Sought on Draft Consumer Privacy Framework for Health Data Not Covered by HIPAA
The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) recently released a draft consumer privacy framework for health data to address gaps in legal protections for the health data of consumers that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Rules require healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of health data. There are restrictions on uses and disclosures of healthcare data and Americans are also given rights over how their protected health information is used, to whom that information may be disclosed, and they have the right to access their health data. Many organizations collect, use, store, and transmit many of the data elements within the category of ‘protected health information’, yet if they are not HIPAA-covered entities or business associates of HIPAA-covered entities, HIPAA Rules will not apply. The eHI/CDT...
PHI of Almost 140,000 Individuals Potentially Compromised in Imperium Health Phishing Attack
Imperium Health Management, a Louisville, KY-based provider of development services to Accountable Care Organizations (ACOs), is notifying 139,114 individuals that some of their protected health information was potentially compromised in a recent phishing attack. Imperium Health learned of the attack on April 23, 2020. The investigation revealed one email account was breached on April 21, 2020 and a second email account was breached on April 24, 2020 due to the employees responding to phishing emails. The emails contained links that appeared to be legitimate but directed the employees to a website where their email credentials were harvested. A review of the compromised email accounts revealed they contained protected health information such as patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which can include Social Security numbers), and limited clinical and treatment information. Imperium Health was notified that the accounts contained PHI on June 18, 2020....
CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity
The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued guidance for network defenders and incident response teams on identifying malicious activity and mitigating cyberattacks. The guidance details best practices for detecting malicious activity and step-by-step instructions for investigating potential security incidents and securing compromised systems. The purpose of the guidance is “to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.” The guidance will help incident response teams collect the data necessary to investigate suspicious activity within the network, such as host-based artifacts, conduct a host analysis review and analysis of network activity, and take the right actions to mitigate a cyberattack. The guidance document was created in collaboration with cybersecurity authorities in the United States, United Kingdom, Australia, New Zealand, and Canada and includes technical help for security teams to help them identify malicious attacks in progress and mitigate...
OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers
The Department of Health and Human Services’ Office for Civil Rights has announced it has published additional resources for mobile health app developers and has updated and renamed its Health App Developer Portal. The portal – Resources for Mobile Health Apps Developers – provides guidance for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they apply to mobile health apps and application programming interfaces (APIs). The portal includes a guidance document on Health App Use Scenarios and HIPAA, which explains when mHealth applications must comply with the HIPAA Rules and if an app developer will be classed as a business associate. “Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected,” explained OCR. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.” The portal provides access to...
Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million
The number of healthcare providers confirmed to have been affected by the Blackbaud ransomware attack and data breach is growing, with a further four healthcare providers issuing breach notifications in the past few days. Yesterday we reported Northwestern Memorial HealthCare had been affected and the personal information of 55,983 individuals was compromised. Now the Department of Health and Human Services’ Office for Civil Rights breach portal shows 179,189 MultiCare Health System donors and potential donors have been affected, as have 52,500 donors to Spectrum Health Lakeland Foundation, and 22,718 donors to the Richard J. Caron Foundation. Earlier this month, Northern Light Health Foundation confirmed that the information of 657,392 donors was compromised in the breach. Catholic Health and its foundations, the University of Detroit Mercy, and Children’s Hospital of Pittsburgh Foundation are also known to have been affected by the Blackbaud data breach. The total number of healthcare organizations affected by the breach is still not known, nor the total number of individuals...



