Aetna Settles HIPAA Violation Case with State AGs
Oct15

Aetna Settles HIPAA Violation Case with State AGs

In 2017, errors occurred with two Aetna mailings that resulted in the impermissible disclosure of the protected health information of plan members, including HIV statuses and AFib diagnoses. A class action lawsuit was filed on behalf of the victims of the HIV status breach which was settled for $17 million in January. Now Aetna has reached settlements with the attorneys general for New Jersey, Connecticut, and the District of Columbia to resolve the alleged HIPAA violations discovered during an investigation into the privacy breaches. The first mailing was sent on July 28, 2017 by an Aetna business associate. Over-sized windowed envelopes were used for the mailing, through which it was possible to see the names and addresses of plan members along with the words “HIV Medications.” Approximately 12,000 individuals received the mailing. In September, a second mailing was sent on behalf of Aetna to 1,600 individuals. This similarly resulted in an impermissible disclosure of PHI. In addition to names and addresses, the logo of an IMPACT AFib study was visible, which suggested the...

Read More
Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised
Oct12

Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised

The Minnesota Department of Human Services has mailed letters to approximately 21,000 individuals on medical assistance to alert them to a possible breach of their protected health information (PHI) due to two recent phishing attacks. Two DHS employees’ email accounts have been confirmed as having been compromised as a result of the employees clicking on links in phishing emails. The investigation into the breach determined that the attackers accessed both email accounts although it was not possible to determine which, if any, emails in the account had been accessed or copied by the attackers. Minnesota DHS has reason to believe that other employees may also have been targeted and could also have clicked on links in phishing emails, but it has not yet been confirmed whether their accounts have been breached. The investigation into the phishing attacks is ongoing. The two email account breaches occurred on June 28 and July 9, 2018, although the IT department only determined that the accounts had been breached in August. Upon discovery of the phishing attack, both accounts were...

Read More
HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia
Oct12

HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia

Following the presidential declaration of public health emergencies in the states of Florida and Georgia in the wake of hurricane Michael, secretary of the Department of Health and Human Services (HHS) Alex Azar has followed suit in both states and has exercised his authority to waive HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule in the disaster areas. The HHS announced the public health emergency in Florida on October 9, and Georgia on October 11. The HIPAA Privacy Rule does permit healthcare providers to share protected health information during disasters to assist patients and ensure they receive the care they need, including sharing information with friends, family members and other individuals directly involved in a patient’s care. The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief...

Read More
California HIV Patient PHI Breach Lawsuit Allowed to Move Forward
Oct08

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss. The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco. In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information. A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities. It was...

Read More
Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC
Oct08

Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC

The Healthcare & Public Health Sector Coordinating Council (HSCC) has announced it will shortly issue voluntary cybersecurity best practices for medical device manufacturers and healthcare provider organizations to help them improve their security posture. HSCC will also publish a voluntary curriculum that can be adopted by medical schools to help them train clinicians how to manage electronic health records, medical devices, and IT systems in a secure and responsible way. The announcement coincides with National Cyber Security Awareness Month and includes an update on the progress that has been made over the past 12 months and the work that the HSCC still intends to complete. HSCC explained that the global cyberattacks of 2017 involving WannaCry and NotPetya malware served as a wake-up call to the healthcare industry and demonstrated the potential harm that could be caused if an attack proved successful. Many large companies were crippled by the attacks for weeks. Fortunately, the healthcare industry in the United States escaped the attacks relatively unscathed, although the...

Read More
Summary of Recent Healthcare Data Breaches
Oct05

Summary of Recent Healthcare Data Breaches

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities. Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection. On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data. The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab...

Read More
Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards
Oct04

Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019. The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring. To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention. Weighting factors used to produce the final top 10 list includes the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions...

Read More
FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
Oct03

FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

On October 1, 2018, the U.S. Food and Drug Administration released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook for healthcare delivery organizations to help them prepare for and respond to medical device cybersecurity incidents. The playbook is intended to help healthcare delivery organizations develop a preparedness and response framework to ensure they are prepared for medical device security incidents, can detect and analyze security breaches quickly, contain incidents, and rapidly recover from attacks. The playbook was developed by MITRE Corp., which worked closely with the FDA, healthcare delivery organizations, researchers, state health departments, medical device manufacturers and regional healthcare groups when developing the document. The past 12 months have seen many vulnerabilities identified in medical devices which could potentially be exploited by hackers to gain access to healthcare networks, patient health information, or to cause harm to patients. While the FDA has not received any reports to suggest an attack has been...

Read More
Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency
Oct02

Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency

The healthcare industry is extensively targeted by phishers who frequently gain access to healthcare data stored in email accounts. In some cases, those email accounts contain considerable volumes of highly sensitive protected health information. Phishing is one of the leading causes of healthcare data breaches. In August 2018, Augusta University Healthcare System announced that it was the victim of a phishing attack that saw multiple email accounts compromised. The breached email accounts contained the PHI of 417,000 patients. The incident stood out due to the number of individuals impacted by the breach, but it was just one of several healthcare organizations to fall victim to phishing attacks in August. Data from the HHS’ Office for Civil Rights shows email is the most common location of breached PHI. In July, 14 healthcare data breaches out of 28 involved email, compared to 6 network server PHI breaches – The second most common location of breached PHI. It was a similar story in May and June with 9 and 11 email breaches reported respectively. Cofense Research Shows Healthcare...

Read More
NIST Releases Guidance on Managing IoT Cybersecurity and Privacy
Oct01

NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce. The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a series of new publications address cybersecurity and privacy together and the document is the foundation for a series of further publications that will explore IoT device cybersecurity and privacy in more detail. “IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST. In the guidance document, NIST identifies three high-level...

Read More
Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017
Sep28

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health. The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017. “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study. Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or...

Read More
HIPAA Quiz Launched by Compliancy Group
Sep26

HIPAA Quiz Launched by Compliancy Group

A new HIPAA Quiz has been launched by the Compliancy Group, which serves as a quick and easy free tool to assess the current state of HIPAA compliance in an organization.   Healthcare organizations that have implemented policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) Rules may think that they are fully compliant with all provisions of the HIPAA Privacy, Security, and Breach Notification Rules. However, HHS’ Office for Civil Rights (OCR) compliance audits and investigations into data breaches and complaints often reveal certain requirements of HIPAA have been missed or misinterpreted. OCR investigates all breaches of more than 500 records and so far in 2018, six financial penalties have been issued to HIPAA covered entities to resolve HIPAA violations. The average settlement/civil monetary penalty in 2018 is $1,491,166. State attorneys general also investigate data breaches and complaints and can also issue fines for noncompliance with HIPAA Rules. There have been five fines issued by state attorneys general in 2018 to resolve...

Read More
UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations
Sep24

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information. In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names. It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security...

Read More
August 2018 Healthcare Data Breach Report
Sep21

August 2018 Healthcare Data Breach Report

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches. There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached. Causes of Healthcare Data Breaches in August 2018 Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks. Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare...

Read More
$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Sep20

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules. This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients. Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a). Brigham and Women’s Hospital (BWH) settled its HIPAA violations...

Read More
California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt
Sep19

California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt

In June 2018, the legislature in California passed the California Consumer Privacy Act (CCPA) which introduced major changes to state law to protect the privacy of consumers. CCPA introduced new privacy protections and rights for consumers, several of which are similar to those introduced in Europe in the General Data Protection Regulation (GDPR). The CCPA does not go as far as GDPR and only applies to for-profit companies that hold the data of more than 50,000 individuals, but many of the new rights are similar, including the right to request access to personal data stored by a business, the right to be informed about the data that will be collected, the right to be informed whether personal data will be sold or disclosed, the right to have personal data deleted and to prevent personal data from being sold. The CCPA has been heavily criticized, especially by tech firms such as Facebook, Google and PayPal. A 38-page letter was sent to lawmakers in California by 38 trade groups who have voiced considerable concerns over the requirements of the CCPA, including sections of the law...

Read More
CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent
Sep17

CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent

The HHS’ Centers for Medicare and Medicaid Services (CMS) has investigated Fairview Southdale Hospital in Edina, MN over an alleged violation of patient privacy. The CMS confirmed that patients were videotaped during psychiatric evaluations in the emergency department without their knowledge or consent.  The hospital was cited for violating patient privacy. According to the Star Tribune, the CMS launched an investigation following a complaint from a patient who had been taken to the hospital for a psychiatric evaluation against her will in May 2017. The patient was escorted to the hospital as police officers were concerned about her state of mental health and feared she may cause harm to herself or others. After being released, the patient took legal action over her admission to the hospital and how she was treated by the police. As part of that lawsuit, the patient requested a copy of the security camera footage from the hospital. While the patient expected to receive a copy of the videotape from the front of the hospital showing her entering the facility, the videotape showed her...

Read More
Texas Nurse Fired for Social Media HIPAA Violation
Sep13

Texas Nurse Fired for Social Media HIPAA Violation

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination. Her comments explained how the disease was much worse that she expected it to be, having not encountered anyone with the measles in the past.  She explained that it was a “rough” experience seeing the boy suffering from the disease. She also explained in one of her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” according to the Houston Chronicle, which obtained screenshots of her Facebook posts. “By no means have I changed my vax stance, and I never will. But this...

Read More
Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information
Sep13

Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information

On Wednesday, September 12, 2018, President Trump approved a request for a federal emergency declaration in the state of Virginia and made FEMA resources available for the state. The Secretary of the U.S. Department of Health and Human Services, Alex Azar, has also declared a Public Health Emergency in Virginia, North Carolina, and South Carolina. The Secretarial declaration eases certain HIPAA restrictions and helps Centers for Medicare & Medicaid Services’ (CMS) beneficiaries and their healthcare providers prepare for the possible impact of Hurricane Florence and provides greater flexibility to meet emergency health needs. During severe disasters and public emergencies healthcare providers face increased challenges and may struggle to continue to meet all requirements of the HIPAA Privacy Rule. In emergency situations, such as during hurricanes, the HIPAA Privacy Rule still applies; however, Alex Azar’s declaration of a Public Health Emergency means certain provisions of the Privacy Rule have been relaxed under the Project Bioshield Act of 2004 (PL 108-276) and section...

Read More
NIST to Launch Privacy Framework to Help Companies Protect the Privacy of Customers and Employees
Sep12

NIST to Launch Privacy Framework to Help Companies Protect the Privacy of Customers and Employees

In 2014, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework – A framework of computer security guidance to help private sector companies assess their security policies and improve their ability to prevent, detect, and respond to cyberattacks. The Framework has been a huge success. Figures from Gartner suggest it has already been adopted by 30% of companies, and adoption of the Framework is mandatory for all federal agencies. Now NIST plans to start working on a new Framework to help companies protect the privacy of employees and customers in what has become an increasingly connected and complex environment. The NIST Privacy Framework will be a voluntary enterprise-level tool that will detail privacy outcomes and approaches to help organizations develop strategies for implementing flexible privacy protection solutions. The aim is to ensure that individuals can benefit from the use of innovative technologies such as IoT an AI, with the confidence that their privacy will be protected. Adopting the Privacy Framework will help organizations...

Read More
Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI
Sep06

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices. Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in the healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen. Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially have the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions...

Read More
NY Attorney General Fines Arc of Erie County $200,000 for Security Breach
Sep04

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients. In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines. The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained. In total, 3,751 clients in New York had...

Read More
NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
Aug31

NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

The National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released the final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations. Wireless infusion pumps are no longer standalone devices. They can be connected to a range of different healthcare systems, networks, and other devices and can be a major cybersecurity risk. If malicious actors are able to gain access to the wireless infusion pump ecosystem, settings could be altered on the pumps or malware could be installed that causes the devices to malfunction, resulting in operational and safety risks. An attack on the devices could result in patients coming to harm, protected health information could be exposed, and a compromise could result in disruption to healthcare services, reputation damage, and considerable financial costs. Securing wireless infusion pumps is a challenge. Standard cybersecurity solutions such as anti-virus software may affect the ability of the device to function correctly...

Read More
Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure
Aug27

Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure

Following the accidental drowning of their adopted son, Denise and Wayne Russell were contacted by the child’s birth mother who made threats against their family. The phone call from the birth mother came shortly after their son was admitted to McAlester Regional Health Center following a tragic swimming pool accident. Their 2-year old child had fallen into the pool after the gate to the pool area had been accidentally left open. The parents administered CPR at the scene until the paramedics arrived and the child was rushed to hospital where he was later confirmed to have died. Shortly after their son died, the Russells received the telephone call from the birth mother. When asked how she knew about the accident and death of the child, she confirmed that she had been informed by the hospital. The birth month screamed at the Russells and made multiple threats, according to Denise Russell, including a threat to kill their other son. The situation became so bad that a protective order was filed against their son’s birth mother. The Russells had taken care of their adopted son Keon...

Read More
July 2018 Healthcare Data Breach Report
Aug24

July 2018 Healthcare Data Breach Report

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable distance. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than the previous month. The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and June combined. A Bad Year for Patient Privacy So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed. To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018. Largest Healthcare Data Breaches of 2018 (Jan-July) Entity Name Entity Type Records Exposed Breach Type UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident CA...

Read More
Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI
Aug21

Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI

Legacy Health has discovered an unauthorized individual has gained access to its email system and the protected health information (PHI) of approximately 38,000 patients. The Portland, OR-based health system operates two regional hospitals, four community hospitals, and 70 clinics in Oregon, Southwest Washington, and the and the Mid-Willamette Valley and is the second largest health system in the Portland Metro Area. The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health determined that access was gained to the email accounts as a result of employees being duped by phishing emails. Email breaches can take a considerable amount of time to investigate. While tools are available to scan email accounts for protected health information, many of the emails in compromised accounts need to be individually checked, which can involve manual checks of hundreds of thousands of messages.  According to Legacy Health Spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to...

Read More
9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach
Aug20

9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach

The Gordon Schanzlin New Vision Institute in La Jolla, CA, is alerting thousands of patients that their medical records may have been stolen after files containing protected health information were discovered in the possession of an individual unauthorized to hold the information. The data breach came to light following an investigation conducted by the U.S. Postal Inspection Service. A raid was conducted on a property in Southern California and a box of medical records was discovered in the property. The files contained information such as names, dates of service, addresses, health insurance information, Social Security numbers, and health and clinical information. Gordon Schanzlin was notified of the discovery on June 15, 2018, and an internal investigation was immediately launched to determine the nature and scope of the breach and how the medical records had been stolen. While it could not be confirmed with 100% certainty, Gordon Schanzlin believes the medical records were part of a batch of files that were stolen from a storage unit that was broken into in October 2017. The...

Read More
Significant Vulnerabilities Identified in Maryland’s Medicaid Management Information System
Aug16

Significant Vulnerabilities Identified in Maryland’s Medicaid Management Information System

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of Maryland’s Medicaid system. The audit was conducted as part of the HHS OIG’s efforts to oversee states’ use of various Federal programs and to determine whether appropriate security controls had been implemented to protect its Medicaid Management Information System (MMIS) and Medicaid data. The audit consisted of interviews with staff members, a review of supporting documentation, and use of vulnerability scanning software on network devices, servers, websites, and databases that supported its MMIS. The audit uncovered multiple system security weaknesses that could potentially be exploited by threat actors to gain access to Medicaid data and disrupt critical Medicaid operations. Collectively, and in some cases individually, the vulnerabilities were ‘significant’ and could have compromised the integrity of the state’s Medicaid program. Details of the vulnerabilities uncovered by auditors were not disclosed publicly, although OIG did explain that the...

Read More
ICS-CERT Warns of Vulnerabilities in Philips IntelliSpace Cardiovascular Products
Aug16

ICS-CERT Warns of Vulnerabilities in Philips IntelliSpace Cardiovascular Products

ICS-CERT has issued an advisory about two vulnerabilities that have been identified in Philips IntelliSpace Cardiovascular products, one of which has been given a high severity rating and could allow a threat actor to elevate privileges and gain full control of a vulnerable device. The improper privilege management vulnerability (CVE-2018-14787) is present in IntelliSpace Cardiovascular cardiac image and information management software version 2.x and earlier releases and Xcelera V4.1 and earlier versions. The vulnerability could not be exploited remotely. Local access is required, and an authenticated user would need to have write privileges. If exploited, privileges could be escalated and access gained to folders containing executables. Arbitrary code could be executed to give the attacker full control of the system. The vulnerability has been assigned a CVSS v3 severity score of 7.3. An unquoted search path or element vulnerability (CVE-2018-14789) is present in IntelliSpace Cardiovascular Version 3.1 and earlier versions and Xcelera Version 4.1 and earlier versions. This flaw...

Read More
Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data
Aug14

Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data

Despite many alternative communication methods being available, healthcare organizations still extensively use faxes to communicate. Some estimates suggest as many as 75% of all communications occur via fax in the healthcare industry. While fax machines would not rank highly on any list of possible attack vectors, new research shows that flaws in the fax protocol could be exploited to launch attacks on businesses and gain network access. The flaws were detected by researchers at Check Point who successfully exploited them to create a backdoor into a network which was used to steal information through the fax. The researchers believe there are tens of millions of vulnerable fax machines are currently in use around the world. To exploit the flaw, the researchers sent a specially crafted image file through the phone line to a target fax machine. The fax machine decoded the image and uploaded it to the memory and the researchers’ script triggered a buffer overflow condition that allowed remote code execution. The researchers were able to gain full control of the fax machine and, using...

Read More
APWG Detects 46% Rise in Phishing Websites in Q1, 2018
Aug10

APWG Detects 46% Rise in Phishing Websites in Q1, 2018

The Anti-Phishing Working Group has released its Q1, 2018 Phishing Activity Trends Report which shows there was a substantial increase in unique phishing sites detected in the first few months of 2018 compared to the final quarter of 2017. The report explores phishing attacks and methods used between January 1 and March 31, 2018. In Q1, 263,538 unique phishing sites were identified – a 46% increase from the 180,577 unique sites identified in Q4, 2017 and a 38% increase from the 190,942 sites detected in Q3, 2017. There were 60,887 unique phishing sites detected in January 2018 which was on a par with December 2017, although a substantial increase in February (88,754) and a further major increase in March (113,897). The number of unique phishing campaigns reported by APWG customers remained broadly the same in January (89,250) and February (89,010) with a slight fall in March (84,444). 235 brands were spoofed in January, rising to 273 in February, and falling to 238 in March. APWG member MarkMonitor tracked the industry sectors that were most heavily targeted in phishing campaigns....

Read More
At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018
Aug09

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018. The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients. Q2 2018 Healthcare Data Breaches Month Data Breaches Records Exposed April 45 919,395 May 50 1,870,699 June 47 353,548   Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary. It is unclear if any healthcare...

Read More
More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched
Aug09

More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched

OpenEMR is an open-source electronic health record management system that is used by many thousands of healthcare providers around the world. It is the leading free-to-use electronic medical record platform and is extremely popular. Around 5,000 physician offices and small healthcare providers in the United States are understood to be using OpenEMR and more than 15,000 healthcare facilities worldwide have installed the platform. Around 100 million patients have their health information stored in the database. Recently, the London-based computer research organization Project Insecurity uncovered a slew of vulnerabilities in the source code which could potentially be exploited to gain access to highly sensitive patient information, and potentially lead to the theft of all patients’ health information. The Project Insecurity team chose to investigate EMR and EHR systems due to the large number of healthcare data breaches that have been reported in recent years. OpenEMR was the natural place to start as it was the most widely used EMR system and with it being open-source, it was easy...

Read More
Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps
Aug08

Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps

An advisory has been issued by ICS-CERT about vulnerabilities in MedTronic MyCareLink Patient Monitors and the MiniMed 508 Insulin Pump. This is the second advisory to be issued about MyCareLink Patient Monitors in the past six weeks. In June, ICS-CERT issued a warning about the use of a hard-coded password (CVE-2018-8870) and an exposed dangerous method or function vulnerability (CVE-2018-8868). The latest vulnerabilities to be discovered are an insufficient verification of data authenticity flaw (CVE-2018-10626) and the storage of passwords in a recoverable format (CVE-2018-10622). The vulnerabilities are present in all versions of the Medtronic MyCareLink 24950 and 24952 Patient Monitors. If an attacker were to obtain per-product credentials from the monitor and the paired implanted cardiac device, it would be possible for invalid data to be uploaded to the Medtronic Carelink network due to insufficient verification of the authenticity of uploaded data. The vulnerability has been assigned a CVSS v3 score of 4.4 (medium severity). The way that passwords are stored could allow...

Read More
Healthcare Organizations Reminded of HIPAA Rules for Disposing of Electronic Devices
Aug07

Healthcare Organizations Reminded of HIPAA Rules for Disposing of Electronic Devices

In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media. Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner. HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes. Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI. If electronic devices are not disposed of securely...

Read More
NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices
Aug06

NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices

The HIPAA Security Rule requires HIPAA-covered entities to ensure the confidentiality, integrity, and availability of electronic protected health information at all times. Healthcare organizations must ensure patients’ health is not endangered, their privacy is protected, and their identities are not compromised. A range of physical, technical, and administrative controls can be implemented to secure ePHI on servers and desktop computers, but ensuring the same level of security for mobile devices can be a major challenge. Mobile devices offer many benefits for healthcare providers. They can improve access to protected health information, ensure that data can be accessed anywhere, and they help healthcare providers improve coordination of care. However, when ePHI is stored on mobile devices such as laptops, tablets and mobile phones, or is transmitted using those devices, it is particularly vulnerable. Mobile devices are easy to lose, are often stolen, and data transmitted through mobile devices can also be vulnerable to interception. In healthcare, mobile device security is a major...

Read More
Consumers More Worried About Exposure of Financial Information Than Health Data
Aug01

Consumers More Worried About Exposure of Financial Information Than Health Data

The privacy and security of health data is less of a concern for consumers than the privacy and security of financial information such as credit card numbers, according to a recent survey by the healthcare marketing agency SCOUT. The Harris Poll survey was conducted on 2,033 adults from May 10-14, 2018 as part of a new research series called SCOUT Rare Insights. The survey revealed fewer than half of consumers (49%) were very concerned about the privacy and security of their health data, whereas more than two thirds of consumers (69%) were very concerned about the privacy and security of their financial data such as credit/debit card numbers and bank account information. Consumers are often covered by insurance policies on their credit cards and can reclaim losses in many cases. A new credit card number can be issued in cases of theft and there are laws that limit personal liability. However, if health insurance information and Social Security numbers are stolen, breach victims can suffer severe losses that may not be recoverable. Medical identity theft can also cause patients...

Read More
1.4 Million Patients Warned About UnityPoint Health Phishing Attack
Jul31

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers. This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May. This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016. Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled by email impersonation scams. Business email...

Read More
Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform
Jul30

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform. The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victims to phishing attacks that have resulted in cybercriminals gaining access to employee’s email accounts and the PHI contained therein. Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats. Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams. However, security teams can struggle to...

Read More
HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules
Jul30

HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules

At a July 27 address at The Heritage Foundation, Secretary of the Department of Health and Human Services (HHS), Alex Azar, explained that the HHS will be undertaking several updates to health privacy regulations over the coming months, including updates to the Health Insurance Portability and Accountability Act (HIPAA) and 45 CFR Part 2 (Part 2) regulations. The process is expected to commence in the next couple of months. Requests for information on HIPAA and Part 2 will be issued, following which action will be taken to reform both sets of rules to remove obstacles to value-based care and support efforts to combat the opioid crisis. Rule changes are also going to be made to remove some of the barriers to data sharing which are currently hampering efforts by healthcare providers to expand the use of electronic health technology. These requests for information are part of a comprehensive review of current regulations that are hampering the ability of doctors, hospitals, and payers to improve the quality healthcare services and coordination of care while helping to reduce...

Read More
Bill Proposes 18 Months Free Credit Monitoring Services for Data Breach Victims in Massachusetts
Jul25

Bill Proposes 18 Months Free Credit Monitoring Services for Data Breach Victims in Massachusetts

A new bill has been introduced in Massachusetts that seeks to improve protections for consumers affected by data breaches. The bill calls for free credit monitoring services to offered to individuals whose personal information was exposed in a security breach. The bill (H.4806) was filed on Tuesday by a House-Senate conference committee chaired by Rep. Tackey Chan and Sen. Barbara L’Italien and is a compromise bill between competing data security bills that were sent to the committee on May 3. The House Bill required consumers to be provided with a year of credit monitoring services following a data breach whereas the Senate bill required consumers to be provided with 2 years of credit monitoring services following a data breach. The conference committee bill takes the middle ground, requiring 18 months of credit monitoring services to be provided to consumers free of charge following a standard security breach. However, a data breach at a credit monitoring company (Equifax, Experian, TransUnion) would require affected consumers to be provided with 42 weeks of credit...

Read More
FDA Issues New Guidance on Use of EHR Data in Clinical Investigations
Jul19

FDA Issues New Guidance on Use of EHR Data in Clinical Investigations

The U.S. Food and Drug Administration has released new guidance on the use of EHR data in clinical investigations and emphasized that appropriate controls should be put in place to ensure the confidentiality, integrity, and availability of data. While the guidance is non-binding, it provides healthcare organizations with valuable information on steps to take when deciding whether to use EHRs as a source of data for clinical investigations, how to use them and ensure the quality and integrity of EHR data, and how to make sure that any data collected and used as an electronic source of data meets the FDA’s inspection, recordkeeping and data retention requirements. The aim of the guidance is to promote the interoperability of EHR and EDC systems and facilitate the use of EHR data in clinical investigations, such as long-term studies on the safety and effectiveness of drugs, medical devices, and combination products. The guidance does not apply to data collected for registries and natural history studies, the use of EHR data to evaluate the feasibility of trial design or as a...

Read More
New York Physician Notifies Patients of Exposure of their PHI
Jul19

New York Physician Notifies Patients of Exposure of their PHI

A New York physician has started notifying patients that their protected health information has been exposed and has been potentially accessed unauthorized individuals. Ruben U. Carvajal, MD was alerted to a possible privacy breach on January 3, 2018 and was informed that some of his patients’ health information was accessible over the Internet. An investigation into the possible privacy breach was launched and the matter was reported to the New York Police Department and the Federal Bureau of Investigation (FBI). FBI investigators visited his office and examined his computer. On February 18, 2018, the FBI confirmed that the EMR program on his computer had been accessed by an unauthorized individual. A forensic investigator was called in to conduct a thorough investigation to determine the nature and scope of the breach. On May 22, 2018 the forensic investigator determined that the physician’s computer had been accessed by an unauthorized individual between December 16, 2017 and January 3, 2018. Any individual that gained access to the physicians’ computer could have gained access...

Read More
Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center
Jul19

Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center

Certain employees of a Canandaigua, NY nursing home have been using their smartphones to take photographs and videos of at least one resident and have shared those images and videos with others on Snapchat – a violation of HIPAA and serious violation of patient privacy. The privacy breaches occurred at Thompson Health’s M.M. Ewing Continuing Care Center and involved multiple employees. Thompson Health has already taken action and has fired several workers over the violations. Now the New York Department of Health and the state attorney general’s office have got involved and are conducting investigations. The state attorney general’s Deputy Press Secretary, Rachel Shippee confirmed to the Daily Messenger that an investigation has been launched, confirming “The Medicaid Fraud Control Unit’s mission includes the protection of nursing home residents from abuse, neglect and mistreatment, including acts that violate a resident’s rights to dignity and privacy.” Thompson Health does not believe the images/videos were shared publicly and sharing was restricted to a group of employees at the...

Read More
June 2018 Healthcare Breach Report
Jul18

June 2018 Healthcare Breach Report

There was a 13.8% month-over-month increase in healthcare data breaches in June 2018. Data breaches were up, but the breaches were far less severe in June, with 42.48% fewer healthcare records exposed or stolen than in May. In June there were 33 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and those breaches saw 356,232 healthcare records exposed or stolen – the lowest number of records exposed in healthcare data breaches since March 2018. Healthcare Data Breaches (January-June 2018) Healthcare Records Exposed (January-June 2018) Causes of Healthcare Data Breaches (June 2018) Unauthorized access/disclosure incidents were the biggest problem area in June, followed by hacking IT incidents. As was the case in May, there were 15 unauthorized access/disclosure breaches and 12 hacking/IT incidents. The remaining six breaches involved the theft of electronic devices (4 incidents) and paper records (2 incidents). There were no reported losses of devices or paperwork and no improper disposal incidents. Healthcare Records Exposed...

Read More
LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach
Jul17

LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach

LabCorp, one of the largest clinical laboratories in the United States, has experienced a cyberattack that has potentially resulted in hackers gaining access to patients’ sensitive information; however, data theft appears unlikely as the cyberattack has now been confirmed as being a ransomware attack. It has been suggested that variant of SamSam ransomware was used in the brute force RDP attack, although this has not been confirmed by LabCorp. The Burlington, NC-based company runs 36 primary testing laboratories throughout the United States and the Los Angeles National Genetics Institute. The company performs standard blood and urine tests, HIV tests and specialty diagnostic testing services and holds vast quantities of highly sensitive data. The cyberattack occurred over the weekend of July 14, 2018 when suspicious system activity was identified by LabCorp’s intrusion detection system within 50 minutes of the attack commencing. Prompt action was taken to terminate access to its servers and systems were taken offline to contain the attack. With its systems offline, this naturally...

Read More
Children’s Mercy Hospital Sued for 63,000-Record Data Breach
Jul13

Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information. In total, five email accounts were compromised between December 2017 and January 2018. On December, 2, 2017  two email accounts were discovered to have been accessed by an unauthorized individual as a result of employees responding to phishing emails. Links in the emails directed the employees to a website where they were fooled into disclosing their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, with a fifth and final account compromised in early January. The mailbox accounts of four of those compromised email accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent...

Read More
Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record
Jul12

Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record

A recent study conducted by the Ponemon Institute on behalf of IBM Security has revealed the hidden cost of data breaches, and for the first time, the cost of mitigating 1 million-record+ data breaches. The study provides insights into the costs of resolving data breaches and the full financial impact on organizations’ bottom lines. For the global study, 477 organizations were recruited and more than 2,200 individuals were interviewed and asked about the data breaches experienced at their organizations and the associated costs. The breach costs were calculated using the activity-based costing (ABC) methodology. The average number of records exposed or stolen in the breaches assessed in the study was 24,615 and 31,465 in the United States. Last year, the Annual Cost of a Data Breach Study by the Ponemon Institute/IBM Security revealed the cost of breaches had fallen year over year to $3.62 million. The 2018 study, conducted between February 2017 and April 2018, showed data breach costs have risen once again. The average cost of a data breach is now $3.86 million – An annual increase...

Read More
Patient Privacy and Security Are Greatest Healthcare Concerns for Consumers
Jul10

Patient Privacy and Security Are Greatest Healthcare Concerns for Consumers

A recent survey conducted by the health insurer Aetna explored consumers’ attitudes to healthcare, their relationships with their providers, and what they view as the most important aspects of healthcare. The Health Ambitions Study was conducted on 1,000 consumers aged 18 and above, with a corresponding survey conducted on 400 physicians – 200 primary care doctors and 200 specialists. The consumer survey showed consumers are paying attention to their healthcare. A majority pay attention to holistic health and seek resources that support better health and wellbeing. 60% of respondents to the survey said that if they were given an extra hour each day they would spend it doing activities that improved their health or mental health. 67% of women and 44% of men would devote the hour to these activities. Fewer women believed their physicians understood their health needs than men. 65% of women and 80% of men said their doctor is familiar with their health goals. Women find it harder than men to talk to their physicians about their lifestyle habits (70% vs 81%) and women were much less...

Read More
Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data
Jul10

Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data

The UK’s National Health Service (NHS) has announced that approximately 150,000 patients who had opted out of having their health data shared for the purposes of clinical research and planning have had their data shared against their wishes. In the UK, there are two types of opt-outs patients can choose if they do not want their confidential health data shared. A type 1 opt-out allows patients to stop the health data held in their general practitioner (GP) medical record from being used for anything other than their individual care. A Type 2 opt-out is used to prevent health care data being shared by NHS Digital for purposes other than providing individual care. 150,000 patients who had registered a Type 2 opt-out have had their data shared. The impermissible sharing of health data occurred as a result of an error by one of its EHR vendors, TPP. TPP provides the NHS with the SystmOne EHR system, which is use in many GP practices throughout the UK. A coding error in the system meant that these Type 2 requests were not passed on to NHS Digital, and as a result, NHS Digital was...

Read More
HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks
Jul06

HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks

HIMSS has released its June Healthcare and Cross-Sector Cybersecurity Report in which healthcare organizations are warned about the risk of exploitation of vulnerabilities in application programming interfaces, man-in the middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations have also been advised to be alert to the possibility of USB devices being used to gain access to isolated networks and the increase in used of Unicode characters to create fraudulent domains for use in phishing attacks. API Attacks Could Be the Next Big Attack Vector Perimeter defenses are improving, making it harder for cybercriminals to gain access to healthcare networks. However, alternative avenues are being explored by hackers looking for an easier route to gain access to sensitive data. Vulnerabilities in API’s could be a weak point and several cybersecurity experts believe APIs could well prove to be the next biggest cyber-attack vector. API usage in application development has become the norm, after all, it is easier to use a third-party solution...

Read More
AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule
Jul05

AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule

The American Hospital Association (AHA) has voiced the concerns of its members about the HHS’ Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system proposed rule for fiscal year 2019, including the requirement to allow any health app of a patient’s choosing to connect to healthcare providers’ APIs. Consumer Education Program Required to Explain that HIPAA Doesn’t Apply to Health Apps Mobile health apps can con collect and store a considerable amount of personal and health information – in many cases, the same information that would be classed as protected Health Information (PHI) under Health Insurance Portability and Accountability Act (HIPAA) Rules. However, HIPAA does not usually apply to health app developers and therefore the health data collected, stored, and transmitted by those apps may not be protected to the level demanded by HIPAA. When consumers enter information into the apps, they may not be aware that the safeguards in place to protect their privacy may not be as stringent as those implemented by their healthcare providers. There...

Read More
Healthcare Worker Charged with Criminally Violating HIPAA Rules
Jul03

Healthcare Worker Charged with Criminally Violating HIPAA Rules

A former University of Pittsburgh Medical Center patient information coordinator has been indicted by a federal grand jury over criminal violations of HIPAA Rules, according to an announcement by the Department of Justice on June 29, 2018. Linda Sue Kalina, 61, of Butler, Pennsylvania, has been charged in a six-count indictment that includes wrongfully obtaining and disclosing the protected health information of 111 patients. Kalina worked at the University of Pittsburgh Medical Center and the Allegheny Health Network between March 30, 2016 and August 14, 2017. While employed at the healthcare organizations, Kalina is alleged to have accessed the protected health information (PHI) of those patients without authorization or any legitimate work reason for doing so. Additionally, Kalina is alleged to have stolen PHI and, on four separate occasions between December 30, 2016, and August 11, 2017, disclosed that information to three individuals with intent to cause malicious harm. Kalina was arrested following an investigation by the Federal Bureau of Investigation. The case was taken up...

Read More
California Passes GDPR-Style Data Privacy Law
Jul02

California Passes GDPR-Style Data Privacy Law

AB 375, the California Consumer Privacy Act of 2018, has been signed into law. The bill was signed by California governor Jerry Brown on Thursday after the state Senate and Assembly passed the bill unanimously. California already has some of the strictest privacy laws in the United States. Under existing legislation, companies that experience a breach of personal information must notify affected individuals if their computerized data is exposed or stolen. This law takes privacy protections much further and gives state residents several new GDPR-style privacy rights, including: The right to request information from businesses about the types of personal data that are collected and processed and the source of that information Be informed about the purpose for collecting, using, and selling personal data Categories of third parties with whom the information is shared The right to request a copy of all personal information collected by a business The right to have all personal information deleted on request The right to request personal information is not sold The right to initiate...

Read More
Protected Health Information Sent to Incorrect Fax Recipient Over Several Months
Jun27

Protected Health Information Sent to Incorrect Fax Recipient Over Several Months

Faxes containing the protected health information (PHI) of a patient have been sent to an incorrect recipient by OhioHealth’s Grant Medical Center over a period of several months – A violation of patient privacy and the Health Insurance Portability and Accountability Act (HIPAA). The recipient of the faxes, Elizabeth Spilker, tried on numerous occasions to notify Grant Medical Center about the problem and stop the faxes being sent, but her efforts were unsuccessful. She tried faxing back a message on the same number requesting a change to the programmed fax number and tried contacting the medical center by telephone. Spilker later notified ABC6 about the issue and the story was covered in a June 18 report. In the report, Spilker explained that faxes had been received from Grant Medical Center for more than a year. The messages contained a range of protected health information including name, age, weight, medical history, medications prescribed, and other sensitive health information. Typically, the faxes were received at the end of the day. Repeated attempts were made to send the...

Read More
Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist
Jun26

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems. Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri. Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software. In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages...

Read More
District Court Ruling Confirms No Private Cause of Action in HIPAA
Jun25

District Court Ruling Confirms No Private Cause of Action in HIPAA

Patients who believe HIPAA Rules have been violated can submit a compliant to the Department of Health and Human Services’ Office for Civil Rights, but they do not have the right to take legal action, at least not for the HIPAA violation. There is no individual private cause of action under HIPAA law. Several patients have filed lawsuits over alleged HIPAA violations, although the cases have not proved successful. A recent case has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed. Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that while at the hospital on June 15, 2017, a LabCorp employee instructed her to enter her protected health information at a computer intake station. Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different...

Read More
Overdose Prevention and Patient Safety Act Passed by House
Jun22

Overdose Prevention and Patient Safety Act Passed by House

The Overdose Prevention and Patient Safety Act – H.R. 6082 – aims to ease restrictions on the sharing of health records of patients with addictions, aligning 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records – with HIPAA. Currently, 42 CFR Part 2 only permits the disclosure of health records of patients with substance abuse disorder without written consent to medical staff in emergency situations, to specified individuals for research and program evaluations, or if required to do so by means of a court order. Under current regulations, a special release form must be signed by a patient authorizing the inclusion of substance abuse disorder information in their medical record. Preventing doctors from having access to a patient’s entire medical history means decisions could be taken without full understanding of their potential consequences. If details of substance abuse disorder can be accessed, doctors will be able to make more informed decisions which will help them to safely and effectively treat patients. The Overdose Prevention and Patient Safety...

Read More
Common Rule Compliance Date Delayed Until January 2019
Jun22

Common Rule Compliance Date Delayed Until January 2019

On June 19, 2018, the federal government published the final rule for the Federal Policy for the Protection of Human Subjects – The Common Rule. The aim of the Common Rule is to protect individuals who voluntarily participate in research, while also reducing the administrative and regulatory burdens for low-risk research. A revised Common Rule was due to take effect on January 19, 2018 with an effective compliance date on the same date. However, an interim final rule was published on January 17, 2018 delaying the effective date for six months – The new compliance date was due to be July 19, 2018. On April 20, 2018, a notice of proposed rulemaking was published seeking comments about whether the new Common Rule requirements should be delayed for a further six months. After assessing the comments received on the notice of proposed rulemaking, the proposals made in that NPRM have been adopted and the compliance date has now been extended until January 21, 2019. In the final rule it was noted, “We acknowledge that the timing of the interim final rule was not ideal and led to...

Read More
Washington Health System Suspends Several Employees for Inappropriate PHI Access
Jun21

Washington Health System Suspends Several Employees for Inappropriate PHI Access

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated. While it has not been confirmed how many employees have been suspended, Washington Health System VP of strategy and clinical services, Larry Pantuso, issued a statement to the Observer Reporter indicating around a dozen employees have been suspended, although at this stage, no employees have been fired for inappropriate medical record access. The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out of control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the accident. Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile...

Read More
May 2018 Healthcare Data Breach Report
Jun19

May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April. There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than the 41 incidents in April. In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records. Causes of May 2018 Healthcare Data Breaches Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices...

Read More
OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center
Jun19

OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

The Department of Health and Human Services’ Office for Civil Rights has announced its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013. MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules. The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals....

Read More
More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes
Jun12

More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes

90% of hospitals and 94% of physicians have adopted mobile technology and say it is helping to improve patient safety and outcomes, according to a recent survey conducted by Black Book Research. The survey was conduced on 770 hospital-based users and 1,279 physician practices between Q4, 2017 and Q1, 2018. The survey revealed 96% of hospitals are planning on investing in a new clinical communications platform this year or have already adopted a new, comprehensive communications platform. 85% of surveyed hospitals and 83% of physician practices have already adopted a secure communication platform to improve communications between care teams, patients, and their families. Secure text messaging platform are fast becoming the number one choice due to the convenience of text messages, the security offered by the platforms, and the improvements they make to productivity and profitability. 98% of hospitals and 77% of physician practices said they have implemented secure, encrypted email and are using intrusion detection systems to ensure breaches are detected rapidly. Many providers of...

Read More
12-Month Suspension for Nurse Who Provided Patient Information to New Employer
Jun08

12-Month Suspension for Nurse Who Provided Patient Information to New Employer

The New York State Education Department has suspended the license of a nurse practitioner for violating the privacy of patients by providing their contact information to her new employer. In April 2015, Martha C. Smith-Lightfoot took a spreadsheet containing the personally identifiable information of approximately 3,000 patients of University of Rochester Medical Center (URMC) and gave that information to her new employer, Greater Rochester Neurology. The privacy violation was uncovered when several patients complained to URMC about being contacted by Greater Rochester Neurology about switching providers. Prior to leaving URMC, Smith-Lightfoot requested information on patients she has treated in order to ensure continuity of care.  URMC provider her with a spreadsheet that contained names, addresses, dates of birth, and diagnoses. URMC did not authorize Smith-Lightfoot to take the spreadsheet with her when she left employment. The provision of the patient list to Greater Rochester Neurology was an impermissible disclosure of PHI and a violation of the HIPAA Privacy Rule. When it...

Read More
Healthcare Employees Accused of Taking PHI to New Employers
Jun07

Healthcare Employees Accused of Taking PHI to New Employers

Two HIPAA-covered entities are notifying patients that former employees have accessed databases and stolen protected health information to take to new employers. Former Hair Free Forever Employee Contacts Patients to Solicit Customers Hair Free Forever, a Ventura, CA-based provider of permanent hair removal treatments, has announced that a former employee has stolen patient information and has been contacting its patients in an attempt to solicit customers. The company uses Thermolysis to permanently remove hair. Since the technique is classed as a medical procedure, Hair Free Forever and its employees are required to comply with HIPAA Rules. In a data breach notice provided to the California attorney general, Hair Free Forever’s Cheryl Conway informs patients that the former employee accessed patient files and the company’s database and stole patients’ protected health information, in clear violation of HIPAA Rules. The data theft came to light when complaints were received from customers who had been contacted and told about the former employee’s new practice. An investigation...

Read More
Colorado Governor Signs Data Protection Bill into Law
Jun05

Colorado Governor Signs Data Protection Bill into Law

Colorado Governor John Hickenlooper has signed a bill – HB 1128 – into law that strengthens protections for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Legislature. The bill will take effect from September 1, 2018. The bill requires organizations operating in the state of Colorado to implement reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is protected. The bill also reduces the time for notifying the state attorney general about breaches of PII and introduces new rules for disposing of PII when it is no longer required. Personal information is classed as first name and last name or first initial and last name in combination with any of the following data elements (when not encrypted, redacted, or secured by another means that renders the information unreadable): Social Security number Student ID number Military ID number Passport number Driver’s license number or...

Read More
Could Law Firms Targeting Patients in ER Rooms Using Geofencing Technology Violate HIPAA?
Jun01

Could Law Firms Targeting Patients in ER Rooms Using Geofencing Technology Violate HIPAA?

Questions are being raised about whether HIPAA Rules are being violated when attorneys send text messages and push notifications to patients who have visited emergency rooms and other medical facilities using geofencing technology. Marketers are using a range of clever tactics to sell products and services such as remarketing – The displaying of advertisements on websites to individuals who have previously viewed products on another website but not made a purchase. Similarly, the use of geofencing is growing in popularity. Geofencing is the creation of a digital fence around a specific location. When an individual crosses that invisible boundary, a push notification is sent to the users mobile phone. That location could be a store or any location. Retailers have been using the technology for some time, Google sends push notifications based on location, and now attorneys are getting in on the act. This tactic of targeting specific individuals is being offered by at least one digital marketing firm and the service is being offered to attorneys. In this case the geofence is around...

Read More
Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach
Jun01

Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach

There have been further developments in the ongoing legal battles over a 2017 privacy breach experienced by Aetna involving the exposure of patients’ sensitive health information. A further lawsuit has been filed by the insurer in an attempt to recover the costs incurred as a result of the breach. Ongoing Legal Battles Over the Exposure of Patients’ HIV Statuses In 2017, the health insurer Aetna experienced a data breach that saw highly sensitive patient information impermissibly disclosed to other individuals. A mailing vendor sent letters to patients using envelopes with clear plastic windows and information about HIV medications were allegedly visible. The mailings related to HIV medications used to treat patients who had already contracted HIV and individuals who were taking drugs as pre-exposure prophylaxis. Approximately 12,000 patients received the mailing. Lawsuits were filed on behalf of patients whose HIV positive status was impermissibly disclosed, which were settled in January for $17.2 million. A settlement was agreed with the New York state attorney general for a...

Read More
OCR Reminds Covered Entities Not to Overlook Physical Security Controls
May31

OCR Reminds Covered Entities Not to Overlook Physical Security Controls

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded covered entities that HIPAA not only requires technical controls to be implemented to ensure the confidentiality, integrity, and availability of protected health information, but also appropriate physical security controls. Physical controls are often the simplest and cheapest forms of protection to keep PHI private and confidential, yet these security controls are often overlooked. Some physical security controls cost nothing – such as ensuring portable electronic devices (laptop computers, portable storage devices, and pen drives) are locked away when they are not in use. While this is a very basic form of security, it is one of the most effective ways of preventing theft and one that can prove incredibly costly if overlooked. OCR draws attention to a 2015 HIPAA breach settlement with Lahey Hospital and Medical Center. An unencrypted laptop computer was stolen from the Tufts Medical School affiliated teaching hospital resulting in the exposure 599 patients’ ePHI. The laptop computer was used...

Read More
Lack of Visibility into Employee Activity Leaves Organizations Vulnerable to Data Breaches
May30

Lack of Visibility into Employee Activity Leaves Organizations Vulnerable to Data Breaches

The 2018 Insider Threat Intelligence Report from Dtex Systems shows how a lack of visibility into employee activities is preventing security teams from acting on serious data security threats. The report is based on data gathered from risk assessments performed on the firm’s customers and prospective customers. Those risk assessments highlighted just how common it is for employees to attempt to bypass security controls, download shadow IT, and violate company policies. If your risk assessment has identified employees attempting to bypass security controls, you are not alone. According to the Dtex Systems report, 60% of risk assessments uncovered attempts by employees to bypass an organization’s security controls, use of private and anonymous browsers, or cases where employees had researched how to bypass security controls. In most cases, employees are attempting to bypass security controls to gain access to websites that breach acceptable internet usage policies – such as adult content, gaming, and gambling sites, and to access P2P file sharing websites. 67% of companies discovered...

Read More
HITRUST Now Offers NIST Cybersecurity Framework Certification
May24

HITRUST Now Offers NIST Cybersecurity Framework Certification

The security and privacy standards development and accreditation organization HITRUST has started offering certification for the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The certification program makes it easier for healthcare organizations to report progress to management, business partners, and regulators and verify they have met NIST cybersecurity framework controls. The NIST Cybersecurity Framework is a set of standards and best practices that help organizations improve security, manage cybersecurity risk, and protect critical infrastructure. Many healthcare organizations have adopted the NIST cybersecurity framework but are unsure how they are doing in the cybersecurity categories. Through the HITRUST CSF Assurance Program, healthcare organizations can assess whether they have met the requirements in each of the NIST categories. The HITRUST CSF now includes a scorecard that allows organizations to check how their security program maps to the core subcategories of the...

Read More
OCR Plans to Share HIPAA Violation Settlements with Breach Victims
May23

OCR Plans to Share HIPAA Violation Settlements with Breach Victims

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 and includes a provision that calls for the Department of Health and Human Services to share a percentage of HIPAA settlements with victims of HIPAA violations and data breaches. This month has seen some progress in that area. The Department of Health and Human Services’ Office for Civil Rights has announced it is planning on issuing an advance notice of proposed rulemaking in November about sharing a percentage of the fines it collects through its HIPAA enforcement activities with the victims of data breaches. OCR officials have previously made it clear that steps will be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time that OCR has announced it plans to issue an advance notice of proposed rulemaking on the matter only for the advance notice of proposed rulemaking to be delayed. If OCR follows through on its plans this fall, feedback will be sought from the public and industry stakeholders on how it can achieve...

Read More
Healthcare Data Breach Report: April 2018
May18

Healthcare Data Breach Report: April 2018

April was a particularly bad month for healthcare data breaches with both the number of breaches and the number of individuals impacted by breaches both substantially higher than in March. There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records. Healthcare Data Breach Trends For the past four months, the number of healthcare data breaches reported to OCR has increased month over month. For the third consecutive month, the number of records exposed in healthcare data breaches has increased. Causes of Healthcare Data Breaches in April 2018 The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defences have been improved to make it harder for hackers to gain access to healthcare data, there is still a major problem preventing accidental data breaches by insiders and malicious acts by healthcare employees....

Read More
Warnings Issued Over Vulnerable Medical Devices
May14

Warnings Issued Over Vulnerable Medical Devices

Warnings have been issued by the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) about vulnerabilities in several medical devices manufactured by Silex Technology, GE Healthcare, and Phillips. If the vulnerabilities were to be exploited, an unauthorized individual could potentially take control of the devices. Phillips Brilliance CT Scanners In early May, Phillips alerted the National Cybersecurity and Communications Integration Center (NCCIC) about security vulnerabilities affecting its Brilliance CT scanners. Phillips has been working to remediate the vulnerabilities and has been working with DHS to alert users of its devices to help them reduce risk. There have been no reports received to suggest any of the vulnerabilities have been exploited in the wild. Three vulnerabilities have been discovered to affect the following scanners: Brilliance 64 version 2.6.2 and below Brilliance iCT versions 4.1.6 and below Brillance iCT SP versions 3.2.4 and below Brilliance CT Big Bore 2.3.5 and below See ICS-CERT advisory...

Read More
Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed
May10

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised. Recent Email Hacking and Phishing Attacks on Healthcare Organizations HIPAA-Covered Entity Records Exposed Inogen Inc. 29,529 Knoxville Heart Group 15,995 USACS Management Group Ltd 15,552 UnityPoint Health 16,429 Texas Health Physicians Group 3,808 Scenic Bluffs Health Center 2,889 ATI Holdings LLC 1,776 Worldwide Insurance Services 1,692 Billings Clinic 949 Diagnostic Radiology & Imaging, LLC 800 The Oregon Clinic Undisclosed   So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in...

Read More
DoD IG Discovers Serious Flaws in Navy and Air Force EHR and Security Systems and Potential HIPAA Violations
May09

DoD IG Discovers Serious Flaws in Navy and Air Force EHR and Security Systems and Potential HIPAA Violations

A Department of Defense Inspector General (DoDIG) audit of the electronic health record (EHR) and security systems at the Defense Health Agency (DHA), Navy, and Air Force has uncovered serious security vulnerabilities that could potentially be exploited to gain access to systems and protected health information (PHI). This is the second DoDIG report from recent audits of military training facilities (MTFs). The first report revealed the DHA and Army had failed to consistently implement security protocols to safeguard EHRs and systems that stored, processed, or transmitted PHI. The latest report, which covers the DHA, Navy, and Air Force, has revealed serious vulnerabilities in 11 different areas. Inconsistency of implementing security protocols to protect EHRs and PHI, and the ineffective administrative, technical, and physical safeguards deployed constitute violations of Health Insurance Portability and Accountability Act (HIPAA) Rules. Those violations could attract financial penalties of up to $1.5 million per violation category. The DoDIG visited three Navy and two Air Force...

Read More
Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack
May08

Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals. As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018. HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights. Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for...

Read More
Massachusetts Physician Convicted for Criminal HIPAA Violation
May04

Massachusetts Physician Convicted for Criminal HIPAA Violation

Criminal penalties for HIPAA violations are relatively rare, although the Department of Justice does pursue criminal charges for HIPAA violations when there has been a serious violation of patient privacy, such as an impermissible disclosure of protected health information for financial gain or malicious purposes. One such case has resulted in two criminal convictions – a violation of the Health Insurance Portability and Accountability Act and obstructing a criminal healthcare investigation. The case relates to the DOJ investigation of the pharmaceutical firm Warner Chilcott over healthcare fraud. In 2015, Warner Chilcott plead guilty to paying kickbacks to physicians for prescribing its drugs and for manipulating prior authorizations to induce health insurance firms to pay for prescriptions. The case was settled with the DOJ for $125 million. Last week, a Massachusetts gynecologist, Rita Luthra, M.D., 67, of Longmeadow, was convicted for violating HIPAA by providing a Warner Chilcott sales representative with access to the protected health information of patients for a period of...

Read More
Study Reveals Healthcare Industry Employees Struggling to Understand Data Security Risks
Apr30

Study Reveals Healthcare Industry Employees Struggling to Understand Data Security Risks

The recently published Beyond the Phish Report from Wombat Security, now a division of Proofpoint, has revealed healthcare employees have a lack of understanding of common security threats. For the report, Wombat Security compiled data from nearly 85 million questions and answers posed to customers’ end users across 12 categories and 16 industries. Respondents were asked about security best practices that would help them avoid ransomware attacks, malware installations, and phishing attacks and established the level of expertise at protecting confidential information, defending against email and web-based scams, securing mobile devices, working safely in remote locations, identifying physical risks, disposing of sensitive information securely, using strong passwords, and safe use of social media and the web. Overall, the healthcare industry performed second worst for security awareness, just ahead of the hospitality industry, with the survey highlighting several areas of weakness that could potentially be exploited by cybercriminals to gain access to healthcare networks and...

Read More
How to Defend Against Insider Threats in Healthcare
Apr26

How to Defend Against Insider Threats in Healthcare

One of the biggest data security challenges is how to defend against insider threats in healthcare. Insiders are responsible for more healthcare data breaches than hackers, making the industry unique. Verizon’s Protected Health Information Data Breach Report highlights the extent of the problem. The report shows 58% of all healthcare data breaches and security incidents are the result of insiders. Healthcare organizations also struggle to detect insider breaches, with many breaches going undetected for months or even years. One healthcare employee at a Massachusetts hospital was discovered to have been accessing healthcare records without authorization for 14 years before the privacy violations were detected, during which time the records of more than 1,000 patients had been viewed. Healthcare organizations must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do occur. What are Insider Threats? Before explaining how healthcare...

Read More
Report: Healthcare Data Breaches in Q1, 2018
Apr24

Report: Healthcare Data Breaches in Q1, 2018

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017. There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size. In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records. Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017. Individuals Impacted by Healthcare Data Breaches in Q1, 2018 Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017,...

Read More
Healthcare Compliance Programs Not In Line With Expectations of Regulators
Apr23

Healthcare Compliance Programs Not In Line With Expectations of Regulators

Healthcare compliance officers are prioritizing compliance with HIPAA Privacy and Security Rules, even though the majority of Department of Justice and the HHS Office of Inspector General enforcement actions are not for violations of HIPAA or security breaches, but corrupt arrangements with referral sources and false claims. There are more penalties issued by regulators for these two compliance failures than penalties for HIPAA violations. HIPAA enforcement by the HHS’ Office for Civil Rights has increased, yet the liabilities to healthcare organizations from corrupt arrangements with referral sources and false claims are far higher. Even so, these aspects of compliance are relatively low down the list of priorities, according to a recent survey of 388 healthcare professionals conducted by SAI Global and Strategic Management Services. The survey was conducted on compliance officers from healthcare organizations of all sizes, from small physician practices to large integrated hospital systems. The aim of the study was to identify the key issues faced by compliance officers and...

Read More
FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity
Apr20

FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity

The past few years have seen an explosion in the number of medical devices that have come to market. While those devices have allowed healthcare providers and patients to monitor and manage health in more ways that has ever been possible, concerns have been raised about medical device cybersecurity. Medical devices collect, store, receive, and transmit sensitive information either directly or indirectly through the systems to which they connect. While there are clear health benefits to be gained from using these devices, any device that collects, receives, stores, or transmits protected health information introduces a risk of that information being exposed. The FDA reports that in the past year, a record number of novel devices have been approved for use in the United States and that we are currently enjoying “an unparalleled period of invention in medical devices.” The FDA is encouraging the development of novel devices to address health needs, while balancing the risks and benefits. The FDA has been working closely with healthcare providers, patients, and device manufacturers to...

Read More
Version 1.1 of the NIST Cybersecurity Framework Released
Apr18

Version 1.1 of the NIST Cybersecurity Framework Released

On April 16, 2018, The National Institute of Standards and Technology released an updated version of its Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The Cybersecurity Framework was first issued in February 2014 and has been widely adopted by critical infrastructure owners and public and private sector organizations to guide their cybersecurity programs. While intended for use by critical infrastructure industries, the flexibility of the framework means it can also be adopted by a wide range of businesses, large and small, including healthcare organizations. The Cybersecurity Framework incorporates guidelines, standards, and best practices and offers a flexible approach to cybersecurity. There are several ways that the Framework can be used with ample scope for customization. The Framework helps organizations address different threats and vulnerabilities and matches various levels of risk tolerance. The Framework was intended to be a living document that can be updated and improved over time in response to feedback from users, changing...

Read More
Analysis of March 2018 Healthcare Data Breaches
Apr16

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February. Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February. Causes of March 2018 Healthcare Data Breaches March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March. The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause...

Read More
HHS Report Offers Tips to Prevent and Block SamSam Ransomware Attacks
Apr13

HHS Report Offers Tips to Prevent and Block SamSam Ransomware Attacks

The high volume of SamSam ransomware attacks on healthcare and government organizations in recent months has prompted the Department of Health and Human Services’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) to issue a report of ongoing SamSam ransomware campaigns. The report includes tips to help organizations detect and block SamSam ransomware attacks. There Have Been 10 Major SamSam Ransomware Attacks in the Past 4 Months Since December 2017, there have been 10 major attacks, mostly on government and healthcare organizations in the United States. Additional attacks have been reported in Canada and India. In January 2018, the EHR provider AllScripts experienced an attack that saw its systems taken out of action for several days, preventing around 1,500 medical practices from accessing patient data. In some cases, those practices were prevented from accessing patient data for as long as a week. In March 2018, the City of Atlanta was forced to shut down its IT systems to halt the spread of the ransomware. In that case, the attack leveraged a Windows Server...

Read More
How Long Does It Take to Breach a Healthcare Network?
Apr13

How Long Does It Take to Breach a Healthcare Network?

A recent survey of hackers, incident responders, and penetration testers has revealed the majority can gain access to a targeted system within 15 hours, but more than half of hackers (54%) take less than five hours to gain access to a system, and identify and exfiltrate sensitive data. 61% of Surveyed Hackers Took Less than 15 Hours to Obtain Healthcare Data The data comes from the second annual Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of which were based in the United States. Respondents were asked about the time it takes to conduct attacks and steal data, the motivations for attacks, the techniques used, and the industries that offered the least resistance. While the least protected industries were hospitality, retail, and the food and beverage industry, healthcare organizations were viewed as particularly soft targets. Healthcare, along with law firms, manufacturers, and sports and entertainment companies had below average results and were relatively easy to attack. As Nuix points out, many of the industries that were rated as soft targets are...

Read More
GAO Discovers Inconsistencies in CMS Oversight of Medicare Beneficiary Data Security
Apr12

GAO Discovers Inconsistencies in CMS Oversight of Medicare Beneficiary Data Security

In response to recent data breaches, the chairmen of the U.S Senate Committee on Finance, the House Committee on Ways and Means, and the House Committee on Energy and Commerce requested the U.S. Government Accountability Office conduct a study of HHS’ Centers for Medicare and Medicaid Services (CMS) to assess its efforts to protect Medicare beneficiary data accessed by external entities. The study had three main objectives: To determine the major external entities that collect, store, and share Medicare beneficiary data, to determine whether the requirements for protection of Medicare data align with federal guidance, and to assess CMS oversight of the implementation of those requirements. The study revealed the CMS has only established security requirements that align with federal guidance for some external entities and oversight of the implementation of security controls by external entities has been inconsistent. The CMS shares Medicare beneficiary data with three main types of external entities: Medicare Administrative Contractors (MACs), research organizations, and public or...

Read More
Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks
Apr09

Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve their security posture. Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails and disclose their login credentials or install malware. Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of...

Read More
HIPAA Compliance for Pharmacies
Apr06

HIPAA Compliance for Pharmacies

HIPAA is a federal law that establishes the acceptable uses and disclosures of protected health information (PHI), sets standards for the secure storage and transmission of PHI, and gives patients the right to obtain copies of their PHI. HIPAA compliance for pharmacies is not an option. The penalties for failing to comply with HIPAA can be severe. Key Elements of HIPAA Compliance for Pharmacies The combined text of HIPAA Rules published by the Department of Health and Human Services’ Office for Civil Rights is 115 pages, so covering all elements of HIPAA compliance for pharmacies is beyond the scope of this post; however, some of the key elements of HIPAA compliance for pharmacies have been outlined below. Conduct risk analyses – A comprehensive, organization wide risk analysis must be conducted to identify all risks to the confidentiality, integrity, and availability of ePHI. Any risks identified must be subjected to a HIPAA-compliant risk management process. A risk analysis is not a onetime checkbox item. Risk analyses must be conducted regularly, such as when there is a change...

Read More
Alabama Governor Enacts Data Breach Notification Act
Apr04

Alabama Governor Enacts Data Breach Notification Act

Alabama has become the 50th state to require companies to issue breach notifications to individuals whose personal information has been exposed or compromised as a result of a data breach. Governor Kay Ivey signed the act into law on March 28. The effective date is May 1, 2018. The data breach notification law has taken a long time to be enacted although Alabama residents will now have some of the best protections in the country, with the law one of the strictest introduced in any state. While every state now has a data breach notification law that requires notifications to be issued to all individuals impacted by a data breach, only 28% of U.S. states – including Alabama – also require ‘covered entities’ to maintain reasonable security measures to protect the confidentiality of sensitive personally identifying information of state residents. Service providers must also be contractually required to maintain appropriate safeguards. Sensitive personally identifying information is classed as a state resident’s first name or first initial and last name in combination with any of...

Read More
Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches
Apr03

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI. For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents. In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents. The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted...

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996, and was updated by the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records? What is the Relationship Between HITECH and HIPAA and Medical Records? Title I of HIPAA is concerned with the portability of health insurance and protecting the rights of workers between jobs to ensure health insurance coverage is maintained, which have nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI). One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for...

Read More
What is Protected by HIPAA?
Mar31

What is Protected by HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an important legislative Act that requires healthcare organizations that conduct transactions electronically to develop and implement controls to ensure the privacy of patients and security of healthcare data is safeguarded, but specifically, what is protected by HIPAA? What is Protected by HIPAA and How Must PHI be Safeguarded? All HIPAA covered entities should be well aware of the types of data that must be safeguarded in order to comply with HIPAA Rules, but many patients are unsure exactly what is protected by HIPAA. The HIPAA Privacy Rule requires HIPAA covered entities and their business associates to protect virtually all individually identifiable health information that is created, stored, maintained, or transmitted by HIPAA covered entities – typically healthcare providers, health plans and healthcare clearinghouses – and their business associates. The HIPAA Privacy Rule refers to individually identifiable health information as ‘Protected Health Information’ which includes past, present, and future...

Read More
Security Breaches in Healthcare in the Last Three Years
Mar30

Security Breaches in Healthcare in the Last Three Years

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years. There has been a steady rise in reported security beaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017. More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over year for the past three years. In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were...

Read More
Legislation Changes and New HIPAA Regulations in 2018
Mar29

Legislation Changes and New HIPAA Regulations in 2018

The policy of two out for every new regulation introduced means there are likely to be few, if any, new HIPAA regulations in 2018. However, that does not mean it will be all quiet on the HIPAA front. HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration. OCR is planning on removing some of the outdated and labor-intensive elements of HIPAA that provide little benefit to patients, although before HIPAA changes are made, OCR will seek feedback from healthcare industry stakeholders. As with previous updates, OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes. Those comments will be carefully considered before any HIPAA changes are made. The full list of proposed changes to the HIPAA Privacy Rule have not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA summit in Virginia. Severino explained there were three possible changes to HIPAA regulations in 2018, the first relates to enforcement of HIPAA Rules by OCR. Since...

Read More
Study Suggests Improper Disposal of PHI is Commonplace
Mar29

Study Suggests Improper Disposal of PHI is Commonplace

A recent study (published in JAMA) has highlighted just how frequently hospitals are disposing of PHI in an insecure manner. While the study was conducted in Canada, which is not covered by HIPAA, the results highlight an important area of PHI security that is often overlooked. Improper Disposal of PHI is More Common than Previously Thought Researchers at St. Michael’s Hospital in Toronto checked recycled paperwork at five teaching hospitals in Canada. Each of the five hospitals had policies covering the secure disposal of documents containing PHI and separate recycling bins were provided for general paperwork and documents containing sensitive information. The latter were shredded before disposal. Despite the document disposal policies, paperwork containing personally identifiable information (PII) and personal health information (PHI) were often incorrectly placed in the bins. The researchers identified 2,867 documents containing PII and 1,885 items containing personally identifiable health information in the standard recycling bins. 1,042 documents contained high sensitivity...

Read More
South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill
Mar28

South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill

South Dakota has been slow to introduce legislation to improve protections for consumers affected by breaches of their personal information. Laws have already been introduced in 48 states that require individuals and companies that store personal information to issue notifications to breach victims when that information is compromised. Last week, South Dakota residents were given similar protections to those in place in neighboring states. On March 21, 2018, South Dakota attorney general Marty Jackley issued a statement confirming SB 62 had been signed by Governor Daugaard and will take effect on July 1, 2018. The bipartisan bill requires entities that experience a breach of personal information to issue notifications to affected state residents within 60 days of discovery of the breach – The same time frame as HIPAA. Personal information is classed as the full name or first initial and last name of a state resident in combination with either a government ID number, Social Security number, driver’s license number, credit/debit card number (with an associated code that allows the...

Read More
HIPAA Rules on Contingency Planning
Mar27

HIPAA Rules on Contingency Planning

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame. A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order. Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters. Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and...

Read More
ATI Physical Therapy Data Breach Impacts 35,000 Patients
Mar22

ATI Physical Therapy Data Breach Impacts 35,000 Patients

ATI Physical Therapy has discovered the protected health information of more than 35,000 patients has potentially been compromised when threat actors gained access to the email accounts of some of its employees. A security breach was identified on January 18, 2018 when ATI Physical Therapy discovered the direct deposit information of some of its employees had been changed in its payroll platform. Prompt action was taken to protect its employees and external forensic investigators were called in to determine the full extent and scope of the breach. The investigation revealed the email accounts of certain employees had been compromised and were accessed by unauthorized individuals between January 9 and January 12, 2018. An analysis of the emails in the accounts revealed they contained the protected health information of tens of thousands of patients. The types of information potentially compromised varied per impacted individual, but may have included names, dates of birth, credit/debit card numbers, driver’s license numbers, state ID numbers, Social Security numbers,...

Read More
Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack
Mar22

Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack

According to a financial report issued by Banner Health, OCR is investigating the colossal 2016 Banner Health data breach which saw the protected health information of 3.7 million patients exposed. The breach involved Banner Health facilities at 27 locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada, and Wyoming and resulted in the exposure of highly sensitive protected health information including names, dates of birth, Social Security numbers, and health insurance information. The attackers gained access to the payment processing system used in its food and beverage outlets with a view to obtaining credit card numbers. However, once access to the network was gained, they also accessed servers containing PHI. Banner Health reports that it has cooperated with OCR’s investigation into the breach and has supplied information as requested. However, OCR was not satisfied with its response and the evidence supplied on its HIPAA compliance efforts. Specifically, OCR was not satisfied with the documentation supplied to demonstrate “past security assessment activities”...

Read More
Jail Terms for HIPAA Violations by Employees
Mar22

Jail Terms for HIPAA Violations by Employees

The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information. HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft. This month there have been two notable cases of HIPAA violations by employees, one of which has resulted in a fine and imprisonment, with the other likely to result in a longer spell in prison when sentencing takes place in June. Jail Term for Former Transformations Autism Treatment Center Employee In February, a former behavioral analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination. Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and downloaded the PHI of 300 current and former patients onto his personal computer. Approximately one month after Luke was terminated, TACT discovered patient information had...

Read More
Insider Data Breaches Continue to Plague the Healthcare Industry
Mar21

Insider Data Breaches Continue to Plague the Healthcare Industry

Protenus has published its February Healthcare Breach Barometer Report. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media in February 2018. The report, compiled from data collected from databreaches.net, indicates at least 348,889 healthcare records were confirmed as breached in February, although that figure will be considerably higher as the number of people affected by 11 breaches is not yet known. There were 39 security breaches involving protected health information in February – a slight rise from the 37 breaches reported in January, although the number of records exposed was down from January’s total of 473,807 records. Insider breaches continue to pose problems for healthcare providers with 16/39 incidents (41%) involving insiders. Those incidents resulted in the exposure/theft of 51% of all records confirmed as having been exposed or stolen in February. Protenus notes that 94% of insider breaches were the result of errors by healthcare employees, with only one confirmed...

Read More
How to Become HIPAA Compliant
Mar21

How to Become HIPAA Compliant

If you would like to start doing business with healthcare organizations you will need to know how to become HIPAA compliant, what HIPAA compliance entails, and how you can prove to healthcare organizations that you have implemented all the required safeguards and privacy controls to ensure the confidentiality, integrity, and availability of any protected health information you will be provided with or given access to. How to Become HIPAA Compliant There are no shortcuts if you want to become HIPAA compliant. HIPAA compliance means implementing controls and safeguards to ensure the confidentiality, integrity, and availability of protected health information and developing policies and procedures in line with the Healthcare Insurance Portability and Accountability Act (1996), the HIPAA Privacy Rule (2000), the HIPAA Security Rule (2003), the Health Information Technology for Economic and Clinical Health Act (2009), and the Omnibus Final Rule (2013). To become HIPAA compliant, you will need to study the full text of HIPAA (45 CFR Parts 160, 162, and 164) – which the Department...

Read More
Healthcare Data Breach Statistics
Mar20

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches...

Read More
Analysis of February 2018 Healthcare Data Breaches
Mar19

Analysis of February 2018 Healthcare Data Breaches

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018. Summary of February 2018 Healthcare Data Breaches February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches. While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed. Largest Healthcare Data Breaches of February 2018 The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below. Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of PHI St. Peter’s Surgery...

Read More
Is Zendesk HIPAA Compliant?
Mar16

Is Zendesk HIPAA Compliant?

Is Zendesk HIPAA compliant? Can Zendesk products be used by healthcare organizations in the United States for communicating with patients? In this post we explore the Zendesk platform and assess whether it has the necessary privacy and security controls to comply with HIPAA and if the company’s products can be used in connection with electronic protected health information. What is Zendesk? Zendesk is a San Francisco based customer service software and support ticketing system provider used by more than 200,000 companies for managing customer queries, providing support, and building customer relationships. The platform incudes Zendesk Support – a call center and ticketing system; Zendesk Chat – a web and mobile messaging system, and the customer service analytics solution Zendesk Insights. Zendesk Privacy and Security Controls Zendesk has implemented physical security controls at its facilities to prevent unauthorized data access and has round the clock surveillance and uses multi-factor authentication. Its network is protected by firewalls, with DoS and DDoS prevention solutions...

Read More
When Did HIPAA Take Effect?
Mar16

When Did HIPAA Take Effect?

The Health Insurance Portability and Accountability Act was a landmark piece of legislation that was originally intended to simplify the administration of healthcare, eliminate wastage and prevent healthcare fraud, and to ensure insurance coverage was not lost when employees were between jobs. When Did HIPAA Take Effect? HIPAA was signed into law by President Clinton on August 21, 1996, although HIPAA has been updated several times over the past 20 years and many new provisions have been incorporated to improve privacy protections and security to ensure health information remains confidential. The main updates to HIPAA are summarized below. The HIPAA Privacy Rule The HIPAA Privacy Rule was a major update to HIPAA and introduced many of the aspects for which HIPAA is known today. The HIPAA Privacy Rule defined ‘Protected Health Information (PHI), patients were given the right to obtain copies of their protected health information from HIPAA covered entities, and strict rules were introduced on the allowable uses and disclosures of PHI. When did the Privacy Rule of HIPAA Take...

Read More
OIG FISMA Compliance Review of HHS Shows Improvements Made but Vulnerabilities Remain
Mar15

OIG FISMA Compliance Review of HHS Shows Improvements Made but Vulnerabilities Remain

The Department of Health and Human Services’ Office of Inspector General has published the findings of its 2017 fiscal review of HHS compliance with the Federal Information Security Modernization Act of 2014. The FISMA compliance review revealed the HSS is continuing to make improvements to its information security program, although OIG identified several areas of weakness. The findings from the latest FISMA compliance review highlighted similar vulnerabilities and weaknesses to the review conducted for fiscal 2016. A department-wide Continuous Diagnostics and Mitigation (CDM) program is being developed by the HHS which will allow it to monitor its networks, information systems, and personnel activity and information security programs have been strengthened since the review was last conducted. However, OIG identified several areas where improvements could be made. Weaknesses and vulnerabilities were found in HHS risk management, identity and access management, configuration management, security training, incident response, contingency planning and information security continuous...

Read More
Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year
Mar14

Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year

A recent Ponemon Institute survey has revealed 62% of healthcare organizations have experienced a data breach in the past 12 months. More than half of those organizations experienced data loss as a result. The Merlin International sponsored survey was conducted on 627 healthcare industry leaders from hospitals and payer organizations. 67% of respondents worked in hospitals with 100-500 beds and had an estimated 10,000 to 100,000 networked devices. Last year more than 5 million healthcare records were exposed or stolen, and the healthcare was the second most targeted industry behind the business sector. 2017 was the fourth consecutive year that the healthcare industry has been second for data breaches and there are no signs that cyberattacks are likely to reduce over the coming year. Even though there is a high probability of experiencing a cyberattack, 51% of surveyed organizations have yet to implement an incident response program. This lack of preparedness can hamper recovery if a cyberattack is experienced. As the Cost of a Data Breach Study by the Ponemon Institute showed, a...

Read More
What is a HIPAA Violation?
Mar14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
Is it a HIPAA Violation to Email Patient Names?
Mar14

Is it a HIPAA Violation to Email Patient Names?

We have been asked is it a HIPAA violation to email patient names and other protected health information? In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information. Is it a HIPAA Violation to Email Patient Names? Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule. HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data. It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected...

Read More
2018 HIPAA Changes and Enforcement Outlook
Mar13

2018 HIPAA Changes and Enforcement Outlook

Are there likely to be major 2018 HIPAA changes? What does this year have in store in terms of new HIPAA regulations? OCR Director Roger Severino has hinted there could be some 2018 HIPAA changes and that HIPAA enforcement in 2018 is unlikely to slowdown. Are Major 2018 HIPAA Changes Likely? The Trump administration has made it clear that there should be a decrease rather than an increase in regulation in the United States. In January 2017, Trump signed an executive order calling for a reduction in regulation, which was seen to be hampering America’s economic growth. At the time Trump said, “If there’s a new regulation, they have to knock out two. But it goes far beyond that, we’re cutting regulations massively for small business and for large business.” While Trump was not specifically referring to healthcare, it is clear we are currently in a period of deregulation. Trump’s words were recently echoed by Severino at the HIMSS conference who confirmed the HSS understands deregulation in some areas is required before further regulations can be introduced. Therefore, there are...

Read More
PHI of 33,420 BJC Healthcare Patients Exposed on Internet for 8 Months
Mar13

PHI of 33,420 BJC Healthcare Patients Exposed on Internet for 8 Months

The protected health information of 33,420 patients of BJC Healthcare has been accessible on the Internet for eight months without any need for authentication to view the information. BJC Healthcare is one of the largest not-for profit healthcare systems in the United States. The St. Louis-based healthcare organization runs two nationally recognized hospitals in Missouri – Barnes-Jewish Hospital and St. Louis Children’s Hospital along with 13 others. The health system employs more than 31,000 individuals, has over 154,000 hospital admissions and performs more than 175,000 home health visits a year. On January 23, 2018, BJC Healthcare performed a security scan which revealed one of its servers had been misconfigured which allowed sensitive information to be accessed without authentication. Action was immediately taken to reconfigure and secure the server to prevent data from being accessed. The investigation revealed an error had been made configuring the server on May 9, 2017, leaving documents and copies of identification documents accessible. Highly sensitive...

Read More
HIPAA Social Media Rules
Mar12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations. There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media The first rule of using social media in healthcare is to never disclose...

Read More
HIMSS Survey Reveals Top Healthcare Security Threats
Mar09

HIMSS Survey Reveals Top Healthcare Security Threats

HIMSS has published the results of its annual healthcare cybersecurity survey, which provides insights into the state of cybersecurity in healthcare and identifies the top healthcare security threats. The HIMSS 2018 cybersecurity survey was conducted on 239 respondents from the healthcare industry between December 2017 and January 2018. The results of the survey were announced at the HIMSS 2018 Conference & Exhibition in Las Vegas. 36.8% of respondents had positions in executive management and 37.2% were employed in non-executive management positions. The remaining 25.9% were in non-management positions such as cybersecurity specialists and analysts. 41.2% of respondents were primarily responsible for cybersecurity, 32.6% had some responsibility, and 11.8% sometimes had responsibility for cybersecurity. Most Healthcare Organizations Have Experienced a Significant Security Incident in the Past 12 Months The threat of healthcare cyberattacks is greater than ever and the past 12 months has been a torrid year. In the past 12 months, 75.7% of respondents said they had experienced a...

Read More
Why is HIPAA Important to Patients?
Mar08

Why is HIPAA Important to Patients?

Most Americans have heard of HIPAA and know that the legislation applies to healthcare organizations, but many do not understand why HIPAA is important to patients. The Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act of 1996 – or HIPAA – is a federal law that applies to healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically. HIPAA also applies to vendors – business associates – that perform functions on behalf of HIPAA-covered entities that requires them to have access to protected health information (PHI) or be provided with copies of PHI. (See What is Protected Health Information). HIPAA was signed into law by Bill Clinton in 1996, although the legislation has had some significant updates over the years, notably the HIPAA Privacy Rule in 2000, the Security Rule in 2003, and the Breach Notification Rule in 2009. (See our HIPAA History page for more information) Initially HIPAA was intended to improve the health insurance system and simplify the administration of...

Read More
Alabama Data Breach Notification Act Passed by State Senate
Mar08

Alabama Data Breach Notification Act Passed by State Senate

The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week. Alabama is one of two states that has yet to introduce legislation that requires companies to issue notifications to individuals whose personal information is exposed in data breaches. The other state – South Dakota – is also considering introducing similar legislation to protect state residents. The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to issue notifications to state residents when their sensitive personal information has been exposed and it is reasonably likely to result in breach victims coming to substantial harm. Entities that would be required to comply with the Alabama Data Breach Notification Act are persons, sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive...

Read More
Is a HIPAA Violation Grounds for Termination?
Mar07

Is a HIPAA Violation Grounds for Termination?

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules? Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy? Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination? Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations. When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for...

Read More
Is Google Calendar HIPAA Compliant?
Mar07

Is Google Calendar HIPAA Compliant?

Is Google Calendar HIPAA compliant? Can the time management and calendar scheduling service be used by healthcare organizations or would use of the service be considered a violation of HIPAA Rules? This post explores whether Google supports HIPAA compliance for the Google Calendar service.   Google Calendar was launched in 2006 and is part of Google’s G Suite of products and services. Google Calendar could potentially be used for scheduling appointments, which may require protected health information to be added. Uploading any protected health information to the cloud is not permitted by the HIPAA Privacy Rule unless certain HIPAA requirements have first been satisfied. A risk analysis must be conducted to assess potential risks to the confidentiality, integrity, and availability of ePHI. Risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an...

Read More
EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach
Mar07

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General. While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members. Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information. The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law §...

Read More
What is HIPAA Certification?
Mar06

What is HIPAA Certification?

Many vendors would like HIPAA certification to confirm they are fully compliant with HIPAA Rules and understand all aspects of the Health Insurance Portability and Accountability Act (HIPAA), but is it possible to obtain HIPAA certification to confirm HIPAA compliance? What is HIPAA Certification? In an ideal world, HIPAA certification would confirm that all aspects of HIPAA Rules are understood and being followed. If a third-party vendor such as a transcription company was HIPAA certified, it would make it easier for healthcare organizations looking for such as service to select an appropriate vendor. Many companies claim they have been certified as HIPAA compliant or in some cases, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ is a misnomer. There is no official, legally recognized HIPAA compliance certification process or accreditation. There is a good reason why this is the case. HIPAA compliance is an ongoing process. An organization may be determined to be in compliance with HIPAA Rules today, but that does not mean that they will be tomorrow or at some point in...

Read More
How to Report a HIPAA Violation Anonymously
Mar06

How to Report a HIPAA Violation Anonymously

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated of if HIPAA Rules are not being followed in your organization. When Can an Alleged HIPAA Violation be Reported? Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those...

Read More
New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach
Mar05

New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach

A malware infection at St. Peter’s Surgery & Endoscopy Center in New York has potentially allowed hackers to gain access to the medical records of almost 135,000 patients. This is the second largest healthcare data breach of 2018, the largest to hit New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016, and the fifth largest healthcare data breach in New York since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries in October 2009. The data breach at St. Peter’s Surgery & Endoscopy Center was discovered on January 8, 2018: The same day as hackers gained access to its server. The rapid detection of the malware limited the time the hackers had access to the server and potentially prevented patients’ data from being viewed or copied. However, while no evidence of data access or data theft was discovered, it was not possible to rule either out with a high degree of certainty. In its substitute branch notice, St. Peter’s Surgery & Endoscopy Center says the servers it uses...

Read More
Is Google Slides HIPAA Compliant?
Mar05

Is Google Slides HIPAA Compliant?

Is Google Slides HIPAA compliant? Can Google Slides be used by healthcare organizations without violating HIPAA Rules? This post explores whether Google Slides is HIPAA compliant and whether it is possible to use the presentation editor in connection with electronic protected health information. Google Slides is a presentation editor that allows users to create slide shows, training material, and project presentations. It is an ideal option for users who do not regularly create slide shows or presentations and do not have a software package that offers the same functionality. Google Slides is available free of charge for consumers to use and is equivalent to Microsoft’s PowerPoint. Healthcare organizations that are looking to create training courses and slideshows that involve the use of data protected by HIPAA need to exercise caution. Use of Google Slides with electronic protected health information could potentially violate HIPAA Rules and patient privacy. That could all too easily result in a financial penalty. Google Slides is a web-based presentation program that is not...

Read More
Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members
Mar02

Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members

Tufts Health Plan is alerting 70,320 of its members that their health plan member ID numbers have been exposed. A mailing vendor used by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage members between December 11, 2017 and January 2, 2018. Window envelopes were used which naturally allowed plan members’ names and addresses to be seen, but Tufts Health Plan member IDs were also visible through the plastic windows of the envelopes. The mailing error was discovered by Tufts Health Plan on January 18. Tufts Health Plan notes that its member IDs are not comprised of Social Security numbers or Medicare numbers, but potentially the member ID numbers could be misused by individuals to receive services covered by the health plan. Legal experts were consulted about the breach to assess the potential risk to plan members. The risk of misuse of the numbers is believed to be very low as the only individuals likely to see the member IDs would be employees of the postal service. Plan members have been told that in the unlikely event that their member IDs are misused...

Read More
Hacking Responsible for 83% of Breached Healthcare Records in January
Mar01

Hacking Responsible for 83% of Breached Healthcare Records in January

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records. The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Out of the 37 healthcare data breaches reported in January 12 were attributed to insiders – 32% of all data breaches. While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals – just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. 7 incidents were attributed to insider error and five were due to insider wrongdoing. Protenus has drawn attention to one particular insider breach. A nurse...

Read More
Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year
Feb27

Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year

According to a recent report in the Post and Courier, the Medical University of South Carolina (MUSC) terminated 13 employees last year for violating HIPAA Rules by snooping on patient records. In total, there were 58 privacy violations in 2017 at MUSC, all of which have been reported to the Department of Health and Human Services’ Office for Civil Rights. All of the breaches affected only small numbers of patients. Out of the 58 breaches, 11 incidents were categorized as snooping on medical records. Other breaches were unauthorized disclosures such as when the health information of a patient is accidentally sent or faxed to the wrong person. Over the past five years, there have been 307 breaches detected at MUSC, resulting in 30 members of non-physician staff being fired. None of the breaches have been listed on the OCR breach portal, which only shows breaches impacting 500 or more individuals. Under HIPAA Rules, all PHI breaches must be reported, although it is only large breaches of more than 500 records that are made public and are detailed on the breach portal. The revelations...

Read More
OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit
Feb26

OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit

The U.S. Office of Personnel Management (OPM) Office of the Inspector General Office of Audits (OIG) has issued a Flash Audit Alert alleging Health Net of California has refused to cooperate with a recent security audit. Health Net provides benefits to federal employees, and under its contract with OPM, is required to submit to audits. OPM has been conducting security audits on FEHBP insurance carriers for the past 10 years, which includes scanning for vulnerabilities that could potentially be exploited to gain access to the PHI of FEHBP members. When OPM conducts audits, it is focused on the information systems that are used to access or store the data of Federal Employee Health Benefit Program (FEHBP) members. However, OPM points out that many insurance carriers do not segregate the data of FEHBP members from the data of commercial and other Federal customers. Audits of technical infrastructure need to be conducted on all parts of the system that have a logical or physical nexus with FEHBP data. Consequently, systems containing data other than that of FEHBP members will similarly...

Read More
Is Google Sheets HIPAA Compliant?
Feb26

Is Google Sheets HIPAA Compliant?

Is Google Sheets HIPAA compliant? Can HIPAA-covered entities use Google Sheets to create, view, or share spreadsheets containing identifiable protected health information or would using Google Sheets violate HIPAA Rules? In this post we assess whether Google Sheets supports HIPAA compliance.  Under HIPAA Rules, healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of PHI. While it is straightforward to implement controls internally to keep data secure, oftentimes third parties are contracted to provide services that require access to PHI. They too must abide by HIPAA Rules covering privacy, security, and breach notifications. A third-party that requires access to PHI – or copies of health data – to perform services on behalf of a covered entity is considered a business associate. A covered entity and business associate must enter into a contract – a business associate agreement – in which the business associate agrees to comply with certain aspects of the HIPAA Privacy, Security, and Breach Notification...

Read More
Is IBM Cloud HIPAA Compliant?
Feb23

Is IBM Cloud HIPAA Compliant?

Is IBM Cloud HIPAA compliant? Is the cloud platform suitable for healthcare organizations in the United States to host infrastructure, develop health applications and store files? In this post we assess whether the IBM Cloud supports HIPAA compliance and the platform’s suitability for use by healthcare organizations. IBM offers a cloud platform to help organizations develop their mobile and web services, build native cloud apps, and host their infrastructure along with a wide range of cloud-based services for the capture, analysis, and processing of data. The platform has already been adopted by many healthcare providers, payers, and health plans, and applications and portals have been developed to provide patients with better access to their health information. IBM Cloud Security IBM is a leader in the field of network and data security, and its expertise has meant its cloud platform is highly secure. Security is built into the core of all of the firm’s software and services to ensure that sensitive data remains confidential and cannot be accessed by unauthorized individuals. Its...

Read More
1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware
Feb22

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection. The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients. The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician. Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23,...

Read More
Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days
Feb22

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data. Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration. The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just...

Read More
Research Institutions Given Additional 6 Months to Comply with Updated Common Rule
Feb21

Research Institutions Given Additional 6 Months to Comply with Updated Common Rule

Updates to the Common Rule – The Federal Policy for the Protection of Human Subjects – that were initially due to come into effect on January 19, 2018 have been delayed by 6 months, giving research organizations more time to comply with the new provisions. The new compliance date is July 19, 2018, although the provision covering cooperative research still has a compliance date of Jan 20, 2020. Several healthcare organizations, including the American Medical Informatics Association (AMIA), the Associated of American Medical Colleges (AAMC), and the Association of American Universities (AAU), called for the compliance date to be pushed back due to uncertainty surrounding the final rule. A delay would allow institutions additional time to ensure compliance and would allow federal agencies more time to issue guidance to researchers to help them implement the updated regulations. 16 federal departments, including the Department of Health and Human Services, made revisions to the Common Rule. In a notice of proposed Rulemaking, the need for the delay to the compliance date was...

Read More
AJMC Study Reveals Common Characteristics of Hospital Data Breaches
Feb20

AJMC Study Reveals Common Characteristics of Hospital Data Breaches

The American Journal of Managed Care has published a study of hospital data breaches in the United States. The aim of the study was to identify common characteristics of hospital data breaches, what the biggest problem areas are, the main causes of security incidents and the types of information most at risk. The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016. Over that 7-year time period there were 215 breaches reported by 185 nonfederal acute care hospitals and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals experienced 2 breaches. In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the theft/exposure of the highest number of health records. While...

Read More
Is Yammer HIPAA Compliant?
Feb20

Is Yammer HIPAA Compliant?

Is Yammer HIPAA compliant? Does the platform incorporate all the necessary administrative and technical controls to meet HIPAA requirements? This post explores whether Yammer supports HIPAA compliance and assesses whether the platform can be used by healthcare organizations without violating HIPAA Rules. What is Yammer? Yammer has been a standalone social networking and collaboration platform since 2008. Its popularity and potential were noticed by Microsoft, which purchased the company in 2012. Today the platform is used by 85% of Fortune 500 companies. The freemium platform allows company employees to communicate with each other, collaborate on projects, share knowledge, and ask and get quick answers from co-workers.  Due to similarities in its architecture and functionality, it is often referred to as ‘Twitter for companies’. In contrast to other social media platforms, communications are private and are not published online. The platform can be kept as a strictly internal communication and collaboration tool, although it is also possible to use the platform to communicate with...

Read More
What Covered Entities Should Know About Cloud Computing and HIPAA Compliance
Feb19

What Covered Entities Should Know About Cloud Computing and HIPAA Compliance

Healthcare organizations can benefit greatly from transitioning to the cloud, but it is essential to understand the requirements for cloud computing to ensure HIPAA compliance. In this post we explain some important considerations for healthcare organizations looking to take advantage of the cloud, HIPAA compliance considerations when using cloud services for storing, processing, and sharing ePHI, and we will dispel some of the myths about cloud computing and HIPAA compliance. Myths About Cloud Computing and HIPAA Compliance There are many common misconceptions about the cloud and HIPAA compliance, which in some cases prevent healthcare organizations from taking full advantage of the cloud, and in others could result in violations of HIPAA Rules. Some of the common myths about cloud computing and HIPAA compliance are detailed below: Use of a ‘HIPAA compliant’ cloud service provider will ensure HIPAA Rules are not violated False: A cloud service provider can incorporate all the necessary safeguards to ensure the service or platform can be used in a HIPAA compliant manner, but it is...

Read More
January 2018 Healthcare Data Breach Report
Feb14

January 2018 Healthcare Data Breach Report

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January which is a considerable improvement on the 39 incidents reported in December 2017. Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month where the number of breached records increased month over month. The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. In January, the healthcare data breaches reported were far less severe than in December. In January the median breach size was 1,500 records. In December it was...

Read More
Is eFileCabinet HIPAA Compliant?
Feb14

Is eFileCabinet HIPAA Compliant?

eFileCabinet is a document management and storage solution for businesses that offers on-site and cloud storage, but is the service suitable for the healthcare industry? Is eFileCabinet HIPAA compliant or will using the platform be considered a violation of HIPAA Rules? What are Document Management Systems? Document management systems allow organizations to carefully manage electronic documents and store them securely in one location. With huge volumes of documents being created, such systems take the stress out of document management and can help HIPAA covered entities share documents containing ePHI securely and avoid HIPAA violations. There are many document management systems on the market, but not all support HIPAA compliance, so what about eFileCabinet? Is eFileCabinet HIPAA compliant? eFileCabinet Security and Privacy Controls Security controls include the encryption of data in transit and at rest with 256-bit encryption. Sensitive data can be securely shared with third-parties and remote employees via the company’s SecureDrawer feature. SecureDrawer allows files to be...

Read More
$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes
Feb14

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses close the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading. FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations. An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork. That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In...

Read More
Is Box HIPAA Compliant?
Feb13

Is Box HIPAA Compliant?

Is Box HIPAA compliant? Can Box be used by healthcare organizations for the storage of documents containing protected health information or would doing so be a violation of HIPAA Rules? An assessment of the security controls of the Box cloud storage and content management service and its suitability for use in healthcare. What is Box? Box is a cloud storage and content management service that supports collaboration and file-sharing. Users can share files, invite others to view, edit or upload content. Box can be used for personal use; however, businesses need to sign up for either a business, enterprise, or elite account. Is Box Covered by the Conduit Exception Rule? The HIPAA conduit exception rule was introduced to allow HIPAA covered entities to use certain communications channels without having to obtain a business associate agreement. The conduit exception rule applies to telecoms companies and Internet service providers that act as conduits through which data flows. Cloud storage services are not covered under the HIPAA conduit exception rule, even if those entities claim...

Read More
Healthcare Industry Scores Poorly on Employee Security Awareness
Feb13

Healthcare Industry Scores Poorly on Employee Security Awareness

A recent report published by security awareness training company MediaPro has revealed there is still a lack of preparedness to deal with common cyberattack scenarios and privacy and security threats are still not fully understood by healthcare professionals. For MediaPro’s 2017 State of Privacy and Security Awareness Report, the firm surveyed 1,009 US healthcare industry employees to assess their level of security awareness. Respondents were asked questions about common privacy and security threats and were asked to provide answers on several different threat scenarios to determine how they would respond to real world threats. Based on the responses, MediaPro assigned respondents to one of three categories. Heroes were individuals who scored highly and displayed a thorough understanding of privacy and security threats by answering 93.5%-100% of questions correctly. Novices showed a reasonable understanding of threats, answering between 77.4% and 90.3% of answers correctly. The lowest category of ‘Risks’ was assigned to individuals with poor security awareness, who scored 74.2% or...

Read More
Is Ademero HIPAA Compliant?
Feb12

Is Ademero HIPAA Compliant?

Ademero is a document management software (DMS) provider whose platform helps businesses keep track of large quantities of documents and transition to a paperless environment, but is Ademero HIPAA compliant? Can its DMS be used by healthcare organizations without violating HIPAA Rules? Ademero and HIPAA The HIPAA Security Rule includes required and addressable implementation specifications. Any implementation specification that is required must be implemented to comply with HIPAA Rules. Addressable implementation specifications are not required, strictly speaking. Those implementation specifications include some flexibility. For instance, data encryption is not a required element, but that does not mean it can be ignored. If the decision is taken not to encrypt data that is acceptable provided that decision was based on a risk analysis and the decision not to use encryption is documented. Alternative controls must also be put in place that provide an equivalent level of protection. Software solutions that support HIPAA compliance will have appropriate controls in place to satisfy...

Read More
How Many HIPAA Violations in 2017 Resulted in Financial Penalties?
Feb11

How Many HIPAA Violations in 2017 Resulted in Financial Penalties?

We are often asked about healthcare data breaches and HIPAA violations and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017. How Many HIPAA Violations Occurred in 2017? The problem with determining how many HIPAA violations occurred in 2017 is many violations are not reported, and out of those that are, it is only the HIPAA breaches that impact more than 500 individuals that are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”. To call it a ‘Wall of Shame’ is not fair on healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes if for a patch not to be applied immediately or an employee to...

Read More
Texas HB300 Compliance
Feb10

Texas HB300 Compliance

Texas HB300 (Texas House Bill 300) was signed into law by State governor Rick Perry in June 2011. The Bill made significant changes to state laws covering the privacy and security of protected health information (PHI) for individuals and organizations that assemble, collect, analyze, store, or transmit PHI. The Texas HB300 compliance date was September 1, 2012. Texas HB300 Introduced Stricter Privacy and Security Protections than HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of PHI and protect the privacy of patients and health plan members. Texas HB300 takes those requirements a step further, introducing even stricter requirements for covered entities, which under the new laws, also includes individuals and organizations not covered by HIPAA Rules. The existing laws updated by Texas HB300 were: Texas Health Code,...

Read More
Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed
Feb02

Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed

Massachusetts Attorney General Maura Healey has announced the launch of a new online data breach reporting tool. The aim is to make it as easy as possible for breached entities to submit breach notifications to the Attorney General’s office. Under Massachusetts data breach notification law (M.G.L. c. 93H), organizations experiencing a breach of personal information must submit a notification to the Massachusetts attorney general’s office as soon as it is practicable to do so and without unnecessary delay. Breaches must also be reported to the Director of the Office of Consumer Affairs and Business Regulation (OCABR) and notifications must be issued to affected individuals. “Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” said Healey. “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.” Regarding the latter, the Mass. Attorney...

Read More
$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches
Feb01

$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches

The first HIPAA settlement of 2018 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Fresenius Medical Care North America (FMCNA) has agreed to pay OCR $3.5 million to resolve multiple potential HIPAA violations that contributed to five separate data breaches in 2012. The breaches were experienced at five separate covered entities, each of which was owned by FMCNA. Those breached entities were: Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval) Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove) Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin) Fresenius Vascular Care Augusta, LLC (FVC Augusta) WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island) Breaches Experienced by FMCNA HIPAA Covered Entities The five security breaches were experienced by the FMCNA covered entities over a period of four months...

Read More
Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case
Jan25

Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones. Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis. The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $1.15 million settlement with the New York Attorney General to resolve violations of federal and state laws. Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had...

Read More
Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records
Jan25

Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records

The Topeka, KS-based healthcare company Pearlie Mae’s Compassion and Care LLC and its owners have been fined by the Kansas Attorney General for failing to protect patient and employee records. The owners have agreed to pay a civil monetary penalty of $8,750. The HITECH Act gave attorneys general the authority to enforce HIPAA rules and take action against HIPAA-covered entities and business associates that are discovered not to be in compliance with HIPAA regulations. Only a handful of state attorneys general have exercised those rights, with many opting to pursue privacy violations under state laws. In this case, Attorney General Derek Schmidt issued the civil monetary penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act. Special agents of the Kansas attorney general’s office were assisting the Topeka Police Department execute a search warrant in June 2017 at the home of Ann Marie Kaiser, one of the owners of Pearlie Mae’s Compassion and Care. Kaiser’s home was used as an office location for the company. While at the property, the...

Read More
Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill
Jan24

Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill

The Senate Attorney Judiciary Committee in South Dakota has overwhelmingly voted in favor of introducing data breach notification legislation. The bill, introduced by the Committee on Judiciary at the request of the Attorney General Marty Jackley, advanced after a 7-0 vote. Currently there are only two states in the US that have yet to introduce data breach legislation to protect state residents. With South Dakota now looking likely to introduce new protections for state residents, Alabama looks like it will be the only state lacking a data breach notification law. The Bill – South Dakota Senate Bill No. 62 – requires notifications to be issued to state residents and the Attorney General following a breach that impacts 250 or more state residents. The breach notifications would need to be issued without unnecessary delay and no later than 45 days following the discovery of a breach, unless a delay is requested by law enforcement. Breach notifications would not be required if the breached entity, along with the attorney general, determines that consumers would be unlikely to be...

Read More