Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules
Apr16

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules. For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules. The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year. Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%). Out of the five...

Read More
March 2019 Healthcare Data Breach Report
Apr15

March 2019 Healthcare Data Breach Report

In March 2019, healthcare data breaches continued to be reported at a rate of one a day. 31 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is almost 14% higher than the average of the past 60 months.   The number of reported breaches fell by 3.12% month over month and there was a 56.79% decrease in the number of breached healthcare records. March saw the healthcare records of 912,992 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches. Causes of March 2019 Healthcare Data Breaches The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 88.40% of all compromised records (807,128 records). There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft...

Read More
OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits
Apr04

OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter. Healthcare organizations are attractive targets for hackers due to quantity of sensitive data they store. Individual’s protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals. Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value cybercriminals. The information can be used by foreign governments to drive innovation. There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits. An advanced persistent threat (APT) is a term used to refer to repeated cyberattacks that attempt to exploit vulnerabilities to gain...

Read More
Amazon Launches New System for De-identifying Medical Images
Apr02

Amazon Launches New System for De-identifying Medical Images

Amazon has announced that it has developed a new system that allows identifying protected health information contained in medical images to be automatically removed to prevent patients from being identified from the images. Medical images often have patients’ protected health information stored as text within the image, including the patient’s name, date of birth, age, and other metrics. Prior to the images being used for research, authorization must be obtained from the patient or all identifying data must be permanently removed.  Removing PHI from images requires a manual check and alteration of the image to redact the PHI and that can be an expensive and time-consuming process, especially when large number of images must be de-identified. The new system uses Amazon’s Rekognition machine-learning service, which can detect and extract text from images. The text is then fed through Amazon Comprehend Medical to identify any PHI. In combination with Python code it is possible to quickly redact any PHI in the images. The system works on PNG, JPEG, and DICOM images. A confidence score...

Read More
Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations
Apr01

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed. According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug, propofol, from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego. During the time that the cameras were recording 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped. A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts. The lawsuit states that, “At times,...

Read More
Health Apps Share User Data but Lack Transparency About the Practice
Mar29

Health Apps Share User Data but Lack Transparency About the Practice

Mobile health apps are commonly used to track health metrics and promote healthier lifestyles, and as such, they record a range of sensitive health information. What consumers may be unaware of is how that data is used and with whom the information is shared. Information entered into an app is commonly shared with multiple third parties and the data is often monetized, but consumers are left in the dark about the practice. A study of data sharing practices by medicines-related apps, published in the BMJ, revealed that out of 24 apps that were studied, 19 (79%) shared user data with third parties. The types of apps that were assessed pertained to dispensing, administration, prescribing or use of medicines. Each app was subjected to simulated real world use with four dummy scripts. The researchers found user data was shared with 55 different entities, from 46 parent companies, which either received or processed the data. Those entities included app developers, parent companies, and third-party service providers. 67% of the third parties provided services related to the collection or...

Read More
Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices
Mar27

Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices

Earlier this month, the eHealth Initiative Foundation and Manatt Health issued a brief that calls for the introduction of a values framework to better protect health information collected, stored, and used by organizations that are not required by law to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules. Health information is increasingly being collected by a wide range of apps and consumer devices. In many cases, the types of data collected by these apps and devices are the same as those collected and used by healthcare organizations. While healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of health information and uses and disclosures of that information are restricted, the same rules do not cover the data if the information is collected by other entities. It doesn’t matter what type of organization stores or uses the data. If that information is exposed it can cause considerable harm, yet this is currently something of a gray area that current regulations do not cover properly. At...

Read More
Texas Department of Aging and Disability Services Agrees to $1.6 Million Settlement Over 2015 Data Breach
Mar27

Texas Department of Aging and Disability Services Agrees to $1.6 Million Settlement Over 2015 Data Breach

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients. The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015. OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. On July 2015, OCR notified DADS that the investigation had revealed there had been multiple violations of HIPAA Rules. DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. There had also been a failure to implement appropriate...

Read More
D.C. Attorney General Proposes Tougher Breach Notification Laws
Mar25

D.C. Attorney General Proposes Tougher Breach Notification Laws

Washington D.C. Attorney General Karl. A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach. On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach. Currently laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers. If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military Identification data, and health insurance information. Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches...

Read More
Concerns Raised with FDA over Medical Device Security Guidance
Mar22

Concerns Raised with FDA over Medical Device Security Guidance

The U.S. Food and Drug Administration (FDA) is reviewing feedback on the guidance for medical device manufacturers issued in October 2018. Comments have been submitted on the guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, by more than 40 groups and healthcare companies before the commenting period closed on March 18. Feedback will be taken on board and the guidance will be updated accordingly. The final version of the guidance is expected to be released later this year. The requirement for medical device manufacturers to submit a ‘Cybersecurity Bill of Materials’ to the FDA as part of the premarket review has been broadly praised. The CBOM needs to include a list of software and hardware components which have vulnerabilities or are susceptible to vulnerabilities. The CBOM will help healthcare organizations assess and manage risk. However, concerns have been raised by several groups about having to include all hardware components, as it may not even be possible for device manufacturers to provide that information. If hardware...

Read More
Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs
Mar22

Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs

Two vulnerabilities have been identified in the Conexus telemetry protocol used by Medtronic MyCarelink monitors, CareLink monitors, CareLink 2090 programmers, and 17 implanted cardiac devices. Both vulnerabilities require a low level of skill to exploit, although adjacent access to a vulnerable device would be required to exploit either vulnerability. The most serious vulnerability, rated critical, is a lack of authentication and authorization controls in the Conexus telemetry protocol which would allow an attacker with adjacent short-range access to a vulnerable device to inject, replay, modify, and/or intercept data within the telemetry communication when the product’s radio is turned on. An attacker could potentially change memory in a vulnerable implanted cardiac device which could affect the functionality of the device. The vulnerability is being tracked as CVE-2019-6538 and has been assigned a CVSS v3 base score of 9.3. A second, medium severity vulnerability concerns the transmission of sensitive information in cleartext. Since the Conexus telemetry protocol does not use...

Read More
February 2019 Healthcare Data Breach Report
Mar18

February 2019 Healthcare Data Breach Report

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January. The number of reported breaches may have fell by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – A 330% increase from the previous month. Causes of Healthcare Data Breaches in February 2019 Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports. 75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents. There were four unauthorized access/disclosure incidents and 4 cases of theft of physical or electronic PHI. The...

Read More
HIPAA Compliant Online Forms
Mar12

HIPAA Compliant Online Forms

Web forms offer healthcare organizations an easy way to digitally collect information from patients, but care must be taken not to violate HIPAA Rules. To collect any health data, HIPAA compliant online forms must be used. HIPAA Compliant Online Forms Must be Used for Collecting Health Information The HIPAA Privacy and Security Rules requires all HIPAA-covered entities and business associates to implement a range of safeguards to ensure the confidentiality, integrity, and availability of protected health information. Online forms are not specifically mentioned in the HIPAA text, but the Privacy and Security Rules do apply to online forms. Large healthcare organizations are more likely to have in-house staff with the skills to create forms that comply with HIPAA Rules, but many covered entities take advantage of the convenience of third-party webform solutions. There are many companies that offer HIPAA compliant online forms software that allows forms to be quickly spun up and used for a wide range of purposes such as onboarding new patients, obtaining consent, collecting payments,...

Read More
Lawmakers Propose Florida Biometric Information Privacy Act
Mar12

Lawmakers Propose Florida Biometric Information Privacy Act

Senator Gary Farmer (D-FL) and Representative Bobby DuBose (D-FL) have proposed new bills (SB 1270 /HB 1153) that require all private entities to obtain written consent from consumers prior to collecting or using their biometric data. The Florida Biometric Information Privacy Act is similar to the Illinois Biometric Information Privacy Act which was signed into law in 2008 and would require private entities to notify consumers about the reasons for collecting biometric information and the proposed uses of that information when obtaining consent. Policies covering data retention and disposal of the information would also need to be made available to the public. Private entities would also be prohibited from profiting from an individual’s biometric information and must not sell, lease, or trade biometric information. Private entities will be required to implement safeguards to protect stored biometric information to ensure the information remains private and confidential. When the purpose for collecting the information has been achieved, or after three years following the last...

Read More
25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months
Mar11

25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

The Verizon Mobile Security Index 2019 report indicates 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months. All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation. Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months. While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices. 85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to...

Read More
IRS Issues Warning About Tax-Related Phishing Scams
Mar05

IRS Issues Warning About Tax-Related Phishing Scams

The IRS has launched its 2019 ‘Dirty Dozen’ campaign warning taxpayers about the most common tax-related phishing scams that lead to tax fraud and identity theft. Each year the IRS provides taxpayers, businesses, and tax professionals with information on the 12 most common phishing and tax scams to raise awareness of the most prevalent threats. During tax season, cybercriminals are highly active and seek tax information to commit identity theft and submit fraudulent tax returns. Each year, many consumers are fooled into disclosing their personal information and scores of organizations fall victim to these scams and disclose the tax information of employees to scammers. The scams are conducted over the phone, via text messages, on social media platforms, websites, and via email. On March 4, 2019, the IRS launched this year’s Dirty Dozen campaign with a warning about the most serious threat during tax season – phishing. On each of the following 11 weekdays, the IRS will highlight a different scam. Tax-related phishing scams are often cleverly disguised. Emails are sent that appear to...

Read More
Nevada Senator Proposes New Federal Data Privacy Act
Mar04

Nevada Senator Proposes New Federal Data Privacy Act

Nevada Senator Catherine Cortex Masto, (D-NV) has introduced a bill – the Data Privacy Act – which calls for greater accountability and transparency for data collection practices, improved privacy protections for consumers, and the prohibition of discriminatory data practices. HIPAA-covered entities are required to obtain consent from patients prior to using or disclosing their health information for reasons other than the provision of healthcare, payment for healthcare, or for healthcare operations. However, companies not bound by HIPAA Rules do not have the same restrictions in place. Several states have introduced or are considering introducing laws covering health and other sensitive data collected by entities that are not covered by HIPAA in the absence of a federal law that provides such protections. While Congress is assessing privacy protections for consumers, currently protection is provided by patchwork of state laws. Privacy protections can vary greatly depending on where a person lives. The bill – The Digital Accountability and Transparency to Advance Privacy (DATA...

Read More
New HIPAA Regulations in 2019
Mar04

New HIPAA Regulations in 2019

While there were expected to be some 2018 HIPAA updates, the wheels of change move slowly. OCR has been considering HIPAA updates in 2018 although it is likely to take until the middle of 2019 before any proposed HIPAA updates in 2018 are signed into law. Further, the Trump Administration’s policy of two regulations out for every new one introduced means any new HIPAA regulations in 2019 are likely to be limited. First, there will need to be some easing of existing HIPAA requirements. HIPAA updates in 2018 that were under consideration were changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS was considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of  substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. Other potential changes to HIPAA regulations in 2018 included the removal of aspects of HIPAA that impede the ability of doctors and hospitals to coordinate to deliver...

Read More
Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity
Feb28

Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity

Senator Mark Warner (D-Va) has written letters to leaders of the Department of Health and Human Services (HHS), the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), the National Institute of Standards and Technology (NIST), and 12 healthcare associations requesting answers to a list of healthcare cybersecurity questions. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, is deeply concerned about the state of cybersecurity in healthcare and is calling for a collaborative effort “to develop a short- and long-term strategy [for] reducing cybersecurity vulnerabilities in the health care sector” and “develop a national strategy that improves the safety, resilience, and security of our healthcare industry.” The healthcare industry is being targeted by cybercriminals and those attacks are succeeding far too frequently. 2014 was the sixth successive year to see an annual increase in healthcare data breaches. In 2015, another record was broken. The most healthcare records ever breached. 113 million...

Read More
Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices
Feb27

Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices

Several healthcare associations have requested a safe harbor for healthcare organizations that would prevent OCR and state attorneys general from issuing financial penalties for breaches of protected health information if the breached entity has met certain standards for safeguarding protected health information (PHI). The suggestions were made in response to the Department of Health and Human Services’ request for information (RFI) on potential changes to HIPAA to reduce the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received more than 1,300 comments on possible changes prior to the February 12, 2019 deadline. The safe harbor was suggested by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA). Healthcare organizations can adopt cybersecurity frameworks, create layered...

Read More
New Cybersecurity Requirements for Ohio Health Insurers
Feb27

New Cybersecurity Requirements for Ohio Health Insurers

From March 20, 2019, insurance companies in Ohio will be subject to a new law (Senate Bill 273) that requires them to develop and implement a written information security program to safeguard business and personal information. The information security program must include a comprehensive internal risk assessment to identify risk and threats to systems and data. Following the risk assessment, safeguards must be implemented to protect all nonpublic information that would cause a material adverse impact to business operations or could cause harm to customers if the information were to be exposed or accessed by unauthorized individuals. Nonpublic information includes financial information, health information, and identifiers such as Social Security numbers, driver’s license numbers, state ID cards, biometric information, account numbers, credit/debit card numbers, security/access codes that permit access to a financial account, and any information (except age or gender) that is created by or derived from a healthcare provider or consumer that could be used to identify an individual in...

Read More
New York State Departments Investigate Facebook Over Health Data Sharing Practices
Feb26

New York State Departments Investigate Facebook Over Health Data Sharing Practices

A recent analysis of Facebook’s data collection practices has revealed sensitive health data is obtained by Facebook from third party apps, even if the user has not logged in via Facebook or does not even have a Facebook account. Private information including blood pressure measurements, heart rate data, menstrual cycle data, and other health metrics are provided to Facebook, often without the user’s knowledge or any specific disclosure that data provided by users or collected directly by the apps are shared with the ocial media platform. The investigation was conducted by the Wall Street Journal, which conducted tests on various health-related apps. While it was known that some of those apps send data to Facebook about when they are used, the extent of data sharing was not well understood. The report revealed that 11 popular smartphone apps have been passing sensitive data to Facebook without apparently obtaining consent from users. One app, Flo Period & Ovulation Tracker, shares dates of a user’s last period with Facebook and the predicted date when the user is ovulating. The...

Read More
NHS to Phase Out Pagers by End of 2021
Feb26

NHS to Phase Out Pagers by End of 2021

The National Health Service (NHS) has commissioned a report on the costs of pagers and the extent of their use in NHS Trusts in the UK. The study revealed around 130,000 pagers are used in NHS Trusts – Approximately 10% of the world’s pagers – and the annual cost is around £6.6 million ($8.73 million). Advantages and Disadvantages of Pagers in Healthcare Pagers have served the healthcare industry well for several decades and they are still useful devices. Pagers are easy to use, they are small, easy to carry, and batteries can last months between charges. The pager system uses its own transmitters and frequencies and the signals can pass through structures. Consequently, coverage is excellent, and communication is fast and reliable. Pagers have one function and they perform that task very well. However, there are many drawbacks to pagers in healthcare. Most of the pagers used by NHS Trusts do not support two-way communication. When a message is received, a doctor must find a phone and call a number to receive the message. When an immediate response is not possible, messages are...

Read More
January 2019 Healthcare Data Breach Report
Feb25

January 2019 Healthcare Data Breach Report

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day in January. There were 33 healthcare data breaches reported in January 2019. January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed. Largest Healthcare Data Breaches in January 2019   Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Centerstone Insurance and Financial Services (BenefitMall) Business Associate 111589 Hacking/IT Incident 2 Las Colinas Orthopedic Surgery & Sports Medicine, PA Healthcare Provider 76000 Theft 3 Valley Hope Association Healthcare Provider 70799 Hacking/IT Incident 4 Roper St. Francis Healthcare Healthcare Provider 35253 Hacking/IT Incident 5 Managed Health Services Health Plan 31300 Hacking/IT Incident 6 EyeSouth Partners Business Associate 24113 Hacking/IT Incident 7 Dr....

Read More
Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups
Feb21

Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups

A complaint has been filed with the FTC over misleading practices by Facebook. The complaint alleges health information disclosed in closed, supposedly anonymous and private Facebook groups has been exposed. Congress is calling for Facebook to provide answers about the alleged privacy violations involving the Facebook PHR (Groups) platform. Leaders from the House Committee on Energy & Commerce have written to Facebook CEO Mark Zuckerberg requesting an urgent response to the privacy complaint filed with the FTC by users of Facebook Groups. The complaint was sent to the FTC in December and was made public this week. In the complaint letter, security researcher Fred Trotter and members of a Facebook health group allege that personal health information disclosed by users of closed Facebook groups has been exposed. As a result, members of the groups are at risk of harassment and discrimination. Closed Facebook groups are used by sufferers of health and mental health conditions to get support. Many support groups have been sent up on the platform specifically for that purpose....

Read More
2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records
Feb13

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018. The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches. According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018. In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased...

Read More
OCR Settles Cottage Health HIPAA Violation Case for $3 Million
Feb08

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000. Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients. In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information. Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed...

Read More
Wyoming Considers Repealing Hospital Records Act
Feb06

Wyoming Considers Repealing Hospital Records Act

Wyoming is considering repealing the Hospital Records Act of 1991, an act that was introduced to ensure the privacy of patient information was protected. The law was enacted before the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and provided protections that did not previously exist at the state or federal level. The Hospital Records Act introduced similar protections for patients to those provided by HIPAA. The Act covered disclosures of patient information by hospitals, authorizations from patients prior to disclosure of patient information, the publishing notices of privacy practices, the persons authorized to act on behalf of patients, and security safeguards and rules covering record retention. The Hospital Records Act was effective at the time but following the enactment of HIPAA and its subsequent Privacy and Security Rules, it became redundant. While the requirements of both the federal and state laws are similar, there are several discrepancies between the two laws and the compliance requirements differ slightly. The Hospital Records Act is seen to...

Read More
Legal Action Over Illinois Biometric Information Privacy Act Violations Possible Without Actual Harm
Feb01

Legal Action Over Illinois Biometric Information Privacy Act Violations Possible Without Actual Harm

The Illinois Supreme Court has ruled that individuals whose privacy has been violated through a breach of the Illinois Biometric Information Privacy Act can take legal action against a private entity, even if the violation of BIPA has not resulted in actual harm. The Illinois Biometric Information Privacy Act, enacted in 2008, requires private entities to inform a person in writing that their biometric information will be collected or stored. The purpose for the collection or storage of that data and the length of time the information will be retained must also be explained. The entity must also obtain written authorization from an individual or that individual’s legal representative before biometric data can be collected or stored. Biometric data includes fingerprints, voiceprints, hand scans, iris scans, and other biometric means of identifying a person. In contrast to HIPAA, which has no private cause of action, individuals can sue companies for Illinois Biometric Information Privacy Act (BIPA) violations. Illinois is unique in that respect. Other states such as Texas and...

Read More
Aetna Settles HIV Status Breach Case with California AG for $935,000
Feb01

Aetna Settles HIV Status Breach Case with California AG for $935,000

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy breach that exposed state residents’ HIV status. On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates.  Approximately 12,000 individuals were sent letter, 1,991 of whom lived in California. The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution. In...

Read More
Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data
Jan31

Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data

The Oregon Health Information Property Act proposes patients should be allowed to authorize their healthcare providers to sell their health data and for them to be financially compensated if their health information is sold to a third party. Currently, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered entities are only permitted to use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. While there are some exceptions, other uses and disclosures are prohibited unless consent is first obtained from patients. The HIPAA Privacy Rule covers PHI, which is identifiable patient information. If PHI is stripped of information that allow an individual to be identified, it is no longer considered PHI and is no longer subject to Privacy Rule controls. That means that if a HIPAA-covered entity de-identifies PHI, they can then sell that information on for profit. That information can be valuable to research...

Read More
Expected HIPAA Updates and HIPAA Changes in 2019
Jan31

Expected HIPAA Updates and HIPAA Changes in 2019

The Health Insurance Portability and Accountability Act was signed into law in 1996 and while there have been some significant HIPAA updates over the last two decades, the last set of major HIPAA updates occurred in 2013 with the introduction of the HIPAA Omnibus Final Rule. Further updates to HIPAA are now long overdue, but what can be expected in terms of HIPAA changes in 2019? Major HIPAA Updates in the Past 20 Years Since HIPAA was signed into law there have been some major HIPAA updates. The HIPAA Privacy and Security Rules were followed by the incorporation of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013. Such major HIPAA updates placed a significant burden on HIPAA covered entities and considerable time and effort was required to introduce new policies and procedures to ensure continued compliance. It is now almost 6 years since the last major HIPAA updates were enacted. Over those six years, various issues have arisen with...

Read More
New Cybersecurity Framework for Medical Devices Issued by HSCC
Jan30

New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle. The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector. More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing...

Read More
Patches Released to Mitigate KRACK Vulnerabilities Affecting Stryker Medical Beds
Jan30

Patches Released to Mitigate KRACK Vulnerabilities Affecting Stryker Medical Beds

Stryker has identified nine vulnerabilities that affect some of its Medical Beds. The vulnerabilities could potentially be exploited in a man-in-the-middle attack by an attacker within radio range of vulnerable product to replay, decrypt, or spoof frames. The vulnerabilities are present in the four-way handshake used by WPA and WPA2 wireless security protocols which allow nonce reuse in Key Reinstallation (KRACK) attacks. Similar vulnerabilities have been identified in a wide range of wireless devices. The nine vulnerabilities are summarized below: CVE-2017-13077: Reinstallation of pairwise key in the four-way handshake. CVE-2017-13078: Reinstallation of group key in the four-way handshake. CVE-2017-13079: Reinstallation of Integrity Group Temporal Key in the four-way handshake. CVE-2017-13080: Reinstallation of group key in the group key handshake. CVE-2017-13081: Reinstallation of Integrity Group Temporal Key in the group key handshake. CVE-2017-13082: Reinstallation of Pairwise Transient Key Temporal Key in the fast BSS transmission handshake. CVE-2017-13086: Reinstallation of...

Read More
GDPR Incorporated into the HITRUST CSF
Jan29

GDPR Incorporated into the HITRUST CSF

HITRUST has combined the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements. Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater. Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible. “As countries around the world continue to adopt and advance...

Read More
Multiple Flaws Identified in LabKey Server Community Edition
Jan29

Multiple Flaws Identified in LabKey Server Community Edition

Security researchers at Tenable Research have discovered multiple flaws in LabKey Server Community Edition 18.2-60106.64 which could be exploited to steal user credentials, access medical data, and run arbitrary code through the Labkey browser. LabKey Server is an open source collaboration tool that allows scientists to integrate, analyze, and share biomedical research data. While the platform serves as a secure data repository, vulnerabilities have been identified that allow security controls to be bypassed. CVE-2019-3911 – Reflected XSS Multiple flaws have been identified in all versions of LabKey Server Community Edition prior to v 18.3.0 related to the validation and sanitization of query functions, in particular, the query.sort parameter. The parameter is reflected in output to the user and is interpreted by the browser, which opens to door for a cross site scripting attack. If the flaws are exploited, an attacker could run arbitrary code within the context of the browser. Attacks are possible with and without authentication. CVE-2019-3912 – Open Redirects Open redirects via...

Read More
Analysis of 2018 Healthcare Data Breaches
Jan28

Analysis of 2018 Healthcare Data Breaches

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR). 2018 Was a Record-Breaking Year for Healthcare Data Breaches Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States. The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year. In 2018, 365 healthcare data breaches of 500 or more records were reported, up almost 2% from the...

Read More
December 2018 Healthcare Data Breach Report
Jan22

December 2018 Healthcare Data Breach Report

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January. In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11. Largest Healthcare Data Breaches in December 2018 Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure 2 JAND Inc. d/b/a Warby Parker Healthcare Provider 177,890...

Read More
Revised Common Rule Now Effective
Jan21

Revised Common Rule Now Effective

The updated Federal Policy for the Protection of Human Subjects (45 CFR part 46), otherwise known as the Common Rule, is now in effect. The compliance date of the revised Common Rule was January 21, 2019. The Common Rule governs federally funded research on human subjects and was introduced in 1991. The Common Rule was amended in 2015 and underwent a major revision in 2017 to improve protections for research subjects while easing the administrative burden on researchers, especially for low-risk research. The compliance date of the revised Common Rule was initially January 19, 2018; however, two days before the compliance date, an interim final rule was published which delayed the compliance date initially for six months, and subsequently for another six months. Regulated entities were required to comply with the pre-2018 version of the Common Rule until January 20, 2019, with the exception of three provisions of the revised Common Rule which aimed to reduce the administrative burden on researchers. Those three provisions, which could be adopted between July 2019 and January 20,...

Read More
State AG Proposes Tougher Data Breach Notification Laws in North Carolina
Jan21

State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents. The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims. Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents. The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows...

Read More
Physician Receives Probation for Criminal HIPAA Violation
Jan18

Physician Receives Probation for Criminal HIPAA Violation

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation and has escaped a jail term and fine. The case concerned the wrongful disclosure of patients’ PHI to a pharmaceutical firm. The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion. In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug. Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability. The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules...

Read More
CMS Completes Rollout of New Medicare Cards 3 Months Ahead of Schedule
Jan18

CMS Completes Rollout of New Medicare Cards 3 Months Ahead of Schedule

Individuals with Medicare have been provided with new Medicare cards without Social Security numbers as part of the Centers for Medicare & Medicaid Services (CMS) efforts to combat fraud and abuse and protect against identity theft. Instead of Social Security numbers, the new Medicare cards use unique, randomly generated Medicare Beneficiary Identifiers that include a combination of numbers and letters. CMS has issued more than 61 million new cards over the course of the past 9 months and has now completed the rollout three months ahead of the April 2019 deadline set by Congress in the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015. “Safeguarding our beneficiaries’ personal information continues to be one of our top priorities,” explained CMS Administrator Seema Verma in a January 16 press release. “The Trump Administration is committed to modernizing Medicare and has expedited this process to ensure the protection of Medicare beneficiaries and taxpayer dollars from the potential for fraud and abuse due to personal information that existed on the old cards.” More...

Read More
New Massachusetts Data Breach Notification Law Enacted
Jan16

New Massachusetts Data Breach Notification Law Enacted

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019. The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications. Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name. Social Security number Driver’s license number State issued ID card number Financial account number, or credit/ debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. As with the previous law, there is no set timescale for issuing breach...

Read More
OCR Seeks Permanent Deputy Director for Health Information Privacy
Jan15

OCR Seeks Permanent Deputy Director for Health Information Privacy

The U.S. Department of Health and Human Services’ Office for Civil Rights has advertised for a permanent Deputy Director for Health Information Privacy. The position was posted on USAJOBS on January 14, 2019. The last permanent Deputy Director was Deven McGraw, who left OCR in October 2017 for the private sector. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, took on the role of acting Deputy Director for Health Information Privacy but also left the post for the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018. The role involves leading OCR’s day-to-day HIPAA privacy and security program operations, development of privacy and security policies, administrative rulemaking, interpretation of current regulations, providing technical assistance to the department’s regional offices, and coordinating HIPAA Privacy and Security Rule compliance activities to ensure consistent application of policies across all regional offices. The Deputy Director for Health...

Read More
Advertising Expenditures Increase 64% Following a Healthcare Data Breach
Jan07

Advertising Expenditures Increase 64% Following a Healthcare Data Breach

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach. Healthcare Data Breaches Are the Costliest to Mitigate Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. According to the Ponemon Institute/IBM Security’s 2018 cost of a data breach study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors. Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. Click To Tweet In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen. The Ponemon Institute study revealed healthcare organizations...

Read More
Summary of 2018 HIPAA Fines and Settlements
Jan03

Summary of 2018 HIPAA Fines and Settlements

This post summarizes the 2018 HIPAA fines and settlements that have resulted from the enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. Another Year of Heavy OCR HIPAA Enforcement In 2016, there was a significant increase in HIPAA files and settlements compared to the previous year. In 2016, one civil monetary penalty was issued by OCR and 12 settlements were agreed with HIPAA covered entities and their business associates. In 2015, OCR only issued 6 financial penalties. The high level of HIPAA enforcement continued in 2017 with 9 settlements agreed and one civil monetary penalty issued. While there were two settlements agreed in February 2018 to resolve HIPAA violations, there were no further settlements or penalties until June. By the end of the summer it was looking like OCR had eased up on healthcare organizations that failed to comply with HIPAA Rules. However, in September, a trio of settlements were agreed with hospitals that had allowed a film crew to record footage of patients without first...

Read More
IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity
Jan03

IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity

The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued an alert about increased Chinese malicious cyber activity targeting IT service providers such as Managed Service Provider (MSPs), Managed Security Service Providers (MSSPs), Cloud Service Providers (CSPs) and their customers. The attacks take advantage of trust relationships between IT service providers and their customers. A successful cyberattack on a CSP, MSP or MSSP can give the attackers access to healthcare networks and sensitive patient data. The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued technical details on the tactics and techniques used by Chinese threat actors to gain access to services providers’ networks and the systems of their customers. The information has been shared to allow network defenders to take action to block the threats and reduce exposure to the Chinese threat actors’ activities. Guidance has been released for IT service providers and their customers on the steps that should be taken to improve security to prevent...

Read More
HHS Publishes Cybersecurity Best Practices for Healthcare Organizations
Jan02

HHS Publishes Cybersecurity Best Practices for Healthcare Organizations

The U.S. Department of Health and Human Services has issued voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients. Healthcare technologies are essential for providing care to patients, yet those technologies introduce risks. If those risks are not properly managed they can result in disruption to healthcare operations, costly data breaches, and harm to patients. The HHS notes that $6.2 billion was lost by the U.S. Health Care System in 2016 as a result of data breaches and 4 out of 5 physicians in the United States have experienced some form of cyberattack. The average cost of a data breach for a healthcare organization is now $2.2 million. “Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems...

Read More
What is Texas HB 300?
Dec28

What is Texas HB 300?

What is Texas HB 300, who is required to comply with the legislation, and what are the penalties for noncompliance? This post answers these and other important questions about Texas HB 300. What is Texas HB 300? The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets minimum privacy and security standards for healthcare organizations. HIPAA naturally covers healthcare organizations based in Texas, but they also must comply with state laws. Texas has some of the most stringent laws in the United States as far as health data is concerned which are detailed in Texas HB 300 (Texas House Bill 300). Texas HB 300 was passed by the Texas legislature in June 2011 and was signed into law by Texas Governor Rick Perry. The compliance date for Texas HB 300 was September 1, 2012. Texas HB 300 amended four laws in Texas: The Texas Health Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602) and introduced tougher privacy protections for health...

Read More
Most Common Security Weaknesses in Healthcare Identified
Dec28

Most Common Security Weaknesses in Healthcare Identified

The most common security weaknesses in healthcare have been identified by Clearwater. Clearwater analyzed data from IRM analyses conducted over the past six years. Millions of risk records were assessed from hospitals, Integrated Delivery Networks, and business associates of those entities to identify the most common security vulnerabilities in healthcare. The analysis revealed almost 37% of high and critical risks were in three areas: User authentication Endpoint leakage Excessive user permissions The most common security weaknesses in healthcare were deficiencies in user authentication. These are failures to correctly authenticate users and verify the level of access that users should have to an organization’s resources. These deficiencies include the use of default passwords and generic user IDs, writing down passwords and posting them on computer monitors or hiding them under keyboards, and the transmission of user credentials via email in plain text. User authentication deficiencies were most commonly associated with servers and SaaS solutions. Clearwater also notes that more...

Read More
NIST Releases Final Version of Updated Risk Management Framework
Dec27

NIST Releases Final Version of Updated Risk Management Framework

The National Institute of Standards and Technology (NIST) has released the final version of its updated Risk Management Framework (RMF 2.0). RMF 2.0 (SP 800-37 Revision 2: Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) addresses privacy and security concerns in IT risk management. One key change in the updated version of the RMF is the introduction of a ‘Prepare’ step. This additional step involves assigning responsibilities to specific individuals, enabling enterprise-wide privacy and security controls, eliminating unnecessary functions, publishing common controls, prioritizing resources for high value assets, and establishing communication channels to ensure effective communication between the C-Suite and employees. The ‘Prepare’ step, which comes before the Categorize step, was introduced to help organizations “achieve more effective, efficient, and cost-effective security and privacy risk management processes.” RMF 2.0 requires maximum use of automation in executing the framework rules to allow...

Read More
Largest Healthcare Data Breaches of 2018
Dec27

Largest Healthcare Data Breaches of 2018

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records. 2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records. A Bad Year for Healthcare Data Breaches As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records. It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017. In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in...

Read More
LifeBridge Health Sued for 18-Month Malware That Allowed Theft of 530,000 Patients’ PHI
Dec24

LifeBridge Health Sued for 18-Month Malware That Allowed Theft of 530,000 Patients’ PHI

A lawsuit has been filed on behalf of patients who had their protected health information stolen as a result of a malware infection at the Baltimore-based healthcare provider LifeBridge Health. LifeBridge Health discovered the malware infection in March 2018; however, an investigation of the breach revealed the malware had been installed on one of its servers on or around September 27, 2016. The server hosted LifeBridge Health electronic medical records and its patient registration and billing systems. During the 18 months that the malware was on its server, the protected health information of approximately 530,000 patients was allegedly stolen – Information such as names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses, and treatment information. According to the lawsuit, filed by law firm Murphy, Falcon & Murphy, the malware was installed as a result of “LifeBridge’s failure to ensure the integrity of its servers and to properly safeguard patients’ highly sensitive and confidential information.” The lawsuit claims the...

Read More
Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital
Dec21

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients. McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center. The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an...

Read More
When Did HIPAA Become Law?
Dec21

When Did HIPAA Become Law?

The Health Insurance Portability and Accountability Act (HIPAA) helped reform the healthcare industry, but when did HIPAA become law and what are the key dates in the history of HIPAA? In this post we give a short history of HIPAA, including key updates to the legislation over the past two decades. When Did HIPAA Become Law? HIPAA was signed into law by president Clinton on August 21, 1996; however, HIPAA has received several major updates over the following years. These were: The HIPAA Privacy Rule The HIPAA Security Rule The HITECH Act The HIPAA Breach Notification Rule The HIPAA Omnibus Rule When Did the HIPAA Privacy Rule Become Law? The HIPAA Privacy Rule was signed into law on December 28, 2000, although modifications were made and the final rule was published on August 14, 2002. The HIPAA Privacy Rule introduced standards for the privacy of individually identifiable health information, stipulated the allowed uses and disclosures of health information, and gave patients the right to obtain copies of their health data. The HIPAA Privacy Rule also required business associates...

Read More
November 2018 Healthcare Data Breach Report
Dec20

November 2018 Healthcare Data Breach Report

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed. November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November. To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018. There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported. Largest Healthcare Data Breaches in November 2018 The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records....

Read More
27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year
Dec19

27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year

According to a new report from Kaspersky Lab, 27% of healthcare employees said their organization had experienced at least one ransomware attack in the past year and 33% of those respondents said their organization had experienced multiple ransomware attacks. In its report – Cyber Pulse: The State of Cybersecurity in Healthcare – Kaspersky lab explained that up until January 1, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights has been notified of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals. The impact of those breaches can be serious for the organizations concerned. Not only can breaches result in millions of dollars in costs, they can permanently damage the reputation of a healthcare organization and can result in harm being caused to patients. To investigate the state of cybersecurity in healthcare, Kaspersky Lab commissioned market research firm Opinion Matters to conduct a survey of healthcare employees in the United States and Canada to explore the perceptions of healthcare employees regarding...

Read More
Vulnerability Identified in Medtronic Encore and Carelink Programmers
Dec18

Vulnerability Identified in Medtronic Encore and Carelink Programmers

ICS-CERT has issued an advisory about a vulnerability that has been identified in certain Medtronic CareLink and Encore Programmers. Some personally identifiable information (PII) and protected health information (PHI) stored on the devices could potentially be accessed due to a lack of encryption for data at rest. The programmers are used in hospitals to program and manage Medtronic cardiac devices and may store reports containing patients’ PII/PHI. An attacker with physical access to one of the vulnerable programmers could access the reports and view patients PII/PHI. The vulnerability would require a low level of skill to exploit. The vulnerability, tracked as CVE-2018-18984 (CWE-311), was identified by security researchers Billy Rios and Jonathan Butts of Whitescope LLC who discovered encryption was either missing or stored PII/PHI was not sufficiently encrypted. The vulnerability has been assigned a CVSS V3 base score of 4.6. The vulnerability is present in all versions of CareLink 2090 Programmers, CareLink 9790 Programmers, and the 29901 Encore Programmers. Medtronic has...

Read More
Federal GDPR-Style Data Privacy Bill Introduced
Dec17

Federal GDPR-Style Data Privacy Bill Introduced

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz, (D-Hawai’i), introduced the Data Care Act. The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm. The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions. As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data. The bill would also require companies...

Read More
EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach
Dec11

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members. On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members. The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents. The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised. That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed...

Read More
Vulnerability Identified in Philips HealthSuite Health Android App
Dec07

Vulnerability Identified in Philips HealthSuite Health Android App

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about a vulnerability that has been identified in the Philips HealthSuite Health Android App. The Philips HealthSuite Health Android App records body measurements and health data to allow users to track activities to help them achieve their health goals. The app is used by individuals in the United States, Netherlands, Germany and the United Kingdom. User data stored by the app is encrypted to prevent unauthorized access; however, a security researcher discovered the method used to encrypt data is too simplistic and does not offer a sufficiently high level of protection. As a result, an attacker with physical access to the app could exploit the vulnerability to gain access to a user’s data. The vulnerability could not be exploited remotely so the risk to users is low. The vulnerability, tracked as CVE-2018-19001, has been assigned a CVSS v3 base score of 3.5. Philips will be releasing a new version of the app in the first quarter of 2019 which will...

Read More
First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine
Dec07

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system. Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system. CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data. The failure to implement appropriate access controls is a violation of...

Read More
UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court
Nov28

UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court

A lawsuit filed by employees affected by a data breach at University of Pennsylvania Medical Center (UPMC) has been revived by the Pennsylvania Supreme Court. The lawsuit was filed after hackers stole the information of approximately 62,000 current and former UPMC employees in a data breach discovered by UPMC in February 2014. The stolen information included names, addresses, Social Security numbers, tax information, and bank account numbers. The information was used to file fraudulent tax returns in employees’ names to receive tax refunds. According the lawsuit, “As a result of UPMC’s negligence, employees incurred damages relating to fraudulently filed tax returns and are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.” UPMC argued that there is no cause of action for negligence as no property damage or physical injury was alleged by its employees. In Pennsylvania, no cause of action exists for negligence that solely results in economic losses. The lawsuit was thrown out by two lower courts; however, last week the lawsuit was...

Read More
2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach
Nov28

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

AccuDoc Solutions Inc., a provider of healthcare billing services, has experienced a major data breach in which the protected health information of 2,650,000 patients of Atrium Health was exposed. Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia. On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018. An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels. AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has...

Read More
OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure
Nov26

OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Hartford allergy practice $125,000 over alleged violations of the HIPAA Privacy Rule. On October 6, 2015, OCR received a copy of a civil rights complaint that had been filed with the Department of Justice (DOJ). The complainant alleged Allergy Associates of Hartford – A Connecticut healthcare provider that specializes in treating patients with allergies – had impermissibly disclosed her protected health information to a TV reporter. The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information. OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a). The physician in question had already been advised by the practice’s...

Read More
NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity
Nov23

NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has released a draft paper covering the privacy and security risks of telehealth and remote monitoring devices along with best practices for securing the telehealth and remote monitoring ecosystem. Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been an increase in the use of remote patient monitoring systems in patients’ homes in recent years. While these systems are straightforward to secure in a controlled environment such as a hospital, the use of these systems in patients’ homes introduces new risks. Managing the risks and ensuring the remote monitoring systems and devices have an equivalent level of security as in-house systems can be a major challenge. The purpose of the paper is to create a reference architecture which addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment. The paper addresses...

Read More
53% Of Healthcare Data Breaches Due to Insiders and Negligence
Nov22

53% Of Healthcare Data Breaches Due to Insiders and Negligence

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacking, malware, and ransomware attacks. Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result on internal negligence. The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge. The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between...

Read More
OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS
Nov22

OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS

The Department of Health and Human Services’ Office of Inspector General (OIG) has published its annual report on the top management and performance challenges faced by the HHS. The report lists 12 major challenges that the HHS must overcome to ensure the department achieves its aims. Given the scale of the current opioid crisis in the United States and its impact, the prevention and treatment of opioid misuse has topped this year’s list. The report also draws attention to the importance of cybersecurity protections to mitigate threats to be confidentiality, integrity, and availability of health data. Protecting HHS data, systems, and beneficiaries from cybersecurity threats made 10th spot in this year’s list. In the report, OIG explained that “data management, use, and security are essential to the effective and efficient operation of HHS’ agencies and programs.” Ensuring the integrity of IT systems and the confidentiality and availability of healthcare data are critically important to the health and well-being of Americans. The HHS has a $5 billion annual budget for IT; a...

Read More
October 2018 Healthcare Data Breach Report
Nov21

October 2018 Healthcare Data Breach Report

Our October 2018 healthcare data breach report shows there has been a month-over-month increase in healthcare data breaches with October seeing more than one healthcare data breach reported per day. 31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches. The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records. Largest Healthcare Data Breaches in October 2018 There were 11 healthcare data breaches of more than 10,000 records reported in October – A 120% increases from the five 10,000+ record breaches in September. The...

Read More
AMIA Calls for Greater Alignment of Federal Data Privacy Rules
Nov20

AMIA Calls for Greater Alignment of Federal Data Privacy Rules

The American Medical Informatics Association (AMIA) is calling for the Trump Administration to tighten data privacy rules through greater alignment of HIPAA and the Common Rule and recommends adoption of a more integrated approach to privacy that includes both the healthcare and consumer sectors. The call follows a request for comment by the NTIA to initiate a conversation about consumer privacy. In a letter to the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, AMIA explained that its comments are informed by extensive experience of dealing with both the Health Insurance Portability and Accountability Act and the Federal Protections for Human Subjects Research (Common Rule). Currently, there is a patchwork of federal and state regulations that complicates compliance and creates information sharing challenges which results in ‘perverse outcomes’ due to different interpretations of existing privacy policies. AMIA illustrated the problem of the current patchwork of privacy policies using Pennsylvania and New Jersey as an...

Read More
Do HIPAA Rules Create Barriers That Prevent Information Sharing?
Nov19

Do HIPAA Rules Create Barriers That Prevent Information Sharing?

The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care. HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors. The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected. The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care. The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued. Certain provisions of...

Read More
Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS
Nov15

Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress. The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 can calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and just awaits the president’s signature. The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service. The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center. NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal...

Read More
HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals
Nov15

HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals

Last month, the Centers for Medicare & Medicaid Services (CMS) announced that the HealthCare.gov website had been hacked and the sensitive data of approximately 75,000 individuals had potentially been compromised. This week, the CMS issued an update on the breach confirming more people had been affected than was initially thought. The revised estimate has seen the number of breach victims increased to 93,689. The initial breach announcement was light on details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft. The CMS started sending out breach notification letters on November 7 which explain the breach in more detail, including the types of information that were potentially accessed. CMS explained that the ‘suspicious activity’ it detected was certain agent and broker accounts...

Read More
OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices
Nov08

OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase.  Several deficiencies in FDA policies and procedures were identified by OIG auditors. Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure all medical devices that come to market are secure and incorporate cybersecurity protections to prevent cyberattacks that could alter the functionality of the devices which could cause harm to patients. The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas. One area of weakness concerns...

Read More
Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches
Nov07

Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3. In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches. The largest healthcare data breach in Q3 was reported by the Iowa Health System UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records. In Q3, hacking...

Read More
Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program
Nov06

Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program

An alarming number of healthcare organizations do not have comprehensive cybersecurity programs in place, according to the recently published 2018 CHIME Healthcare’s Most Wired survey. The annual CHIME survey explores the extent to which healthcare organizations have adopted health information technology and draws attention to those that are ‘Most Wired’ and have the broadest, deepest IT infrastructure. This year’s report highlights gaps in foundational technologies and strategies for security and disaster recovery. “Before provider organizations can achieve outcomes with their strategies for population health management, value-based care, patient engagement, and telehealth, they must first ensure that foundational pieces such as integration, interoperability, security, and disaster recovery are in place,” explained CHIME. The attack surface has grown considerably in recent years due to increased adoption of networked medical devices and IoT technology. Threats to the privacy of sensitive information and security of systems and devices have grown and security is now a major...

Read More
$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach
Nov05

$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach

New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement has been agreed with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act that were discovered during an investigation of a 2016 breach of 1,650 individuals’ protected health information. Protected Health Information of 1,654 Patients Was Accessible Through Search Engines Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians. In January 2016, it was discovered that transcribed documents had been uploaded to File Transfer Protocol (FTP) website that was accessible over the Internet without the need for any authentication. The files had been indexed by Google and could be found using search terms including information contained in the files. Password-protection had been removed when software on the website was...

Read More
Cybersecurity Best Practices for Healthcare Organizations
Nov01

Cybersecurity Best Practices for Healthcare Organizations

The Department of Health and Human Services’ Office for Civil Rights has drawn attention to basic cybersecurity safeguards that can be adopted by healthcare organizations to improve cyber resilience and reduce the impact of attempted cyberattacks. The advice comes at the end of cybersecurity awareness month – a four-week coordinated effort between government and industry organizations to raise awareness of the importance of cybersecurity. While all organizations need to implement policies, procedures, and technical solutions to make it harder for hackers to gain access to their systems and data, this is especially important in the healthcare industry. Hackers are actively targeting healthcare organizations as they store large quantities of highly sensitive and valuable data. Healthcare organization need to ensure that their systems are well protected against cyberattacks, which means investing in technologies to secure the network perimeter, detect intrusions, and block malware and phishing threats. Large healthcare organizations have the resources to invest heavily in...

Read More
OCR Launches Campaign to Raise Awareness of Civil Rights Protections for Patients Being Treated for Opioid Use Disorder
Oct29

OCR Launches Campaign to Raise Awareness of Civil Rights Protections for Patients Being Treated for Opioid Use Disorder

On October 26, 2017, President Donald Trump declared the opioid crisis a national public health emergency. The one-year anniversary of that declaration has seen a new opioid bill signed into law. On October 24, 2018, President Donald Trump added his signature to the Substance Use–Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act – or “SUPPORT for Patients and Communities Act” for short. The Act will help strengthen the government’s response to the opioid crisis, improve access to addiction treatment services, and expand data sharing in cases of opioid abuse. There have been calls for changes to be made to 42 CFR Part 2 to align the legislation with the HIPAA Privacy Rule and allow the sharing of information about a patient’s substance abuse treatment, without consent, for the purposes of treatment, payment or healthcare operations. The SUPPORT for Patients and Communities Act does go that far, although the new law does allow information relating to opioid use disorder and treatment – and details of treatment for abuse of other...

Read More
Study Reveals 75% of Employees Lack Security Awareness
Oct25

Study Reveals 75% of Employees Lack Security Awareness

For the past three years, security awareness training company MediaPRO has conducted an annual study of employees’ security awareness and knowledge of cybersecurity best practices. The study measures the susceptibility of employees to a wide range of security threats and assesses their ability to identify phishing threats, possible malware infections, and cloud computing and social media risks. Their knowledge of best practices concerning physical security, working remotely, and reporting security incidents is also tested. This year, 1,024 employees from 7 industry sectors took part in the State of Privacy and Security Awareness study and were asked questions relating to all of the above aspects of privacy and security. MediaPRO assigned each participant a category based on the percentage of questions they got right: Hero – An individual with an excellent understanding of security and how to protect assets. Novice – Someone that has a reasonable understanding of the basics of security but needs to improve their knowledge in key areas. Risk – An individual whose lack of...

Read More
September 2018 Healthcare Data Breach Report
Oct23

September 2018 Healthcare Data Breach Report

For the second consecutive month there has been a reduction in both the number of reported healthcare data breaches and the number of exposed healthcare records. In September, there were 25 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights – the lowest breach tally since February. There was also a substantial reduction in the number of exposed/stolen healthcare records in September. Only 134,000 healthcare records were exposed/stolen in September – A 78.5% reduction in compared to August. Fewer records were exposed in September than in any other month in 2018. Causes of September 2018 Healthcare Data Breaches In August, hacking/IT incidents dominated the healthcare breach reports, but there was a major increase (55.55%) in unauthorized access/disclosure breaches in September, most of which involved paper records. There were no reported cases of lost paperwork or electronic devices containing ePHI, nor any improper disposal incidents. While there were fewer hacking/IT incidents than unauthorized access/disclosure...

Read More
OIG Publishes 2016 Medicaid Data Breach Report
Oct23

OIG Publishes 2016 Medicaid Data Breach Report

A new report released by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed the vast majority of Medicaid data breaches are relatively minor and only affect an extremely limited number of individuals. For the study, OIG assessed all breaches reported by Medicaid agencies and their contractors in 2016. According to the report, the records of 515,000 Medicaid beneficiaries were exposed in 2016, spread across 1,260 data breaches. Almost two thirds of Medicaid data breaches reported in 2016 affected a single person with a further 29% of breaches affecting between 1 and 9 individuals. Large-scale breaches, which resulted in the data of 500 or more beneficiaries being exposed, accounted for 1% of the annual total. While the breach causes were highly varied, the majority of incidents were the result of simple errors such as misaddressing a letter, fax, or email. Those breaches only resulted in a very limited amount of PHI being exposed, such as a beneficiary name and Medicaid or other ID number. Out of the 1,260 breaches only 303 resulted in the...

Read More
CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System
Oct22

CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System

The Centers for Medicaid & Medicare Services (CMS) has discovered hackers have gained access to a health insurance system that interacts with the HealthCare.gov website and accessed files containing the sensitive information of approximately 75,000 individuals. On October 13, 2018, CMS staff discovered anomalous activity in the Federally Facilitated Exchanges system and the Direct enrollment pathway used by agents and brokers to sign their customers up for health insurance coverage. On October 16, the CMS confirmed there had been a data breach and a public announcement about the cyberattack was made on Friday October 19, 2018. While the number of files accessed only represents a small fraction of the total number of consumer records stored in the system, it is still a sizable and serious data breach. The files contained information supplied by consumers when they apply for healthcare plans through agents and brokers, including names, telephone numbers, addresses, Social Security numbers, and income details. While the CMS has confirmed that the files have been accessed by...

Read More
Aetna Settles HIPAA Violation Case with State AGs
Oct15

Aetna Settles HIPAA Violation Case with State AGs

In 2017, errors occurred with two Aetna mailings that resulted in the impermissible disclosure of the protected health information of plan members, including HIV statuses and AFib diagnoses. A class action lawsuit was filed on behalf of the victims of the HIV status breach which was settled for $17 million in January. Now Aetna has reached settlements with the attorneys general for New Jersey, Connecticut, and the District of Columbia to resolve the alleged HIPAA violations discovered during an investigation into the privacy breaches. The first mailing was sent on July 28, 2017 by an Aetna business associate. Over-sized windowed envelopes were used for the mailing, through which it was possible to see the names and addresses of plan members along with the words “HIV Medications.” Approximately 12,000 individuals received the mailing. In September, a second mailing was sent on behalf of Aetna to 1,600 individuals. This similarly resulted in an impermissible disclosure of PHI. In addition to names and addresses, the logo of an IMPACT AFib study was visible, which suggested the...

Read More
Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised
Oct12

Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised

The Minnesota Department of Human Services has mailed letters to approximately 21,000 individuals on medical assistance to alert them to a possible breach of their protected health information (PHI) due to two recent phishing attacks. Two DHS employees’ email accounts have been confirmed as having been compromised as a result of the employees clicking on links in phishing emails. The investigation into the breach determined that the attackers accessed both email accounts although it was not possible to determine which, if any, emails in the account had been accessed or copied by the attackers. Minnesota DHS has reason to believe that other employees may also have been targeted and could also have clicked on links in phishing emails, but it has not yet been confirmed whether their accounts have been breached. The investigation into the phishing attacks is ongoing. The two email account breaches occurred on June 28 and July 9, 2018, although the IT department only determined that the accounts had been breached in August. Upon discovery of the phishing attack, both accounts were...

Read More
HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia
Oct12

HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia

Following the presidential declaration of public health emergencies in the states of Florida and Georgia in the wake of hurricane Michael, secretary of the Department of Health and Human Services (HHS) Alex Azar has followed suit in both states and has exercised his authority to waive HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule in the disaster areas. The HHS announced the public health emergency in Florida on October 9, and Georgia on October 11. The HIPAA Privacy Rule does permit healthcare providers to share protected health information during disasters to assist patients and ensure they receive the care they need, including sharing information with friends, family members and other individuals directly involved in a patient’s care. The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief...

Read More
California HIV Patient PHI Breach Lawsuit Allowed to Move Forward
Oct08

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss. The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco. In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information. A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities. It was alleged...

Read More
Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC
Oct08

Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC

The Healthcare & Public Health Sector Coordinating Council (HSCC) has announced it will shortly issue voluntary cybersecurity best practices for medical device manufacturers and healthcare provider organizations to help them improve their security posture. HSCC will also publish a voluntary curriculum that can be adopted by medical schools to help them train clinicians how to manage electronic health records, medical devices, and IT systems in a secure and responsible way. The announcement coincides with National Cyber Security Awareness Month and includes an update on the progress that has been made over the past 12 months and the work that the HSCC still intends to complete. HSCC explained that the global cyberattacks of 2017 involving WannaCry and NotPetya malware served as a wake-up call to the healthcare industry and demonstrated the potential harm that could be caused if an attack proved successful. Many large companies were crippled by the attacks for weeks. Fortunately, the healthcare industry in the United States escaped the attacks relatively unscathed, although the...

Read More
Summary of Recent Healthcare Data Breaches
Oct05

Summary of Recent Healthcare Data Breaches

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities. Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection. On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data. The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab...

Read More
Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards
Oct04

Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019. The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring. To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention. Weighting factors used to produce the final top 10 list includes the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions...

Read More
FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
Oct03

FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

On October 1, 2018, the U.S. Food and Drug Administration released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook for healthcare delivery organizations to help them prepare for and respond to medical device cybersecurity incidents. The playbook is intended to help healthcare delivery organizations develop a preparedness and response framework to ensure they are prepared for medical device security incidents, can detect and analyze security breaches quickly, contain incidents, and rapidly recover from attacks. The playbook was developed by MITRE Corp., which worked closely with the FDA, healthcare delivery organizations, researchers, state health departments, medical device manufacturers and regional healthcare groups when developing the document. The past 12 months have seen many vulnerabilities identified in medical devices which could potentially be exploited by hackers to gain access to healthcare networks, patient health information, or to cause harm to patients. While the FDA has not received any reports to suggest an attack has been...

Read More
Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency
Oct02

Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency

The healthcare industry is extensively targeted by phishers who frequently gain access to healthcare data stored in email accounts. In some cases, those email accounts contain considerable volumes of highly sensitive protected health information. Phishing is one of the leading causes of healthcare data breaches. In August 2018, Augusta University Healthcare System announced that it was the victim of a phishing attack that saw multiple email accounts compromised. The breached email accounts contained the PHI of 417,000 patients. The incident stood out due to the number of individuals impacted by the breach, but it was just one of several healthcare organizations to fall victim to phishing attacks in August. Data from the HHS’ Office for Civil Rights shows email is the most common location of breached PHI. In July, 14 healthcare data breaches out of 28 involved email, compared to 6 network server PHI breaches – The second most common location of breached PHI. It was a similar story in May and June with 9 and 11 email breaches reported respectively. Cofense Research Shows Healthcare...

Read More
NIST Releases Guidance on Managing IoT Cybersecurity and Privacy
Oct01

NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce. The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a series of new publications address cybersecurity and privacy together and the document is the foundation for a series of further publications that will explore IoT device cybersecurity and privacy in more detail. “IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST. In the guidance document, NIST identifies three high-level...

Read More
Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017
Sep28

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health. The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017. “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study. Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or...

Read More
HIPAA Quiz Launched by Compliancy Group
Sep26

HIPAA Quiz Launched by Compliancy Group

A new HIPAA Quiz has been launched by the Compliancy Group, which serves as a quick and easy free tool to assess the current state of HIPAA compliance in an organization.   Healthcare organizations that have implemented policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) Rules may think that they are fully compliant with all provisions of the HIPAA Privacy, Security, and Breach Notification Rules. However, HHS’ Office for Civil Rights (OCR) compliance audits and investigations into data breaches and complaints often reveal certain requirements of HIPAA have been missed or misinterpreted. OCR investigates all breaches of more than 500 records and so far in 2018, six financial penalties have been issued to HIPAA covered entities to resolve HIPAA violations. The average settlement/civil monetary penalty in 2018 is $1,491,166. State attorneys general also investigate data breaches and complaints and can also issue fines for noncompliance with HIPAA Rules. There have been five fines issued by state attorneys general in 2018 to resolve...

Read More
UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations
Sep24

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information. In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names. It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security...

Read More
August 2018 Healthcare Data Breach Report
Sep21

August 2018 Healthcare Data Breach Report

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches. There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached. Causes of Healthcare Data Breaches in August 2018 Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks. Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare...

Read More
$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Sep20

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules. This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients. Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a). Brigham and Women’s Hospital (BWH) settled its HIPAA violations...

Read More
California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt
Sep19

California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt

In June 2018, the legislature in California passed the California Consumer Privacy Act (CCPA) which introduced major changes to state law to protect the privacy of consumers. CCPA introduced new privacy protections and rights for consumers, several of which are similar to those introduced in Europe in the General Data Protection Regulation (GDPR). The CCPA does not go as far as GDPR and only applies to for-profit companies that hold the data of more than 50,000 individuals, but many of the new rights are similar, including the right to request access to personal data stored by a business, the right to be informed about the data that will be collected, the right to be informed whether personal data will be sold or disclosed, the right to have personal data deleted and to prevent personal data from being sold. The CCPA has been heavily criticized, especially by tech firms such as Facebook, Google and PayPal. A 38-page letter was sent to lawmakers in California by 38 trade groups who have voiced considerable concerns over the requirements of the CCPA, including sections of the law...

Read More
CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent
Sep17

CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent

The HHS’ Centers for Medicare and Medicaid Services (CMS) has investigated Fairview Southdale Hospital in Edina, MN over an alleged violation of patient privacy. The CMS confirmed that patients were videotaped during psychiatric evaluations in the emergency department without their knowledge or consent.  The hospital was cited for violating patient privacy. According to the Star Tribune, the CMS launched an investigation following a complaint from a patient who had been taken to the hospital for a psychiatric evaluation against her will in May 2017. The patient was escorted to the hospital as police officers were concerned about her state of mental health and feared she may cause harm to herself or others. After being released, the patient took legal action over her admission to the hospital and how she was treated by the police. As part of that lawsuit, the patient requested a copy of the security camera footage from the hospital. While the patient expected to receive a copy of the videotape from the front of the hospital showing her entering the facility, the videotape showed her...

Read More
Texas Nurse Fired for Social Media HIPAA Violation
Sep13

Texas Nurse Fired for Social Media HIPAA Violation

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination. Her comments explained how the disease was much worse that she expected it to be, having not encountered anyone with the measles in the past.  She explained that it was a “rough” experience seeing the boy suffering from the disease. She also explained in her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” and “By no means have I changed my vax stance, and I never will. But this poor kid was bad off and as a parent, I could see vaccinating out of fear,” as reported by...

Read More
Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information
Sep13

Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information

On Wednesday, September 12, 2018, President Trump approved a request for a federal emergency declaration in the state of Virginia and made FEMA resources available for the state. The Secretary of the U.S. Department of Health and Human Services, Alex Azar, has also declared a Public Health Emergency in Virginia, North Carolina, and South Carolina. The Secretarial declaration eases certain HIPAA restrictions and helps Centers for Medicare & Medicaid Services’ (CMS) beneficiaries and their healthcare providers prepare for the possible impact of Hurricane Florence and provides greater flexibility to meet emergency health needs. During severe disasters and public emergencies healthcare providers face increased challenges and may struggle to continue to meet all requirements of the HIPAA Privacy Rule. In emergency situations, such as during hurricanes, the HIPAA Privacy Rule still applies; however, Alex Azar’s declaration of a Public Health Emergency means certain provisions of the Privacy Rule have been relaxed under the Project Bioshield Act of 2004 (PL 108-276) and section...

Read More
NIST to Launch Privacy Framework to Help Companies Protect the Privacy of Customers and Employees
Sep12

NIST to Launch Privacy Framework to Help Companies Protect the Privacy of Customers and Employees

In 2014, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework – A framework of computer security guidance to help private sector companies assess their security policies and improve their ability to prevent, detect, and respond to cyberattacks. The Framework has been a huge success. Figures from Gartner suggest it has already been adopted by 30% of companies, and adoption of the Framework is mandatory for all federal agencies. Now NIST plans to start working on a new Framework to help companies protect the privacy of employees and customers in what has become an increasingly connected and complex environment. The NIST Privacy Framework will be a voluntary enterprise-level tool that will detail privacy outcomes and approaches to help organizations develop strategies for implementing flexible privacy protection solutions. The aim is to ensure that individuals can benefit from the use of innovative technologies such as IoT an AI, with the confidence that their privacy will be protected. Adopting the Privacy Framework will help organizations...

Read More
Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI
Sep06

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices. Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in the healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen. Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially have the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions...

Read More
NY Attorney General Fines Arc of Erie County $200,000 for Security Breach
Sep04

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients. In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines. The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained. In total, 3,751 clients in New York had...

Read More
NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
Aug31

NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

The National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released the final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations. Wireless infusion pumps are no longer standalone devices. They can be connected to a range of different healthcare systems, networks, and other devices and can be a major cybersecurity risk. If malicious actors are able to gain access to the wireless infusion pump ecosystem, settings could be altered on the pumps or malware could be installed that causes the devices to malfunction, resulting in operational and safety risks. An attack on the devices could result in patients coming to harm, protected health information could be exposed, and a compromise could result in disruption to healthcare services, reputation damage, and considerable financial costs. Securing wireless infusion pumps is a challenge. Standard cybersecurity solutions such as anti-virus software may affect the ability of the device to function correctly...

Read More
Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure
Aug27

Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure

Following the accidental drowning of their adopted son, Denise and Wayne Russell were contacted by the child’s birth mother who made threats against their family. The phone call from the birth mother came shortly after their son was admitted to McAlester Regional Health Center following a tragic swimming pool accident. Their 2-year old child had fallen into the pool after the gate to the pool area had been accidentally left open. The parents administered CPR at the scene until the paramedics arrived and the child was rushed to hospital where he was later confirmed to have died. Shortly after their son died, the Russells received the telephone call from the birth mother. When asked how she knew about the accident and death of the child, she confirmed that she had been informed by the hospital. The birth month screamed at the Russells and made multiple threats, according to Denise Russell, including a threat to kill their other son. The situation became so bad that a protective order was filed against their son’s birth mother. The Russells had taken care of their adopted son Keon...

Read More
July 2018 Healthcare Data Breach Report
Aug24

July 2018 Healthcare Data Breach Report

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable distance. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than the previous month. The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and June combined. A Bad Year for Patient Privacy So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed. To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018. Largest Healthcare Data Breaches of 2018 (Jan-July) Entity Name Entity Type Records Exposed Breach Type UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident CA...

Read More
Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI
Aug21

Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI

Legacy Health has discovered an unauthorized individual has gained access to its email system and the protected health information (PHI) of approximately 38,000 patients. The Portland, OR-based health system operates two regional hospitals, four community hospitals, and 70 clinics in Oregon, Southwest Washington, and the and the Mid-Willamette Valley and is the second largest health system in the Portland Metro Area. The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health determined that access was gained to the email accounts as a result of employees being duped by phishing emails. Email breaches can take a considerable amount of time to investigate. While tools are available to scan email accounts for protected health information, many of the emails in compromised accounts need to be individually checked, which can involve manual checks of hundreds of thousands of messages.  According to Legacy Health Spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to...

Read More
9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach
Aug20

9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach

The Gordon Schanzlin New Vision Institute in La Jolla, CA, is alerting thousands of patients that their medical records may have been stolen after files containing protected health information were discovered in the possession of an individual unauthorized to hold the information. The data breach came to light following an investigation conducted by the U.S. Postal Inspection Service. A raid was conducted on a property in Southern California and a box of medical records was discovered in the property. The files contained information such as names, dates of service, addresses, health insurance information, Social Security numbers, and health and clinical information. Gordon Schanzlin was notified of the discovery on June 15, 2018, and an internal investigation was immediately launched to determine the nature and scope of the breach and how the medical records had been stolen. While it could not be confirmed with 100% certainty, Gordon Schanzlin believes the medical records were part of a batch of files that were stolen from a storage unit that was broken into in October 2017. The...

Read More
Significant Vulnerabilities Identified in Maryland’s Medicaid Management Information System
Aug16

Significant Vulnerabilities Identified in Maryland’s Medicaid Management Information System

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of Maryland’s Medicaid system. The audit was conducted as part of the HHS OIG’s efforts to oversee states’ use of various Federal programs and to determine whether appropriate security controls had been implemented to protect its Medicaid Management Information System (MMIS) and Medicaid data. The audit consisted of interviews with staff members, a review of supporting documentation, and use of vulnerability scanning software on network devices, servers, websites, and databases that supported its MMIS. The audit uncovered multiple system security weaknesses that could potentially be exploited by threat actors to gain access to Medicaid data and disrupt critical Medicaid operations. Collectively, and in some cases individually, the vulnerabilities were ‘significant’ and could have compromised the integrity of the state’s Medicaid program. Details of the vulnerabilities uncovered by auditors were not disclosed publicly, although OIG did explain that the...

Read More
ICS-CERT Warns of Vulnerabilities in Philips IntelliSpace Cardiovascular Products
Aug16

ICS-CERT Warns of Vulnerabilities in Philips IntelliSpace Cardiovascular Products

ICS-CERT has issued an advisory about two vulnerabilities that have been identified in Philips IntelliSpace Cardiovascular products, one of which has been given a high severity rating and could allow a threat actor to elevate privileges and gain full control of a vulnerable device. The improper privilege management vulnerability (CVE-2018-14787) is present in IntelliSpace Cardiovascular cardiac image and information management software version 2.x and earlier releases and Xcelera V4.1 and earlier versions. The vulnerability could not be exploited remotely. Local access is required, and an authenticated user would need to have write privileges. If exploited, privileges could be escalated and access gained to folders containing executables. Arbitrary code could be executed to give the attacker full control of the system. The vulnerability has been assigned a CVSS v3 severity score of 7.3. An unquoted search path or element vulnerability (CVE-2018-14789) is present in IntelliSpace Cardiovascular Version 3.1 and earlier versions and Xcelera Version 4.1 and earlier versions. This flaw...

Read More
Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data
Aug14

Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data

Despite many alternative communication methods being available, healthcare organizations still extensively use faxes to communicate. Some estimates suggest as many as 75% of all communications occur via fax in the healthcare industry. While fax machines would not rank highly on any list of possible attack vectors, new research shows that flaws in the fax protocol could be exploited to launch attacks on businesses and gain network access. The flaws were detected by researchers at Check Point who successfully exploited them to create a backdoor into a network which was used to steal information through the fax. The researchers believe there are tens of millions of vulnerable fax machines are currently in use around the world. To exploit the flaw, the researchers sent a specially crafted image file through the phone line to a target fax machine. The fax machine decoded the image and uploaded it to the memory and the researchers’ script triggered a buffer overflow condition that allowed remote code execution. The researchers were able to gain full control of the fax machine and, using...

Read More
APWG Detects 46% Rise in Phishing Websites in Q1, 2018
Aug10

APWG Detects 46% Rise in Phishing Websites in Q1, 2018

The Anti-Phishing Working Group has released its Q1, 2018 Phishing Activity Trends Report which shows there was a substantial increase in unique phishing sites detected in the first few months of 2018 compared to the final quarter of 2017. The report explores phishing attacks and methods used between January 1 and March 31, 2018. In Q1, 263,538 unique phishing sites were identified – a 46% increase from the 180,577 unique sites identified in Q4, 2017 and a 38% increase from the 190,942 sites detected in Q3, 2017. There were 60,887 unique phishing sites detected in January 2018 which was on a par with December 2017, although a substantial increase in February (88,754) and a further major increase in March (113,897). The number of unique phishing campaigns reported by APWG customers remained broadly the same in January (89,250) and February (89,010) with a slight fall in March (84,444). 235 brands were spoofed in January, rising to 273 in February, and falling to 238 in March. APWG member MarkMonitor tracked the industry sectors that were most heavily targeted in phishing campaigns....

Read More
At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018
Aug09

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018. The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients. Q2 2018 Healthcare Data Breaches Month Data Breaches Records Exposed April 45 919,395 May 50 1,870,699 June 47 353,548   Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary. It is unclear if any healthcare...

Read More
More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched
Aug09

More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched

OpenEMR is an open-source electronic health record management system that is used by many thousands of healthcare providers around the world. It is the leading free-to-use electronic medical record platform and is extremely popular. Around 5,000 physician offices and small healthcare providers in the United States are understood to be using OpenEMR and more than 15,000 healthcare facilities worldwide have installed the platform. Around 100 million patients have their health information stored in the database. Recently, the London-based computer research organization Project Insecurity uncovered a slew of vulnerabilities in the source code which could potentially be exploited to gain access to highly sensitive patient information, and potentially lead to the theft of all patients’ health information. The Project Insecurity team chose to investigate EMR and EHR systems due to the large number of healthcare data breaches that have been reported in recent years. OpenEMR was the natural place to start as it was the most widely used EMR system and with it being open-source, it was easy...

Read More
Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps
Aug08

Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps

An advisory has been issued by ICS-CERT about vulnerabilities in MedTronic MyCareLink Patient Monitors and the MiniMed 508 Insulin Pump. This is the second advisory to be issued about MyCareLink Patient Monitors in the past six weeks. In June, ICS-CERT issued a warning about the use of a hard-coded password (CVE-2018-8870) and an exposed dangerous method or function vulnerability (CVE-2018-8868). The latest vulnerabilities to be discovered are an insufficient verification of data authenticity flaw (CVE-2018-10626) and the storage of passwords in a recoverable format (CVE-2018-10622). The vulnerabilities are present in all versions of the Medtronic MyCareLink 24950 and 24952 Patient Monitors. If an attacker were to obtain per-product credentials from the monitor and the paired implanted cardiac device, it would be possible for invalid data to be uploaded to the Medtronic Carelink network due to insufficient verification of the authenticity of uploaded data. The vulnerability has been assigned a CVSS v3 score of 4.4 (medium severity). The way that passwords are stored could allow...

Read More
Healthcare Organizations Reminded of HIPAA Rules for Disposing of Electronic Devices
Aug07

Healthcare Organizations Reminded of HIPAA Rules for Disposing of Electronic Devices

In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media. Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner. HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes. Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI. If electronic devices are not disposed of securely...

Read More
NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices
Aug06

NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices

The HIPAA Security Rule requires HIPAA-covered entities to ensure the confidentiality, integrity, and availability of electronic protected health information at all times. Healthcare organizations must ensure patients’ health is not endangered, their privacy is protected, and their identities are not compromised. A range of physical, technical, and administrative controls can be implemented to secure ePHI on servers and desktop computers, but ensuring the same level of security for mobile devices can be a major challenge. Mobile devices offer many benefits for healthcare providers. They can improve access to protected health information, ensure that data can be accessed anywhere, and they help healthcare providers improve coordination of care. However, when ePHI is stored on mobile devices such as laptops, tablets and mobile phones, or is transmitted using those devices, it is particularly vulnerable. Mobile devices are easy to lose, are often stolen, and data transmitted through mobile devices can also be vulnerable to interception. In healthcare, mobile device security is a major...

Read More
Consumers More Worried About Exposure of Financial Information Than Health Data
Aug01

Consumers More Worried About Exposure of Financial Information Than Health Data

The privacy and security of health data is less of a concern for consumers than the privacy and security of financial information such as credit card numbers, according to a recent survey by the healthcare marketing agency SCOUT. The Harris Poll survey was conducted on 2,033 adults from May 10-14, 2018 as part of a new research series called SCOUT Rare Insights. The survey revealed fewer than half of consumers (49%) were very concerned about the privacy and security of their health data, whereas more than two thirds of consumers (69%) were very concerned about the privacy and security of their financial data such as credit/debit card numbers and bank account information. Consumers are often covered by insurance policies on their credit cards and can reclaim losses in many cases. A new credit card number can be issued in cases of theft and there are laws that limit personal liability. However, if health insurance information and Social Security numbers are stolen, breach victims can suffer severe losses that may not be recoverable. Medical identity theft can also cause patients...

Read More
1.4 Million Patients Warned About UnityPoint Health Phishing Attack
Jul31

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers. This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May. This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016. Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled in a business email compromise attack....

Read More
Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform
Jul30

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform. The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victims to phishing attacks that have resulted in cybercriminals gaining access to employee’s email accounts and the PHI contained therein. Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats. Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams. However, security teams can struggle to...

Read More
HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules
Jul30

HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules

At a July 27 address at The Heritage Foundation, Secretary of the Department of Health and Human Services (HHS), Alex Azar, explained that the HHS will be undertaking several updates to health privacy regulations over the coming months, including updates to the Health Insurance Portability and Accountability Act (HIPAA) and 45 CFR Part 2 (Part 2) regulations. The process is expected to commence in the next couple of months. Requests for information on HIPAA and Part 2 will be issued, following which action will be taken to reform both sets of rules to remove obstacles to value-based care and support efforts to combat the opioid crisis. Rule changes are also going to be made to remove some of the barriers to data sharing which are currently hampering efforts by healthcare providers to expand the use of electronic health technology. These requests for information are part of a comprehensive review of current regulations that are hampering the ability of doctors, hospitals, and payers to improve the quality healthcare services and coordination of care while helping to reduce...

Read More
Bill Proposes 18 Months Free Credit Monitoring Services for Data Breach Victims in Massachusetts
Jul25

Bill Proposes 18 Months Free Credit Monitoring Services for Data Breach Victims in Massachusetts

A new bill has been introduced in Massachusetts that seeks to improve protections for consumers affected by data breaches. The bill calls for free credit monitoring services to offered to individuals whose personal information was exposed in a security breach. The bill (H.4806) was filed on Tuesday by a House-Senate conference committee chaired by Rep. Tackey Chan and Sen. Barbara L’Italien and is a compromise bill between competing data security bills that were sent to the committee on May 3. The House Bill required consumers to be provided with a year of credit monitoring services following a data breach whereas the Senate bill required consumers to be provided with 2 years of credit monitoring services following a data breach. The conference committee bill takes the middle ground, requiring 18 months of credit monitoring services to be provided to consumers free of charge following a standard security breach. However, a data breach at a credit monitoring company (Equifax, Experian, TransUnion) would require affected consumers to be provided with 42 weeks of credit...

Read More
FDA Issues New Guidance on Use of EHR Data in Clinical Investigations
Jul19

FDA Issues New Guidance on Use of EHR Data in Clinical Investigations

The U.S. Food and Drug Administration has released new guidance on the use of EHR data in clinical investigations and emphasized that appropriate controls should be put in place to ensure the confidentiality, integrity, and availability of data. While the guidance is non-binding, it provides healthcare organizations with valuable information on steps to take when deciding whether to use EHRs as a source of data for clinical investigations, how to use them and ensure the quality and integrity of EHR data, and how to make sure that any data collected and used as an electronic source of data meets the FDA’s inspection, recordkeeping and data retention requirements. The aim of the guidance is to promote the interoperability of EHR and EDC systems and facilitate the use of EHR data in clinical investigations, such as long-term studies on the safety and effectiveness of drugs, medical devices, and combination products. The guidance does not apply to data collected for registries and natural history studies, the use of EHR data to evaluate the feasibility of trial design or as a...

Read More
New York Physician Notifies Patients of Exposure of their PHI
Jul19

New York Physician Notifies Patients of Exposure of their PHI

A New York physician has started notifying patients that their protected health information has been exposed and has been potentially accessed unauthorized individuals. Ruben U. Carvajal, MD was alerted to a possible privacy breach on January 3, 2018 and was informed that some of his patients’ health information was accessible over the Internet. An investigation into the possible privacy breach was launched and the matter was reported to the New York Police Department and the Federal Bureau of Investigation (FBI). FBI investigators visited his office and examined his computer. On February 18, 2018, the FBI confirmed that the EMR program on his computer had been accessed by an unauthorized individual. A forensic investigator was called in to conduct a thorough investigation to determine the nature and scope of the breach. On May 22, 2018 the forensic investigator determined that the physician’s computer had been accessed by an unauthorized individual between December 16, 2017 and January 3, 2018. Any individual that gained access to the physicians’ computer could have gained access...

Read More
Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center
Jul19

Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center

Certain employees of a Canandaigua, NY nursing home have been using their smartphones to take photographs and videos of at least one resident and have shared those images and videos with others on Snapchat – a violation of HIPAA and serious violation of patient privacy. The privacy breaches occurred at Thompson Health’s M.M. Ewing Continuing Care Center and involved multiple employees. Thompson Health has already taken action and has fired several workers over the violations. Now the New York Department of Health and the state attorney general’s office have got involved and are conducting investigations. The state attorney general’s Deputy Press Secretary, Rachel Shippee confirmed to the Daily Messenger that an investigation has been launched, confirming “The Medicaid Fraud Control Unit’s mission includes the protection of nursing home residents from abuse, neglect and mistreatment, including acts that violate a resident’s rights to dignity and privacy.” Thompson Health does not believe the images/videos were shared publicly and sharing was restricted to a group of employees at the...

Read More
June 2018 Healthcare Breach Report
Jul18

June 2018 Healthcare Breach Report

There was a 13.8% month-over-month increase in healthcare data breaches in June 2018. Data breaches were up, but the breaches were far less severe in June, with 42.48% fewer healthcare records exposed or stolen than in May. In June there were 33 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and those breaches saw 356,232 healthcare records exposed or stolen – the lowest number of records exposed in healthcare data breaches since March 2018. Healthcare Data Breaches (January-June 2018) Causes of Healthcare Data Breaches (June 2018) Unauthorized access/disclosure incidents were the biggest problem area in June, followed by hacking IT incidents. As was the case in May, there were 15 unauthorized access/disclosure breaches and 12 hacking/IT incidents. The remaining six breaches involved the theft of electronic devices (4 incidents) and paper records (2 incidents). There were no reported losses of devices or paperwork and no improper disposal incidents. Healthcare Records Exposed by Breach Type While unauthorized...

Read More
LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach
Jul17

LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach

LabCorp, one of the largest clinical laboratories in the United States, has experienced a cyberattack that has potentially resulted in hackers gaining access to patients’ sensitive information; however, data theft appears unlikely as the cyberattack has now been confirmed as being a ransomware attack. It has been suggested that variant of SamSam ransomware was used in the brute force RDP attack, although this has not been confirmed by LabCorp. The Burlington, NC-based company runs 36 primary testing laboratories throughout the United States and the Los Angeles National Genetics Institute. The company performs standard blood and urine tests, HIV tests and specialty diagnostic testing services and holds vast quantities of highly sensitive data. The cyberattack occurred over the weekend of July 14, 2018 when suspicious system activity was identified by LabCorp’s intrusion detection system within 50 minutes of the attack commencing. Prompt action was taken to terminate access to its servers and systems were taken offline to contain the attack. With its systems offline, this naturally...

Read More
Children’s Mercy Hospital Sued for 63,000-Record Data Breach
Jul13

Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information. In total, five email accounts were compromised between December 2017 and January 2018. On December, 2, 2017  two email accounts were discovered to have been accessed by an unauthorized individual as a result of employees responding to phishing emails. Links in the emails directed the employees to a website where they were fooled into disclosing their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, with a fifth and final account compromised in early January. The mailbox accounts of four of those compromised email accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent...

Read More
Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record
Jul12

Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record

A recent study conducted by the Ponemon Institute on behalf of IBM Security has revealed the hidden cost of data breaches, and for the first time, the cost of mitigating 1 million-record+ data breaches. The study provides insights into the costs of resolving data breaches and the full financial impact on organizations’ bottom lines. For the global study, 477 organizations were recruited and more than 2,200 individuals were interviewed and asked about the data breaches experienced at their organizations and the associated costs. The breach costs were calculated using the activity-based costing (ABC) methodology. The average number of records exposed or stolen in the breaches assessed in the study was 24,615 and 31,465 in the United States. Last year, the Annual Cost of a Data Breach Study by the Ponemon Institute/IBM Security revealed the cost of breaches had fallen year over year to $3.62 million. The 2018 study, conducted between February 2017 and April 2018, showed data breach costs have risen once again. The average cost of a data breach is now $3.86 million – An annual increase...

Read More
Patient Privacy and Security Are Greatest Healthcare Concerns for Consumers
Jul10

Patient Privacy and Security Are Greatest Healthcare Concerns for Consumers

A recent survey conducted by the health insurer Aetna explored consumers’ attitudes to healthcare, their relationships with their providers, and what they view as the most important aspects of healthcare. The Health Ambitions Study was conducted on 1,000 consumers aged 18 and above, with a corresponding survey conducted on 400 physicians – 200 primary care doctors and 200 specialists. The consumer survey showed consumers are paying attention to their healthcare. A majority pay attention to holistic health and seek resources that support better health and wellbeing. 60% of respondents to the survey said that if they were given an extra hour each day they would spend it doing activities that improved their health or mental health. 67% of women and 44% of men would devote the hour to these activities. Fewer women believed their physicians understood their health needs than men. 65% of women and 80% of men said their doctor is familiar with their health goals. Women find it harder than men to talk to their physicians about their lifestyle habits (70% vs 81%) and women were much less...

Read More
Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data
Jul10

Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data

The UK’s National Health Service (NHS) has announced that approximately 150,000 patients who had opted out of having their health data shared for the purposes of clinical research and planning have had their data shared against their wishes. In the UK, there are two types of opt-outs patients can choose if they do not want their confidential health data shared. A type 1 opt-out allows patients to stop the health data held in their general practitioner (GP) medical record from being used for anything other than their individual care. A Type 2 opt-out is used to prevent health care data being shared by NHS Digital for purposes other than providing individual care. 150,000 patients who had registered a Type 2 opt-out have had their data shared. The impermissible sharing of health data occurred as a result of an error by one of its EHR vendors, TPP. TPP provides the NHS with the SystmOne EHR system, which is use in many GP practices throughout the UK. A coding error in the system meant that these Type 2 requests were not passed on to NHS Digital, and as a result, NHS Digital was...

Read More
HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks
Jul06

HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks

HIMSS has released its June Healthcare and Cross-Sector Cybersecurity Report in which healthcare organizations are warned about the risk of exploitation of vulnerabilities in application programming interfaces, man-in the middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations have also been advised to be alert to the possibility of USB devices being used to gain access to isolated networks and the increase in used of Unicode characters to create fraudulent domains for use in phishing attacks. API Attacks Could Be the Next Big Attack Vector Perimeter defenses are improving, making it harder for cybercriminals to gain access to healthcare networks. However, alternative avenues are being explored by hackers looking for an easier route to gain access to sensitive data. Vulnerabilities in API’s could be a weak point and several cybersecurity experts believe APIs could well prove to be the next biggest cyber-attack vector. API usage in application development has become the norm, after all, it is easier to use a third-party solution...

Read More
AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule
Jul05

AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule

The American Hospital Association (AHA) has voiced the concerns of its members about the HHS’ Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system proposed rule for fiscal year 2019, including the requirement to allow any health app of a patient’s choosing to connect to healthcare providers’ APIs. Consumer Education Program Required to Explain that HIPAA Doesn’t Apply to Health Apps Mobile health apps can con collect and store a considerable amount of personal and health information – in many cases, the same information that would be classed as protected Health Information (PHI) under Health Insurance Portability and Accountability Act (HIPAA) Rules. However, HIPAA does not usually apply to health app developers and therefore the health data collected, stored, and transmitted by those apps may not be protected to the level demanded by HIPAA. When consumers enter information into the apps, they may not be aware that the safeguards in place to protect their privacy may not be as stringent as those implemented by their healthcare providers. There...

Read More
Healthcare Worker Charged with Criminally Violating HIPAA Rules
Jul03

Healthcare Worker Charged with Criminally Violating HIPAA Rules

A former University of Pittsburgh Medical Center patient information coordinator has been indicted by a federal grand jury over criminal violations of HIPAA Rules, according to an announcement by the Department of Justice on June 29, 2018. Linda Sue Kalina, 61, of Butler, Pennsylvania, has been charged in a six-count indictment that includes wrongfully obtaining and disclosing the protected health information of 111 patients. Kalina worked at the University of Pittsburgh Medical Center and the Allegheny Health Network between March 30, 2016 and August 14, 2017. While employed at the healthcare organizations, Kalina is alleged to have accessed the protected health information (PHI) of those patients without authorization or any legitimate work reason for doing so. Additionally, Kalina is alleged to have stolen PHI and, on four separate occasions between December 30, 2016, and August 11, 2017, disclosed that information to three individuals with intent to cause malicious harm. Kalina was arrested following an investigation by the Federal Bureau of Investigation. The case was taken up...

Read More
California Passes GDPR-Style Data Privacy Law
Jul02

California Passes GDPR-Style Data Privacy Law

AB 375, the California Consumer Privacy Act of 2018, has been signed into law. The bill was signed by California governor Jerry Brown on Thursday after the state Senate and Assembly passed the bill unanimously. California already has some of the strictest privacy laws in the United States. Under existing legislation, companies that experience a breach of personal information must notify affected individuals if their computerized data is exposed or stolen. This law takes privacy protections much further and gives state residents several new GDPR-style privacy rights, including: The right to request information from businesses about the types of personal data that are collected and processed and the source of that information Be informed about the purpose for collecting, using, and selling personal data Categories of third parties with whom the information is shared The right to request a copy of all personal information collected by a business The right to have all personal information deleted on request The right to request personal information is not sold The right to initiate...

Read More
Protected Health Information Sent to Incorrect Fax Recipient Over Several Months
Jun27

Protected Health Information Sent to Incorrect Fax Recipient Over Several Months

Faxes containing the protected health information (PHI) of a patient have been sent to an incorrect recipient by OhioHealth’s Grant Medical Center over a period of several months – A violation of patient privacy and the Health Insurance Portability and Accountability Act (HIPAA). The recipient of the faxes, Elizabeth Spilker, tried on numerous occasions to notify Grant Medical Center about the problem and stop the faxes being sent, but her efforts were unsuccessful. She tried faxing back a message on the same number requesting a change to the programmed fax number and tried contacting the medical center by telephone. Spilker later notified ABC6 about the issue and the story was covered in a June 18 report. In the report, Spilker explained that faxes had been received from Grant Medical Center for more than a year. The messages contained a range of protected health information including name, age, weight, medical history, medications prescribed, and other sensitive health information. Typically, the faxes were received at the end of the day. Repeated attempts were made to send the...

Read More
Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist
Jun26

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems. Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri. Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software. In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages...

Read More
District Court Ruling Confirms No Private Cause of Action in HIPAA
Jun25

District Court Ruling Confirms No Private Cause of Action in HIPAA

Patients who believe HIPAA Rules have been violated can submit a compliant to the Department of Health and Human Services’ Office for Civil Rights, but they do not have the right to take legal action, at least not for the HIPAA violation. There is no individual private cause of action under HIPAA law. Several patients have filed lawsuits over alleged HIPAA violations, although the cases have not proved successful. A recent case has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed. Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that while at the hospital on June 15, 2017, a LabCorp employee instructed her to enter her protected health information at a computer intake station. Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different...

Read More
Overdose Prevention and Patient Safety Act Passed by House
Jun22

Overdose Prevention and Patient Safety Act Passed by House

The Overdose Prevention and Patient Safety Act – H.R. 6082 – aims to ease restrictions on the sharing of health records of patients with addictions, aligning 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records – with HIPAA. Currently, 42 CFR Part 2 only permits the disclosure of health records of patients with substance abuse disorder without written consent to medical staff in emergency situations, to specified individuals for research and program evaluations, or if required to do so by means of a court order. Under current regulations, a special release form must be signed by a patient authorizing the inclusion of substance abuse disorder information in their medical record. Preventing doctors from having access to a patient’s entire medical history means decisions could be taken without full understanding of their potential consequences. If details of substance abuse disorder can be accessed, doctors will be able to make more informed decisions which will help them to safely and effectively treat patients. The Overdose Prevention and Patient Safety...

Read More
Common Rule Compliance Date Delayed Until January 2019
Jun22

Common Rule Compliance Date Delayed Until January 2019

On June 19, 2018, the federal government published the final rule for the Federal Policy for the Protection of Human Subjects – The Common Rule. The aim of the Common Rule is to protect individuals who voluntarily participate in research, while also reducing the administrative and regulatory burdens for low-risk research. A revised Common Rule was due to take effect on January 19, 2018 with an effective compliance date on the same date. However, an interim final rule was published on January 17, 2018 delaying the effective date for six months – The new compliance date was due to be July 19, 2018. On April 20, 2018, a notice of proposed rulemaking was published seeking comments about whether the new Common Rule requirements should be delayed for a further six months. After assessing the comments received on the notice of proposed rulemaking, the proposals made in that NPRM have been adopted and the compliance date has now been extended until January 21, 2019. In the final rule it was noted, “We acknowledge that the timing of the interim final rule was not ideal and led to...

Read More
Washington Health System Suspends Several Employees for Inappropriate PHI Access
Jun21

Washington Health System Suspends Several Employees for Inappropriate PHI Access

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated. While it has not been confirmed how many employees have been suspended, Washington Health System VP of strategy and clinical services, Larry Pantuso, issued a statement to the Observer Reporter indicating around a dozen employees have been suspended, although at this stage, no employees have been fired for inappropriate medical record access. The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out of control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the accident. Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile...

Read More
May 2018 Healthcare Data Breach Report
Jun19

May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April. There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than the 41 incidents in April. In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records. Causes of May 2018 Healthcare Data Breaches Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices...

Read More
OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center
Jun19

OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

The Department of Health and Human Services’ Office for Civil Rights has announced its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013. MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules. The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals....

Read More
More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes
Jun12

More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes

90% of hospitals and 94% of physicians have adopted mobile technology and say it is helping to improve patient safety and outcomes, according to a recent survey conducted by Black Book Research. The survey was conduced on 770 hospital-based users and 1,279 physician practices between Q4, 2017 and Q1, 2018. The survey revealed 96% of hospitals are planning on investing in a new clinical communications platform this year or have already adopted a new, comprehensive communications platform. 85% of surveyed hospitals and 83% of physician practices have already adopted a secure communication platform to improve communications between care teams, patients, and their families. Secure text messaging platform are fast becoming the number one choice due to the convenience of text messages, the security offered by the platforms, and the improvements they make to productivity and profitability. 98% of hospitals and 77% of physician practices said they have implemented secure, encrypted email and are using intrusion detection systems to ensure breaches are detected rapidly. Many providers of...

Read More
12-Month Suspension for Nurse Who Provided Patient Information to New Employer
Jun08

12-Month Suspension for Nurse Who Provided Patient Information to New Employer

The New York State Education Department has suspended the license of a nurse practitioner for violating the privacy of patients by providing their contact information to her new employer. In April 2015, Martha C. Smith-Lightfoot took a spreadsheet containing the personally identifiable information of approximately 3,000 patients of University of Rochester Medical Center (URMC) and gave that information to her new employer, Greater Rochester Neurology. The privacy violation was uncovered when several patients complained to URMC about being contacted by Greater Rochester Neurology about switching providers. Prior to leaving URMC, Smith-Lightfoot requested information on patients she has treated in order to ensure continuity of care.  URMC provider her with a spreadsheet that contained names, addresses, dates of birth, and diagnoses. URMC did not authorize Smith-Lightfoot to take the spreadsheet with her when she left employment. The provision of the patient list to Greater Rochester Neurology was an impermissible disclosure of PHI and a violation of the HIPAA Privacy Rule. When it...

Read More
Healthcare Employees Accused of Taking PHI to New Employers
Jun07

Healthcare Employees Accused of Taking PHI to New Employers

Two HIPAA-covered entities are notifying patients that former employees have accessed databases and stolen protected health information to take to new employers. Former Hair Free Forever Employee Contacts Patients to Solicit Customers Hair Free Forever, a Ventura, CA-based provider of permanent hair removal treatments, has announced that a former employee has stolen patient information and has been contacting its patients in an attempt to solicit customers. The company uses Thermolysis to permanently remove hair. Since the technique is classed as a medical procedure, Hair Free Forever and its employees are required to comply with HIPAA Rules. In a data breach notice provided to the California attorney general, Hair Free Forever’s Cheryl Conway informs patients that the former employee accessed patient files and the company’s database and stole patients’ protected health information, in clear violation of HIPAA Rules. The data theft came to light when complaints were received from customers who had been contacted and told about the former employee’s new practice. An investigation...

Read More
Colorado Governor Signs Data Protection Bill into Law
Jun05

Colorado Governor Signs Data Protection Bill into Law

Colorado Governor John Hickenlooper has signed a bill – HB 1128 – into law that strengthens protections for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Legislature. The bill will take effect from September 1, 2018. The bill requires organizations operating in the state of Colorado to implement reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is protected. The bill also reduces the time for notifying the state attorney general about breaches of PII and introduces new rules for disposing of PII when it is no longer required. Personal information is classed as first name and last name or first initial and last name in combination with any of the following data elements (when not encrypted, redacted, or secured by another means that renders the information unreadable): Social Security number Student ID number Military ID number Passport number Driver’s license number or...

Read More
Could Law Firms Targeting Patients in ER Rooms Using Geofencing Technology Violate HIPAA?
Jun01

Could Law Firms Targeting Patients in ER Rooms Using Geofencing Technology Violate HIPAA?

Questions are being raised about whether HIPAA Rules are being violated when attorneys send text messages and push notifications to patients who have visited emergency rooms and other medical facilities using geofencing technology. Marketers are using a range of clever tactics to sell products and services such as remarketing – The displaying of advertisements on websites to individuals who have previously viewed products on another website but not made a purchase. Similarly, the use of geofencing is growing in popularity. Geofencing is the creation of a digital fence around a specific location. When an individual crosses that invisible boundary, a push notification is sent to the users mobile phone. That location could be a store or any location. Retailers have been using the technology for some time, Google sends push notifications based on location, and now attorneys are getting in on the act. This tactic of targeting specific individuals is being offered by at least one digital marketing firm and the service is being offered to attorneys. In this case the geofence is around...

Read More