400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS
Sep18

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, has revealed 24.3 million medical images in medical image storage systems are freely accessible online and require no authentication to view or download the images. Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet. Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers. Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images. PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required...

Read More
NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem
Sep17

NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) has issued draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem. The guidelines – NIST Cybersecurity Practice Guide, SP 1800-24 – have been written for health healthcare delivery organizations (HDOs) to help them secure their PACS and reduce the probability of a data breach and data loss, protect patient privacy, and ensure the integrity of medical images while minimizing disruption to hospital systems. PACS is used by virtually all HDOs for storing, viewing, and sharing digital medical images. The systems make it easy for healthcare professionals to access and share medical images to speed up diagnosis. The system can often be accessed via desktops, laptops, and mobile devices and a PACS may also link to electronic health records, other hospital systems, regulatory registries, and government, academic, and commercial archives. With many users and devices and interactions with multiple systems, HDOs can face challenges securing their PACS ecosystem, especially without...

Read More
Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data
Sep17

Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data

The Consumer Technology Association (CTA) has released data privacy guidelines to help companies better protect health and wellness data. The guidelines have been developed to help CTA members address tangible privacy risks and securely collect, use, and share health and wellness data collected from health/wellness apps, wearable devices, and other digital tools. The guidelines – Guiding Principles for the Privacy of Personal Health and Wellness Information – were developed by the CTA to help members address privacy gaps, discover consumer preferences, and earn consumer trust. “[The] privacy guidelines, developed with consensus among industry stakeholders, will help give both individuals and companies the confidence to invest in innovative technologies which will improve health,” explained CTA president and CEO, Gary Shapiro. “The CTA Privacy Principles demonstrate that health tech companies understand they must be trusted stewards of patient data.” Consumers now have access to a plethora of apps, devices, and digital tools that let them keep track of their health...

Read More
Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets
Sep09

Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets

Becton Dickinson (BD) has discovered a vulnerability in its Pyxis drug dispensing cabinets which could allow an unauthorized individual to use expired credentials to access patient data and medications. The vulnerability was discovered by BD, which self-reported the flaw to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). ICS-CERT has recently issued an advisory about the flaw. The vulnerability affects Pyxis ES versions 1.3.4 to 1.6.1 and Pyxis Enterprise Server with Windows Server versions 4.4 through 4.12. The vulnerability – tracked as CVE-2019-13517 – is a session fixation flaw in which existing access privileges are not properly coordinated with the expiration of access when a vulnerable device is joined to an Active Directory (AD) domain. This means the credentials of a previously authenticated user could be used to gain access to a vulnerable device under certain configurations. This would allow an attacker to obtain the same level of privileges as the user whose credentials are being used, which could give access to patient...

Read More
Most Patients Happy to Share EHR Data for Research, But Not Entire Medical Record
Sep06

Most Patients Happy to Share EHR Data for Research, But Not Entire Medical Record

A majority of patients are comfortable with sharing their biospecimens and EHR data for research purposes, according to a new study published in JAMA Network Open; however, most patients want to restrict the sharing of at least one part of their medical record. Patients also exhibited preferences as to the institutions with whom their data and biospecimens were shared. Certain legislation covering the use of EHR data and biospecimens allow patient data to be shared for research purposes, either in identifiable or de-identified form, unless the patient explicitly opts out of data sharing. The researchers note that this all or nothing approach is problematic, as many patients are concerned about sharing certain types of information due to fears about secondary uses of their data. The researchers investigated the attitudes of 1,246 adults in the United States about a tiered consent approach to EHR record sharing. This approach splits an individual’s medical records into smaller parts, which allows patients to consent to sharing certain parts of their medical records and restricting...

Read More
Study Confirms Why Prompt Data Breach Notifications Are So Important
Sep05

Study Confirms Why Prompt Data Breach Notifications Are So Important

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential. When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere. According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum. The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the...

Read More
82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices
Sep03

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto. For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study. The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine. When asked about the consequences of a cyberattack on IoT devices, the biggest...

Read More
UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit
Sep02

UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data. Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of information with third parties such as technology companies, provided consent is obtained from patients prior to information being shared. Alternatively, healthcare organizations can share patient information provided it is de-identified. Under HIPAA, that means removing 18 identifiers to ensure patients cannot be identified. HIPAA calls for one of two methods to be used to de-identify PHI: Expert determination or the safe harbor method. The latter involves stripping PHI of all 18 identifiers, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is...

Read More
OCR Offers Advice on Managing Malicious Insider Threats
Aug30

OCR Offers Advice on Managing Malicious Insider Threats

Healthcare organizations can implement robust defenses to prevent hackers from gaining access to sensitive data, but not all threats come from outside the organization. It is also important to implement policies, procedures, and technical solutions to detect and prevent attacks from within. Healthcare employees require access to protected health information (PHI) to perform their work duties. While those individuals may be deemed trustworthy, providing access to PHI exposes the organization to risk. Workers can go rogue and access patient information without authorization and could easily abuse their access rights and steal patient data for financial gain. There will always be the occasional bad apple, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more prevalent. According to the report, 59% of all security incidents and data breaches analyzed for the report were caused by insiders. Many of those breaches were due to mistakes made by healthcare employees, but a significant percentage were caused by malicious insiders who stole patient...

Read More
Ransomware Attack Impacts More Than 400 U.S. Dental Practices
Aug30

Ransomware Attack Impacts More Than 400 U.S. Dental Practices

A ransomware attack on a medical record backup service has prevented hundreds of dental practices in the United States from accessing their patients’ records. The attack occurred on August 26, 2019 and affected the DDS Safe backup solution developed by Wisconsin-based software company, Digital Dental Record (DDS). The DDS system was accessed via an attack on its cloud management provider, West Allis, WI-based PerCSoft. Ironically, the DDS website states DDS Safe helps to protect dental practices against ransomware attacks. The attack did not affect all dental practices using the DDS Safe solution. Initial reports suggest between 400 and 500 of the 900 dental practices using the solution have been affected by the REvil/Sodinokibi ransomware attack. PerCSoft, assisted by a third-party software company, has obtained a decryptor and is in the process of recovering the encrypted files. According to a statement from DDS, recovery of files is estimated to take between 30 minutes to 4 hours per client. Some dental practices have reported file loss as a result of the attack and others have...

Read More
Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages
Aug28

Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages

A class action lawsuit filed by victims of a June 2016 cyberattack on Athens Orthopedic in Georgia has gone before the Georgia Supreme Court to determine whether breach victims are entitled to recover damages. The cyberattack in question saw the personal information, Social Security numbers, and health insurance information of approximately 200,000 individuals stolen by the hacking group, Dark Overlord. The Dark Overlord has conducted numerous attacks on healthcare organizations in the United States over the past three years. Initially, attacks were conducted to steal sensitive data, which was subsequently sold on dark web marketplaces. More recently, attacks have involved data theft and extortion. A ransom demand is issued to breached entities that must be paid in order to prevent publication of the stolen data.  Athens Orthopedic did not pay the ransom demand. The Dark Overlord gained access to Athens Orthopedic’s systems via an attack on a “nationally-known health care information management contractor,” the login credentials of which were used to steal patient data. Athens...

Read More
July 2019 Healthcare Data Breach Report
Aug26

July 2019 Healthcare Data Breach Report

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record of 44 breaches was broken in July. July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018. July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July. There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year. Causes of July 2019 Healthcare Data Breaches   The main reason for the increase in...

Read More
HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records
Aug23

HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records

The Substance Abuse and Mental Health Services Administration (SAMHSA) has proposed a new rule that loosens restrictions on substance use disorder (SUD) treatment records, aligning Part 2 regulations more closely with HIPAA. The new rule, proposed on August 22, is the first element of the HHS’s Regulatory Sprint to Coordinated Care initiative, which will also see changes made to HIPAA, the Anti-Kickback Statute, and Stark Law. SUD treatment records are covered by Confidentiality of Substance Use Disorder Patient Records regulations – 42 CFR Part 2 (Part 2). Part 2 pre-dates HIPAA by two decades and was introduced at a time when there were no broader privacy and security standards for health data. Part 2 regulations were required to protect the privacy of patients by severely restricting the allowable uses and disclosures of SUD treatment records. When Part 2 was introduced, there was a stigma associated with SUD and without privacy protections, many individuals suffering from the disorder may have avoided seeking treatment. Since 1975, further privacy and security laws have...

Read More
State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA
Aug14

State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA

The National Association of Attorneys General (NAAG) has urged leaders of the House and Senate to make changes to the Confidentiality of Substance Use Disorder Patient Records regulations, known as 42 CFR Part 2. The regulations in question, which NAAG called “cumbersome [and] out-of-date,” restrict the uses and disclosures of substance abuse treatment records. Under HIPAA, protected health information (PHI) can be shared between providers and caregivers for purposes related to treatment, payment, and healthcare operations without first obtaining consent from the patient. 42 CFR Part 2 prohibits the sharing of addiction treatment information by federally assisted treatment programs unless consent to do so has been obtained from the patient. The Part 2 regulations were created more than 40 years ago to ensure the privacy of patients was protected and to ensure that patients would not face any legal or civil consequences from seeking treatment for substance abuse disorder. NAAG argues that the regulations were created at a time when there was an “intense stigma” surrounding substance...

Read More
VA OIG Report Highlights Risk of Medical Device Workarounds
Aug06

VA OIG Report Highlights Risk of Medical Device Workarounds

A recent inspection of a California VA medical center by the Department of Veteran Affairs Office of Inspector General (VA OIG) has revealed security vulnerabilities related to medical device workarounds and multiple areas of non-adherence with Veterans Health Administration (VHA) and VA policies. Tibor Rubin VA Medical Center in Long Beach, California was inspected by the VA OIG after VHA and VA privacy and security policy violations were identified during an unrelated investigation. The auditors identified inappropriate staff workarounds for transferring and integrating information from patient medical devices into the medical center’s EHR system. The auditors also found two potential breaches of patient information while performing the inspection. The medical center did not have an interface between VHA medical devices and its EHR system, which forced staff to use inappropriate workarounds. Biomedical engineering and IT assistance had not fully resolved software interface issues between VHA medical devices and the EHR, and facility staff were using unapproved communication modes...

Read More
Judge Approves $74 Million Premera Blue Cross Data Breach Settlement
Aug05

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records. US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation. The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years. Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that...

Read More
First Half of 2019 Sees 31.6 Million Healthcare Records Breached
Aug02

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May. According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records). One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been...

Read More
HIPAA Compliance and Cloud Computing Platforms
Jul28

HIPAA Compliance and Cloud Computing Platforms

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure. Even when a cloud computing platform provider has HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis – See 45 CFR §§ 164.308(a)(1)(ii)(A) – has been performed. A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR §§ 164.308(a)(1)(ii)(B). Any risks identified must be managed and reduced to a reasonable and appropriate level. It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform...

Read More
June 2019 Healthcare Data Breach Report
Jul24

June 2019 Healthcare Data Breach Report

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day – Well above the typical rate of one per day. In June, data breaches returned to more normal levels with 30 breaches of more than 500 healthcare records reported in June – 31.8% fewer than May 2019.   While the number of reported data breaches fell,  June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June. Largest Healthcare Data Breaches in June 2019 The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – At least for a month until entities affected by...

Read More
Is IBM Cloud HIPAA Compliant?
Jul23

Is IBM Cloud HIPAA Compliant?

Is IBM Cloud HIPAA compliant? Is the cloud platform suitable for healthcare organizations in the United States to host infrastructure, develop health applications and store files? In this post we assess whether the IBM Cloud supports HIPAA compliance and the platform’s suitability for use by healthcare organizations. IBM offers a cloud platform to help organizations develop their mobile and web services, build native cloud apps, and host their infrastructure along with a wide range of cloud-based services for the capture, analysis, and processing of data. The platform has already been adopted by many healthcare providers, payers, and health plans, and applications and portals have been developed to provide patients with better access to their health information. IBM Cloud Security IBM is a leader in the field of network and data security, and its expertise has meant its cloud platform is highly secure. Security is built into the core of all of the firm’s software and services to ensure that sensitive data remains confidential and cannot be accessed by unauthorized individuals. Its...

Read More
AMCA Victim Count Swells to Almost 25 Million Records
Jul23

AMCA Victim Count Swells to Almost 25 Million Records

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is now nearing 25 million and 18 healthcare providers are now known to have been affected. The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers. AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and...

Read More
Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules
Jul19

Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules

New rules for hospitals have been implemented in Idaho that give patients new rights. The rules were implemented by the Idaho Department of Health and Welfare (IDHW) and are effective from July 1, 2019. The new rules were suggested by patient advocacy groups and “incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals,” according to IDHW. The policies align with the MyHealthEData initiative, which was launched in 2018 with the aim of removing the barriers to secure access to electronic medical records. Under previous state law, critical access hospitals (CAHs) were not required to comply with many of the regulatory conditions that applied to other healthcare providers. The new rules change that, which will mean new policies and procedures will need to be implemented by CAHs. That will come with a considerable administrative burden. The new rules apply to all hospitals in Idaho as well as any provider that renders services in hospitals. All hospitals and providers have been advised to check their policies...

Read More
HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana
Jul17

HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana

The Secretary of the U.S. Department of Health and Human Services (HHS) has issued a limited waiver of HIPAA sanctions and penalties in Louisiana due to the devastation likely to be caused by Tropical Storm Barry as it made landfall on July 13 as a hurricane. The HHS announced the public health emergency in Louisiana on Friday July 12, 2019. The waiver only applies to healthcare organizations in the emergency area and only for the length of time stated in the declaration. The waiver only applies to specific provisions of the HIPAA Privacy Rule and only for a maximum period of 72 hours after the hospital has implemented its emergency protocol. Once the time period for the waiver ends, healthcare providers will be required once again to comply with all aspects of the HIPAA Privacy Rule, even for patients still under their at the time the declaration ends, even if the 72-hour time window has not expired. While a waiver has been issued, the Privacy Rule does not prohibit the sharing of protected health information during disasters to assist patients and make sure they get the care they...

Read More
Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance
Jul10

Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance

Compliancy Group is offering healthcare professionals an opportunity to take part in a webinar covering the main threats facing the healthcare industry. Threats such as ransomware, malware, and phishing will be discussed by compliance experts in relation to HIPAA and the privacy and security of patient data. Cybersecurity has become more important than ever in healthcare. The industry is seen as a weak target by hackers, large volumes of data are stored, and patient information carries a high value on the black market. April 2019 saw the highest number of healthcare data breaches in a single month and more healthcare data breaches were reported in 2018 than in any other year to date. The increased frequency of attacks on organizations of all sizes highlights just how important cybersecurity has become. Cyberattacks are not only negatively affecting businesses in the healthcare sector, but also place the privacy of patient’s health information at risk. While it was once sufficient to implement standard security tools, the sophisticated nature of attacks today mean new solutions are...

Read More
CMS Uses Weak ID Verification and Has No Plans to Change
Jul02

CMS Uses Weak ID Verification and Has No Plans to Change

According to a recent Government Accountability Office (GAO) audit, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) is using an outdated and weak method of remote ID verification which is no longer considered to provide sufficient protection against fraud. The CMS website, which is used to find federal income-based financial subsidies and private health insurance, uses knowledge-based verification to confirm an individual’s identity. Individuals are asked to confirm their name, address and date of birth and are then asked questions to which only they would know the answer, such as information found in their credit file. While knowledge-based ID verification based on entries in a credit file does provide a good level of security, that all changed with the massive data breach at Equifax. A great deal of personal information was stolen by hackers – information that could be used to answer security questions. Without a more secure system of ID verification, Americans will be at risk of fraud. There are several alternative methods for ID...

Read More
OCR Clarifies Allowable Uses and Disclosures of PHI for Care Coordination and Continuity of Care
Jun27

OCR Clarifies Allowable Uses and Disclosures of PHI for Care Coordination and Continuity of Care

The Department of Health and Human Services’ Office for Civil Rights has issued new HIPAA guidance for health plans on how protected health information can be shared to support care coordination and continuity of care. The guidance, which is in the form of an FAQ, answers two questions commonly asked by health plans: Can PHI be disclosed to another health plan for care coordination purposes? OCR has confirmed that the HIPAA Privacy Rule allows PHI to be used and disclosed for healthcare operations, so it is possible to share PHI with another health plan or other covered entity if doing so is necessary for the entity’s own healthcare operations. PHI can also be shared with another health plan for the recipient’s healthcare operations provided the following conditions are met: Both entities have or had a relationship with the individual, the disclosure pertains to that relationship, and the healthcare operation is one permitted by HIPAA (See 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4)) Case management and care coordination are included in permitted ‘healthcare operations,’ so they...

Read More
Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation
Jun26

Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation

A former patient care coordinator at University of Pittsburgh Medical Center (UPMC) has received a 1-year jail term for accessing the medical records of patients and using that information to cause malicious harm. Sue Kalina, 62, of Butler, PA, had previously worked at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network as a patient care coordinator. On March 30, 2016, while employed by UPMC, Kalina first started accessing patients’ medical records without authorization. She continued to do so until June 15, 2017. Kalina accessed the records of friends, old classmates, and individuals that she had a grievance with. She used information from the medical records in a campaign of vengeance against her former employer, Frank J. Zottola Construction. Kalina had worked at the firm as office manager for 24 years before losing the position and being replaced by a younger woman. Kalina accessed that woman’s medical records and disclosed gynecological information about the woman to the Zottola controller in June 2017. Kalina also left a voicemail message in which the medical...

Read More
2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee
Jun26

2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee

Mishawaka, IN-based Franciscan Health has discovered the protected health information of approximately 2,200 patients has been accessed by a former employee without authorization. The privacy violation was discovered during a routine privacy audit. Franciscan Health announced that it was confirmed on May 24, 2019 that an employee in the quality research department had accessed the electronic medical records of patients without authorization and with no legitimate work reason for doing so. The individual concerned is no longer employed by Franciscan Health and the matter has been reported to law enforcement. While unauthorized PHI access was confirmed, Franciscan Health found no evidence to suggest that the employee copied, transmitted, or disclosed any patient information. Patient information was stored in Franciscan Health’s medical record system, which has been in use since 2012. Through that system, the former employee accessed patient records containing information such as names, addresses, email addresses, dates of birth, phone numbers, gender information, race/ethnicity, last...

Read More
Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches
Jun24

Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches

Cybercriminals are managing to find and exploit vulnerabilities to gain access to healthcare networks and patient data with increasing regularity. The past two months have been the worst and second worst ever months for healthcare data breaches in terms of the number of breaches reported. Phishing attacks on healthcare organizations have increased and email is now the most common location of breached protected health information. However, a recent analysis of the data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the past 12 months has revealed servers to be the biggest risk. Servers were found to be involved in more than half of all healthcare data breaches. Clearwater Cyberintelligence Institute (CCI) analyzed the 90 healthcare data breaches reported to OCR in the past 12 months. Those breaches resulted in the exposure, impermissible disclosure, or theft of the records of more than 9 million individuals. The CCI analysis revealed 54% of all reported breaches of 500 or more healthcare records were in some way related to servers....

Read More
May 2019 Healthcare Data Breach Report
Jun20

May 2019 Healthcare Data Breach Report

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information. On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day. From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year. It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm. May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of...

Read More
Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach
Jun14

Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party. Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015. According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson. Deanna Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her ex husband in the custody battle. Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website and disclosed the information to her attorney, Gary Bradshaw.  Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules. After discovering that her...

Read More
Nurse Fired over Alleged Theft and Impermissible Disclosure of PHI
Jun13

Nurse Fired over Alleged Theft and Impermissible Disclosure of PHI

A former employee of a Germantown, MD-based healthcare provider is suspected of accessing the protected health information of up to 16,542 patients and providing that information to a third party for use in fraudulent activities. On April 10, 2019, Takai, Hoover & Hsu, P.A., which runs THH Paediatrics in Germantown, was notified by county and state police that an individual had been arrested as part of an investigation in a matter unrelated to THH. That individual was associated with an employee of THH who is suspected of accessing and impermissibly disclosing patient information including names, dates of birth, Social Security numbers, and addresses of the parents of patients. Immediate action was taken by THH to investigate the allegations. Access to patient data was restricted for the employee, who was placed on leave on April 16 pending the outcome of the internal and law enforcement investigations. The former employee has not been charged at this stage and no direct evidence has been found to suggest that any patient information was taken and misused; however, THH took the...

Read More
AMCA Breach Sparks Flurry of Lawsuits and Investigations
Jun12

AMCA Breach Sparks Flurry of Lawsuits and Investigations

The dust has barely settled after the news of the massive data breach at American Medical Collection Agency (AMCA) broke last week, but already more than a dozen lawsuits have been filed by victims of the breach. The breach was officially announced by Quest Diagnostics on June 3, 2019 through a 8-K filing with the Securities and Exchange Commission (SEC), and a SEC filing by LabCorp on June 4, 2019, shortly followed by BioReference Laboratories. Currently, the personal of up to 20 million individuals has potentially been compromised. The data breach at AMCA was identified by security researchers at Gemini Advisory who found a batch of 200,000 payment card numbers for sale on a popular darknet marketplace. The numbers included dates of birth and Social Security numbers. AMCA and law enforcement were notified, and systems were secured. However, the investigation revealed hackers had access to its web payment portal for 7 months. It would appear that the hackers behind the breach have at least made an effort to monetize some of the stolen data so it is no surprise that there has been...

Read More
Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation
Jun06

Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation

The Supreme Court in Vermont has ruled that a patient can sue a hospital and one of its employees for a privacy violation, despite Vermont law and HIPAA not having a private cause of action for privacy violations. The lawsuit alleges negligence over the disclosure of personal information that was obtained while the patient was being treated in the emergency room. The woman had visited the ER room to receive treatment for a laceration on her arm. The ER nurse who provided care to the patient notified law enforcement that the patient was intoxicated, had driven to the hospital, and intended to drive home after receiving treatment. The nurse had detected an odor of alcohol on the patient’s breath. Using an alco-sensor, the nurse determined the patient had blood alcohol content of 0.215. In Vermont, that blood alcohol level is more than two and a half times the legal limit for driving. A police officer in the lobby of the hospital was notified and the patient was arrested, although charges were later dropped. The women subsequently sued the hospital and the employee for violating her...

Read More
Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering
May28

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000. MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules. Between May 7 and May 26 2015, hackers gained access to a server containing data related to its NMC service.  Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen. A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in...

Read More
HHS Confirms When HIPAA Fines Can be Issued to Business Associates
May27

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules. On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate. Business associates of HIPAA Covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.   You can download the HHS Fact Sheet on direct liability of business associates on this link. Penalties for HIPAA Violations by Business Associates The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the...

Read More
Medical Informatics Engineering Settles HIPAA Breach Case for $100,000
May24

Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000. MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days between May 7 and May 26, 2015. 239 of its healthcare clients were impacted by the breach. OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules. OCR discovered MIE had failed to conduct an accurate and through risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – A violation of the HIPAA Security Rule 45 C.F.R. § 164.308(a)(l)(ii)(A). As a result of that failure, there was an impermissible disclosure of 3.5 million...

Read More
PHI of 1.5 Million Individuals Exposed Online by Inmediata
May22

PHI of 1.5 Million Individuals Exposed Online by Inmediata

In April, Inmediata, a provider of clearinghouse services to healthcare organizations, announced that the protected health information of certain patients had been exposed online as a result of a misconfigured setting on an internal web page. The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 1,565,338 individuals had their PHI exposed. That makes the data breach the largest to be reported in 2019. The information had been made available to employees through an internal web page, but the failure to configure that page correctly allowed the data to be made accessible over the internet without the need for authentication. The page was indexed by Google and patient information could be found through online searches. The information had been provided by hospitals, health plans, and independent physicians and included names, addresses, dates of birth, gender, claims data and, for a small number of patients, Social Security numbers. Inmediata immediately deactivated the web page when it was discovered...

Read More
AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan
May21

AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan

The American Academy of Neurology (AAN) has voiced concerns about the interoperability plans of the Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC). In February, both ONC and CMS proposed new rules that aim to reduce information blocking and improve interoperability. The AAN supports ONC and CMS efforts to reduce information blocking and improve interoperability. Data blocking and interoperability problems force clinicians to spend more time on clerical work, which means less time is spent providing direct care to patients. The AAN believes many of the provisions in the new rules are necessary for empowering patients and providers by providing comprehensive access to patient data; however, in a recent letter to CMS Administrator Seema Verma, the AAN has expressed concern about patient safety and security if the ONC and CMS interoperability plans are implemented. The AAN supports efforts to advance the use of standardized Fast Healthcare Interoperability Resources (FHIR) based APIs to allow patients to easily gain...

Read More
April 2019 Healthcare Data Breach Report
May20

April 2019 Healthcare Data Breach Report

April was the worst ever month for healthcare data breaches. More data breaches were reported than any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years. While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – A 23.9% reduction from March.  While the breaches were smaller in March, the increase in breaches is of great concern, especially the rise in the number of healthcare phishing attacks. Largest Healthcare Data Breaches in April 2019 Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – A ransomware attack that exposed the records of 206,695 patients. The ransomware was deployed 7 months after the attacker had first gained...

Read More
7 Month Delay Notifying HIV Study Participants About Exposure of their Confidential Information
May16

7 Month Delay Notifying HIV Study Participants About Exposure of their Confidential Information

The sensitive information of 24 women diagnosed with HIV has been made available to individuals unauthorized to access that information. Despite the breach being discovered more than 7 months ago, the affected women have still not been notified. The women were participating in an EmPower Women study at the University of California San Diego (UCSD). All 24 women had been diagnosed with HIV yet had not sought treatment. The HIV research study aimed to explore the reasons why those women had not sought treatment, specifically how substance abuse, domestic violence, trauma, and mental illness affected the decision to seek treatment and commit to treatment programs.  To help recruit patients for the study, UCSD partnered with the non-profit organization Christie’s Place, which provides support to women diagnosed with HIV and AIDS. The plan was to recruit 100 patients for the study and offer half of participants free support and counselling services and the other half were given the option of receiving standard services at Christie’s Place. The researchers would then monitor the outcomes...

Read More
CMS and ONC Tell Senate HELP Committee Rapid Progress is Required to Advance Interoperability
May10

CMS and ONC Tell Senate HELP Committee Rapid Progress is Required to Advance Interoperability

The second Senate HELP Committee hearing on the proposed roles for implementing the electronic medical records provisions of the 21st Century Cures Act has taken place this week. The Committee heard from National Coordinator for Health IT, Donald Rucker, and Director and Center for Medicare And Medicaid Services Chief Medical Officer, Kate Goodrich, M.D. The hearings aim to find a way forward to ensure the efficient accessing and sharing of health information between care providers and patients. The prevention of information blocking is one of the main goals. By allowing health information to flow freely between providers and be shared with patients, the cost of healthcare can be significantly reduced. According to Dr. Brett James of the National Academies, as much as 50% of the costs of healthcare are unnecessary. Patients are having to repeat tests because their information cannot be shared between different healthcare providers and there is considerable duplication of administrative tasks as a result of information blocking. Earlier this year both the CMS and ONC proposed new...

Read More
Key Findings of the 2019 Verizon Data Breach Investigations Report
May08

Key Findings of the 2019 Verizon Data Breach Investigations Report

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe. The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape.  The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources. The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below: C-Suite executives are 12 time more likely to be targeted in social engineering attacks than other employees Cyber-espionage related data breaches increased from 13% of breaches in 2017 to 25% in 2018 Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018 Financially motivated...

Read More
Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures
May06

Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach. Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability. On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals. As a result of the lack of access controls, files had...

Read More
Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy
May06

Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy

Facebook is making changes to Facebook Groups used to discuss health conditions. The move comes following criticism that Facebook Groups were being promoted as private and confidential when information about participants in health groups was being made available to third parties for advertising purposes. In January, a complaint was filed with the Federal Trade Commission alleging the content of private Facebook health groups had been shared with third parties. Some members of these health support groups claimed they had been targeted by advertisers who had offered products and services related to health conditions that had only ever been discussed in closed, private Facebook health groups. The groups are used by individuals with health conditions to obtain advice and receive support. Groups have been set up to help people with a wide range of health conditions, including cancer, substance abuse disorder, and mental health issues. Information was being openly discussed by members of the groups in the belief that the groups were confidential. Not only were advertisers able to contact...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Apr26

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
MD Anderson Cancer Center Fires Three Scientists Over Concerns About Theft of Research Data
Apr25

MD Anderson Cancer Center Fires Three Scientists Over Concerns About Theft of Research Data

MD Anderson Cancer Center, the world’s leading cancer research center, has recently fired three scientists over espionage fears after being alerted by the National Institutes of Health (NiH) to irregularities involving grant recipients. NiH, the largest public funder of biomedical research in the United States, had been instructed by federal officials to investigate certain professors who were believed to be in violation of granting agency policies. NiH, assisted by the FBI, discovered potential conflicts of interest and unreported foreign income by five members of MD Anderson staff. NiH sent emails to MD Anderson in 2018 and demanded a response within 30 days. The failure to take action could potentially result in NiH withholding essential funding. MD Anderson received $148 million in NiH grants in 2018. In response to the accusations, MD Anderson conducted an investigation and initiated termination procedures for three professors, two of whom resigned from their posts before proceedings started. The fourth professor was investigated but termination was not deemed to be warranted....

Read More
New Washington Breach Notification Law Unanimously Passed by Legislature
Apr24

New Washington Breach Notification Law Unanimously Passed by Legislature

A new data breach notification law (HB 1071 / SB 5064) has been unanimously passed by the Washington legislature and awaits Washington Governor Jay Inslee’s signature. The law broadens the definition of personal information and shortens the timescale for issuing notifications to 30 days. Currently, data breach notification laws in Washington only require entities to issue notifications in the event of a breach of a state resident’s name along with a Social Security number, state ID, driver’s license number, or credit/debit card number. The updated breach notification law will also require notifications to be issued in the event of a breach of the following data elements: Full date of birth Military ID numbers Biometric data Passport ID numbers Student ID numbers Medical histories Health insurance ID numbers Usernames and email addresses in combination with a password or answers to security questions that would allow an account to be accessed. Keys for electronic signatures With the exception of online account credentials, the new data elements could be classed as personal...

Read More
Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million
Apr23

Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017. Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted. The drives contained the types of information sought by identity thieves: Names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project. While the hard drive was stolen, Washington State University maintains there are no indications any data stored on the...

Read More
Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules
Apr16

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed many healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules. For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules. The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year. Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%). Out of the...

Read More
March 2019 Healthcare Data Breach Report
Apr15

March 2019 Healthcare Data Breach Report

In March 2019, healthcare data breaches continued to be reported at a rate of one a day. 31 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is almost 14% higher than the average of the past 60 months.   The number of reported breaches fell by 3.12% month over month and there was a 56.79% decrease in the number of breached healthcare records. March saw the healthcare records of 912,992 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches. Causes of March 2019 Healthcare Data Breaches The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 88.40% of all compromised records (807,128 records). There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft...

Read More
OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits
Apr04

OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter. Healthcare organizations are attractive targets for hackers due to quantity of sensitive data they store. Individual’s protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals. Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value cybercriminals. The information can be used by foreign governments to drive innovation. There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits. An advanced persistent threat (APT) is a term used to refer to repeated cyberattacks that attempt to exploit vulnerabilities to gain...

Read More
Amazon Launches New System for De-identifying Medical Images
Apr02

Amazon Launches New System for De-identifying Medical Images

Amazon has announced that it has developed a new system that allows identifying protected health information contained in medical images to be automatically removed to prevent patients from being identified from the images. Medical images often have patients’ protected health information stored as text within the image, including the patient’s name, date of birth, age, and other metrics. Prior to the images being used for research, authorization must be obtained from the patient or all identifying data must be permanently removed.  Removing PHI from images requires a manual check and alteration of the image to redact the PHI and that can be an expensive and time-consuming process, especially when large number of images must be de-identified. The new system uses Amazon’s Rekognition machine-learning service, which can detect and extract text from images. The text is then fed through Amazon Comprehend Medical to identify any PHI. In combination with Python code it is possible to quickly redact any PHI in the images. The system works on PNG, JPEG, and DICOM images. A confidence score...

Read More
Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations
Apr01

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed. According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug, propofol, from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego. During the time that the cameras were recording 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped. A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts. The lawsuit states that, “At times,...

Read More
Health Apps Share User Data but Lack Transparency About the Practice
Mar29

Health Apps Share User Data but Lack Transparency About the Practice

Mobile health apps are commonly used to track health metrics and promote healthier lifestyles, and as such, they record a range of sensitive health information. What consumers may be unaware of is how that data is used and with whom the information is shared. Information entered into an app is commonly shared with multiple third parties and the data is often monetized, but consumers are left in the dark about the practice. A study of data sharing practices by medicines-related apps, published in the BMJ, revealed that out of 24 apps that were studied, 19 (79%) shared user data with third parties. The types of apps that were assessed pertained to dispensing, administration, prescribing or use of medicines. Each app was subjected to simulated real world use with four dummy scripts. The researchers found user data was shared with 55 different entities, from 46 parent companies, which either received or processed the data. Those entities included app developers, parent companies, and third-party service providers. 67% of the third parties provided services related to the collection or...

Read More
Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices
Mar27

Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices

Earlier this month, the eHealth Initiative Foundation and Manatt Health issued a brief that calls for the introduction of a values framework to better protect health information collected, stored, and used by organizations that are not required by law to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules. Health information is increasingly being collected by a wide range of apps and consumer devices. In many cases, the types of data collected by these apps and devices are the same as those collected and used by healthcare organizations. While healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of health information and uses and disclosures of that information are restricted, the same rules do not cover the data if the information is collected by other entities. It doesn’t matter what type of organization stores or uses the data. If that information is exposed it can cause considerable harm, yet this is currently something of a gray area that current regulations do not cover properly. At...

Read More
Texas Department of Aging and Disability Services Agrees to $1.6 Million Settlement Over 2015 Data Breach
Mar27

Texas Department of Aging and Disability Services Agrees to $1.6 Million Settlement Over 2015 Data Breach

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients. The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015. OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. On July 2015, OCR notified DADS that the investigation had revealed there had been multiple violations of HIPAA Rules. DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. There had also been a failure to implement appropriate...

Read More
D.C. Attorney General Proposes Tougher Breach Notification Laws
Mar25

D.C. Attorney General Proposes Tougher Breach Notification Laws

Washington D.C. Attorney General Karl. A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach. On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach. Currently laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers. If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military Identification data, and health insurance information. Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches...

Read More
Concerns Raised with FDA over Medical Device Security Guidance
Mar22

Concerns Raised with FDA over Medical Device Security Guidance

The U.S. Food and Drug Administration (FDA) is reviewing feedback on the guidance for medical device manufacturers issued in October 2018. Comments have been submitted on the guidance, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, by more than 40 groups and healthcare companies before the commenting period closed on March 18. Feedback will be taken on board and the guidance will be updated accordingly. The final version of the guidance is expected to be released later this year. The requirement for medical device manufacturers to submit a ‘Cybersecurity Bill of Materials’ to the FDA as part of the premarket review has been broadly praised. The CBOM needs to include a list of software and hardware components which have vulnerabilities or are susceptible to vulnerabilities. The CBOM will help healthcare organizations assess and manage risk. However, concerns have been raised by several groups about having to include all hardware components, as it may not even be possible for device manufacturers to provide that information. If hardware...

Read More
Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs
Mar22

Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs

Two vulnerabilities have been identified in the Conexus telemetry protocol used by Medtronic MyCarelink monitors, CareLink monitors, CareLink 2090 programmers, and 17 implanted cardiac devices. Both vulnerabilities require a low level of skill to exploit, although adjacent access to a vulnerable device would be required to exploit either vulnerability. The most serious vulnerability, rated critical, is a lack of authentication and authorization controls in the Conexus telemetry protocol which would allow an attacker with adjacent short-range access to a vulnerable device to inject, replay, modify, and/or intercept data within the telemetry communication when the product’s radio is turned on. An attacker could potentially change memory in a vulnerable implanted cardiac device which could affect the functionality of the device. The vulnerability is being tracked as CVE-2019-6538 and has been assigned a CVSS v3 base score of 9.3. A second, medium severity vulnerability concerns the transmission of sensitive information in cleartext. Since the Conexus telemetry protocol does not use...

Read More
February 2019 Healthcare Data Breach Report
Mar18

February 2019 Healthcare Data Breach Report

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January. The number of reported breaches may have fell by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – A 330% increase from the previous month. Causes of Healthcare Data Breaches in February 2019 Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports. 75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents. There were four unauthorized access/disclosure incidents and 4 cases of theft of physical or electronic PHI. The...

Read More
HIPAA Compliant Online Forms
Mar12

HIPAA Compliant Online Forms

Web forms offer healthcare organizations an easy way to digitally collect information from patients, but care must be taken not to violate HIPAA Rules. To collect any health data, HIPAA compliant online forms must be used. HIPAA Compliant Online Forms Must be Used for Collecting Health Information The HIPAA Privacy and Security Rules requires all HIPAA-covered entities and business associates to implement a range of safeguards to ensure the confidentiality, integrity, and availability of protected health information. Online forms are not specifically mentioned in the HIPAA text, but the Privacy and Security Rules do apply to online forms. Large healthcare organizations are more likely to have in-house staff with the skills to create forms that comply with HIPAA Rules, but many covered entities take advantage of the convenience of third-party webform solutions. There are many companies that offer HIPAA compliant online forms software that allows forms to be quickly spun up and used for a wide range of purposes such as onboarding new patients, obtaining consent, collecting payments,...

Read More
Lawmakers Propose Florida Biometric Information Privacy Act
Mar12

Lawmakers Propose Florida Biometric Information Privacy Act

Senator Gary Farmer (D-FL) and Representative Bobby DuBose (D-FL) have proposed new bills (SB 1270 /HB 1153) that require all private entities to obtain written consent from consumers prior to collecting or using their biometric data. The Florida Biometric Information Privacy Act is similar to the Illinois Biometric Information Privacy Act which was signed into law in 2008 and would require private entities to notify consumers about the reasons for collecting biometric information and the proposed uses of that information when obtaining consent. Policies covering data retention and disposal of the information would also need to be made available to the public. Private entities would also be prohibited from profiting from an individual’s biometric information and must not sell, lease, or trade biometric information. Private entities will be required to implement safeguards to protect stored biometric information to ensure the information remains private and confidential. When the purpose for collecting the information has been achieved, or after three years following the last...

Read More
25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months
Mar11

25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

The Verizon Mobile Security Index 2019 report indicates 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months. All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation. Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months. While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices. 85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to...

Read More
IRS Issues Warning About Tax-Related Phishing Scams
Mar05

IRS Issues Warning About Tax-Related Phishing Scams

The IRS has launched its 2019 ‘Dirty Dozen’ campaign warning taxpayers about the most common tax-related phishing scams that lead to tax fraud and identity theft. Each year the IRS provides taxpayers, businesses, and tax professionals with information on the 12 most common phishing and tax scams to raise awareness of the most prevalent threats. During tax season, cybercriminals are highly active and seek tax information to commit identity theft and submit fraudulent tax returns. Each year, many consumers are fooled into disclosing their personal information and scores of organizations fall victim to these scams and disclose the tax information of employees to scammers. The scams are conducted over the phone, via text messages, on social media platforms, websites, and via email. On March 4, 2019, the IRS launched this year’s Dirty Dozen campaign with a warning about the most serious threat during tax season – phishing. On each of the following 11 weekdays, the IRS will highlight a different scam. Tax-related phishing scams are often cleverly disguised. Emails are sent that appear to...

Read More
Nevada Senator Proposes New Federal Data Privacy Act
Mar04

Nevada Senator Proposes New Federal Data Privacy Act

Nevada Senator Catherine Cortex Masto, (D-NV) has introduced a bill – the Data Privacy Act – which calls for greater accountability and transparency for data collection practices, improved privacy protections for consumers, and the prohibition of discriminatory data practices. HIPAA-covered entities are required to obtain consent from patients prior to using or disclosing their health information for reasons other than the provision of healthcare, payment for healthcare, or for healthcare operations. However, companies not bound by HIPAA Rules do not have the same restrictions in place. Several states have introduced or are considering introducing laws covering health and other sensitive data collected by entities that are not covered by HIPAA in the absence of a federal law that provides such protections. While Congress is assessing privacy protections for consumers, currently protection is provided by patchwork of state laws. Privacy protections can vary greatly depending on where a person lives. The bill – The Digital Accountability and Transparency to Advance Privacy (DATA...

Read More
New HIPAA Regulations in 2019
Mar04

New HIPAA Regulations in 2019

While there were expected to be some 2018 HIPAA updates, the wheels of change move slowly. OCR has been considering HIPAA updates in 2018 although it is likely to take until the middle of 2019 before any proposed HIPAA updates in 2018 are signed into law. Further, the Trump Administration’s policy of two regulations out for every new one introduced means any new HIPAA regulations in 2019 are likely to be limited. First, there will need to be some easing of existing HIPAA requirements. HIPAA updates in 2018 that were under consideration were changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS was considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of  substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. Other potential changes to HIPAA regulations in 2018 included the removal of aspects of HIPAA that impede the ability of doctors and hospitals to coordinate to deliver...

Read More
Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity
Feb28

Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity

Senator Mark Warner (D-Va) has written letters to leaders of the Department of Health and Human Services (HHS), the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), the National Institute of Standards and Technology (NIST), and 12 healthcare associations requesting answers to a list of healthcare cybersecurity questions. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, is deeply concerned about the state of cybersecurity in healthcare and is calling for a collaborative effort “to develop a short- and long-term strategy [for] reducing cybersecurity vulnerabilities in the health care sector” and “develop a national strategy that improves the safety, resilience, and security of our healthcare industry.” The healthcare industry is being targeted by cybercriminals and those attacks are succeeding far too frequently. 2014 was the sixth successive year to see an annual increase in healthcare data breaches. In 2015, another record was broken. The most healthcare records ever breached. 113 million...

Read More
Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices
Feb27

Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices

Several healthcare associations have requested a safe harbor for healthcare organizations that would prevent OCR and state attorneys general from issuing financial penalties for breaches of protected health information if the breached entity has met certain standards for safeguarding protected health information (PHI). The suggestions were made in response to the Department of Health and Human Services’ request for information (RFI) on potential changes to HIPAA to reduce the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received more than 1,300 comments on possible changes prior to the February 12, 2019 deadline. The safe harbor was suggested by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA). Healthcare organizations can adopt cybersecurity frameworks, create layered...

Read More
New Cybersecurity Requirements for Ohio Health Insurers
Feb27

New Cybersecurity Requirements for Ohio Health Insurers

From March 20, 2019, insurance companies in Ohio will be subject to a new law (Senate Bill 273) that requires them to develop and implement a written information security program to safeguard business and personal information. The information security program must include a comprehensive internal risk assessment to identify risk and threats to systems and data. Following the risk assessment, safeguards must be implemented to protect all nonpublic information that would cause a material adverse impact to business operations or could cause harm to customers if the information were to be exposed or accessed by unauthorized individuals. Nonpublic information includes financial information, health information, and identifiers such as Social Security numbers, driver’s license numbers, state ID cards, biometric information, account numbers, credit/debit card numbers, security/access codes that permit access to a financial account, and any information (except age or gender) that is created by or derived from a healthcare provider or consumer that could be used to identify an individual in...

Read More
New York State Departments Investigate Facebook Over Health Data Sharing Practices
Feb26

New York State Departments Investigate Facebook Over Health Data Sharing Practices

A recent analysis of Facebook’s data collection practices has revealed sensitive health data is obtained by Facebook from third party apps, even if the user has not logged in via Facebook or does not even have a Facebook account. Private information including blood pressure measurements, heart rate data, menstrual cycle data, and other health metrics are provided to Facebook, often without the user’s knowledge or any specific disclosure that data provided by users or collected directly by the apps are shared with the ocial media platform. The investigation was conducted by the Wall Street Journal, which conducted tests on various health-related apps. While it was known that some of those apps send data to Facebook about when they are used, the extent of data sharing was not well understood. The report revealed that 11 popular smartphone apps have been passing sensitive data to Facebook without apparently obtaining consent from users. One app, Flo Period & Ovulation Tracker, shares dates of a user’s last period with Facebook and the predicted date when the user is ovulating. The...

Read More
NHS to Phase Out Pagers by End of 2021
Feb26

NHS to Phase Out Pagers by End of 2021

The National Health Service (NHS) has commissioned a report on the costs of pagers and the extent of their use in NHS Trusts in the UK. The study revealed around 130,000 pagers are used in NHS Trusts – Approximately 10% of the world’s pagers – and the annual cost is around £6.6 million ($8.73 million). Advantages and Disadvantages of Pagers in Healthcare Pagers have served the healthcare industry well for several decades and they are still useful devices. Pagers are easy to use, they are small, easy to carry, and batteries can last months between charges. The pager system uses its own transmitters and frequencies and the signals can pass through structures. Consequently, coverage is excellent, and communication is fast and reliable. Pagers have one function and they perform that task very well. However, there are many drawbacks to pagers in healthcare. Most of the pagers used by NHS Trusts do not support two-way communication. When a message is received, a doctor must find a phone and call a number to receive the message. When an immediate response is not possible, messages are...

Read More
January 2019 Healthcare Data Breach Report
Feb25

January 2019 Healthcare Data Breach Report

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day in January. There were 33 healthcare data breaches reported in January 2019. January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed. Largest Healthcare Data Breaches in January 2019   Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Centerstone Insurance and Financial Services (BenefitMall) Business Associate 111589 Hacking/IT Incident 2 Las Colinas Orthopedic Surgery & Sports Medicine, PA Healthcare Provider 76000 Theft 3 Valley Hope Association Healthcare Provider 70799 Hacking/IT Incident 4 Roper St. Francis Healthcare Healthcare Provider 35253 Hacking/IT Incident 5 Managed Health Services Health Plan 31300 Hacking/IT Incident 6 EyeSouth Partners Business Associate 24113 Hacking/IT Incident 7 Dr....

Read More
Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups
Feb21

Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups

A complaint has been filed with the FTC over misleading practices by Facebook. The complaint alleges health information disclosed in closed, supposedly anonymous and private Facebook groups has been exposed. Congress is calling for Facebook to provide answers about the alleged privacy violations involving the Facebook PHR (Groups) platform. Leaders from the House Committee on Energy & Commerce have written to Facebook CEO Mark Zuckerberg requesting an urgent response to the privacy complaint filed with the FTC by users of Facebook Groups. The complaint was sent to the FTC in December and was made public this week. In the complaint letter, security researcher Fred Trotter and members of a Facebook health group allege that personal health information disclosed by users of closed Facebook groups has been exposed. As a result, members of the groups are at risk of harassment and discrimination. Closed Facebook groups are used by sufferers of health and mental health conditions to get support. Many support groups have been sent up on the platform specifically for that purpose....

Read More
2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records
Feb13

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018. The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches. According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018. In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased...

Read More
OCR Settles Cottage Health HIPAA Violation Case for $3 Million
Feb08

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000. Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients. In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information. Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed...

Read More
Wyoming Considers Repealing Hospital Records Act
Feb06

Wyoming Considers Repealing Hospital Records Act

Wyoming is considering repealing the Hospital Records Act of 1991, an act that was introduced to ensure the privacy of patient information was protected. The law was enacted before the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and provided protections that did not previously exist at the state or federal level. The Hospital Records Act introduced similar protections for patients to those provided by HIPAA. The Act covered disclosures of patient information by hospitals, authorizations from patients prior to disclosure of patient information, the publishing notices of privacy practices, the persons authorized to act on behalf of patients, and security safeguards and rules covering record retention. The Hospital Records Act was effective at the time but following the enactment of HIPAA and its subsequent Privacy and Security Rules, it became redundant. While the requirements of both the federal and state laws are similar, there are several discrepancies between the two laws and the compliance requirements differ slightly. The Hospital Records Act is seen to...

Read More
Legal Action Over Illinois Biometric Information Privacy Act Violations Possible Without Actual Harm
Feb01

Legal Action Over Illinois Biometric Information Privacy Act Violations Possible Without Actual Harm

The Illinois Supreme Court has ruled that individuals whose privacy has been violated through a breach of the Illinois Biometric Information Privacy Act can take legal action against a private entity, even if the violation of BIPA has not resulted in actual harm. The Illinois Biometric Information Privacy Act, enacted in 2008, requires private entities to inform a person in writing that their biometric information will be collected or stored. The purpose for the collection or storage of that data and the length of time the information will be retained must also be explained. The entity must also obtain written authorization from an individual or that individual’s legal representative before biometric data can be collected or stored. Biometric data includes fingerprints, voiceprints, hand scans, iris scans, and other biometric means of identifying a person. In contrast to HIPAA, which has no private cause of action, individuals can sue companies for Illinois Biometric Information Privacy Act (BIPA) violations. Illinois is unique in that respect. Other states such as Texas and...

Read More
Aetna Settles HIV Status Breach Case with California AG for $935,000
Feb01

Aetna Settles HIV Status Breach Case with California AG for $935,000

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy breach that exposed state residents’ HIV status. On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates.  Approximately 12,000 individuals were sent letter, 1,991 of whom lived in California. The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution. In...

Read More
Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data
Jan31

Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data

The Oregon Health Information Property Act proposes patients should be allowed to authorize their healthcare providers to sell their health data and for them to be financially compensated if their health information is sold to a third party. Currently, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered entities are only permitted to use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. While there are some exceptions, other uses and disclosures are prohibited unless consent is first obtained from patients. The HIPAA Privacy Rule covers PHI, which is identifiable patient information. If PHI is stripped of information that allow an individual to be identified, it is no longer considered PHI and is no longer subject to Privacy Rule controls. That means that if a HIPAA-covered entity de-identifies PHI, they can then sell that information on for profit. That information can be valuable to research...

Read More
Expected HIPAA Updates and HIPAA Changes in 2019
Jan31

Expected HIPAA Updates and HIPAA Changes in 2019

The Health Insurance Portability and Accountability Act was signed into law in 1996 and while there have been some significant HIPAA updates over the last two decades, the last set of major HIPAA updates occurred in 2013 with the introduction of the HIPAA Omnibus Final Rule. Further updates to HIPAA are now long overdue, but what can be expected in terms of HIPAA changes in 2019? Major HIPAA Updates in the Past 20 Years Since HIPAA was signed into law there have been some major HIPAA updates. The HIPAA Privacy and Security Rules were followed by the incorporation of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013. Such major HIPAA updates placed a significant burden on HIPAA covered entities and considerable time and effort was required to introduce new policies and procedures to ensure continued compliance. It is now almost 6 years since the last major HIPAA updates were enacted. Over those six years, various issues have arisen with...

Read More
New Cybersecurity Framework for Medical Devices Issued by HSCC
Jan30

New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle. The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector. More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing...

Read More
Patches Released to Mitigate KRACK Vulnerabilities Affecting Stryker Medical Beds
Jan30

Patches Released to Mitigate KRACK Vulnerabilities Affecting Stryker Medical Beds

Stryker has identified nine vulnerabilities that affect some of its Medical Beds. The vulnerabilities could potentially be exploited in a man-in-the-middle attack by an attacker within radio range of vulnerable product to replay, decrypt, or spoof frames. The vulnerabilities are present in the four-way handshake used by WPA and WPA2 wireless security protocols which allow nonce reuse in Key Reinstallation (KRACK) attacks. Similar vulnerabilities have been identified in a wide range of wireless devices. The nine vulnerabilities are summarized below: CVE-2017-13077: Reinstallation of pairwise key in the four-way handshake. CVE-2017-13078: Reinstallation of group key in the four-way handshake. CVE-2017-13079: Reinstallation of Integrity Group Temporal Key in the four-way handshake. CVE-2017-13080: Reinstallation of group key in the group key handshake. CVE-2017-13081: Reinstallation of Integrity Group Temporal Key in the group key handshake. CVE-2017-13082: Reinstallation of Pairwise Transient Key Temporal Key in the fast BSS transmission handshake. CVE-2017-13086: Reinstallation of...

Read More
GDPR Incorporated into the HITRUST CSF
Jan29

GDPR Incorporated into the HITRUST CSF

HITRUST has combined the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements. Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater. Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible. “As countries around the world continue to adopt and advance...

Read More
Multiple Flaws Identified in LabKey Server Community Edition
Jan29

Multiple Flaws Identified in LabKey Server Community Edition

Security researchers at Tenable Research have discovered multiple flaws in LabKey Server Community Edition 18.2-60106.64 which could be exploited to steal user credentials, access medical data, and run arbitrary code through the Labkey browser. LabKey Server is an open source collaboration tool that allows scientists to integrate, analyze, and share biomedical research data. While the platform serves as a secure data repository, vulnerabilities have been identified that allow security controls to be bypassed. CVE-2019-3911 – Reflected XSS Multiple flaws have been identified in all versions of LabKey Server Community Edition prior to v 18.3.0 related to the validation and sanitization of query functions, in particular, the query.sort parameter. The parameter is reflected in output to the user and is interpreted by the browser, which opens to door for a cross site scripting attack. If the flaws are exploited, an attacker could run arbitrary code within the context of the browser. Attacks are possible with and without authentication. CVE-2019-3912 – Open Redirects Open redirects via...

Read More
Analysis of 2018 Healthcare Data Breaches
Jan28

Analysis of 2018 Healthcare Data Breaches

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR). 2018 Was a Record-Breaking Year for Healthcare Data Breaches Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States. The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year. In 2018, 365 healthcare data breaches of 500 or more records were reported, up almost 2% from the...

Read More
December 2018 Healthcare Data Breach Report
Jan22

December 2018 Healthcare Data Breach Report

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January. In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11. Largest Healthcare Data Breaches in December 2018 Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure 2 JAND Inc. d/b/a Warby Parker Healthcare Provider 177,890...

Read More
Revised Common Rule Now Effective
Jan21

Revised Common Rule Now Effective

The updated Federal Policy for the Protection of Human Subjects (45 CFR part 46), otherwise known as the Common Rule, is now in effect. The compliance date of the revised Common Rule was January 21, 2019. The Common Rule governs federally funded research on human subjects and was introduced in 1991. The Common Rule was amended in 2015 and underwent a major revision in 2017 to improve protections for research subjects while easing the administrative burden on researchers, especially for low-risk research. The compliance date of the revised Common Rule was initially January 19, 2018; however, two days before the compliance date, an interim final rule was published which delayed the compliance date initially for six months, and subsequently for another six months. Regulated entities were required to comply with the pre-2018 version of the Common Rule until January 20, 2019, with the exception of three provisions of the revised Common Rule which aimed to reduce the administrative burden on researchers. Those three provisions, which could be adopted between July 2019 and January 20,...

Read More
State AG Proposes Tougher Data Breach Notification Laws in North Carolina
Jan21

State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents. The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims. Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents. The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows...

Read More
Physician Receives Probation for Criminal HIPAA Violation
Jan18

Physician Receives Probation for Criminal HIPAA Violation

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation and has escaped a jail term and fine. The case concerned the wrongful disclosure of patients’ PHI to a pharmaceutical firm. The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion. In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug. Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability. The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules...

Read More
CMS Completes Rollout of New Medicare Cards 3 Months Ahead of Schedule
Jan18

CMS Completes Rollout of New Medicare Cards 3 Months Ahead of Schedule

Individuals with Medicare have been provided with new Medicare cards without Social Security numbers as part of the Centers for Medicare & Medicaid Services (CMS) efforts to combat fraud and abuse and protect against identity theft. Instead of Social Security numbers, the new Medicare cards use unique, randomly generated Medicare Beneficiary Identifiers that include a combination of numbers and letters. CMS has issued more than 61 million new cards over the course of the past 9 months and has now completed the rollout three months ahead of the April 2019 deadline set by Congress in the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015. “Safeguarding our beneficiaries’ personal information continues to be one of our top priorities,” explained CMS Administrator Seema Verma in a January 16 press release. “The Trump Administration is committed to modernizing Medicare and has expedited this process to ensure the protection of Medicare beneficiaries and taxpayer dollars from the potential for fraud and abuse due to personal information that existed on the old cards.” More...

Read More
New Massachusetts Data Breach Notification Law Enacted
Jan16

New Massachusetts Data Breach Notification Law Enacted

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019. The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications. Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name. Social Security number Driver’s license number State issued ID card number Financial account number, or credit/ debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. As with the previous law, there is no set timescale for issuing breach...

Read More
OCR Seeks Permanent Deputy Director for Health Information Privacy
Jan15

OCR Seeks Permanent Deputy Director for Health Information Privacy

The U.S. Department of Health and Human Services’ Office for Civil Rights has advertised for a permanent Deputy Director for Health Information Privacy. The position was posted on USAJOBS on January 14, 2019. The last permanent Deputy Director was Deven McGraw, who left OCR in October 2017 for the private sector. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, took on the role of acting Deputy Director for Health Information Privacy but also left the post for the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018. The role involves leading OCR’s day-to-day HIPAA privacy and security program operations, development of privacy and security policies, administrative rulemaking, interpretation of current regulations, providing technical assistance to the department’s regional offices, and coordinating HIPAA Privacy and Security Rule compliance activities to ensure consistent application of policies across all regional offices. The Deputy Director for Health...

Read More
Advertising Expenditures Increase 64% Following a Healthcare Data Breach
Jan07

Advertising Expenditures Increase 64% Following a Healthcare Data Breach

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach. Healthcare Data Breaches Are the Costliest to Mitigate Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. According to the Ponemon Institute/IBM Security’s 2018 cost of a data breach study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors. Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. Click To Tweet In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen. The Ponemon Institute study revealed healthcare organizations...

Read More
Summary of 2018 HIPAA Fines and Settlements
Jan03

Summary of 2018 HIPAA Fines and Settlements

This post summarizes the 2018 HIPAA fines and settlements that have resulted from the enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. Another Year of Heavy OCR HIPAA Enforcement In 2016, there was a significant increase in HIPAA files and settlements compared to the previous year. In 2016, one civil monetary penalty was issued by OCR and 12 settlements were agreed with HIPAA covered entities and their business associates. In 2015, OCR only issued 6 financial penalties. The high level of HIPAA enforcement continued in 2017 with 9 settlements agreed and one civil monetary penalty issued. While there were two settlements agreed in February 2018 to resolve HIPAA violations, there were no further settlements or penalties until June. By the end of the summer it was looking like OCR had eased up on healthcare organizations that failed to comply with HIPAA Rules. However, in September, a trio of settlements were agreed with hospitals that had allowed a film crew to record footage of patients without first...

Read More
IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity
Jan03

IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity

The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued an alert about increased Chinese malicious cyber activity targeting IT service providers such as Managed Service Provider (MSPs), Managed Security Service Providers (MSSPs), Cloud Service Providers (CSPs) and their customers. The attacks take advantage of trust relationships between IT service providers and their customers. A successful cyberattack on a CSP, MSP or MSSP can give the attackers access to healthcare networks and sensitive patient data. The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued technical details on the tactics and techniques used by Chinese threat actors to gain access to services providers’ networks and the systems of their customers. The information has been shared to allow network defenders to take action to block the threats and reduce exposure to the Chinese threat actors’ activities. Guidance has been released for IT service providers and their customers on the steps that should be taken to improve security to prevent...

Read More
HHS Publishes Cybersecurity Best Practices for Healthcare Organizations
Jan02

HHS Publishes Cybersecurity Best Practices for Healthcare Organizations

The U.S. Department of Health and Human Services has issued voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients. Healthcare technologies are essential for providing care to patients, yet those technologies introduce risks. If those risks are not properly managed they can result in disruption to healthcare operations, costly data breaches, and harm to patients. The HHS notes that $6.2 billion was lost by the U.S. Health Care System in 2016 as a result of data breaches and 4 out of 5 physicians in the United States have experienced some form of cyberattack. The average cost of a data breach for a healthcare organization is now $2.2 million. “Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems...

Read More
What is Texas HB 300?
Dec28

What is Texas HB 300?

What is Texas HB 300, who is required to comply with the legislation, and what are the penalties for noncompliance? This post answers these and other important questions about Texas HB 300. What is Texas HB 300? The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets minimum privacy and security standards for healthcare organizations. HIPAA naturally covers healthcare organizations based in Texas, but they also must comply with state laws. Texas has some of the most stringent laws in the United States as far as health data is concerned which are detailed in Texas HB 300 (Texas House Bill 300). Texas HB 300 was passed by the Texas legislature in June 2011 and was signed into law by Texas Governor Rick Perry. The compliance date for Texas HB 300 was September 1, 2012. Texas HB 300 amended four laws in Texas: The Texas Health Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602) and introduced tougher privacy protections for health...

Read More
Most Common Security Weaknesses in Healthcare Identified
Dec28

Most Common Security Weaknesses in Healthcare Identified

The most common security weaknesses in healthcare have been identified by Clearwater. Clearwater analyzed data from IRM analyses conducted over the past six years. Millions of risk records were assessed from hospitals, Integrated Delivery Networks, and business associates of those entities to identify the most common security vulnerabilities in healthcare. The analysis revealed almost 37% of high and critical risks were in three areas: User authentication Endpoint leakage Excessive user permissions The most common security weaknesses in healthcare were deficiencies in user authentication. These are failures to correctly authenticate users and verify the level of access that users should have to an organization’s resources. These deficiencies include the use of default passwords and generic user IDs, writing down passwords and posting them on computer monitors or hiding them under keyboards, and the transmission of user credentials via email in plain text. User authentication deficiencies were most commonly associated with servers and SaaS solutions. Clearwater also notes that more...

Read More
NIST Releases Final Version of Updated Risk Management Framework
Dec27

NIST Releases Final Version of Updated Risk Management Framework

The National Institute of Standards and Technology (NIST) has released the final version of its updated Risk Management Framework (RMF 2.0). RMF 2.0 (SP 800-37 Revision 2: Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) addresses privacy and security concerns in IT risk management. One key change in the updated version of the RMF is the introduction of a ‘Prepare’ step. This additional step involves assigning responsibilities to specific individuals, enabling enterprise-wide privacy and security controls, eliminating unnecessary functions, publishing common controls, prioritizing resources for high value assets, and establishing communication channels to ensure effective communication between the C-Suite and employees. The ‘Prepare’ step, which comes before the Categorize step, was introduced to help organizations “achieve more effective, efficient, and cost-effective security and privacy risk management processes.” RMF 2.0 requires maximum use of automation in executing the framework rules to allow...

Read More
Largest Healthcare Data Breaches of 2018
Dec27

Largest Healthcare Data Breaches of 2018

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records. 2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records. A Bad Year for Healthcare Data Breaches As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records. It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017. In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in...

Read More
LifeBridge Health Sued for 18-Month Malware That Allowed Theft of 530,000 Patients’ PHI
Dec24

LifeBridge Health Sued for 18-Month Malware That Allowed Theft of 530,000 Patients’ PHI

A lawsuit has been filed on behalf of patients who had their protected health information stolen as a result of a malware infection at the Baltimore-based healthcare provider LifeBridge Health. LifeBridge Health discovered the malware infection in March 2018; however, an investigation of the breach revealed the malware had been installed on one of its servers on or around September 27, 2016. The server hosted LifeBridge Health electronic medical records and its patient registration and billing systems. During the 18 months that the malware was on its server, the protected health information of approximately 530,000 patients was allegedly stolen – Information such as names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses, and treatment information. According to the lawsuit, filed by law firm Murphy, Falcon & Murphy, the malware was installed as a result of “LifeBridge’s failure to ensure the integrity of its servers and to properly safeguard patients’ highly sensitive and confidential information.” The lawsuit claims the...

Read More
Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital
Dec21

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients. McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center. The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an...

Read More
When Did HIPAA Become Law?
Dec21

When Did HIPAA Become Law?

The Health Insurance Portability and Accountability Act (HIPAA) helped reform the healthcare industry, but when did HIPAA become law and what are the key dates in the history of HIPAA? In this post we give a short history of HIPAA, including key updates to the legislation over the past two decades. When Did HIPAA Become Law? HIPAA was signed into law by president Clinton on August 21, 1996; however, HIPAA has received several major updates over the following years. These were: The HIPAA Privacy Rule The HIPAA Security Rule The HITECH Act The HIPAA Breach Notification Rule The HIPAA Omnibus Rule When Did the HIPAA Privacy Rule Become Law? The HIPAA Privacy Rule was signed into law on December 28, 2000, although modifications were made and the final rule was published on August 14, 2002. The HIPAA Privacy Rule introduced standards for the privacy of individually identifiable health information, stipulated the allowed uses and disclosures of health information, and gave patients the right to obtain copies of their health data. The HIPAA Privacy Rule also required business associates...

Read More
November 2018 Healthcare Data Breach Report
Dec20

November 2018 Healthcare Data Breach Report

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed. November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November. To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018. There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported. Largest Healthcare Data Breaches in November 2018 The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records....

Read More
27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year
Dec19

27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year

According to a new report from Kaspersky Lab, 27% of healthcare employees said their organization had experienced at least one ransomware attack in the past year and 33% of those respondents said their organization had experienced multiple ransomware attacks. In its report – Cyber Pulse: The State of Cybersecurity in Healthcare – Kaspersky lab explained that up until January 1, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights has been notified of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals. The impact of those breaches can be serious for the organizations concerned. Not only can breaches result in millions of dollars in costs, they can permanently damage the reputation of a healthcare organization and can result in harm being caused to patients. To investigate the state of cybersecurity in healthcare, Kaspersky Lab commissioned market research firm Opinion Matters to conduct a survey of healthcare employees in the United States and Canada to explore the perceptions of healthcare employees regarding...

Read More
Vulnerability Identified in Medtronic Encore and Carelink Programmers
Dec18

Vulnerability Identified in Medtronic Encore and Carelink Programmers

ICS-CERT has issued an advisory about a vulnerability that has been identified in certain Medtronic CareLink and Encore Programmers. Some personally identifiable information (PII) and protected health information (PHI) stored on the devices could potentially be accessed due to a lack of encryption for data at rest. The programmers are used in hospitals to program and manage Medtronic cardiac devices and may store reports containing patients’ PII/PHI. An attacker with physical access to one of the vulnerable programmers could access the reports and view patients PII/PHI. The vulnerability would require a low level of skill to exploit. The vulnerability, tracked as CVE-2018-18984 (CWE-311), was identified by security researchers Billy Rios and Jonathan Butts of Whitescope LLC who discovered encryption was either missing or stored PII/PHI was not sufficiently encrypted. The vulnerability has been assigned a CVSS V3 base score of 4.6. The vulnerability is present in all versions of CareLink 2090 Programmers, CareLink 9790 Programmers, and the 29901 Encore Programmers. Medtronic has...

Read More
Federal GDPR-Style Data Privacy Bill Introduced
Dec17

Federal GDPR-Style Data Privacy Bill Introduced

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz, (D-Hawai’i), introduced the Data Care Act. The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm. The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions. As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data. The bill would also require companies...

Read More
EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach
Dec11

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members. On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members. The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents. The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised. That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed...

Read More
Vulnerability Identified in Philips HealthSuite Health Android App
Dec07

Vulnerability Identified in Philips HealthSuite Health Android App

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about a vulnerability that has been identified in the Philips HealthSuite Health Android App. The Philips HealthSuite Health Android App records body measurements and health data to allow users to track activities to help them achieve their health goals. The app is used by individuals in the United States, Netherlands, Germany and the United Kingdom. User data stored by the app is encrypted to prevent unauthorized access; however, a security researcher discovered the method used to encrypt data is too simplistic and does not offer a sufficiently high level of protection. As a result, an attacker with physical access to the app could exploit the vulnerability to gain access to a user’s data. The vulnerability could not be exploited remotely so the risk to users is low. The vulnerability, tracked as CVE-2018-19001, has been assigned a CVSS v3 base score of 3.5. Philips will be releasing a new version of the app in the first quarter of 2019 which will...

Read More
First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine
Dec07

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system. Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system. CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data. The failure to implement appropriate access controls is a violation of...

Read More
UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court
Nov28

UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court

A lawsuit filed by employees affected by a data breach at University of Pennsylvania Medical Center (UPMC) has been revived by the Pennsylvania Supreme Court. The lawsuit was filed after hackers stole the information of approximately 62,000 current and former UPMC employees in a data breach discovered by UPMC in February 2014. The stolen information included names, addresses, Social Security numbers, tax information, and bank account numbers. The information was used to file fraudulent tax returns in employees’ names to receive tax refunds. According the lawsuit, “As a result of UPMC’s negligence, employees incurred damages relating to fraudulently filed tax returns and are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.” UPMC argued that there is no cause of action for negligence as no property damage or physical injury was alleged by its employees. In Pennsylvania, no cause of action exists for negligence that solely results in economic losses. The lawsuit was thrown out by two lower courts; however, last week the lawsuit was...

Read More
2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach
Nov28

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

AccuDoc Solutions Inc., a provider of healthcare billing services, has experienced a major data breach in which the protected health information of 2,650,000 patients of Atrium Health was exposed. Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia. On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018. An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels. AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has...

Read More
OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure
Nov26

OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Hartford allergy practice $125,000 over alleged violations of the HIPAA Privacy Rule. On October 6, 2015, OCR received a copy of a civil rights complaint that had been filed with the Department of Justice (DOJ). The complainant alleged Allergy Associates of Hartford – A Connecticut healthcare provider that specializes in treating patients with allergies – had impermissibly disclosed her protected health information to a TV reporter. The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information. OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a). The physician in question had already been advised by the practice’s...

Read More
NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity
Nov23

NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has released a draft paper covering the privacy and security risks of telehealth and remote monitoring devices along with best practices for securing the telehealth and remote monitoring ecosystem. Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been an increase in the use of remote patient monitoring systems in patients’ homes in recent years. While these systems are straightforward to secure in a controlled environment such as a hospital, the use of these systems in patients’ homes introduces new risks. Managing the risks and ensuring the remote monitoring systems and devices have an equivalent level of security as in-house systems can be a major challenge. The purpose of the paper is to create a reference architecture which addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment. The paper addresses...

Read More
53% Of Healthcare Data Breaches Due to Insiders and Negligence
Nov22

53% Of Healthcare Data Breaches Due to Insiders and Negligence

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacking, malware, and ransomware attacks. Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result on internal negligence. The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge. The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between...

Read More
OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS
Nov22

OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS

The Department of Health and Human Services’ Office of Inspector General (OIG) has published its annual report on the top management and performance challenges faced by the HHS. The report lists 12 major challenges that the HHS must overcome to ensure the department achieves its aims. Given the scale of the current opioid crisis in the United States and its impact, the prevention and treatment of opioid misuse has topped this year’s list. The report also draws attention to the importance of cybersecurity protections to mitigate threats to be confidentiality, integrity, and availability of health data. Protecting HHS data, systems, and beneficiaries from cybersecurity threats made 10th spot in this year’s list. In the report, OIG explained that “data management, use, and security are essential to the effective and efficient operation of HHS’ agencies and programs.” Ensuring the integrity of IT systems and the confidentiality and availability of healthcare data are critically important to the health and well-being of Americans. The HHS has a $5 billion annual budget for IT; a...

Read More
October 2018 Healthcare Data Breach Report
Nov21

October 2018 Healthcare Data Breach Report

Our October 2018 healthcare data breach report shows there has been a month-over-month increase in healthcare data breaches with October seeing more than one healthcare data breach reported per day. 31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches. The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records. Largest Healthcare Data Breaches in October 2018 There were 11 healthcare data breaches of more than 10,000 records reported in October – A 120% increases from the five 10,000+ record breaches in September. The...

Read More
AMIA Calls for Greater Alignment of Federal Data Privacy Rules
Nov20

AMIA Calls for Greater Alignment of Federal Data Privacy Rules

The American Medical Informatics Association (AMIA) is calling for the Trump Administration to tighten data privacy rules through greater alignment of HIPAA and the Common Rule and recommends adoption of a more integrated approach to privacy that includes both the healthcare and consumer sectors. The call follows a request for comment by the NTIA to initiate a conversation about consumer privacy. In a letter to the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, AMIA explained that its comments are informed by extensive experience of dealing with both the Health Insurance Portability and Accountability Act and the Federal Protections for Human Subjects Research (Common Rule). Currently, there is a patchwork of federal and state regulations that complicates compliance and creates information sharing challenges which results in ‘perverse outcomes’ due to different interpretations of existing privacy policies. AMIA illustrated the problem of the current patchwork of privacy policies using Pennsylvania and New Jersey as an...

Read More
Do HIPAA Rules Create Barriers That Prevent Information Sharing?
Nov19

Do HIPAA Rules Create Barriers That Prevent Information Sharing?

The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care. HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors. The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected. The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care. The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued. Certain provisions of...

Read More
Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS
Nov15

Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress. The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 can calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and just awaits the president’s signature. The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service. The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center. NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal...

Read More
HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals
Nov15

HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals

Last month, the Centers for Medicare & Medicaid Services (CMS) announced that the HealthCare.gov website had been hacked and the sensitive data of approximately 75,000 individuals had potentially been compromised. This week, the CMS issued an update on the breach confirming more people had been affected than was initially thought. The revised estimate has seen the number of breach victims increased to 93,689. The initial breach announcement was light on details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft. The CMS started sending out breach notification letters on November 7 which explain the breach in more detail, including the types of information that were potentially accessed. CMS explained that the ‘suspicious activity’ it detected was certain agent and broker accounts...

Read More
OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices
Nov08

OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase.  Several deficiencies in FDA policies and procedures were identified by OIG auditors. Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure all medical devices that come to market are secure and incorporate cybersecurity protections to prevent cyberattacks that could alter the functionality of the devices which could cause harm to patients. The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas. One area of weakness concerns...

Read More
Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches
Nov07

Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3. In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches. The largest healthcare data breach in Q3 was reported by the Iowa Health System UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records. In Q3, hacking...

Read More
Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program
Nov06

Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program

An alarming number of healthcare organizations do not have comprehensive cybersecurity programs in place, according to the recently published 2018 CHIME Healthcare’s Most Wired survey. The annual CHIME survey explores the extent to which healthcare organizations have adopted health information technology and draws attention to those that are ‘Most Wired’ and have the broadest, deepest IT infrastructure. This year’s report highlights gaps in foundational technologies and strategies for security and disaster recovery. “Before provider organizations can achieve outcomes with their strategies for population health management, value-based care, patient engagement, and telehealth, they must first ensure that foundational pieces such as integration, interoperability, security, and disaster recovery are in place,” explained CHIME. The attack surface has grown considerably in recent years due to increased adoption of networked medical devices and IoT technology. Threats to the privacy of sensitive information and security of systems and devices have grown and security is now a major...

Read More
$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach
Nov05

$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach

New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement has been agreed with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act that were discovered during an investigation of a 2016 breach of 1,650 individuals’ protected health information. Protected Health Information of 1,654 Patients Was Accessible Through Search Engines Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians. In January 2016, it was discovered that transcribed documents had been uploaded to File Transfer Protocol (FTP) website that was accessible over the Internet without the need for any authentication. The files had been indexed by Google and could be found using search terms including information contained in the files. Password-protection had been removed when software on the website was...

Read More
Cybersecurity Best Practices for Healthcare Organizations
Nov01

Cybersecurity Best Practices for Healthcare Organizations

The Department of Health and Human Services’ Office for Civil Rights has drawn attention to basic cybersecurity safeguards that can be adopted by healthcare organizations to improve cyber resilience and reduce the impact of attempted cyberattacks. The advice comes at the end of cybersecurity awareness month – a four-week coordinated effort between government and industry organizations to raise awareness of the importance of cybersecurity. While all organizations need to implement policies, procedures, and technical solutions to make it harder for hackers to gain access to their systems and data, this is especially important in the healthcare industry. Hackers are actively targeting healthcare organizations as they store large quantities of highly sensitive and valuable data. Healthcare organization need to ensure that their systems are well protected against cyberattacks, which means investing in technologies to secure the network perimeter, detect intrusions, and block malware and phishing threats. Large healthcare organizations have the resources to invest heavily in...

Read More
OCR Launches Campaign to Raise Awareness of Civil Rights Protections for Patients Being Treated for Opioid Use Disorder
Oct29

OCR Launches Campaign to Raise Awareness of Civil Rights Protections for Patients Being Treated for Opioid Use Disorder

On October 26, 2017, President Donald Trump declared the opioid crisis a national public health emergency. The one-year anniversary of that declaration has seen a new opioid bill signed into law. On October 24, 2018, President Donald Trump added his signature to the Substance Use–Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act – or “SUPPORT for Patients and Communities Act” for short. The Act will help strengthen the government’s response to the opioid crisis, improve access to addiction treatment services, and expand data sharing in cases of opioid abuse. There have been calls for changes to be made to 42 CFR Part 2 to align the legislation with the HIPAA Privacy Rule and allow the sharing of information about a patient’s substance abuse treatment, without consent, for the purposes of treatment, payment or healthcare operations. The SUPPORT for Patients and Communities Act does go that far, although the new law does allow information relating to opioid use disorder and treatment – and details of treatment for abuse of other...

Read More
Study Reveals 75% of Employees Lack Security Awareness
Oct25

Study Reveals 75% of Employees Lack Security Awareness

For the past three years, security awareness training company MediaPRO has conducted an annual study of employees’ security awareness and knowledge of cybersecurity best practices. The study measures the susceptibility of employees to a wide range of security threats and assesses their ability to identify phishing threats, possible malware infections, and cloud computing and social media risks. Their knowledge of best practices concerning physical security, working remotely, and reporting security incidents is also tested. This year, 1,024 employees from 7 industry sectors took part in the State of Privacy and Security Awareness study and were asked questions relating to all of the above aspects of privacy and security. MediaPRO assigned each participant a category based on the percentage of questions they got right: Hero – An individual with an excellent understanding of security and how to protect assets. Novice – Someone that has a reasonable understanding of the basics of security but needs to improve their knowledge in key areas. Risk – An individual whose lack of...

Read More
September 2018 Healthcare Data Breach Report
Oct23

September 2018 Healthcare Data Breach Report

For the second consecutive month there has been a reduction in both the number of reported healthcare data breaches and the number of exposed healthcare records. In September, there were 25 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights – the lowest breach tally since February. There was also a substantial reduction in the number of exposed/stolen healthcare records in September. Only 134,000 healthcare records were exposed/stolen in September – A 78.5% reduction in compared to August. Fewer records were exposed in September than in any other month in 2018. Causes of September 2018 Healthcare Data Breaches In August, hacking/IT incidents dominated the healthcare breach reports, but there was a major increase (55.55%) in unauthorized access/disclosure breaches in September, most of which involved paper records. There were no reported cases of lost paperwork or electronic devices containing ePHI, nor any improper disposal incidents. While there were fewer hacking/IT incidents than unauthorized access/disclosure...

Read More
OIG Publishes 2016 Medicaid Data Breach Report
Oct23

OIG Publishes 2016 Medicaid Data Breach Report

A new report released by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed the vast majority of Medicaid data breaches are relatively minor and only affect an extremely limited number of individuals. For the study, OIG assessed all breaches reported by Medicaid agencies and their contractors in 2016. According to the report, the records of 515,000 Medicaid beneficiaries were exposed in 2016, spread across 1,260 data breaches. Almost two thirds of Medicaid data breaches reported in 2016 affected a single person with a further 29% of breaches affecting between 1 and 9 individuals. Large-scale breaches, which resulted in the data of 500 or more beneficiaries being exposed, accounted for 1% of the annual total. While the breach causes were highly varied, the majority of incidents were the result of simple errors such as misaddressing a letter, fax, or email. Those breaches only resulted in a very limited amount of PHI being exposed, such as a beneficiary name and Medicaid or other ID number. Out of the 1,260 breaches only 303 resulted in the...

Read More
CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System
Oct22

CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System

The Centers for Medicaid & Medicare Services (CMS) has discovered hackers have gained access to a health insurance system that interacts with the HealthCare.gov website and accessed files containing the sensitive information of approximately 75,000 individuals. On October 13, 2018, CMS staff discovered anomalous activity in the Federally Facilitated Exchanges system and the Direct enrollment pathway used by agents and brokers to sign their customers up for health insurance coverage. On October 16, the CMS confirmed there had been a data breach and a public announcement about the cyberattack was made on Friday October 19, 2018. While the number of files accessed only represents a small fraction of the total number of consumer records stored in the system, it is still a sizable and serious data breach. The files contained information supplied by consumers when they apply for healthcare plans through agents and brokers, including names, telephone numbers, addresses, Social Security numbers, and income details. While the CMS has confirmed that the files have been accessed by...

Read More
Aetna Settles HIPAA Violation Case with State AGs
Oct15

Aetna Settles HIPAA Violation Case with State AGs

In 2017, errors occurred with two Aetna mailings that resulted in the impermissible disclosure of the protected health information of plan members, including HIV statuses and AFib diagnoses. A class action lawsuit was filed on behalf of the victims of the HIV status breach which was settled for $17 million in January. Now Aetna has reached settlements with the attorneys general for New Jersey, Connecticut, and the District of Columbia to resolve the alleged HIPAA violations discovered during an investigation into the privacy breaches. The first mailing was sent on July 28, 2017 by an Aetna business associate. Over-sized windowed envelopes were used for the mailing, through which it was possible to see the names and addresses of plan members along with the words “HIV Medications.” Approximately 12,000 individuals received the mailing. In September, a second mailing was sent on behalf of Aetna to 1,600 individuals. This similarly resulted in an impermissible disclosure of PHI. In addition to names and addresses, the logo of an IMPACT AFib study was visible, which suggested the...

Read More
Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised
Oct12

Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised

The Minnesota Department of Human Services has mailed letters to approximately 21,000 individuals on medical assistance to alert them to a possible breach of their protected health information (PHI) due to two recent phishing attacks. Two DHS employees’ email accounts have been confirmed as having been compromised as a result of the employees clicking on links in phishing emails. The investigation into the breach determined that the attackers accessed both email accounts although it was not possible to determine which, if any, emails in the account had been accessed or copied by the attackers. Minnesota DHS has reason to believe that other employees may also have been targeted and could also have clicked on links in phishing emails, but it has not yet been confirmed whether their accounts have been breached. The investigation into the phishing attacks is ongoing. The two email account breaches occurred on June 28 and July 9, 2018, although the IT department only determined that the accounts had been breached in August. Upon discovery of the phishing attack, both accounts were...

Read More
HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia
Oct12

HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia

Following the presidential declaration of public health emergencies in the states of Florida and Georgia in the wake of hurricane Michael, secretary of the Department of Health and Human Services (HHS) Alex Azar has followed suit in both states and has exercised his authority to waive HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule in the disaster areas. The HHS announced the public health emergency in Florida on October 9, and Georgia on October 11. The HIPAA Privacy Rule does permit healthcare providers to share protected health information during disasters to assist patients and ensure they receive the care they need, including sharing information with friends, family members and other individuals directly involved in a patient’s care. The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief...

Read More
California HIV Patient PHI Breach Lawsuit Allowed to Move Forward
Oct08

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss. The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco. In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information. A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities. It was alleged...

Read More
Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC
Oct08

Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC

The Healthcare & Public Health Sector Coordinating Council (HSCC) has announced it will shortly issue voluntary cybersecurity best practices for medical device manufacturers and healthcare provider organizations to help them improve their security posture. HSCC will also publish a voluntary curriculum that can be adopted by medical schools to help them train clinicians how to manage electronic health records, medical devices, and IT systems in a secure and responsible way. The announcement coincides with National Cyber Security Awareness Month and includes an update on the progress that has been made over the past 12 months and the work that the HSCC still intends to complete. HSCC explained that the global cyberattacks of 2017 involving WannaCry and NotPetya malware served as a wake-up call to the healthcare industry and demonstrated the potential harm that could be caused if an attack proved successful. Many large companies were crippled by the attacks for weeks. Fortunately, the healthcare industry in the United States escaped the attacks relatively unscathed, although the...

Read More
Summary of Recent Healthcare Data Breaches
Oct05

Summary of Recent Healthcare Data Breaches

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities. Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection. On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data. The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab...

Read More
Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards
Oct04

Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019. The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring. To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention. Weighting factors used to produce the final top 10 list includes the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions...

Read More
FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
Oct03

FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

On October 1, 2018, the U.S. Food and Drug Administration released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook for healthcare delivery organizations to help them prepare for and respond to medical device cybersecurity incidents. The playbook is intended to help healthcare delivery organizations develop a preparedness and response framework to ensure they are prepared for medical device security incidents, can detect and analyze security breaches quickly, contain incidents, and rapidly recover from attacks. The playbook was developed by MITRE Corp., which worked closely with the FDA, healthcare delivery organizations, researchers, state health departments, medical device manufacturers and regional healthcare groups when developing the document. The past 12 months have seen many vulnerabilities identified in medical devices which could potentially be exploited by hackers to gain access to healthcare networks, patient health information, or to cause harm to patients. While the FDA has not received any reports to suggest an attack has been...

Read More
Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency
Oct02

Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency

The healthcare industry is extensively targeted by phishers who frequently gain access to healthcare data stored in email accounts. In some cases, those email accounts contain considerable volumes of highly sensitive protected health information. Phishing is one of the leading causes of healthcare data breaches. In August 2018, Augusta University Healthcare System announced that it was the victim of a phishing attack that saw multiple email accounts compromised. The breached email accounts contained the PHI of 417,000 patients. The incident stood out due to the number of individuals impacted by the breach, but it was just one of several healthcare organizations to fall victim to phishing attacks in August. Data from the HHS’ Office for Civil Rights shows email is the most common location of breached PHI. In July, 14 healthcare data breaches out of 28 involved email, compared to 6 network server PHI breaches – The second most common location of breached PHI. It was a similar story in May and June with 9 and 11 email breaches reported respectively. Cofense Research Shows Healthcare...

Read More
NIST Releases Guidance on Managing IoT Cybersecurity and Privacy
Oct01

NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce. The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a series of new publications address cybersecurity and privacy together and the document is the foundation for a series of further publications that will explore IoT device cybersecurity and privacy in more detail. “IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST. In the guidance document, NIST identifies three high-level...

Read More
Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017
Sep28

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health. The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017. “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study. Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or...

Read More
HIPAA Quiz Launched by Compliancy Group
Sep26

HIPAA Quiz Launched by Compliancy Group

A new HIPAA Quiz has been launched by the Compliancy Group, which serves as a quick and easy free tool to assess the current state of HIPAA compliance in an organization.   Healthcare organizations that have implemented policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) Rules may think that they are fully compliant with all provisions of the HIPAA Privacy, Security, and Breach Notification Rules. However, HHS’ Office for Civil Rights (OCR) compliance audits and investigations into data breaches and complaints often reveal certain requirements of HIPAA have been missed or misinterpreted. OCR investigates all breaches of more than 500 records and so far in 2018, six financial penalties have been issued to HIPAA covered entities to resolve HIPAA violations. The average settlement/civil monetary penalty in 2018 is $1,491,166. State attorneys general also investigate data breaches and complaints and can also issue fines for noncompliance with HIPAA Rules. There have been five fines issued by state attorneys general in 2018 to resolve...

Read More
UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations
Sep24

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information. In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names. It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security...

Read More
August 2018 Healthcare Data Breach Report
Sep21

August 2018 Healthcare Data Breach Report

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches. There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached. Causes of Healthcare Data Breaches in August 2018 Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks. Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare...

Read More
$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Sep20

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules. This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients. Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a). Brigham and Women’s Hospital (BWH) settled its HIPAA violations...

Read More
California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt
Sep19

California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt

In June 2018, the legislature in California passed the California Consumer Privacy Act (CCPA) which introduced major changes to state law to protect the privacy of consumers. CCPA introduced new privacy protections and rights for consumers, several of which are similar to those introduced in Europe in the General Data Protection Regulation (GDPR). The CCPA does not go as far as GDPR and only applies to for-profit companies that hold the data of more than 50,000 individuals, but many of the new rights are similar, including the right to request access to personal data stored by a business, the right to be informed about the data that will be collected, the right to be informed whether personal data will be sold or disclosed, the right to have personal data deleted and to prevent personal data from being sold. The CCPA has been heavily criticized, especially by tech firms such as Facebook, Google and PayPal. A 38-page letter was sent to lawmakers in California by 38 trade groups who have voiced considerable concerns over the requirements of the CCPA, including sections of the law...

Read More
CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent
Sep17

CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent

The HHS’ Centers for Medicare and Medicaid Services (CMS) has investigated Fairview Southdale Hospital in Edina, MN over an alleged violation of patient privacy. The CMS confirmed that patients were videotaped during psychiatric evaluations in the emergency department without their knowledge or consent.  The hospital was cited for violating patient privacy. According to the Star Tribune, the CMS launched an investigation following a complaint from a patient who had been taken to the hospital for a psychiatric evaluation against her will in May 2017. The patient was escorted to the hospital as police officers were concerned about her state of mental health and feared she may cause harm to herself or others. After being released, the patient took legal action over her admission to the hospital and how she was treated by the police. As part of that lawsuit, the patient requested a copy of the security camera footage from the hospital. While the patient expected to receive a copy of the videotape from the front of the hospital showing her entering the facility, the videotape showed her...

Read More
Texas Nurse Fired for Social Media HIPAA Violation
Sep13

Texas Nurse Fired for Social Media HIPAA Violation

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination. Her comments explained how the disease was much worse that she expected it to be, having not encountered anyone with the measles in the past.  She explained that it was a “rough” experience seeing the boy suffering from the disease. She also explained in her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” and “By no means have I changed my vax stance, and I never will. But this poor kid was bad off and as a parent, I could see vaccinating out of fear,” as reported by...

Read More