Our HIPAA news for small and mid-sized practices section covers common aspects of HIPAA Rules that are often neglected by small to medium-sized covered entities. This news section also includes the latest information for healthcare professionals and small to mid-sized clinics that are concerned about HIPAA-compliance and avoiding HIPAA Privacy, Security and Breach Notification Rule violations.

News items have been selected as they are of particular relevance for small to mid-sized healthcare practices.

The news items and articles in this section cover HIPAA violations and data breaches at small to mid-sized healthcare providers, settlements and regulatory fines issued by state attorneys general and the Department of Health and Human Services’ Office for Civil Rights (OCR), new state and federal compliance requirements and the latest news and guidance on HIPAA compliance from OCR and the ONC.

For up to date information delivered direct to your inbox, be sure to sign up for our weekly HIPAA newsletter.

Rise in Business Email Compromise Scams Prompts IC3 Warning
May05

Rise in Business Email Compromise Scams Prompts IC3 Warning

There has been a massive increase in business email compromise scams over the past three years. In the past two years alone, the number of companies that have reported falling for business email comprise scams has increased by 2,370% according to new figures released by the Internet Crime Complaint Center (IC3). In the past three years, cybercriminals have used business email compromise scams to fraudulently obtain more than $5 billion. U.S. organizations lost more than $1.5 billion to BEC scams between October 2013 and December 2016. The rise in BEC attacks has prompted IC3 to issue a new warning to businesses, urging them to implement a range of defenses to mitigate risk. What are Business Email Compromise Scams and How Do They Work? A business email compromise scam – also known as an email account compromise – involves an attacker gaining access to an email account of an executive and sending an email request to a second employee via the compromised email account. The request can be a bank transfer or a request to email data. Since the email comes from within an organization,...

Read More
Bitglass Publishes 2017 Healthcare Data Security Report
May04

Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm. For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human’ Services Office for Civil Rights. The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record numbers of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans. The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is considered an anomaly and is excluded from last year’s figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set...

Read More
Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure
May04

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and revealed the impact healthcare data breaches have had on consumers. The survey showed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust. Trust in Healthcare Providers and Insurers is High In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents. Distrust –not at all trusted or not trusted very much – was highest in urgent care clinics (25%), non-medical staff at physicians’ and healthcare providers’ offices (36%)...

Read More
Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million
Apr24

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine. A $2.5 million settlement has been agreed with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Settlement have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first-time OCR has settled potential HIPAA violations with a wireless health services provider. While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures. In this case, the settlement relates to a data...

Read More
$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr13

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to (MCPN) personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients. OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from...

Read More
Small Business Cybersecurity Bill Heads to Senate
Apr06

Small Business Cybersecurity Bill Heads to Senate

New legislation to help small businesses protect their data and digital assets has been approved by the Senate Commerce, Science and Transportation Committee this week. The new bill, which was introduced by Sen. Brian Schatz (D-Hawaii) last week, will now head to the U.S Senate. The legislation – the MAIN STREET (Making Information Available Now to Strengthen Trust and Resilience and Enhance Enterprise Technology) Cybersecurity Act will require the National Institute of Standards and Technology (NIST) to develop new guidance specifically for small businesses to help them protect themselves against cyberattacks. New NIST guidance should include basic cybersecurity measures that can be adopted to improve resilience against cyberattacks and mitigate basic security risks. Guidance and security frameworks have been developed by NIST to help larger organizations protect their assets and data, although for smaller businesses with limited knowledge of cybersecurity and a lack of trained staff and resources they can be difficult to adopt. What is needed is specific guidance for small...

Read More
Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing
Apr06

Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing

With the healthcare industry under a sustained attack and the cyber threat landscape constantly evolving, law enforcement, the government, and private industry need to collaborate to counter the threat of cyberattacks. Cybercrime cannot be effectively tackled by organizations acting in isolation. The sharing of threat information is essential in the fight against cybercrime. Dissemination of this information makes it easier for law enforcement and government agencies to combat cybercrime. Accessing that information also allows healthcare entities to to take timely action to address vulnerabilities before they are exploited. Government and law enforcement agencies are educating healthcare organizations on the importance of sharing threat intelligence, although currently too few entities are sharing threat information. At a Congressional Energy and Commerce Committee hearing this week, cybersecurity experts made suggestions on how congress can improve threat information sharing and improve healthcare cybersecurity. At the hearing, Denise Anderson, president of the National Health...

Read More
More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack
Apr04

More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack

San Antonio, TX-based ABCD Pediatrics has discovered cybercriminals gained access to its servers and used ransomware to encrypt data, including the protected health information of its patients. The individuals behind the attack may also have gained access to data stored on the healthcare provider’s servers prior to ransomware being deployed. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 55,447 patients have been impacted. The attack involved a variant of CrySiS ransomware called Dharma, which started encrypting data on February 6, 2017. Dharma ransomware is not known to exfiltrate data; however, an analysis of the attack revealed a number of suspicious user accounts on the servers, suggesting access had been gained prior to the ransomware being installed. User logs were also discovered that indicated programs or users may have been on the servers for a limited period of time prior to the ransomware being installed. Fortunately, the encryption process was hampered by the anti-virus solution used by ABCD Pediatrics. ABCD...

Read More
Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud
Apr04

Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed. Amazon Web Service (AWS) one of the most popular choices with the healthcare industry, although many healthcare organizations are using multiple cloud service providers. 38% of respondents said they had a multi-cloud environment and 63% of respondents said they were planning to use multiple cloud service providers in the future. 63% of healthcare organizations said they were using the public cloud to store data. When asked about their main concerns, data security came top of the list – with 82% of surveyed healthcare organizations rating security as their number one concern. Despite the concerns about data security, encryption is not always employed. As Eric Chiu, co-founder and president of HyTrust explained, “For these care delivery organizations, choosing a flexible cloud security...

Read More
FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks
Mar29

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained. Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password. The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud. Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name...

Read More
SAFER Guides Updated by ONC: Ransomware Prevention and Mitigation Strategies Included
Mar28

SAFER Guides Updated by ONC: Ransomware Prevention and Mitigation Strategies Included

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has updated its SAFER Guides to include information to help healthcare providers protect against ransomware infections and mitigate ransomware attacks. The Safety Assurance Factors for Electronic Health Record Resilience (SAFER) Guides were first released in January 2014 to help healthcare providers improve the usability of their EHRs and address the risks that EHR technology can introduce. The SAFER Guides can also be used to reduce the potential for patients to suffer EHR-related harm. The SAFER Guides cover a range of key focus areas and include evidence-based best practices that can be adopted by healthcare providers to improve the usability and safety of their EHRs. Over the past three years, technology has changed as have the threats faced by the healthcare industry. The guides were therefore due an update to keep them useful and relevant. Prior to issuing the updated guides, ONC sought feedback from healthcare providers and developers of EHRs. The comments...

Read More
What Can Small Healthcare Providers Do To Prevent Ransomware Attacks?
Mar23

What Can Small Healthcare Providers Do To Prevent Ransomware Attacks?

Ransomware attacks on healthcare providers are occurring with alarming frequency. Figures from the FBI suggest as many as 4,000 ransomware attacks are occurring every day. Healthcare organizations are targeted because they hold large volumes of data and access to those data is required to provide medical services to patients. Without access to patients’ health information, healthcare services can be severely disrupted. Such reliance on data makes healthcare providers attractive targets as they are more likely than other companies to give in to ransom demands to obtain keys to unlock their data. All businesses, and healthcare organizations especially, should implement a number of defenses to prevent ransomware attacks. Policies and procedures should also be developed to ensure that in the event of an attack, business operations are not severely disrupted and data can be recovered quickly. There is no one technology solution that can be deployed to prevent ransomware attacks from occurring, although there are a number of actions that can be taken to improve resilience against...

Read More
WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks
Mar22

WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks

WEDI, the Workgroup for Electronic Data Interchange, has issued a new white paper exploring some of the common cybersecurity vulnerabilities that are exploited by threat adversaries to gain access to healthcare networks and patient and health plan members’ protected health information. The white paper – The Rampant Growth of Cybercrime in Healthcare – is a follow up to a primer released in 2015 that explored the anatomy of a cyberattack. WEDI points out the seriousness of the threat faced by the healthcare industry. Cyberattacks are costing the healthcare industry around $6.2 billion each year, with the average cost of a healthcare data breach around $2.2 million. Cyberattacks and other security incidents having risen sharply in recent years. More records are now being exposed than at any other time in history and the number of healthcare data incidents being reported reached record levels last year. The Department of Health and Human Services’ Office for Civil Rights received 315 reports of major healthcare data breaches last year and recent research by Fortinet showed that in the...

Read More
Snapshot of Healthcare Data Breaches in February 2017
Mar21

Snapshot of Healthcare Data Breaches in February 2017

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported. The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry. IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous...

Read More
Back Up Drive Stolen: PHI of 1,291 Patients Exposed
Mar20

Back Up Drive Stolen: PHI of 1,291 Patients Exposed

The failure to encrypt backup data on a portable electronic device has resulted in the protected health information of 1,291 individuals being exposed. The device was stolen from Local 693 Plumbers, Pipefitters & HVACR Technicians, a member of the United Association of Journeyman and Apprentices of the Plumbing and Pipefitting Industry of the United States and Canada. The backup device was discovered to be missing on January 23, 2017 following a break-in at Local 693 offices the day before. An investigation revealed the device contained names, telephone numbers, addresses and Social Security numbers of current and former Plumbers & Pipefitters Local 693 Benefit Funds recipients and members of the Plumbers & Pipefitters Local 693 union. The theft has been reported to law enforcement, the Vermont attorney general and the Department of Health and Human Services Office for Civil Rights. While the data on the device could potentially be accessed by unauthorized individuals, an independent information technology consultant who was retained to conduct an investigation...

Read More
Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule
Mar20

Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule

A physician at the Dr. O Medical and Wellness Center in San Antonio, Texas allegedly retaliated against a patient by posting a video of the individual clad only in underwear on Facebook and YouTube. The doctor’s actions, which appear to be a clear violation of the HIPAA Privacy Rule, have resulted in her being sanctioned by the Texas Medical Board following a complaint by the patient. The patient, Clara Aragon-Delk, underwent a series of cosmetic surgery procedures starting in 2015. Non-invasive laser treatments were performed by Dr. Tinuade Olusegun-Gbadehan, and while consent was provided by the patient to have photographs and videos taken, authorization was only given for ‘anonymous use for the purposes of medical audit, education, and promotion.’ The images and video contained full face shots of the patient. Rather than protecting the patient’s privacy by pixelating the patient’s face, a video was posted to Olusegun-Gbadehan’s Facebook page without any attempt to protect the patient’s privacy. From the video, it would appear that the patient was happy with the treatment,...

Read More
Snooping St. Charles Health System Employee Accessed Almost 2,500 Patient Records
Mar17

Snooping St. Charles Health System Employee Accessed Almost 2,500 Patient Records

The four-hospital St. Charles Health System in central Oregon has discovered an employee accessed the medical records of almost 2,500 patients without authorization over a period of 27 months from October 2014 to January 2017. On January 16, 2017, the unnamed caregiver was discovered to have improperly accessed the medical records of a single patient, prompting a review of her ePHI access logs. That investigation revealed that this was far from a one-off incident. The improper access dated back to October 8, 2014. During that time, the caregiver was found to have accessed 2,459 patient files with no legitimate work reason for doing so. When confronted about the improper access the female employee said she had accessed the records out of curiosity with no malicious intent. The health system said it took ‘swift and appropriate action’ and the employee was disciplined, although it is unclear what the disciplinary action involved and whether the employee was terminated as a result of her actions. The health system does not consider the employee’s actions were criminal in nature, and a...

Read More
New Mexico Data Breach Notification Bill Moves to Senate Judiciary Committee
Mar15

New Mexico Data Breach Notification Bill Moves to Senate Judiciary Committee

A new data breach notification bill has been unanimously passed by the New Mexico House of Representatives bringing New Mexico one step closer to becoming the 48th state to introduce data breach notification laws.  The bill (House Bill 15) – also known as the Data Breach Notification Act – was sponsored by Republican Rep. William R. Rehm of Bernalillo. The bill will now move on to the Senate Judiciary Committee. This is not the first time that a New Mexico data breach notification law has been sent to the Senate Judiciary Committee. Rehm previously sponsored a similar bill in 2015, yet on two occasions the Senate Judiciary Committee failed to pass the bill onto the senate. The new data breach notification bill covers a range of sensitive data, although medical and insurance information are not included in the definition of personal information. Entities covered by the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act will not be required to comply if the bill is written into state law. Should the legislation be passed by the senate, all other...

Read More
Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants
Mar14

Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants

644 participants of the Raising St. Louis program run by BJC HealthCare have been notified that some of their personally identifiable information has been exposed after it was discovered that protocols for sending sensitive information securely had not been followed. No Social Security numbers, financial information, or test results/treatment data were communicated via unencrypted email, although names, addresses, telephone numbers, dates of birth, visit dates, nursing notes, medication and vaccination information could potentially have been intercepted and viewed by unauthorized individuals. BJC HealthCare has established protocols for communicating sensitive information, although in January it was discovered that those protocols had not been used for communicating personally identifiable information of Raising St. Louis participants to program partners for a period of three years between January 17, 2014 and January 9, 2017. The correct protocol for emailing sensitive data has now been adopted and staff members have been re-educated and instructed to only send sensitive data via...

Read More
Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group
Mar14

Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group

The danger of storing unencrypted protected health information has been highlighted by a recent security incident reported by Texas-based Denton Heart Group – A member of the Health Texas Provider Network. A hard drive containing 7 years of EHR backup data was recently discovered to have been stolen. While the device was stored in a locked closet, the data on the device were not encrypted. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 21,665 individuals were impacted by the breach. The backup files contained a treasure trove of patient data including names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, insurance provider names and policy numbers, physicians’ names, clinic account numbers, medical diagnoses, lab test results, medications and other clinical data. The backups were made between 2009 and 2016. The theft was discovered by the medical group on January 11, 2017 although the device was believed to have been stolen on or around December...

Read More
68% of Healthcare Organizations Have Compromised Email Accounts
Mar10

68% of Healthcare Organizations Have Compromised Email Accounts

Evolve IP has published the results of a new study that has revealed the extent to which healthcare email credentials are being compromised and sold on the dark web. The FBI has also recently warned about Business Email Compromise (BEC). Email credentials are highly valuable to cybercriminals. A compromised email account can be plundered to obtain highly sensitive data and an email account can be used to gain access to healthcare networks. 63% of data breaches in the United States occur as a result of compromised email credentials and healthcare email credentials are being sold freely on the dark web. Evolve used its Dark Web ID analysis technology for the study and reviewed 1,000 HIPAA covered entities and business associates. Evolve discovered 68% of those organizations have employees with visibly compromised email accounts. 76% of those compromised accounts included actionable password information and that information was freely available on the dark web. Depending on the industry segment, between 55.6% and 80.4% of organizations had compromised email accounts. Medical billing...

Read More
Email Error Impacts 6,500 Saliba’s Extended Care Pharmacy Patients
Mar10

Email Error Impacts 6,500 Saliba’s Extended Care Pharmacy Patients

Saliba’s Extended Care Pharmacy in Phoenix, Arizona is alerting more than 6,500 patients to an accidental disclosure of some of their protected health information (PHI). Copies of invoices for December 2016 were sent via Saliba’s Pharmacy’s encrypted email platform to the wrong patients in January. While there is no chance that the emails could have been intercepted by unauthorized individuals, the emails were opened by three patients or their representatives. The incident occurred on January 12, 2017, and Saliba’s Pharmacy discovered the error four days later on January 16. Since HIPAA Rules and patient privacy were accidentally violated, breach notification letters were sent to patients on March 3 to alert them to the incident. Patients have been advised to exercise caution and check their explanation of benefits statements and Saliba’s Pharmacy statements for signs of misuse. However, no reports of any misuse of the information have been received by Saliba’s Pharmacy and the risk of PHI misuse as a result of this impermissible disclosure is believed to be very low. Patients...

Read More
Updated HIPAA Compliance Audit Toolkit Issued by AHIMA
Mar07

Updated HIPAA Compliance Audit Toolkit Issued by AHIMA

Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits are now well underway. Late last year, covered entities were selected for desk audits and the first round of audits have now been completed. Now OCR has moved on to auditing business associates of covered entities. At HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were initially penciled in for Q1, 2017, are to be delayed. This gives covered entities more time to prepare. The phase 2 HIPAA compliance desk audits were more detailed than the first phase of audits conducted in 2011/2012. The desk audits covered a broad range of requirements of the HIPAA Privacy, Security, and Breach Notification Rules, although they only consisted of a documentation check to demonstrate compliance. The onsite audits will be much more thorough and will look much deeper into organizations’ compliance programs. Not only will covered entities be required to show auditors documentation demonstrating compliance with HIPAA Rules, OCR will be looking for evidence of HIPAA in...

Read More
Improper Disposal of PHI Discovered by Minneapolis Heart Institute
Mar06

Improper Disposal of PHI Discovered by Minneapolis Heart Institute

A member of a cleaning crew at the Minneapolis Heart Institute at Abbott Northwestern Hospital accidentally disposed of documents containing PHI with regular trash. Minneapolis Heart Institute has policies and procedures in place that require all documents containing sensitive patient health information to be securely destroyed in accordance with HIPAA Rules. However, a member of the cleaning team was discovered to have emptied a trash container from a physician’s private office before documents could be securely shredded. The incident was discovered on January 20, 2017, although not in time for the documents to be recovered and securely destroyed. The documents had been emptied into a bin bag which was placed in a regular recycling dumpster at the hospital. It is unclear at this stage how many individuals have been impacted, although as a precaution, the Minneapolis Heart Institute is notifying all patients who were part of the physician’s service group between April 17, 2016 and January 17, 2017. Those individuals have been offered credit monitoring and identity theft protection...

Read More
Healthcare Employee Accessed ePHI Without Authorization for 5 Years
Mar06

Healthcare Employee Accessed ePHI Without Authorization for 5 Years

Healthcare professionals must have access to the protected health information of patients in order to provide medical care and perform healthcare operations. Since access to data can be abused by rogue employees, it is essential that controls are put in place to alert healthcare organizations rapidly when improper access occurs. Rapid identification of improper access can greatly reduce the harm caused. In many cases, improper access is discovered during routine audits of access and application logs. When those audits are conducted on an annual basis, employees may be found to have been improperly accessing patient data for many months. Last month, Chadron Community Hospital and Health Services in Nevada discovered that a rogue employee had been accessing ePHI without any legitimate work reason for doing so. What makes this incident stand out, is how long access had been allowed to continue before it was discovered. An investigation conducted by the healthcare provider revealed that the improper access had gone unnoticed for more than 5 years. During that time, the records of more...

Read More
AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA
Mar02

AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data. Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI. AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many will issue designated record sets well within that timeframe. However, in some cases, provided there is a justifiable reason for doing so, a healthcare provider may request a 30-day extension. In such cases, it may take up to 60 days for patients to obtain copies of their health data. AHIMA has explained to whom...

Read More
Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management
Mar02

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks. While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the framework is simply not viable. Smaller healthcare organizations simply don’t have the staff and expertise to follow the full HITRUST CSF framework. While the HITRUST CSF program is beneficial for smaller healthcare organizations, they do not face the same levels of risk as larger organizations. Given that the risks are lower and the requirements to comply with HIPAA already take up a lot of resources, HITRUST has developed a more simplified, streamlined framework which is much better suited to small healthcare organizations. The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity or CSFBASICs for short – has a more...

Read More
OCR Urges Covered Entities to Monitor and Report Cyber Threats
Feb28

OCR Urges Covered Entities to Monitor and Report Cyber Threats

The healthcare system in the United States has suffered a barrage of cyberattacks in recent years and there is no sign that those attacks will ease. In all likelihood, attacks will increase in both number and severity. To counter the increased threat, healthcare organizations, government agencies, the private sector, and international network defense communities must collaborate, says the Department of Health and Human Services’ Office for Civil Rights in its February newsletter. It is the responsibility of healthcare organizations to keep abreast of the latest cyber threats to enable them to take timely action to mitigate risk. Threat intelligence is available from many organizations, although as a minimum, healthcare organizations should be regularly checking the cyber threats published by the United States Computer Emergency Readiness Team (US-CERT). OCR explains that US-CERT – one of the four branches of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) – provides actionable threat intelligence to the public and private...

Read More
Small Healthcare Data Breach Notification Deadline: March 1, 2017
Feb23

Small Healthcare Data Breach Notification Deadline: March 1, 2017

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires all covered entities to report breaches of unsecured electronic protected health information to the Department of Health and Human Services’ Office for Civil Rights. While large data breaches – those impacting 500 or more individuals – must be reported to OCR within 60 days of the discovery of the breach, covered entities can delay the reporting of smaller data breaches. While patients must be notified of any breach of their ePHI within 60 days – regardless of the number of individuals affected by the breach – notifications of security incidents are not required by OCR until 60 days after the end of the calendar year in which the data breaches were discovered. The deadline for reporting 2016 healthcare data breaches impacting fewer than 500 individuals is March 1, 2017. As with larger data breaches, all smaller incidents must be submitted via the OCR breach reporting tool. While smaller data breaches can be reported together, each breach must be entered into the breach reporting tool...

Read More
New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough
Feb22

New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough

At HIMSS17, OCR’s Deven McGraw shed some light on the HIPAA guidance OCR expects to release in 2017. OCR may be busy with assessing the findings of the HIPAA compliance desk audits of healthcare organizations and their business associates, but a swathe of new HIPAA guidance is set to be released this year. Last year, the Joint Commission lifted the ban on the use of text messages for orders, although within weeks of the announcement the ban was back in place. Late last year, the Joint Commission partially lifted the ban, saying the use of a secure text messaging platform was acceptable for doctors when communicating with each other, although the use of text messages – regardless of whether a secure, HIPAA-compliant platform was used – remained prohibited. OCR receives many questions from physicians and covered entities on the use of text messaging and HIPAA Rules. McGraw has confirmed that in response to the many questions, OCR will be issuing HIPAA guidance on text messaging later this year. In an interview with Information Security Media Group, McGraw explained “There are a...

Read More
American Senior Communities Says 17,000 Employees Impacted by W-2 Scam
Feb21

American Senior Communities Says 17,000 Employees Impacted by W-2 Scam

American Senior Communities, a nursing home chain based in central Indiana, has announced that one of its employees responded to a W-2 phishing email and sent the tax information of more than 17,000 employees to tax fraudsters. There have now been more than 70 organizations that have responded to W-2 Form phishing emails so far this year according to Databreaches.net, although the latest addition to the list is the largest confirmed breach of employee information to have occurred this year. The massive haul of W-2 Form data included employees’ names, Social Security numbers, birth dates, and addresses. An investigation suggests that the individual behind the campaign was based offshore. In many cases, organizations discover they have been scammed soon after the email has been sent, allowing rapid action to be taken to limit the harm caused. However, that was not the case here. The phishing email was sent to a payment processor for American Senior Communities in mid-January; however, the incident was not discovered for a month. The employee’s error was only identified on February 17...

Read More
Onsite HIPAA Audits Could Be Delayed by a Year
Feb21

Onsite HIPAA Audits Could Be Delayed by a Year

In an interview at HIMSS17 with the Information Security Media Group, Deven McGraw, Deputy Director of Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights, explained that the Phase 2 HIPAA compliance audits are progressing, although the onsite audits of covered entities will be delayed. It is currently unclear how much of a delay there will be. The onsite audits were to immediately follow the 211 desk audits that were conducted last year, although the decision has been taken to push back the onsite audits until the reports of the desk audits have been written and analyzed. For the HIPAA compliance desk audits, covered entities and business associates of covered entities were sent notifications that they had been selected for audit. They were asked to supply a range of documentation on various aspects of their HIPAA compliance programs. The documentation has now been assessed and OCR is very close to issuing reports to the 166 covered entities that were audited. Those reports will be sent out in groups, with the first batch hopefully...

Read More
Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam
Feb17

Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam

Another healthcare provider has announced that one of its employees has been fooled by a W-2 phishing scam. Citizens Memorial Hospital in Bolivar, MO., says a request for W-2 Form data was sent to one of its employees by email. The employee responded to the request believing the message was legitimate and had been sent internally. W-2 Forms for all employees at the 86-bed hospital who had taxable earnings for the 2016 fiscal year were sent via email to the scammers as requested. No announcement has been made about the number of employees impacted by the incident. The hospital discovered it was the victim of a scam the following day. The incident has been reported to both the FBI and the IRS and affected employees have been notified and offered 2 years of identity theft protection services without charge through Experian. The incident is not a HIPAA breach as HIPAA Rules do not apply to employee data. To prevent repeat attacks, Citizens Memorial Hospital will be enhancing its data security education programs. Staff will receive further training to help them identify any further...

Read More
Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System
Feb17

Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System

The Department of Health and Human Services’ Office for Civil Rights (OCR) has matched last year’s record HIPAA settlement with Advocate Health. Yesterday, OCR announced that a $5.5 million settlement had been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance. Memorial Healthcare Systems operates six hospitals in South Florida, with its flagship hospital one of the largest in the state. The healthcare system also operates a range of ancillary healthcare facilities, a nursing home, urgent care center, and is affiliated with many physician offices through an Organized Health Care Arrangement (OHCA). In 2012, Memorial Healthcare discovered a breach of ePHI had occurred. The breach was reported to OCR on April 12, 2012.  That breach related to two employees who were discovered to have inappropriately...

Read More
Faxing Error Sees PHI Sent to Local Media Outlet
Feb16

Faxing Error Sees PHI Sent to Local Media Outlet

Seven doctors’ offices in the Fort Worth area of Texas accidentally faxed patients’ protected health information to the wrong fax number. The faxes contained a range of highly sensitive patient information including names, dates of birth, Social Security numbers, medical histories and much more. While such a mistake could potentially see patients’ health information fall into the hands of criminals, in this case the errors saw the faxes sent to local media outlet, WFAA. The faxes received by WFAA related to at least 28 separate patients and should have been sent to Baylor Surgicare of Oakmont. The fax number used by the Fort Worth medical facility was identical to WFAA’s except for a single digit. In this case, the seven doctors’ offices were contacted and informed of the error and the faxes were securely destroyed, although the incident shows how easy it is for sensitive patient data to be sent to incorrect recipients by fax. While an incident such as this is unlikely to result in a HIPAA violation penalty from the Department of Health and Human Services’ Office for Civil Rights,...

Read More
Covered Entities Flirting with Fines for Late Data Breach Reports
Feb14

Covered Entities Flirting with Fines for Late Data Breach Reports

Last month, the Department of Health and Human Services’ Office for Civil Rights sent a message to covered entities regarding the late reporting of data breaches with the announcement of a settlement with Chicago-based healthcare network Presense Health. The settlement was the first reached with a covered entity purely to resolve HIPAA Breach Notification Rule violations. Presense Health had delayed the issuing of breach notification letters to patients. Presense Health agreed to settle with OCR for $475,000 to resolve the potential HIPAA violations. However, since the announcement was made, there have been a number of instances where covered entities have unnecessarily delayed the issuing of breach notification letters to patients and data breach reports to OCR. The January Breach Barometer – released by Protenus yesterday – indicates 40% of data breaches reported in January 2017 had notifications sent outside of the timescale required by the Health Insurance Portability and Accountability Act’s Breach Notification Rule. The loss, theft, or exposure of patients’...

Read More
Summary of January 2017 Healthcare Data Breaches Released
Feb14

Summary of January 2017 Healthcare Data Breaches Released

Protenus, in conjunction with databreaches.net, has released a summary of January 2017 healthcare data breaches. The report shows that 2017 started where 2016 left off, with similarly high numbers of healthcare data breach reported. January 2016 saw the lowest number of data breaches of any month in 2016 (21) and also the lowest number of records exposed of any month in the year (104,056 records). 2017 did not start nearly as well. While lower than the average monthly breaches for 2016 (37.5), January saw 31 healthcare data breaches disclosed. Those breaches resulted in the exposure of 388,307 patient and health plan member records. The largest healthcare data breach of January 2017 affected CoPilot Provider Support Services, Inc. The breach impacted 220,000 individuals. However, the breach actually occurred in October 2015, with CoPilot discovering the incident two months later in December 2015. The Department of Health and Human Services’ Office for Civil Rights was only notified of the incident last month, well outside the 60-day deadline for reporting breaches. That was a...

Read More
Majority of Healthcare Organizations Struggling with EHR Interoperability
Feb13

Majority of Healthcare Organizations Struggling with EHR Interoperability

A recent survey from Black Book Market Research has highlighted what hospital administrators and physicians know all too well. Great strides may have been made toward a fully interoperable healthcare system, but important medical data is still not accessible. There are still many problems getting hold of electronic health record data and making it accessible to the people who need it most. Many EHR systems do not have the required connectivity. Even when data from healthcare providers’ EHR systems does get sent to other providers, the data are often in an unusable or difficult to use format. 3,391 users of EHRs were surveyed for the Black Book survey. 25% of respondents said they are unable to use any data sent by other healthcare providers, while 22% of surveyed hospital administrators said they receive medical record data from other healthcare organizations in a format that does not allow data to be easily incorporated into their own EHR systems. 70% of hospitals were not using external EHR information because the data were missing from their systems’ workflow. Receiving data in...

Read More
Singh and Arora Oncology Hematology Breach Notifications Sent After 5 Months
Feb09

Singh and Arora Oncology Hematology Breach Notifications Sent After 5 Months

A Singh and Arora Oncology Hematology breach is finally being communicated to individuals who had their electronic protected health information exposed, although it has taken 5 months for those letters to be sent. The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to send breach notification letters to patients within 60 days of the discovery of an ePHI breach. The Department of Health and Human Services’ Office for Civil Rights (OCR) must also be notified of a breach in the same timeframe. However, in the case of the Singh and Arora Oncology Hematology breach, the Flint, MI-based cancer treatment center discovered that its systems had been breached on August 22, 2016. While OCR was notified of the breach on October 21, 2016, patients have only just started receiving their letters. The Singh and Arora Oncology Hematology breach actually occurred between February 27, 2016 and July 14, 2016. An...

Read More
IRS Issues Warning About W-2 Phishing Scams
Feb07

IRS Issues Warning About W-2 Phishing Scams

W-2 phishing scams increased considerably in 2015 prompting the IRS to issue a warning about the risk of attack. Now, just over 4 weeks into 2017, the IRS has issued a further warning in response to the sheer number of W-2 phishing scams that have been reported so far this year. This type of scam – often referred to as business email compromise (BEC) or business email spoofing (BES) – is simple, but highly effective. The attacker sends an email request to a payroll or HR staff member and requests W-2 Form data for the entire workforce by return. Typically, the request is for the W-2 Forms of all individuals who worked in the previous tax year. The information is often asked for in PDF format. The request appears to come from the company’s CEO, CFO, or another high-ranking executive with authority. Payroll and HR employee respond to the email and send data as requested as the email seems genuine. The individual who appears to have sent the request is likely to have a need for the information. Research is conducted on the company by the attackers. They find out the email...

Read More
Family Medicine East, Chartered Alerts 6,800 Patients to ePHI Exposure
Feb06

Family Medicine East, Chartered Alerts 6,800 Patients to ePHI Exposure

Family Medicine East, Chartered of Wichita, KS, has reported the theft of a computer from its Rock Road facilities. Thieves broke into the locked clinic on December 8, 2016 and stole a desktop computer and a printer. The computer, which was unencrypted, contained the protected health information of almost 7,000 patients. Law enforcement was notified of the break-in and theft, although the individual(s) responsible have not been apprehended and the stolen computer has not been recovered. The data on the computer were backed up so the theft has not resulted in the loss of any ePHI although an investigation of data backups did reveal that a considerable number of images and office notes were stored on the device. The medical notes were mostly transcriptions of dictated physicians’ notes and related to patients that had visited Family Medicine East, Chartered for medical services between 2003 and 2004. The notes contain details of what was discussed during patients’ appointments and included patients’ names, birth dates, appointment dates, physician’s names, symptoms, details of...

Read More
Hacking and Phishing Attacks Continue to Plague Healthcare Organizations
Feb02

Hacking and Phishing Attacks Continue to Plague Healthcare Organizations

Hacks, phishing attacks, malware, ransomware, insider incidents and W-2 scams – Cyberattacks on healthcare organizations are now coming from all angles. Attacks are also happening much more frequently than in years gone by. The healthcare industry is clearly under attack and is being extensively targeted by cybercriminals. As long as it remains profitable to do so, those attacks will continue. The value of healthcare data may have fallen with a glut of stolen data listed for sale on darknet marketplaces, but large healthcare databases still net cybercriminals considerable profits. Furthermore, cyberattacks on healthcare organizations are easy in many cases due to relatively poor defenses, outdated operating systems, poor patch management practices, and a lack of cybersecurity and anti-phishing training for employees. 2016: A Torrid Year for The Healthcare Industry 2016 may not have been the worst year for healthcare industry data breaches in terms of the number of healthcare records stolen, nor did we see the worst ever healthcare industry data security incident; however, 2016 saw...

Read More
$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas
Feb02

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. It is relatively rare for OCR a HIPAA Civil Monetary Penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority of cases when serious violations of the Health Insurance Portability and Accountability Act are discovered by OCR investigators, the covered entity in question enters into a voluntary settlement with OCR. Typically, this sees the covered entity pay a lower amount to OCR to resolve the HIPAA violations. OCR attempted to resolve the matter via informal means between November 6, 2015, and August 30,2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR explained that Children’s Medical Center of Dallas could file a request for a hearing, although no request was received. Consequently,...

Read More
Tax Season Triggers Wave of W-2 Business Email Compromise Attacks
Jan27

Tax Season Triggers Wave of W-2 Business Email Compromise Attacks

Campbell County Health is the latest victim of a W-2 business email compromise attack, which has resulted in the tax information of 1,457 hospital employees being disclosed to a scammer. The Gillette, WY-based healthcare system discovered Wednesday that an employee had responded to an email request for the W-2 form data of hospital employees. As is common in these scams, the attacker impersonated a hospital executive and requested W-2 information for all employees who had taxable earnings in 2016. A 66-year old hospital worker responded to the email and sent the information as requested. However, rather than being sent to the hospital executive, the data was sent to the scammer. Andy Fitzgerald, CEO of Campbell County Health issued a statement confirming “no protected health information for our employees or our patients were released in this incident.” The breach was limited to W-2 data. All affected employees have now been contacted and have been offered identity theft protection services through a leading credit monitoring and identity theft protection company. Law enforcement...

Read More
Healthcare Organizations Warned About Fileless Ransomware Attacks
Jan27

Healthcare Organizations Warned About Fileless Ransomware Attacks

Over the past two years, ransomware has grown to become one of the biggest cybersecurity threats. While most infections are random, the healthcare industry has been targeted in 2016 and the outlook for 2017 remains bleak. Many healthcare organizations attacked with ransomware have been able to make a full recovery by deleting systems and reconstituting data from backups. However, there have been numerous cases over the past 12 months when data restoration from backups has failed. In such cases, healthcare organizations are faced with two options: Accept data loss or pay the attackers for the keys to unlock the encryption. In February, Hollywood Presbyterian Medical Center chose the latter, and paid the attackers $17,000 for the keys to unlock the encryption. 2016 saw major new ransomware variants unleashed, with Locky and Samas (Samsam) two of the biggest threats. Both ransomware variants have been used to attack healthcare providers in 2016, with the former reportedly used to in the HPMC attack and the latter reportedly used in a major attack on Medstar Health in March, 2016. In...

Read More
New Report Reveals 2016 Data Breach Trends
Jan26

New Report Reveals 2016 Data Breach Trends

2016 was a particularly bad year for healthcare data breaches. The healthcare industry was targeted by ransomware gangs, careless employees left healthcare records exposed, and hackers broke through defenses on numerous occasions. 2016 was nowhere near as bad as 2015 in terms of the number of healthcare records stolen or exposed, but more healthcare data breaches were reported in 2016 than in previous years. But how did 2016 compare to other industries? A new data breach report from Risk Based Security highlights recent data breach trends and confirms just how bad 2016 was for cybersecurity incidents. The total number of data breaches reported in 2016 – 4,149 data breaches – was on a par with 2015. However, the severity of data breaches in 2016 was far worse. Until 2016, the worst year in terms of the number of records exposed or stolen was 2013, when the milestone of 1 billion exposed or stolen records was exceeded for the first time. However, in 2016 there were 3.2 billion more records exposed or stolen than that landmark year. More than 4.2 billion records were exposed or...

Read More
Theft of Unencrypted Laptop Exposes Wonderful Health & Wellness Patients’ ePHI
Jan24

Theft of Unencrypted Laptop Exposes Wonderful Health & Wellness Patients’ ePHI

Los Angeles-based Wonderful Health and Wellness has notified patents that their electronic protected health information (ePHI) was exposed in early December, 2016 when an unencrypted laptop computer was stolen from the company’s Wonderful Center for Health Innovation. Staff at the Center discovered the laptop computer was missing on December 12 when they returned to work after the weekend, with the theft having occurred at some point between December 9 and 12. The theft was immediately reported to law enforcement, although the device has not been recovered. The laptop contained a range of protected health information including patients’ names along with their home addresses, telephone numbers, dates of birth, email addresses, clinical account numbers, medical conditions, treatment information, treatment dates, and test results. No Social Security numbers or financial information were stored on the device. While the laptop computer was not encrypted, software had been installed which allows data on the device to be remotely deleted, although only if the laptop is used to connect to...

Read More
NIST Publishes Draft of Updated Cybersecurity Framework
Jan20

NIST Publishes Draft of Updated Cybersecurity Framework

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul. According to Matt Barrett, NIST’s program manager for the Cybersecurity Framework, “We wrote this update to refine and enhance the original document and to make it easier to use.” The new version incorporates feedback received following the December request for comments on how the framework is being used for risk management, the sharing of best practices, long term management of the Framework, and the relative value of different elements of the Framework. The Cybersecurity Framework was originally intended to be used for critical infrastructure to safeguard information assets, although its adoption has been much wider. The Framework is now being used by a wide...

Read More
Hacking Group Attempts to Extort Funds from Cancer Services Provider
Jan20

Hacking Group Attempts to Extort Funds from Cancer Services Provider

TheDarkOverlord has struck again, this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied with a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid. The charitable organization provides a range of services to help victims of cancer live normal lives during treatment, recovery, and at end of life. Little Red Door provides an invaluable service to cancer patients in East Central Indiana, with its limited funds carefully spent to provide the maximum benefit to cancer patients and their families. The payment of a $43,000 ransom would have had a significant impact on the good work the organization does, and would have taken funding away from the people who need it most. Little Red Door followed the advice of the FBI and refused to pay. Little Red Door spokesperson, Aimee Fant, issued a statement saying the organization “will not pay a ransom when all funds raised must instead go to serving families, all stage...

Read More
$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan19

$2.2 Million Settlement for Impermissible Disclosure of ePHI

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – A subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted. MAPFRE Life reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals. Multiple Areas of Noncompliance with HIPAA Rules Discovered During the course of the investigation,...

Read More
Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach
Jan17

Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach

Wilmington, DE-based healthcare provider Brandywine Pediatrics, P.A. has informed tens of thousands of its patients that some of their protected health information has potentially been accessed by an unknown individual. The security breach involved a computer virus, which was discovered on one of the organization’s file servers. While it has not been explicitly stated that the virus was ransomware, Brandywine Pediatrics has informed patients that the virus rendered ePHI inaccessible. In order to regain access to files it was necessary to restore files from data backups. The virus infection was discovered on October 25, 2016, sparking a full investigation. A third-party computer forensics expert was contracted to conduct an investigation. That investigation revealed that a number of practice files containing ePHI had potentially been accessed. Sensitive data in the files included names, addresses, medical information, and health insurance details of patients. Brandywine Pediatrics has confirmed that Social Security numbers, credit card/debit card numbers and financial data were not...

Read More
OCR Reminds CEs of HIPAA Audit Control Requirements
Jan17

OCR Reminds CEs of HIPAA Audit Control Requirements

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients. Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. Once case involved the viewing of a celebrity’s medical records by multiple staff members. Late last week, OCR released its January Cyber Awareness Newsletter which explained the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST defines audit logs as records of events based on applications, system or users, while audit trails are audit logs of applications, system or users. Most information systems include options for logging user activity, including access and failed access attempts, the devices that have been used to log on,...

Read More
OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan12

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily. Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases...

Read More
OCR Updates HIPAA Privacy Rule Guidance for Healthcare Professionals
Jan11

OCR Updates HIPAA Privacy Rule Guidance for Healthcare Professionals

The Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance for healthcare professionals to help clear up confusion about allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones. The majority of healthcare professionals are aware that the HIPAA Privacy Rule permits them to share the protected health information of a patient with a relative or loved one. However, the 2016 Orlando nightclub shooting incident revealed that many healthcare professionals are unsure about how the HIPAA Privacy Rule – 45 CFR 164.510(b) – applies to same sex couples. OCR has confirmed that the Privacy Rule permits a covered entity to “share [PHI] with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care.” OCR has also confirmed that covered entities are allowed to disclose relevant information “to notify, or assist...

Read More
Healthcare Industry Prepares for the HIPAA 2017 Audits
Jan10

Healthcare Industry Prepares for the HIPAA 2017 Audits

Given the number of HIPAA 2017 audits that OCR has planned, the probability of any healthcare organization being selected for a compliance audit is relatively small; however, that does not mean healthcare organizations can afford to be lax when it comes to HIPAA compliance. With onsite audits looming, healthcare organizations need to be prepared. Even if covered entities and business associates have not been selected for a desk audit, they may be selected for a full compliance audit later this year. Should a healthcare organization escape a 2017 HIPAA compliance audit, if a data breach is experienced, OCR will investigate. OCR follows up on all data breaches impacting more than 500 individuals. Covered entities that have experienced a data breach or security incident will be required to demonstrate that HIPAA Rules have not been violated and policies and procedures comply with the HIPAA Rules. The high number of healthcare data breaches reported in recent years shows healthcare organizations need to be prepared for a HIPAA investigation in the event that a security incident is...

Read More
$475,000 Settlement for Delayed HIPAA Breach Notification
Jan10

$475,000 Settlement for Delayed HIPAA Breach Notification

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. Following a breach of PHI, the HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to all affected individuals advising them of the breach. Those letters need to be issued within 60 days of the discovery of the breach, although covered entities should not delay the issuing of breach notifications to patients or health plan members unnecessarily. Additionally, if the breach affects more than 500 individuals, a breach report must be submitted to Office for Civil Rights within 60 days and the Breach Notification Rule also requires covered entities to issue a breach notice to...

Read More
Patients Holding Back Health Information Over Data Privacy Fears
Jan05

Patients Holding Back Health Information Over Data Privacy Fears

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited. Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider. Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data. Important Medical Information is Being Withheld by Patients The extent to...

Read More
Largest Healthcare Data Breaches of 2016
Jan04

Largest Healthcare Data Breaches of 2016

2016 was a particularly bad year for healthcare data breaches. The largest healthcare data breaches of 2016 were nowhere near the scale of those seen in 2015 – 16,471,765 records were exposed compared to 113,267,174 records in 2015 – but more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year. As of February 6, 2017 there have been 329 reported breaches of more than 500 records that have been uploaded to the OCR breach portal. 2017 looks set to be another particularly bad year for data breaches. 2016 Healthcare Data Breaches of 500 or More Records   Year Number of Breaches (500+) Number of Records Exposed 2016 329 16,471,765 2015 270 113,267,174 2014 307 12,737,973 2013 274 6,950,118 2012 209 2,808,042 2011 196 13,150,298 2010 198 5,534,276 2009 18 134,773 Total 1801 171,054,419   Largest Healthcare Data Breaches of 2016 While the above figures...

Read More
New Report Published on Privacy Risks of Personal Health Wearable Devices
Dec29

New Report Published on Privacy Risks of Personal Health Wearable Devices

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics. Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data. The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure. If a wearable device is provided to a patient by a HIPAA-covered entity, the...

Read More
Joint Commission Ban on Secure Messaging for Orders Remains in Place
Dec22

Joint Commission Ban on Secure Messaging for Orders Remains in Place

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter. In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk. The ban was originally put in place as SMS messages were not secure. It was also not possible to verify the sender of a message nor for original message to be retained for auditing purposes. Since the original ban was introduced, a number of companies developed secure text messaging platforms that incorporated all of the necessary security features to ensure messages could not be intercepted. Those messaging platforms also allowed the identity of the sender to be verified, ensured that messages were retained for auditing purposes, and a slew of other privacy and security controls...

Read More
Nurse Fired for HIPAA Violation
Dec20

Nurse Fired for HIPAA Violation

Can a nurse be fired for a HIPAA violation? Certainly. Violate HIPAA Rules and having your employment contract terminated may not be the worst thing that will happen. There may also be criminal charges for HIPAA violations. Jail time is likely if protected health information (PHI) is stolen and passed on to an identity thief, although HIPAA Privacy Rule violations alone can result in a jail term. If there is aggregated identity theft, there will be a mandatory two-year sentence tacked on to the sentence. When a nurse is fired for a HIPAA violation, finding alternative employment can be problematic. Few healthcare organizations would be willing to hire an employee that has previously been fired for violated HIPAA Rules. In January this year, a nurse aide was fired from Wayne Memorial Hospital for a HIPAA violation after the inappropriate accessing of 390 patients’ records was discovered. One notable incident in 2011 saw nurses and other healthcare staff snoop on patient records. In that case, there had been a party in a neighboring town where there were multiple drug overdoses....

Read More