New HIPAA-Compliant TeleHealth Service Changes Outpatient Care – Pipeline Magazine (press release)

Licensed clinicians use a secure, HIPAA-compliant program to participate in a two-way video chat with patients. Recovery management is critically important following a patient's release from treatment. As thought leaders in the behavioral health field, ...

Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status

A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status.

The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived.

In contrast to many healthcare data breach lawsuits that are filed following cyberattacks by hackers, this incident involved an insider. A phlebotomist employed at Flowers Hospital – Kamarian Millender – stole non-hospital records stored at the hospital. The information in those records was used to file fraudulent tax returns in the names of 124 individuals over two years.

Millender was arrested in 2014 and was found to be in possession of 54 patient records. Millender was subsequently charged with trafficking stolen identities and aggravated identity theft and pled guilty to stealing 73 identities for the purpose of filing fraudulent tax returns.

In total, prosecutors alleged tax returns totaling around $536,000 were submitted to the IRS, although most of those returns were stopped and just $18,915 in refunds were issued. Millender was sentenced to serve 2 years in prison after pleading guilty. Millender is not believed to have acted alone, but his suspected accomplice remains at large.

While there is no doubt that PHI was stolen and misused and losses were suffered as a direct result, there is some debate as to how many individuals have been impacted. Flowers Hospital sent breach notification letters to 1,208 patients after discovering five files were missing, each of which was understood to contain the records of around 100 to 150 patients.

While those patients were notified that they were potentially affected, Flowers Hospital sent the letters to all of them ‘out of an abundance of caution’. Not all of those individuals necessarily had their information stolen and misused. The breach report submitted to OCR indicates 629 individuals were impacted by the breach.

Earlier this week, Chief United States District Judge W. Keith Watkins awarded class action status to the lawsuit, even though it was unclear how many individuals were impacted. The plaintiffs had not shown how many putative class members were affected, although it is probable that they will number in the hundreds. Judge Watkins said, “[Even if] the class is limited to the 73 victims identified in Millender’s plea agreement, the named plaintiffs have easily satisfied the numerosity requirement.”

Many data breach lawsuits ultimately fail as the plaintiffs are unable to demonstrate that losses have been suffered as a direct result of the theft or exposure of protected health information. In this case, the perpetrator was convicted and it is clear that at least some of the plaintiffs have suffered losses. How many of the class members will be able to demonstrate that harm has been suffered remains to be seen. The lawsuit alleges negligence, breach of contract, violation of the Fair Credit Reporting Act and an invasion of privacy, although the latter claims have now been dismissed.

It is possible that the Judge’s ruling may be challenged, so there are potential hurdles ahead. If the lawsuit survives a challenge, it will move to the discovery phase. Flowers Hospital/Triad of Alabama has not yet announced its next course of action.

The post Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status appeared first on HIPAA Journal.

What Can Small Healthcare Providers Do To Prevent Ransomware Attacks?

Ransomware attacks on healthcare providers are occurring with alarming frequency. Figures from the FBI suggest as many as 4,000 ransomware attacks are occurring every day.

Healthcare organizations are targeted because they hold large volumes of data and access to those data is required to provide medical services to patients. Without access to patients’ health information, healthcare services can be severely disrupted. Such reliance on data makes healthcare providers attractive targets as they are more likely than other companies to give in to ransom demands to obtain keys to unlock their data.

All businesses, and healthcare organizations especially, should implement a number of defenses to prevent ransomware attacks. Policies and procedures should also be developed to ensure that in the event of an attack, business operations are not severely disrupted and data can be recovered quickly.

There is no one technology solution that can be deployed to prevent ransomware attacks from occurring, although there are a number of actions that can be taken to improve resilience against ransomware attacks and ensure a fast recovery can be made at minimal cost.

How to Prevent Ransomware Attacks

Listed below are some of the steps that healthcare providers should take to improve their defenses against ransomware:

  • Deploy and configure an anti-spam solution – Consider all of the email attachment types that employees are likely to require and block all others, especially JavaScript (.js) and Visual Basic (.vbs) files, executables (.exe) and screensaver files (.scr)
  • Configure computers to display file extensions. Double extensions are often used to trick end users into believing files are harmless, Invoice.xlsx.scr for example. Displaying file extensions will help users to identify malicious files
  • Ensure Office installations are configured to block macros, or at least ensure macros must be run manually. Make sure all employees are warned of the dangers of enabling and running macros
  • Ransomware infections often occur via Windows PowerShell. Unless PowerShell is essential, consider disabling it
  • Ensure all software is kept up to date and patches are applied promptly
  • Segment your network – An attack on one device should not allow all of the company’s data to be encrypted
  • Provide training to all employees on security best practices and instruct them never to open email attachments – or visit links – contained in emails from unknown senders
  • Consider an Internet filtering solution that can be used to block end users from visiting malicious websites
  • Ensure anti-virus software is installed and virus definitions are set to update automatically. Consider installing a popup blocker in web browsers
  • Block all unused ports on computers
  • Train all staff members on basic cybersecurity and best practices
  • Conduct dummy phishing email tests to ensure training has been effective
  • Ensure all employees are trained on the correct response to a potential attack. Ensure staff members are made aware of the importance of reporting any suspicious emails and how to respond if they believe they may have inadvertently installed ransomware
  • Ensure that policies and procedures are developed that can be instantly implemented in the event of an attack. Fast reaction can limit the harm caused and will ensure the fastest possible recovery from an attack
  • Consider encrypting data. While this will not prevent a ransomware attack, if data that are already encrypted are then encrypted by ransomware, patient notifications will not need to be issued and a breach report will not need to be submitted to the Office for Civil Rights
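The first two items above (allow only the attachment types staff need, block script and executable types, and watch for double extensions such as Invoice.xlsx.scr) can be expressed as a small mail-gateway policy. The following Python is an added example written for this page, not code from HIPAA Journal or any vendor; the allowlist it uses is a constructed one that a small practice might settle on.

```python
"""Allowlist-based attachment policy (added example, not HIPAA Journal's code).

Blocks every attachment type except those on an allowlist, refuses the
script/executable types the post names (.js, .vbs, .exe, .scr) outright,
and flags double extensions where an inner, document-looking extension
is used to disguise the real file type.
"""
from typing import NamedTuple

# Constructed allowlist: the types this hypothetical practice decided staff need.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "csv", "jpg", "png", "txt"}
# Types the post says to block regardless of any allowlist.
DANGEROUS_EXTENSIONS = {"js", "vbs", "exe", "scr"}


class Verdict(NamedTuple):
    allowed: bool
    reason: str


def _extensions(filename: str) -> list[str]:
    """Every dotted segment after the base name, lower-cased.

    Surrounding whitespace is stripped so 'macro.vbs ' is still seen as .vbs,
    and empty segments from doubled dots ('a..exe') are dropped.
    """
    parts = filename.strip().lower().split(".")
    return [p for p in parts[1:] if p]


def check_attachment(filename: str) -> Verdict:
    """Decide whether one attachment filename passes the policy."""
    exts = _extensions(filename)
    if not exts:
        return Verdict(False, "no file extension")
    final = exts[-1]                       # the extension Windows actually honours
    if final in DANGEROUS_EXTENSIONS:
        return Verdict(False, f"blocked type .{final}")
    if final not in ALLOWED_EXTENSIONS:
        return Verdict(False, f".{final} not on the allowlist")
    if any(e in ALLOWED_EXTENSIONS for e in exts[:-1]):
        # e.g. report.pdf.docx: the real type is allowed, but a document-looking
        # inner extension is the disguise the post describes, so quarantine it.
        return Verdict(False, "double extension " + ".".join(exts))
    return Verdict(True, f".{final} allowed")


def filter_attachments(filenames: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split a message's attachments into those kept and those blocked (with reason)."""
    kept, blocked = [], {}
    for name in filenames:
        verdict = check_attachment(name)
        (kept.append(name) if verdict.allowed else blocked.__setitem__(name, verdict.reason))
    return kept, blocked
```

Pair this with a gateway rule that quarantines rather than deletes, so a legitimately needed type that is missing from the allowlist surfaces as a support request instead of silently disappearing.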

Most important of all is to ensure data are backed up daily. Backups should be stored securely in the cloud. Local backups should be stored on air-gapped devices. Backup drives should not be left connected after backups have been performed. Backup drives can also be encrypted by ransomware.

Reporting Ransomware Attacks and Notifying Patients

HIPAA Rules require ransomware attacks to be reported if the protected health information of patients has been accessed or encrypted, unless the covered entity can demonstrate there was a low probability that patient data were compromised in an attack.

While some healthcare organizations have disclosed ransomware attacks, many are not reporting the incidents. The failure to report a ransomware attack and notify patients that their ePHI has been compromised can potentially result in financial penalties for noncompliance with HIPAA Rules.

To avoid a HIPAA penalty, a covered entity must be able to demonstrate there was a low probability of patient data being accessed or copied during an attack. The Department of Health and Human Services’ Office for Civil Rights released guidance for covered entities on ransomware infections last year. In the guidance, covered entities are advised of the steps that should be taken following a ransomware attack and the criteria for determining whether patient notifications must be issued. The guidance can be downloaded/viewed on this link.

The post What Can Small Healthcare Providers Do To Prevent Ransomware Attacks? appeared first on HIPAA Journal.