Healthcare Data Privacy

March 2024 Healthcare Data Breach Report

Posted by Steve Alder

March was a particularly bad month for healthcare data breaches with 93 branches of 500 or more records reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), a 50% increase from February and a 41% year-over-year increase from March 2023. The last time more than 90 data breaches were reported in a single month was September 2020.

The reason for the exceptionally high number of data breaches was a cyberattack on the rehabilitation and long-term acute care hospital operator Ernest Health. When a health system experiences a breach that affects multiple hospitals, the breach is usually reported as a single breach. In this case, the breach was reported individually for each of the 31 affected hospitals. Had the breach been reported to OCR as a single breach, the month’s breach total would have been 60, well below the average of 66.75 breaches a month over the past 12 months.

Healthcare data breaches in the past 12 months

 

 

healthcare data breaches in March 2020-2024

While the breach total was high, the number of individuals affected by healthcare data breaches fell for the fourth consecutive month to the lowest monthly total since January 2023. Across the 93 reported data breaches, the protected health information of 2,971, 249 individuals was exposed or impermissibly disclosed – the lowest total for March since 2020.

records compromised in healthcare data breaches in the past 12 months

healthcare records breached in march 2020-2024

Biggest Healthcare Data Breaches in March 2024

18 data breaches were reported in March that involved the protected health information of 10,000 or more individuals, all of which were hacking incidents. The largest breach of the month was reported by the Pennsylvanian dental care provider, Risa’s Dental and Braces.  While the breach was reported in March, it occurred 8 months previously in July 2023. A similarly sized breach was reported by Oklahoma’s largest emergency medical care provider, Emergency Medical Services Authority. Hackers gained access to its network in February and stole files containing names, addresses, dates of birth, and Social Security numbers.

Philips Respironics, a provider of respiratory care products, initially reported a hacking-related breach to OCR involving the PHI of 457,152 individuals. Hackers gained access to the network of the Queens, NY-based billing service provider M&D Capital Premier Billing in July 2023, and stole files containing the PHI of 284,326 individuals, an August 2023 hacking incident was reported by Yakima Valley Radiology in Washington that involved the PHI of 235,249 individuals, and the California debt collection firm Designed Receivable Solutions, experienced a breach of the PHI of 129,584 individuals. The details of the breach are not known as there has been no public announcement other than the breach report to OCR.

 Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause
Risas Dental & Braces PA Healthcare Provider 618,189 Hacking Incident
Emergency Medical Services Authority OK Healthcare Provider 611,743 Hacking Incident
Philips Respironics PA Business Associate 457,152 Exploited software vulnerability (MoveIT Transfer)
M&D Capital Premier Billing LLC NY Business Associate 284,326 Hacking Incident
Yakima Valley Radiology, PC WA Healthcare Provider 235,249 Hacked email account
Designed Receivable Solutions, Inc. CA Business Associate 129,584 Hacking Incident
University of Wisconsin Hospitals and Clinics Authority WI Healthcare Provider 85,902 Compromised email account
Aveanna Healthcare GA Healthcare Provider 65,482 Compromised email account
Ezras Choilim Health Center, Inc. NY Healthcare Provider 59,861 Hacking Incident (data theft confirmed)
Valley Oaks Health IN Healthcare Provider 50,034 Hacking Incident
Family Health Center MI Healthcare Provider 33,240 Ransomware attack
CCM Health MN Healthcare Provider 28,760 Hacking Incident
Weirton Medical Center WV Healthcare Provider 26,793 Hacking Incident
Pembina County Memorial Hospital ND Healthcare Provider 23,811 Hacking Incident (data theft confirmed)
R1 RCM Inc. IL Business Associate 16,121 Hacking Incident (data theft confirmed)
Ethos, also known as Southwest Boston Senior Services MA Business Associate 14,503 Hacking Incident
Pomona Valley Hospital Medical Center CA Healthcare Provider 13,345 Ransomware attack on subcontractor of a vendor
Rancho Family Medical Group, Inc. CA Healthcare Provider 10,480 Cyberattack on business associate (KMJ Health Solutions)

 

Data Breach Causes and Location of Compromised PHI

As has been the case for many months, hacking incidents dominated the breach reports. 76 of the month’s breaches were classed as hacking/IT incidents, which involved the records of 2,918,585 individuals, which is 98.2% of all records compromised in March. The average breach size was 38,402 records and the median breach size was 3,144 records. The nature of the hacking incidents is getting harder to determine as little information about the incidents is typically disclosed in breach notifications, such as whether ransomware or malware was used. The lack of information makes it hard for the individuals affected by the breach to assess the level of risk they face. Many of these breaches were explained as “cyberattacks that caused network disruption” in breach notices, which suggests they were ransomware attacks.

Causes of March 2024 healthcare data breaches

There were 11 unauthorized access/disclosure incidents reported involving a total of 36,533 records. The average breach size was 3,321 records and the median breach size was 1,956 records. There were 4 theft incidents and 1 loss incident, involving a total of 15,631 records (average: 3,126 records; median 3,716 records), and one improper disposal incident involving an estimated 500 records. The most common location for breached PHI was network servers, which is to be expected based on the number of hacking incidents, followed by compromised email accounts.

Location of breached PHI in March 2024 healthcare data breaches

Where Did the Data Breaches Occur?

The OCR data breach portal shows there were 77 data breaches at healthcare providers (2,030,568 records), 10 breaches at business associates (920,522 records), and 6 data breaches at health plans (20,159 records). As OCR recently confirmed in its Q&A for healthcare providers affected by the Change Healthcare ransomware attack, it is the responsibility of the covered entity to report breaches of protected health information when the breach occurs at a business associate; however, the responsibility for issuing notifications can be delegated to the business associate. In some cases, data breaches at business associates are reported by the business associate for some of the affected covered entity clients, with some covered entities deciding to issue notifications themselves. That means that data breaches at business associates are often not abundantly clear on the breach portal. The HIPAA Journal has determined the location of the breaches, with the pie charts below show where the breaches occurred, rather than the entity that reported the breach.

Data breaches at HIPAA-regulated entities in March 2024

Records breached at HIPAA-regulated entities in March 2024

Geographical Distribution of Healthcare Data Breaches

In March, data breaches were reported by HIPAA-regulated entities in 33 U.S. states. Texas was the worst affected state with 16 breaches reported, although 8 of those breaches were reported by Ernest Health hospitals that had data compromised in the same incident. California experienced 10 breaches, including 3 at Ernest Health hospitals, with New York also badly affected with 7 reported breaches.

State Breaches
Texas 16
California 10
New York 7
Pennsylvania 6
Indiana 5
Colorado & Florida 4
Illinois, Ohio & South Carolina 3
Arizona, Idaho, Massachusetts, Michigan, Minnesota, New Mexico, North Carolina, Oklahoma & Utah 2
Alabama, Georgia, Kansas, Kentucky, Nevada, New Jersey, North Dakota, Oregon, Tennessee, Virginia, Washington, West Virginia, Wisconsin & Wyoming 1

HIPAA Enforcement Activity in March 2024

OCR announced one settlement with a HIPAA-regulated entity in March to resolve alleged violations of the HIPAA Rules. The Oklahoma-based nursing care company Phoenix Healthcare was determined to have failed to provide a daughter with a copy of her mother’s records when the daughter was the personal representative of her mother. It took 323 days for the records to be provided, which OCR determined was a clear violation of the HIPAA Right of Access and proposed a financial penalty of $250,000.

Phoenix Healthcare requested a hearing before an Administrative Law Judge, who upheld the violations but reduced the penalty to $75,000. Phoenix Healthcare appealed the penalty and the Departmental Appeals Board affirmed the ALJ’s decision; however, OCR offered Phoenix Healthcare the opportunity to settle the alleged violations for $35,000, provided that Phoenix Healthcare agreed not to challenge the Departmental Appeals Board’s decision.

The post March 2024 Healthcare Data Breach Report appeared first on HIPAA Journal.

OctaPharma Plasma Closes Donation Centers While It Deals with Suspected Ransomware Attack

Posted by Steve Alder

The Swiss pharmaceutical firm, Octapharma Plasma, is dealing with a cyberattack that has affected systems at 190 plasma donation centers in 35 U.S. states. Those centers have been temporarily closed while the company responds to the attack and works on bringing the affected systems back online.

Octapharma identified suspicious activity within its network on April 17, 2024, and confirmed that an unauthorized third party had breached its network and disrupted certain parts of its operations. An investigation has been launched and third-party cybersecurity experts have been engaged to investigate the attack and determine its impact. At this stage, Octapharma has yet to provide any further details about the attack, such as whether ransomware was used to encrypt files, and said further information will be released as the investigation progresses.

Without access to critical IT systems, donors are unable to visit its plasma donation centers. The plasma collected at its U.S. facilities is shipped to its European manufacturing plants and is used to create life-saving therapies. The disruption to plasma supplies threatens production at its EU-based facilities, given that 75% of the plasma used in its therapies is collected from donors in the United States.

A reporter at The Register spoke with a source familiar with the incident who claimed the attack occurred on Monday, April 15, 2024, and the BlackSuit ransomware group was responsible. BlackSuit is a relatively new ransomware operation that was discovered in May 2023. The group has significant similarities with the Royal ransomware group, which was a successor of the Conti ransomware operation.  The Register’s source claimed that vulnerabilities were exploited to gain access to Octapharma’s VMware systems, with Blacksuit ransomware used to encrypt files.

In November 2023, the Health Sector Cybersecurity Coordination Center (HC3) warned the healthcare and public health sector about BlackSuit ransomware. HC3 said the group appears to conduct indiscriminate attacks on a variety of industry sectors, including healthcare, manufacturing, business technology, business retail, and government sectors, and that the group engages in double extortion tactics, where stolen data is added to its data leak site if the ransom is not paid. As of April 22, 2024, Octapharma is not showing on the group’s data leak site.

The post OctaPharma Plasma Closes Donation Centers While It Deals with Suspected Ransomware Attack appeared first on HIPAA Journal.

FTC Prohibits Alcohol Addiction Firm from Sharing Consumer Data with Third Parties

Posted by Steve Alder

The Federal Trade Commission (FTC) has ordered the alcohol addiction treatment firm Monument to stop disclosing consumers’ health data to third parties for advertising purposes without obtaining affirmative consent. A $2.5 million civil monetary penalty has also been imposed but the penalty has been suspended due to the inability of Monument to pay.

The FTC’s proposed order settles FTC charges that Monument disclosed consumers’ personal and health information to third parties such as Google and Meta between 2020 and 2022 without obtaining consent. The data disclosed revealed that customers were receiving help with alcohol addiction when Monument had informed its customers that their data would remain 100% confidential.

When customers sign up for Monument’s services, they disclose sensitive information including their name, email address, date of birth, phone number, address, information about their alcohol consumption, medical history, copies of their government-issued IDs, and their IP address and device IDs are collected. According to the complaint, between 2020 and 2022, Monument informed consumers on its website and in communications that the personal and health information provided to the company would be 100% confidential and would not be disclosed to third parties without user consent. Monument also claimed that it was compliant with the Health Insurance Portability and Accountability Act (HIPAA).

However, Monument added tracking technologies to its website, also known as pixels and application programming interfaces (APIs), which were used to collect information that allowed it to target ads for its services to new consumers and current customers who had signed up for the lowest-cost memberships. Monument classified website interactions under standard and custom events, with the latter given descriptive titles such as “Paid: Weekly Therapy” or “Paid: Med Management,” when a user signed up for a service.

The “custom events” information was disclosed to advertising platforms along with users’ email addresses, IP addresses, and other identifiers, that allowed individuals to be identified and associated with the custom events. The descriptions confirmed that the individuals were receiving treatment for alcohol addiction. Monument did not track the disclosures nor maintain an inventory of the information it collected and disclosed to third parties; however, according to the FTC, as many as 84,000 of its users had their information disclosed to third parties without consent.

These disclosures were deemed to constitute unfair and deceptive practices that violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA). The $2.5 million civil monetary penalty will have to be paid if the company is found to have misrepresented its finances. Monument must also identify the user data it has sent to third parties and instruct them to delete the data, implement a comprehensive privacy program with strong safeguards to protect consumer data and address the issues the FTC identified in its complaint, and inform consumers whose information has been disclosed to third parties for advertising purposes. The FTC order now awaits approval from a District Court judge.

“This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”

The FTC has also recently taken action against the mental health telehealth company Cerebral and has ordered the company to pay a $7.1 million penalty.

The post FTC Prohibits Alcohol Addiction Firm from Sharing Consumer Data with Third Parties appeared first on HIPAA Journal.

96% of Hospitals Still Use Website Tracking Technologies That Share Data with Third Parties

Posted by Steve Alder

An analysis of the websites of non-federal acute care U.S. hospitals has confirmed that 96% of those websites use tracking technologies that share visitor data with third parties such as Meta, Google, LinkedIn, or Snapchat.

In December 2022, The Department of Health and Human Services issued guidance for HIPAA-regulated entities on the use of website tracking technologies. The guidance made it clear that under HIPAA, these technologies cannot be used if they share protected health information with third parties unless the third parties in question are authorized to receive the data – and a HIPAA-compliant business associate agreement is in place – or if consent to share the data is obtained from patients. In July 2023, OCR and the Federal Trade Commission (FTC) issued around 130 warning letters to hospitals and telehealth companies to remind them of their obligations under HIPAA with respect to website tracking technologies.

OCR issued updated guidance in March 2024 clarifying its position, confirming that OCR accepts that not all information collected through these tools is classed as protected health information, stressing that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

Prior to OCR issuing guidance, a study conducted by researchers at the University of Pennsylvania in Philadelphia determined that 99% of hospitals in the United States were using tracking technologies on their websites that transferred data to third parties. A follow-up study – published in the JAMA Network – was conducted on 100 hospitals between November 2023 and January 2024 that looked at whether hospitals were transferring visitor data to third parties via these tracking technologies and if they had easy-to-find privacy policies that advised visitors about the use of these tools, how and why data was collected, and the third parties that received that data.

Out of 100 hospital websites, 96 transferred user information to third parties. 71 websites had privacy policies, 69 stated the types of information that was automatically collected, 70 indicated how that data would be used, 66 stated the categories of third parties that would receive the collected information, but only 40 named the specific third parties that would receive the data. While some privacy policies state well-known names of companies that receive the data, Google for instance, the researchers note that hospital websites transfer data to a median of 9 domains, with previous research indicating many unfamiliar companies receive data from hospital websites, including data brokers and companies with little to no consumer-facing presences. The researchers point out that a substantial number of hospital websites are not providing users with adequate information about how their data will be collected and used, either by not including a privacy policy or not disclosing sufficient information to website visitors about how their data will be used.

The post 96% of Hospitals Still Use Website Tracking Technologies That Share Data with Third Parties appeared first on HIPAA Journal.

Epic Systems Shuts off Access for Certain Particle Health Customers Over Patient Privacy Concerns

Posted by Steve Alder

The electronic health record provider Epic Systems has cut off access to data for a startup called Particle Health after alleging the firm was sharing patient data with third-party companies for reasons not related to treatment. Epic, the largest provider of electronic health records in the United States, alleged that Particle Health was engaging in unauthorized and unethical data sharing that had the potential to violate the HIPAA Privacy Rule. On Thursday last week, Epic notified customers that the connection with Particle Health had been cut off.

Particle Health is a member of the Carequality network, which supports interoperability and facilitates health data exchange. Members of the network act as middlemen that connect different healthcare networks across the United States and the Carequality interoperability framework is used to exchange more than 400 million documents each month. To join the Carequality network, a company must agree to only share patient data for certain purposes, one of which is for treatment. Epic responds to requests for data for treatment purposes and requires the recipient to be providing care to the patient whose records have been requested.

On March 21, 2024, Epic filed a formal dispute with Carequality about Particle Health and its participant organizations and alleged that they may be inaccurately representing the purpose for record requests and suspended Particle Health’s connection the same day. Particle Health explained in an April 9, 2024 blog post that immediate action was taken to address the issue after Epic blocked access to data requests for a subset of its customers and confirmed that it is strongly committed to privacy and security and subjects its customers to a rigorous onboarding process and requires them to adhere to the standards of the Carequality framework. Particle Health explained that Epic did not shut off data access for the company and Carequality has not suspended Particle Health’s ability to participate in data exchange; however, on March 21, 2024, Epic stopped responding to data requests for some of Particle Health’s customers without a clearly stated reason for doing so.

Particle Health also expressed concern that certain individuals at Epic thought that some of its customers might be inaccurately representing the purpose associated with their record retrievals, then extrapolated that to assert that Particle Health might not be fulfilling its obligations as a Carequality implementer. Particle Health said it strongly objects to the latter and is happy to investigate the former, and pointed out that the company has always acted in good faith and followed guidelines and said there is no standard reference to assess the definition of treatment nor the application of the definition of treatment as it pertains to data requests.

“This decision has negatively impacted thousands of patients, and potentially puts 6M+ patient encounters per year at risk,” explained Particle Health founder, Troy Bannister, in a post on LinkedIn. “We believe strongly that this unilateral action is a violation of important rules developed to ensure that this doesn’t happen and is critical to the uninterrupted treatment of patients everywhere.”

Epic said the reason for cutting off access was due to anomalies in patient record exchange patterns, such as requests for large numbers of records in a particular geographic region, and that certain Particle Health customers were not sending back new data from patients, which is a red flag that suggests the data is being shared for reasons other than treatment. After evaluating Particle Health’s new participant connections, including organizations such as Integritort, MDPortals, and Reveleer, Epic determined that data sharing was likely not for treatment purposes and blocked access for a subset of Particle Health’s customers. Epic also said that it heard from another Carequality member that Integritort was attempting to use patient data to identify participants in a potential class action lawsuit. Epic requested that Particle Health provide further information on how its customers qualify for treatment uses.

“We have made significant progress towards resolving this connectivity, with some customers already turned back on,” explained Particle Health in a blog post. “We are continuing working collaboratively with Epic and remain committed to upholding our mission by standing up for our customers and supporting the legitimate use of health data exchanges.”

The post Epic Systems Shuts off Access for Certain Particle Health Customers Over Patient Privacy Concerns appeared first on HIPAA Journal.

FTC Fines Mental Health Company Cerebral $7.1 Million for Consumer Privacy Violations

Posted by Steve Alder

The Federal Trade Commission (FTC) has fined the mental health startup Cerebral $7.1 million for consumer privacy violations and deceptive trading practices. The $7.1 million financial penalty resolves allegations that the mental health telehealth company and its former CEO, Kyle Robertson, broke its privacy promise to consumers by impermissibly disclosing their sensitive personal and health information to third parties for advertising purposes, misled consumers about its cancellation process, and failed to protect sensitive health data. The proposed FTC order includes a requirement for Cerebral to refrain from disclosing consumers’ data to third parties for advertising purposes without consent and for the company to provide an easy way for consumers to cancel its services.

One of the most important factors for consumers when choosing a mental health care provider is privacy. Consumers need to be able to discreetly discuss highly sensitive mental health problems and be sure that the information disclosed is kept private and confidential. The FTC alleged that Cerebral claimed it provided safe, secure, and discreet services but failed to clearly inform consumers that their sensitive data would be shared with third parties. As a result of the information sharing, consumers could be targeted with advertisements related to the information they disclosed to Cerebral in confidence.

Cerebral had disclosed its data sharing practices in its privacy policies; however, those privacy policies were dense and the information about data sharing practices was deeply buried making it likely that consumers would not see it. Further, Cerebral claimed in multiple areas that it would not share consumer data with third parties for advertising purposes without their consent. According to the FTC complaint, Cerebral shared the sensitive data of almost 3.2 million consumers with third parties such as Snapchat, LinkedIn, and TikTok via tracking tools embedded in its websites and apps, which amounted to a deceptive business practice that violated the FTC Act.

The information disclosed to those third parties included names, addresses, email addresses, phone numbers, birth dates, IP addresses, medical and prescription histories, pharmacy and health insurance information, other types of health information, and other personal data such as religious and political beliefs and sexual orientation. That information was also available internally to Cerebral staff, with access to customer data not restricted to the employees who needed to view that information. Between May 2021 and December 2021, former employees could continue to access consumer information and the company failed to ensure that healthcare providers could only access their own patients’ records.

The FTC complaint alleged that Cerebral engaged in sloppy marketing practices. For instance, 6,000 postcards were mailed to patients that included patients’ names and language that would reveal their diagnosis and treatment to others, rather than using envelopes and Cerebral used a Single Sign-on solution that exposed patient data to other patients when they signed into the patient portal at the same time.

The FTC also alleged that Cerebral and its CEO violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) due to engaging in unfair and deceptive practices regarding substance use disorder treatment services and violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all material terms of its cancellation policies before charging consumers. The alleged deceptive practices started while Robertson was CEO and continued after his tenure.

The FTC order has yet to be approved by the U.S. District Court for the Southern District of Florida. If approved, in addition to the financial penalty and ban on disclosing sensitive data for advertising purposes, Cerebral is required to post a notice on its website alerting consumers about the FTC order, delete consumer data that is not being used for either treatment, payment, or healthcare operations if users have not consented to those uses, provide consumers with a mechanism to request that their data is deleted, and adopt a data retention schedule.

The financial penalty includes $5.1 million to provide partial refunds to customers affected by its deceptive cancellation policies. A $10 million civil monetary penalty has also been imposed, which will be suspended after $2 million has been paid due to the inability of the company to pay the full amount.

“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”

“Cerebral has been transparent and fully cooperative throughout the investigation and remains committed to providing excellent care for our valued patients while upholding the highest standards of customer service, data protection, and client privacy,” explained Cerebral in a statement about the FTC order.

The post FTC Fines Mental Health Company Cerebral $7.1 Million for Consumer Privacy Violations appeared first on HIPAA Journal.

Children’s Healthcare of Atlanta Sued for Disclosing Health Information to Facebook

Posted by Steve Alder

Children’s Healthcare of Atlanta is one of the latest healthcare providers to face a class action lawsuit over the use of website tracking technologies. According to the lawsuit, Children’s Healthcare of Atlanta added Meta pixel tracking code to its CHOA.org website and its MyChart patient portal. The tracking code was used by Children’s Healthcare of Atlanta to collect data to use for marketing purposes and transmitted the collected data to Facebook and was used to serve targeted ads.

The lawsuit was filed in the Superior Court of DeKalb County State of Georgia and alleges the tracking code was knowingly configured to collect user data from the website and patient portal, and that the code transmitted data to Facebook, including sensitive health information such as information about patients’ health concerns, appointment details, and treatments. The information was not anonymous, as it was tied to individuals via identifiers such as IP addresses, Facebook IDs, and browser and device information.

The lawsuit alleges that the addition of the tracking code to the website and patient portal, and the subsequent disclosures of protected health information to Facebook, violated the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Healthcare of Atlanta privacy policy. The plaintiff, who filed the lawsuit individually and on behalf of her two children, alleges that at no point was she told that Children’s Healthcare of Atlanta would be sharing her and her children’s data with third parties for profit, did not provide her consent, and was not made aware that the data would be provided to Facebook, which the lawsuit described as, “a company with a sordid history of violating consumer privacy in pursuit of ever-increasing advertising revenue.”

The lawsuit alleges the plaintiff and class members have been harmed by the disclosures, including but not limited to an invasion of their privacy rights, and bring causes for negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and bailment. The lawsuit seeks damages and other relief that the court deems just and proper. The plaintiff and class are represented by attorneys from the law firms Alonso Wirth; Cohen & Malad; Stranch, Jennings & Garvey; and Turke & Strauss.

A lawsuit against Seattle Children’s Hospital (SCH) that made similar allegations with respect to the use of Meta pixel was recently dismissed with prejudice by a Washington court.  Seattle Children’s Hospital successfully argued that it only transmitted anonymous data to third parties, stated disclosures of anonymous data to third parties in its privacy policy, and that it had not added tracking code to its patient portal. SCH said any identifiable information that was disclosed was due to the plaintiffs using browsers that allowed them to be identified, for which they gave their consent.

The post Children’s Healthcare of Atlanta Sued for Disclosing Health Information to Facebook appeared first on HIPAA Journal.

Medicare Data Exposed in Data Breach at Boston Consulting Firm

Posted by Steve Alder

Greylock McKinnon Associates, Inc., (GMA) a Boston consulting firm that provides litigation support, has suffered a data breach affecting 341,650 individuals. According to the GMA breach notice, a security incident was detected on May 30, 2023, with the subsequent forensic investigation revealing it had fallen victim to a sophisticated cyberattack. The exposure of sensitive personal data was detected on February 7, 2024.

The breach included Medicare health insurance claim numbers (which contain Social Security numbers), health insurance information, and medical information along with names, addresses, and dates of birth. GMA said the personal data was obtained by the Department of Justice (DoJ) as part of a civil litigation matter, and that the data was provided to GMA by the DOJ in relation to the litigation support provided by the firm. GMA confirmed that the affected individuals were not the subject of the investigation or the associated litigation, and the DOJ has confirmed that the incident does not affect their current Medicare benefits or coverage. Notification letters were sent to the affected individuals on April 8, 2024, and they have been offered complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services.

Medicare data, medical information, and health insurance information are classed as protected health information under the Health Insurance Portability and Accountability Act (HIPAA), but only if that information is collected, processed, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity. Neither GMA nor the DOJ are HIPAA-covered entities or business associates, so the breached information is not protected under HIPAA.

However, companies such as GMA are required to comply with the Federal Trade Commission (FTC) Act, and the FTC has taken several actions against companies over data breaches in recent months, including the failure to issue prompt notifications, as required by the FTC’s Health Breach Notification Rule. Like the HIPAA Breach Notification Rule, the FTC Health Breach Notification Rule requires individual notification letters to be issued without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security. GMA sent its notification letters 9 months after the security breach was detected, which could see the company investigated by the FTC. GMA is currently facing at least one class action lawsuit over the data breach, which alleges violations of the FTC Act and Health Breach Notification Rule.

The post Medicare Data Exposed in Data Breach at Boston Consulting Firm appeared first on HIPAA Journal.

Healthcare Data Breaches Up 53% from Q1, 2023

Posted by Steve Alder

Data compromises have increased by 90% compared to Q1, 2023, according to the Q1 2024 Data Breach Report from the Identity Theft Resource Center (ITRC). In Q1, 2024, there were 841 publicly reported data compromises, up from 442 compromises in Q1, 2023. While data compromises almost doubled, there was a 72% fall in the number of victims compared to Q1, 2023, and a drop of 81% from the previous quarter, with 24,474,351 individuals known to have been affected by the 841 data breaches.

In Q1, 2023, healthcare was the most attacked industry; however, in Q1, 2024, healthcare dropped to second place (124 notices and more than 6 million records breached), behind financial services (224 notices and more than 18 million records breached). Healthcare data breaches increased by 53% from Q1, 2023 and were up 69.9% from Q1, 2022; however, the number of victims (6,071,259 individuals) in Q1, 2024, were down 57.2% from Q1, 2023 (14,199,413 individuals). Healthcare placed second in the top 10 compromises of Q1, 2024, with a 2.35 million data breach at Medical Management Resource Group (American Vision Partners), behind LoanDepot which had a breach of more than 16 million records; however, healthcare topped the list with 6 of the 10 largest data breaches in the quarter.

The number of organizations impacted by supply chain attacks more than tripled in Q1 2024 compared to Q1, 2024, with 50 new attacks that affected 243 organizations and involved the data of 7.5 million individuals. In Q1, 2023, 73 entities were affected by supply chain attacks and there were 11.4 million victims. Cyberattacks were the biggest cause of data breaches (642 compromises), followed by phishing/smishing/BEC attacks (108 compromises), and system and human error (85 compromises). It is now increasingly common for data breach notices to not provide information about the cause of the breach. In Q1, 2024, 439 compromises did not state the root cause of the breach (52.2%) compared to 166 of the 442 data compromises (37.6%) in Q1, 2023. More than two-thirds of cyberattack-related data breaches included no information about the root cause of the breach.

“The dramatic increase in data compromises continues to concern us,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “However, the decrease in victims impacted is a bit of good news, though still too high. We believe it is due to identity criminals launching more targeted attacks, which differ from tactics used five to ten years ago. With that said, it is critical that businesses and consumers continue to practice good password hygiene and transition to Passkeys when possible.”

The post Healthcare Data Breaches Up 53% from Q1, 2023 appeared first on HIPAA Journal.