Healthcare Phishing Attack Potentially Impacts 16,500 Patients

Phishing is arguably the biggest data security threat faced by healthcare organizations. The past few weeks have seen several attacks reported by healthcare organizations, with the latest healthcare phishing attack one of the most serious, having affected as many as 16,562 patients.

Chase Brexton Health Care reports that the attack occurred on August 2 and August 3, 2017, when multiple phishing emails were delivered to the inboxes of its employees. Phishing attacks commonly take the form of bogus invoices and fake package delivery notifications, although these emails purported to be surveys. After employees completed the surveys they were required to enter their login information. Four employees fell for the scam and divulged their user account credentials.

The phishing attack was discovered on August 4 and access to the employees’ accounts was blocked. However, on August 2 and 3, the accounts of those employees were accessed and the attackers re-routed employee payments to their own bank account.

While the aim of the phishing attack did not appear to be to gain access to patient information, it is possible that some patients’ PHI was viewed and potentially stolen. Chase Brexton Health Care has notified patients of the breach and informed them that PHI access is not suspected, although out of an abundance of caution, patients are being offered complimentary identity theft repair services.

The types of information potentially compromised were limited to names, addresses, dates of birth, patient ID numbers, provider name, diagnosis codes, service location, line of service, visit descriptions, medication details, and insurance information.

The investigation into the attack is continuing, and while details of the attackers’ bank account are known, the individuals responsible for the attack have not been identified. A third party has been contracted to conduct an investigation into the attack.

Aside from blocking access to the compromised accounts by changing passwords, Chase Brexton Health Care has implemented a new email spam filtering solution to improve protection against phishing attacks, staff have received additional training, and new security protocols have been implemented.

The post Healthcare Phishing Attack Potentially Impacts 16,500 Patients appeared first on HIPAA Journal.

Healthcare Data Breaches in September Saw Almost 500K Records Exposed

Protenus has released its Breach Barometer report which shows there was a significant increase in healthcare data breaches in September. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and security incidents tracked by databreaches.net. The latter have yet to appear on the OCR ‘Wall of Shame.’

In total, Protenus/databreaches.net tracked 46 healthcare data breaches in September. While the total number of breach victims has not been confirmed for all incidents, at least 499,144 healthcare records are known to have been exposed or stolen. The number of records exposed or stolen in four of the month’s breaches has yet to be disclosed.

The high number of incidents makes September the second worst month of 2017 for healthcare industry data breaches. Only June was worse, when 52 data breaches were reported. In August, 33 data breaches were reported by healthcare organizations.

The report confirms the worst incident of the month was a ransomware attack that saw the records of 128,000 individuals made inaccessible. It is not known if those records were accessed or stolen.

The main causes of healthcare data breaches in September were hacking (50%) and insiders (32.6%). The hacking total includes extortion attempts by TheDarkOverlord hacking group, ransomware incidents, and malware attacks. Hacking incidents accounted for 80% of breached records for the month – 401,741 records – although figures for 4 of the incidents have not yet been disclosed. The hacking incidents in September included one confirmed ransomware incident, eight extortion attempts, and seven phishing attacks.

The 15 insider incidents resulted in the exposure of 73,926 records. Those incidents included six insider errors and eight instances of insider wrongdoing. Four theft incidents were reported which impacted 17,295 patients.

The breaches occurred at 31 healthcare providers, 6 health plans, 6 business associates of HIPAA-covered entities, and 3 schools, with California the worst affected with 5 incidents.

While most healthcare organizations discovered their data breaches within 6 weeks – the median time for discovery was 38 days – it took one healthcare provider 2108 days to discover that one of its employees had been improperly accessing medical records.

Most healthcare organizations reported their breaches inside the HIPAA Breach Notification Rule deadline of 60 days, although there were two exceptions. One healthcare organization took 249 days to report its breach, risking a significant HIPAA violation penalty.


OCR Reminder on How to Manage HIPAA Privacy Requirements during Emergency Relief Efforts – The National Law Review

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a reminder to its listserv subscribers following the Las Vegas Strip shooting on October 1, 2017, that HIPAA covered entities are permitted to share patient ...
Related: Cybersecurity 2018 – The Year in Preview: HIPAA Compliance (JD Supra, press release)

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information must do so in accordance with the HIPAA Privacy Rule, which limits the permitted uses and disclosures of PHI. Once protected health information has been de-identified, however, the HIPAA Privacy Rule restrictions no longer apply.

HIPAA Privacy Rule restrictions only cover individually identifiable protected health information. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, the data can be freely shared.

The de-identification of protected health information enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating the privacy of patients or requiring authorizations to be obtained from each patient prior to data being disclosed.

HIPAA-Compliant De-identification of Protected Health Information

HIPAA-compliant de-identification of protected health information is possible using two methods: Safe Harbor and Expert Determination. Neither method of de-identification of protected health information will remove all risk of re-identification of patients, but both methods will reduce risk to a very low and acceptable level. Use either of the two methods below and PHI will no longer be considered ‘protected health information’ and will therefore not be subject to HIPAA Privacy Rule restrictions.

1. Safe Harbor – The Removal of Specific Identifiers

The first HIPAA-compliant way to de-identify protected health information is to remove specific identifiers from the data set. The identifiable data that must be removed are:

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates (except year) related to an individual (including admission and discharge dates, birthdate, date of death, all ages over 89 years old, and elements of dates (including year) that are indicative of age)
  • Telephone, cellphone, and fax numbers
  • Email addresses
  • IP addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Device identifiers and serial numbers
  • Certificate/license numbers
  • Account numbers
  • Vehicle identifiers and serial numbers including license plates
  • Website URLs
  • Full face photos and comparable images
  • Biometric identifiers (including finger and voice prints)
  • Any unique identifying numbers, characteristics or codes

In the case of zip codes, covered entities are permitted to use the first three digits provided the geographic unit formed by combining those first three digits contains more than 20,000 individuals. When that geographical unit contains fewer than 20,000 individuals it should be changed to 000. According to the Bureau of the Census, that means 17 zip codes must have the first three digits changed to zero:

036, 059, 063, 102, 203, 556, 692, 790, 821, 823, 830, 831, 878, 879, 884, 890, 893

Covered entities should note that the above list of zip codes may change after future censuses. The list is based on 5-digit zip codes from the 2000 census.

For further information on de-identification of protected health information using the safe harbor method see 45 CFR § 164.514(b)(2).
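The Safe Harbor rules above, applied to a single record, as an added example (not code from HIPAA Journal or HHS). The field names, the sample record and the release year are constructed for the example; the ZIP prefix list, the year-only rule for dates and the over-89 age rule are the ones the text gives.

```python
from datetime import date

# The 17 restricted three-digit ZIP prefixes (2000 census, as quoted in the text).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Direct identifiers that Safe Harbor removes outright (assumed field names).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "email", "ip_address", "ssn", "mrn",
    "health_plan_id", "device_serial", "account_number", "url", "photo",
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless that prefix holds < 20,000 people."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_age(age: int):
    """Ages over 89 identify too narrowly and are suppressed."""
    return None if age > 89 else age


def safe_harbor_deidentify(record: dict, reference_year: int) -> dict:
    """Return a copy of `record` with identifiers removed or generalized."""
    # reference_year is the release year of the data set; it decides whether
    # a birth year on its own would reveal an age over 89.
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field == "age":
            out[field] = generalize_age(value)
        elif field == "dob":
            # Keep only the birth year, and drop even that if it implies age > 89.
            age = reference_year - value.year
            out[field] = None if age > 89 else value.year
        elif isinstance(value, date):
            out[field] = value.year  # admission/discharge/death dates: year only
        else:
            out[field] = value  # clinical content such as diagnosis codes stays
    return out


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-0042", "email": "jane@example.com",
    "zip": "03601", "dob": date(1925, 3, 14), "age": 92,
    "admission_date": date(2017, 8, 2), "diagnosis_code": "E11.9",
}
```

Running `safe_harbor_deidentify(SAMPLE, reference_year=2017)` leaves only the zeroed ZIP prefix, the admission year and the diagnosis code, with the birth year and age suppressed because both point to an age over 89.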

2. Expert Determination

The expert determination method carries a small risk that an individual could be identified, although the risk is so low that it meets HIPAA Privacy Rule requirements.

This method of de-identification of protected health information requires a HIPAA covered entity or business associate to obtain an opinion from a qualified statistical expert that the risk of re-identifying an individual from the data set is very small. In such cases, the methods used to make that determination and justification of the expert’s opinion must be documented and retained by the covered entity or business associate and made available to regulators in the event of an audit or investigation.

The expert must be a person with appropriate knowledge and experience of using generally accepted statistical and scientific principles and methods for removing or altering information to ensure that it is no longer individually identifiable.

When those methods and principles have been applied, the expert must determine that the risk of re-identification of an individual is very small. The risk of re-identification must be very small when the information is used alone, and must remain very small should the data be combined with other reasonably available information by an anticipated recipient to identify an individual who is a subject of the information.

HIPAA does not define the level of risk of re-identification other than to say it should be ‘very small’. The expert should define ‘very small’ in relation to the context of the data set, the specific environment, and the ability of an anticipated recipient to re-identify individuals.

Experts may come from a number of different fields and do not require any specific qualifications. What is important is that experts have experience of de-identifying data. It is that experience that regulators will look at in the event of an audit, not specific qualifications or certifications.

For further information on de-identification of protected health information by expert determination see 45 CFR § 164.514(b)(1).

The U.S. Department of Health and Human Services’ Office for Civil Rights has issued guidance on de-identification of protected health information.


GDPR Requirements for US Companies

A new European data privacy and security law – The General Data Protection Regulation (GDPR) – has been introduced, and while this law applies in Europe, there are also GDPR requirements for US companies, including for organizations in the healthcare sector.

The new law, which has an effective date of May 25, 2018, requires a swathe of protections to be introduced to keep data of EU consumers secure and to protect their privacy. Healthcare organizations are in a good position to comply with GDPR regulations since they are already required to comply with the HIPAA Privacy, Security and Breach Notification Rules. However, being HIPAA compliant is no guarantee that healthcare organizations will not fall afoul of GDPR. GDPR requirements for US companies cover aspects of privacy and security not required for HIPAA compliance.

Why Does GDPR Apply to US Companies?

GDPR is concerned with protecting the privacy of EU citizens and securing their data, so why are there GDPR requirements for US companies? The reason for GDPR is to give data subjects greater control over the information that is collected, stored, and used by others. It doesn’t matter where in the world an entity is located: if that entity does business with EU citizens that involves collecting or processing personal data, it must comply with GDPR. Simply complying with existing data privacy and security regulations in the country in which the entity operates is not sufficient.

GDPR Requirements for US Companies

GDPR naturally applies to multi-national companies that have a base in the EU or do business in the EU, although simply closing an EU base is not sufficient to avoid compliance with GDPR. GDPR is about the data, not where an organization is based.

An organization may decide not to do business with EU citizens to avoid having to comply with GDPR, but even that decision must be implemented correctly. If you maintain a website that uses cookies, and it can be accessed by EU citizens, GDPR applies.

GDPR also applies to organizations of all sizes. It doesn’t matter if you are a small one-person practice or a large organization with thousands of employees. If you collect or process data on EU citizens, GDPR compliance is not optional.

GDPR replaces the EU Data Protection Act of 1998, which placed responsibility only on the data controller, not processors of data. If you processed data for another company (the controller), it was that company that had to comply with past regulations. GDPR applies to both processors and controllers: both parties are now responsible for protecting the privacy rights of EU citizens.

GDPR defines personal data as “Any information relating to an identified or identifiable natural person.” That includes names, addresses, telephone numbers, email addresses, credit card details, financial information, medical information, posts on social media websites, and an individual’s IP address.

The rights afforded to EU citizens and the major GDPR requirements for US companies include:

  • Ensuring data is only collected when there is a legal and lawful reason for doing so.
  • Obtaining consent before personal data is collected, stored, or processed.
  • Obtaining consent from parents or legal guardians before children’s data is collected or processed.
  • Implementing controls to ensure the confidentiality of data is safeguarded.
  • Training employees on the correct handling of personal data.
  • Ensuring EU citizens’ right to be forgotten can be honored and that it is possible to permanently erase all collected data.
  • Ensuring EU citizens are informed about how their information will be collected and used, similar to the Notice of Privacy Practices required by HIPAA.
  • Making sure data transfers across borders occur in accordance with GDPR regulations.
  • Putting data breach notification policies in place to ensure EU citizens receive notifications of a breach of their personal data.
  • It may also be necessary for organizations to appoint a Data Protection Officer. That individual must have a thorough understanding of GDPR requirements for US companies as well as the infrastructure and organization of their company.

What Do US Companies Need To Do Now to Ensure Compliance with GDPR?

  • The GDPR requirements for US companies depend on whether you are a data controller or data processor. Determine whether you are a controller, processor, or both.
  • Ensure you are aware of all data you collect or use, that you know where the data came from, every entity it has been shared with, and every location where it is stored. You must conduct a full audit, which can be a labor intensive and time-consuming process.
  • Determine whether you need to appoint a Data Protection Officer and designate a contact that will liaise with the GDPR supervisory body.
  • Develop consent and disclosure forms covering all possible uses of data.
  • Ensure you can detect, respond, and report on data breaches and have policies in place to notify EU citizens of those breaches.
  • Check your Notice of Privacy Practices and make sure it meets GDPR requirements.
  • Make sure your business associates and their subcontractors are aware of their requirements under GDPR.
  • Check your policies on data retention and make sure they meet GDPR requirements. There is a maximum time limit for the storage of data on EU citizens and data can only be kept until the purpose for which the information has been collected has been achieved.
  • If you transfer data across borders, you must ensure that GDPR requirements are satisfied.

What are the Penalties for Noncompliance with GDPR?

Fail to meet GDPR requirements for US companies and you could be fined by the EU. The penalties for noncompliance with GDPR can be severe. A violation of GDPR can attract a fine of up to 20,000,000 Euros ($23,138,200) or 4% of the company’s annual global turnover, whichever is higher, so for a large company the fine can exceed 20,000,000 Euros. That is far in excess of the penalties for HIPAA violations.

Becoming GDPR Compliant May Not be Straightforward

Since achieving compliance with GDPR may not be straightforward, meeting the May 25 deadline could be difficult, especially for any organization that has yet to develop its compliance program. Forward-thinking companies started their compliance programs soon after the EU directive was finalized, although many firms have yet to begin.

According to figures from PwC, 68% of organizations have committed between $1 million and $10 million to meet GDPR requirements for US companies. 9% of US firms say they have allocated more than $10 million to GDPR compliance.

If you are unsure how GDPR affects your business, whether your compliance program is adequate, or if you don’t know where to start with GDPR compliance, it is strongly advisable to seek advice from compliance experts who can guide you through the process and ensure, come the deadline, your policies, procedures, systems, and data privacy and security practices are up to the standard required by the new EU Directive.
