JD Supra (press release) | HIPAA: Privacy Required, Even When Information Goes Public JD Supra (press release) But these exceptions do not apply under HIPAA's privacy rules. A health plan or health care provider that is subject to HIPAA is not permitted to disclose protected health information (PHI) other than to appropriate persons for permitted purposes, even ... |
Two Day Seminar: HIPAA Compliance 2018 (Salt Lake City, Utah, United States – June 13-14, 2018 … – Press of Atlantic City
Two Day Seminar: HIPAA Compliance 2018 (Salt Lake City, Utah, United States - June 13-14, 2018 ... Press of Atlantic City Although healthcare news and the internet is replete with articles and descriptions of the HIPAA privacy and security regulations, there remain many misconceptions of what these regulations mean to healthcare organizations and what they, and their ... |
Two Day Seminar: HIPAA Compliance 2018 (Salt Lake City, Utah, United States – June 13-14, 2018 … – Odessa American
Two Day Seminar: HIPAA Compliance 2018 (Salt Lake City, Utah, United States - June 13-14, 2018 ... Odessa American Although healthcare news and the internet is replete with articles and descriptions of the HIPAA privacy and security regulations, there remain many misconceptions of what these regulations mean to healthcare organizations and what they, and their ... |
Two Day Seminar: HIPAA Compliance 2018 (Salt Lake City, Utah, United States – June 13-14, 2018 … – Business Wire (press release)
Bristol Herald Courier | Two Day Seminar: HIPAA Compliance 2018 (Salt Lake City, Utah, United States - June 13-14, 2018 ... Business Wire (press release) DUBLIN--(BUSINESS WIRE)--The "HIPAA Compliance 2018" conference has been added to ResearchAndMarkets.com's offering. This two day seminar takes the participants through HIPAA compliance from start to compliance. Although healthcare news and ... Two Day Seminar: HIPAA Compliance 2018 (Salt Lake City, Utah ... |
One Day HIPAA and the Business Associate Seminar (Savannah, United States – June 5th, 2018 … – Business Wire (press release)
One Day HIPAA and the Business Associate Seminar (Savannah, United States - June 5th, 2018 ... Business Wire (press release) The primary goal is to ensure everyone is well educated on what is myth and what is reality with this law, as there is so much misleading information regarding the do's and don'ts with HIPAA. I want to add clarity for Business Associates, and also help ... |
HIPAA Compliance Seminar – Clear, Complete, Step-by-Step (Arlington, VA, United States – June 7-8, 2018 … – Business Wire (press release)
HIPAA Compliance Seminar - Clear, Complete, Step-by-Step (Arlington, VA, United States - June 7-8, 2018 ... Business Wire (press release) But mandatory HIPAA Compliance Audits conducted by the Office for Civil Rights (OCR), the HIPAA enforcement arm of the U.S. Department of Health and Human Services (HHS), found 94% of Covered Entities failed the Risk Management Audit and 87% ... |
Healthcare Data Breach Report: April 2018
April was a particularly bad month for healthcare data breaches with both the number of breaches and the number of individuals impacted by breaches both substantially higher than in March.
There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records.
Healthcare Data Breach Trends
For the past four months, the number of healthcare data breaches reported to OCR has increased month over month.
For the third consecutive month, the number of records exposed in healthcare data breaches has increased.
Causes of Healthcare Data Breaches in April 2018
The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defences have been improved to make it harder for hackers to gain access to healthcare data, there is still a major problem preventing accidental data breaches by insiders and malicious acts by healthcare employees.
Largest Healthcare Data Breaches in April 2018
More than half of the healthcare records exposed in April were the result of a single security incident at the California Department of Developmental Services. Thieves broke into California Department of Developmental Services offices, stole electronic equipment, and started a fire. Digital copies of PHI on the stolen equipment were encrypted and were therefore not exposed. Most of the PHI was in physical form and it does not appear any paperwork was taken by the burglars.
While hacking usually results in the highest number of exposed/stolen records, in April the most serious breaches in terms of the number of individuals affected, were unauthorised access/disclosure incidents. In April there were 11 major breaches involving the theft/exposure of more than 10,000 records.
| Covered Entity | Entity Type | Records Exposed | Breach Type |
| CA Department of Developmental Services | Health Plan | 582,174 | Unauthorized Access/Disclosure |
| Center for Orthopaedic Specialists – Providence Medical Institute (PMI) | Healthcare Provider | 81,550 | Hacking/IT Incident |
| MedWatch LLC | Business Associate | 40,621 | Unauthorized Access/Disclosure |
| Inogen, Inc. | Healthcare Provider | 29,528 | Hacking/IT Incident |
| Capital Digestive Care, Inc. | Healthcare Provider | 17,639 | Unauthorized Access/Disclosure |
| Iowa Health System d/b/a UnityPoint Health | Business Associate | 16,429 | Hacking/IT Incident |
| Knoxville Heart Group, Inc. | Healthcare Provider | 15,995 | Hacking/IT Incident |
| Athens Heart Center, P.C. | Healthcare Provider | 12,158 | Hacking/IT Incident |
| Fondren Orthopedic Group L.L.P. | Healthcare Provider | 11,552 | Unauthorized Access/Disclosure |
| Kansas Department for Aging and Disability Services | Healthcare Provider | 11,000 | Unauthorized Access/Disclosure |
| Carolina Digestive Health Associates, PA | Healthcare Provider | 10,988 | Unauthorized Access/Disclosure |
Location of Breached PHI
One of the main causes of healthcare breaches in April was phishing attacks. There were nine data breaches involving the hacking of email accounts in April. The high number of phishing attacks highlights the need for healthcare organizations to invest in technology to prevent malicious emails from being delivered to employees’ inboxes and to improve security awareness of the workforce.
Data Breaches by Covered Entity
The majority of breaches in April were reported by healthcare providers, followed by health plans and business associates. While five breaches were reported by business associates, there was business associate involvement in at least 11 incidents in April.
Healthcare Data Breaches by State
California is the most populated state and often tops the list for healthcare data breaches, although in April Illinois was the worst affected state with 6 reported breaches. California was second worst with 5 breaches, followed by Texas with 3 breaches.
Florida, Iowa, Kansas, Louisiana, Maryland, Minnesota, North Carolina, New Jersey, Virginia, and Wisconsin each has two breaches reported, while Georgia, Kentucky, Montana, Nebraska, New York, Pennsylvania, and Tennessee each had one reported breach in April.
Financial Penalties for HIPAA Covered Entities
The HHS’ Office for Civil Rights has only issued two financial penalties for HIPAA violations so far in 2018, with no cases resolved since February.
There was one HIPAA violation case resolved by a state attorney general in April. Virtua Medical Group agreed to resolve violations of state and HIPAA laws with the New Jersey attorney general’s office for $417,816.
The breach that triggered the investigation exposed the names, diagnoses, and prescription information of 1,654 New Jersey residents. The information was accessible over the Internet as a result of a misconfigured server.
A Division of Consumer Affairs investigation alleged Virtua Medical Group had failed to conduct a thorough risk analysis and did not implement appropriate security measures to reduce risk to a reasonable and acceptable level.
The post Healthcare Data Breach Report: April 2018 appeared first on HIPAA Journal.
Judge Upholds Doc’s Conviction for Criminal HIPAA Violation – HealthITSecurity.com
HealthITSecurity.com | Judge Upholds Doc's Conviction for Criminal HIPAA Violation HealthITSecurity.com In the motions to reverse her convictions, Luthra argued that there was insufficient evidence to prove that the alleged PHI disclosures were not “permitted” by HIPAA and that the uncorroborated testimony of the Warner Chilcott representative Jose Cid ... |
HIPAA: Privacy Required, Even When Information Goes Public – The National Law Review
HIPAA: Privacy Required, Even When Information Goes Public The National Law Review But these exceptions do not apply under HIPAA's privacy rules. A health plan or health care provider that is subject to HIPAA is not permitted to disclose protected health information (PHI) other than to appropriate persons for permitted purposes, even ... |