HHS waives some HIPAA restrictions in Puerto Rico, Virgin Islands post Hurricane Maria – Becker’s Hospital Review

HHS issued a limited waiver of HIPAA sanctions and penalties in the wake of Hurricane Maria, which HHS Secretary Tom Price, MD, declared a public health emergency in Puerto Rico and the U.S. Virgin Islands Sept. 19. Although the HIPAA Privacy Rule ...

HIPAA Business Associate Data Breach Impacts 21,856 Individuals

The importance of reviewing system activity logs has been underscored by a recent HIPAA business associate data breach.

Nebraska-based CBS Consolidated Inc., doing business as Cornerstone Business & Management Solutions, conducted a routine review of system logs on July 10, 2017, and discovered an unfamiliar account on the server. Closer examination of that account revealed it was being used to download sensitive data from the server, including the protected health information of patients who used its medical supplies.

21,856 patients who received durable medical supplies from the company through their Medicare coverage have potentially been affected. The types of data obtained by the hacker included names, addresses, dates of birth, insurance details, and Social Security numbers. While personal information was exposed, the hacker was not able to obtain details of any medical conditions suffered by patients, nor details of any items purchased or financial information.

It is currently unclear how the account was created, although an investigation into the incident is ongoing. CBS says following the discovery of unauthorized access, the server was isolated and access to data was blocked. Since the incident was discovered, CBS has been carefully monitoring its systems and has uncovered no further evidence of unauthorized access or data theft.

Due to the sensitive nature of data stolen by the hacker, all individuals impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services without charge. CBS is also reviewing its security protections and will be introducing new administrative safeguards, providing additional training to staff members on security, as well as improving technical safeguards to prevent future incidents from occurring.

This is the second worst data breach reported by a HIPAA business associate so far in 2017, behind the 56,000-record breach reported by Enterprise Services LLC in June.

The post HIPAA Business Associate Data Breach Impacts 21,856 Individuals appeared first on HIPAA Journal.

Fall in Healthcare Data Breaches in August: Rise in Breach Severity

Healthcare data breaches have fallen for the second month in a row, according to the latest installment of the Breach Barometer report from Protenus/Databreaches.net. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the reduction in data breaches is encouraging, that is still more than one healthcare data breach per day.

August may have been the second best month of the year to date in terms of the number of reported incidents, but it was the third worst in terms of the number of individuals impacted. 575,142 individuals were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further still, as two incidents were not included in that total because it is not yet known how many individuals have been affected.

The worst incident of the month was reported by Pacific Alliance Medical Center – a ransomware attack that impacted 266,133 patients – one of the worst ransomware incidents of the year to date.

Throughout the year, insider incidents have dominated the breach reports, although in July hacking was the biggest cause of PHI breaches. That trend has continued in August with hackers responsible for 54.5% of all reported data breaches. Those incidents accounted for 95% of all breached patient records in the month. The hacking totals also include phishing and ransomware incidents. There were at least five reported data breaches in August that involved ransomware.

In August, insiders were responsible for 9 incidents – 27.3% of the total – seven of which were insider errors, with two incidents due to insider wrongdoing. 15.2% of breaches were the result of the loss or theft of unencrypted devices containing PHI.

While breaches of electronic protected health information dominated the breach reports, there were six incidents reported that involved physical records, including two mailings in which PHI was visible through the clear plastic windows of the envelopes.

Protenus notes that while healthcare organizations appear to be getting better at discovering data breaches more quickly, the figures for the past two months may be misleading. Alongside the decrease in time taken to identify breaches there has been an increase in hacking incidents, which tend to be discovered faster than insider breaches.

Protenus explains, “For the month of August, time to discover a hacking incident took an average of 26 days (median = 22.5 days), while insider incidents took an average of 209.8 days (median = 115 days),” demonstrating the difficulty healthcare organizations have in detecting insider breaches.

Organizations are reporting breaches to HHS and notifying patients within 60 days of the discovery of a breach on the whole, with only three organizations exceeding the deadline. One of those entities took 177 days from the discovery of the breach to report the incident to HHS. The average time was 53 days and the median time was 58 days.

The breach reports followed a similar pattern to most months, with healthcare providers experiencing the majority of breaches (72%), followed by health plans (18.2%). Business associates reported 3% of breaches and 6% were reported by other entities, including a pharmacy and a private school. Texas was the worst affected state in August with five breaches, followed by California with four, and Ohio and New York with three apiece.

The post Fall in Healthcare Data Breaches in August: Rise in Breach Severity appeared first on HIPAA Journal.

United States: In the Wake Of Harvey And Irma, OCR Reminds Providers Of HIPAA Security Rule – Mondaq News Alerts (registration)

OCR recently published a bulletin during Hurricane Harvey discussing how the HIPAA Privacy Rule applies to sharing protected health information (PHI) during natural disasters. Recirculated while Irma was looming, the guidance document reminds health ...

Fitbit Captivate Conference: Behavioral Economics, HIPAA and More – Workforce Management


HIPAA: Caroline Budde, global chief compliance and privacy officer at Walgreens Boots Alliance, Lauren Krasnodembski, senior counsel regulatory at Cardinal Health, and Lisa Acevedo, shareholder at Polsinelli Law, spoke at a panel about HIPAA and how it ...

United States: In The Wake Of Harvey And Irma, OCR Reminds Providers Of HIPAA Rules – Mondaq News Alerts (registration)

OCR recently published a bulletin during Hurricane Harvey discussing how the HIPAA Privacy Rule applies to sharing protected health information (PHI) during natural disasters. Recirculated while Irma was looming, the guidance document reminds health ...
