Author Archives: HIPAA Journal

Study Indicates Majority of EHR Vendors are Engaging in Information Blocking Practices

Information blocking by electronic health record (EHR) vendors is still highly prevalent, despite recent policymaking that prohibits information blocking practices, according to a recent study published in the Journal of the American Medical Informatics Association (JAMIA).

To identify the extent of the problem, the researchers conducted a national survey of health information exchange organizations (HIEs). HIEs were chosen as they are directly connected to EHR vendors and health systems and are therefore in an ideal position to assess interoperability and data sharing.

86 out of the 106 HIEs that met the qualification criteria responded and answered three questions:

  • How often do EHR vendors and health systems practice information blocking?
  • How are these information blocking practices conducted?
  • What is the impact of local market competitiveness on information blocking behavior?

A majority of HIEs (55%) reported cases of information blocking by EHR vendors at least some of the time and 14% said all EHR vendors engaged in information blocking. 30% of respondents said information blocking occurred with some health systems.

The information blocking practice most common with EHR vendors was setting unreasonably high prices, which was reported by 42% of respondents. The second most common information blocking practice, reported by 23% of respondents, was artificial barriers.

The most common information blocking practice by health systems, reported by 15% of respondents, was refusing to share health information; 10% cited artificial barriers. The researchers found a correlation between information blocking and regional competition among vendors, with some geographic regions experiencing more cases of information blocking: 47% of respondents reported high levels of information blocking by EHR vendors in more competitive developer markets, and 31% reported high levels of information blocking by health systems in competitive markets.

The final interoperability rules issued by the HHS’ Office of the National Coordinator for Health Information Technology (ONC) prohibit intentional information blocking. “As enforcement of the new regulations begins, surveillance of stakeholders with knowledge of information blocking, including HIEs, will be critical to identify where reductions occur, where information blocking practices persist, and how best to target continued efforts,” suggested the researchers.

The findings of the study mirror a previous study in 2016, with the results of both serving as a baseline against which information blocking can be measured in the future.

“Given persistently high levels of information blocking reported by knowledgeable actors, our findings support the importance of defining and addressing it through the planned implementation of the final regulation, definition of penalties, and enforcement for those found to engage in information blocking,” wrote the researchers. “Our findings also provide insight into how enforcement efforts might be targeted and one useful approach to monitoring their effectiveness.”

The post Study Indicates Majority of EHR Vendors are Engaging in Information Blocking Practices appeared first on HIPAA Journal.

Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS

The Biden administration has appointed Micky Tripathi as the National Coordinator for Health IT at the Department of Health and Human Services (HHS).

Tripathi will head the Office of the National Coordinator for Health IT, which is tasked with coordinating efforts to implement advanced health information technology to ensure the secure exchange of health information. The ONC is currently overseeing efforts to provide Americans with easy access to their health records through their smartphones and is implementing 21st Century Cures Act provisions that promote health IT interoperability and prohibit information blocking.

Tripathi has a wealth of experience in secure health information exchange and is well aware of the current interoperability issues in the healthcare industry. Prior to joining the ONC, Tripathi was most recently the chief alliance officer at the healthcare analytics and software company Arcadia, where he was responsible for developing partnerships to enhance healthcare with advanced information technology.

Tripathi has also served as a manager at the strategy and management consulting firm Boston Consulting Group (BCG) and as CEO of the Massachusetts eHealth Collaborative, was the founding president and CEO of the Indiana Health Information Exchange, and has served on the boards of the HL7 FHIR Foundation, Datica, Sequoia Project, CommonWell Health Alliance, and the CARIN Alliance.

“I can personally attest to Micky’s industry-wide leadership on healthcare interoperability and to his vision for the value that shared, timely, and accurate data provides for improving healthcare delivery and reducing costs. No one is better suited for this absolutely critical mission,” said Sean Carroll, CEO, Arcadia.

Tripathi replaces Donald Rucker, M.D., a Trump administration appointee who held the position for the previous 4 years.

The HHS has also confirmed that Robinsue Frohboese has taken on the role of Acting Director of the HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance. Frohboese previously served as principal deputy director of OCR and takes over from acting director March Bell, who replaced the former OCR Director Roger Severino on January 15, 2020.

Frohboese has played a key role in many civil rights initiatives and OCR’s implementation of the HIPAA Privacy Rule.

Prior to taking on the role of principal deputy at OCR, Frohboese worked for 17 years in the Special Litigation Section of the Civil Rights Division of the U.S. Department of Justice, first as Senior Trial Attorney and subsequently as Deputy Chief.


HIPAA Enforcement by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules.

The Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules, and to obtain damages on behalf of those residents.

The Connecticut Attorney General was the first to exercise this right, in 2010, against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and for delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000.

HIPAA cases brought by state attorneys general were relatively rare, with only 11 settlements reached with covered entities and business associates to resolve HIPAA violations between 2010 and 2015. Enforcement by state attorneys general was stepped up in 2017, with 5 settlements, and again in 2018, when 12 cases resulted in financial penalties for violations of the HIPAA Rules.

In 2019 and 2020, a total of 5 cases resulted in financial penalties. Although fewer in number, those penalties have been sizeable, and four of the five cases were multistate actions against HIPAA covered entities and business associates in which several state attorneys general participated. Multistate actions allow state attorneys general to pool their resources and investigate potential violations of HIPAA and state laws more efficiently.

When civil actions are brought against covered entities or business associates by state Attorneys General, they are separate from any Office for Civil Rights actions.

Several data breaches have resulted in settlements being reached at both the federal and state level. Community Health Systems/CHSPSC, Anthem Inc., Premera Blue Cross, Aetna, Cottage Health System, University of Rochester Medical Center, and Medical Informatics Engineering have all settled cases with OCR and state attorneys general to resolve potential HIPAA violations.

In many of the state AG enforcement actions below, the financial penalties resolve violations of both federal (HIPAA) and state laws. In several cases over the years, HIPAA Rules were violated but the decision was taken to bring actions for violations of equivalent provisions in state law.

HIPAA Enforcement by State Attorneys General in 2020

| Year | State | Entity | Amount | Individuals affected | Reason for investigation | Findings |
|---|---|---|---|---|---|---|
| 2020 | Multistate (28 states) | Community Health Systems / CHSPSC LLC | $5,000,000 | 6.1 million | Hacked by Chinese APT group | Failure to implement and maintain reasonable security practices |
| 2020 | Multistate (43 states) | Anthem Inc | $39.5 million | 78.8 million | Phishing attack and major data breach | Multiple violations of HIPAA and state laws |
| 2020 | California | Anthem Inc | $8.7 million | 78.8 million | Phishing attack and major data breach | Multiple violations of HIPAA and state laws |

HIPAA Enforcement by State Attorneys General in 2019

| Year | State | Entity | Amount | Individuals affected | Reason for investigation | Findings |
|---|---|---|---|---|---|---|
| 2019 | Multistate (30 states) | Premera Blue Cross | $10,000,000 | 10.4 million | Hacking incident and major data breach | Multiple violations of HIPAA and state laws |
| 2019 | Multistate (16 states) | Medical Informatics Engineering | $900,000 | 3.5 million | Breach of NoMoreClipboard data | Multiple violations of HIPAA and state laws |
| 2019 | California | Aetna | $935,000 | 1,991 | 2 mailings exposed PHI (Afib, HIV) | Impermissible disclosure of sensitive health information |

HIPAA Enforcement by State Attorneys General in 2018

| Year | State | Entity | Amount | Individuals affected | Reason for investigation | Findings |
|---|---|---|---|---|---|---|
| 2018 | Massachusetts | McLean Hospital | $75,000 | 1,500 | Loss of backup tapes | Insufficient risk assessment, failure to encrypt data, delayed breach notifications |
| 2018 | New Jersey | EmblemHealth | $100,000 | 6,443 (81,000) | Mailing error exposed SSNs | Impermissible disclosure of PHI / lack of staff training |
| 2018 | New Jersey | Best Transcription Medical | $200,000 | 1,650 | Exposure of ePHI on Internet | Risk assessment and risk management failure, breach notification failure |
| 2018 | Multistate (CT, NJ, DC) | Aetna | $640,170.59 | 13,160 | 2 mailings exposed PHI (Afib, HIV) | Impermissible disclosure of sensitive health information |
| 2018 | Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Multiple data breaches | Failure to secure ePHI |
| 2018 | New York | Arc of Erie County | $200,000 | 3,751 | Exposure of ePHI on Internet | Failure to secure ePHI |
| 2018 | New Jersey | Virtua Medical Group | $417,816 | 1,654 | Exposure of ePHI on Internet | Multiple violations of the HIPAA Rules |
| 2018 | New York | EmblemHealth | $575,000 | 81,122 | Mailing error exposed SSNs | Impermissible disclosure of PHI / lack of staff training |
| 2018 | New York | Aetna | $1,150,000 | 12,000 | 2 mailings exposed PHI (Afib, HIV) | Impermissible disclosure of sensitive health information |

HIPAA Enforcement by State Attorneys General in 2017

| Year | State | Entity | Amount | Individuals affected | Reason for investigation | Findings |
|---|---|---|---|---|---|---|
| 2017 | California | Cottage Health System | $2,000,000 | More than 54,000 | Exposure of PHI on Internet | Failure to safeguard personal information |
| 2017 | Massachusetts | Multi-State Billing Services | $100,000 | 2,600 | Theft of unencrypted laptop computer | Failure to safeguard personal information |
| 2017 | New Jersey | Horizon Healthcare Services Inc | $1,100,000 | 3.7 million | Theft of 2 unencrypted laptop computers | Failure to safeguard personal information |
| 2017 | Vermont | SAManage USA, Inc. | $264,000 | 660 | Exposure of PHI on Internet | Failure to secure ePHI / breach notification failure |
| 2017 | New York | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Delayed breach notification | Violation of breach notification requirements |

HIPAA Enforcement by State Attorneys General (2010-2016)

| Year | State | Entity | Amount | Individuals affected | Reason for investigation | Findings |
|---|---|---|---|---|---|---|
| 2015 | New York | University of Rochester Medical Center | $15,000 | 3,403 | List of patients provided to nurse who took it to a new employer | Impermissible disclosure of ePHI |
| 2015 | Connecticut | Hartford Hospital / EMC Corporation | $90,000 | 8,883 | Theft of unencrypted laptop containing PHI | Lack of business associate agreement / failure to encrypt ePHI |
| 2014 | Massachusetts | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Loss of backup tapes containing PHI | Failure to safeguard ePHI / lack of staff training |
| 2014 | Massachusetts | Boston Children’s Hospital | $40,000 | 2,159 | Loss of laptop containing PHI | Failure to encrypt ePHI |
| 2014 | Massachusetts | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Loss of laptop containing PHI | Failure to encrypt ePHI |
| 2013 | Massachusetts | Goldthwait Associates | $140,000 | 67,000 | Mishandling of PHI | Improper disposal of PHI |
| 2012 | Minnesota | Accretive Health | $2,500,000 | 24,000 | Mishandling of PHI | Failure to safeguard PHI |
| 2012 | Massachusetts | South Shore Hospital | $750,000 | 800,000 | Loss of backup tapes containing PHI | Failure to safeguard PHI |
| 2011 | Vermont | Health Net Inc. | $55,000 | 1,500,000 | Loss of unencrypted hard drive / delayed breach notifications | Failure to safeguard PHI / violation of breach notification requirements |
| 2011 | Indiana | WellPoint Inc. | $100,000 | 32,000 | Failure to report breach in a reasonable timeframe | Violation of breach notification requirements |
| 2010 | Connecticut | Health Net Inc. | $250,000 | 1,500,000 | Loss of unencrypted hard drive | Failure to safeguard PHI / violation of breach notification requirements |


Data Breaches Reported by Gainwell Technologies, TaylorMade Diagnostics, and Mattapan Community Health Center

Gainwell Technologies has discovered unauthorized individuals have potentially accessed the information of certain participants of Wisconsin’s Medicaid program, which was stored in emails and email attachments in a compromised account.

Access to the email account was first gained on October 29, 2020 and continued until November 16, 2020. The account contained information such as names, member ID numbers, and billing codes for services. Approximately 1,200 Wisconsin Medicaid members have been affected. Affected individuals have been offered a 1-year complimentary membership to credit monitoring services.

Gainwell provides fiscal-agent services for the Wisconsin Department of Health Services (DHS) Medicaid Program. Since the breach occurred, the DHS and Gainwell have worked together to prevent similar breaches in the future.

This is the second incident reported as having affected Gainwell in recent weeks. Gainwell operates the Medicaid Management Information System used by the Tennessee state Medicaid health plan, TennCare. Gainwell discovered that an error at a mailing vendor resulted in mailings being sent to incorrect addresses between 2019 and 2020. The two incidents are not related.

Email Account Breach Reported by Mattapan Community Health Center

Mattapan Community Health Center (MCHC) is notifying 4,075 patients that some of their protected health information was contained in an email account that was accessed by unauthorized individuals.

Unusual email account activity was detected on October 16, 2020. Assisted by a third-party computer forensics firm, MCHC determined the email account was compromised on July 28, 2020. Through a manual and programmatic review of the email account, MCHC determined the following information may have been accessed by unauthorized individuals: Names, Social Security numbers, medical diagnoses, treatment information, provider information, health insurance information, and/or medical record numbers.

Additional security measures have now been implemented to prevent further email security breaches.

Conti Ransomware Gang Leaks Data Stolen in Attack on TaylorMade Diagnostics

Chesapeake, VA-based TaylorMade Diagnostics, an operator of occupational health clinics used by transportation companies and government agencies, has suffered a ransomware attack that has resulted in workers’ health data being leaked online.

Approximately 3,000 files stolen by the ransomware gang prior to file encryption have been published on a darknet leak site operated by the Conti ransomware gang. The leaked data relates to employees of TaylorMade Diagnostics clients, including the United Parcel Service and Norfolk Southern Railroad, and includes details of medical examinations, drug and alcohol testing reports, full names, Social Security numbers, and scans of driver’s licenses.

Hendrick Health Provides Update on November 2020 Ransomware Attack

Hendrick Health has provided further information on a ransomware attack that forced it to adopt EHR downtime procedures in November 2020. The attack was detected on November 20, 2020 and steps were immediately taken to contain the attack. The investigation into the incident has revealed the attackers first gained access to its systems on October 10, 2020 and potentially viewed or obtained patient information between that date and November 9, 2020.

The types of data that may have been accessed included patients’ names, Social Security numbers, demographic data, and other information related to the care provided by Hendrick Health. The incident only affected patients who had previously received medical services at Hendrick Medical Center or the Hendrick Clinic. The locations at Hendrick Medical Center Brownwood and Hendrick Medical Center South were not affected.

The ePHI of 640,436 patients was stored on the compromised systems. Data security measures and system monitoring have now been strengthened and new features have now been added to its security alert software.


At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft.

The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year.

In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities.

These attacks have caused significant financial harm, and in some cases the disruption has had life-threatening consequences. Healthcare services have had to be suspended, ambulances have been redirected to alternative facilities, 911 services have been interrupted, medical appointments have been postponed, and test results have been delayed. “The fact that there were no ransomware-related deaths in the US last year was simply due to good luck. Security needs to be bolstered across the public sector before that luck runs out and lives are lost,” said Fabian Wosar, CTO, Emsisoft.

One of the most damaging attacks was on Universal Health Services, a health system that operates more than 400 hospitals and healthcare facilities in the United States. The attack affected all its locations and caused considerable disruption. An attack on the University of Vermont Health Network forced systems offline, including its EHR system. Several hospital systems remained out of action for several weeks after the attack. The ransomware attack cost the health system around $1.5 million a day in additional expenses and lost revenue while it recovered. “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover,” said Gus Genter, CIO, Winnebago County, who was quoted in the report.

It has become increasingly common for ransomware threat actors to steal sensitive data prior to file encryption and for threats to be issued to publish or sell the stolen data if the ransom is not paid. This tactic was first adopted by the Maze ransomware gang, but many other threat groups have now adopted the same tactic. Emsisoft said only the Maze ransomware gang was exfiltrating data prior to file encryption at the start of 2020, but now at least 17 other threat groups are stealing data and publishing it on leak sites if the ransom is not paid.

In some cases, even payment of the ransom does not guarantee the stolen data will be deleted. Several ransomware gangs, including Sodinokibi (REvil), Netwalker, and Mespinoza are known to have leaked stolen data even after the ransom was paid.

Emsisoft notes that in the first half of 2020, only one of the 60 ransomware attacks on federal, state, county, and municipal governments and agencies resulted in stolen data being leaked; however, in the second half of the year, 23 out of the 53 attacks saw stolen data released on leak sites. At least 12 healthcare organizations that were attacked with ransomware had sensitive data stolen and leaked online.

2020 was clearly a bad year, but there is little to suggest 2021 will be any better. Ransomware attacks are likely to continue at pace and may even increase. “Unless significant action is taken, we anticipate 2021 being another banner year for cybercriminals,” explained Emsisoft in the report.


HHS Makes $20 Million Available to Expand COVID-19 Vaccine Information Sharing

The U.S. Department of Health and Human Services has made $20 million available to improve data sharing between health information exchanges (HIEs) and immunization information systems.

The money comes from the Coronavirus Aid, Relief, and Economic Security (CARES) Act fund, signed into law by President Trump on March 27, 2020, and supports vaccination efforts to fight the COVID-19 pandemic.

The investment expands the Office of the National Coordinator for Health Information Technology (ONC)’s Strengthening the Technical Advancement and Readiness of Public Health Agencies via Health Information Exchange (STAR HIE) Program and will help communities improve health information sharing related to COVID-19 vaccinations.

Public health agencies will be able to receive additional help to track and identify individuals who have not yet received a second dose of the COVID-19 vaccine and the additional investment will help clinicians identify and contact high risk individuals who have not yet received their first vaccination.

The additional investment will be spread across the country and will be used to support communities that have been hit particularly hard by COVID-19. The HHS will also be awarding funds to the Association of State and Territorial Health Officials (ASTHO) and the Colorado Regional Health Information Organization (CORHIO) to improve HIE immunization collaborations.

“These CARES Act funds will allow clinicians to better access information about their patients from their community immunization registries by using the resources of their local health information exchanges,” said Don Rucker, MD, national coordinator for health information technology. “Through these collaborative efforts public health agencies and clinicians will be better equipped to more effectively administer immunizations to at-risk patients, understand adverse events, and better track long-term health outcomes as more Americans are vaccinated.”

The success of vaccination programs depends on correctly identifying patients and ensuring that patients receive two doses of the correct vaccine. That means providers, pharmacists, and public health officials will need access to patient data and vaccine records. Effective data exchange and patient matching will also help to provide insights into the effectiveness of the vaccines and to track long-term health outcomes. STAR HIE intends to provide statistics to measure vaccination outcomes.

There are approximately 100 HIEs in the United States, which reach around 92% of Americans, and 63 immunization information systems: one in each state, 8 in territories, and five in cities. The immunization information systems are funded, in part, by the Centers for Disease Control and Prevention’s National Center for Immunization and Respiratory Diseases (NCIRD).


OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

The Department of Health and Human Services’ Office for Civil Rights has announced it will be exercising enforcement discretion and will not impose financial penalties on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID-19 vaccinations.

The notice of enforcement discretion applies to the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The notification is effective immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 nationwide public health emergency.

A WBSA is a non-public facing online or web-based application that allows individual appointments to be scheduled in connection with large scale COVID-19 vaccination. The purpose of a WBSA is to allow covered healthcare providers to rapidly schedule large numbers of appointments for COVID-19 vaccinations.

A WBSA, and the data created, received, maintained, or transmitted by the WBSA, should only be accessible to the intended parties, such as the healthcare provider or pharmacy providing the vaccinations, an authorized person scheduling appointments, or a WBSA workforce member that requires access to the solution and/or data for providing technical support.

The notice of enforcement discretion does not apply to an appointment scheduling application that connects directly to electronic health record (EHR) systems.

A WBSA may not meet all requirements of the HIPAA Rules and would therefore not be permitted for use in connection with electronic protected health information (ePHI) under normal circumstances. It is also possible that the vendor of a WBSA may not be aware that their solution is being used by healthcare providers in connection with ePHI, which would see the vendor classified as a business associate under HIPAA.

While the notice of enforcement discretion is in effect, OCR will not impose penalties against HIPAA covered entities, their business associates, and WBSA vendors that meet the definition of business associate under the HIPAA Rules for good faith uses of WBSAs for scheduling COVID-19 vaccination appointments.

While penalties will not be imposed, OCR encourages the use of reasonable safeguards to protect the privacy of individuals and the security of ePHI. That means the ePHI collected and entered into the WBSA should be limited to the minimum necessary information, encryption technology should be used if available, and all privacy settings should be enabled. That includes adjusting the calendar display to hide names or only show initials. If a vendor stores ePHI, the storage should only be temporary and ePHI should be destroyed no later than 30 days after the appointment. The WBSA vendor should be instructed not to disclose any ePHI in a manner inconsistent with the HIPAA Rules.

These reasonable safeguards are encouraged by OCR. “Failure to implement the recommended reasonable safeguards above will not, in itself, cause OCR to determine that a covered health care provider or its business associate failed to act in good faith for purposes of this Notification,” explained OCR in the notification.

Bad faith uses that are not covered by the notification include:

  1. Use of a WBSA where the vendor prohibits its use for scheduling healthcare services.
  2. Using the WBSA for scheduling appointments other than COVID-19 vaccinations.
  3. Using a solution that does not have access controls to limit access to ePHI to authorized individuals.
  4. Screening individuals for COVID-19 prior to in-person healthcare visits.
  5. Use of public-facing WBSAs.

“OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible,” said March Bell, Acting OCR Director.


2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website.

In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities – 25% more than in 2019, which was also a record-breaking year.

More than twice as many data breaches are now being reported as 6 years ago, and three times as many as in 2010.

Key Takeaways

  • 25% year-over-year increase in healthcare data breaches.
  • Healthcare data breaches have doubled since 2014.
  • 642 healthcare data breaches of 500 or more records were reported in 2020.
  • 1.76 data breaches of 500 or more healthcare records were reported each day in 2020.
  • 2020 saw more than 29 million healthcare records breached.
  • One breach involved more than 10 million records and 63 saw more than 100K records breached.
  • Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records.
  • 3,705 data breaches of 500 or more records have been reported since October 2009.
  • 266.78 million healthcare records have been breached since October 2009.

U.S. Healthcare Data Breaches 2009 to 2020

2020 was the third worst year in terms of the number of breached healthcare records, with 29,298,012 records reported as having been exposed or impermissibly disclosed in 2020. While that is an alarming number of records, it is 29.71% fewer than in 2019. 266.78 million healthcare records have been breached since October 2009 across 3,705 reported data breaches of 500 or more records.

[Figure: U.S. healthcare data breaches, exposed records 2009-2020]

The Largest Healthcare Data Breaches in 2020

The largest healthcare data breach of 2020 was a ransomware attack on the cloud service provider Blackbaud Inc. The actual number of records exposed and obtained by the hackers has not been made public, but more than 100 of Blackbaud’s healthcare clients were affected and more than 10 million records are known to have been compromised. The breach does not appear on the OCR breach portal as a single entry, because each affected entity has reported the breach separately.

Prior to deploying ransomware, the hackers stole the fundraising and donor databases of many of Blackbaud’s clients, which included information such as names, contact information, dates of birth, and some clinical information. Victims included Trinity Health (3.3 million records), Inova Health System (1 million records), and Northern Light Health Foundation (657,392 records).

The Florida-based business associate MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, experienced the largest phishing attack of the year. Hackers gained access to its Office 365 environment and potentially obtained the ePHI of 1,290,670 individuals, including Social Security numbers, driver’s license numbers, and health insurance and financial information.

Magellan Health’s million-record data breach also started with a phishing email and ended with ransomware being deployed. The breach affected several of its affiliated entities and potentially saw patient information stolen.

Dental Care Alliance, a dental support organization with more than 320 affiliated dental practices across 20 states, had its systems hacked and the dental records of more than 1 million individuals were potentially stolen.

63 security incidents were reported in 2020 by HIPAA-covered entities and business associates that involved 100,000 or more healthcare records.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
Trinity Health | Business Associate | 3,320,726 | Hacking/IT Incident
MEDNAX Services, Inc. | Business Associate | 1,290,670 | Hacking/IT Incident
Inova Health System | Healthcare Provider | 1,045,270 | Hacking/IT Incident
Magellan Health Inc. | Health Plan | 1,013,956 | Hacking/IT Incident
Dental Care Alliance, LLC | Business Associate | 1,004,304 | Hacking/IT Incident
Luxottica of America Inc. | Business Associate | 829,454 | Hacking/IT Incident
Northern Light Health | Business Associate | 657,392 | Hacking/IT Incident
Health Share of Oregon | Health Plan | 654,362 | Theft
Florida Orthopaedic Institute | Healthcare Provider | 640,000 | Hacking/IT Incident
Elkhart Emergency Physicians, Inc. | Healthcare Provider | 550,000 | Improper Disposal
Aetna ACE | Health Plan | 484,157 | Hacking/IT Incident
Saint Luke’s Foundation | Healthcare Provider | 360,212 | Hacking/IT Incident
NorthShore University HealthSystem | Healthcare Provider | 348,746 | Hacking/IT Incident
SCL Health – Colorado | Healthcare Provider | 343,493 | Hacking/IT Incident
AdventHealth | Healthcare Provider | 315,811 | Hacking/IT Incident
Nuvance Health | Healthcare Provider | 314,829 | Hacking/IT Incident
Magellan Rx Management | Business Associate | 314,704 | Hacking/IT Incident
The Baton Rouge Clinic | Healthcare Provider | 308,169 | Hacking/IT Incident
Allegheny Health Network | Healthcare Provider | 299,507 | Hacking/IT Incident
Northeast Radiology | Healthcare Provider | 298,532 | Hacking/IT Incident

Main Causes of 2020 Healthcare Data Breaches

Hacking and other IT incidents dominated the healthcare data breach reports in 2020. 429 hacking/IT-related data breaches were reported in 2020, which account for 66.82% of all reported breaches and 91.99% of all breached records. These incidents include exploitation of vulnerabilities and phishing, malware, and ransomware attacks, with the latter having increased considerably in recent months.

causes of 2020 healthcare data breaches

A recent report from Check Point revealed there was a 71% increase in ransomware attacks on healthcare providers in October, and a further 45% increase in healthcare cyberattacks in the last two months of 2020. Some of the year’s largest and most damaging breaches to affect the healthcare industry in 2020 involved ransomware. In many cases, systems were taken out of action for weeks and patient services were affected. Ryuk, Sodinokibi (REvil), Conti, and Egregor ransomware have been the main culprits, with the healthcare industry heavily targeted during the pandemic.

Unauthorized access/disclosure incidents accounted for 22.27% of the year’s breaches and 2.69% of breached records. These incidents include the accessing of healthcare records by malicious insiders, snooping on medical records by healthcare workers, accidental disclosures of PHI to unauthorized individuals, and human error that exposes patient data.

Breach Type | Number of Breaches | Records Breached | Mean Records Breached | Median Records Breached
Hacking/IT Incident | 429 | 26,949,956 | 62,820 | 8,000
Unauthorized Access/Disclosure | 143 | 787,015 | 5,504 | 1,713
Theft | 39 | 806,552 | 20,681 | 1,319
Improper Disposal | 16 | 584,980 | 36,561 | 1,038
Loss | 15 | 169,509 | 11,301 | 2,298

Location of Breached Protected Health Information

The increased use of encryption and of cloud services for storing data has helped to reduce the number of loss/theft incidents, which used to account for the majority of reported breaches. Phishing attacks are still a leading cause of data breaches in healthcare and are often the first step in a multi-stage attack that sees malware or ransomware deployed.

Email account breaches were reported at a rate of more than 1 every two days in 2020, but email-related breaches took second spot this year behind breaches of network servers. Network servers often store large amounts of patient data and are a prime target for hackers and ransomware gangs.

While the majority of healthcare data breaches have involved electronic protected health information, a significant percentage of breaches in 2020 involved paper/film copies of protected health information which were obtained by unauthorized individuals, lost, or disposed of in an insecure manner.

Location of compromised data in healthcare data breaches 2020

Which Entities Suffered the Most Data Breaches in 2020?

The pie chart below shows the breakdown of HIPAA covered entities affected by data breaches of 500 or more records in 2020. Healthcare providers suffered the most breaches with 497 reported incidents. Business associates reported 73 data breaches, but it should be noted that in many cases a breach was experienced at the business associate, but the incident was reported by the covered entities affected. In total, 258 of the year’s breaches had some business associate involvement, which is 40.19% of all breaches. There were 70 breaches reported by health plans, and 2 breaches reported by healthcare clearinghouses.
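The breach-type statistics above (count, total records, mean and median per category) and the business associate involvement figures are the kind of summary that can be derived directly from the OCR breach portal export. The script below is an added example, not part of the original report or of HIPAA Journal’s own tooling. It assumes the export is a CSV whose columns match the table headings used on this page plus a "Business Associate Present" column; the sample rows are constructed for illustration and are not the 2020 dataset.

```python
"""Summarise an OCR breach-portal style CSV by breach type and business associate involvement."""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample in the layout of an OCR breach portal export. The column names are an
# assumption made for this example; the figures are illustrative, not the 2020 data.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Type of Breach,Business Associate Present
Example Hospital A,CA,Healthcare Provider,8000,Hacking/IT Incident,No
Example Billing Vendor,FL,Business Associate,1290670,Hacking/IT Incident,Yes
Example Health Plan,TX,Health Plan,1713,Unauthorized Access/Disclosure,No
Example Clinic B,NY,Healthcare Provider,640000,Hacking/IT Incident,Yes
Example Clinic C,PA,Healthcare Provider,1319,Theft,No
Example Practice D,OH,Healthcare Provider,550000,Improper Disposal,Yes
Example Hospital E,IL,Healthcare Provider,2298,Loss,No
"""


def load_breaches(text):
    """Parse CSV text into a list of row dicts, coercing the affected count to an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # The portal sometimes renders counts with thousands separators; strip them.
        row["Individuals Affected"] = int(row["Individuals Affected"].replace(",", ""))
        rows.append(row)
    return rows


def summarize_by_type(rows):
    """Return {breach_type: {count, records, mean, median, pct_breaches, pct_records}}.

    pct_breaches and pct_records are the category's share of all breaches and of all
    breached records, which is how the report states e.g. '66.82% of breaches'.
    """
    sizes = defaultdict(list)
    for row in rows:
        sizes[row["Type of Breach"]].append(row["Individuals Affected"])
    total_breaches = len(rows)
    total_records = sum(r["Individuals Affected"] for r in rows)
    summary = {}
    for btype, counts in sizes.items():
        summary[btype] = {
            "count": len(counts),
            "records": sum(counts),
            "mean": round(statistics.mean(counts)),
            "median": statistics.median(counts),
            "pct_breaches": round(100 * len(counts) / total_breaches, 2),
            "pct_records": round(100 * sum(counts) / total_records, 2),
        }
    return summary


def business_associate_involvement(rows):
    """Distinguish breaches *reported by* a BA from breaches where a BA was *involved*.

    The report notes that a breach experienced at a BA is often reported by the covered
    entity, so the second figure is the one that reflects supply-chain exposure.
    """
    reported_by_ba = sum(1 for r in rows if r["Covered Entity Type"] == "Business Associate")
    ba_present = sum(1 for r in rows if r["Business Associate Present"].strip().lower() == "yes")
    return {
        "reported_by_ba": reported_by_ba,
        "ba_present": ba_present,
        "pct_ba_present": round(100 * ba_present / len(rows), 2),
    }


if __name__ == "__main__":
    breaches = load_breaches(SAMPLE_CSV)
    print(f"{'Breach Type':32} {'Count':>5} {'Records':>10} {'Mean':>9} {'Median':>9}")
    for btype, s in sorted(summarize_by_type(breaches).items(), key=lambda kv: -kv[1]["records"]):
        print(f"{btype:32} {s['count']:>5} {s['records']:>10,} {s['mean']:>9,} {s['median']:>9,}")
    print(business_associate_involvement(breaches))
```

To run it against the real export, replace `SAMPLE_CSV` with the file contents downloaded from the OCR breach portal and check that the column headings match before trusting the totals; a renamed column will raise a `KeyError` rather than silently skewing the figures.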

2020 healthcare data breaches in the United States by Entity type

2020 Healthcare Data Breaches by State

No healthcare data breaches of 500 or more records were reported in 2020 by entities based in South Dakota, Vermont, or Wyoming, but breaches were reported by entities based in every other state and the District of Columbia.

California was the worst affected state with 51 breaches, followed by Florida and Texas with 44, New York with 43, and Pennsylvania with 39.

State No. Breaches State No. Breaches State No. Breaches State No. Breaches
California 51 Virginia 18 New Jersey 9 Kansas 3
Florida 44 Indiana 17 South Carolina 9 Nebraska 3
Texas 44 Massachusetts 17 Washington 9 West Virginia 3
New York 43 Maryland 16 Delaware 8 District of Columbia 2
Pennsylvania 39 North Carolina 16 Utah 8 Idaho 2
Ohio 27 Colorado 14 Louisiana 6 Nevada 2
Iowa 26 Missouri 14 Maine 6 Oklahoma 2
Michigan 21 Arizona 12 New Mexico 6 Mississippi 1
Georgia 20 Arkansas 12 Oregon 5 Montana 1
Illinois 20 Kentucky 12 Hawaii 4 New Hampshire 1
Minnesota 20 Wisconsin 12 Alabama 3 North Dakota 1
Connecticut 19 Tennessee 10 Alaska 3 Rhode Island 1

HHS HIPAA Enforcement in 2020

2020 was a busy year in terms of HIPAA enforcement. The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, conducted 19 HIPAA compliance investigations that resulted in financial penalties. More penalties were agreed with HIPAA covered entities and business associates in 2020 than in any other year since OCR started enforcing HIPAA compliance. $13,554,900 was paid in penalties across the 19 cases.

It can take several years from the start of an investigation before a financial penalty is levied. Some of the largest settlements of the year date back to breaches that were experienced in 2015 or earlier; however, the large increase in financial penalties in 2020 is largely due to a HIPAA enforcement drive launched by OCR in late 2019 to tackle noncompliance with the HIPAA Right of Access. There were 11 settlements reached with healthcare providers in 2020 to resolve cases where individuals were not provided with timely access to their medical records.

You can view a summary of OCR’s 2020 HIPAA enforcement actions in this post.

State AG HIPAA Enforcement in 2020

OCR is not the only enforcer of HIPAA compliance. State attorneys general also have the authority to take action against entities found not to be in compliance with the HIPAA Rules, and there has been a trend for them to work together and pool resources in their legal actions for noncompliance. In 2020, two multi-state actions were settled with HIPAA covered entities/business associates to resolve violations of the HIPAA Rules.

The health insurer Anthem Inc. settled a case that stemmed from its 78.8 million-record data breach in 2015 and paid financial penalties totaling $48.2 million to resolve multiple potential violations of HIPAA and state laws.

CHSPSC LLC, a Tennessee-based management company that provides services to subsidiary hospital operator companies and other affiliates of Community Health Systems, also settled a multi-state action and paid a financial penalty of $5 million to resolve alleged HIPAA violations. The case stemmed from a 2014 data breach that saw the ePHI of 6,121,158 individuals stolen by hackers.

About This Report

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires breaches of unsecured protected health information to be reported to the HHS’ Office for Civil Rights. OCR publishes a summary of breaches affecting 500 or more individuals on its breach portal. This report was compiled using data on the HHS website on 01/19/21 and includes data breaches currently under investigation and archived cases.

The post 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020 appeared first on HIPAA Journal.

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average.

There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 565 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.

2020 Healthcare Data Breaches

December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached.

healthcare records breached in 2020

Largest Healthcare Data Breaches Reported in December 2020

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause
MEDNAX Services, Inc. | FL | Business Associate | 1,290,670 | Hacking/IT Incident | Phishing attack
Dental Care Alliance, LLC | FL | Business Associate | 1,004,304 | Hacking/IT Incident | Unspecified hacking incident
Aetna ACE | CT | Health Plan | 484,157 | Hacking/IT Incident | Phishing attack (business associate)
Allegheny Health Network | PA | Healthcare Provider | 299,507 | Hacking/IT Incident | Ransomware attack (Blackbaud)
AMITA Health | IL | Healthcare Provider | 261,054 | Hacking/IT Incident | Ransomware attack (Blackbaud)
Community Eye Care, LLC | NC | Health Plan | 149,804 | Hacking/IT Incident | Email account breach
GenRx Pharmacy | AZ | Healthcare Provider | 137,110 | Hacking/IT Incident | Ransomware attack
Wilmington Surgical Associates, P.A. | NC | Healthcare Provider | 114,834 | Hacking/IT Incident | Ransomware attack
Agency for Community Treatment Services, Inc. | FL | Healthcare Provider | 73,825 | Hacking/IT Incident | Ransomware attack
Sonoma Valley Healthcare District | CA | Healthcare Provider | 69,000 | Hacking/IT Incident | Ransomware attack

There were two healthcare data breaches reported in December that each impacted more than 1 million individuals. The largest breach was a phishing attack on the Florida-based business associate, MEDNAX Services, Inc. MEDNAX provides revenue cycle management and other administrative services to its affiliated physician practice groups. Hackers gained access to its Microsoft Office 365-hosted email system after employees responded to phishing emails. The compromised accounts contained the protected health information of 1,290,670 patients of its clients.

Dental Care Alliance is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices in 20 U.S. states. Little information has been released about the exact nature of the cyberattack, other than hackers gaining access to its systems and viewing files containing patient information.

Causes of December 2020 Healthcare Data Breaches

Ransomware gangs continue to target healthcare organizations and attacks have increased considerably in recent months. Six of the ten largest data breaches reported in December involved ransomware, two of them through the attack on Blackbaud, as did many of the smaller breaches. Several healthcare providers have only just reported being affected by the ransomware attack on Blackbaud Inc., which the cloud service provider discovered in May 2020.

Phishing continues to be a major cause of healthcare data breaches. There were 13 data breaches involving unauthorized accessing of email accounts, the majority of which used credentials stolen in phishing attacks. While most of the month’s breaches involved unauthorized accessing of electronic protected health information, 17.75% of the month’s breaches involved paper records and films, highlighting the importance of also protecting physical records.

causes of December 2020 healthcare data breaches

33 hacking/IT incidents were reported to OCR in December 2020. Those incidents accounted for 98.39% of the month’s breached records (4,173,519 records). An average of 126,470 records were breached per incident with a median breach size of 8,000 records per incident.

There were 21 unauthorized access/disclosure incidents reported to OCR which involved a total of 57,837 records. The average breach size was 2,754 records and the median breach size was 1,020 records.

There were 7 theft and loss incidents reported (5 theft/2 loss). The average breach size was 1,392 records and the median breach size was 856 records. There was also one incident involving the improper disposal of 501 records.

Location of PHI in December 2020 healthcare data breaches

Entities Reporting Data Breaches in December 2020

Healthcare providers were the worst affected covered entity in December 2020 with 39 breaches reported, but there was a major increase in data breaches reported by health plans. 17 health plans reported breaches of 500 or more records in December, which is a 183% increase from November.

There were 6 data breaches reported by business associates of HIPAA covered entities, but 40% of the month’s breaches (25) had some business associate involvement. In many cases, the breach was experienced by the business associate but was reported by the covered entity.

December 2020 healthcare data breaches by covered entity type

December 2020 Healthcare Data Breaches by State

HIPAA covered entities and business associates in 58% of U.S. states reported data breaches in December. Florida was the worst affected of the 29 states with 9 reported data breaches. Pennsylvania also had a particularly bad month with 7 reported breaches, followed by Missouri and Texas with 4, and Illinois, North Carolina, and Tennessee with 3.

There were two breaches reported in each of Arizona, Connecticut, Georgia, Massachusetts, Minnesota, Ohio, and Wisconsin, and one breach reported in each of Arkansas, California, Colorado, Delaware, Indiana, Iowa, Kentucky, Louisiana, Maine, Mississippi, Nebraska, Oregon, Utah, Virginia, and West Virginia.

HIPAA Enforcement in December 2020

2020 has been a busy year in terms of HIPAA enforcement. More financial penalties were imposed on HIPAA covered entities and their business associates to resolve potential HIPAA violations in 2020 than in any other year since the HHS was given the authority to enforce HIPAA compliance.  19 settlements were reached to resolve cases where HIPAA Rules appeared to have been violated.

OCR announced one further financial penalty in December, the 13th under its HIPAA Right of Access initiative. Peter Wrobel, M.D., P.C., dba Elite Primary Care, agreed to pay OCR a $36,000 financial penalty to resolve a case involving the failure to provide two patients with timely access to their medical records.

You can read more about 2020 HIPAA enforcement in our end of year summary.
