Author Archives: HIPAA Journal

Cyberattacks on Hospitals Cause Significant Disruption at Neighboring Healthcare Facilities

A recent study has confirmed that healthcare cyberattacks not only cause disruption at the organization that experiences an attack but also at emergency departments at neighboring hospitals, where patients face longer wait times due to increased patient numbers which place a strain on resources.

The study involved a retrospective analysis of two academic emergency departments operated by a healthcare delivery organization (HDO) in San Diego, which were in the vicinity of an unrelated HDO that experienced a ransomware attack. The researchers looked at adult and pediatric patient volume, emergency medical services diversion data, and emergency department stroke care metrics for four weeks prior to the attack, during the attack, and four weeks after the attack.

The ransomware attack in question occurred on May 1, 2021, and affected an HDO with 4 acute care hospitals, 19 outpatient facilities, and more than 1,300 combined acute inpatient beds. The attack prevented access to electronic medical records and imaging systems and affected the HDO’s telehealth capabilities. Staff were forced to use pen and paper to record patient information and emergency traffic was redirected to unaffected facilities. The attack caused disruption for 4 weeks, and around 150,000 patient records were compromised.

An attack on one hospital will often see patient numbers increase at neighboring hospitals, and the increased volume of patients and resource constraints impact time-sensitive care for health conditions such as acute stroke. The researchers found there were significant disruptions to services at the neighboring healthcare facilities, even though they were not targeted or directly affected by the ransomware attack. Compared to the period before the attack, there was a 15.1% increase in the daily mean emergency department census, a 35.2% increase in mean ambulance arrivals, a 6.7% increase in mean admissions, a 127.8% increase in patients leaving without being seen, a 50.4% increase in visits where patients left against medical advice, and a 47.6% increase in median waiting room times.

The researchers chose acute stroke care as an example of a time-sensitive, resource-intensive, technologically dependent, and potentially lifesaving set of complex actions and decisions that requires a readily available multidisciplinary team working in close coordination. The researchers observed a 74.6% increase in stroke code activations and a 113.6% increase in confirmed strokes compared to the pre-attack phase.

Since a ransomware attack on one hospital impacts other non-targeted healthcare facilities, the researchers suggest that ransomware and other cyberattacks should be classed as regional disasters. The researchers report no significant difference in door-to-CT scan or acute stroke treatment times, but suggest the disruptions due to ransomware attacks could easily lead to negative patient outcomes. “These findings support the need for coordinated regional cyber disaster planning, further study on the potential patient care effects of cyberattacks, and continued work to build technical health care systems resilient to cyberattacks such as ransomware,” wrote the researchers, who also suggest this should be made a national priority given the increase in cyberattacks on healthcare organizations in recent years.

The study – Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US – was conducted by Christian Dameff, MD, MS, Jeffrey Tully, MD, and Theodore C. Chan MD, and was published in JAMA Open Network.

The post Cyberattacks on Hospitals Cause Significant Disruption at Neighboring Healthcare Facilities appeared first on HIPAA Journal.

CommonSpirit Health Says Ransomware Attack Likely to Cost $160 Million

CommonSpirit Health has provided an updated estimate on the cost of its October 2022 ransomware attack, which is expected to increase to $160 million. The ransomware attack was detected by CommonSpirit Health on October 2, 2022, forcing systems to be taken offline. The attack affected over 100 current and former CommonSpirit facilities in 13 states. The forensic investigation determined hackers first gained access to its network on September 16, 2022, and were ejected on October 3, 2022. The attackers stole data from two file servers, although they did not gain access to its medical record system. The stolen files contained the protected health information of almost 624,000 patients.

CommonSpirit Health operates 143 hospitals and around 2,300 other healthcare facilities in 22 states and is the second-largest non-profit health system in the United States. CommonSpirit’s first quarter results show total revenues from the 3 months to March 31, 2023, of $8.3 billion, and $25.6 billion for the 9 months to March 31. In the first quarter of 2023, CommonSpirit reported $648 million in operating losses and $1.1 million in losses for the 9 months to March 31. Net losses of $231 million and $445 million were reported for the 3- and 9-month periods due to improved investment returns. CommonSpirit said the ransomware attack did not have any impact on the current quarter’s operating results.

The ransomware attack was initially estimated to cost around $150 million, but a further $10 million in costs has been added to that figure. The increased cost factors in lost revenues due to business interruption, costs incurred remediating the ransomware attack, and other business-related expenses. In a call with investors, CommonSpirit explained that most of the $160 million is expected to be recovered from underwriters, although recovery of the costs is expected to take some time. CommonSpirit also confirmed in its quarterly report that it is facing a class action lawsuit over the ransomware attack and data breach. The lawsuit was filed in December 2022 in the U.S. District Court for the Northern District of Illinois and alleges negligence due to the failure to implement reasonable and appropriate security measures to protect patient data. The lawsuit seeks damages for the plaintiff and class exceeding $5 million, injunctive relief, and legal costs.

Point32Health Confirms Harvard Pilgrim Health Care Member Data Stolen in Ransomware Attack

In April 2023, Point32Health, the second-largest health insurer in Massachusetts and the parent company of Tufts Health Plan and Harvard Pilgrim Health Care, announced it suffered a ransomware attack that resulted in system outages, including the systems that serviced members, accounts, brokers, and providers. The attack was detected on April 17, and systems were rapidly taken offline to contain the breach, although at the time of the announcement it was unclear to what extent, if any, protected health information had been compromised.

Point32Health has provided an update on the incident and said it is likely that the protected health information of current and former members of Harvard Pilgrim Health Care plans was stolen in the attack. Point32Health said the forensic investigation confirmed that systems were breached on March 28, 2023, and the attackers maintained access to its systems until April 17, 2023, when the security breach was discovered. During that time the attackers exfiltrated files from its systems that contained personal and protected health information such as names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information.

Point32Health said some of the affected systems, including those used to service members, brokers, and providers remain offline, including the systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). Point32Health is working with third-party cybersecurity experts and expects to bring those systems back online in the coming weeks. “We are currently going through the internal IT and business validations. Once this process is complete, alongside our thorough security screenings, some of our processes will become available in a phased fashion,” said Point32Health Director of Public Relations, Kathleen Makela.

Point32Health said it has reviewed and enhanced its user access protocols, enhanced vulnerability scanning, identified prioritized IT security improvements, implemented a new Endpoint Detection and Response (EDR) security solution, and performed a password reset for all administrative accounts.

Evidence has been found to indicate the protected health information of current and former health plan subscribers and their dependents has been compromised, but no reports have been received to date to indicate any misuse of the affected data; however, as a precaution against identity theft and fraud, affected individuals are being offered complimentary credit monitoring and identity theft protection services.

Point32Health and its subsidiaries serve more than 2 million individuals in New England, but it is unclear how many of those individuals have been affected.

AHA Urges OCR To Reconsider its Guidance on Tracking Technologies

The American Hospital Association (AHA) has urged the HHS’ Office for Civil Rights to rethink its guidance on online tracking technologies and to stop considering an IP address as a unique identifier under HIPAA with respect to pixels and other website tracking technologies.

OCR’s December 2022 guidance was issued in response to the widespread use of tracking technologies on healthcare provider websites. The tracking code, provided by third parties such as Facebook and Google, can be used for a variety of legitimate purposes that benefit healthcare providers and consumers. The tracking technologies record information about website visits, which includes the pages a user visits on the site, as well as options selected from drop-down menus and form data. That naturally can include information about medical conditions, and that information, together with a unique identifier – the user’s IP address – is often transferred to the provider of the tracking technology.

In the guidance, OCR explained that the IP address ties health information to an individual and is therefore protected health information subject to the HIPAA Privacy Rule as the website visitor is either a past, present, or future patient. The AHA considers this to be a much too broad interpretation and warns it “will result in significant adverse consequences for hospitals, patients and the public at large,” and suggests “by treating a mere IP address as protected health information under HIPAA, the Online Tracking Guidance will reduce public access to credible health information.”

There are many credible uses of tracking technologies that would potentially be lost based on the current guidance. “Analytics technologies allow hospitals to optimize their online presence to reach more members of the community, including members of the community most in need of certain healthcare information,” explained the AHA. Tracking technologies are also used to help ensure non-English speakers have access to important health information and to provide individuals with information about where healthcare services are located, and social media tools are used to drive traffic to websites containing trustworthy medical information. The AHA points out that tracking technologies need to be used with the help of third-party vendors, and those vendors will typically not sign business associate agreements and be subject to HIPAA.

“The Online Tracking Guidance puts hospitals and health systems at risk of serious consequences — including class action lawsuits, HIPAA enforcement actions, or the loss of tens of millions of dollars of existing investments in existing websites, apps and portals — for a problem that ultimately is not of their own making,” explained the AHA. The AHA has urged OCR to consider whether the guidance on online tracking technologies is necessary given the increased privacy protections outlined in the proposed modifications to the HIPAA Privacy Rule, to amend the guidance to better reflect the realities of the online activities by hospitals and health systems, or to seek public feedback before reissuing the guidance.

While the AHA has received negative feedback from its members on the tracking technology guidance, feedback on the proposed changes to the HIPAA Privacy Rule with respect to reproductive health information has been largely positive. “The prospect of releasing highly sensitive can result in medical mistrust and the deterioration of the confidential, safe environment that is necessary to quality health care, a functional health care system, and the public’s health generally,” wrote Melinda Reid Hatton, AHA General Counsel and Secretary, in the comments for OCR. “If individuals believe that their PHI may be disclosed without their knowledge or consent to initiate criminal, civil, or administrative investigations or proceedings against them or others based primarily upon their receipt of lawful reproductive health care, they are likely to be less open, honest, or forthcoming about their symptoms and medical history.”

The AHA and its members believe that the provision of medical care that is lawful in the location where it is provided should not carry adverse legal consequences and that the proposed Privacy Rule changes will enhance provider-patient relationships. With respect to the requirement for entities requesting health information to attest that they are not seeking to use the information to investigate or penalize the lawful provision of health care, the AHA welcomes the amendments, which it considers common sense. However, the AHA suggests other measures to decrease the burden on healthcare providers such as emphasizing in the final rule that hospitals and health systems will not be burdened by having to question the validity of an attester’s statements, provided the statements are reasonably objective. The AHA also suggests OCR should produce a model attestation form, stipulate that attestation forms include the subpoena or administrative order relevant to the legal process, and make it a requirement for requests to be made only for individuals, and never in bulk.

19,000 Amazon PillPack Customer Accounts Compromised

The Amazon-owned online pharmacy, PillPack, has recently started notifying 19,000 customers that some of their protected health information was compromised in a cyberattack in April. Unauthorized customer account activity was detected by PillPack on April 3, 2023, and the investigation revealed customer accounts had been accessed by an unauthorized third party between April 2 and April 6, 2023. The compromised accounts contained names, addresses, phone numbers, and email addresses. Approximately 3,600 of the accounts also included prescription information.

The forensic investigation confirmed that the usernames and passwords used to access the accounts were not stolen from PillPack and had most likely been obtained in a breach at another platform where the same usernames and passwords were used. These credential-stuffing attacks can only occur when usernames and passwords have been used on multiple platforms. PillPack has not identified any misuse of customer data, and the types of information in the accounts are not sufficient to be used for identity theft. However, victims of the breach could be subject to phishing attempts to obtain further information. PillPack confirmed that the breach was limited to PillPack and notification letters have been mailed to affected individuals.
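A login-endpoint control for the credential stuffing pattern described above is to flag a single source that attempts many distinct accounts with a high failure rate, and to force resets on the accounts it did get into. The following is an added example, not PillPack's code; the log line format, the sample lines and the thresholds are constructed assumptions.

```python
"""Detect the credential-stuffing pattern in authentication logs.

Added example, not PillPack's code. The log line format, the sample lines and
the thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional


class AuthEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


# Constructed sample log (assumed format: "<ISO timestamp> <source_ip> <username> <result>").
# 203.0.113.7 tries many different accounts in quick succession and lands two of them:
# the signature of credentials reused from a breach elsewhere being replayed.
# 198.51.100.2 is one user fumbling their own password and must not be flagged.
SAMPLE_LOG = """\
2023-04-02T01:00:01 203.0.113.7 alice LOGIN_FAIL
2023-04-02T01:00:02 198.51.100.2 henry LOGIN_FAIL
2023-04-02T01:00:03 203.0.113.7 bob LOGIN_FAIL
2023-04-02T01:00:04 203.0.113.7 carol LOGIN_OK
2023-04-02T01:00:05 198.51.100.2 henry LOGIN_FAIL
2023-04-02T01:00:06 203.0.113.7 dave LOGIN_FAIL
2023-04-02T01:00:07 203.0.113.7 erin LOGIN_FAIL
2023-04-02T01:00:08 198.51.100.2 henry LOGIN_FAIL
2023-04-02T01:00:09 203.0.113.7 frank LOGIN_OK
2023-04-02T01:00:10 203.0.113.7 grace LOGIN_FAIL
2023-04-02T01:00:11 198.51.100.2 henry LOGIN_OK
2023-04-02T01:00:12 192.0.2.9 ivan LOGIN_OK
this line is malformed and should be skipped
"""


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one log line; return None for lines that do not match the assumed format."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("LOGIN_OK", "LOGIN_FAIL"):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return AuthEvent(ts, parts[1], parts[2], parts[3] == "LOGIN_OK")


def detect_credential_stuffing(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=10),
    min_distinct_users: int = 5,
    min_fail_ratio: float = 0.5,
) -> Dict[str, dict]:
    """Flag source IPs that, within any sliding time window, attempt many distinct
    accounts with a high failure rate. Returns {ip: {"distinct_users", "attempts",
    "failures", "compromised"}}, where "compromised" is the set of accounts the
    source logged into successfully (the ones to reset and notify)."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_ip[ev.ip].append(ev)

    findings: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(events)):
            # Advance the window start so that events[start:end + 1] spans at most `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            span = events[start:end + 1]
            users = {e.user for e in span}
            failures = sum(1 for e in span if not e.ok)
            if len(users) < min_distinct_users or failures / len(span) < min_fail_ratio:
                continue
            f = findings.setdefault(
                ip, {"distinct_users": 0, "attempts": 0, "failures": 0, "compromised": set()}
            )
            f["distinct_users"] = max(f["distinct_users"], len(users))
            f["attempts"] = max(f["attempts"], len(span))
            f["failures"] = max(f["failures"], failures)
            f["compromised"] |= {e.user for e in span if e.ok}
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['distinct_users']} accounts tried, {f['failures']}/{f['attempts']} failed, "
              f"successful logins to reset: {sorted(f['compromised'])}")
```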

Fertility Specialists Medical Group Cyberattack Impacts 9,400 Patients

Carlsbad, CA-based Fertility Specialists Medical Group (FSMG) has recently discovered unauthorized individuals gained access to its network and potentially obtained the protected health information of 9,437 current and former patients. The network intrusion was detected on March 20, 2023, and a third-party forensic investigation was initiated to determine the nature and scope of the incident. The investigation concluded on April 21, 2023, that an unauthorized individual had access to the network and potentially acquired files containing first and last names, dates of birth, and medical information. Some of the affected individuals also had their Social Security numbers exposed. No reports of misuse of the exposed data had been received at the time of issuing notifications.

FSMG said IT specialists confirmed the security of its systems, and data security measures will be regularly reviewed to prevent similar incidents in the future. Complimentary credit monitoring services and identity theft protection services have been offered to all affected individuals.

Northwest Health – La Porte Impacted by Fortra GoAnywhere Hack

Northwest Health – La Porte in Indiana has recently confirmed that the protected health information of 10,256 patients was compromised in the Clop ransomware group’s series of attacks between January 28, 2023, and January 30, 2023. The threat actors exploited a zero-day vulnerability in Fortra’s GoAnywhere file transfer software and exfiltrated data, which was used in attempts to extort money from victims.

Fortra has confirmed that unauthorized access is no longer possible, and its file transfer platform has been rebuilt with the vulnerability patched. Affected individuals have been offered ID restoration and credit monitoring services for the period stipulated by state law.

PHI Potentially Compromised in Cyberattack on IMA Financial Group, Inc.

The Wichita, KS-based integrated financial services company, IMA Financial Group, Inc., has confirmed that the protected health information of 2,937 individuals associated with IMA or its clients has potentially been obtained by unauthorized individuals.

Suspicious network activity was detected by IMA on October 19, 2022. Steps were immediately taken to secure its systems and a third-party cybersecurity firm was engaged to investigate the incident. The investigation confirmed that access to IMA data had been gained and information was potentially acquired by unauthorized individuals on October 19, 2023.

The data review concluded on March 10, 2023, that the files potentially obtained in the attack included protected health information such as names, dates of birth, Social Security numbers, driver’s license information, other government identification numbers, health information, and/or claim-related information. Up-to-date contact information then needed to be obtained, and notification letters started to be sent on April 19, 2023.

MU Health Care Discovers Employee HIPAA Violation

Columbia, MO-based MU Health Care has discovered an employee accessed the medical records of 736 patients without any legitimate work reason for doing so. The unauthorized access was discovered in March 2023 and the internal investigation confirmed that patient records were accessed by the employee between July 2021 and March 2023.

The types of information that could have been viewed included names, dates of birth, medical record numbers, and clinical and treatment information, such as diagnoses and procedure information. A spokesperson for MU Health Care said the individual concerned was subject to internal disciplinary procedures and there are no indications that any of the information accessed has been misused or further disclosed. Notification letters are being sent to all affected individuals.

NY AG Fines Medical Management Company $550,000 for Patch Management Failures

A medical management company has been fined $550,000 by the New York Attorney General for failing to prevent a cyberattack that exposed the personal and protected health information of 1.2 million individuals, including 428,000 New Yorkers.

Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp, had its systems hacked in November 2020. The threat actor exfiltrated sensitive data from its systems and then deployed ransomware to encrypt files. As proof of data theft and to pressure Practicefirst into paying the ransom, files were uploaded to the threat actor’s dark web data leak site. The leaked data included screenshots of 13 patients’ protected health information. Practicefirst’s investigation confirmed the threat actor exfiltrated approximately 79,000 files from its systems, which contained names, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, medication information, and financial information.

The investigation conducted by the Office of the New York Attorney General determined that the hacker gained initial access to Practicefirst’s systems by exploiting a critical vulnerability in its firewall. The firewall provider released an updated version of the firewall software in January 2019, but Practicefirst failed to apply the update. Practicefirst did not conduct penetration tests or vulnerability scans, or perform other security tests that would have highlighted the vulnerability before it was exploited. The protected health information stored on its systems was also not encrypted. The New York Attorney General determined that these failures violated state law and the federal Health Insurance Portability and Accountability Act (HIPAA).

Practicefirst agreed to settle the alleged violations of HIPAA and state law. In addition to the financial penalty, Practicefirst has agreed to strengthen its data security practices and will offer affected individuals complimentary credit monitoring services. The data security measures agreed upon as part of the settlement include the development, implementation, and maintenance of a comprehensive information security program, encryption for health information stored on its systems, implementation of a patch management system with timely patching of vulnerabilities, regular vulnerability scans and penetration tests, and updates to its data collection, retention, and disposal practices.

“When a person is seeking medical care, their last concern should be the security of their personal information,” said Attorney General Letitia James. “Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.”

April 2023 Healthcare Data Breach Report

There was a 17.5% month-over-month fall in the number of reported healthcare data breaches with 52 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR) – less than the 12-month average of 58 breaches per month, and one less than in April 2022.

April 2023 Healthcare Data Breaches

One of the largest healthcare data breaches of the year was reported in April, but there was still a significant month-over-month reduction in breached records, which fell by 30.7% to 4,425,891 records. The total is less than the 12-month average of 4.9 million records a month, although more than twice the number of records that were breached in April 2022.

Healthcare records breached in the last 12 months - April 2023

Largest Healthcare Data Breaches Reported in April 2023

As previously mentioned, April saw a major data breach reported that affected 3,037,303 individuals – the third largest breach to be reported by a single HIPAA-covered entity so far this year, and the 19th largest breach to be reported by a single HIPAA-regulated entity to date. The breach occurred at the HIPAA business associate, NationsBenefits Holdings, and was a data theft and extortion attack by the Clop ransomware group involving the Fortra GoAnywhere MFT solution. 8 of the month’s 21 breaches of 10,000 or more records were due to these Clop attacks, including the top 5 breaches in April. Brightline Inc. was also hit hard by those attacks, which were reported separately for each covered entity client (9 reports). Together, the attacks on Brightline involved the PHI of more than 964,000 individuals.

18 of the 21 breaches of 10,000 or more records were hacking incidents. The remaining three breaches were unauthorized disclosures of protected health information, one due to tracking technologies and the other two due to mailing errors. While ransomware and data theft/extortion attacks dominated the breach reports, phishing, business email compromise, and other email account breaches are common, with 5 of the top 21 breaches involving hacked email accounts. End-user security awareness training is recommended to reduce susceptibility to these attacks and multifactor authentication should be implemented on all email accounts, ideally using phishing-resistant multifactor authentication.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Breach Cause
--- | --- | --- | --- | --- | ---
NationsBenefits Holdings, LLC | FL | Business Associate | 3,037,303 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 462,241 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 199,000 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 180,694 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT)
California Physicians’ Services d/b/a Blue Shield of California | CA | Business Associate | 61,790 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
MiniMed Distribution Corp. | CA | Healthcare Provider | 58,374 | Network Server | Unauthorized disclosure of PHI to Google and other third parties (Tracking code)
Brightline, Inc. | CA | Business Associate | 49,968 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT)
United Steelworkers Local 286 | PA | Health Plan | 37,965 | Email | Hacked email account
Retina & Vitreous of Texas, PLLC | TX | Healthcare Provider | 35,766 | Network Server | Hacking incident
Brightline, Inc. | CA | Business Associate | 31,440 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 21,830 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Iowa Department of Health and Human Services – Iowa Medicaid Enterprise (Iowa HHS-IME) | IA | Health Plan | 20,815 | Network Server | Hacking incident at business associate (Independent Living Systems)
Lake County Health Department and Community Health Center | IL | Healthcare Provider | 17,000 | Email | Hacked email account
Southwest Healthcare Services | ND | Healthcare Provider | 15,996 | Network Server | Hacking incident (data theft confirmed)
La Clínica de La Raza, Inc. | CA | Healthcare Provider | 15,316 | Email | Hacked email accounts
St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 15,246 | Paper/Films | Mailing error
Two Rivers Public Health Department | NE | Healthcare Provider | 15,168 | Email | Hacked email account
Robeson Health Care Corporation | NC | Healthcare Provider | 15,045 | Network Server | Malware infection
Northeast Behavioral Health Care Consortium | PA | Health Plan | 13,240 | Email | Hacked email account (Phishing)
Centers for Medicare & Medicaid Services | MD | Health Plan | 10,011 | Paper/Films | Mailing error at business associate (Palmetto GBA)
Modern Cardiology Associates | PR | Healthcare Provider | 10,000 | Network Server | Hacking incident

Causes of April 2023 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 36 of the month’s breaches (69.2%) and the vast majority of the breached records. Across those incidents, 4,077,019 healthcare records were exposed or stolen – 92.1% of the records that were breached in April. The average breach size was 119,914 records and the median breach size was 9,675 records.

April 2023 Healthcare data breach causes

Ransomware attacks continue to be conducted, but there has been a notable shift in tactics, with many ransomware gangs opting for data theft and extortion without encrypting files, as was the case with the attacks conducted by the Clop ransomware group, which exploited a zero-day vulnerability in the Fortra GoAnywhere MFT solution. The BianLian threat group has previously conducted attacks using ransomware, but this year has been primarily conducting extortion-only attacks, which are quieter and faster. 12 of the month’s breaches (40%) involved hacked email accounts, highlighting the importance of security awareness training and multifactor authentication.

There were 13 unauthorized access/disclosure incidents in April, including a 58K-record incident involving tracking technologies that transferred sensitive data to third parties such as Google, instances of paper records not being secured, and PHI that had been exposed over the Internet. Across those 13 breaches, 105,155 records were impermissibly disclosed. The average breach size was 8,089 records and the median breach size was 1,304 records.

There were two theft incidents involving 3,321 records in total and one improper disposal incident. The improper disposal incident was reported as involving 501 records – a placeholder commonly used to meet the Breach Notification Rule reporting deadline when the total number of individuals affected has yet to be determined. As the chart below shows, the majority of incidents involved ePHI stored on network servers and in email accounts.

Location of PHI in April 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data on the OCR breach portal shows the reporting entity, which in some cases is a HIPAA-covered entity when the breach actually occurred at a business associate. The breach portal shows 31 data breaches were reported by healthcare providers, 8 by health plans, and 13 by business associates. The charts below are based on where the breach occurred, rather than the entity that reported the data breach, to better reflect the extent to which data breaches are occurring at business associates.

April 2023 healthcare data breaches by HIPAA-regulated entity type

While healthcare providers were the worst affected HIPAA-regulated entity, the majority of the month’s breached records were due to data breaches at business associates.

Records exposed or stolen in April 2023 healthcare data breaches by hipaa-regulated entity type

Geographical Distribution of April 2023 Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states and Puerto Rico. California was the worst affected state with 16 breaches, 9 of which were the same Brightline Inc. incident reported separately for each client, which is why the breach count was so high for California this month.

State | Breaches
--- | ---
California | 16
Florida | 4
New York & Pennsylvania | 3
Illinois, Kentucky, Ohio, & Texas | 2
Alabama, Arizona, Idaho, Iowa, Indiana, Maryland, Michigan, Minnesota, Nebraska, North Carolina, North Dakota, Oregon, Utah, Virginia, Washington, West Virginia, Wisconsin & Puerto Rico | 1

HIPAA Enforcement Activity in April 2023

No HIPAA enforcement actions were announced by OCR or state attorneys general in April 2023 to resolve violations of HIPAA and state laws, and no Health Breach Notification Rule enforcement actions were announced by the Federal Trade Commission.

Updated Pennsylvania Breach of Personal Information Notification Act Now in Effect

The 2022 update to the Pennsylvania Breach of Personal Information Notification Act (BPINA) is now in effect. The update broadened the definition of personal information to include medical information, health insurance information, and usernames or email addresses in combination with a password or security question and answer that allows an account to be accessed. The update to BPINA was signed into law on November 3, 2022, and took effect on May 2, 2023.

Medical information is defined as any individually identifiable information contained in an individual’s current or historical record of medical history or medical treatment or diagnosis created by a health care professional. Health insurance information is defined as a health insurance policy number or subscriber identification number in combination with an access code or other medical information that permits misuse of an individual’s health insurance benefits.

The updated BPINA applies to state agencies, political subdivisions of the Commonwealth, and individuals or businesses that do business in the Commonwealth of Pennsylvania. A state agency includes any agency, board, commission, authority, or department of the Commonwealth and the General Assembly. The update also applies to state agency contractors, which are persons, businesses, subcontractors, or third-party subcontractors that have a contract with a state agency for goods or services, which requires access to personal information.

The updated BPINA requires notification to be issued when unencrypted and unredacted personal information is reasonably believed to have been accessed and acquired by an unauthorized individual, and if encrypted data is breached and the key to decrypt the data is also reasonably believed to have been obtained. No time frame is stipulated for issuing notifications, other than requiring them to be issued “without unreasonable delay”. When a breach occurs at a vendor, the vendor is required to notify the entity that provided the data, and that entity is responsible for making determinations and discharging any remaining notification duties.

Notifications must be issued by mail to the last known address, by telephone if the individuals concerned can be reasonably expected to be contacted by phone and are not required to provide personal information for verification, or via email, if a previous business relationship exists and a valid email address is known for that individual. Electronic notifications are permitted if the notice directs the user to promptly change their password and security question or answer or to take other steps appropriate to protect that individual’s online account, provided sufficient contact information is held to allow the electronic notice to be served.

Any entity that is required by law to comply with HIPAA or the HITECH Act will be determined to be compliant with the updated BPINA provided they are compliant with the privacy and security standards of HIPAA and the HITECH Act, as will any state agency or state agency contractor that is compliant with the breach notification requirements or procedures established by the entity’s, state agency’s or state agency’s contractor’s primary state or functional federal regulator.

The post Updated Pennsylvania Breach of Personal Information Notification Act Now in Effect appeared first on HIPAA Journal.

Apria Healthcare Breach Affects Up to 1.8 Million Individuals

Apria Healthcare LLC, a Minneapolis, MN-based provider of home medical equipment for sleep apnea, has recently sent notifications to individuals about a historic data breach. Apria was alerted about unauthorized access to some of its systems on September 1, 2021. According to the breach notification letters, steps were immediately taken to mitigate the incident, and Apria worked with a third-party forensics team and the Federal Bureau of Investigation. The investigation confirmed its systems were accessed by an unauthorized individual between April 5, 2019, and May 7, 2019, and again from August 27, 2021, to October 10, 2021. The investigation determined that access was gained to its systems primarily to obtain funds from Apria, rather than to obtain the personal information of patients or employees.

While the investigation confirmed that some files containing protected health information were accessed, no evidence of data theft was found; however, data theft could not be ruled out. According to the breach notification sent to the Maine Attorney General, the files on its system that were potentially accessed contained the personal and protected health information of 1,869,598 individuals. The information involved varied from individual to individual and may have included personal, medical, health insurance information, and financial information, and for a limited number of individuals, Social Security numbers.

Apria said it has implemented additional security measures to prevent similar breaches in the future and affected individuals have been offered one year of complimentary credit monitoring services through Kroll. It is unclear why it took 20 months from the discovery of the intrusion for breach notification letters to be issued.

Illinois Department of Human Services Reports Breach of Benefits Eligibility System

The Illinois Department of Healthcare and Family Services (IHFS) and the Illinois Department of Human Services (IDHS) have recently announced that unauthorized individuals gained access to the Manage My Case (MMC) portal of the state Application for Benefits Eligibility (ABE) system, which is used for determining eligibility for State-funded medical benefits programs (Medicaid), the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF).

The attackers created new accounts in the ABE system and then used those accounts to link to existing customers’ MMC accounts, passing the identity check with customers’ personal information that had been stolen from another source. The information exposed as a result of the breach included names, Social Security numbers, recipient identification numbers, addresses, phone numbers, and income information.

The portal has been secured and the unauthorized access has been blocked. A total of 50,839 individuals who applied for or are receiving benefits through the ABE system have been affected.
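The IDHS incident illustrates a weakness of knowledge-based account linking: once a customer's SSN and recipient ID have been stolen elsewhere, anyone holding them can pass the check. Where a portal cannot immediately move to stronger identity proofing, it can at least watch for the behavioural signature of this abuse, namely freshly created accounts that link to an existing case within minutes, several of them from one source. The following is an added example written for this article, not code from IDHS or from the HIPAA Journal post; the audit-log format, the field names (account, src_ip, case_id), the sample events and the thresholds are all assumptions constructed for illustration.

```python
"""Detect abusive account-linking in a benefits-portal audit log.

Added example, not IDHS code. The log lines, field names and thresholds
below are constructed assumptions; real portals log differently.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real IDHS data).
# Three accounts are created from one address and each links to an existing
# case within about a minute; u0042 is an old account (no creation event);
# u2001 is a new account that links two days after sign-up.
SAMPLE_EVENTS = [
    "2023-04-10T09:00:05 account_created account=u1001 src_ip=203.0.113.7",
    "2023-04-10T09:01:12 case_linked account=u1001 src_ip=203.0.113.7 case_id=C-5551",
    "2023-04-10T09:02:30 account_created account=u1002 src_ip=203.0.113.7",
    "2023-04-10T09:03:41 case_linked account=u1002 src_ip=203.0.113.7 case_id=C-7120",
    "2023-04-10T09:05:02 account_created account=u1003 src_ip=203.0.113.7",
    "2023-04-10T09:06:15 case_linked account=u1003 src_ip=203.0.113.7 case_id=C-9034",
    "2023-04-10T10:15:00 case_linked account=u0042 src_ip=198.51.100.20 case_id=C-1001",
    "2023-04-10T11:00:00 account_created account=u2001 src_ip=198.51.100.9",
    "2023-04-12T11:30:00 case_linked account=u2001 src_ip=198.51.100.9 case_id=C-2222",
]


def parse_event(line):
    """Parse one 'TIMESTAMP EVENT key=value ...' line into a dict."""
    ts_str, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect_link_abuse(lines, max_age=timedelta(minutes=30), burst_threshold=3):
    """Flag case links made by very young accounts, and sources that do it repeatedly.

    Returns {"fast_links": [event dicts], "burst_sources": {src_ip: [accounts]}}.
    A link by an account with no creation event in the log (a pre-existing
    account) is never treated as fast.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda r: r["ts"])
    created_at = {}
    fast_links = []
    links_per_source = defaultdict(list)

    for rec in events:
        if rec["event"] == "account_created":
            created_at[rec["account"]] = rec["ts"]
        elif rec["event"] == "case_linked":
            # Unknown creation time -> treat as arbitrarily old (not suspicious).
            age = rec["ts"] - created_at.get(rec["account"], datetime.min)
            if age <= max_age:
                fast_links.append(rec)
                links_per_source[rec["src_ip"]].append(rec["account"])

    burst_sources = {
        ip: accounts
        for ip, accounts in links_per_source.items()
        if len(accounts) >= burst_threshold
    }
    return {"fast_links": fast_links, "burst_sources": burst_sources}


if __name__ == "__main__":
    result = detect_link_abuse(SAMPLE_EVENTS)
    for rec in result["fast_links"]:
        print(f"fast link: {rec['account']} -> {rec['case_id']} from {rec['src_ip']}")
    for ip, accounts in result["burst_sources"].items():
        print(f"burst source {ip}: {len(accounts)} new accounts linked cases")
```

On the constructed log this flags the three links from 203.0.113.7 and reports that address as a burst source, while the pre-existing account and the slow-linking new account pass. Thresholds are deliberately simple; a production rule would also key on shared device fingerprints and on repeated use of the same recipient identification number, and would route hits to a manual review queue rather than blocking outright.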

Link Audiology Reports Email Account Breach

Link Audiology LLC, a Silverdale, WA-based provider of audiology services, has recently confirmed that the protected health information of up to 7,200 current and former patients has been exposed due to the hacking of an employee email account. The compromised account contained email communications between Link Audiology and a company that was used to handle billing to insurance companies and patients.

The purpose of the attack appears to have been to divert payroll rather than obtain patient information. The email account breach was detected on April 4, 2023, when a fraudulent payroll submission appeared on the company checking account. The investigation revealed the email account was compromised on March 20, 2023, and that the account was again accessed between March 29, 2023, and April 4, 2023. The email account contained copies of personal and insurance checks and copies of insurance Explanation of Benefits (EOB) forms.

A password reset was performed for all email accounts and two-factor authentication was enabled. Internal protocols have also been updated to limit the exposure of data in the event of a similar attack in the future. The decision was taken to send notification letters to all individuals in its database as a precaution since it was not possible to determine if any patient information had been accessed.

Email Account Breach Impacts Patients of Beltone Hearing Aid Centers

Grohler Hearing Aid Center, Inc., doing business as Beltone Hearing Aid Centers, has notified 5,272 individuals about the exposure of some of their protected health information. On March 1, 2023, an employee received a fraudulent request for payment purporting to come from one of its vendors. The investigation revealed an unauthorized third party had accessed an employee’s Microsoft 365 online account on February 21, 2023, after the employee responded to a phishing email.

The unauthorized individual was discovered to have accessed documents in the account that included the full names, internal patient identification numbers, and insurance providers of 50 patients. It was not possible to rule out access to other patients’ protected health information that was present in other emails in the account, although evidence of data access and data theft was not found. Those emails contained information such as patient names, treatment information (including the hearing aid worn by the patient), address, date of birth, driver’s license number, Social Security Number, insurance claims information, patient identification numbers, health information, and credit card/bank account information. Additional security measures have been implemented and further training has been provided to the workforce.

The post Apria Healthcare Breach Affects Up to 1.8 Million Individuals appeared first on HIPAA Journal.