Author Archives: HIPAA Journal

Healthcare Organizations Face Legal and Technological Challenges Achieving CCPA Compliance

Healthcare organizations that are required to comply with the California Consumer Privacy Act (CCPA) are facing challenges achieving compliance, according to a new study published in the Health Policy and Technology – DOI: 10.1016/j.hlpt.2021.100543

The CCPA was signed into law on June 28, 2018 and took effect on January 1, 2020. The aim of the CCPA was to give California residents greater control over their personal data and how their information can be used.

The CCPA gave California residents the right to be informed about their personal data that will collected, whether their data may be sold or disclosed, to whom disclosures may be made, and to opt out of the sale of their personal data. They were also given the right to view the personal data held by a company covered by the CCPA, to request their personal data be deleted, and not to be discriminated against for exercising their rights under the CCPA.

The researchers conducted the study to explore any potential challenges associated with CCPA compliance for healthcare organizations, which involved interviews with 19 digital privacy and information system experts. The researchers found there to be perceived legal and technological challenges for healthcare organizations trying to comply with the CCPA.

The CCPA is mostly concerned with the use of individuals’ personal data by large consumer-facing technology companies, but the CCPA has had a significant impact on healthcare organizations. HIPAA-eligible information is exempt from the CCPA, but the researchers explained that there are some types of data which are collected by HIPAA regulated entities that potentially fall within the jurisdiction of the CCPA. For those types of data there is regulatory ambiguity, which could result in legal issues for healthcare organizations that do business with California residents.

“A lack of regulatory clarity and a low likelihood of enforcement emerged as two major themes of legal concern,” explained the researchers. “Poor data discovery and inventory processes, lack of sophisticated digital infrastructure, the interaction between technology and privacy professionals, and the high cost of compliance emerged as significant technological hurdles to CCPA compliance.”

There is confusion due to the CCPA’s broad definition of business and consumer companies that collect user data and deploy cookies, and the interplay between HIPAA and the CCPA creates some unintentional hurdles when it comes to compliance. One of the key issues covers healthcare data collected by healthcare organizations that is not classed as protected health information and is therefore not subject to the HIPAA Rules. In such cases, healthcare organizations may need to comply with the requirements of the CCPA.

“From an implementation perspective, our study finds that the more visible components of CCPA compliance, such as building a website or setting up a helpline service for consumers to raise data access requests, are easy to accomplish,” wrote the researchers. “However, the task of ensuring an accurate inventory of all the consumer data collected and stored within the organization will be a challenging endeavor.”

A considerable amount of additional data is also now being captured and collected due to the COVID-19 pandemic, and the speed at which systems had to be developed to record, store, and share that information for contact tracing and COVID-19 testing meant there was little time to ensure adequate privacy safeguards were implemented. For healthcare organizations, it is unclear in many cases whether these types of data falls under the CCPA.

The advice of the researchers for healthcare organizations doing business in California is to ensure they develop compliance plans proactively. If discovered not to be compliant they could be forced to make last-minute implementations to avoid financial penalties and could face expensive litigation.

The post Healthcare Organizations Face Legal and Technological Challenges Achieving CCPA Compliance appeared first on HIPAA Journal.

U.S. Vision Subsidiary Reports Hacking Incident Affecting 180,000 Individuals

The U.S. Vision Inc. subsidiary, USV Optical Inc. has announced unauthorized individuals have gained access to certain servers and systems that contained patients’ protected health information.  The unauthorized access was detected on May 12, 2021, with the subsequent forensic investigation confirming the hackers had access to its systems for almost a month from April 20, 2021 to May 17, 2021, when its systems were secured.

Third-party computer forensics specialists are continuing to investigate the breach to determine the full extent and scope of the intrusion but have concluded that unauthorized individuals potentially viewed and exfiltrated patient data in the attack.

It has been confirmed that the following types of employee and patient data have been exposed: Names, eyecare insurance information, and eyecare insurance application and/or claims information. A subset of individuals may also have had the following data exposed: Address, date of birth, and/or other individual identifiers. No reports have been received to date of any cases of attempted or actual misuse of personal and protected health information as a result of the security breach.

The data breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 180,000 individuals. Notifications are being sent to those individuals along with advice on steps that can be taken by breach victims to protect their identities, should they deem those steps to be appropriate.

USV Optical said it worked diligently to investigate and respond to the incident is currently working to identify and notify potentially impacted individuals. A review is being conducted of policies related to data protection and these will be enhanced to better protect patient data.

This is the second major data breach to be reported by an eye care provider in the past few days. Simon Eye Management recently reported an email security breach in which the protected health information of 144,000 individuals was exposed.

The post U.S. Vision Subsidiary Reports Hacking Incident Affecting 180,000 Individuals appeared first on HIPAA Journal.

August 2021 Healthcare Data Breach Report

There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates in August. August’s reported data breaches takes the total number of healthcare data breaches in the past 12 months to 707 (Sep 2020 to August 2021), with 440 of those data breaches reported in 2021.

Healthcare data breaches in the past 12 months

While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined.

healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in August 2021

Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks reported in August have resulted in appointments being postponed and have seen patients redirected to alternative facilities out of safety concerns.

It is now the norm for hackers to exfiltrate sensitive data prior to the use of ransomware and then demand payment for the keys to decrypt data and to prevent stolen data from being published or sold. While some major ransomware operations such as Sodinokibi/REvil and DarkSide appear to have been shutdown, several other operations have taken their place. The Vice Society and Hive ransomware gangs have been targeting the healthcare sector, and this month the Health Sector Cybersecurity Coordination Center (HC3) issued a warning to the health and public health sector about an increased risk of BlackMatter ransomware attacks. Fortunately, this month, past victims of Sodinokibi/REvil ransomware have been given the opportunity to recover encrypted data for free. Bitdefender released a free Sodinokibi/REvil decryptor last week.

In August there were three major ransomware attacks reported by healthcare providers that involved huge amounts of patient data. DuPage Medical Group suffered a ransomware attack in which the protected health information (PHI) of 655,384 patients may have been compromised, while the attack on University Medical Center Southern Nevada affected 1.3 million patients and the St. Joseph’s/Candler Health System attack involved the PHI of 1.4 million patients. Class action lawsuits have already been filed against DuPage Medical Group and St. Joseph’s/Candler Health System on behalf of patients affected by those attacks.

Listed below are the 20 data breaches reported in August that involved the PHI of 10,000 or more individuals. The majority of these data breaches involved ransomware or data stored in compromised email accounts.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Cause
St. Joseph’s/Candler Health System, Inc. Healthcare Provider 1,400,000 Hacking/IT Incident Ransomware attack
University Medical Center Southern Nevada Healthcare Provider 1,300,000 Hacking/IT Incident Ransomware attack
DuPage Medical Group, Ltd. Healthcare Provider 655,384 Hacking/IT Incident Ransomware attack
UNM Health Healthcare Provider 637,252 Hacking/IT Incident Unspecified hacking incident
Denton County, Texas Healthcare Provider 326,417 Unauthorized Access/Disclosure Online exposure of COVID-19 vaccination data
Metro Infectious Disease Consultants Healthcare Provider 171,740 Hacking/IT Incident Email accounts compromised
LifeLong Medical Care Healthcare Provider 115,448 Hacking/IT Incident Ransomware attack (Netgain Technologies)
CareATC, Inc. Healthcare Provider 98,774 Hacking/IT Incident Email accounts compromised
San Andreas Regional Center Business Associate 57,244 Hacking/IT Incident Ransomware attack
CarePointe ENT Healthcare Provider 48,742 Hacking/IT Incident Ransomware attack
South Florida Community Care Network LLC d/b/a Community Care Plan Health Plan 48,344 Unauthorized Access/Disclosure PHI emailed to a personal email account
Electromed Healthcare Provider 47,200 Hacking/IT Incident Unspecified hacking incident
Queen Creek Medical Center d/b/a Desert Wells Family Medicine Healthcare Provider 35,000 Hacking/IT Incident Ransomware attack
The Wedge Medical Center Healthcare Provider 29,000 Hacking/IT Incident Unspecified hacking incident
Gregory P. Vannucci DDS Healthcare Provider 26,144 Hacking/IT Incident Unspecified hacking incident
Texoma Community Center Healthcare Provider 24,030 Hacking/IT Incident Email accounts compromised
Family Medical Center of Michigan Healthcare Provider 21,988 Hacking/IT Incident Ransomware attack
Central Utah Clinic, P.C. dba Revere Health Healthcare Provider 12,433 Hacking/IT Incident Email accounts compromised (Phishing)
Hospice of the Piedmont Healthcare Provider 10,682 Hacking/IT Incident Email accounts compromised
Long Island Jewish Forest Hills Hospital Healthcare Provider 10,333 Unauthorized Access/Disclosure Unauthorized medical record access by employee

Causes of August 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, accounting for 81.6% of the month’s data breaches and 92.3% of breached healthcare records. There were 31 security breaches classed as hacking/IT incidents involving 4,727,350 healthcare records. The mean breach size was 152,495 records and the median breach size was 12,433 records. The majority of these incidents involved ransomware, malware, or compromised email accounts.

Causes of Healthcare Data Breaches Reported in August 2021

There were 7 incidents classed as unauthorized access/disclosure incidents. Those incidents involved 392,939 healthcare records. The mean breach size was 56,134 records and the median breach size was 4,117 records. There were no reported breaches involving lost or stolen devices or paper records and no reported improper disposal incidents.

Location of breached PHI in August 2021 healthcare data breaches

Healthcare Data Breaches by State

August’s 38 healthcare data breaches were reported by entities in 24 U.S. states. Texas was the worst affected state with 4 reported breaches, followed by Arizona and Illinois with three reported breaches each.

State Number of Reported Data Breaches
Texas 4
Arizona & Illinois 3
California, Georgia, Michigan, Minnesota, New Hampshire, Oklahoma, & Virginia 2
Alabama, Delaware, Florida, Iowa, Indiana, Massachusetts, Nevada, New Mexico, New York, Pennsylvania, Tennessee, Utah, West Virginia, & Wisconsin 1

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 30 data breaches reported, 4 of which occurred at business associates but were reported by the healthcare provider. 4 data breaches were reported by health plans, and business associates self-reported 4 breaches.

August 2021 healthcare data breaches by covered entity type

HIPAA Enforcement Activity in August 2021

The HHS’ Office for Civil Rights (OCR) did not announce any new HIPAA penalties in August and there were no HIPAA enforcement actions announced by state attorneys general. So far in 2021 there have been 8 financial penalties imposed on HIPAA-covered entities and business associates by OCR, and one multi-state action by state attorneys general.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on September 20, 2021

 

The post August 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital

Barlow Respiratory Hospital in Los Angeles, CA has announced it has suffered a ransomware attack on August 27, 2021. The attack was conducted by the Vice Society ransomware gang, which gained access to its network and electronic medical record system. Prior to using ransomware to encrypt files, the gang exfiltrated patient data, some of which has been posted on the gang’s dark web data leak site.

Barlow Respiratory Hospital said while the attack affected several IT systems, the hospital was able to continue to operate under its emergency procedures and patient care was not interrupted.

Upon detection of the security breach, law enforcement agencies were notified and a third-party cybersecurity firm was engaged to assist with the investigation and determine the scope of the data breach. The investigation into the attack is ongoing.

While some ransomware operations have said they will not target healthcare providers, Vice Society does not fall into that category. The ransomware operation appeared in June 2021 and has already attacked multiple healthcare providers, including Eskenazi Health in Indianapolis. The ransomware gang is known to exploit new security vulnerabilities, including the Windows PrintNightmare flaws.

“We will continue to work with law enforcement to assist in their investigation, and we are working diligently, with the assistance of a cybersecurity firm, to assess what information may have been involved in the incident,” said a spokesperson for Barlow Respiratory Hospital. “If necessary, we will notify the individuals whose information may have been involved, in accordance with applicable laws and regulations, in due course.”

Missouri Delta Medical Center Suffers Hive Ransomware Attack

The protected health information of patients of Missouri Delta Medical Center in Sikeston, MO has been stolen in a ransomware attack conducted by the Hive ransomware gang. Earlier this month, a sample of the stolen data was uploaded to the ransomware gang’s data leak site in an effort to pressure the medical center into paying the ransom. The Hive ransomware gang has attacked multiple healthcare providers in the past few weeks, including Memorial Health System.

Missouri Delta Medical Center engaged the services of a leading forensic security firm to investigate the attack and determine the nature and scope of the breach. The medical center was later notified by a third party that some patient data had been stolen and published online. According to the post on the Hive gang’s data leak site, the names, addresses, phone numbers, dates of birth, Social Security numbers, sex/race, next of kin details, diagnoses, and financial information of 95,000 individuals was stolen in the attack. That information was contained in 400 GB of files that were exfiltrated prior to file encryption.

Missouri Delta Medical Center said the attack has not affected its ability to provide care for patients. The investigation into the cyberattack is ongoing but at this stage it appears that its electronic medical record system was not affected.

“We apologize for any inconvenience this incident may have caused, and are taking steps to increase our security and reduce the risk of a similar incident occurring in the future. We remain focused on continuing to serve our community,” said Missouri Delta Medical Center.

The post Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital appeared first on HIPAA Journal.

Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans

The Alaska Department of Health and Social Services (DHSS) is about to start mailing notification letters to all individuals in the state telling them their personal and health information may have been compromised in a highly sophisticated cyberattack conducted by a nation state threat actor.

The cyberattack was detected on May 2, 2021 and the DHSS was notified about the attack on May 5, and was advised to shut down its systems immediately to prevent further unauthorized access. Details of when the hackers first gained access to DHSS systems has not been released, but it is known that Advanced Persistent Threat (APT) actors had access to DHSS systems for at least 3 days.

The DHSS has previously reported the security incident and issued an update about the breach in August. The latest update, on September 16, explains the potential impact the attack will have on Alaskans. In the latest update, the DHSS said notifications were delayed so as not to interfere with the criminal investigation into the attack.

The cyberattack was extensive and caused major disruption. Some IT systems affected remain offline, including the websites of many divisions. Temporary web pages have been used to host critical information until the websites can be restored. It is not yet known when all systems will be brought back online. The department’s IT infrastructure is complex, so the recovery process is taking a long time.

The cybersecurity firm Mandiant was engaged to conduct a forensic investigation into the cyberattack. In an August update, the DHSS said hackers had exploited a website vulnerability which allowed them to gain access to DHSS data. “This was not a ‘one-and-done’ situation, but rather a sophisticated attack intended to be carried out undetected over a prolonged period. The attackers took steps to maintain that long-term access even after they were detected,” said DHSS Technology Officer Scott McCutcheon.

All data stored on DHSS infrastructure at the time of the attack is presumed to have been compromised and could potentially be misused, which means the personal and health data of more than 700,000 individuals has likely been breached.

DHSS is currently unaware which information has been accessed or stolen, but it likely includes names, dates of birth, Social Security numbers, phone numbers, addresses, driver’s license numbers, internal identifying numbers (including case reports, protected service reports, Medicaid etc.), health information, financial information and historical information concerning any interactions with the DHSS.

“DHSS urges all Alaskans who have provided data to DHSS, or who may have data stored online with DHSS, to take actions to protect themselves from identity theft,” explained the DHSS in its breach notice.  The DHSS says it is providing free credit monitoring services to “any concerned Alaskan” as a result of the cyberattack, and a code for signing up for those services is being provided in the breach notification letters, which will be mailed between September 27, 2021 and October 1, 2021.

This is a breach of both the Health Insurance Portability and Accountability Act (HIPAA) and the Alaska Personal Information Protection Act (APIPA).

“DHSS is continuing work to further strengthen its processes, tools and staff to be more resilient to future cyberattacks,” said DHSS Chief Information Security Officer Thor Ryan. “Recommendations for future security enhancements are being identified and provided to state leadership.”

It is not the first time that a data breach has affected all state residents. In January 2019, around 700,000 Alaskans were notified by DHSS about a hacking incident that exposed their personal data. In that incident, the Zeus Trojan had been installed on its network in June 2018.

The post Alaska DHSS Says May 2021 Cyberattack Impacts All Alaskans appeared first on HIPAA Journal.

Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients

Wilmington, DE-based Simon Eye Management has suffered a breach of its email environment and hackers potentially gained access to the protected health information of 144,373 patients.

Simon Eye identified suspicious activity in certain employee email accounts on or around June 8, 2021. Action was immediately taken to secure the accounts and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the breach. Assisted by third -party security experts, Simon Eye determined that unauthorized individuals gained access to employee email accounts between May 12 and May 18, 2021.

The incident was an attempted business email compromise (BEC) attack, where employee email accounts are compromised and used in a scam to trick employees into making fraudulent wire transfers, in this case through the manipulation of invoices. Simon Eye said none of the attackers’ attempts were successful.

While gaining access to patient data did not appear to be the goal of the attackers, the email accounts they were able to access did contain patients’ protected health information and it is possible PHI was viewed or obtained in the attack. Simon Eye found no evidence indicating any patient information was viewed or stolen, and there have been no reported cases of actual or attempted misuse of patient data as a result of the cyberattack.

A comprehensive review was conducted to identify patients whose PHI was contained in emails and email attachments. The review confirmed the following types of patient data were present in the accounts: name, medical history, treatment/diagnosis information, health information, health insurance information, and insurance application and/or claims information. A subset of individuals also had their Social Security number, date of birth, and/or financial account information exposed.

Simon Eye has implemented additional data security protocols to enhance email security and is in the process of verifying the contact information of all affected patients. Notification letters will be mailed to those individuals in due course.

The post Hacked Simon Eye Management Email Accounts Contained PHI of More than 144,000 Patients appeared first on HIPAA Journal.

Stolen Laptop Contained the PHI of Dignity Health Patients

Resource Anesthesiology Associates (RAA) of California has started notifying certain patients of Dignity Health’s Mercy Hospital Downtown and Mercy Hospital Southwest that some of their protected health information was stored on a laptop computer that has been stolen.

RAA of California provides anesthesiology services at the Dignity Health hospitals, which requires access to patient data. On July 8, the laptop was stolen from an RAA of California administrator. The theft was reported to law enforcement, but the device has not been recovered.

RAA of California conducted an investigation to determine which patient information was stored on the device and could potentially be accessed. The review confirmed the following types of information were stored on the device: Names, addresses, dates of birth, provider names, dates of service, diagnoses and treatment information, health insurance information, and other information related to patients’ medical care.

The laptop computer was protected with a password, which provides a degree of protection against unauthorized access. However, passwords can be cracked, so there is a risk that information on the laptop could be viewed by unauthorized individuals. RAA of California said to date there has been no evidence found which indicates any of the information stored on the laptop computer has been accessed or misused.

RAA of California believes the risk of misuse of patient data is low but, out of an abundance of caution, is offering affected individuals a complimentary membership to identity theft protection services through IDX. Patients will receive 12 months of CyberScan monitoring and will be protected by a $1 million identity theft insurance policy, which includes fully managed identity theft recovery services.

The post Stolen Laptop Contained the PHI of Dignity Health Patients appeared first on HIPAA Journal.

1,738 Patients of Coalinga State Hospitals Notified About Improper Disclosure of PHI

The Department of State Hospitals – Coalinga (DSH-C) in California has notified 1,738 patients that some of their protected health information has been impermissibly disclosed by a DSH-C employee.

The United States District Court, Eastern District of California had made a request to be provided with DSH-C patient rosters in order to determine whether patients were eligible for a waiver of filing fees when filing a lawsuit. Those rosters were provided to a District Court Clerk by a DSH-C employee.

The patient rosters contained information about patients that had not filed a lawsuit, and the rosters contained more information than was required by the District Court Clerk to determine eligibility for a waiver. The disclosure was therefore in violation of the HIPAA Rules.

The rosters contained the following data elements: name, case number, birth date, legal commitment, admission date, unit number, and gender. DSH-C said it has no reason to believe the information was used for any reason other than for an eligibility determination for a public benefit provided by the Court.

Upon discovery of the breach, the District Court Clerk was contacted and instructed to destroy all DSH-C patient rosters that were provided to the District Court. Staff members are being provided with further training on data protection and policies and procedures are being reviewed and revised to ensure greater clarity on allowable uses and disclosures of patient information.

The post 1,738 Patients of Coalinga State Hospitals Notified About Improper Disclosure of PHI appeared first on HIPAA Journal.

36,500 Patients of Austin Cancer Centers Notified About PHI Exposure

Austin Cancer Centers is alerting 36,503 patients about a security incident discovered on August 4, 2021 in which some of their protected health information was exposed.

Unauthorized individuals were discovered to have gained access to computer systems and installed malware. To prevent further unauthorized access, computer systems were immediately shut down and law enforcement was notified. Since then, Austin Cancer Centers has worked with cybersecurity experts to learn about the exact nature and scope of the incident. Austin Cancer Centers said the malware has now been removed, systems have been restored and secured, and its facilities are open.

The forensic investigation into the security breach confirmed hackers first gained access to its computer systems on July 21, and access remained possible until the breach was discovered on August 4. A comprehensive review was conducted to identify all files on the network that could possibly have been accessed in the attack. Those files were found to contain patient information such as names, addresses, dates of birth, insurance carrier names, and medical notes. The Social Security numbers of certain patients were also exposed, as were the credit card numbers of a limited number of patients.

Austin Cancer Centers does not believe the attackers had access to its entire network, but the decision was taken to send notifications to 36,500 patients out of an abundance of caution. Since the attackers no longer had access to its network from August 4, new patients who received medical services after that date were definitely not affected.

Austin Cancer Centers said the attackers took steps to avoid detection and hide their activities, which is why it took around two weeks to discover the security breach. Throughout the investigation the priority was to ensure systems were secured and patient data were protected, so notifications were delayed until it was certain that appropriate safety measures were in place.

The exact nature of the malware attack, including whether ransomware was involved, has not been released as the investigation into the security breach is ongoing. Austin Cancer Centers said further information about the incident will be shared with affected individuals via its website when it is deemed appropriate for the information to be released.

Since the breach occurred, Austin Cancer Centers has implemented additional technical safeguards to further enhance security, and rigorous privacy and security training has been provided for the entire staff.

Affected patients have been provided with a complimentary 1-yuear membership to the Equifax Credit Watch™ Gold credit monitoring service, which includes automatic fraud alerts and cover through a $1,000,000 identity theft insurance policy.

“We are deeply saddened and frustrated by this incident.  Caring for our patients during medically stressful times in their life, is our core business,” said Austin Cancer Center CEO, Laurie East. “We apologize to our family of patients for any concern this may create, and we will do everything we can to remedy the situation and help them through necessary steps to ensure their safety.”

The post 36,500 Patients of Austin Cancer Centers Notified About PHI Exposure appeared first on HIPAA Journal.