Author Archives: Steve Alder

Bipartisan Coalition of Attorneys General Call for UHG to Take Decisive Action to Help Providers and Patients

A bipartisan coalition of 22 state attorneys general sent a letter to UnitedHealth Group CEO Andrew Witty to express their concern about the response to the February 21, 2024, ransomware attack on Change Healthcare and the continuing problems faced by providers, pharmacies, and patients.

Providers and pharmacies in their various jurisdictions have reported catastrophic disruptions due to the extended outage and limited restoration of Change Healthcare’s services, and wholly inadequate responses from Change Healthcare and its payor partners. Many providers and pharmacies have said they are in jeopardy of collapse, with patients experiencing disruption to care due to delays in receiving vital prescription medications. In some cases, patients have been denied access to medications due to providers’ inability to conduct eligibility checks.

In the weeks following the attack, the Attorneys General have received increasingly dire messages from healthcare facilities, care providers, and patients due to the prolonged disruption to Change Healthcare’s services. The outage has caused problems with prescription drug access, there are catastrophic billing and payment backlogs, and other problems stemming from the continued lack of access to Change Healthcare’s services.

“Facilities that use Change Healthcare as their backbone to track services and claims have been unable to timely complete prior authorizations, confirm benefits, document and submit claims, and in some instances have even lost access to basic care IT infrastructure,” wrote the Attorneys General. “You must do more than you are currently to avoid imposing further harm to our states’ health care infrastructure and the patients who rely upon it.”

In addition to the lack of access to Change Healthcare’s systems, it has now been confirmed that there was a considerable data breach. UnitedHealth Group issued a statement confirming that personally identifiable and protected health information was compromised and that the data breach could affect “a substantial proportion of the U.S. population.” Further, “Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.”

The Attorneys General have been contacted by care providers and non-UHG facilities who said they are unable to reach Change Healthcare staff who can provide timely information about the data that has been breached, how they can get financial support that does not impose unreasonable conditions such as a waiver of liability, and how they can document and submit claims during the outage. While financial assistance has been provided, for many providers that have experienced financial difficulties due to the attack, the support offered has been “paltry”. Some independent providers have been quoted relief of as little as $10 per week.

In the letter, the Attorneys General outlined some of the specific actions that they believe need to be taken to help alleviate the harm caused by the outage. Those measures include enhancing and expanding financial assistance to all affected providers, ensuring that providers and practices owned by UHG or its subsidiaries are not offered more advantageous financial assistance than others, providing a dedicated helpline so providers can resolve unanswered questions, ensuring that the claims backlog is expeditiously resolved, and issuing timely notifications to the practices and patients whose data has been compromised. The Attorneys General also asked to be provided with an independent analysis confirming that UHG’s and Change Healthcare’s systems have been secured and that the vulnerabilities that contributed to the cyberattack have been addressed.

The post Bipartisan Coalition of Attorneys General Call for UHG to Take Decisive Action to Help Providers and Patients appeared first on HIPAA Journal.

ComplianceJunction HIPAA Training Receives SCCE Accreditation

The Society of Corporate Compliance and Ethics (SCCE) has recently accredited ComplianceJunction’s ‘HIPAA Training for Organizations’ training course. The SCCE is an Eden Prairie, MN-based non-profit association dedicated to enabling the lasting success and integrity of organizations by promoting high standards in compliance and ethics programs. The SCCE, which has more than 19,000 members in over 100 countries, provides resources, education, and networking opportunities for ethics and compliance professionals and offers professional certification through the Compliance Certification Board (CCB). The CCB is an independent body that recognizes individuals with competence in the practice of compliance and ethics.

ComplianceJunction’s mission is to help healthcare organizations train their employees on HIPAA compliance and ensure they understand their responsibilities when it comes to health information privacy. ComplianceJunction has developed a training course that provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) and serves as a foundation for developing a comprehensive HIPAA training program. The training has been used by more than 1,000 healthcare organizations and over 100 universities to raise awareness of the HIPAA regulations.

“ComplianceJunction’s customers include practice owners and senior managers who want to ensure that their staff members are kept up to date on the HIPAA regulations and their organization maintains compliance with the HIPAA training requirements,” explained ComplianceJunction’s Ryan Coyne. “The SCCE accreditation means their employees can now earn CEUs for completing the course, which provides an extra incentive for completing the training.” Healthcare professionals who complete the accredited HIPAA training course will earn 2.6 Continuing Education Units (CEUs) that demonstrate they are taking steps to stay up-to-date with current regulations and are continuing their education and professional development.

“The ComplianceJunction HIPAA training offers a detailed overview of HIPAA fundamentals, laying a solid foundation for developing a comprehensive training program. The modules and case studies are excellent tools to engage staff in further discussion and uncover additional role-specific training needs,” said Joanne Curran, Director of Health Information Management at the Greater Lawrence Family Health Center. “Staff appreciate the opportunity to earn CEUs for completing the training series and look forward to additional training offerings.”


Phishers Gain Access to 23 L.A. County Department of Health Services Email Accounts

Los Angeles County Department of Health Services’ employees were targeted in a recent phishing campaign, and almost 2,800 Catholic Medical Center patients have been affected by a data breach at one of its vendors.

Los Angeles County Department of Health Services Phishing Attack

The Los Angeles County Department of Health Services was recently targeted in a phishing campaign that saw 23 employees tricked into disclosing their email account credentials after clicking a hyperlink in an email that appeared to have been sent by a trusted sender. The email accounts were accessed by an unauthorized third party between February 19, 2024, and February 20, 2024.

The Department of Health Services said the attack was reported to law enforcement which recommended delaying notifying the affected individuals so as not to interfere with the investigation. Notification letters have now been mailed to the affected individuals who have been provided with information on the steps they can take in response to the breach. The types of data exposed varied from individual to individual and may have included one or more of the following: first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.

The Department of Health Services has sent awareness notifications to all members of the workforce reminding them to be vigilant when opening emails, has enhanced its training regarding identifying and responding to phishing emails, and has implemented further controls to minimize the risk of further successful attacks.

The breach has been reported to the HHS Office for Civil Rights but is not yet showing on the OCR breach portal, so it is currently unclear how many individuals have been affected.

Catholic Medical Center Patients Affected by Email Breach at Business Associate

Almost 2,800 patients of Catholic Medical Center (CMC) in New Hampshire have been affected by a data breach at one of its vendors, the accounts receivable management service provider Lamont Hanley & Associates. Lamont Hanley & Associates notified CMC on March 6, 2024, that there had been unauthorized access to an employee’s email account. The breach was detected on June 20, 2023, and it was determined that patient data may have been accessed or acquired by the unauthorized third party, although no specific evidence of data access or data theft was identified.

The account contained the protected health information of 2,792 CMC patients, including names, Social Security numbers, dates of birth, medical and claim information, health insurance information, individual identification information, and financial account information. Lamont Hanley & Associates is offering complimentary credit monitoring services to eligible individuals and has taken steps to improve security to prevent similar breaches in the future.


Kaiser Permanente Website Tracker Breach Affects 13.4 Million Individuals

Kaiser Permanente Health Plan Inc. is notifying 13.4 million individuals that some of their personal data has been disclosed to third parties such as Microsoft (Bing), Google, and X (Twitter) via tracking technologies on its websites and apps. This is the largest healthcare data breach to be reported so far in 2024 and the largest confirmed healthcare data breach to date involving website tracking technologies.

Kaiser Permanente said the tracking technologies were identified during a voluntary internal investigation and they have now been removed from its websites and mobile applications. Additional measures have been implemented to prevent similar occurrences in the future. Notifications are being sent to all individuals who have potentially been affected “out of an abundance of caution,” including current and former health plan members in all markets that Kaiser Permanente operates, and individuals who used its websites and mobile apps. Notifications are expected to be issued in May 2024.

The types of data potentially disclosed to tech companies included names, IP addresses, sign-in statuses, and information about how users navigated through the websites and apps. Other information was potentially disclosed based on individuals’ usage of the websites and apps, including search terms entered into its health encyclopedia, such as symptoms, drugs, injuries, and exercises. No highly sensitive information such as Social Security numbers, financial information, or usernames/passwords was disclosed. Kaiser Permanente said it is not aware of any misuse of the disclosed data; however, it is possible that individuals may have been served targeted ads based on their interactions with Kaiser Permanente’s websites and apps.

The privacy violation has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as a breach of the Health Insurance Portability and Accountability Act (HIPAA). In December 2022, OCR published guidance on HIPAA and tracking technologies and recently updated its guidance to clarify when these technologies can be used and how they can be made HIPAA-compliant. OCR and the Federal Trade Commission (FTC) have been cracking down on the use of these technologies and sent around 130 warning letters to hospitals and telehealth companies last year reminding them of their obligations under HIPAA and the FTC Act, and the FTC has settled 5 complaints – Easy Healthcare (Premom), GoodRx, BetterHelp, Monument, and Cerebral – that alleged violations of the FTC Act related to the use of these technologies without consumers’ consent. State attorneys general have also investigated privacy violations related to the use of tracking technologies, including the New York Attorney General, who settled alleged violations of HIPAA and state laws with New York Presbyterian Hospital over the use of these tools.


BianLian Threat Group Claims Responsibility for Cyberattack on Tennessee Eye Clinic Network

Politzer and Durocher, PLC, which does business as Optometric Physicians of Middle Tennessee (OPMT), has recently reported a hacking incident to the HHS Office for Civil Rights involving the personal and protected health information of 29,000 individuals. The Lebanon, TN-based eye clinic chain said it detected unauthorized access to its network on March 25, 2024. The attackers circumvented its security controls, accessed one of its servers, and exfiltrated files containing “a very limited amount of healthcare information.” The investigation also determined that other identifying information may have been accessed in the attack. A forensic investigation is currently underway to determine the exact types of information involved, and notification letters will be mailed to the affected individuals when that process is completed. OPMT said, “Even though it is not specifically required by HIPAA, we will offer identity theft protection services to all affected individuals; we feel that this is an important precaution to protect our patients.”

The BianLian group has claimed responsibility for the attack. Like several other cybercriminal groups, BianLian has largely moved away from encrypting files with ransomware and now simply steals data and demands payment to prevent its exposure or sale. BianLian has added OPMT to its leak site and claims to have exfiltrated 1.5TB of data in the attack, including financial information, HR data, biometric data, contracts and confidential agreements, SQL databases, and patients’ PII and PHI.

Moffitt Cancer Center Affected by Data Breach at Advarra

Moffitt Cancer Center has recently announced that it has been affected by a security breach at one of its vendors, Advarra. Advarra provided services to Moffitt Cancer Center related to the care and treatment of patients and a research study. On October 26, 2023, Advarra discovered suspicious activity in an employee’s user account. The forensic investigation confirmed that the account had been accessed by an unauthorized individual on October 25, 2023, who acquired a limited amount of data. On or around February 8, 2024, Advarra completed its file review and confirmed that the compromised data belonged to Moffitt Cancer Center.

Moffitt Cancer Center was notified about the breach by Advarra on February 21, 2024, and completed its review of the affected data on March 13, 2024. Moffitt Cancer Center has confirmed that its own systems were not accessed and that the information exposed was limited to names, dates of birth, and Social Security numbers. Advarra is notifying the affected individuals on behalf of Moffitt Cancer Center.

Advarra has recently reported the breach to the HHS’ Office for Civil Rights as affecting 596 individuals, and Moffitt Cancer Center has reported the breach to the Maine Attorney General as affecting 26,577 individuals. Advarra said it has implemented additional measures to further strengthen its internal file system and is offering the affected individuals complimentary identity theft monitoring through Kroll. Moffitt Cancer Center also recently announced that it was affected by a data breach at another vendor, the law firm Gunster, Yoakley, and Stewart.

Patient Data Stolen in Cyberattack on Somerset Dental Las Vegas

Somerset Dental Las Vegas in Nevada has notified 11,321 patients that some of their protected health information has been exposed. The security breach was detected on February 16, 2024, and a third-party forensic investigation confirmed that certain files were exfiltrated from its network in the attack. The stolen data varied from individual to individual and may have included names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, driver’s license numbers, health information, and dental insurance information. Somerset Dental Las Vegas said it is reviewing its security safeguards and will strengthen security. Complimentary identity protection and credit monitoring services have been offered to individuals whose Social Security numbers and/or driver’s license numbers were involved.


Multiple Class Action Lawsuits Filed Against City of Hope National Medical Center Over Data Breach

Several class action lawsuits have been filed against City of Hope National Medical Center, a National Cancer Institute (NCI)-designated cancer treatment and research center, over a recently disclosed data breach that exposed the protected health information of more than 827,000 individuals.

City of Hope National Medical Center identified suspicious activity within its network on October 13, 2023, and the forensic investigation confirmed there had been unauthorized access by a third party between September 19, 2023, and October 12, 2023. During that time, files containing patient data were exfiltrated from its network. The exposed and stolen data included contact information, Social Security numbers, driver’s license numbers, financial information, health insurance information, medical records, medical histories, diagnoses/conditions, and health insurance information. City of Hope National Medical Center issued notification letters on April 2, 2024, and offered the affected individuals complimentary credit monitoring services.

Class action lawsuits started to be filed soon after notification letters were mailed. The lawsuits make similar claims, that City of Hope National Medical Center failed to implement reasonable and appropriate cybersecurity safeguards, did not follow industry best practices for cybersecurity, and that the cyberattack that exposed their sensitive data could have been prevented. The plaintiffs allege that City of Hope National Medical Center should have been aware that it was a likely target for cybercriminals due to the high value of healthcare data on the black market and numerous warnings from federal agencies about the high risk of cyberattacks on the sector. The plaintiffs also allege an unnecessary delay in issuing notifications – five months after the cyberattack was detected.

The plaintiffs allege that injuries have been sustained as a result of the data breach. They face an imminent and increased risk of identity theft and fraud since their sensitive data is now in the hands of cybercriminals, and have and will continue to need to spend time and money protecting themselves from fraud, identity theft, and medical identity theft. At least 8 lawsuits have been filed to date in response to the data breach that make claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. The lawsuits seek class action certification, a jury trial, damages, and injunctive relief.


ONC Releases Common Agreement Version 2.0

On April 22, 2024, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) released Version 2.0 of the Trusted Exchange Framework and Common Agreement (TEFCA).

TEFCA establishes the technical infrastructure model and governing approach for different health information networks and their users and allows them to share clinical information with each other. The ONC requires health information networks that participate in TEFCA to begin implementing the new version and to support the Health Level Seven (HL7) Fast Healthcare Interoperability Resources (FHIR) standard. ONC has also published Participant and Subparticipant Terms of Participation, which detail the requirements for Participants and Subparticipants; compliance with these terms is required for participation in TEFCA. Version 2.0 of the Common Agreement will make it easier for participating health information networks to share data with each other and will also make it easier for patients to access their health data through digital health apps.

“We have long intended for TEFCA to have the capacity to enable FHIR API exchange. This is in direct response to the health IT industry’s move toward standardized APIs with modern privacy and security safeguards, and allows TEFCA to keep pace with the advanced, secure data services approaches used by the tech industry,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “I want to commend the effort put forth by the TEFCA and FHIR communities to help get us there with the release of CA v2.0.”


Threat Actors Increasingly Targeting Vulnerabilities for Initial Access

The exploitation of vulnerabilities in software and operating systems is becoming far more common as a means of gaining initial access to networks, with phishing declining in prevalence, according to Mandiant’s M-Trends 2024 Report. Mandiant, part of Google Cloud, is a leading provider of dynamic cyber defense, threat intelligence, and incident response services. The latest report is based on data from Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023, and December 31, 2023.

Exploited software vulnerabilities were the initial access method in 38% of intrusions investigated by Mandiant, up six percentage points from 32% in 2022, with phishing used for initial access in 17% of incidents, down from 22% in 2022. Attackers are increasingly targeting edge devices and are exploiting a wide variety of vulnerabilities. In 2023, Mandiant identified 97 unique zero-day vulnerabilities being exploited in the wild, up 56% from 2022. The exploitation of zero-day vulnerabilities used to be limited to a small number of threat actors, typically nation-state cyberespionage groups. While state-sponsored threat actors continue to target zero-day flaws, especially China-nexus threat actors, ransomware and data extortion groups are increasingly acquiring and using zero-days, helped by the rise of commercially available turnkey exploit kits.

Threat actors are combining exploits of zero-day flaws with living-off-the-land techniques, which use the native, legitimate tools already present on a system so that attackers can maintain persistence for longer and avoid detection. One of the reasons for the decline in phishing as an initial attack vector is the widespread adoption of multifactor authentication (MFA). While MFA blocks attacks that rely on a stolen password alone, Mandiant has identified an increase in the use of web proxies and adversary-in-the-middle (AiTM) phishing pages that relay the victim’s login to the real site and capture both the credentials and the resulting session token, allowing the attacker to bypass MFA. Defenses can be improved against these attacks by adopting phishing-resistant MFA, such as FIDO2/WebAuthn authenticators, which bind each login to the origin of the legitimate site so that a proxied login is rejected.
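The following is an added illustration of the mechanism described above; it is not code from Mandiant or the M-Trends report. It models a one-time-code login (TOTP, RFC 6238) and an origin-bound login modelled on WebAuthn’s clientDataJSON, then runs each through a simulated AiTM proxy. The origins, keys and challenge are constructed, and HMAC-SHA256 with a shared key stands in for the authenticator’s public-key signature; the point being demonstrated is the origin check, which the relying party can perform only because the browser, not the user, writes the page’s true origin into the signed data.

```python
"""Why an adversary-in-the-middle (AiTM) phishing proxy defeats TOTP but not an
origin-bound (FIDO2/WebAuthn-style) login.  Added illustration: origins and keys
are constructed, and HMAC-SHA256 with a shared key stands in for the
authenticator's public-key signature; the origin-binding logic is the point."""
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.example-health.test"      # constructed: the real site
PROXY_ORIGIN = "https://login.examp1e-health.test"   # constructed: AiTM lookalike


# ---- TOTP (RFC 6238, SHA-1, 30-second step) --------------------------------
def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, submitted: str, timestamp: int) -> bool:
    return hmac.compare_digest(totp(secret, timestamp), submitted)


# ---- origin-bound assertion, modelled on WebAuthn's clientDataJSON ---------
def _host(origin: str) -> str:
    return origin.split("://", 1)[1]


def client_sign(key: bytes, challenge: str, page_origin: str) -> dict:
    """Browser + authenticator side.  The browser writes the origin the page was
    actually served from into clientDataJSON; the authenticator signs
    authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    rp_id_hash = hashlib.sha256(_host(page_origin).encode()).digest()
    auth_data = rp_id_hash + b"\x01" + b"\x00\x00\x00\x01"  # flags: UP; counter 1
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(key, to_sign, hashlib.sha256).digest()   # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(key: bytes, assertion: dict, challenge: str, expected_origin: str) -> bool:
    """Relying-party side: the checks a real RP performs, in order."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), challenge):
        return False
    if cd.get("origin") != expected_origin:        # the phishing-resistant check
        return False
    expected_rp_hash = hashlib.sha256(_host(expected_origin).encode()).digest()
    if assertion["authenticatorData"][:32] != expected_rp_hash:
        return False
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


# ---- the scenarios ----------------------------------------------------------
def aitm_relay_totp(secret: bytes, now: int) -> bool:
    """Victim types the code into the proxy page; the proxy forwards it verbatim.
    Nothing in the code ties it to the site it was typed into, so it is accepted."""
    code_typed_by_victim = totp(secret, now)
    return verify_totp(secret, code_typed_by_victim, now)


def legitimate_webauthn(key: bytes, challenge: str) -> bool:
    return verify_assertion(key, client_sign(key, challenge, RP_ORIGIN), challenge, RP_ORIGIN)


def aitm_relay_webauthn(key: bytes, challenge: str) -> bool:
    """Proxy relays the genuine challenge, but the victim's browser is on PROXY_ORIGIN,
    so that origin ends up inside the signed clientDataJSON and the RP rejects it."""
    assertion = client_sign(key, challenge, PROXY_ORIGIN)
    return verify_assertion(key, assertion, challenge, RP_ORIGIN)


def aitm_relay_webauthn_tampered(key: bytes, challenge: str) -> bool:
    """Proxy rewrites origin and rpIdHash to look legitimate; both are covered by
    the signature, so verification now fails on the signature check instead."""
    assertion = client_sign(key, challenge, PROXY_ORIGIN)
    cd = json.loads(assertion["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(cd).encode()
    rp_hash = hashlib.sha256(_host(RP_ORIGIN).encode()).digest()
    assertion["authenticatorData"] = rp_hash + assertion["authenticatorData"][32:]
    return verify_assertion(key, assertion, challenge, RP_ORIGIN)


if __name__ == "__main__":
    print("TOTP relayed through AiTM proxy accepted: ", aitm_relay_totp(b"seed", 1_700_000_000))
    print("WebAuthn legitimate login accepted:       ", legitimate_webauthn(b"k", "n0nce"))
    print("WebAuthn relayed through AiTM accepted:   ", aitm_relay_webauthn(b"k", "n0nce"))
    print("WebAuthn tampered by AiTM accepted:       ", aitm_relay_webauthn_tampered(b"k", "n0nce"))
```

Running the script prints True, True, False, False: the relayed one-time code is indistinguishable from a genuine one, whereas the proxied origin-bound login fails whether the proxy forwards the assertion untouched (origin mismatch) or rewrites it (signature mismatch). Session tokens issued after a successful TOTP login are likewise site-agnostic bearer values, which is why the proxy can capture and reuse them; the origin check is what phishing-resistant MFA adds.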

Mandiant has also observed an increase in malware, with 626 new malware families identified in 2023, more than in any other year to date. The most common categories were backdoors (33%), downloaders (16%), droppers (15%), credential stealers (7%), and ransomware (5%). The industries most commonly targeted by threat actors were financial services (17%), business and professional services (13%), high technology (12%), retail and hospitality (9%), and healthcare (8%), with attacks increasingly targeting cloud environments as more organizations transition to the cloud. The most likely reason for targeting these sectors is that they store a wealth of sensitive information, including proprietary business data, personally identifiable information, protected health information, and financial records.

Mandiant’s data show that organizations are getting better at identifying intrusions. Last year, attackers were present in networks for a median of 10 days before the intrusions were detected, down from a median of 16 days in 2022. “Defenders should be proud, but organizations must remain vigilant. A key theme throughout M-Trends 2024 is that attackers are taking steps to evade detection and remain on systems for longer, and one of the ways they accomplish this is through the use of zero-day vulnerabilities,” Jurgen Kutscher, Vice President, Mandiant Consulting at Google Cloud, told The HIPAA Journal. “This further highlights the importance of an effective threat hunt program, as well as the need for comprehensive investigations and remediation in the event of a breach.”


March 2024 Healthcare Data Breach Report

March was a particularly bad month for healthcare data breaches, with 93 breaches of 500 or more records reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), a 50% increase from February and a 41% year-over-year increase from March 2023. The last time more than 90 data breaches were reported in a single month was September 2020.

The reason for the exceptionally high number of data breaches was a cyberattack on the rehabilitation and long-term acute care hospital operator Ernest Health. When a health system experiences a breach that affects multiple hospitals, the breach is usually reported as a single breach. In this case, the breach was reported individually for each of the 31 affected hospitals. Had the breach been reported to OCR as a single breach, the month’s breach total would have been 60, well below the average of 66.75 breaches a month over the past 12 months.

[Chart: Healthcare data breaches in the past 12 months]

[Chart: Healthcare data breaches in March, 2020-2024]

While the breach total was high, the number of individuals affected by healthcare data breaches fell for the fourth consecutive month to the lowest monthly total since January 2023. Across the 93 reported data breaches, the protected health information of 2,971,249 individuals was exposed or impermissibly disclosed, the lowest total for March since 2020.

[Chart: Records compromised in healthcare data breaches in the past 12 months]

[Chart: Healthcare records breached in March, 2020-2024]

Biggest Healthcare Data Breaches in March 2024

18 data breaches were reported in March that involved the protected health information of 10,000 or more individuals, all of which were hacking incidents. The largest breach of the month was reported by the Pennsylvania dental care provider Risas Dental and Braces. While the breach was reported in March, it occurred 8 months earlier, in July 2023. A similarly sized breach was reported by Oklahoma’s largest emergency medical care provider, Emergency Medical Services Authority. Hackers gained access to its network in February and stole files containing names, addresses, dates of birth, and Social Security numbers.

Philips Respironics, a provider of respiratory care products, initially reported a hacking-related breach to OCR involving the PHI of 457,152 individuals. Hackers gained access to the network of the Queens, NY-based billing service provider M&D Capital Premier Billing in July 2023 and stole files containing the PHI of 284,326 individuals. An August 2023 hacking incident was reported by Yakima Valley Radiology in Washington that involved the PHI of 235,249 individuals. The California debt collection firm Designed Receivable Solutions experienced a breach of the PHI of 129,584 individuals; the details of that breach are not known, as there has been no public announcement other than the breach report to OCR.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Cause
Risas Dental & Braces | PA | Healthcare Provider | 618,189 | Hacking Incident
Emergency Medical Services Authority | OK | Healthcare Provider | 611,743 | Hacking Incident
Philips Respironics | PA | Business Associate | 457,152 | Exploited software vulnerability (MOVEit Transfer)
M&D Capital Premier Billing LLC | NY | Business Associate | 284,326 | Hacking Incident
Yakima Valley Radiology, PC | WA | Healthcare Provider | 235,249 | Hacked email account
Designed Receivable Solutions, Inc. | CA | Business Associate | 129,584 | Hacking Incident
University of Wisconsin Hospitals and Clinics Authority | WI | Healthcare Provider | 85,902 | Compromised email account
Aveanna Healthcare | GA | Healthcare Provider | 65,482 | Compromised email account
Ezras Choilim Health Center, Inc. | NY | Healthcare Provider | 59,861 | Hacking Incident (data theft confirmed)
Valley Oaks Health | IN | Healthcare Provider | 50,034 | Hacking Incident
Family Health Center | MI | Healthcare Provider | 33,240 | Ransomware attack
CCM Health | MN | Healthcare Provider | 28,760 | Hacking Incident
Weirton Medical Center | WV | Healthcare Provider | 26,793 | Hacking Incident
Pembina County Memorial Hospital | ND | Healthcare Provider | 23,811 | Hacking Incident (data theft confirmed)
R1 RCM Inc. | IL | Business Associate | 16,121 | Hacking Incident (data theft confirmed)
Ethos, also known as Southwest Boston Senior Services | MA | Business Associate | 14,503 | Hacking Incident
Pomona Valley Hospital Medical Center | CA | Healthcare Provider | 13,345 | Ransomware attack on subcontractor of a vendor
Rancho Family Medical Group, Inc. | CA | Healthcare Provider | 10,480 | Cyberattack on business associate (KMJ Health Solutions)

Data Breach Causes and Location of Compromised PHI

As has been the case for many months, hacking incidents dominated the breach reports. 76 of the month’s breaches were classed as hacking/IT incidents; they involved the records of 2,918,585 individuals, 98.2% of all records compromised in March. The average breach size was 38,402 records and the median breach size was 3,144 records. The nature of the hacking incidents is getting harder to determine, as breach notifications typically disclose little about the incidents, such as whether ransomware or other malware was used. The lack of information makes it hard for the individuals affected by a breach to assess the level of risk they face. Many of these breaches were described as “cyberattacks that caused network disruption” in breach notices, which suggests they were ransomware attacks.

[Chart: Causes of March 2024 healthcare data breaches]

There were 11 unauthorized access/disclosure incidents reported involving a total of 36,533 records. The average breach size was 3,321 records and the median breach size was 1,956 records. There were 4 theft incidents and 1 loss incident, involving a total of 15,631 records (average: 3,126 records; median 3,716 records), and one improper disposal incident involving an estimated 500 records. The most common location for breached PHI was network servers, which is to be expected based on the number of hacking incidents, followed by compromised email accounts.

[Chart: Location of breached PHI in March 2024 healthcare data breaches]

Where Did the Data Breaches Occur?

The OCR data breach portal shows there were 77 data breaches at healthcare providers (2,030,568 records), 10 breaches at business associates (920,522 records), and 6 data breaches at health plans (20,159 records). As OCR recently confirmed in its Q&A for healthcare providers affected by the Change Healthcare ransomware attack, it is the responsibility of the covered entity to report breaches of protected health information when the breach occurs at a business associate; however, the responsibility for issuing notifications can be delegated to the business associate. In some cases, a data breach at a business associate is reported by the business associate on behalf of some of its covered entity clients, while other covered entities decide to issue notifications themselves. That means that data breaches at business associates are often not clearly identifiable as such on the breach portal. The HIPAA Journal has determined where each breach occurred, and the pie charts below show where the breaches occurred rather than which entity reported them.

[Chart: Data breaches at HIPAA-regulated entities in March 2024]

[Chart: Records breached at HIPAA-regulated entities in March 2024]

Geographical Distribution of Healthcare Data Breaches

In March, data breaches were reported by HIPAA-regulated entities in 33 U.S. states. Texas was the worst affected state with 16 breaches reported, although 8 of those breaches were reported by Ernest Health hospitals that had data compromised in the same incident. California experienced 10 breaches, including 3 at Ernest Health hospitals, with New York also badly affected with 7 reported breaches.

State Breaches
Texas 16
California 10
New York 7
Pennsylvania 6
Indiana 5
Colorado & Florida 4
Illinois, Ohio & South Carolina 3
Arizona, Idaho, Massachusetts, Michigan, Minnesota, New Mexico, North Carolina, Oklahoma & Utah 2
Alabama, Georgia, Kansas, Kentucky, Nevada, New Jersey, North Dakota, Oregon, Tennessee, Virginia, Washington, West Virginia, Wisconsin & Wyoming 1

HIPAA Enforcement Activity in March 2024

OCR announced one settlement with a HIPAA-regulated entity in March to resolve alleged violations of the HIPAA Rules. The Oklahoma-based nursing care company Phoenix Healthcare was determined to have failed to provide a daughter with a copy of her mother’s records when the daughter was the personal representative of her mother. It took 323 days for the records to be provided, which OCR determined was a clear violation of the HIPAA Right of Access and proposed a financial penalty of $250,000.

Phoenix Healthcare requested a hearing before an Administrative Law Judge, who upheld the violations but reduced the penalty to $75,000. Phoenix Healthcare appealed the penalty and the Departmental Appeals Board affirmed the ALJ’s decision; however, OCR offered Phoenix Healthcare the opportunity to settle the alleged violations for $35,000, provided that Phoenix Healthcare agreed not to challenge the Departmental Appeals Board’s decision.
