Healthcare Data Privacy

February 2023 Healthcare Data Breach Report

The number of healthcare data breaches reported over the past three months has remained fairly flat, with only a small uptick in breaches in February, which saw 43 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), well below the 12-month average of 57.4 reported breaches a month. An average of 41 data breaches have been reported each month over the past 3 months, compared to an average of 50.6 breaches per month for the corresponding period last year.

February 2023 Healthcare Data Breach Report - Records breached

The downward trend in breached records did not last long. There was a sizeable month-over-month increase in breached records, jumping by 418.7% to 5,520,291 records. February was well above the monthly average of 4,472,186 breached records a month, with the high total largely due to a single breach that affected more than 3.3 million individuals.

February 2023 Healthcare Data Breach Report - Records Breached

Largest Healthcare Data Breaches Reported in February 2023

17 healthcare data breaches of 10,000 or more records were reported in February, all of which were hacking incidents. The largest data breach affected 3,300,638 patients of 4 medical groups in California that are part of the Heritage Provider Network – Regal Medical Group, Inc.; Lakeside Medical Organization, A Medical Group, Inc.; ADOC Acquisition Co., A Medical Group Inc.; & Greater Covina Medical Group, Inc. This was a ransomware attack with confirmed data theft and was, at the time of reporting, the largest healthcare data breach of the year. That record did not stand for long, as a 4.4 million-record breach was reported this month (Independent Living Systems).

Hacking incidents were reported by CentraState Healthcare System in New York (617,901 records), Cardiovascular Associates in Alabama (441,640 records), and the Florida-based revenue cycle management company, Reventics (250,918 records), all of which saw sensitive data exfiltrated. It is unclear whether these incidents were ransomware or extortion attacks. An email account breach at Highmark Inc. rounds out the top five. That incident was reported to the HHS’ Office for Civil Rights as two separate breaches, affecting 239,039 and 36,600 individuals (275,639 in total). The breach occurred as a result of an employee clicking a link in a phishing email.

The full list of 10,000+ record data breaches and their causes is detailed in the table below.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Regal Medical Group, Inc., Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., A Medical Group Inc. & Greater Covina Medical Group, Inc. | CA | Healthcare Provider | 3,300,638 | Ransomware attack (data theft confirmed)
CentraState Healthcare System, Inc. | NJ | Healthcare Provider | 617,901 | Hacking incident (data theft confirmed)
Cardiovascular Associates | AL | Healthcare Provider | 441,640 | Hacking incident (data theft confirmed)
Reventics, LLC | FL | Business Associate | 250,918 | Hacking incident (data theft confirmed)
Highmark Inc | PA | Health Plan | 239,039 | Phishing attack
90 Degree Benefits, Inc. | WI | Business Associate | 175,000 | Hacking incident
Hutchinson Clinic, P.A. | KS | Healthcare Provider | 100,000 | Hacking incident
Lawrence General Hospital | MA | Healthcare Provider | 76,571 | Hacking incident
Sharp Healthcare | CA | Healthcare Provider | 62,777 | Hacked web server (data theft confirmed)
Rise Interactive Media & Analytics, LLC | IL | Business Associate | 54,509 | Hacking incident
Highmark Inc | PA | Business Associate | 36,600 | Phishing attack
Teijin Automotive Technologies Welfare Plan | MI | Health Plan | 25,464 | Ransomware attack – Access gained through phishing
Evergreen Treatment Services | WA | Healthcare Provider | 21,325 | Hacking incident
Aloha Nursing Rehab Centre | HI | Healthcare Provider | 20,216 | Hacking incident (data theft confirmed)
NR Pennsylvania Associates, LLC | PA | Healthcare Provider | 14,335 | Hacking incident (data theft confirmed)
Intelligent Business Solutions | NC | Business Associate | 11,595 | Ransomware attack
Arizona Health Advantage, Inc. dba Arizona Priority Care; AZPC Clinics, LLC; and health plans for which APC has executed a BAA | AZ | Healthcare Provider | 10,978 | Ransomware attack

Causes of Healthcare Data Breaches in February 2023

Hacking and other IT incidents dominated the breach reports in February with 33 such incidents reported, accounting for 76.7% of all breaches reported in February. Across those incidents, the records of 5,497,797 individuals were exposed or stolen – 99.59% of the breached records in February. The average breach size was 166,600 records and the median breach size was 10,978 records.

There were 8 unauthorized access/disclosure incidents reported involving a total of 13,950 records. The average breach size was 1,744 records and the median breach size was 689 records. One of the incidents – reported by Asante – involved a physician accessing the records of patients when there was no treatment relationship. The unauthorized access occurred for 9 years before it was detected, during which time the records of 8,834 patients were impermissibly viewed. Incidents such as this show why it is important to maintain logs of medical record access and to review those logs regularly, ideally automating the process using a monitoring and alerting system.

February 2023 Healthcare Data Breach Report - Causes

One theft incident was reported involving a portable electronic device containing the PHI of 986 patients and one incident involved the improper disposal of paper records that contained the PHI of 7,558 patients.

February 2023 Healthcare Data Breach Report - Location PHI

What HIPAA-Regulated Entities were Affected?

Healthcare providers were the worst affected HIPAA-regulated entity in February, with 31 data breaches of 500 or more records. Seven data breaches were reported by business associates and five were reported by health plans. When data breaches involve business associates, they are often reported by the covered entity. In February, 6 data breaches involved business associates but were reported by the affected healthcare providers and health plans. The two charts are based on where the breach occurred rather than who reported it.

February 2023 Healthcare Data Breach Report - Reporting Entities

The average healthcare provider breach exposed 178,046 records (median: 3,061 records), the average health plan data breach exposed 67,236 records (median: 3,909 records), and the average business associate data breach involved 47,859 records (median: 8,500 records).

February 2023 Healthcare Data Breach Report - records by reporting entity

Where Did the Breaches Occur?

Data breaches were reported by HIPAA-covered entities and business associates in 28 states, with California being the worst affected state with 4 breaches reported in February.

State | Breaches
California | 4
Pennsylvania & Texas | 3
Arizona, Illinois, Kansas, Massachusetts, New Jersey, Oregon, Virginia & Washington | 2
Alabama, Colorado, Connecticut, Florida, Georgia, Hawaii, Iowa, Maryland, Michigan, New Hampshire, New Mexico, North Carolina, Rhode Island, Tennessee, Utah, Wisconsin & Wyoming | 1

HIPAA Enforcement Activity in February 2023

The HHS’ Office for Civil Rights announced one enforcement action in February to resolve alleged violations of the HIPAA Rules. OCR investigated Banner Health over a 2016 breach of the protected health information of 2.81 million individuals and identified multiple potential HIPAA violations related to risk analyses, system activity reviews, verification of identity for access to PHI, and technical safeguards. Banner Health agreed to settle the case and paid a $1,125,000 financial penalty.

DNA Diagnostics Center was investigated by the Attorneys General in Pennsylvania and Ohio after a reported breach of the personal and health information of 45,600 state residents. The investigation determined there was a lack of safeguards, a failure to update its asset inventory, and a failure to disable or remove assets that were not used for business purposes. While these failures would have been HIPAA violations, the settlement resolved violations of state laws. DNA Diagnostics Center paid a financial penalty of $400,000, which was split equally between the two states.

In February, the Federal Trade Commission (FTC) announced its first-ever settlement to resolve a violation of the FTC Health Breach Notification Rule. While the Rule has been in effect for a decade, the FTC has never enforced it. That has now changed. The FTC stated last year that it would be holding non-HIPAA-covered entities accountable for impermissible disclosures of health information and breach notification failures. GoodRx Holdings Inc. was found to have used tracking technologies on its website that resulted in unauthorized disclosures of personal and health information to Facebook, Google, and other third parties and failed to issue notifications to affected individuals. The allegations were settled and GoodRx paid a $1,500,000 financial penalty.

The post February 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

$3 Million Settlement with Blackbaud Resolves SEC Allegations of Misleading Disclosures About Ransomware Attack

The Securities and Exchange Commission (SEC) has agreed to a $3 million settlement with Blackbaud Inc. to resolve charges that the company issued misleading statements about the impact of its 2020 ransomware attack. Blackbaud is a Charleston, SC-based cloud computing provider that serves the social good community. In May 2020, malicious actors gained access to its self-hosted private cloud environment and used ransomware to encrypt files. The forensic investigation confirmed the hackers gained access to files that included donor information such as names, addresses, phone numbers, email addresses, and birth dates. According to Blackbaud, approximately 13,000 customers were affected.

In July 2020, Blackbaud confirmed that the attack was blocked before the attackers were able to encrypt its systems fully, but not in time to prevent a copy of certain data from being stolen from its cloud environment. Blackbaud paid the ransom to ensure the stolen information was deleted and received proof that the stolen data had been deleted. Blackbaud initially said no financial information or Social Security numbers were exposed; however, Blackbaud later confirmed that a subset of individuals had their bank account information, Social Security numbers, and usernames and passwords exposed.

According to the SEC, Blackbaud publicly announced on July 16, 2020, that bank account information and Social Security numbers were not accessed, but within a few days of those public statements being made, its technology and customer relations staff learned that bank account information and Social Security numbers were in the dataset that was exfiltrated by the attackers. In August 2020, three months after the attack occurred, Blackbaud said in a 10-Q filing that there was only a hypothetical risk that data was stolen in the attack, then confirmed in an 8-K filing in September 2020 that Social Security numbers and bank account information may have been stolen.

Blackbaud did not deliberately issue misleading statements, as technology and customer relations personnel did not communicate the discovery of the theft of financial data and Social Security numbers to the senior management responsible for public disclosures. According to the SEC, Blackbaud failed to maintain disclosure controls and procedures. The SEC determined that Blackbaud had violated sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934, and Rules 12b-20, 13a-13, and 13a-15(a).

“Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.” Blackbaud agreed to settle with the SEC with no admission or denial of the charges and agreed to pay a $3 million civil monetary penalty.

“Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the commission as the company continuously improves its reporting and disclosure policies,” said Blackbaud Chief Financial Officer, Tony Boor. “Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape.”


Democratic Senators Introduce Legislation to Ban the Use of Health Information for Advertising

Three Democratic Senators have introduced a bill that seeks to improve personal health data privacy by preventing companies from disclosing personally identifiable health information for advertising purposes. The legislation was introduced after two recent enforcement actions by the Federal Trade Commission (FTC) against GoodRx and BetterHelp over disclosures of personal and health information to social media and big tech firms after informing consumers that their health information would be kept private and confidential, and an enforcement action against a data broker – Kochava – for selling geolocation data, which could potentially be used to identify women who visited reproductive healthcare facilities.

The legislation – The Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act – was introduced by U.S. Senators Amy Klobuchar (D-MN), Elizabeth Warren (D-MA), and Mazie Hirono (D-HI). In addition to prohibiting the use of personally identifiable health information for advertising purposes, the bill seeks to ban data brokers from selling geolocation data, and limits the ability of companies to collect and use personal health information without express consent from consumers. The bill will also give Americans greater access to and ownership over their personal health information.

“For too long, companies have profited off of Americans’ online data while consumers have been left in the dark, which is especially concerning in light of reports that some social media companies collect data related to reproductive health care,” said Sen. Klobuchar. “By stopping the use of personal health information for commercial advertising and banning the sale of location data, this legislation will put new protections in place to safeguard Americans’ privacy while giving consumers greater say over how their sensitive health data is shared online.”

The ban on the use of personal health information for commercial advertising would apply to information collected from any source, including medical centers, fitness trackers and other wearable devices, and web browsing histories, but would not apply to public health campaigns. New data minimization rules would be introduced to restrict the health data that can be collected by companies, and there would be a ban on the sale of precise location data to and by data brokers.

“Since the reversal of Roe, data brokers, and tech firms have continued to profit from the private health and location data of millions of Americans, including those seeking reproductive health care services,” said Sen. Warren. “The UPHOLD Privacy Act would protect consumers’ sensitive data and their right to privacy.”

“With Republicans working to ban and criminalize reproductive health care nationwide, it’s critical we safeguard the reproductive data privacy of everyone in our country,” added Hirono. “Everyone should be able to trust that personal data about their bodies and their health care will be protected. By restricting the sale and use of personally-identifiable health data, this bill will give patients and providers the peace of mind that their private information is secure.”


Amazon Completes Acquisition of OneMedical Amid Concern About Uses of Patient Data

Amazon has completed its $3.9 billion acquisition of the primary care provider One Medical as the retail behemoth continues its move into the healthcare ecosystem. One Medical has over 220 medical offices, a subscription-based telehealth service, and an electronic health record system, and contracts with more than 9,000 employers across the country. When Amazon announced its intention to acquire One Medical, consumer groups and privacy advocates expressed concern about the potential for misuse of patient data, with many analysts believing that data acquisition was a driving factor behind the deal.

The consumer rights advocacy group, Public Citizen, voiced concern about the merger and has been urging the Federal Trade Commission to step in and block the deal due to fears that Amazon could gain an unfair advantage in the healthcare market, by leveraging the retail side of its business. For instance, Amazon could add One Medical services to its Prime membership package or use the retail side of the business for advertising products related to customers’ medical conditions. Of even greater concern is the potential for Amazon to use the medical data of One Medical patients for other purposes.

One Medical has approximately 836,000 members, and the health data of those individuals could easily be used for a range of purposes. Amazon has stated that One Medical data will be kept totally separate from the retail and marketing side of the business and that it will be fully compliant with HIPAA, which prohibits the use of patient data for reasons not related to treatment, payment, or healthcare operations without consent. There is concern that Amazon may try to get around these restrictions, such as by offering incentives to One Medical patients to consent to the use of health data, such as for marketing purposes.

The FTC also has concerns about the merger and went as far as preparing a lawsuit to challenge the acquisition but it was never filed, presumably because it failed to find sufficient grounds to block the deal. As Rob Weissman, President, Public Citizen, suggested, “It’s a very, very problematic merger, but the kinds of concerns it raises don’t line up perfectly with antitrust law.”

The FTC is concerned about the merger and recently communicated some of its concerns about the limitations of current healthcare data privacy laws. On February 27, 2023, in response to the closure of the deal, FTC Commissioner Alvaro M. Bedoya and Commissioner Rebecca Kelly Slaughter issued a statement regarding the acquisition, calling for Congress to update the Health Insurance Portability and Accountability Act (HIPAA) or otherwise address U.S. privacy law, which they said is “both aging and incomplete.”

In the letter, Bedoya pointed out some of the regulatory gaps in the HIPAA Privacy Rule that could potentially be exploited by Amazon. The HIPAA Privacy Rule restricts uses and disclosures of protected health information (PHI), which is any individually identifiable healthcare information that relates to the past, present, or future health of an individual. PHI ceases to be PHI if it is deidentified, which involves stripping out 18 identifiers that allow that information to be tied to a specific individual. At the time when the HIPAA Privacy Rule was drafted, those 18 identifiers were considered complete, but there are now many more ways that individuals can be identified and that list has not been updated since.

Bedoya explained that when the Privacy Rule was drafted, the HHS failed to limit the uses of deidentified data to improving the efficiency and effectiveness of healthcare delivery. Instead, the HHS ruled that once deidentified, PHI is no longer PHI and is no longer covered by the HIPAA Privacy Rule, so there are no restrictions on what can be done with that data once those 18 identifiers have been removed. With respect to One Medical data, Amazon is free to do whatever it chooses with that data, provided it does not re-identify individuals. As Bedoya explained, Amazon can say it is HIPAA compliant, which suggests that it will not use patient data for anything other than health-related matters, when the reality is patient data – in a deidentified form – can be used for other purposes without restriction.

“When HHS proposed the Privacy Rule in 1999, I doubt that it had reason to anticipate that one day the world’s largest retailer—a company of profound technological sophistication— would amass people’s health information on this scale,” wrote Bedoya. “I encourage Congress to continue working toward new privacy laws and HHS to consider updating its Privacy Rule to better reflect the reality of how firms can use health data.”

Bedoya also said health information is not solely protected under HIPAA, and the FTC will be closely monitoring Amazon and the health app market and will not hesitate to initiate enforcement actions if laws are violated.


Survey Reveals a Majority of Americans Are Uncomfortable with AI in Healthcare

A recent survey conducted by the Pew Research Center found a majority of Americans are uncomfortable with their healthcare providers using artificial intelligence tools to aid diagnosis and treatment, indicating a need to improve education on the benefits of AI in healthcare.

60% of respondents expressed discomfort with the use of AI in care settings, with 39% of respondents saying they are comfortable with their care providers relying on AI for medical care. 38% of respondents believe AI will lead to better health outcomes, such as faster diagnosis and treatment, with 33% of respondents believing AI would result in worse health outcomes. 27% of respondents said they didn’t think AI would make much difference to patient outcomes.

When probed about the potential benefits of AI in healthcare, 40% of respondents believe AI will reduce the number of mistakes by healthcare providers, such as misdiagnosis or the failure to diagnose a disease, compared to 27% who thought medical mistakes would increase. Out of the respondents who believe there is a problem with racial and ethnic bias in healthcare, 51% believe the situation would improve with AI whereas 15% said they believe the problem would get worse if AI was used to diagnose diseases and recommend treatments.

Other notable concerns about the use of AI include the privacy and security of sensitive health information. 37% of respondents believe AI will make health information less secure, compared to 22% who believe that security would improve. There is also a fear that healthcare providers will adopt AI systems too quickly before the systems have been fully tested and the risks are fully understood. Only 23% of respondents believe adoption will occur too slowly, resulting in missed opportunities.

The biggest perceived problem with AI that was identified by the survey is the potential for patient-provider relationships to deteriorate. 78% of respondents believe relationships between patients and their healthcare providers will get worse if AI is used in the diagnosis and treatment of patients, with only 13% of respondents believing relationships would improve.

The greatest support for AI in healthcare is among younger adults and men, especially individuals with higher levels of education. 46% of men say they are comfortable with AI in healthcare, compared to 33% of women, with the highest support in the 18-29 age range (44%). Support falls to 35% in the over 50 age range. Individuals in the upper-income bracket were most in favor (49%) compared to 36% of those with a high school education or less. Interestingly, even when individuals have heard a lot about AI, only 50% said they were comfortable with its use in healthcare.

When asked about specific applications of AI in healthcare, 65% of respondents said they would like AI to be used in their own skin cancer screenings; however, there was far less support for the other uses explored by Pew Research. 67% of respondents are opposed to the use of AI to determine the amount of pain medication prescribed, 59% would not want AI-powered robots conducting surgery, and 79% said they would not want AI chatbots to be used to support mental health.

The survey was conducted on 11,004 adults in the United States between December 12 and December 18, 2022.


Court Approves FTC’s $1.5 Million Settlement with GoodRx to Resolve FTC Act and Health Breach Notification Rule Violations

On February 1, 2023, the Department of Justice filed a proposed order on behalf of the Federal Trade Commission prohibiting GoodRx from sharing the health information of its users with third parties for advertising purposes, following an investigation by the FTC. The FTC alleged that GoodRx – doing business as GoodRx Gold, GoodRx Care, and Hey Doctor (GoodRx) – violated the FTC Act by engaging in unfair and deceptive trade practices by sharing the data of millions of users without their consent and knowledge and violated the FTC Health Breach Notification Rule by failing to notify users about the privacy violation.

The information shared with third parties included personally identifying information, information about sensitive health conditions, and medications. The FTC alleged that the information was shared despite GoodRx providing repeated assurances to its users that the company would ensure sensitive health information was protected and would not be shared with third parties. The FTC also took issue with GoodRx displaying a seal on its website confirming the company was “HIPAA Secure: Patient Data Protected”, which indicated that GoodRx was a covered entity under HIPAA when it was not and that it was compliant with the HIPAA Rules when it wasn’t.

“Consumers have a right to know whether and how their personal health information will be used, and to know when it has been disclosed to third-parties,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The Department is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.”

The data was shared with third parties via third-party tracking pixels on its website and plug-and-play software development kits provided by companies such as Google, Facebook, Criteo, Branch, and Twilio. The data collected via those tools were shared with the providers of those software kits and pixels and were potentially used for advertising purposes. GoodRx did not agree with the findings of the FTC, and told The HIPAA Journal there was no wrongdoing and the decision was taken to settle the allegations to avoid the time and expense of protracted litigation.

The settlement was agreed upon by all parties and requires GoodRx to pay a $1.5 million financial penalty and adopt a corrective action plan that will prevent future unauthorized disclosures of sensitive health data and ensure future compliance with the FTC Act and the Health Breach Notification Rule. GoodRx has also agreed not to disclose the sensitive health data of its users without first obtaining consent to do so and will notify all affected individuals about the disclosures. The court recently approved the proposed order and the settlement will now take effect.

“Companies that misuse their customers’ sensitive health information by sharing that information without their customers’ permission or knowledge will be held accountable,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “We will continue to work with our partners at the FTC to protect against the unauthorized disclosure of such sensitive, private information.”


On-the-Spot Intervention 95% Effective at Preventing Further Unauthorized Medical Record Access

Defenses need to be put in place to detect and block attempts by cybercriminals to access healthcare networks, but not all threats are external. Each year, many data breaches are reported by hospitals and medical practices that involve unauthorized access to medical records by employees. These data breaches include non-malicious snooping on the medical records of colleagues, friends, family members, and high-profile patients, and insider wrongdoing incidents where patient data is stolen for identity theft and fraud or to take to a new employer. The healthcare industry has historically had a far bigger problem with insider data breaches than other industry sectors.

The study, recently published in JAMA Network Open, was conducted at a large academic medical center and explored the effectiveness of email warnings in preventing repeated unauthorized access to protected health information by employees. Over a 7-month period in July 2018, the medical center’s PHI access monitoring system flagged 444 instances where employees accessed the medical records of patients when they were not authorized to do so. 49% of those employees (219) were randomly selected and were sent an email warning on the night when the unauthorized access was detected, and the remaining employees received no warnings and served as the control group.

The emails explained that the automated system had detected unauthorized medical record access and advised the employees that this was a privacy violation, as the medical center has a strict policy in place that prohibits accessing the medical records of individuals such as friends, family members, colleagues, and acquaintances unless they have written authorization to do so. No disciplinary action was taken against the employees for the duration of the study, but all employees were later disciplined per the medical center’s sanctions policy.

The study found that only 4 of the 219 employees (2%) who received an email warning repeated the offense, compared to 90 employees in the control group (40%). In the email warning group, the 4 repeat offenses occurred between 20 and 70 days after the initial unauthorized access. 88% of repeat violations by the control group occurred within 10 days of the initial offense, and 17% occurred after 90 days. On-the-spot intervention was found to be 95% effective at preventing further unauthorized access, and email warnings continue to be used by the medical center as a critical access control measure.
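The monitoring-and-warning loop the study describes (flag record views with no treatment relationship, prepare a notice the same night, then track who re-offends), and the access-log review the February breach report recommends after the Asante incident, as an added example that is not the study's, Protenus's or the medical center's code. The audit log lines, care-team table and written-authorization list are constructed for illustration; a real deployment would derive the treatment relationships from scheduling, ADT and encounter data rather than a hard-coded dictionary.

```python
"""Reviewing EHR audit logs for accesses with no treatment relationship,
building same-night warning notices, and tracking repeat offences.
Every line of data below is constructed for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed audit log lines in the form "timestamp|employee|patient|action".
ACCESS_LOG = """\
2018-07-02T09:14:00|nurse17|pt1001|VIEW
2018-07-02T09:20:00|nurse17|pt1002|VIEW
2018-07-02T22:41:00|nurse17|pt2099|VIEW
2018-07-03T08:05:00|clerk04|pt1003|VIEW
2018-07-03T12:30:00|clerk04|pt2099|VIEW
2018-07-25T14:02:00|nurse17|pt2099|VIEW
2018-07-29T10:10:00|doc08|pt1003|VIEW
""".splitlines()

# Constructed care-team assignments (employee -> patients they treat); a
# real deployment would derive these from scheduling/ADT and encounter data.
CARE_TEAM = {
    "nurse17": {"pt1001", "pt1002"},
    "clerk04": {"pt1003"},
    "doc08": {"pt1003"},
}
# Constructed written authorizations, the policy exception quoted above.
WRITTEN_AUTHORIZATIONS = {("clerk04", "pt2099")}


def parse_log(lines):
    """Turn raw audit lines into dicts with a datetime timestamp."""
    events = []
    for line in lines:
        ts, employee, patient, action = line.strip().split("|")
        events.append({"ts": datetime.fromisoformat(ts), "employee": employee,
                       "patient": patient, "action": action})
    return events


def is_authorized(employee, patient):
    """Access is legitimate if a treatment relationship or a written
    authorization exists for this employee/patient pair."""
    return (patient in CARE_TEAM.get(employee, set())
            or (employee, patient) in WRITTEN_AUTHORIZATIONS)


def detect_unauthorized(events):
    """The monitoring step: every access with no relationship is flagged."""
    return [e for e in events if not is_authorized(e["employee"], e["patient"])]


def build_warnings(flagged):
    """One notice per employee per day, to be sent the night of detection
    (the intervention arm of the study). Returns {(employee, day): text}."""
    by_day = defaultdict(list)
    for e in flagged:
        by_day[(e["employee"], e["ts"].date())].append(e)
    notices = {}
    for (employee, day), views in sorted(by_day.items()):
        patients = ", ".join(sorted({v["patient"] for v in views}))
        notices[(employee, day)] = (
            f"To {employee}: on {day} the access monitoring system recorded "
            f"{len(views)} view(s) of record(s) {patients} with no treatment "
            f"relationship or written authorization on file. Accessing the "
            f"records of friends, family, colleagues or acquaintances without "
            f"written authorization is a privacy violation under medical "
            f"center policy."
        )
    return notices


def repeat_offenders(flagged):
    """Employees flagged again on a later day than their first flagged access.
    Returns {employee: [days since first flagged access, ...]}."""
    first_day, repeats = {}, defaultdict(list)
    for e in sorted(flagged, key=lambda ev: ev["ts"]):
        day, emp = e["ts"].date(), e["employee"]
        if emp not in first_day:
            first_day[emp] = day
        elif day > first_day[emp]:
            repeats[emp].append((day - first_day[emp]).days)
    return dict(repeats)


def review(lines):
    """Run the whole loop over raw log lines; returns (flagged, notices, repeats)."""
    flagged = detect_unauthorized(parse_log(lines))
    return flagged, build_warnings(flagged), repeat_offenders(flagged)


if __name__ == "__main__":
    flagged, notices, repeats = review(ACCESS_LOG)
    print(f"{len(flagged)} unauthorized access(es) flagged")
    for key, text in notices.items():
        print(key, "->", text)
    print("repeat offenders (days after first flag):", repeats)
```

With the constructed data, nurse17's two views of pt2099 are flagged (23 days apart) while clerk04's view of pt2099 passes on the written authorization; the days-since-first-flag figure is what a review would watch to catch long-running snooping like the nine-year Asante case.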

The study – Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information – was co-authored by Nick Culbertson, CEO and Co-Founder of Protenus; John Xuefeng Jiang, Ph.D., Professor, Plante Moran Faculty Fellow, Department of Accounting & Information Systems at Michigan State University; and Dr. Ge Bai, Ph.D., CPA, Professor of Accounting at Johns Hopkins Carey Business School.


January 2023 Healthcare Data Breach Report

January is usually one of the quietest months of the year for healthcare data breaches and last month was no exception. In January, 40 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights, the same number as in December 2022. January’s total is well below the 53 data breaches reported in January 2022 and the 12-month average of 58 data breaches a month.

For the second successive month, the number of breached records has fallen, with January seeing just 1,064,195 healthcare records exposed or impermissibly disclosed – the lowest monthly total since June 2020, and well below the 12-month average of 4,209,121 breached records a month.

Largest Healthcare Data Breaches in January 2023

In January there were 13 data breaches involving 10,000 or more records, 8 of which involved hacked network servers and email accounts. The largest data breach of the month affected Mindpath Health, where multiple employee email accounts were compromised. 5 unauthorized access/disclosure incidents were reported that impacted more than 10,000 individuals, three of which were due to the use of tracking technologies on websites. The tracking code collected individually identifiable information – including health information – of website users and transmitted that information to third parties such as Google and Meta, including the month’s second-largest breach at BayCare Clinic. Another notable unauthorized access incident occurred at the mobile pharmacy solution provider, mscripts. Its cloud storage environment had been misconfigured, exposing the data of customers of its pharmacy clients on the Internet for 6 years.

| HIPAA-Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Community Psychiatry Management, LLC (Mindpath Health) | NC | Healthcare Provider | 193,947 | Compromised email accounts |
| BayCare Clinic, LLP | WI | Healthcare Provider | 134,000 | Impermissible disclosure of PHI due to website tracking technology |
| DPP II, LLC (Home Care Providers of Texas) | TX | Healthcare Provider | 125,981 | Ransomware attack (data theft confirmed) |
| Jefferson County Health Center (Jefferson County Health Department) | MO | Healthcare Provider | 115,940 | Hacked network server |
| UCLA Health | CA | Healthcare Provider | 94,000 | Impermissible disclosure of PHI due to website tracking technology |
| mscripts®, LLC | CA | Business Associate | 66,372 | PHI exposed due to misconfigured cloud storage |
| Circles of Care, Inc. | FL | Healthcare Provider | 61,170 | Hacked network server |
| Howard Memorial Hospital | AR | Healthcare Provider | 53,668 | Hacked network server |
| Stroke Scan Inc | TX | Healthcare Provider | 50,000 | Hacking incident – no public breach announcement |
| University of Colorado Hospital Authority | CO | Healthcare Provider | 48,879 | Hacking incident at business associate (Diligent) |
| Insulet Corporation | MA | Healthcare Provider | 29,000 | Impermissible disclosure of PHI due to website tracking technology |
| City of Cleveland | OH | Health Plan | 15,206 | Unauthorized access/disclosure incident – no public breach announcement |
| DotHouse Health Incorporated | MA | Healthcare Provider | 10,000 | Hacked network server |

Causes of January 2023 Healthcare Data Breaches

Just over half of the 40 data breaches reported in January were hacking/IT incidents, the majority of which involved hacked network servers. Ransomware attacks continue to be conducted, although the extent to which ransomware is used is unclear, as many HIPAA-regulated entities do not disclose the exact nature of their hacking incidents, and some entities have not made public announcements at all. Across the 23 hacking incidents, the records of 698,295 individuals were exposed or stolen. The average breach size was 30,361 records and the median breach size was 5,264 records.

There was an increase in unauthorized access/disclosure incidents in January, with 15 incidents reported. The nature of 7 of the unauthorized access/disclosure incidents is unknown at this stage, as announcements have not been made by the affected entities. 5 of the 15 incidents were due to the use of tracking technologies on websites and web apps. Across the 15 unauthorized access/disclosure incidents, 362,629 records were impermissibly accessed or disclosed. The average breach size was 24,175 records and the median breach size was 3,780 records. There were two theft incidents reported, one involving stolen paper records and one involving a stolen portable electronic device. Across those two incidents, 3,271 records were stolen. No loss or improper disposal incidents were reported.

Where Did the Data Breaches Occur?

Healthcare providers were the worst affected HIPAA-covered entity with 31 reported data breaches and 5 data breaches were reported by health plans. While there were only 4 data breaches reported by business associates of HIPAA-covered entities, 14 data breaches had business associate involvement. 10 of those breaches were reported by the covered entity rather than the business associate. The chart below shows the breakdown of data breaches based on where they occurred, rather than which entity reported the breach.

The chart below highlights the impact of data breaches at business associates. 23 data breaches occurred at health plans, involving almost 275,000 records. The 14 data breaches at business associates affected almost three times as many people.

Geographical Spread of January Data Breaches

California was the worst affected state with 7 breaches reported by HIPAA-regulated entities based in the state, followed by Texas with 6 reported breaches. January’s 40 data breaches were spread across 40 U.S. states.

| State | Breaches |
|---|---|
| California | 7 |
| Texas | 6 |
| Georgia, Massachusetts, Missouri & Pennsylvania | 3 |
| Florida, New York & North Carolina | 2 |
| Alabama, Arkansas, Colorado, Illinois, Indiana, Minnesota, New Jersey, Ohio & Wisconsin | 1 |

HIPAA Enforcement Activity in January 2023

The Office for Civil Rights announced one settlement in January to resolve potential violations of the HIPAA Right of Access. OCR investigated a complaint from a personal representative who had not been provided with a copy of her deceased father’s medical records within the allowed 30 days. It took 7 months for those records to be provided. Life Hope Labs agreed to pay a $16,500 financial penalty and adopt a corrective action plan that will ensure patients are provided with timely access to their medical records in the future. This was the 43rd penalty to be imposed under OCR’s HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. No HIPAA enforcement actions were announced by state attorneys general in January.


Biden Administration Considers HIPAA Update to Better Protect Reproductive Health Information

The Biden Administration is considering new rulemaking to update HIPAA to better protect reproductive health information, following the Supreme Court Decision in Dobbs v. Jackson Women’s Health Organization, which removed the federal right to abortion and left it to individual states to decide on the legality of abortions for state residents. Currently, at least 24 U.S. states have implemented bans on abortions or are likely to do so, with 12 states already having a near-total ban.

The Health Insurance Portability and Accountability Act classes reproductive health information as protected health information (PHI), so uses and disclosures are restricted by the HIPAA Privacy Rule. Following the Supreme Court decision, the HHS issued guidance to HIPAA-regulated entities on how the HIPAA Privacy Rule applies to reproductive healthcare data, confirming uses and disclosures of reproductive health information are restricted, and that the information can only be used or disclosed without a valid patient authorization for purposes related to treatment, payment, or healthcare operations.

The HHS also confirmed that while the HIPAA Privacy Rule permits disclosures of PHI “as required by law,” the HIPAA Privacy Rule does not require such disclosures, and that ‘required by law’ is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law,” and that when such a disclosure is required, it is limited to the relevant requirements of such a law. There is concern, however, that disclosures of reproductive health information may be made by HIPAA-regulated entities to law enforcement in states that have imposed bans or severe restrictions on abortions to support enforcement of the bans and allow individuals seeking abortion care to be prosecuted.

There have been calls for HIPAA to be updated to improve privacy protections with respect to reproductive health information. Currently, there are restrictions on disclosures of certain subclasses of PHI such as psychotherapy notes and information related to substance use disorder (SUD) treatment records, and similar restrictions could potentially be applied to reproductive health information. It has now been confirmed that the Department of Health and Human Services has drafted Proposed Modifications to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (RIN 0945-AA20), and that proposal is currently under White House review. The HHS has also proposed a change to a rule introduced by the Trump Administration that made it easier for healthcare providers to decline to provide abortions due to religious objections.

The HHS has not released details of the proposed HIPAA update at this stage but has confirmed that prior to drafting the rule, the HHS participated in listening sessions and roundtable discussions with patients, healthcare providers, advocates, and state health officials and that the proposed rule was drafted under its statutory mandate to ensure non-discriminatory access to healthcare for all Americans.

The draft is not necessarily an attempt to impose restrictions on states that have introduced near-total bans on abortions and could be an attempt to ensure any actions by states are compliant with Federal law. It is worth noting that even if the HIPAA Privacy Rule is updated to better protect reproductive health data, HIPAA only applies to HIPAA-regulated entities, and no HIPAA update would be able to guarantee privacy for individuals seeking abortion care. For instance, geolocation data from mobile phones would allow individuals to be tracked when they visit reproductive health clinics. Geolocation data is not protected by HIPAA, and disclosures of such information are not restricted by the HIPAA Privacy Rule.
