Healthcare Data Privacy

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels: A violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.

The post EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach appeared first on HIPAA Journal.

Vulnerability Identified in Philips HealthSuite Health Android App

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about a vulnerability that has been identified in the Philips HealthSuite Health Android App.

The Philips HealthSuite Health Android App records body measurements and health data to allow users to track activities to help them achieve their health goals. The app is used by individuals in the United States, Netherlands, Germany and the United Kingdom.

User data stored by the app is encrypted to prevent unauthorized access; however, a security researcher discovered the method used to encrypt data is too simplistic and does not offer a sufficiently high level of protection.

As a result, an attacker with physical access to the app could exploit the vulnerability to gain access to a user’s data. The vulnerability could not be exploited remotely so the risk to users is low. The vulnerability, tracked as CVE-2018-19001, has been assigned a CVSS v3 base score of 3.5.

Philips will be releasing a new version of the app in the first quarter of 2019 which will use a stronger method of encryption for user data. In the meantime, Philips recommends not using the app on rooted or jail-broken mobile devices as doing so would weaken security and increase risk.

The post Vulnerability Identified in Philips HealthSuite Health Android App appeared first on HIPAA Journal.

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

The post First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine appeared first on HIPAA Journal.

UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court

A lawsuit filed by employees affected by a data breach at University of Pennsylvania Medical Center (UPMC) has been revived by the Pennsylvania Supreme Court.

The lawsuit was filed after hackers stole the information of approximately 62,000 current and former UPMC employees in a data breach discovered by UPMC in February 2014. The stolen information included names, addresses, Social Security numbers, tax information, and bank account numbers. The information was used to file fraudulent tax returns in employees’ names to receive tax refunds.

According the lawsuit, “As a result of UPMC’s negligence, employees incurred damages relating to fraudulently filed tax returns and are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”

UPMC argued that there is no cause of action for negligence as no property damage or physical injury was alleged by its employees. In Pennsylvania, no cause of action exists for negligence that solely results in economic losses.

The lawsuit was thrown out by two lower courts; however, last week the lawsuit was reinstated by the state’s high court. Justice Max Baer wrote in the opinion that UPMC had a responsibility to address risks that arise from the collection of sensitive data and had a legal duty to protect sensitive information provided by its employees. UPMC breached its common-law duty to exercise reasonable care and safeguard information stored on an Internet-accessible computer system. All six Supreme Court judges agreed that UPMC was responsible for protecting the sensitive data of its employees.

Baer confirmed that “Under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”

The case will now return to the lower court for review. If UPMC is found to have been negligent, UPMC may be required to pay monetary damages to employees who suffered economic losses as a result of the data breach.

The post UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court appeared first on HIPAA Journal.

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

A data breach has been reported by AccuDoc Solutions Inc., a provider of healthcare billing services, that resulted in the exposure of the protected health information of 2,650,000 patients of Atrium Health.

Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia.

On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018.

An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels.

AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has locked out the hackers and has enhanced its security measures to prevent future attacks.

Atrium Health said the information compromised in the attack was limited to patients’ names, addresses, invoice numbers, account balances, service dates, and health insurance information. Approximately 700,000 Social Security numbers were also compromised; however, no sensitive financial information or medical records were affected.

“We are notifying the patients and guarantors who may have been impacted by this incident. We take cybersecurity very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again,” said a spokesperson for Atrium Health. “The fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly.”

Atrium Health is now notifying all affected patients and has offered credit monitoring and identity theft protection services to patients impacted by the breach.

AccuDoc serves approximately 50 other healthcare providers; however only one other client was affected by the breach: Baylor Medical Center in Frisco, TX. Approximately 40,000 Baylor Medical Center patients were affected.

Based on the estimated number of individuals affected, this is the largest healthcare data breach since the 3,466,120-record breach at Newkirk Products Inc., that was reported to OCR in September 2016. It is the eleventh largest healthcare data breach reported since OCR started publishing breach summaries in 2009.

Largest Ever Healthcare Data Breaches

Rank Entity Entity Type Individuals Affected Breach Type Date
1 Anthem Inc. Health Plan 78,800,000 Hacking/IT Incident Feb-15
2 Premera Blue Cross Health Plan 11,000,000 Hacking/IT Incident Mar-15
3 Excellus Health Plan, Inc. Health Plan 10,000,000 Hacking/IT Incident Sep-15
4 Science Applications International Corporation Business Associate 4,900,000 Loss Nov-11
5 University of California, Los Angeles Health Healthcare Provider 4,500,000 Hacking/IT Incident Jul-15
6 Community Health Systems Professional Services Corporation Business Associate 4,500,000 Hacking/IT Incident Aug-14
7 Advocate Health and Hospitals Corporation, dba Advocate Medical Group Healthcare Provider 4,029,530 Theft Aug-13
8 Medical Informatics Engineering Business Associate 3,900,000 Hacking/IT Incident Jul-15
9 Banner Health Healthcare Provider 3,620,000 Hacking/IT Incident Aug-16
10 Newkirk Products, Inc. Business Associate 3,466,120 Hacking/IT Incident Aug-16
11 AccuDoc Solutions Inc. Business Associate 2,650,000 Hacking/IT Incident Nov-18
12 21st Century Oncology Healthcare Provider 2,213,597 Hacking/IT Incident Mar-16

The post 2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach appeared first on HIPAA Journal.

OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Hartford allergy practice $125,000 to revolve potential violations of the HIPAA Privacy Rule.

On October 6, 2015, OCR received a copy of a civil rights complaint that had been filed with the Department of Justice (DOJ). The complainant alleged Allergy Associates of Hartford – A Connecticut healthcare provider that specializes in treating patients with allergies – had impermissibly disclosed her protected health information to a TV reporter.

The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information.

OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a).

The physician in question had already been advised by the practice’s Privacy Officer to ignore the reporter’s request for comment or to respond with ‘no comment.’ However, the physician chose to speak with the reporter and disclosed some of the patient’s PHI. OCR viewed the disclosure as ‘a reckless disregard for the patient’s privacy rights.’

After Allergy Associates was contacted by OCR about the privacy breach, Allergy Associates failed to apply appropriate sanctions against the physician concerned for a violation of the practice’s privacy policies and procedures, as is required by the HIPAA Privacy Rule – 45 C.F.R. §164.530(e)(l).

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” explained OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

Allergy Associates agreed to settle the case with no admission of liability. In addition to paying a financial penalty of $125,000, Allergy Associates has agreed to adopt a robust corrective action plan which includes two years of OCR monitoring the practice’s compliance with HIPAA Rules.

The post OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure appeared first on HIPAA Journal.

NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has released a draft paper covering the privacy and security risks of telehealth and remote monitoring devices and best practices for securing the telehealth and remote monitoring ecosystem.

Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been an increase in the use of remote patient monitoring systems in patients’ homes in recent years. While these systems are straightforward to secure in a controlled environment such as a hospital, the use of these systems in patients’ homes introduces new risks.

Managing the risks and ensuring the remote monitoring systems and devices have an equivalent level of security as in-house systems can be a major challenge.

The purpose of the paper is to create a reference architecture which addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment.

The paper addresses cybersecurity concerns related to the use of the devices in patients’ homes, the use of home networks, and patient-owned devices and identifies cybersecurity measures that can be implemented by healthcare organizations with RPM and video telehealth capabilities.

“The project team will perform a risk assessment on a representative RPM ecosystem in the laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners,” explained NCCoE.

NCCoE has evaluated the following functions of the devices:

  • Connectivity of devices and applications deployed on patient-owned devices such as smartphones, tablets, laptops, and desktop computers
  • How applications transmit monitoring data to healthcare providers
  • The ability for patients to interact with their point of contact to initiate care
  • The ability for data to be analyzed by healthcare providers to identify trends and issue alerts to clinicians about issues with patients
  • The ability for data to be shared with electronic medical record systems
  • The ability for patients to initiate videoconference sessions through telehealth applications
  • The ability for application patches and updates to be installed
  • How a healthcare provider can establish a connection with a remote monitoring device to obtain patient telemetry data
  • How a healthcare provider can connect to a remote monitoring device to update the device configuration

The paper does not cover risks specific to third party telehealth platform providers nor does it evaluate device vulnerabilities and defects.

Stakeholders have been invited to comment on the draft paper. Comments will be accepted until December.

The guidance document can be downloaded on this link.

The post NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity appeared first on HIPAA Journal.

53% Of Healthcare Data Breaches Due to Insiders and Negligence

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacks, malware, and ransomware attacks.

Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result on internal negligence.

The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge.

The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between October 21, 2009 and December 31, 2017. Those breaches resulted in the exposure of 164 million healthcare records.

The analysis was limited to breaches of 500 or more records, as OCR does not publish summaries of smaller breaches. The breach reports split data breaches into six categories; hacking/IT incidents, unauthorized access/disclosure incidents, theft, loss, improper disposal, and unknown. 77.6% of breaches were correctly classified and 22.24% were misclassified or the cause was unknown.

The researchers discovered that theft of data by third-parties or unknown individuals was the single leading breach cause, accounting for 32.5% of incidents, with mailing errors in second place (10.5%), followed by theft by current or former employees (9%). Internal/external hacking incidents accounted for around 20% of breaches, although those incidents involved 133.8 million of the 164 million compromised records. 53% of all breaches were found to have originated from inside healthcare organizations.

“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” said Xuefeng Liang, associate professor of accounting and information systems at MSU’s Eli Broad College of Business and lead author of the study. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”

An analysis of the location of breached PHI showed 46.1% of breaches involved mobile devices, paper records were involved in 28.7% of breaches and 29.3% of breaches involved network servers.

Typically, the actions taken by healthcare organizations post-breach were the use of encryption software, restricting the use of mobile devices, switching to digital records, improving physical security, strengthening firewalls and other cybersecurity protections, and enhancing monitoring and auditing.

While many breaches involve little risk to patients – the accidental disclosure of a name and address to another patient – the consequences of some breaches can be severe: For patients as well as the breached entity. Anthem Inc’s 78.8 million record breach in 2015 was used as an example. Many breach victims had tax returns filed in their names, resulting in financial losses.

In addition to the considerable cost of mitigating the breach – improving cybersecurity protections; hiring forensic investigators, cybersecurity consultants, and legal advisors; printing and mailing notification letters; providing credit monitoring services for breach victims – Anthem had to cover the cost of defending multiple class action lawsuits, which were ultimately settled for $115 million. Anthem has also recently been fined $16 million by OCR to resolve the HIPAA violations uncovered during its breach investigation. Anthem’s reputation has also been tarnished by the breach, the cost of which is difficult to calculate.

The findings of the study are important. “Healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security,” explained the researchers in the paper.

The post 53% Of Healthcare Data Breaches Due to Insiders and Negligence appeared first on HIPAA Journal.

OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS

The Department of Health and Human Services’ Office of Inspector General (OIG) has published its annual report on the top management and performance challenges faced by the HHS.

The report lists 12 major challenges that the HHS must overcome to ensure the department achieves its aims. Given the scale of the current opioid crisis in the United States and its impact, the prevention and treatment of opioid misuse has topped this year’s list.

The report also draws attention to the importance of cybersecurity protections to mitigate threats to be confidentiality, integrity, and availability of health data. Protecting HHS data, systems, and beneficiaries from cybersecurity threats made 10th spot in this year’s list.

In the report, OIG explained that “data management, use, and security are essential to the effective and efficient operation of HHS’ agencies and programs.” Ensuring the integrity of IT systems and the confidentiality and availability of healthcare data are critically important to the health and well-being of Americans.

The HHS has a $5 billion annual budget for IT; a proportion of which is devoted to cybersecurity to ensure data and IT systems are kept secure. The HHS faces major challenges securing its highly complex systems and must store ever increasing volumes of data securely: Data which are spread across multiple locations and are accessible by many entities and individuals. Further, in recent years there has been a major expansion in the use of IoT technology and networked devices, which introduce many new risks. The HHS must ensure its internal systems are protected and is required to oversee the security of cloud data and ensure providers, contractors, and grantees are adhering to cybersecurity best practices.

OIG explained that the types of data used, stored, and transmitted by the HHS are of high value to cybercriminals and are up to ten times more valuable than credit card numbers. Consequently, the HHS is a major target for hackers.

If the HHS fails to secure its data and systems, not only could patients come to harm, it has potential to hinder Federal initiatives such as the NIH ‘All of Us’ Research program, preventing them from achieving their full potential.

OIG reports that the HHS lacks robust resources to prepare cybersecurity staff to respond to cyberattacks and has not thoroughly tested its incident response and recovery procedures, although significant progress has been made in improving cybersecurity protections.

The HHS budget for 2017 allocated $50 million to meet the HHS’s cybersecurity needs and ensure that sensitive data, and the systems on which the information is stored, are kept secure. Part of that budget has been spent on monitoring tools to ensure security compliance, threat hunting technologies have been deployed in some HHS agencies, and the staff of all agencies is now provided with ongoing cybersecurity awareness training.

Cybersecurity testing is conducted in conjunction with the Department of Homeland Security and there is a continuous dialogue across HHS agencies on the cybersecurity and operational challenges faced by the department. While significant progress has been made, there is still a great deal of work to be done.

OIG explained that the HHS needs to develop a well-designed contingency program for cyber-defenses, in addition to those for natural disasters. HHS must also take a more proactive approach to identify and address current and future vulnerabilities before they are exploited, including addressing vulnerabilities that have previously been discovered by OIG and other agencies. HHS must also focus on its capabilities to respond efficiently to a wide range of cybersecurity threats.

The HHS also needs to assist healthcare organizations address threats, which is best achieved through information sharing. Dissemination of threat information and strategies to mitigate threats is essential to ensure that cyberthreats do not result in widespread disruption in the healthcare sector.

The HHS should therefore continuously seek opportunities to partner with other government agencies, academia, private sector companies, and state governments to share cybersecurity information on emerging risks, threats, and best practices.

The HHS must also engage the healthcare and public health sectors to ensure that threat intelligence is communicated effectively and foundational cybersecurity best practices are made available.

The post OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS appeared first on HIPAA Journal.