Healthcare Data Privacy

Support for Windows 7 Finally Comes to an End

Microsoft is stopping free support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 on January 14, 2020, meaning no more patches will be released to fix vulnerabilities in the operating systems. Support for Office 2010 has also come to an end.

The operating systems will be up to date as of January 14, 2020 and all known vulnerabilities will have been fixed, but it will only be a matter of time before exploitable vulnerabilities are discovered and used by cybercriminals to steal data and deploy malware.

Even though Microsoft has given a long notice period that the operating system was reaching end of life, it is still the second most used operating system behind Windows 10. According to NetMarketShare, 33% of all laptop and desktop computers were running Windows 7 in December 2019.

Many healthcare organizations are still using Windows 7 on at least some devices. The continued use of those devices after support is stopped places them at risk of cyberattacks and violating the HIPAA Security Rule.

The natural solution is to update Windows 7 to Windows 10, although that may not be straightforward. In addition to purchasing licenses and upgrading the operating system, hardware may also have to be upgraded and some applications may not work on newer operating systems. The upgrade is therefore likely to be a major undertaking that may take a great deal of time.

If upgrading Windows 7 devices and Windows 2008 servers is not possible, steps should be taken to protect the devices and reduce the likelihood of a compromise and the impact of a cyberattack.

Steps to take to reduce the likelihood of a compromise include preventing the Windows 7 devices from accessing untrusted content. That means not using the devices for accessing email and browsing the internet and portable storage devices and removable media should not be used.

Local administrator rights should be removed from all Windows 7 devices and firewall protection should be strengthened. The devices should not be used for accessing sensitive data, such as protected health information and any sensitive data stored on the devices should be moved to devices running supported operating systems.

Since there is a greater chance of a malware infection on devices running unsupported operating systems, it is essential for anti-virus software to be installed and for it to be kept up to date. Regular scans should be conducted on the devices for malware and the devices should be monitored for potential cyberattacks in progress.

Microsegmentation can help to limit the harm caused in the event of a compromise. All devices running unsupported operating systems should be isolated from other networks and the devices should only be allowed to access critical services. Access to core servers and systems should be removed. It is also strongly advisable to review and revise business continuity plans to ensure that in the event of a compromise, critical business operations can continue. While it is costly to pay for extended support it is strongly recommended.

These measures can reduce risk, but they will not eliminate it. Organizations should therefore be accelerating their plans to upgrade their operating systems and hardware. Moving to a supported operating system is the only way to ensure devices remain secure.

The post Support for Windows 7 Finally Comes to an End appeared first on HIPAA Journal.

Hospital Employee Pleads Guilty to Five-Year Account Hacking Spree

The U.S. Department of Justice (DOJ) has announced that a former employee of a New York City hospital has pleaded guilty to using malicious software to obtain the credentials of coworkers, which he subsequently misused to steal sensitive information.

Richard Liriano, 33, of the Bronx, New York, was IT worker at the unnamed NYC hospital. As an IT worker, Liriano had administrative-level access to computer systems. He misused those access rights to steal information, which he copied onto his own computer for personal use.

He used a keylogger to obtain the credentials of dozens of co-workers at the hospital between 2013 and 2018. Those credentials allowed Liriano to login to coworkers’ computers and online accounts and obtain sensitive information such as tax documents, personal photographs, videos, and other private documents and files. Other malicious software was also used to spy on his coworkers.

Liriano stole credentials to coworkers’ personal webmail accounts, social media accounts, and other online accounts. Liriano also gained access to hospital computers containing sensitive patient information. According to the DOJ, Liriano’s computer intrusions cost his employer around $350,000 to remediate.

Between 2013 and 2018, Liriano accessed coworkers’ computers and personal accounts on multiple occasions looking for sensitive information. The majority of his 70+ victims were female. The DOJ reports that Liriano conducted searches of their personal accounts looking for sexually explicit photos and videos.

The computer intrusions were discovered and Liriano was arrested on November 14, 2019. On December 20, 2019, Liriano pleded guilty to one count of transmitting a program to a protected computer to intentionally cause damage.

“Liriano’s disturbing crimes not only invaded the privacy of his coworkers; he also intruded into computers housing vital healthcare and patient information, costing his former employer hundreds of thousands of dollars to remediate,” said  Geoffrey S. Berman, the United States Attorney for the Southern District of New York. “He will now be held accountable for his actions.”

Liriano faces a maximum jail term of 10 years and has been scheduled to be sentenced on April 15, 2020 by U.S. District Judge Lewis A. Kaplan.

The post Hospital Employee Pleads Guilty to Five-Year Account Hacking Spree appeared first on HIPAA Journal.

HIPAA Enforcement in 2019

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services’ Office for Civil Right (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases.

2019 saw one civil monetary penalty issued and settlements were reached with 9 entities, one fewer than 2018. In 2019, the average financial penalty was $1,022,833.

HIPAA Enforcement in 2019 by the HHS' Office for Civil Rights

 

Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCRs preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to settle cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR’s advice, financial penalties are likely to be issued.

This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR discovered in both cases that HIPAA Rules had been violated. OCR chose to provide technical assistance to both entities rather than issue financial penalties, but the covered entities failed to act on the guidance and a financial penalty was imposed.

Sentara Hospitals disagreed with the guidance provided by OCR and refused to update its breach report to reflect the actual number of patients affected. West Georgia Ambulance was issued with technical guidance and failed to take sufficient steps to address the areas of noncompliance identified by OCR.

If you are told by OCR that your interpretation of HIPAA is incorrect, or are otherwise issued with technical guidance, it pays to act on that guidance quickly. Refusing to take corrective action is a sure-fire way to guarantee a financial penalty, attract negative publicity, and still be required to change policies and procedures in line with the guidance.

There were two important HIPAA enforcement updates in 2019. OCR adopted a new interpretation of the Health Information Technology for Economic and Clinical Health (HITECH) Act’s requirements for HIPAA penalties and a new enforcement initiative was launched.

The HITECH Act of 2009 called for an increase in the penalties for HIPAA violations. On January 25, 2013, the HHS implemented an interim final rule and adopted a new penalty structure. At the time it was thought that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. OCR determined that the most logical reading of the HITECH Act requirements was to apply the same maximum penalty of $1,500,000 per violation category, per calendar year to all four penalty tiers.

In April 2019, OCR issued a notice of enforcement discretion regarding the penalties. A review of the language of the HITECH Act led to a reduction in the maximum penalties in three of the four tiers. The maximum penalties for HIPAA violations were changed to $25,000, $100,000, and $250,000 for penalty tiers, 1, 2, and 3. (subject to inflationary increases).

2019 saw the launch of a new HIPAA Right of Access enforcement initiative targeting organizations who were overcharging patients for copies of their medical records and were not providing copies of medical records in a timely manner in the format requested by the patient.

The extent of noncompliance was highlighted by a study conducted by Citizen Health, which found that 51% of healthcare organizations were not fully compliant with the HIPAA Right of Access. Delays providing copies of medical records, refusals to send patients’ PHI to their nominated representatives or their chosen health apps, not providing a copy of medical records in an electronic format, and overcharging for copies of health records are all common HIPAA Right of Access failures.

The two HIPAA Right of Action settlements reached so far under OCR’s enforcement initiative have both resulted in $85,000 fines. With these enforcement actions OCR is sending a clear message to healthcare providers that noncompliance with the HIPAA Right of Access will not be tolerated.

Right of Access violations aside, the same areas of noncompliance continue to attract financial penalties, especially the failure to conduct a comprehensive, organization-wide risk analysis. 2019 also saw an increase in the number of cited violations of the HIPAA Breach Notification Rule.

HIPAA Compliance Issues Cited in 2019 Enforcement Actions

Noncompliance Issue Number of Cases
Risk Analysis 5
Breach Notifications 3
Access Controls 2
Business Associate Agreements 2
HIPAA Right of Access 2
Security Rule Policies and Procedures 2
Device and Media Controls 1
Failure to Respond to a Security Incident 1
Information System Activity Monitoring 1
No Encryption 1
Notices of Privacy Practices 1
Privacy Rule Policies and Procedures 1
Risk Management 1
Security Awareness Training for Employees 1
Social Media Disclosures 1

OCR’s HIPAA enforcement in 2019 also clearly demonstrated that a data breach does not have occurred for a compliance investigation to be launched. OCR investigates all breaches of 500 or more records to determine whether noncompliance contributed to the cause of a breach, but complaints can also result in an investigation and compliance review. That was the case with both enforcement actions under the HIPAA Right of Access initiative.

 

The post HIPAA Enforcement in 2019 appeared first on HIPAA Journal.

Discussion Draft of Federal Data Privacy Bill Released by House Energy and Commerce Committee

A discussion draft of a new bipartisan data privacy bill has been released by the House Energy and Commerce Committee. The bill calls for national standards for privacy and security and would place restrictions on the collection, use, and retention of consumer data by U.S. businesses.

The draft legislation calls for all businesses to have a privacy program and to publish a privacy policy, written in clear language, which explains what data will be collected, how it will be used, how long it will be retained, and with whom consumer information will be shared.

Data security measures would also need to be implemented, which should be appropriate for the size of the business and the nature and complexity of data activities. In the event of a breach of consumer information, businesses would be required to report the breach to the Federal Trade Commission.

The Federal Trade Commission has been tasked with creating a Bureau of Privacy which would be responsible for developing rules, issuing guidance, and enforcing compliance. The FTC would also need to set a data retention time frame and create rules covering the disclosure of personal information to third parties.

The bill would give consumers much greater control over their personal data and how it can be used by businesses. Consumers will have the right to view and correct their data, control who can access their personal information, and request that businesses delete their personal information.

To help consumers find out which businesses have their personal information, the draft legislation calls for the creation of a centralized repository of data brokers. Consumers could use that repository and find out who holds a copy of their data and find out how they can exercise their right to access that data, make corrections, and arrange for their personal data to be deleted.

“This draft seeks to protect consumers while also giving data collectors clear rules of the road. It reflects many months of hard work and close collaboration between Democratic and Republican Committee staff,” explained a spokesperson for the Energy and Commerce Committee.

The release follows a Senate Commerce Committee hearing in which two data privacy bills proposed by Senate Commerce Committee Chairman, Roger Whicker (R-Miss) and Senator Maria Cantwell (D-Wash) were discussed. Both camps could not reach a consensus on what should be included in the bill, but it was agreed that the only way forward was for bipartisan legislation to be passed.

Two of the sticking points from the competing bills was whether the federal privacy bill should preempt state laws and if a private cause of action should be included. Sen. Cantwell’s bill calls for a private cause of action to allow consumers to sue companies for privacy violations, which is opposed by Congressman Wicker. Wicker’s bill calls for the new federal privacy law to replace state laws, whereas Sen. Cantwell wants state laws to be retained to provide greater protection for consumers. The discussion draft of the bill avoids both of these issues.

Feedback is being sought from industry stakeholders on the draft legislation. Comments will be accepted until the middle of January 2020.

The post Discussion Draft of Federal Data Privacy Bill Released by House Energy and Commerce Committee appeared first on HIPAA Journal.

DoE and OCR Issue Updated Guidance on Sharing Student Health Records under FERPA and HIPAA

The Department of Education and the Department of Health and Human Services’ Office for Civil Rights have issued updated guidance on the sharing of student health records under the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).

The guidance document was first released in November 2008 to help school administrators and healthcare professionals understand how FERPA and HIPAA apply to student educational and healthcare records. The guidance includes several Q&As covering both sets of regulations. Further questions and answers have been added to clear up potential areas of confusion about how HIPAA and FERPA apply to student records, including when it is permitted to share student records under FERPA and the HIPAA Privacy Rule without first obtaining written consent.

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. HIPAA does not usually apply to schools, since health information collected by an educational institution would usually be classed as educational records under FERPA. The HIPAA Privacy Rule excludes educational records from the definition of protected health information, but there are instances where HIPAA and FERPA intersect.

The HIPAA Privacy Rule requires consent to be obtained prior to the sharing of health information for purposes other than treatment, payment, or healthcare operations. The guidance explains that in emergencies and situations when an individual’s health is at risk, educational institutions and healthcare providers may disclose a student’s health information to someone in a position to prevent or lessen harm, including to family, friends, caregivers, and law enforcement.

The guidance states that “Healthcare providers may share (protected health information) with anyone as necessary to prevent or lessen a serious and imminent threat to the health or safety of the individual, another person, or the public—consistent with applicable law (such as state statutes, regulations or case law) and the provider’s standards of ethical conduct.” It is also permissible to share psychotherapy notes and information about mental health issues and substance abuse disorder in certain situations. The update details the situations when these disclosures are permitted.

“This updated resource empowers school officials, healthcare providers, and mental health professionals by dispelling the myth that HIPAA prohibits the sharing of health information in emergencies,” said OCR Director Roger Severino.

The update also includes information on when protected health information or personally identifiable information can be shared about a student that poses a danger to themselves or others. Additionally, disclosures of health data to law enforcement and the National Instant Criminal Background Check System are also now included in the guidance.

“Confusion on when records can be shared should not stand in the way of protecting students while they are in school,” said U.S. Secretary of Education Betsy DeVos.  “This update will provide much-needed clarity and help ensure that students get the assistance they need, and school leaders have the information they need to keep students safe.”

The post DoE and OCR Issue Updated Guidance on Sharing Student Health Records under FERPA and HIPAA appeared first on HIPAA Journal.

November 2019 Healthcare Data Breach Report

In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). That represents a 36.5% decrease in reported breaches from October – The worst ever month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day.

600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November.

Largest Healthcare Data Breaches in November 2019

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Ivy Rehab Network, Inc. and its affiliated companies Healthcare Provider 125000 Hacking/IT Incident Email
Solara Medical Supplies, LLC Healthcare Provider 114007 Hacking/IT Incident Email
Saint Francis Medical Center Healthcare Provider 107054 Hacking/IT Incident Electronic Medical Record, Network Server
Southeastern Minnesota Oral & Maxillofacial Surgery Healthcare Provider 80000 Hacking/IT Incident Network Server
Elizabeth Family Health Healthcare Provider 28375 Theft Paper/Films
The Brooklyn Hospital Center Healthcare Provider 26312 Hacking/IT Incident Network Server
Utah Valley Eye Center Healthcare Provider 20418 Hacking/IT Incident Desktop Computer
Loudoun Medical Group d/b/a Comprehensive Sleep Care Center (“CSCC”) Healthcare Provider 15575 Hacking/IT Incident Email
Choice Cancer Care Healthcare Provider 14673 Hacking/IT Incident Email
Arizona Dental Insurance Services, Inc. d.b.a. Delta Dental of Arizona Health Plan 12886 Hacking/IT Incident Email

Causes of Healthcare Data Breaches in November 2019

Hacking/IT incidents dominated November’s breach reports and accounted for 63.6% of data breaches reported in November and 90.75% of the breached records (545,293). The average breach size was 25,966 records and the median breach size was 3,977 records.

There were 7 unauthorized access/disclosure breaches reported in November involving 16,586 healthcare records. The mean breach size was 2,369 records and the median breach size was 996 records.

There were 4 incidents involving the theft of 38,998 individuals’ protected health information. Two of the incidents involved electronic devices and two involved paper records. The mean breach size was 7,799 records and the median breach size was 3,237 records.

Phishing continues to be the most common cause of healthcare data breaches. 17 of the healthcare data breaches reported in November involved PHI stored in email accounts. The majority of those breaches were due to phishing attacks.

November 2019 Healthcare Data Breaches by Covered Entity Type

There were 28 healthcare provider data breaches reported in November and four breaches were reported by health plans. It was a good month for business associates, with only one breach reported, although a further two breaches had some business associate involvement.

 

November 2019 Healthcare Data Breaches by State

Data breaches were reported by covered entities in 19 states. California was the worst affected with 4 breaches, followed by Illinois, Missouri, New York, and Texas with three breaches each. Two breaches were reported by covered entities in Florida, North Carolina, and Pennsylvania, and there was one reported beach in each of Alaska, Arizona, Colorado, Connecticut, Indiana, Maryland, Michigan, Minnesota, Nebraska, Utah, and Virginia.

HIPAA Enforcement in November 2019

There were three financial penalties imposed on HIPAA-covered entities in November to resolve HIPAA violations.

University of Rochester Medical Center (URMC) settled its HIPAA violation case with OCR for $3,000,000. OCR launched an investigation after receiving two notifications about breaches due to lost or stolen devices. OCR investigated URMC in 2010 after the first device was lost and provided technical assistance. At the time, URMC recognized the high risk of storing ePHI on devices and the need for encryption, yet this was not implemented, and unencrypted portable electronic devices continued to be used. When OCR investigated the subsequent theft of a laptop computer, its investigators found URMC had failed to conduct an organization-wide risk analysis, risks had not been reduced to a reasonable and appropriate level, and URMC had not implemented appropriate device media controls.

Sentara Hospitals agreed to settle its HIPAA violation case with OCR for $2,175,000. OCR launched a compliance investigation in response to a complaint from a patient in April 2017. The patient had received a bill from Sentara containing another patient’s protected health information. Sentara Hospitals reported the breach as affecting 8 individuals, but OCR found that 577 letters had been misdirected to 16,342 different guarantors. Sentara Hospitals refused to update its breach report with the new total. OCR also found Sentara Hospitals had failed to enter into a business associate agreement with one of its vendors.

A substantial financial penalty was also imposed on The Texas Department of Aging and Disability Services (DADS). DADS had reported a breach of 6,617 patients’ ePHI to OCR in 2015. An error in a web application allowed ePHI to be accessed over the internet by individuals unauthorized to view the data. ePHI had been exposed for around 8 years. OCR investigated and found that DADS had failed to conduct an organization-wide risk analysis, there was a lack of access controls, and DADS failed to monitor information system activity. DADS settled the HIPAA violation case and paid a penalty of $1.6 million.

The post November 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

15 Million Customers Potentially Impacted by Ransomware Attack on Large Canadian Medical Testing Company

A major data breach has been reported by one of Canada’s largest medical testing and diagnostics companies. Toronto-based LifeLabs said hackers have potentially gained access to the personal and health information of up to 15 million customers, most of whom are in British Columbia and Ontario. The number of people potentially affected makes this one of the largest healthcare ransomware attacks to date. The privacy commissioners in both provinces said the scale of the attack “extremely troubling.”

After gaining access to its systems, the attackers deployed ransomware and encrypted an extensive amount of customer data. The cyberattack is still under investigation, so it is unclear what, if any, data has been stolen. It has been confirmed that the attackers gained access to parts of the system that contained the test results of around 85,000 Ontarians. The test results were from 2016 and earlier. No evidence has been found to suggest more recent test results, or medical test results from customers in other areas, have been compromised.

Some of those test results include highly sensitive health information that could potentially be used for blackmail. Other sensitive data potentially accessed includes names, email addresses, health card numbers, dates of birth, usernames, and passwords. To date, it appears that the compromised information has not been misused and the data does not appear to have been disclosed online. Based on the initial findings of the investigation, the risk to customers is believed to be low.

It is unclear whether LifeLabs had viable backups to restore the data, but the decision was taken to pay the ransom. The amount of the ransom has not been publicly disclosed. “We wanted to get the data back,” said LifeLabs chief executive Charles Brown. “We thought it was the smart thing to do because it was just in the best interests of our customers.”

Cybersecurity and computer forensics experts were engaged to secure its systems and determine the full scope of the attack. It may take some time to discover whether any customer data has been stolen by the attackers.

The attack is believed to have started on or before November 1, 2019, but the cyberattack was only disclosed to the public on December 17, 2019. Affected individuals are now being notified and have been offered one year of complimentary credit monitoring and identity theft protection services.

The post 15 Million Customers Potentially Impacted by Ransomware Attack on Large Canadian Medical Testing Company appeared first on HIPAA Journal.

Blue Cross Blue Shield of Minnesota Starts Correcting 200,000 Critical and Severe Vulnerabilities

Blue Cross Blue Shield of Minnesota, the largest health insurer in the state, is now taking steps to fix around 200,000 unaddressed vulnerabilities on its servers that, in some cases, are more than a decade old.

In August 2018, Tom Yardic, a cybersecurity engineer at BCBS Minnesota discovered patches were not being applied on its servers, even though the vulnerabilities were rated critical or severe. The engineer met with executives at BCBS Minnesota to raise the alarm, yet no action appeared to be taken.

Around a month later, Yardic alerted the BCBS Minnesota board of trustees as a last resort to get action taken to address the flaws, according to a recent report in the Star Tribune.

According to the newspaper report, evidence was obtained that revealed vulnerabilities had not been addressed for many years. There were around 200,000 critical or severe vulnerabilities that had not been addressed on approximately 2,000 servers. Around 44% of the vulnerabilities were more than 3 years old and approximately 12% of the flaws dated back 10 or more years.

Approximately 3.9 million individuals are insured by BCBS Minnesota. The failure to correct the vulnerabilities in a reasonable time frame has placed their sensitive information at risk.

The Star Tribune spoke with officials at BCBS Minnesota who confirmed that work is now underway to correct the flaws and said it is trying to correct as many of the flaws as possible before the end of the year. According to the Star Tribune, “Minnesota Blue Cross did not dispute the accuracy of the number of past vulnerabilities” and said that the number of unaddressed vulnerabilities is now far lower and is much lower on workstations.

It is not surprising that a cybersecurity engineer has taken steps to get the flaws corrected. It is surprising that it took so long, especially following the cyberattacks on Anthem Inc., Premera Blue Cross, and Excellus BCBS in 2015 that resulted in the theft of the protected health information of more than 99.8 million Americans.

Surprisingly, given the sheer number of unaddressed vulnerabilities, BCBS Minnesota has never reported a data breach of its own systems since the HHS Office for Civil Rights started publishing summaries of data breaches on its breach portal in 2009.

The post Blue Cross Blue Shield of Minnesota Starts Correcting 200,000 Critical and Severe Vulnerabilities appeared first on HIPAA Journal.

Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership

Pressure is continuing to be applied on Google and its parent company Alphabet to disclose information about how the protected health information (PHI) of patients of Ascension will be used, and the measures put in place to ensure PHI is secured and protected against unauthorized access.

The partnership between Google and Ascension was announced on November 11, 2019 following the publication of a story in the Wall Street Journal. A whistleblower at Google had shared information with the WSJ and expressed concern that millions of healthcare records had been shared with Google without first obtaining consent from patients. It was also alleged that Google employees could freely download PHI.

In its announcement, Google stated that the collaboration – named Project Nightingale – involved migrating Ascension’s infrastructure to the cloud and that it was helping Ascension implement G Suite tools to improve productivity and efficiency. Patient data was also being provided to Google to help develop AI and machine learning technologies to improve patient safety and clinical quality. When the migration of data has been completed, Google will have access to the health data of around 50 million patients.

Google has confirmed it is a business associate of Ascension and has signed a business associate agreement and is fully compliant with HIPAA regulations, but many privacy advocates are concerned about the partnership. Several members of Congress have also expressed concern and are seeking answers about the safeguards that have been put in place to secure patient data and how patient data will be used. The HHS’ Office for Civil Rights has also confirmed it is investigating Google and Ascension to make sure HIPAA Rules have not been violated.

Earlier this month, Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, wrote to Google and Alphabet expressing concern about the partnership. She has demanded answers to several questions about how protected health information has been obtained, the measures put in place to protect patient data, and how Google will be using the PHI.

“As Google and parent company Alphabet have engaged in an ever-widening acquisition of the highly personal health-related information of millions of people, Americans now face the prospect of having their sensitive health information handled by corporations who may misuse it,” wrote Rep. Jayapal in her Dec 6, 2019 letter. “I am especially concerned that your company has not provided sufficient assurances that this sensitive data will be kept safe, and that patients’ data is being acquired by your companies without their consent and without any opt-out provision.”

Rep. Jayapal is particularly concerned about how that information will be used. Google is amassing huge quantities of healthcare data from several sources. Google’s healthcare-focused AI unit, Medical Brain, is actively acquiring health data, Alphabet has partnered with the Mayo Clinic, and Google has acquired the UK startup, DeepMind. NHS data has already been provided to Google. Google is also looking to acquire Fitbit, which holds health-related data on 25 million users of its wearable devices.

“The fact that Google makes the vast majority of its revenue through behavioral online advertising—creating an incentive to commoditize all user information—renders the company’s expansion into health services all the more troubling,” wrote Rep. Jayapal.

Rep. Jayapal also pointed out that Google does not have a blemish-free track record when it comes to protecting health and medical information, referencing one incident in which chest X-ray images from the National Institute of Health were almost posted online before Google realized they contained personally identifiable information. She also stated there is an active lawsuit that claims Google companies have obtained patient information from a major medical facility and DeepMind was found to have violated the Data Protection Act in the UK by using patient data to develop new apps.

Rep. Jayapal has given Google and Alphabet until January 5, 2020 to answer her questions, as detailed below:

The post Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership appeared first on HIPAA Journal.