Healthcare Data Privacy

CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System

The Centers for Medicaid & Medicare Services (CMS) has discovered hackers have gained access to a health insurance system that interacts with the website and have accessed files containing the sensitive information of approximately 75,000 individuals.

On October 13, 2018, CMS staff discovered anomalous activity in the Federally Facilitated Exchanges system and the Direct enrollment pathway used by agents and brokers to sign their customers up for health insurance coverage. On October 16, the CMS confirmed there had been a data breach and a public announcement about the cyberattack was made on Friday October 19, 2018.

While the number of files accessed only represents a small fraction of the total number of consumer records stored in the system, it is still a sizable and serious data breach. The files contained information supplied by consumers when they apply for healthcare plans through agents and brokers, including names, telephone numbers, addresses, Social Security numbers, and income details.

While the CMS has confirmed that the files have been accessed by unauthorized individuals, it is currently unclear whether any files were actually stolen by the attackers.

The investigation into the cyberattack is ongoing and the CMS is currently working on implementing new security controls to prevent further attacks. The Direct Enrollment system has been temporarily taken offline to allow the security updates to be applied. The CMS expects the system to be offline for about a week. It will be back online for the upcoming enrollment period that commences on November 1.

“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma.

The CMS notes that the attack only affected the system used by agents and brokers. There has not been a breach of the website which is used by consumers to personally sign up for health insurance coverage. “I want to make clear to the public that and the Marketplace Call Center are still available,” said Verma.

The CMS will be sending notification letters to all individuals whose personal information has been exposed and will be providing further information on the steps they can take to prevent misuse of their data. The CMS will release further information about the breach as and when it becomes available.

The post CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System appeared first on HIPAA Journal.

Aetna Settles HIPAA Violation Case with State AGs

In 2017, errors occurred with two Aetna mailings that resulted in the impermissible disclosure of the protected health information of plan members, including HIV statuses and AFib diagnoses.

A class action lawsuit was filed on behalf of the victims of the HIV status breach which was settled for $17 million in January. Now Aetna has reached settlements with the attorneys general for New Jersey, Connecticut, and the District of Columbia to resolve the alleged HIPAA violations discovered during an investigation into the privacy breaches.

The first mailing was sent on July 28, 2017 by an Aetna business associate. Over-sized windowed envelopes were used for the mailing, through which it was possible to see the names and addresses of plan members along with the words “HIV Medications.” Approximately 12,000 individuals received the mailing.

In September, a second mailing was sent on behalf of Aetna to 1,600 individuals. This similarly resulted in an impermissible disclosure of PHI. In addition to names and addresses, the logo of an IMPACT AFib study was visible, which suggested the individual had been diagnosed with atrial fibrillation.

A multi-state investigation was launched to investigate potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws pertaining to the protected health information of state residents, including the Consumer Protection Procedures Act in DC and the New Jersey AIDS Assistance Act.

The investigation confirmed that in both cases there had been an impermissible disclosure of protected health information, that Aetna failed to protect consumers’ confidential health information, and that Aetna had deceived consumers about its ability to safeguard their health information.

Aetna has agreed to settlements with the State of Connecticut ($99,959), the District of Columbia ($175,000) and a civil monetary penalty of $365,211.59 will be paid to the State of New Jersey. Washington also participated in the investigation but has yet to decide on an appropriate settlement amount.

“Companies entrusted with individuals’ protected health information have a duty to avoid improper disclosures,” said New Jersey attorney general Gurbir Grewal. “Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again.”

“Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information. Today’s action will prevent further disclosures and warns other insurance companies that they are responsible for protecting consumers’ private information,” said, District of Columbia attorney general Karl A. Racine.

The post Aetna Settles HIPAA Violation Case with State AGs appeared first on HIPAA Journal.

Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised

This week, the Minnesota Department of Human Services has mailed letters to approximately 21,000 individuals on medical assistance to alert them to a possible breach of their protected health information (PHI) due to two recent phishing campaigns.

Two DHS employees’ email accounts have been confirmed as having been compromised as a result of the employees clicking on links in phishing emails. The investigation into the breach determined that the attackers accessed both email accounts although it was not possible to determine which, if any, emails in the account had been accessed or copied by the attackers.

Minnesota DHS has reason to believe that other employees may also have been targeted and could also have clicked on links in phishing emails, but it has not yet been confirmed whether their accounts have been breached. The investigation into the phishing attacks is ongoing.

The two email account breaches occurred on June 28 and July 9, 2018, although the IT department only determined that the accounts had been breached in August. Upon discovery of the phishing attack, both accounts were secured to prevent further access.

It has taken a considerable amount of time to conduct the investigation and determine which patients have been affected. That process required every single email in each account to be checked for patient information, hence the delay in issuing breach notification letters.

Most of the individuals affected by the breach had previously interacted with the State Medical Review Team, although some individuals who had received services from Minnesota DHS Direct Care and Treatment facilities also had some of their PHI exposed.

The PHI in the compromised email accounts included full names, addresses, telephone numbers, birth dates, Social Security numbers, educational records, medical information, employment information, and financial information.

“We immediately took steps to secure these accounts, and currently have no evidence that any information was actually viewed, downloaded or misused,” explained Minnesota DHS in a statement about the breach. “We take data privacy very seriously at DHS, and continue to work with our employees and partners to prevent cyberattacks.”

The post Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised appeared first on HIPAA Journal.

HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia

Following the presidential declaration of public health emergencies in the states of Florida and Georgia in the wake of hurricane Michael, secretary of the Department of Health and Human Services (HHS) Alex Azar has followed suit in both states and has exercised his authority to waive HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule in the disaster areas.

The HHS announced the public health emergency in Florida on October 9, and Georgia on October 11.

The HIPAA Privacy Rule does permit healthcare providers to share protected health information during disasters to assist patients and ensure they receive the care they need, including sharing information with friends, family members and other individuals directly involved in a patient’s care. The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief efforts without first obtaining permission from patients.

During natural disasters the HIPAA Privacy and Security Rules remain in effect, although following the secretarial declaration, sanctions and penalties against HIPAA covered entities have been waived for the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

The waiver only applies to qualifying hospitals in the emergency area for the period identified in the public health emergency declaration. Qualifying hospitals are permitted to take advantage of the waiver for up to 72 hours, provided their disaster protocol has been implemented.

The waiver is only in place for the 72-hour period or the duration of the public health emergency declaration, whichever terminates sooner. Once the 72-hour time period is over or the presidential or secretarial declaration terminates, the waiver ends, even for patients still under a hospital’s care.

“We are working closely with state health authorities and private sector partners from hospitals and other healthcare facilities to save lives and protect public health after Hurricane Michael,” said secretary Azar. The declarations will help to ensure that residents in both states have continuous access to the care they need.”

The HHS has said more than 400 medical and public health personnel have been moved into the disaster areas along with caches of medical equipment and a further 300 personnel from the National Disaster Medical Systems and the U.S. Public Health Service Commissioned Corps have been placed on alert. HHS teams will be providing medical services in shelters, assisting with disease surveillance, offering behavioral support to residents and responders, and will be helping to assess whether further federal medical and health support is required in the disaster areas.

HHS guidance on hurricane preparedness, response and recovery can be found here.

The post HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia appeared first on HIPAA Journal.

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss.

The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco.

In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information.

A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities.

It was alleged that the failure to ensure its system was secure meant that any information entered in the portal by patients was at risk of exposure and could potentially be obtained by unauthorized individuals. In November 2016, four months after the system went live, A.J. Boggs & Company took the system offline to correct the flaws.

However, in February 2017, the California Department of Health discovered that the flaws in its portal had been exploited and unauthorized individuals had gained access to the system and had downloaded the private and highly sensitive information of 93 patients with HIV or AIDS. Following the discovery, the contract with the firm was cancelled and a new state-run system was adopted.

The ADAP program provides states with federal funding to provide financial assistance to low-income individuals with HIV or AIDS to make HIV medications more affordable, extending access to Medicaid when patients earned too much. Any medical data breach is serious, although the disclosure of an individual’s HIV status is especially so.

“HIV is still a highly stigmatized medical condition,” said Scott Schoettes, HIV Project Director at Lambda Legal. “When members of already vulnerable communities — transgender people, women, people of color, undocumented people, individuals with low incomes — already face challenges in accessing health care, undermining the trust they have in the ADAP is not just a breach of security; it creates a barrier to care.”

Lambda Legal is seeking statutory and compensatory damages for the patient and is seeking class action status to allow the other 92 breach victims to be included in the lawsuit.

The post California HIV Patient PHI Breach Lawsuit Allowed to Move Forward appeared first on HIPAA Journal.

Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC

The Healthcare & Public Health Sector Coordinating Council (HSCC) has announced it will shortly issue voluntary cybersecurity best practices to help medical device manufacturers improve the security of their devices and help healthcare provider organizations improve security posture. HSCC will also publish a voluntary curriculum that can be adopted by medical schools to help them train clinicians how to manage electronic health records, medical devices, and IT systems in a secure and responsible way.

The announcement coincides with National Cyber Security Awareness Month and includes an update on the progress that has been made over the past 12 months and the work that the HSCC still intends to complete.

HSCC explained that the global cyberattacks of 2017 involving WannaCry and NotPetya malware served as a wake-up call to the healthcare industry and demonstrated the potential harm that could be caused if an attack proved successful. Many large companies were crippled by the attacks for weeks. Fortunately, the healthcare industry in the United States escaped the attacks relatively unscathed, although the National Health Service in the UK was badly affected and had its systems crippled.

Later in 2017, the Healthcare Industry Cybersecurity Task Force, which was set up following the passing of the Cybersecurity Act of 2015, submitted a report to Congress that included more than 200 recommendations for improving healthcare cybersecurity and preventing cyberattacks on healthcare organizations from succeeding.

Since the report was released, scores of healthcare industry stakeholders have joined the HSCC Cybersecurity Working Groups and Task Groups and have been working toward strengthening cybersecurity in the healthcare industry and improving privacy protections for patients.

HSCC held a multi-stakeholder meeting in February 2018 to improve coordination of efforts to address cybersecurity challenges and the HHS held a meeting in June 2018 where members of the HSCC Cybersecurity Working Group provided an update on progress and received further direction on key priorities.

HSCC notes that there is considerable momentum and great strides are being taken to improve healthcare cybersecurity. As detailed in September’s National Cyber Strategy, policymakers within the Administration and Congress are addressing cybersecurity threats and state that the government will work closely with the private sector to manage risks to critical infrastructure, including healthcare.

The Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2018 (H.R. 6378) now contains cybersecurity provisions and requires the HHS to submit its strategy to Congress for public health preparedness and response to address cybersecurity threats. A joint table-top exercise will also be conducted with the HHS covering a simultaneous flu pandemic and cascading ransomware attack.

“We recognize that patient safety has taken on a new dimension that demands our attention – the recognition that patient security requires cybersecurity,” explained HSCC. “The health sector is now organized and working to fortify the industry’s immune system against a cyber epidemic that has become as infectious as a human epidemic.”

The post Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC appeared first on HIPAA Journal.

Summary of Recent Healthcare Data Breaches

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities.

Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection

The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection.

On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data.

The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab test results, medications, driver’s license numbers, insurance billing information, bank routing numbers, bank account numbers, employee payroll data, and for Medicare patients, Social Security numbers.

Tillamook Chiropractic Clinic removed the malware on August 3, 2018 and has now modernized and upgraded its computer security systems and policies.

Gwinnett Medical Center Investigating Possible Hack

A possible data breach has occurred at Lawrenceville, GA-based Gwinnett Medical Center. The PHI of approximately 40 patients has been accessed by an unauthorized individual according to Gwinnett Medical Center spokeswoman Beth Hardy. Names, genders, and dates of birth were exposed on Twitter and notification letters are being sent to those 40 individuals to alert them to the breach.

However, the breach could be far larger. Steve Ragan at Salted Hash reported that a source at the medical center said threats had been received from the attackers and that the breach potentially impacts hundreds of patients. The attackers allegedly posted data on Twitter as they claimed the medical center was attempting to cover up the breach.

Gwinnett Medical Center has informed the FBI about the security breach and is still conducting investigations into the cyberattack.

Hardy said, “GMC takes cyber security very seriously and we are committed to maintaining the integrity, availability and confidentiality of our systems and data.”

Toyota Industries North America Breach Impacts 19,000 Individuals

Columbus, IN-based Toyota Industries North America (TINA) has announced that approximately 19,000 current and former employees and health plan participants of the TINA family of companies have been informed that some of their PHI has been exposed. An unauthorized individual succeeded in gaining access to a small number of company email accounts and potentially viewed/copied PHI.

The breach was discovered on August 30 and information security experts were called in to help secure its system and investigate the breach. A wide range of PII and PHI were present in the compromised email accounts including first and last names, home addresses, dates of birth, phone numbers, financial account information, social security numbers, photographs of social security cards, driver’s license numbers, photographs of driver’s licenses, email addresses, photographs of birth certificates, photographs of passports, treatment information, prescription information, diagnoses, health plan beneficiary numbers and portal usernames, passwords and security questions.

All affected individuals have been notified by mail and have been offered a year of free credit monitoring and identity theft protection services. TINA has taken several steps following the breach to improve security, including implementing multi-factor authentication, making real-time security monitoring enhancements, and revising its password protection and password resetting policies. TINA is also currently reviewing and updating user training and technology and security practices to reduce the risk of further email breaches.

722 Patients Affected by Kansas City Business Associate Mis-mailing Incident

The Kansas City, MO-based revenue cycle management company, Pulse Systems, has announced that the PHI of 722 patients of Lincoln Pulmonary and Critical Care in Nebraska has been impermissibly disclosed. An error was made sending statements on July 27 that resulted in individuals receiving statements intended for other patients. The statements included only included names and procedure information. Steps have now been taken to prevent similar errors from being made in the future and all affected individuals have been notified about the privacy breach.

Oklahoma Department of Human Services Mis-mailing Incident Affects 813 Individuals

More than 800 parents and guardians who were involved in a developmental disabilities services program run by the Oklahoma Department of Human Services (ODHS) have been notified that some of their PHI has been impermissibly disclosed as a result of a computer software error. The error resulted in envelopes being mis-addressed in Plan of Care change notice mailings sent between May 17 and July 25.

The mailings contained names, addresses, DHS case numbers, Medicaid client ID numbers, plan of care numbers, providers’ names, services authorized and beginning and end dates, and an explanation that the person is authorized to receive Medicaid Home and Community-Based Waiver Services. No Social Security numbers were disclosed.

ODHS believes 813 individuals have received mailings containing someone else’s information, although it is not possible to tell if any other individuals have been affected.

Email Account Breaches Result in Exposure of 16,000 Individuals’ PHI

Ransom Memorial Hospital in Ottawa, KS, has discovered an unauthorized individual has gained access to an as of yet undisclosed number of email accounts which have been determined to contain the PHI of 14,239 individuals. A further email account breach was detected by Lakewood, CO-based Personal Assistance Services of Colorado, which has resulted in the exposure of 1,839 individuals’ PHI.

The post Summary of Recent Healthcare Data Breaches appeared first on HIPAA Journal.

Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019.

The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring.

To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention.

Weighting factors used to produce the final top 10 list includes the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions that could realistically be taken to reduce any impact on patient care.

Unsurprisingly, given the volume of cyberattacks on healthcare organizations, the high potential for harm, and the number of individuals that could be affected, the remote accessing of healthcare systems by hackers was rated as the number one hazard for 2019.

There is considerable potential for the remote access functionality of medical devices and systems to be exploited by hackers. A cyberattack could render medical devices and systems inoperative or could degrade their performance, which could have a major negative impact on patient care and could place patients’ lives at risk. Cyberattacks could also result in the theft of health data, which could also have a negative effect on patients.

ECRI notes that while cyberattacks can have a negative impact on healthcare providers, resulting in reputation damage and significant fines, cybersecurity is also a critical patient safety issue.

Hackers can easily take advantage of unmaintained and vulnerable remote access systems to gain access to medical devices and healthcare systems. They can move laterally within the network and gain access to medical and nonmedical assets and connected devices and systems. Patient data can be stolen, malware installed, computing resources can be hijacked, and ransomware can be installed which could render systems inoperable. In the most part, these attacks are preventable.

“Safeguarding assets requires identifying, protecting, and monitoring all remote access points, as well as adhering to recommended cybersecurity practices, such as instituting a strong password policy, maintaining and patching systems, and logging system access,” suggests ECRI.

The full Top Ten List of Health Technology Hazards for 2019 are:

  1. Hackers Can Exploit Remote Access to Systems, Disrupting Healthcare Operations
  2. “Clean” Mattresses Can Ooze Body Fluids onto Patients
  3. Retained Sponges Persist as a Surgical Complication Despite Manual Counts
  4. Improperly Set Ventilator Alarms Put Patients at Risk for Hypoxic Brain Injury or Death
  5. Mishandling Flexible Endoscopes after Disinfection Can Lead to Patient Infections
  6. Confusing Dose Rate with Flow Rate Can Lead to Infusion Pump Medication Errors
  7. Improper Customization of Physiologic Monitor Alarm Settings May Result in Missed Alarms
  8. Injury Risk from Overhead Patient Lift Systems
  9. Cleaning Fluid Seeping into Electrical Components Can Lead to Equipment Damage and Fires
  10. Flawed Battery Charging Systems and Practices Can Affect Device Operation

The post Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards appeared first on HIPAA Journal.

FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

On October 1, 2018, the U.S. Food and Drug Administration released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook for healthcare delivery organizations to help them prepare for and respond to medical device cybersecurity incidents.

The playbook is intended to help healthcare delivery organizations develop a preparedness and response framework to ensure they are prepared for medical device security incidents, can detect and analyze security breaches quickly, contain incidents, and rapidly recover from attacks.

The playbook was developed by MITRE Corp., which worked closely with the FDA, healthcare delivery organizations, researchers, state health departments, medical device manufacturers and regional healthcare groups when developing the document.

The past 12 months have seen many vulnerabilities identified in medical devices which could potentially be exploited by hackers to gain access to healthcare networks, patient health information, or to cause harm to patients. While the FDA has not received any reports to suggest an attack has been conducted on medical devices to cause patients harm, the number of cyberattacks on healthcare organizations has increased significantly in recent years and concerns have been raised with the FDA about the potential for cybercriminals to attack patient medical devices.

“The playbook supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents,” said MITRE. “The playbook outlines how hospitals and other HDOs can develop a cybersecurity preparedness and response framework, which starts with conducting device inventory and developing a baseline of medical device cybersecurity information.”

In addition to releasing the guidance for HDOs, the FDA has developed its own internal playbook to ensure that it can respond rapidly to any medical device cybersecurity incident. “Our internal playbook establishes an effective and appropriate incident plan that’s flexible and clear. It aims to help the agency respond in a timely manner to medical device cybersecurity attacks – mitigating impacts to devices, healthcare systems and ultimately, patients,” said Scott Gottlieb, MD, Commissioner of the FDA.

The Playbook includes several recommendations for healthcare delivery organizations, although it may not be possible for all recommendations to be executed by healthcare delivery organizations due to operational constraints. However, the document does serve as a starting point for developing a response plan for medical device security incidents and will include recommendations that could be incorporated into existing disaster recovery plans.

The FDA has also announced it has signed two memoranda of understanding which will establish information sharing analysis organizations (ISAOs) that will be tasked with gathering, analyzing, and distributing important information about new cyber threats to medical device security. Through the sharing of timely information it is hoped that device manufacturers will be able to address security issues more rapidly before they can be exploited.

The FDA is also working closely with the Department of Homeland Security and is holding joint cybersecurity exercises to simulate attacks on medical devices with a view to improving medical device security. The FDA has also made significant updates to its premarket guidance for medical device manufacturers which is expected to be released in the next few weeks.

The Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook can be downloaded from MITRE on this link (PDF – 543.73 KB)

The post FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook appeared first on HIPAA Journal.