Healthcare Data Privacy

January 2023 Healthcare Data Breach Report

January is usually one of the quietest months of the year for healthcare data breaches and last month was no exception. In January, 40 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights, the same number as in December 2022. January’s total is well below the 53 data breaches reported in January 2022 and the 12-month average of 58 data breaches a month.

For the second successive month, the number of breached records has fallen, with January seeing just 1,064,195 healthcare records exposed or impermissibly disclosed – the lowest monthly total since June 2020, and well below the 12-month average of 4,209,121 breached records a month.

Largest Healthcare Data Breaches in January 2023

In January there were 13 data breaches involving 10,000 or more records, 8 of which involved hacked network servers and email accounts. The largest data breach of the month affected Mindpath Health, where multiple employee email accounts were compromised. 5 unauthorized access/disclosure incidents were reported that impacted more than 10,000 individuals, three of which, including the month’s second-largest breach, at BayCare Clinic, were due to the use of tracking technologies on websites. The tracking code collected individually identifiable information, including health information, of website users and transmitted that information to third parties such as Google and Meta. Another notable unauthorized access incident occurred at the mobile pharmacy solution provider mscripts. Its cloud storage environment had been misconfigured, exposing the data of customers of its pharmacy clients on the Internet for 6 years.

| HIPAA-Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Community Psychiatry Management, LLC (Mindpath Health) | NC | Healthcare Provider | 193,947 | Compromised email accounts |
| BayCare Clinic, LLP | WI | Healthcare Provider | 134,000 | Impermissible disclosure of PHI due to website tracking technology |
| DPP II, LLC (Home Care Providers of Texas) | TX | Healthcare Provider | 125,981 | Ransomware attack (data theft confirmed) |
| Jefferson County Health Center (Jefferson County Health Department) | MO | Healthcare Provider | 115,940 | Hacked network server |
| UCLA Health | CA | Healthcare Provider | 94,000 | Impermissible disclosure of PHI due to website tracking technology |
| mscripts®, LLC | CA | Business Associate | 66,372 | PHI exposed due to misconfigured cloud storage |
| Circles of Care, Inc. | FL | Healthcare Provider | 61,170 | Hacked network server |
| Howard Memorial Hospital | AR | Healthcare Provider | 53,668 | Hacked network server |
| Stroke Scan Inc | TX | Healthcare Provider | 50,000 | Hacking incident – no public breach announcement |
| University of Colorado Hospital Authority | CO | Healthcare Provider | 48,879 | Hacking incident at business associate (Diligent) |
| Insulet Corporation | MA | Healthcare Provider | 29,000 | Impermissible disclosure of PHI due to website tracking technology |
| City of Cleveland | OH | Health Plan | 15,206 | Unauthorized access/disclosure incident – no public breach announcement |
| DotHouse Health Incorporated | MA | Healthcare Provider | 10,000 | Hacked network server |

Causes of January 2023 Healthcare Data Breaches

Just over half of the 40 data breaches reported in January were hacking/IT incidents, the majority of which involved hacked network servers. Ransomware attacks continue to be conducted, although the extent to which ransomware is used is unclear, as many HIPAA-regulated entities do not disclose the exact nature of their hacking incidents, and some entities have not made public announcements at all. Across the 23 hacking incidents, the records of 698,295 individuals were exposed or stolen. The average breach size was 30,361 records and the median breach size was 5,264 records.

There was an increase in unauthorized access/disclosure incidents in January, with 15 incidents reported. The nature of 7 of the unauthorized access/disclosure incidents is unknown at this stage, as announcements have not been made by the affected entities. 5 of the 15 incidents were due to the use of tracking technologies on websites and web apps. Across the 15 unauthorized access/disclosure incidents, 362,629 records were impermissibly accessed or disclosed. The average breach size was 24,175 records and the median breach size was 3,780 records. There were two theft incidents reported, one involving stolen paper records and one involving a stolen portable electronic device. Across those two incidents, 3,271 records were stolen. No loss or improper disposal incidents were reported.

Where Did the Data Breaches Occur?

Healthcare providers were the worst affected type of HIPAA-covered entity, with 31 reported data breaches; 5 data breaches were reported by health plans. While only 4 data breaches were reported by business associates of HIPAA-covered entities, 14 data breaches had business associate involvement. 10 of those breaches were reported by the covered entity rather than the business associate. The chart below shows the breakdown of data breaches based on where they occurred, rather than which entity reported the breach.

The chart below highlights the impact of data breaches at business associates. 23 data breaches occurred at health plans, involving almost 275,000 records. The 14 data breaches at business associates affected almost three times as many people.

Geographical Spread of January Data Breaches

California was the worst affected state with 7 breaches reported by HIPAA-regulated entities based in the state, followed by Texas with 6 reported breaches. January’s 40 data breaches were spread across 40 U.S. states.

| State | Breaches |
|---|---|
| California | 7 |
| Texas | 6 |
| Georgia, Massachusetts, Missouri & Pennsylvania | 3 |
| Florida, New York & North Carolina | 2 |
| Alabama, Arkansas, Colorado, Illinois, Indiana, Minnesota, New Jersey, Ohio & Wisconsin | 1 |

HIPAA Enforcement Activity in January 2023

The Office for Civil Rights announced one settlement in January to resolve potential violations of the HIPAA Right of Access. OCR investigated a complaint from a personal representative who had not been provided with a copy of her deceased father’s medical records within the allowed 30 days. It took 7 months for those records to be provided. Life Hope Labs agreed to pay a $16,500 financial penalty and adopt a corrective action plan that will ensure patients are provided with timely access to their medical records in the future. This was the 43rd penalty to be imposed under OCR’s HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. No HIPAA enforcement actions were announced by state attorneys general in January.

The post January 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Biden Administration Considers HIPAA Update to Better Protect Reproductive Health Information

The Biden Administration is considering new rulemaking to update HIPAA to better protect reproductive health information, following the Supreme Court Decision in Dobbs v. Jackson Women’s Health Organization, which removed the federal right to abortion and left it to individual states to decide on the legality of abortions for state residents. Currently, at least 24 U.S. states have implemented bans on abortions or are likely to do so, with 12 states already having a near-total ban.

The Health Insurance Portability and Accountability Act classes reproductive health information as protected health information (PHI), so uses and disclosures are restricted by the HIPAA Privacy Rule. Following the Supreme Court decision, the HHS issued guidance to HIPAA-regulated entities on how the HIPAA Privacy Rule applies to reproductive healthcare data, confirming uses and disclosures of reproductive health information are restricted, and that the information can only be used or disclosed without a valid patient authorization for purposes related to treatment, payment, or healthcare operations.

The HHS also confirmed that while the HIPAA Privacy Rule permits disclosures of PHI “as required by law,” the HIPAA Privacy Rule does not require such disclosures, and that ‘required by law’ is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law,” and that when such a disclosure is required, it is limited to the relevant requirements of such a law. There is concern, however, that disclosures of reproductive health information may be made by HIPAA-regulated entities to law enforcement in states that have imposed bans or severe restrictions on abortions to support enforcement of the bans and allow individuals seeking abortion care to be prosecuted.

There have been calls for HIPAA to be updated to improve privacy protections with respect to reproductive health information. Currently, there are restrictions on disclosures of certain subclasses of PHI such as psychotherapy notes and information related to substance use disorder (SUD) treatment records, and similar restrictions could potentially be applied to reproductive health information. It has now been confirmed that the Department of Health and Human Services has drafted Proposed Modifications to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (RIN 0945-AA20), and that proposal is currently under White House review. The HHS has also proposed a change to a rule introduced by the Trump Administration that made it easier for healthcare providers to decline to provide abortions due to religious objections.

The HHS has not released details of the proposed HIPAA update at this stage but has confirmed that prior to drafting the rule, the HHS participated in listening sessions and roundtable discussions with patients, healthcare providers, advocates, and state health officials and that the proposed rule was drafted under its statutory mandate to ensure non-discriminatory access to healthcare for all Americans.

The draft is not necessarily an attempt to impose restrictions on states that have introduced near-total bans on abortions and could be an attempt to ensure any actions by states are compliant with federal law. It is worth noting that even if the HIPAA Privacy Rule is updated to better protect reproductive health data, HIPAA only applies to HIPAA-regulated entities, and no HIPAA update would be able to guarantee privacy for individuals seeking abortion care. For instance, geolocation data from mobile phones would allow individuals to be tracked when they visit reproductive health clinics. Geolocation data is not protected by HIPAA, and disclosures of such information are not restricted by the HIPAA Privacy Rule.


State AGs Fine DNA Testing Lab $400,000 for Data Breach

DNA Diagnostics Center (DDC), one of the largest private DNA testing laboratories in the United States, has been fined a total of $400,000 by state attorneys general in Pennsylvania and Ohio for violations of state laws that contributed to a breach of the personal information of almost 46,000 Pennsylvania and Ohio residents, and approximately 2.1 million individuals across the United States.

The data breach that prompted the investigation was discovered by DDC on August 6, 2021, when suspicious activity was detected in some of its archived databases. The investigation determined the databases had been accessed by unauthorized individuals between May 24 and July 28, 2021, and certain files and folders had been removed. The databases contained the sensitive information of individuals who had received DNA testing services between 2004 and 2012, including 33,300 individuals in Pennsylvania and 12,600 individuals in Ohio. The information included sensitive customer information including names, Social Security numbers, and payment information.

The databases had been obtained from a company called Orchid Cellmark, which DDC acquired in 2012. The databases had been archived and were not used for any business purposes and, according to DDC, were inadvertently transferred as part of the acquisition, without the knowledge of DDC. Nine years after the acquisition, DDC was still unaware that the databases existed in its systems. DDC said it had conducted penetration tests and an inventory assessment prior to the data breach occurring, but those assessments and tests only identified active customer data and did not reveal the presence of the archived databases on its systems.

Prior to the data breach, DDC contracted with a third-party service provider to conduct data breach monitoring. That company detected the data breach and attempted to contact DDC on multiple occasions via automated email alerts, but employees failed to respond for two months. During those two months, malware – Cobalt Strike – was installed on the network and data was exfiltrated. The breach investigation confirmed that an unauthorized third party had logged on via a VPN on May 24, 2021, using a DDC user account. Active Directory credentials were harvested from a Domain Controller that provided password information for each account in the network. The VPN used by the threat actor was not in use at DDC, which had migrated to a new VPN. The unauthorized third party used a test account with admin privileges to achieve persistent access and execute Cobalt Strike within its network. Five servers were compromised that contained backups of 28 databases, and a decommissioned server was used to exfiltrate the data. The threat actor then contacted DDC and demanded payment for the return and deletion of the stolen data, and payment was made.

The investigation by the state attorneys general found DDC had “engaged in deceptive or unfair business practices by making material misrepresentations in its customer-facing privacy policy concerning the safeguarding of its customers’ personal information.” It was also alleged that DDC failed to employ reasonable measures to detect and prevent unauthorized access to its computer networks, and as such, engaged in unfair and deceptive cybersecurity practices which exposed customer data to unauthorized access and theft. The state AGs ruled that those failures constituted unfair trading practices and violations of state Consumer Protection Law.

DDC chose to settle the investigations with no admission of wrongdoing. Under the terms of the settlement, DDC agreed to pay $200,000 to Pennsylvania and $200,000 to Ohio, implement and maintain a comprehensive information security program, conduct comprehensive risk assessments at least annually, allocate risk-appropriate resources to protect the personal information of consumers, and conduct an information security program assessment at least annually to review the effectiveness of the information security program.

“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” said Acting Attorney General Henry. “That’s why my Office took action with the assistance of Attorney General Yost in Ohio. I am proud of the work our agents and attorneys do every day to protect Pennsylvanians’ most sensitive information.”


Democratic Senators Propose Update to HIPAA to Ban Abortion-Related PHI Disclosures Without Patient Consent

Two Democratic U.S. Senators – Michael Bennet (D-CO) and Mazie Hirono (D-HI) – have introduced a bill that seeks to strengthen the privacy protections of the Health Insurance Portability and Accountability Act (HIPAA) for individuals seeking access to abortion care. The bill – the Secure Access for Essential Reproductive (SAFER) Health Act – was prompted by the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which removed the federal right to abortions and gave individual states the full power to regulate any aspect of abortion care not protected under federal law.

The senators are concerned that while patient privacy is protected under HIPAA, HIPAA permits healthcare providers to disclose patient information for legal investigations without patient consent, which means the sensitive health information of individuals seeking access to abortion care could be disclosed to law enforcement to allow those individuals to be prosecuted for attempting to terminate pregnancies.

In June 2022, in response to the Supreme Court decision, the Department of Health and Human Services issued guidance to HIPAA-covered entities and their business associates confirming that while the HIPAA Privacy Rule permits disclosures of protected health information, as required by law, without individual authorizations, the HIPAA Privacy Rule does not require such disclosures. The HHS also confirmed that disclosures of reproductive health information are also only permitted in very limited circumstances, and encouraged anyone who believes their privacy has been violated to file a complaint with OCR.

The SAFER Health Act seeks to improve protections further and prohibit healthcare professionals from sharing personal health information related to the termination or loss of pregnancy with the courts without a valid authorization from the patient and, if passed, would apply to federal, state, local, and tribal proceedings, including civil, criminal, administrative, and legislative proceedings. The Act calls for the HHS to revise HIPAA and health information technology regulations accordingly to allow the enforcement of this new requirement, and to conduct a national campaign to educate HIPAA-covered entities and their business associates about the revisions.

“No one should have to worry about being investigated or prosecuted for receiving or providing reproductive health care,” said Bennet. “This legislation will protect the privacy of patients who have had abortions, regardless of where they live or receive care.” Bennet, along with other Democratic senators, introduced the Freedom to Travel for Health Care Act in July 2022, to clarify that it is illegal for states that have implemented bans or restrictions on abortions to prohibit state residents from traveling across state lines to receive abortion care. Bennet was also one of several Democratic Senators to introduce the Let Doctors Provide Reproductive Health Care Act, which sought to protect doctors who provided legal abortions to out-of-state patients; however, both Acts failed to make it past the Senate.

“MAGA Republicans in states with abortion bans have made it very clear they want to prosecute women for seeking reproductive health care. One way they plan to do that is by weaponizing patients’ reproductive health information,” said Senator Hirono. “That is why I am proud to introduce the SAFER Health Act—legislation that would strengthen and expand HIPAA to protect women and ensure doctors cannot share personal reproductive health information to a court proceeding without patient consent.”


Senators Demand Answers from Telehealth Firms on Pixel-Related Data Sharing Practices

A bipartisan group of senators has written to three telehealth companies demanding answers about the use of third-party tracking technologies on their websites and details of the sensitive health data that they share with third parties such as Meta, Google, and social media networks.

In the summer of 2022, The Markup/STAT conducted an investigation into the use of tracking technologies on the websites of U.S. hospitals and found that around one-third of the hospitals investigated had these technologies on their websites. Website tracking code could capture and transmit identifiable health information to third parties, which could be further disclosed and used for targeted advertising. In December 2022, a similar investigation was conducted on the use of the code by telehealth companies. The investigation revealed 49 out of the 50 telehealth websites they investigated were sharing consumer data with third parties through pixels and other website tracking technologies, despite the companies maintaining that any information disclosed to them by consumers would be kept private and confidential.

Maria Cantwell (D-WA), Chair of the Senate Commerce Committee, Amy Klobuchar (D-MN), Susan Collins (R-ME), and Cynthia Lummis (R-WY) wrote to Cerebral in California, Monument in New York, and Workit Health in Michigan about these disclosures. The senators say the telehealth industry has been valued at over $30 billion and has allowed Americans to get easy access to the care they need, especially individuals in rural communities with limited physical access to healthcare facilities. However, the convenience of telehealth should not come at the expense of privacy, and sensitive health information should not be exposed to the world’s largest advertising ecosystem.

Cerebral operates a website that was used by more than 200,000 patients in 2020 and 2021. Users of its website are asked to complete medical questionnaires, which include questions about medical conditions such as depression, anxiety, and bipolar disorder. That information, along with details of the medications they purchase through the website, is sent to third parties who can monetize that information. Website users are told that their health data will remain private and confidential and are not informed about these disclosures.

Workit Health’s website was used by more than 20,000 individuals in 2021. Its users were similarly asked to complete medical questionnaires, including questions about substance use and mental health, and that information was discovered to have been shared with platforms such as Google and Facebook along with identifiable information. Workit Health stated on its website that any information shared by users would be kept private and would be protected by its HIPAA-compliant software.

Monument’s website was used by more than 30,000 patients in 2021. Users of the website were asked questions about mental health and alcohol use. Monument claims on its website that consumers’ health information is kept 100% confidential and that Monument is HIPAA compliant, but The Markup/STAT investigation revealed information was being shared with platforms such as Google and Facebook without the knowledge of website users.

The senators asked the telehealth companies to provide a list of all questions consumers may be asked, the types of information that are shared with third parties, and whether information has ever been shared with a third party that would allow an individual to be identified as seeking treatment for a specific mental health or substance abuse condition. They also asked the companies to commit to protecting patient privacy and informing patients, in clear, easy-to-understand, plain language, the exact types of information that will be shared with third parties and for what specific purposes.

Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance to HIPAA-regulated entities on the use of website tracking technologies. OCR confirmed that HIPAA-covered entities are not permitted to share protected health information via these tracking technologies unless consent to do so is obtained from individuals in advance, or if the provider of the technology is a HIPAA business associate, a valid business associate agreement is in place, and the disclosure is expressly permitted by the HIPAA Privacy Rule.

The Federal Trade Commission is also taking an interest in the use of these tracking technologies on health apps and websites and recently announced its intention to fine GoodRx, a provider of discounts for medications and telehealth services, $1.5 million for violations of the FTC Health Breach Notification Rule. GoodRx is alleged to have failed to notify consumers that their health information had been disclosed to third parties such as Facebook and Google after claiming users’ health data would be kept private.


Cedars-Sinai Medical Center Sued for Website Tracking Technology Privacy Violations

A lawsuit has been filed against Cedars-Sinai Medical Center alleging impermissible disclosures of patient data to Google, Meta, and other third parties due to the use of website tracking technologies without either a business associate agreement with the code providers or authorizations from patients. In the summer of 2022, an investigation into the use of these technologies revealed almost one-third of the top 100 hospitals in the United States had used pixels and other tracking code on their websites that were capable of collecting and transmitting sensitive data to the providers of that code. The Cedars-Sinai lawsuit is one of dozens filed against healthcare providers and other health-related companies in the past year over the use of tracking technologies on websites and mobile apps without user consent.

The widespread use of tracking technologies prompted the HHS’ Office for Civil Rights to issue guidance in December 2022 on the use of these technologies. The guidance confirmed that any tracking technologies that are capable of touching information protected by HIPAA can only be used if a valid, HIPAA-compliant business associate agreement is obtained from the provider of the code or if patient consent is obtained to share HIPAA-protected data.

The Cedars-Sinai Medical Center lawsuit was initially filed in California state court on December 30, 2022, but was moved to the U.S. District Court for Central California in Los Angeles on February 3, 2023. The lawsuit – John Doe v. Cedars-Sinai Health System and Cedars-Sinai Medical Center – alleges invasion of privacy, intrusion upon seclusion, negligence, breach of implied contract, breach of contract, and violations of the California Invasion of Privacy Act, California Confidentiality of Medical Information Act, and California Unfair Competition Law.

The lawsuit alleges the sensitive personal and health information of the plaintiff and other Cedars-Sinai patients was impermissibly disclosed to Google, Meta, and Microsoft Bing due to the use of tracking code on its website. The lawsuit states that Cedars-Sinai encourages patients to visit its website to research medical symptoms and health issues, identify doctors that can treat their specific health problems, and make appointments online. Doing so requires patients to disclose their symptoms and communicate highly sensitive medical information, which the plaintiff did in the belief that privacy was assured.

The tracking technologies added to the website recorded individually identifiable information based on user interactions and transmitted that information to unrelated companies, including Meta/Facebook, Google, Microsoft Bing, and social media platforms or businesses. According to the lawsuit, “this code served as real time wiretaps on patients’ communications,” and allowed marketing companies to use patients’ private information to target them with advertising related to their medical conditions, yet consent to collect and use private information for that purpose was not obtained, and patients were not informed about those uses and disclosures. The plaintiff is a Facebook user who has the ‘Keep Me Logged In’ feature of his Facebook account activated. He noticed an increase in health-related adverts since visiting the Cedars-Sinai website for further information on his medical condition. Some of the adverts he was served were specific to the medical condition he researched on the Cedars-Sinai website.

The lawsuit takes aim at Cedars-Sinai, not the providers of the pixels and code, whose terms and conditions state that use of the code in connection with health data is not permitted. For example, Google prohibits the use of Google Analytics code on the websites of HIPAA-covered entities and their business associates for any manner or purpose involving protected health information. The lawsuit claims that the inclusion of the tracking code has violated the privacy of patients and also constitutes a violation of the HIPAA Rules. The lawsuit seeks class action certification, a jury trial, compensatory and punitive damages, and injunctive relief.
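The telehealth and Cedars-Sinai findings above turn on the same mechanism: tag loaders and image beacons on a page that also carries a symptom or appointment form, sending what the visitor types or clicks to Meta, Google or Microsoft. As an added example (not code from the original page or from any organization named in it), here is a stdlib-only Python scanner a compliance team could run over its own page templates to flag such tags and the form fields they sit beside; the vendor host list and the sample page are constructed assumptions, not an exhaustive catalogue.

```python
"""Static scan of an HTML page for third-party tracking tags.

Constructed example: flags Meta Pixel, Google Tag Manager / Analytics and
Microsoft UET (Bing) loaders, plus the form fields a patient would fill in
on the same page, so a reviewer can see which pages need a BAA or a patient
authorization before a tag is allowed to stay.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: loader hosts of the vendors named in the text. Extend as needed.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta",
    "www.facebook.com": "Meta",          # /tr image beacon used in <noscript>
    "www.googletagmanager.com": "Google",
    "www.google-analytics.com": "Google",
    "bat.bing.com": "Microsoft",
}
# Inline snippets inject the loader dynamically, so also look for the call names.
INLINE_MARKERS = {"fbq(": "Meta", "gtag(": "Google", "uetq": "Microsoft"}
NON_DATA_INPUTS = {"hidden", "submit", "button", "reset"}


class TrackerScanner(HTMLParser):
    """Collects (vendor, evidence) tuples and the names of user-filled form fields."""

    def __init__(self):
        super().__init__()
        self.trackers = set()
        self.form_fields = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            # urlparse also handles protocol-relative "//host/path" sources.
            host = urlparse(a["src"]).netloc.lower()
            if host in TRACKER_HOSTS:
                self.trackers.add((TRACKER_HOSTS[host], f"<{tag} src> {host}"))
        if tag == "script":
            self._in_script = True
            self._script_buf = []
        if tag in ("input", "textarea", "select"):
            name = a.get("name") or a.get("id")
            if name and (a.get("type") or "text") not in NON_DATA_INPUTS:
                self.form_fields.append(name)

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._script_buf)
        for host, vendor in TRACKER_HOSTS.items():
            if host in body:
                self.trackers.add((vendor, f"inline loader {host}"))
        for marker, vendor in INLINE_MARKERS.items():
            if marker in body:
                self.trackers.add((vendor, f"inline call {marker}"))


def scan_page(html):
    """Return trackers found, form fields present and a coarse risk rating."""
    p = TrackerScanner()
    p.feed(html)
    p.close()
    trackers = sorted(p.trackers)
    if trackers and p.form_fields:
        risk = "high"      # tag can observe what the visitor enters
    elif trackers:
        risk = "medium"    # tag observes page views / URLs only
    else:
        risk = "none"
    return {"trackers": trackers, "form_fields": p.form_fields, "risk": risk}


# Constructed sample: a "find a doctor" page with gtag, Meta Pixel and a form.
SAMPLE_PAGE = """<!doctype html><html><head>
<title>Find a Doctor - Example Hospital (constructed sample)</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
<script>
  !function(f,b,e,v,n,t,s){/* pixel loader body omitted */}(window, document,
  'script', 'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script></head><body>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<form action="/appointments" method="post">
  <input type="text" name="patient_name">
  <input type="email" name="email">
  <textarea name="symptoms"></textarea>
  <select name="specialty"><option>Oncology</option></select>
  <input type="submit" value="Request appointment">
</form></body></html>"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE)
    print("risk:", report["risk"])
    for vendor, evidence in report["trackers"]:
        print(f"  {vendor:<10} {evidence}")
    print("form fields visible to the tags:", ", ".join(report["form_fields"]))
```

The scan is static, so it will not see tags injected later by a tag manager container; pairing it with a browser-side review of outbound requests closes that gap.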


FTC Issues First Financial Penalty for a Health Breach Notification Rule Violation

The Federal Trade Commission’s Health Breach Notification Rule requires vendors of personal health records and related entities to issue notifications to consumers in the event of a breach of unsecured personal records. The rule took effect in 2009, yet compliance has not been enforced. That has now changed. Yesterday, the FTC issued its first penalty for noncompliance with the Health Breach Notification Rule to the prescription drug provider, GoodRx Holdings Inc, which has been ordered to pay a financial penalty of $1.5 million.

In September 2021, the FTC issued a policy statement announcing its intention to start actively enforcing the Health Breach Notification Rule with a focus on health apps, which are generally not covered by HIPAA and data breaches are therefore not subject to the notification requirements of the HIPAA Breach Notification Rule. Two guidance documents – Health Breach Notification Rule: The Basics for Business – and Complying with FTC’s Health Breach Notification Rule – were published in January 2022 that clearly explained which entities are covered by the Health Breach Notification Rule, the types of events that require notifications to consumers, and how notifications should be issued. The first financial penalty was imposed almost a year to the day after the guidance was issued for the failure to notify consumers about unauthorized disclosures of their personal health information to Facebook, Google, Criteo, and others for advertising purposes.

GoodRx is a Santa Monica, CA-based provider of a telemedicine platform that includes a free-to-use website and mobile app that consumers can use to track prescription drug prices and obtain coupons that provide discounts on medications. The platform can also be used to arrange telehealth visits and access other health services. Users of the service provide personal and health information to GoodRx, which also collects data from pharmacy benefit managers when users make purchases using GoodRx coupons. Since January 2017, more than 55 million consumers have used the GoodRx website and mobile app.

Multiple Privacy Violations and Deceptive Business Practices

According to the FTC complaint, GoodRx violated the FTC Act and its own privacy policy by sharing the sensitive personal and health information of its users with tech firms and social media websites without notifying users about those disclosures or obtaining consent to do so.

GoodRx told users of its website and mobile app that their personal health information would never be shared with advertisers or other third parties; however, the FTC determined that since at least 2017 GoodRx repeatedly violated that promise and shared personal health information with third parties such as Facebook, Google, Criteo, Branch, Twilio, and others for advertising purposes, including information about users’ health conditions and their prescription medications.

The personal health information of users was monetized and the data shared with Facebook was used to target its own users with adverts on Meta platforms such as Facebook and Instagram. The FTC cited one such example from 2019 where GoodRx compiled lists of users who had purchased certain medications for heart disease and blood pressure, then uploaded their email addresses, phone numbers, and advertising IDs to Facebook to allow those users to be identified in order to serve them with targeted health-related advertisements.

GoodRx also permitted third parties such as Facebook to use the shared data for their own internal purposes, while falsely claiming compliance with Digital Advertising Alliance principles, which require consent to be obtained before using health information for advertising purposes. GoodRx also misrepresented HIPAA compliance by displaying a seal on its telehealth services homepage falsely claiming it was in compliance with the HIPAA Rules. The company also failed to implement appropriate policies and procedures to protect the personal and health information of its users, and only implemented formal, written privacy and data-sharing policies when its data practices were publicly revealed by a consumer watchdog in February 2020.

The FTC said GoodRx was in violation of the Health Breach Notification Rule for failing to notify consumers of the impermissible disclosures of their personal health information, and the severity of those violations warranted a financial penalty. In addition to the financial penalty, GoodRx is prohibited from sharing the health data of its users for advertising purposes, must obtain consent from users for any other data sharing, must direct the third parties to whom health data were disclosed to delete that information, and must implement a comprehensive privacy program. The proposed penalty is now awaiting approval from the federal court.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

The post FTC Issues First Financial Penalty for a Health Breach Notification Rule Violation appeared first on HIPAA Journal.

Lawsuit Alleges Christ Hospital Website Has Sent Patient Data to Meta

Earlier this month, a lawsuit was filed against The Christ Hospital in Cincinnati, OH, alleging third-party tracking code had been added to its website that was transmitting sensitive patient data to Meta and other third parties, without obtaining authorization from patients.

An investigation by The Markup last summer revealed one-third of the top 100 hospitals in the United States had Meta pixel tracking code on their websites, several of which were confirmed as having added the code to their password-protected patient portals. In some instances, the code was transmitting patient data to Meta, such as if website visitors were logged into their Facebook accounts while browsing the hospital websites. Tracking code is also provided by others, such as Google, which can similarly transmit data based on the interactions of users on websites.

Following the investigation, several healthcare organizations announced data breaches related to tracking technologies that have resulted in the impermissible disclosure of patient information. The HHS’ Office for Civil Rights recently issued guidance on the use of tracking technologies on hospital websites, confirming that these technologies have the potential to violate the HIPAA Rules, and the use of these technologies without patient authorizations or a business associate agreement is likely to be a reportable data breach. The Christ Hospital does not appear to have announced any such breach to date.

The lawsuit – Doe v. The Christ Hospital – was filed on January 10, 2023, by attorney James Eugene Burke III in Hamilton County Court but has since been moved to federal court. According to the lawsuit, The Christ Hospital website has a search engine that patients are encouraged to use to find physicians within its network, and patients can schedule appointments with those physicians online. The hospital website allegedly includes Meta Pixel and other third-party code, which collects information about the activities of website users and transmits that information to Meta and others, with the information potentially used to serve patients with targeted adverts on Facebook and other Meta platforms.

The lawsuit alleges patients who searched for cancer treatments, mental health care, and even sexually transmitted infections could be targeted with adverts related to their searches on the site. The lawsuit also alleges third-party code was included on the MyChart patient portal, which could potentially transmit communications with physicians to third parties without patient authorization, in violation of the HIPAA Rules.
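A defender-side check for the kind of third-party tracking code described above, added here as an example (not code from HIPAA Journal, the hospital, or any vendor): it inventories external script sources and inline JavaScript markers in a page's HTML and flags known Meta Pixel and Google tag loaders, so a covered entity can audit its own patient-facing pages before a pixel ends up on a portal or scheduling page. The watch-list and the sample page are constructed for illustration; the pixel and tag IDs in the sample are placeholders.

```python
"""Inventory third-party tracking code embedded in a web page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watch-list. The Meta Pixel loads from connect.facebook.net and is
# driven by fbq(); Google tags load from googletagmanager.com or
# google-analytics.com and are driven by gtag(). Extend for other vendors.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",           # /tr image beacon fallback
    "www.googletagmanager.com": "Google Tag",
    "www.google-analytics.com": "Google Analytics",
}
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google Tag"}


class _ScriptCollector(HTMLParser):
    """Collect external script/img/iframe sources and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.sources = []          # (tag, src) pairs
        self.inline = []           # text chunks from inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.sources.append((tag, src))
        if tag == "script" and not src:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def find_trackers(html):
    """Return sorted (vendor, evidence) pairs for trackers found in the HTML."""
    p = _ScriptCollector()
    p.feed(html)
    found = set()
    for tag, src in p.sources:
        # Relative paths (no scheme or //) have no host and are skipped.
        host = urlparse(src if "//" in src else "https://" + src).hostname or ""
        for suffix, vendor in TRACKER_HOSTS.items():
            if host == suffix or host.endswith("." + suffix):
                found.add((vendor, f"<{tag} src> {host}"))
    inline_text = "".join(p.inline)      # join chunks so markers are not split
    for suffix, vendor in TRACKER_HOSTS.items():
        if suffix in inline_text:        # loader URL written inside a snippet
            found.add((vendor, f"inline {suffix}"))
    for marker, vendor in INLINE_MARKERS.items():
        if marker in inline_text:
            found.add((vendor, f"inline {marker}"))
    return sorted(found)


# Constructed sample resembling a physician-search page with tracking snippets.
SAMPLE_PAGE = """<html><head>
<script>!function(f,b,e,v,n,t,s){...}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-XXXXXXX');</script>
</head><body><form action="/find-a-doctor"><input name="q"></form></body></html>"""

if __name__ == "__main__":
    for vendor, evidence in find_trackers(SAMPLE_PAGE):
        print(f"{vendor:18s} {evidence}")
```

Run it against a saved copy of each page that handles search terms, appointment requests, or portal logins; any hit on such a page is the signal that a disclosure review (and, per the OCR guidance cited on this page, possibly a breach assessment) is needed.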

The lawsuit names Jane Doe as plaintiff and seeks class action status to cover all similarly affected patients. The lawsuit seeks a jury trial, punitive charges, and damages in excess of $25,000. The Christ Hospital maintains it is not selling patient data to Meta or other third parties and is investigating the claims made in the lawsuit.


2022 Healthcare Data Breach Report

For the first time since 2015, there was a year-over-year decline in the number of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), albeit only by 1.13% with 707 data breaches of 500 or more records reported. Even with that reduction, 2022 still ranked as the second-worst-ever year in terms of the number of reported breaches.

As the year drew to an end, data breach numbers started to decline from a high of 75 data breaches in October. Time will tell whether this trend will continue in 2023, although the lull in data breaches appears to have continued so far this year with an atypically low number of breaches currently showing on the OCR data breach portal this month.

In addition to the slight reduction in reported data breaches, there was also a drop in the number of breached records, which fell by 13.15% from 54.09 million records in 2021 to 51.9 million records in 2022.

The theft of protected health information places patients and health plan members at risk of identity theft and fraud, but by far the biggest concern is the threat to patient safety. Cyberattacks on healthcare providers often cause IT system outages, which in many cases have lasted several weeks causing considerable disruption to patient care. While there have not been any known cases of cyberattacks directly causing fatalities, the lack of access to patient data causes diagnosis and treatment delays that affect patient outcomes. Multiple studies have identified an increase in mortality rates at hospitals following ransomware attacks and other major cyber incidents.

These cyberattacks and data breaches result in huge financial losses for healthcare organizations. The 2022 IBM cost of a data breach report indicates the average cost of a healthcare data breach increased to an all-time high of $10.1 million in 2023, although data breaches can be significantly more expensive. In addition to the considerable breach remediation costs, security must be improved, cyber insurance premiums increase, and it is now common for multiple class action lawsuits to be filed following data breaches. There is also a risk of financial penalties from regulators.

The largest ever healthcare data breach, suffered by Anthem Inc in 2015, affected 78.8 million members and cost the health insurer around $230 million in clean-up costs, $115 million to settle the lawsuits, $39.5 million to settle the state attorneys general investigation, and $16 million to resolve the OCR investigation. Even much smaller data breaches can prove incredibly costly. Scripps Health suffered a data breach of 1.2 million records in 2021 due to a ransomware attack. The attack caused losses in excess of $113 million due to lost business ($92 million) and the clean-up costs ($21 million). There are also several lawsuits outstanding and there could be regulatory fines.

Largest Healthcare Data Breaches in 2022

There were 11 reported healthcare data breaches of more than 1 million records in 2022 and a further 14 data breaches of over 500,000 records. The majority of those breaches were hacking incidents, many of which involved ransomware or attempted extortion. Notable exceptions were several impermissible disclosure incidents that resulted from the use of pixels on websites. These third-party tracking technologies were added to websites to improve services and website functionality, but the data collected was inadvertently transmitted to third parties such as Meta and Google when users visited the websites while logged into their Google or Facebook accounts. The extent to which these tracking technologies have been used by healthcare organizations prompted OCR to issue guidance on these technologies, highlighting the considerable potential for HIPAA violations.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| OneTouchPoint, Inc. | WI | Business Associate | 4,112,892 | Ransomware attack |
| Advocate Aurora Health | WI | Healthcare Provider | 3,000,000 | Pixel-related impermissible disclosure via websites |
| Connexin Software, Inc. | PA | Business Associate | 2,216,365 | Hacking incident and data theft |
| Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking incident and data theft |
| Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Ransomware attack |
| Baptist Medical Center | TX | Healthcare Provider | 1,608,549 | Malware infection |
| Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Pixel-related impermissible disclosure via websites |
| Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. | NC | Business Associate | 1,362,296 | Pixel-related impermissible disclosure via websites |
| North Broward Hospital District d/b/a Broward Health (“Broward Health”) | FL | Healthcare Provider | 1,351,431 | Hacking incident and data theft |
| Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Hacking incident and data theft |
| Doctors’ Center Hospital | PR | Healthcare Provider | 1,195,220 | Ransomware attack |
| Practice Resources, LLC | NY | Business Associate | 942,138 | Hacking incident and data theft |
| Wright & Filippis LLC | MI | Healthcare Provider | 877,584 | Ransomware attack |
| Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking incident and data theft |
| MCG Health, LLC | WA | Business Associate | 793,283 | Hacking incident and data theft |
| Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Ransomware attack |
| SightCare, Inc. | AZ | Health Plan | 637,999 | Hacking incident and data theft |
| CommonSpirit Health | IL | Business Associate | 623,774 | Ransomware attack |
| Metropolitan Area EMS Authority dba MedStar Mobile Healthcare | TX | Healthcare Provider | 612,000 | Ransomware attack |
| Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Ransomware attack |
| Morley Companies, Inc. | MI | Business Associate | 521,046 | Ransomware attack |
| Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | Adaptive Health Integrations |
| Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacking incident and data theft |
| Health Care Management Solutions, LLC | WV | Business Associate | 500,000 | Hacking incident and data theft |
| OakBend Medical Center / OakBend Medical Group | TX | Healthcare Provider | 500,000 | Ransomware attack |

While 2022 saw some very large data breaches reported, the majority of reported data breaches were relatively small. 81% of the year’s data breaches involved fewer than 50,000 records, and 58% involved between 500 and 999 records.

Hacking incidents dominated the breach reports, with 555 of the 707 reported breaches (71.4%) classified as hacking/IT incidents, which accounted for 84.6% of all breached records in 2022. The average breach size was 79,075 records and the median breach size was 8,871 records. There were 113 unauthorized access/disclosure breaches reported in 2022, accounting for 14.5% of the breached records. The average breach size was 66,610 records due to some large pixel-related data breaches, and the median breach size was 1,652 records.

Theft (23 breaches) and loss (12 breaches) incidents were reported in relatively low numbers, continuing a downward trend from these once incredibly common data breaches. The downward trend is due to better control of devices and the use of encryption. The average breach size was 13,805 records and the median breach size was 1,704 records. There were four incidents involving the improper disposal of devices containing PHI and physical records. The average breach size was 1,772 records and the median was 1,021 records.

The high number of hacking incidents is reflected in the chart below, which shows the location of breached protected health information. Compromised email accounts remain a major source of data breaches, highlighting the importance of multi-factor authentication and training employees on how to recognize the signs of phishing.

Which Entities Suffered the Most Data Breaches?

The raw data on the OCR breach portal understates the extent to which business associate data breaches are occurring, since a breach at a business associate is often reported by the affected covered entity rather than by the business associate itself. Factoring in business associate involvement gives a more accurate gauge. In 2022, 127 data breaches were self-reported by business associates, but there were 394 reported data breaches where business associates were involved – a 337% increase since 2018. Last year, data breaches at business associates outnumbered data breaches at healthcare providers for the first time.

Several major business associate data breaches were reported to OCR in 2022, with some of the data breaches affecting several hundred healthcare organizations. A data breach at the debt collections company, Professional Finance Company, affected 657 of its healthcare clients and involved more than 1.91 million healthcare records. Eye Care Leaders, a provider of electronic health records to eye care providers, suffered a cyberattack that affected at least 41 eye care providers and exposed the data of almost 3.65 million patients.

The graph below shows the sharp increase in data breaches at business associates in recent years. There are several reasons for the increase. Hackers have realized the value of conducting attacks on business associates. One successful attack can provide access to the data, and sometimes networks, of all of the vendor’s clients. Healthcare organizations are now using more vendors to manage administrative functions and risk increases in line with the number of vendors. As more vendors are used, it becomes harder to monitor cybersecurity at the vendors. Managing third-party risk is one of the biggest challenges for healthcare organizations in 2023.

Data breaches by HIPAA-regulated entity type, 2009 to 2022

Where Did the Data Breaches Occur?

Healthcare data breaches were reported by HIPAA-regulated entities in 49 states, Washington D.C., and Puerto Rico in 2022. Alaska was the only state to survive the year with no reported data breaches. In general, the most populated states suffer the most data breaches. In 2022, the 10 most populated U.S. states all ranked in the top 15 worst affected states, although it was New York rather than California that topped the list with 68 reported breaches.

| State | Breaches |
|---|---|
| New York | 68 |
| California & Texas | 52 |
| Florida & Pennsylvania | 38 |
| New Jersey | 27 |
| Georgia | 26 |
| Michigan, Virginia & Washington | 24 |
| Ohio | 23 |
| Illinois & North Carolina | 22 |
| Tennessee | 17 |
| Arizona & Maryland | 16 |
| Massachusetts & Wisconsin | 15 |
| Colorado | 14 |
| Connecticut, Indiana & Missouri | 13 |
| Alabama | 11 |
| Kansas, Oklahoma & South Carolina | 9 |
| Arkansas, New Hampshire & West Virginia | 8 |
| Nebraska & Oregon | 7 |
| Minnesota | 6 |
| Utah | 5 |
| Delaware, Nevada & Rhode Island | 4 |
| Hawaii, Kentucky, Louisiana, Mississippi, Montana, South Dakota & Vermont | 3 |
| Iowa, Idaho, Maine, New Mexico & Washington D.C. | 2 |
| North Dakota & Wyoming | 1 |
| Alaska | 0 |

HIPAA Enforcement in 2022

HIPAA is primarily enforced by OCR, with state attorneys general also assisting with HIPAA enforcement. OCR imposed more financial penalties for HIPAA violations in 2022 than in any other year to date, with 22 investigations resulting in settlements or civil monetary penalties.

OCR has limited resources for investigations but does investigate all breaches of 500 or more records. That task has become increasingly difficult due to the increase in data breaches, which have tripled since 2010. Despite the increase in data breaches, OCR’s budget for HIPAA enforcement has hardly increased at all, aside from adjustments for inflation. As of January 17, 2022, OCR had 882 data breaches listed as still under investigation. 97% of all complaints and data breach investigations have been successfully resolved.

Some investigations warrant financial penalties, and while the number of penalties has increased, the penalty amounts for HIPAA violations have been decreasing. Most of the financial penalties in 2022 were under $100,000.

HIPAA Settlements and Civil Monetary Penalties 2008-2022

Since 2019, the majority of financial penalties imposed by OCR have been for HIPAA right of access violations, all of which stemmed from complaints from individual patients who had not been provided with their medical records within the allowed time frame. OCR continues to pursue financial penalties for other HIPAA violations, but these penalties are rare.

2022 HIPAA Settlements and Civil Monetary Penalties

| Regulated Entity | Penalty Amount | Type of Penalty | Reason |
|---|---|---|---|
| Health Specialists of Central Florida Inc | $20,000 | Settlement | HIPAA Right of Access failure |
| New Vision Dental | $23,000 | Settlement | Impermissible PHI disclosure, Notice of Privacy Practices, releasing PHI on social media |
| Great Expressions Dental Center of Georgia, P.C. | $80,000 | Settlement | HIPAA Right of Access failure (time/fee) |
| Family Dental Care, P.C. | $30,000 | Settlement | HIPAA Right of Access failure |
| B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental | $25,000 | Settlement | HIPAA Right of Access failure |
| New England Dermatology and Laser Center | $300,640 | Settlement | Improper disposal of PHI, failure to maintain appropriate safeguards |
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals |
| Dr. Brockley | $30,000 | Settlement | HIPAA Right of Access |
| Jacob & Associates | $28,000 | Settlement | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer |
| Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. | $50,000 | Civil Monetary Penalty | Impermissible disclosure on social media |
| Northcutt Dental-Fairhope | $62,500 | Settlement | Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer |

HIPAA enforcement by state attorneys general is relatively rare. Only three financial penalties were imposed in 2022 by state attorneys general. In these cases, penalties were imposed for violations of the HIPAA Rules and state laws.

| State | Regulated Entity | Penalty | Penalty Type | Reason |
|---|---|---|---|---|
| Oregon/Utah | Avalon Healthcare | $200,000 | Settlement | Lack of safeguards and late breach notifications |
| Massachusetts | Aveanna Healthcare | $425,000 | Settlement | Lack of safeguards against phishing |
| New York | EyeMed Vision Care | $600,000 | Settlement | Multiple security failures |
