Healthcare Data Privacy

FTC and HHS Update Online Compliance Tool for Mobile Health App Developers

Developers of mobile health apps may be required to comply with certain federal laws such as the FTC Act, FTC Health Breach Notification Rule, Children’s Online Privacy Protection Act (COPPA), Health Insurance Portability and Accountability Act (HIPAA), Federal Food, Drug and Cosmetics Act (FD&C Act), the 21st Century Cures Act, and the ONC’s Information Blocking Regulations.

To help mobile health app developers avoid compliance missteps, the Federal Trade Commission (FTC), in conjunction with the Department of Health and Human Services’ Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), developed an online tool to help developers determine which federal laws and regulations they need to comply with.

The online tool asks a series of questions about the nature of the app, the service it provides, the information it collects, and how that information is collected, shared, and used. Based on the answers to the questions, the tool will direct the developer to the relevant federal regulatory privacy, security, and breach notification laws and regulations that may apply.

The tool should be used by any developer of a mobile app that accesses, collects, shares, uses, or maintains information related to an individual’s past, present, or future health. Even if a health app has not been developed for use by a HIPAA-covered entity, there may be one or more federal laws or regulations that apply. The tool will point developers to resources where they can find out more information about their compliance obligations, along with best practices to help them deliver a safe and accurate service while ensuring the privacy and security of the health information of app users.

On December 7, 2022, the HHS announced that the online Mobile Health App Interactive Tool has been updated. The updated version can be found here.

The post FTC and HHS Update Online Compliance Tool for Mobile Health App Developers appeared first on HIPAA Journal.

OCR Confirms Use of Website and Other Tracking Technologies Without a BAA is a HIPAA Violation

The HHS’ Office for Civil Rights has issued a bulletin confirming that the use of third-party tracking technologies on websites, web applications, and mobile apps without a business associate agreement (BAA) is a HIPAA violation if the tracking technology collects and transmits individually identifiable health information. Even with a BAA in place, the use of the tracking technology may still violate the HIPAA Rules.

The bulletin has been issued in response to the discovery earlier this year that Meta Pixel tracking code was being extensively used on the websites of hospitals and that the code snippet transferred data to Meta, including sensitive patient data. These privacy breaches came to light during an investigation by The Markup and STAT, which found Meta Pixel had been added to the websites of one-third of the top 100 hospitals in the United States and, in 7 cases, the code had been added to password-protected patient portals. The study was limited to the top 100 hospitals, so it is likely that hundreds of hospitals have used the code and have – in all likelihood unwittingly – transferred sensitive data to Meta/Facebook without a business associate agreement in place and without obtaining patient consent.

Following the publication of the report, several lawsuits were filed against healthcare providers over these impermissible disclosures, with some plaintiffs claiming the information disclosed on the websites of their healthcare providers had been transferred to Meta and was used to serve them targeted advertisements related to their medical conditions. The news came as a shock to healthcare providers, triggering investigations and recent data breach notifications; however, despite the widespread use of the tracking code, only a handful of hospitals and health systems have reported the breach and have sent notifications so far. The bulletin from the HHS is likely to trigger a flurry of breach notifications as providers realize that the use of Meta Pixel and other tracking code constitutes a HIPAA violation.

What are Tracking Technologies?

Tracking technologies are commonly snippets of code that are added to websites, web applications, and mobile apps for tracking user activity, typically for determining the journeys of users while using websites and monitoring their on-site interactions. The data collected by these technologies can be analyzed and used to improve the services provided through the websites and applications and enhance the user experience, which benefits patients. While there are benefits to individuals from the use of this code, there is also considerable potential for harm to be caused, as in addition to providing a HIPAA-regulated entity with useful information, the data collected through these technologies is usually transmitted to the vendor.

For instance, if a female patient arranged an appointment on the website of a healthcare provider to discuss the termination of a pregnancy, the information collected by the tracking technology on the site could be transmitted to the vendor, and subsequently disclosed to other third parties. That information could be provided to law enforcement or other third parties. Information disclosed in confidence by a patient on a website or web application could be transferred to a third party and be used for fraud, identity theft, extortion, stalking, harassment, or to promote misinformation.

In many cases, these tracking technologies are added to websites and applications without the knowledge of users, and it is often unclear how any disclosed information will be used by a vendor and to whom that transmitted information will be disclosed. These tracking technologies often use cookies and web beacons that allow individuals to be tracked across the Internet, allowing even more information to be collected about them to form detailed profiles. When tracking technologies are included in web applications, they can collect device-related information, including location data which is tied to a unique identifier for that device, through which a user could be identified.

All Tracking Technologies Must be HIPAA Compliant

There is nothing in HIPAA that prohibits the use of these tracking technologies, but the HIPAA Rules apply when third-party tracking technologies are used, if the tracking technology collects individually identifiable information that is protected under HIPAA and if it transmits that information to a third party, be that the vendor of the tracking technology or any other third party. If the tracking technology collects any identifiers, they are classed as protected health information because the information connects the individual to the regulated entity, indicating the individual has received or will receive health care services or benefits from the regulated entity, and that relates to the individual’s past, present, or future health or health care or payment for care.

There is an elevated risk of an impermissible disclosure of PHI when tracking technology is used on patient portals or any other pages that require authentication as these pages usually have access to PHI. If tracking code is added to these pages it must be configured in a way to ensure that the code only uses and discloses PHI in compliance with the HIPAA Privacy Rule, and that any information collected is secured in a manner compliant with the HIPAA Security Rule. Tracking code on unauthenticated pages also has the potential to have access to PHI. The same applies to tracking technologies within a HIPAA-regulated entity’s mobile apps, if it collects and transmits PHI. OCR confirmed that only mobile apps offered by healthcare organizations are covered by HIPAA. HIPAA does not apply to third-party apps that are voluntarily downloaded by individuals, even if the apps collect and transmit health information.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” explained OCR in the bulletin.

The OCR bulletin confirms that if tracking technologies are used, the provider of that code – which includes Meta Platforms (Meta Pixel) and Google (Google Analytics) – would be classed as a business associate and must enter into a business associate agreement (BAA) with the HIPAA-regulated entity before the code can be added to a website or application. The BAA must state the responsibilities of the vendor with respect to the PHI and specify the permitted uses and disclosures of that information. If the vendor will not sign a BAA, PHI cannot legally be provided to that vendor; therefore the code cannot be used, or it must be configured so that it does not collect or transmit PHI. OCR also confirmed that if a vendor states that it will strip out any identifiable information prior to saving or using the transferred data, such a disclosure to the vendor would still only be permitted if a BAA was signed and if the HIPAA Privacy Rule permits such a disclosure.

Other potential violations of HIPAA could occur. If any PHI is disclosed to a vendor, it must be in line with the organization’s privacy policy and be detailed in their Notice of Privacy Practices. It is important to note that simply stating that tracking technology is used in a notice of privacy practices is not sufficient by itself to ensure compliance. In addition to a BAA, any disclosure of PHI for a purpose not expressly permitted by the HIPAA Privacy Rule requires a HIPAA-compliant authorization from a patient, giving their consent to disclose that information. Website banners that ask a website visitor to consent to cookies and the use of web tracking technologies do not constitute valid HIPAA authorizations.

Actions HIPAA-Regulated Entities Should Take Immediately

In light of the bulletin, HIPAA-regulated entities should read it carefully to make sure they understand how HIPAA applies to tracking technologies. They should also conduct a review of any tracking technologies that they are using on their websites, web applications, or mobile apps to ensure those technologies are being used in a manner compliant with the HIPAA Rules. If they are not already, website tracking technologies must be included in a HIPAA-regulated entity’s risk analysis and risk management processes.

It is important to state that a tracking technology vendor is classed as a business associate under HIPAA, even if a BAA is not signed. As such, any disclosures to that vendor would be classed as an impermissible disclosure of PHI without a BAA in place, and the HIPAA-regulated entity would be at risk of fines and other sanctions if PHI is transmitted without a signed BAA.

If during the review a HIPAA-regulated entity discovers tracking technologies are being used in a manner not compliant with the HIPAA Rules, or have been in the past, then the HIPAA Breach Notification Rule applies. Notifications will need to be sent to OCR and the individuals whose PHI has been impermissibly disclosed.
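The review step described above, as an added example that is not code from the HIPAA Journal post, OCR, Meta or Google: an offline audit helper that inventories tracker code in a page's HTML (static script, image and iframe sources, loader URLs inside inline scripts, and the inline fbq/gtag bootstrap calls), rates findings on authenticated pages such as patient portals as higher risk, and lists the vendors that have no BAA on file. The tracker hostname list, the BAA list and the sample portal page are constructed assumptions for the example.

```python
"""Offline inventory of third-party tracking code in HTML pages."""
from dataclasses import dataclass
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Hostnames of the two vendors named in the OCR bulletin. Constructed,
# not exhaustive: extend with the vendors in your own inventory.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.google-analytics.com": "Google Analytics / Tag Manager",
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
}
# Inline bootstrap calls: the Pixel and gtag snippets inject their <script>
# at runtime, so a static src attribute is often absent from the HTML.
INLINE_PATTERNS = {
    "Meta Pixel": re.compile(r"\bfbq\(\s*['\"]init['\"]"),
    "Google Analytics / Tag Manager": re.compile(r"\bgtag\(\s*['\"]config['\"]"),
}
URL_LITERAL = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Finding:
    vendor: str
    evidence: str  # resource URL or inline call that triggered the finding
    severity: str  # "high" behind authentication (patient portals), else "medium"


class _TrackerParser(HTMLParser):
    """Collects external resource URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.urls.append(attrs["src"])
        elif tag == "script":
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def _vendor_for(host: str):
    return TRACKER_HOSTS.get(host.lower())


def audit_page(html: str, authenticated: bool) -> list:
    """Return one Finding per piece of tracker evidence found in `html`."""
    parser = _TrackerParser()
    parser.feed(html)
    severity = "high" if authenticated else "medium"
    findings = []
    for url in parser.urls:
        vendor = _vendor_for(urlparse(url).hostname or "")
        if vendor:
            findings.append(Finding(vendor, url, severity))
    for body in parser.inline:
        for match in URL_LITERAL.finditer(body):  # loader URLs inside scripts
            vendor = _vendor_for(match.group(1))
            if vendor:
                findings.append(Finding(vendor, match.group(0), severity))
        for vendor, pattern in INLINE_PATTERNS.items():
            match = pattern.search(body)
            if match:
                findings.append(Finding(vendor, match.group(0), severity))
    return findings


def vendors_without_baa(findings, signed_baas) -> list:
    """Vendors that received data but have no BAA on file: under the bulletin
    each is an impermissible disclosure if PHI reached them."""
    return sorted({f.vendor for f in findings} - set(signed_baas))


# Constructed sample: a patient-portal page carrying a typical Meta Pixel
# snippet (inline bootstrap plus <noscript> image fallback) and a gtag.js tag.
SAMPLE_PORTAL = """<html><head>
<script>
  !function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<h1>Upcoming appointments</h1>
</body></html>"""

if __name__ == "__main__":
    found = audit_page(SAMPLE_PORTAL, authenticated=True)
    for f in found:
        print(f"[{f.severity}] {f.vendor}: {f.evidence}")
    print("No BAA on file:", vendors_without_baa(found, signed_baas=[]))
```

Run it over saved copies of each page in scope, passing authenticated=True for portal pages; the output is an evidence list for the risk analysis, not proof that PHI was actually transmitted.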


HHS, SAMHSA Propose Update to Improve Alignment of HIPAA Privacy Rule and 42 CFR Part 2

The Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA) have issued a Notice of Proposed Rulemaking (NPRM) detailing changes to the Confidentiality of Substance Use Disorder (SUD) Patient Records (42 CFR Part 2) and HIPAA to increase care coordination and better align Part 2 with the HIPAA Privacy Rule, as required by Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

Part 2 protects patient privacy and records related to treatment for SUD and the HIPAA Privacy Rule is concerned with the privacy of protected health information (PHI); however, SUD records are treated differently from other types of PHI. The HIPAA Privacy Rule permits disclosures of protected health information without consent for treatment, payment, or healthcare operations, but Part 2 imposes greater restrictions on disclosures of SUD records. Generally, SUD records can only be disclosed by a SUD treatment provider if consent to do so is obtained from the patient. Further, even with a valid consent form, SUD treatment providers must include a written statement that the information cannot be redisclosed. This is because SUD records are particularly sensitive due to the stigma of substance abuse and the potential for discrimination, which can result in loss of insurance and employment.

Having to treat PHI and SUD records differently is problematic as it creates barriers to information sharing that is in the best interests of patients, and the dual compliance obligations create compliance challenges for regulated entities. “Varying requirements of privacy laws can slow treatment, inhibit care, and perpetuate negative stereotypes about people facing substance use challenges,” said HHS Secretary Xavier Becerra, hence the need for better alignment of Part 2 with the HIPAA Privacy Rule. It is important, however, to ensure patient privacy, as any lessening of the protections for SUD records could deter individuals suffering from SUD from seeking treatment, which could have life-threatening consequences.

The proposed rule strikes a balance between the need for strong privacy protections and having the flexibility to allow information sharing to improve care coordination. “One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” said Miriam E. Delphin-Rittmon, Ph.D., the HHS Assistant Secretary for Mental Health and Substance Use and the leader of SAMHSA. “Bringing Part 2 requirements into closer alignment with HIPAA will support more effective coordination for people accessing care. At the same time, the proposed rule mitigates the discrimination and stigma that we know too often people with SUDs experience.”

The key changes in the NPRM are:

  • Permitted use and disclosure of Part 2 records will be based on a single patient consent. Once that consent is given, it covers all future uses and disclosures for treatment, payment, and healthcare operations.
  • Redisclosure of Part 2 records will be permitted – with certain exceptions – if redisclosure is permitted by the HIPAA Privacy Rule.
  • Patients are given new rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
  • Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have been expanded.
  • The HHS has new enforcement authority and can impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act.
  • Part 2 programs must establish a process to receive complaints about Part 2 violations, those programs are prohibited from taking adverse action in response to complaints, and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
  • Breach notification requirements to the HHS and affected patients for Part 2 records will be aligned with the HIPAA Breach Notification Rule.
  • The HIPAA Privacy Rule Notice of Privacy Practices requirements have been updated to address uses and disclosures of Part 2 records and individual rights with respect to those records.

The HHS and SAMHSA are encouraging healthcare industry stakeholders and the public to submit comments on the proposed changes. To be considered, they must be submitted within 60 days of publication of the NPRM in the Federal Register. The expected publication date is 12/02/2022. A fact sheet on the proposed changes has been published on the HHS website.


Privacy Risks Identified in Websites Used to Deliver Opioid Addiction Treatment and Recovery Services

An alarming number of websites used to deliver opioid addiction treatment and recovery services contain data sharing and privacy risks, according to a new report from the Opioid Policy Institute (OPI) and Legal Action Center (LAC). Addiction treatment and recovery services are increasingly delivered online and via mobile apps, with the websites handling multiple functions. They are used to communicate with patients, conduct telehealth visits, enroll and screen patients, and receive referrals.

All websites that collect patient data need to have robust privacy and security controls in place, but this is especially important for websites used to deliver opioid addiction treatment and recovery services due to the stigma associated with drug addiction and the potential for discrimination against people with substance use disorders. Concerns about confidentiality frequently rank among individuals’ most common reasons for not seeking substance use disorder treatment.

At the federal level, HIPAA and other privacy laws have strict requirements for ensuring the confidentiality of patient information, and many providers of substance use disorder treatment services operate on the central promise of anonymity, yet the privacy and security of the websites used by providers of these services have not been well studied. OPI and LAC teamed up for the study and analyzed the websites of 12 virtual care platforms, which in June 2022 received an average of 57,000 visits, over a period of 16 months using the Blacklight tool developed by The Markup to assess the privacy protections on websites. The Blacklight tool was used to assess a variety of data collection practices, including ad trackers, third-party session cookies, session recording, keylogging, and third-party tracking code such as the code snippets provided by Google (Analytics) and Meta (Pixel).

While it was not possible to determine exactly what data was collected by the websites or how the collected data was used, all websites consistently used tools over the 16-month observation period that had the capability to collect and transmit sensitive information, and all websites had issues that put patient privacy at risk. All 12 websites used ad trackers that were able to identify the individuals who visited the websites, with 11 of the 12 sites using third-party cookies that allow individuals visiting the virtual care platforms to be tracked across the Internet.

During the 16-month period, around half of the websites used Meta Pixel tracking code. The Meta Pixel code snippet is used to track visitor activity on websites to measure preferences and trends to improve the user experience; however, the code snippet can capture sensitive data and transmit it to Meta. This year, dozens of health systems were found to have added the code to their websites and patient portals, which transmitted sensitive patient data to Meta without consent. In some cases, the information transferred was allegedly used to serve individuals with targeted ads related to their health conditions. Meta has a policy that requires users of Meta Pixel not to share sensitive information such as healthcare data, but many healthcare providers were found to have transmitted patient data to Meta. In this study, four OUD mHealth websites were discovered to have sent identifiable information to Meta.

Ten of the 12 websites used Google Analytics, despite Google having a policy that the code should not be used to collect personally identifiable information or protected health information. All 12 websites used advertising, with at least some data sent by all 12 companies to ad tech firms that buy and sell user data for advertising purposes. The researchers note that over the course of the 16 months, the use of trackers on the websites generally increased. Despite the data sharing and privacy risks identified on the sites, these OUD websites generally marketed themselves as private, secure, and 100% confidential.

“In order to fulfill their promise of expanding access to quality care, virtual care platforms for OUD treatment and recovery should also meet or exceed the privacy and security standards for in-person care,” write OPI and LAC. “By shining a light on these issues, we hope that legislators and other policymakers take necessary measures to protect individuals who need treatment and recovery support.”


State AGs Urge Apple to Improve Privacy and Security Controls for Reproductive Healthcare Data

A group of 10 state Attorneys General recently wrote to Apple CEO Tim Cook, urging the company to implement stronger privacy and security controls for applications available through the Apple App Store that track, collect, store, or transmit reproductive health data. The letter was written by Matthew Platkin, Attorney General of New Jersey, and was signed by the attorneys general of California, Connecticut, Illinois, Massachusetts, North Carolina, Oregon, Vermont, Washington, and Washington, D.C.

The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization removed the Federal right to an abortion and gave individual states the power to regulate abortions; several states have already introduced bans or severe restrictions on abortions. The state AGs are concerned that the health information collected through health apps “can be weaponized against consumers by law enforcement, private entities, or individuals.”

AG Platkin cited a study conducted by the Mozilla Foundation of the most popular reproductive health apps to assess the security of health apps and how the apps collect, use, share, and retain user data. The privacy policies of many of the apps were opaque, especially regarding disclosures to law enforcement, and 18 of the 25 most popular apps – including period trackers, pregnancy/fertility apps, and health and fitness apps – either failed to abide by proper privacy and security practices or obfuscated the scope of the data collected by the apps. Many of the apps also failed to meet minimum standards for security, such as encrypting data, providing automatic security updates, having a clear and easily accessible privacy policy, and did not require strong passwords to be set. A majority of the apps also prompted users to input data that was outside the scope of the health services offered by the apps.

The AGs say the privacy and security gaps associated with health apps available through the App Store threaten the privacy and safety of App Store customers, and that this runs directly counter to Apple’s publicly expressed commitment to protect user data. Apple maintains that strong privacy controls are built into the Apple Health app, such as 2-factor authentication, and that all health data is encrypted until an Apple iPhone is unlocked using a passcode, Touch ID, or Face ID. Health data is also encrypted at rest and in transit when it is synced to iCloud, and the latest versions of iOS and watchOS have default 2FA and passcode-restricted access, which means Apple is unable to view users’ health data. Apple also maintains that there are already fine-grained controls for third-party health apps that use the HealthKit framework, which let users specify what information can be read by the apps, and users of third-party apps must either grant or deny permission for each app to read and write data to the HealthKit store.

The state AGs claim Apple has not done enough to protect user privacy and have urged the company to go further. They have called for Apple to require third-party app developers to delete non-essential user data, such as location history, search history, and other related information of consumers who may be seeking access to reproductive healthcare. They urge Apple to display clear and conspicuous notices advising iPhone users that there is the potential for reproductive healthcare data to be disclosed to third parties, and to require all third-party app developers to disclose reproductive healthcare data only if they are issued with a valid subpoena, search warrant, or court order. Third-party apps that collect, use, store, or transmit reproductive health data, or that sync with user health data on Apple devices, should be required to match or exceed the privacy and security standards of Apple. If any health app does not meet these standards, Apple should remove the app from the App Store, and should conduct periodic audits of apps to ensure compliance with these standards.

“[The] provision of an app or service should not come at the cost of consumers losing control of their health data. To that end, Apple should pursue these measures to protect consumers’ reproductive health privacy. These steps will ensure that Apple stays true to its commitment ‘to provide a safe experience for users,’” wrote AG Platkin.


October 2022 Healthcare Data Breach Report

October was the worst month of the year to date for healthcare data breaches, with 71 breaches reported and more than 6 million records breached. In the first half of the year it looked as though 2022 would see a reduction in healthcare data breaches; however, that is looking increasingly unlikely. In 2021, 714 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 594 data breaches were reported between January 1 and October 31, and with an average of 60 data breaches being reported each month, 2022 looks set to end with a similarly high number.

Across the 71 reported breaches, the protected health information of 6,242,589 individuals was exposed or impermissibly disclosed, with around half of that total coming from a single breach. So far this year, the records of 37,948,207 individuals have been exposed or impermissibly disclosed.

Largest Healthcare Data Breaches Reported in October

In October, 28 data breaches of 10,000 or more records were reported by HIPAA-regulated entities. The largest healthcare data breach reported in October – by some distance – was due to the use of Meta Pixel code on the website and patient portal of Advocate Aurora Health, which resulted in the impermissible disclosure of the PHI of up to 3 million patients to Meta/Facebook. Advocate Aurora Health was not alone. WakeMed Health and Hospitals reported a similar breach involving the PHI of 495,808 patients. Dozens of other healthcare providers have also used the code on their websites and lawsuits are mounting. Attorneys for Meta claim the company does not collect healthcare data without consent; however, U.S. District Judge William Orrick, who is presiding over a consolidated class action lawsuit against Meta over these impermissible disclosures, has expressed skepticism about those claims.

The data breach at SightCare Inc was due to a hacking incident at business associate USV Optical, a subsidiary of U.S. Vision, which also affected Nationwide Optometry. More than 700,000 records were compromised in the incident. The third largest breach of the month occurred at CorrectCare Integrated Health, Inc, which provides administrative services to healthcare providers that serve correctional facilities. A misconfiguration left a database exposed over the Internet, resulting in the exposure of the PHI of at least 612,490 inmates at correctional facilities across the country.

Two more eye care providers confirmed in October that they had been affected by the ransomware attack on their EHR vendor, Eye Care Leaders. The records of at least 3,649,470 patients are now known to have been compromised in that attack.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Description |
|---|---|---|---|---|---|
| Advocate Aurora Health | WI | Healthcare Provider | 3,000,000 | Unauthorized Access/Disclosure | Website Code Passed Patient Information to Meta/Facebook |
| SightCare, Inc. | AZ | Health Plan | 637,999 | Hacking/IT Incident | Hacking incident at business associate (USV Optical) |
| OakBend Medical Center / OakBend Medical Group | TX | Healthcare Provider | 500,000 | Hacking/IT Incident | Ransomware attack |
| WakeMed Health and Hospitals | NC | Healthcare Provider | 495,808 | Unauthorized Access/Disclosure | Website Code Passed Patient Information to Meta/Facebook |
| CorrectCare Integrated Health, Inc. | KY | Business Associate | 438,713 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet |
| Keystone Health | PA | Healthcare Provider | 235,237 | Hacking/IT Incident | Hacked network server |
| Louisiana Department of Public Safety and Corrections | LA | Healthcare Provider | 85,466 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet (CorrectCare Integrated Health) |
| Urology of Greater Atlanta, LLC | GA | Healthcare Provider | 79,795 | Hacking/IT Incident | Hacking Incident (No information) |
| Nationwide Optometry, PC | AZ | Healthcare Provider | 73,073 | Hacking/IT Incident | Hacking incident at business associate (USV Optical) |
| Ascension St. Vincent’s Coastal Cardiology | GA | Healthcare Provider | 71,227 | Hacking/IT Incident | Ransomware attack |
| Valle del Sol, Inc. | AZ | Healthcare Provider | 70,268 | Hacking/IT Incident | Hacked network server |
| CorrectCare Integrated Health, Inc. | KY | Business Associate | 53,496 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet |
| FOREFRONT DERMATOLOGY, SC | WI | Healthcare Provider | 45,580 | Theft | Theft of an unencrypted portable electronic device at a business associate |
| VisionWeb Holdings, LLC | TX | Business Associate | 35,900 | Hacking/IT Incident | Compromised email accounts |
| University of Michigan/Michigan Medicine | MI | Healthcare Provider | 33,857 | Hacking/IT Incident | Compromised email accounts (phishing) |
| Aesthetic Dermatology Associates, PC | PA | Healthcare Provider | 33,793 | Hacking/IT Incident | Hacked network server |
| Choice Health Insurance LLC | SC | Business Associate | 32,064 | Hacking/IT Incident | Database exposed over the Internet (data theft confirmed) |
| PrimeCare Medical, Inc. | PA | Healthcare Provider | 22,254 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet (CorrectCare Integrated Health) |
| Administrative Fund of the Detectives’ Endowment Association, Inc., Police Department City of New York | NY | Health Plan | 21,544 | Hacking/IT Incident | Compromised email accounts (Phishing) |
| Wenco Management, LLC Health and Welfare Benefit Plan | OH | Health Plan | 20,526 | Hacking/IT Incident | Compromised email accounts |
| Gateway Ambulatory Surgery Center | NC | Healthcare Provider | 18,479 | Hacking/IT Incident | Compromised email accounts (Phishing) |
| Alain A. Montiel, DDS | CA | Healthcare Provider | 17,157 | Theft | Theft of an unencrypted laptop |
| St Luke’s Health – Texas | TX | Healthcare Provider | 16,906 | Hacking/IT Incident | Compromised email accounts at business associate (Adelanto Healthcare Ventures) |
| Lifespire Services, Inc. | NY | Healthcare Provider | 15,375 | Hacking/IT Incident | Hacked network server |
| HH/Killeen Health System, LLC doing business as Seton Medical Center Harker Heights | TX | Healthcare Provider | 15,056 | Hacking/IT Incident | Compromised email accounts at an unspecified business associate |
| Massengale Eye Care | OK | Healthcare Provider | 15,000 | Hacking/IT Incident | Ransomware attack on a business associate (Eye Care Leaders) |
| Wisconsin Department of Health Services | WI | Health Plan | 12,358 | Unauthorized Access/Disclosure | Compromised email accounts |
| Somnia Pain Mgt of Kentucky | NY | Healthcare Provider | 10,848 | Hacking/IT Incident | Hacked network server |

Causes of October 2022 Data Breaches

Across all industry sectors, ransomware attacks have decreased slightly this year; however, the healthcare industry continues to be a target for ransomware gangs, with Hive, LockBit 2.0, Lorenz, and the Venus ransomware gangs among those that are attacking healthcare organizations. According to Check Point Research, healthcare was the most targeted industry sector in Q3, 2022, and saw the second-highest percentage increase in attacks out of all industry sectors, with 60% more attacks than in Q3, 2021. The largest confirmed ransomware attack was on OakBend Medical Center, which saw half a million records compromised.

As has been the case for several months, hacking incidents outnumber all other types of data breaches. In October, 47 hacking incidents were reported – 66% of the month’s data breaches – and 2,025,704 records were exposed in those incidents. The average breach size was 43,100 records and the median breach size was 6,594 records. October saw an increase in unauthorized access/disclosure incidents, due in part to the data breach that occurred at CorrectCare Integrated Health that exposed the PHI of inmates of correctional facilities. 7 of the 17 reported unauthorized access/disclosure incidents were due to this incident. Unsurprisingly, given the 3 million-record data breach reported by Advocate Aurora Health, 66% of the breached records were due to unauthorized access/disclosure incidents. 4,145,396 records were compromised in these incidents. The average breach size was 243,847 records and the median breach size was 7,000 records.

There were 6 loss/theft incidents reported in October (4 theft, 2 loss), all but one of which involved portable electronic devices that had not been encrypted. 67,244 records were exposed or stolen across these incidents. The average breach size was 11,207 records and the median breach size was 1,396 records. There was also one incident involving the improper disposal of paperwork that contained the PHI of 4,245 patients.

The most common location of breached PHI was network servers due to the high number of hacking incidents. Email accounts are also commonly targeted, with 15 incidents reported in October that involved compromised email accounts. Good password management and multifactor authentication can significantly improve defenses against these attacks, although phishing attacks that bypass MFA are increasing. The increase in these attacks prompted CISA to issue guidance on implementing phishing-resistant MFA this month.

Healthcare Data Breaches by HIPAA-Regulated Entity Type

55 breaches were reported by healthcare providers in October; however, 11 of those data breaches occurred at business associates. 10 data breaches were reported by health plans, with one of those breaches occurring at a business associate. Business associates self-reported 6 breaches. The chart below shows the breaches broken down by where they occurred rather than the entity that reported the data breach.

Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 30 states, with New York the worst affected state with 11 reported breaches. This was due to a data breach at a New York-based management company that affected multiple anesthesiology service providers.

| State | Number of Reported Data Breaches |
|---|---|
| New York | 11 |
| Texas & Wisconsin | 5 |
| Florida & New Jersey | 4 |
| Arizona, California, Georgia, Kentucky, North Carolina, Pennsylvania & Virginia | 3 |
| Delaware, Maryland & Oregon | 2 |
| Colorado, Connecticut, Illinois, Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Nebraska, New Mexico, Ohio, Oklahoma, South Carolina & Washington | 1 |

HIPAA Enforcement Activity in October

No HIPAA enforcement actions were reported in October by the HHS Office for Civil Rights or by state attorneys general.

The post October 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Cybersecurity is Now a Patient Safety Issue, Suggests Sen. Warner In Congressional Report

Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, has recently published a white paper – Cybersecurity is Patient Safety – that highlights the current cybersecurity challenges facing the healthcare industry and suggests several potential policy changes that could help to improve healthcare cybersecurity and better protect all health information, including health data not currently protected under the HIPAA Rules.

Sen. Warner suggests the only way to improve healthcare cybersecurity rapidly is through a collaborative effort involving the public and private sectors, with the federal government providing overall leadership. While further regulation may be necessary, the overall consensus among healthcare industry stakeholders is that the best approach is to introduce incentives for improving cybersecurity, rather than mandating cybersecurity improvements under threat of financial penalties for noncompliance.

The healthcare industry is under attack from cybercriminals and nation-state threat actors, and cyberattacks and data breaches are increasing at unacceptable levels. In 2021, 45 million Americans had their sensitive personal and healthcare data exposed or stolen in healthcare industry cyberattacks. More must be done to improve resilience and deal with the increasing threats. “Unfortunately, the healthcare sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate,” said Senator Warner. “Cybersecurity can no longer be viewed as a secondary concern; it must become incorporated into every organization’s – from equipment manufacturers to health care providers – core business models.”

The white paper suggests several areas where policies could be changed to improve cybersecurity in the healthcare industry.

Improve Federal Leadership

The Department of Health and Human Services (HHS) is the Sector Risk Management Agency (SRMA) for the healthcare industry, but within the HHS agencies such as the Office for Civil Rights (OCR), Centers for Medicare and Medicaid Services (CMS), and the Food and Drug Administration (FDA) have their own jurisdictions and cybersecurity policies. The white paper explains that there is a lack of overall leadership and suggests a senior leader should be appointed, who should be “empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role.”

Modernize HIPAA

HIPAA was enacted in 1996, and the HIPAA Privacy and Security Rules have been in place for two decades. While updates have been made to the HIPAA Rules, they fail to fully address emerging threats to the confidentiality, integrity, and availability of healthcare data. The current focus is on protecting the healthcare data collected, stored, and transmitted by HIPAA-regulated entities, but the same information is collected, stored, and transmitted by entities that are not bound by the HIPAA Rules. It has been suggested that more sensitive healthcare data is now being collected by health apps than is collected and stored by HIPAA-regulated entities, yet this data is largely unregulated. The white paper suggests Congress should direct the HHS to update HIPAA, expand the definition of covered entities, and stipulate the allowable uses and disclosures of health data by entities that are not currently classed as HIPAA-regulated entities, to address the gap between HIPAA and the FTC Health Breach Notification Rule.

Develop a Healthcare-Specific Cybersecurity Framework

The National Institute of Standards and Technology (NIST) has released its Framework for Improving Critical Infrastructure Cybersecurity, and while that work has been commended, many healthcare industry stakeholders want more detailed guidance from NIST that is specific to the healthcare industry and have called for NIST to develop a consensus-based, healthcare-specific cybersecurity framework.

Improve Security Incident Preparedness and Response

The HHS recently stressed in its October Cybersecurity newsletter the importance of security incident preparedness and planning, as cyberattacks are inevitable in the lifespan of a healthcare organization. More needs to be done to encourage healthcare organizations to prepare for attacks. The HHS could direct healthcare facilities to treat cyberattacks as equivalent to natural disasters such as hurricanes and earthquakes, including mandating training for hospital staff on the use of analog equipment and legacy systems, and could establish a disaster relief program for victims of cyberattacks.

Incentivize Healthcare Providers to Replace Legacy Systems

Legacy systems are still extensively used in the healthcare industry, despite software and operating systems reaching end-of-life and having support withdrawn. Legacy systems are a security risk, yet healthcare organizations continue to use them as they continue to function and the cost of replacing them is too high. Incentives should be offered to phase out these legacy systems, such as a program similar to the 2009 Car Allowance Rebate System (CARS) that encouraged people to trade in their old vehicles.

Improve Medical Device Cybersecurity

There is considerable concern about the cybersecurity of medical devices and a need for minimum security standards to be maintained and good cyber hygiene practices to be followed. There is a need for all software and devices to be supplied with a software bill of materials (SBOM), and for security requirements to be enforced during pre-market approval, as proposed by the PATCH Act. The white paper also suggests restrictions could be imposed on the sale of medical devices whose software has reached end-of-life and is no longer supported, and that healthcare organizations could be incentivized to invest in systems for tracking medical equipment.

Address the Current Cybersecurity Talent Shortage

There is currently a global shortage of cybersecurity professionals that is unlikely to be resolved in the short to medium term. Healthcare organizations struggle to recruit the necessary talent and many cybersecurity positions in healthcare remain unfilled. The white paper suggests one way to address the shortage would be for Congress to create a workforce development program and to incentivize individuals to take on cybersecurity positions in healthcare, such as offering student loan forgiveness for cybersecurity professionals who commit to serving in rural communities, similar to the National Health Service Corps Loan Repayment Program.

Reduce the Cost of Cyber Insurance

Cyber insurance is becoming increasingly expensive and there is an extensive and burdensome application process. The white paper suggests a federal reinsurance program could be introduced to cover plans that require minimum cyber hygiene standards to be maintained, which could help the industry achieve minimum cyber hygiene standards without government mandates. The program would standardize coverage elements and provide incentives for insurance companies to adopt them. This could lower overall risks, which could help to reduce the cost of insurance.

Senator Warner is seeking feedback on the white paper from businesses, advocacy groups, researchers, and individuals. Comments should be submitted no later than December 1, 2022.

The post Cybersecurity is Now a Patient Safety Issue, Suggests Sen. Warner In Congressional Report appeared first on HIPAA Journal.

Advocate Aurora Health and WakeMed Sued Over Meta Pixel Privacy Breaches

Two class action lawsuits have been filed on behalf of patients whose protected health information (PHI) was impermissibly disclosed to Meta/Facebook as a result of the use of the Meta Pixel JavaScript code snippet on the websites and web applications of Advocate Aurora Health and WakeMed Health and Hospitals. Advocate Aurora Health said the PHI of up to 3 million patients had potentially been disclosed to Meta/Facebook, and WakeMed said around 495,000 patients were affected due to the inclusion of the code on the MyChart patient portal and its appointment scheduling page. Both healthcare providers have admitted to an impermissible disclosure of PHI but said at the time of issuing notifications that they were unaware of any cases of misuse of patient information and that there are no indications that employees of Meta or Facebook viewed the transmitted data.

The lawsuit against Advocate Aurora Health, which also names Meta as a defendant, was filed in the U.S. District Court for the Northern District of Illinois and names Alistair Stewart, of Illinois, as the lead plaintiff. The lawsuit seeks class action status, damages, and injunctive and other equitable relief. According to the lawsuit, “Whenever a patient uses Advocate’s websites and applications, including its LiveWell portal, Advocate and Facebook intercept, contemporaneously cause transmission of, and use personally identifiable patient information and PHI without patients’ knowledge, consent, or authorization.” The lawsuit alleges Advocate Aurora Health and Meta were aware that protected health information was being transmitted, and that this was in violation of the HIPAA Rules. “This was evidenced from, among other things, the functionality of the Pixel, including that it enabled Advocate’s LiveWell portal to show targeted advertising to its digital subscribers based on the products those digital subscribers had previously viewed on the website, including certain medical tests or procedures, for which Advocate received financial remuneration.”

Advocate Aurora Health maintains that the tracking code was only used to improve the consumer experience across its websites, and to encourage individuals to schedule necessary preventive care, and said it has stopped using the code and has implemented additional safeguards and third-party code-checking procedures to prevent similar breaches in the future.
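The disclosure mechanism at issue above is a third-party script and a tracking image loaded into pages that handle patient data. As an added example, not code from HIPAA Journal, Advocate Aurora Health or WakeMed, the script below shows one concrete form a "third-party code-checking" control can take: it audits a page's HTML against an allowlist of approved origins, flags known advertising and analytics domains and the Meta Pixel initializer, and emits the same allowlist as a Content-Security-Policy header value that the browser enforces at load time. The origins, page URL, tracker list and sample HTML are all constructed for illustration.

```javascript
// Added example, not code from HIPAA Journal, Advocate Aurora Health or WakeMed:
// a static audit of a portal page's HTML for third-party scripts and tracking
// pixels, and a Content-Security-Policy value derived from the same allowlist.
// All hostnames, the page URL and the sample HTML below are constructed.

// Origins the portal itself is allowed to load scripts from and talk to (assumed).
const ALLOWED_ORIGINS = new Set([
  'https://portal.example-health.org',
  'https://cdn.example-health.org',
]);

// Advertising/analytics domains whose presence on a page that handles PHI
// should be flagged for review (constructed list).
const TRACKER_DOMAINS = ['facebook.net', 'facebook.com', 'doubleclick.net', 'google-analytics.com'];

function isTrackerHost(host) {
  return TRACKER_DOMAINS.some(d => host === d || host.endsWith('.' + d));
}

// Every src="" on <script>, <img> and <iframe>. Pixels are often 1x1 <img> tags.
function extractResourceUrls(html) {
  const out = [];
  const re = /<(script|img|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push({ tag: m[1].toLowerCase(), src: m[2] });
  return out;
}

// Bodies of inline <script> blocks (those without a src attribute).
function extractInlineScripts(html) {
  const out = [];
  const re = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Audit one page. Returns a list of findings; an empty list means nothing
// outside the allowlist was referenced.
function auditPage(html, pageUrl) {
  const findings = [];
  for (const { tag, src } of extractResourceUrls(html)) {
    let u;
    try {
      u = new URL(src, pageUrl); // relative paths resolve to the page's own origin
    } catch {
      findings.push({ kind: 'unparseable-src', tag, detail: src });
      continue;
    }
    if (ALLOWED_ORIGINS.has(u.origin)) continue;
    findings.push({
      kind: isTrackerHost(u.hostname) ? 'known-tracker' : 'unlisted-origin',
      tag,
      detail: u.origin,
    });
  }
  for (const body of extractInlineScripts(html)) {
    // The Meta Pixel base code calls fbq('init', <pixel id>) after loading its script.
    if (/fbq\s*\(\s*['"]init['"]/.test(body)) {
      findings.push({ kind: 'meta-pixel-init', tag: 'script', detail: "fbq('init', ...)" });
    }
    for (const d of TRACKER_DOMAINS) {
      if (body.includes(d)) findings.push({ kind: 'inline-tracker-reference', tag: 'script', detail: d });
    }
  }
  return findings;
}

// The allowlist as a CSP header value: browsers refuse to load scripts from,
// connect to, or fetch images from origins that are not listed.
function buildCsp(allowed = ALLOWED_ORIGINS) {
  const list = [...allowed].join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${list}`,
    `connect-src 'self' ${list}`,
    `img-src 'self' ${list}`,
  ].join('; ');
}

// Constructed sample: a scheduling page that carries the pixel base code and its
// <noscript> image fallback. The pixel id is a placeholder.
const PAGE_URL = 'https://portal.example-health.org/schedule';
const SAMPLE_PORTAL_HTML = `
<html><head>
<script src="/static/portal.js"></script>
<script src="https://cdn.example-health.org/app.js"></script>
<script>
  !function(f,b,e,v,n,t,s){ /* loader elided */ }(window, document, 'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'PIXEL_ID_PLACEHOLDER');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
</head><body>Schedule an appointment</body></html>`;

const CLEAN_HTML = '<html><head><script src="/static/portal.js"></script></head><body>ok</body></html>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditPage(SAMPLE_PORTAL_HTML, PAGE_URL), null, 2));
  console.log(buildCsp());
}
```

Run with Node against saved page HTML from a staging build; for a patient-portal or scheduling page, a non-empty findings list is the condition a release check should fail on. The static audit catches the problem before deployment; the CSP is the stronger runtime control because it also applies to scripts injected later by a tag manager or a compromised dependency, which a pre-deployment scan of the page source will not see.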

The lawsuit against WakeMed was filed in the Wake County Superior Court in North Carolina by attorneys Gary Jackson and Tom Wilmoth and similarly seeks class action status, damages, and injunctive relief. The lawsuit makes similar claims and also alleges that the code was added to the website in the knowledge that sensitive patient data would be shared with Meta, and that WakeMed received financial benefits from sharing that information with Meta. The lawsuit alleges violations of FTC Rules and HIPAA, as sensitive healthcare data, including PHI, was shared with Meta without the knowledge or consent of the plaintiff and class members.

The lawsuit states the plaintiff reasonably expected her online communications with WakeMed to be confidential and not to be shared with or intercepted by a third party, and that consent to share her data had not been requested or obtained. The lawsuit alleges negligence for failing to implement reasonable safeguards to prevent improper disclosures of PHI, failing to adequately train employees, and failing to follow industry-standard data security practices.

For healthcare data breach lawsuits to succeed, an actual injury must have been sustained. Unlike in data breach lawsuits filed against healthcare organizations that have been hacked, here the plaintiffs’ PHI is not in the hands of cybercriminals and there has been no injury through fraud or identity theft. The lawsuits allege an injury has been suffered in the form of the diminution in the value of the plaintiffs’ and class members’ private information. The plaintiff in the WakeMed lawsuit alleges she has lost time and experienced annoyance, interference, and inconvenience, which has led to her suffering anxiety, emotional distress, and increased concerns about her loss of privacy.

Many healthcare providers added Meta Pixel code to their websites. A study conducted by The Markup revealed 33 of the top 100 hospitals in the United States used the code, several of which added Meta Pixel to their patient portals. In August 2022, Novant Health announced that the PHI of up to 1.36 million patients had potentially been disclosed to Meta/Facebook, and many other healthcare providers are expected to make similar announcements in the coming weeks. Lawsuits have already been filed against Medstar Health System in Maryland, UCSF Medical Center and Dignity Health Medical Foundation, and Northwestern Memorial Hospital in Chicago, due to the use of the tracking code on their websites.

The post Advocate Aurora Health and WakeMed Sued Over Meta Pixel Privacy Breaches appeared first on HIPAA Journal.