Healthcare Data Privacy

CHIME Urges FTC to Stringently Enforce Health Breach Notification Rule

The College of Healthcare Information Management Executives (CHIME) has recently provided feedback to the Federal Trade Commission (FTC) on its Advance Notice of Proposed Rulemaking (ANPR) on the Trade Regulation Rule on Commercial Surveillance and Data Security and has urged the FTC to hold health apps and data brokers accountable for illegal disclosures of health data and unfair or deceptive data practices.

The ANPR was published in the Federal Register on August 22, 2022, with comment sought from healthcare industry stakeholders, specifically “on whether [the Commission] should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.”

CHIME expressed broad support for the measures proposed by the FTC in response to the prevalence of commercial surveillance and data practices that are harming consumers, especially with respect to health data due to the extent to which mobile devices and health apps are now being used to collect, process, and transmit health data. Mobile apps are generally not covered by HIPAA, so the data collected, processed, and shared through those apps is not subject to the protections of the HIPAA Privacy and Security Rules, and the health data collected is often sold to data brokers.

CHIME praised the efforts of the FTC to protect consumer health information and for the clarification of its authority under the Health Breach Notification Rule – provided in its September 2021 Policy Statement On Breaches by Health Apps and Other Connected Devices – that vendors of personal health records and related entities are required to issue notifications to consumers and the FTC if there have been breaches of unsecured identifiable health information, and that civil penalties may be pursued for violations.

Clarification was needed because the Health Breach Notification Rule was issued more than a decade ago and has never been enforced by the FTC, which matters given the extent to which health data is now held by entities that are not required to comply with HIPAA. CHIME cited an IQVIA Institute for Human Data Science estimate that there are now around 350,000 publicly available health apps and suggested that the amount of health data stored or transmitted by these apps could now exceed the amount of data held by HIPAA-covered entities.

“CHIME is broadly supportive of new trade regulation rules to utilize the FTC’s existing authority to protect consumers – we are strongly encouraging the FTC to push further into this space by utilizing and enforcing the clear, concise, and existing authority under the Health Breach Notification Rule to hold non-HIPAA covered third-parties (i.e., vendors of PHR and PHR-related entities) responsible when they illegally disclose – intentionally or not – covered information.” CHIME believes enforcement actions by the FTC will help to make consumers’ health data more secure and will encourage businesses with PHRs and PHR-related entities to strengthen their data security practices.

The FTC has confirmed that the Health Breach Notification Rule does not apply to HIPAA-covered entities and entities that act solely as HIPAA-business associates, but CHIME said its “members would appreciate clarification regarding the intersection of the potential future proposed rule regarding “Commercial Surveillance and Data Security”, the FTC’s existing authority under the Health Breach Notification Rule, and data held by HIPAA covered entities (CEs) which does not fall under HIPAA (i.e. de-identified data).”

Many Americans are unsure about when health information is protected under HIPAA and when their health information is not, such as when health data is collected through health apps. CHIME has called for “clear, transparent communication to consumers about how their data is being used, monetized, and secured,” and stresses this will be critical in future rulemaking.

CHIME believes it is now time for the FTC to take action against vendors of PHRs and PHR-related entities that have lax data security, or are blatantly disregarding the law, and for notices and penalties to be issued under the existing authority provided to FTC by the Health Breach Notification Rule. CHIME has also called for the FTC to do more to prevent data breaches and the sale of consumer health data before it happens, by enforcing real-world and stringent privacy and security protections on companies to better protect consumer data.

CHIME also recommends that the FTC make sure consumers understand exactly how their data will be used before they use any company’s technology, and suggested a set of questions that should be asked of health apps, which it said should be considered in future rulemaking.

The post CHIME Urges FTC to Stringently Enforce Health Breach Notification Rule appeared first on HIPAA Journal.

Meta Facing Scrutiny Over Use of Meta Pixel Tracking Code on Hospital Websites

Meta is facing further scrutiny of its privacy practices related to its Meta Pixel JavaScript code, which has been added to the websites and web applications of many U.S. hospitals to allow them to track user activity.

Meta Pixel is a snippet of JavaScript code that can be used by website owners for tracking user activity through the use of cookies. Meta Pixel collects any information contained in HTTP headers, button click data, form field names, and other user-specified data. Many website owners use the code to track activity to help them with website optimization, identifying trends, and improving the user experience on their websites and web applications.

Earlier this year, The Markup jointly published a report with STAT on the use of Meta Pixel code on the websites of U.S. hospitals. The study analyzed the websites of the top 100 hospitals in the United States and found that one-third used the code, and in some cases had added the code to their patient portals and appointment scheduling pages. The problem is that the data collected via this code snippet may be sent to Meta, and may include patients’ protected health information. Meta is not a business associate of HIPAA-covered entities, and under HIPAA, any data transmitted to Meta would require patient consent. The investigation failed to find evidence that patient consent was obtained.

Following the publication of the report, at least 28 of the 33 hospitals identified by The Markup removed the code from their websites, and at least three have now issued notifications to patients about the privacy violations that may have occurred. Novant Health said the protected health information of 1.36 million patients had potentially been transmitted, and in the past few days, notifications have been issued by Advocate Aurora Health (3 million) and WakeMed Health and Hospitals (495,000). Several lawsuits have been filed against hospitals over the collection, impermissible disclosure, and use of data collected via Meta Pixel, which the plaintiffs claim has been used to serve patients with targeted adverts related to their medical conditions.

Meta Scrutinized Over Data Collection and Sharing Practices

In a September 14, 2022, Senate Homeland Security and Governmental Affairs Committee hearing, Sen. Jon Ossoff (D-GA) questioned Chris Cox, Chief Product Officer for Meta Platforms, about the use of Meta code in connection with healthcare data. “There’s been substantial public reporting, controversy, and concern about the Meta Pixel product and the possibility that its deployment on various hospital systems’ websites, for example, has enabled Meta to collect private health care data,” said Ossoff. “We need to understand, as the U.S. Congress, whether or not Meta is collecting, has collected, has access to, or is storing, medical or health data for U.S. persons.” Cox said that to his knowledge, there had been no use of health or medical data by Meta.

Meta may have denied receiving or using data sent via Meta Pixel, but it has done little to assuage concern. On October 20, 2022, Sen. Mark R. Warner (D-VA) wrote to Meta CEO, Mark Zuckerberg, requesting information on the privacy practices of Meta with respect to the use of Meta Pixel tracking code on hospital websites. The letter came in the wake of the announcements by two more healthcare providers, Advocate Aurora Health and WakeMed, and the potential violation of the privacy of almost 3.5 million patients.

Sen. Warner explained in the letter that there is a need for user privacy and greater transparency about how data is collected and used online, and that this has become even more important due to the increase in online appointment booking, telehealth, and electronic record-keeping during the pandemic. He explained the need for strong safeguards to protect user privacy and keep sensitive medical information private, and said he is very concerned that sensitive information may be transmitted – without a website user’s knowledge – to Meta or Facebook simply by clicking a button on a form within a patient portal or an appointment scheduling page on a healthcare provider’s website. “This data included highly personal health data, including patients’ medical conditions, appointment topics, physician names, email addresses, phone numbers, IP addresses, and other details about patients’ medical appointments,” said Sen. Warner. Further, allegations have been made in at least two lawsuits that the data has been passed to third parties and used to serve targeted adverts.

Specifically, Sen. Warner has asked for answers to the following questions:

The North Carolina Attorney General has also recently confirmed that an investigation has been launched into the use of Meta Pixel tracking code on the websites of Triangle hospitals, including those operated by WakeMed and Duke University Health System. The confirmation came around a month after a lawsuit was filed alleging improper use of the tracking tool, which is claimed to have allowed data to be collected without authorization and used to serve targeted ads to patients.


WakeMed Announces Meta Pixel-Related Breach Affecting 495,000 Patients

WakeMed Health and Hospitals, a health system with multiple healthcare facilities in metropolitan Raleigh, NC, has recently notified around 495,000 patients that some of their protected health information may have been impermissibly disclosed to Meta/Facebook due to the use of Meta Pixel tracking code on its website.

The privacy violation was announced by the health system on October 14, 2022, with WakeMed stating that the code was first added to its website and MyChart patient portal in March 2018. The code is used to gather information on user activity on websites, which is achieved through the use of cookies. WakeMed said the code was added for website optimization and to “better connect members of our community with WakeMed’s MyChart patient portal, thereby improving access to their health care, and to help improve the WakeMed website.”

The problem, as many healthcare systems have discovered, is that in addition to tracking user activity, the snippet of JavaScript code also transmits data to Meta/Facebook, and that data can include sensitive patient information as well as information that allows patients to be identified. According to WakeMed, the transmitted data included information entered by patients in the MyChart patient portal and on the appointment scheduling page.

The types of information transmitted depended on patients’ interactions on the website, their use of forms, and the data selected or entered when scheduling appointments. WakeMed said the information transmitted to Meta/Facebook may have included one or more of the following: email address, phone number, other contact information, IP address, emergency contact information, information provided during online check-in (e.g., allergy or medication information), COVID vaccine status, information about an upcoming appointment (e.g., appointment type and date, physician selected, and button/menu selections), and any information added to free text boxes.

WakeMed said its investigation was unable to determine whether Meta or Facebook collected or used any of the information transmitted by the Meta Pixel code. Meta has previously stated that if it identifies any information it is not authorized to receive, the information will not be used or provided to third parties for uses such as serving targeted advertisements. Multiple lawsuits have been filed against other healthcare organizations that claim targeted advertisements have been served using Meta Pixel-collected data.

WakeMed said that after becoming aware of the issue, the Meta Pixel code was stripped from its website in May 2022 and that there are no further plans to use the code unless it can be confirmed that there is no potential for it to transmit sensitive data. Policies and procedures have also been implemented that involve comprehensive reviews of code before it is added to its website to prevent similar situations in the future. The North Carolina Attorney General has launched an investigation into the incident.
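The two points above, that a pixel loader and its inline initialisation call are ordinary script tags that send form and button data off-site, and that WakeMed now reviews code before it reaches its website, suggest a simple pre-deployment check. The following is an added example written for this page, not code from HIPAA Journal, WakeMed, or Meta: it scans page HTML for scripts loaded from a list of known tracker hosts and for inline pixel initialisation calls, and rates any finding on a patient-portal or scheduling path as high severity so the build can be failed. The tracker host list, the inline markers, the sensitive-path pattern, the placeholder IDs, and the sample pages are all constructed assumptions.

```javascript
// Added example (not the article's or any hospital's code): a pre-deployment
// audit that flags third-party tracking scripts in page HTML before go-live.
// Host list, markers, path pattern and sample pages are constructed assumptions.

// Hostnames of common tracking/pixel loaders (assumed list; extend for your estate)
const TRACKER_HOSTS = new Set([
  "connect.facebook.net",      // Meta Pixel loader (fbevents.js)
  "www.googletagmanager.com",  // Google Tag Manager / gtag loader
  "www.google-analytics.com",
]);

// Inline-script patterns that indicate a pixel has been initialised
const INLINE_MARKERS = [
  { re: /\bfbq\s*\(\s*['"]init['"]/, label: "Meta Pixel init (fbq)" },
  { re: /\bgtag\s*\(\s*['"]config['"]/, label: "Google tag config (gtag)" },
];

// Paths where PHI is likely to be entered; findings there are rated high severity
const SENSITIVE_PATH_RE = /(mychart|portal|appointment|schedul|check-?in)/i;

// Collect every external script src and every non-empty inline script body.
function extractScripts(html) {
  const external = [];
  const inline = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (srcMatch) external.push(srcMatch[1]);
    else if (m[2].trim()) inline.push(m[2]);
  }
  return { external, inline };
}

// Hostname of a script src; relative and protocol-relative (//host/...) URLs are
// resolved against a dummy base so first-party paths map to that base, not a tracker.
function hostOf(src) {
  try {
    return new URL(src, "https://example.invalid").hostname.toLowerCase();
  } catch (e) {
    return "";
  }
}

// Audit one page; returns a list of findings (empty means nothing was flagged).
function auditPage(path, html) {
  const severity = SENSITIVE_PATH_RE.test(path) ? "high" : "medium";
  const { external, inline } = extractScripts(html);
  const findings = [];
  for (const src of external) {
    const host = hostOf(src);
    if (TRACKER_HOSTS.has(host)) {
      findings.push({ path, severity, kind: "external-script", detail: host });
    }
  }
  for (const body of inline) {
    for (const { re, label } of INLINE_MARKERS) {
      if (re.test(body)) findings.push({ path, severity, kind: "inline-script", detail: label });
    }
  }
  return findings;
}

// Audit a map of path -> html and summarise; pass only when no sensitive page
// carries a tracker, so a pixel cannot reach a portal page unreviewed.
function auditSite(pages) {
  const findings = [];
  for (const [path, html] of Object.entries(pages)) findings.push(...auditPage(path, html));
  const high = findings.filter((f) => f.severity === "high").length;
  return { findings, high, pass: high === 0 };
}

// Constructed sample pages (not real hospital markup; IDs are placeholders)
const SAMPLE_PAGES = {
  "/about-us": `<html><head><script src="/static/app.js"></script></head><body>...</body></html>`,
  "/mychart/schedule-appointment": `<html><head>
    <script>!function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
    fbq('init', 'PIXEL-ID-PLACEHOLDER'); fbq('track', 'PageView');</script>
    <script src="//www.googletagmanager.com/gtag/js?id=TAG-ID-PLACEHOLDER"></script>
  </head><body><form>...</form></body></html>`,
};

const report = auditSite(SAMPLE_PAGES);
for (const f of report.findings) console.log(`[${f.severity}] ${f.path}: ${f.kind} ${f.detail}`);
console.log(report.pass ? "PASS: no trackers on sensitive pages" : `FAIL: ${report.high} high-severity finding(s)`);
```

Run with `node audit.js` against rendered HTML captured from a staging build. The check is deliberately static: it does not execute the page, so it catches the loader before it ever runs, but it will not see scripts injected later by a tag manager, which is why the tag-manager loader itself is on the flagged list.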

WakeMed joins Novant Health and Advocate Aurora Health in issuing notifications to patients about impermissible disclosures of PHI due to the use of Meta Pixel and other tracking code, and this is unlikely to be the last such announcement by a healthcare provider. A study conducted by The Markup/STAT on the top 100 hospitals in the United States found one-third had used Meta Pixel code on their websites.


September 2022 Healthcare Data Breach Report

63 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in September, bringing an end to the downward trend in data breaches seen over the previous three months. September’s total was above the 12-month average of 59 breaches a month, with data breaches being reported at a rate of more than 2 per day. In 2017, data breaches were being reported at a rate of one per day.

[Figure: Healthcare data breaches in the past 12 months, September 2022]

While the number of reported data breaches increased by 28.6% month-over-month, for the third consecutive month the number of breached records decreased, with 2,440,434 records breached across the 63 reported incidents. September’s total was well below the 12-month average of 3,481,033 breached records a month.

[Figure: Breached healthcare records in the past 12 months]

So far in 2022, 31,705,618 patient records have been exposed or impermissibly disclosed.

The Largest Healthcare Data Breaches Reported in September

30 data breaches of 10,000 or more patient records were reported to the HHS’ Office for Civil Rights in September 2022, all but one of which were hacking/IT incidents. The largest involved the records of more than 542,000 patients of the Wolfe Clinic in Iowa and occurred at its electronic health record provider, Eye Care Leaders, where the attack saw database and system configuration files deleted. In total, more than 3.6 million individuals were affected by the Eye Care Leaders breach.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Hacking incident at its EHR provider (Eye Care Leaders) |
| Empress Ambulance Service LLC | NY | Healthcare Provider | 318,558 | Ransomware attack |
| Cytometry Specialists, Inc. d/b/a CSI Laboratories | GA | Healthcare Provider | 244,850 | Business email compromise (BEC) attack |
| FMC Services, LLC | TX | Healthcare Provider | 233,948 | Hacked network server |
| Physician’s Business Office, Inc. | WV | Business Associate | 196,673 | Hacked network server |
| Providence WA Anesthesia Services PC | NY | Healthcare Provider | 98,643 | Hacked network server at management company |
| Medical Associates of the Lehigh Valley | PA | Healthcare Provider | 75,628 | Ransomware attack |
| Dyersburg Family Walk-In Clinic, LLC (Reelfoot Family Walk-In Clinic) | TN | Healthcare Provider | 58,562 | Hacked network server (data theft confirmed) |
| Palm Springs Anesthesia Services PC | NY | Healthcare Provider | 58,513 | Hacked network server at management company |
| Reiter Affiliated Companies, LLC | CA | Business Associate | 48,000 | Ransomware attack at a business associate |
| Reiter Affiliated Health and Welfare Plan | CA | Health Plan | 45,000 | Ransomware attack |
| Anesthesia Services of San Joaquin PC | NY | Healthcare Provider | 44,015 | Hacked network server at management company |
| Anesthesia Associates of El Paso PA | NY | Healthcare Provider | 43,168 | Hacked network server at management company |
| The Physicians’ Spine and Rehabilitation Specialists of Georgia, P.C. | GA | Healthcare Provider | 38,765 | Hacked network server |
| Country Doctor Community Clinic | WA | Healthcare Provider | 38,751 | Hacked network server |
| Resource Anesthesiology Associates PC | NY | Healthcare Provider | 37,697 | Hacked network server at management company |
| Lubbock Heart & Surgical Hospital | TX | Healthcare Provider | 23,379 | Hacked network server |
| Genesis Health Care, Inc. | SC | Healthcare Provider | 21,226 | Hacked network server |
| Resource Anesthesiology Associates of IL PC | NY | Healthcare Provider | 18,321 | Hacked network server at management company |
| Bronx Anesthesia Services PC | NY | Healthcare Provider | 17,802 | Hacked network server at management company |
| Resource Anesthesiology Associates of CA A Medical Corporation | CA | Healthcare Provider | 16,001 | Hacked network server at management company |
| Monroe Ear Nose and Throat Associates, PC | MI | Healthcare Provider | 14,500 | Hacked network server hosting EHRs |
| Magellan Rx Management | MD | Business Associate | 13,663 | Hacked network server |
| Hazleton Anesthesia Services PC | NY | Healthcare Provider | 13,607 | Hacked network server at management company |
| Riverside Medical Group | NJ | Healthcare Provider | 12,499 | Hacked legacy server containing EHRs |
| Anesthesia Associates of Maryland LLC | MD | Healthcare Provider | 12,403 | Hacked network server at management company |
| Northern California Fertility Medical Center | CA | Healthcare Provider | 12,145 | Ransomware attack |
| Neurology Center of Nevada | NV | Healthcare Provider | 11,700 | Hacking incident involving EHRs |
| Dr. Alexander J. Richardson, DPM | OH | Healthcare Provider | 11,300 | Hacking incident involving EHRs |
| WellMed Medical Management | TX | Healthcare Provider | 10,506 | A physician took records to his new practice |

Causes of September 2022 Data Breaches

As is now the norm, the majority of the month’s data breaches were categorized as hacking/IT incidents, which include hacking, ransomware and malware attacks, phishing attacks, and misconfigured databases and cloud resources.

[Figure: Causes of September 2022 healthcare data breaches]

52 breaches – 82% of the month’s total – were hacking/IT incidents, which resulted in the exposure and/or theft of the records of 2,410,654 individuals. The average breach size was 46,359 records and the median breach size was 12,274 records. These incidents accounted for 98.78% of all records breached in September.

Ransomware is commonly used in attacks on hospitals to prevent access to business-critical files and patient records. These attacks typically involve data theft prior to file encryption with the attackers threatening to sell or publish the stolen data if the ransom is not paid. Several threat actors have now dispensed with the file encryption and are just stealing data and demanding payment to prevent its sale or release. That makes the attacks quicker and easier for the attackers and ransoms are still often paid. These extortion-only attacks have been increasing in recent months.

There were 7 unauthorized access/disclosure incidents reported, a category that includes unauthorized access by employees, misdirected emails, and mailing errors. Across the 7 breaches, the records of 24,639 individuals were impermissibly disclosed. The average breach size was 3,250 records and the median breach size was 1,359 records.

There were 4 data breaches reported that involved the loss or theft of electronic devices that contained individually identifiable protected health information. Those devices contained 5,141 records. The average breach size was 1,285 records and the median breach size was 1,207 records. These incidents could have been avoided had data on the devices been encrypted.

The number of email-related data breaches is below the levels normally seen, with just 7 email data breaches reported. However, data from the ransomware remediation firm Coveware suggests email is still the most common way that threat actors gain access to networks in ransomware attacks. One of the largest data breaches reported this month – at CSI Laboratories – saw threat actors gain access to email accounts containing the records of almost 245,000 individuals. The email account was then used in a business email compromise attack to try to reroute CSI customer healthcare provider payments.

[Figure: Location of PHI in September 2022 healthcare data breaches]

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entity type in September with 46 data breaches reported, with 10 breaches reported by business associates and 7 breaches reported by health plans. Healthcare providers and health plans often choose to report breaches at business associates themselves, as was the case in 7 data breaches at business associates in September. The pie chart below reflects this and shows where the data breaches actually occurred.

[Figure: September 2022 healthcare data breaches, entities reporting]

Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states reported data breaches in September. New York was the worst affected state with 15 breaches reported; 13 of those were reported by providers of anesthesia services, although the breach actually occurred at their management company.

| State | Breaches |
|---|---|
| New York | 15 |
| California | 8 |
| Tennessee & Washington | 5 |
| Florida & Texas | 4 |
| Georgia | 3 |
| Indiana, Maryland, New Jersey, & Pennsylvania | 2 |
| Colorado, Connecticut, Iowa, Michigan, Montana, Nebraska, Nevada, Ohio, Rhode Island, South Carolina, & Wisconsin | 1 |

HIPAA Enforcement Activity in September

The HHS’ Office for Civil Rights agreed to settle HIPAA violations with three healthcare providers in September. All three of the settlements resolved violations of the HIPAA Right of Access, where patients were not provided with timely access to their medical records. All three cases were investigated by OCR after patients filed complaints that they had not been provided with their requested medical records. Great Expressions Dental Center of Georgia was also discovered to have overcharged a patient for providing a copy of her medical records.

Great Expressions Dental Center of Georgia, P.C. settled its case for $80,000, Family Dental Care, P.C. settled its case for $30,000, and B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental, settled its case for $25,000. All three settlements involved a corrective action plan to address the areas of non-compliance.

OCR has now imposed 20 financial penalties on HIPAA-regulated entities to resolve HIPAA violations so far this year – more than any year to date.


Advocate Aurora Health: Website Tracking Code May Have Impermissibly Disclosed PHI of 3 Million Patients

A second health system has announced that patient data has been impermissibly passed to Meta (Facebook) as a result of the inclusion of Meta Pixel tracking code on its website. First came Novant Health, with its admission that the protected health information of 1.36 million patients had been sent to Meta. Now, Advocate Aurora Health has confirmed that it too included the tracking code, which resulted in the impermissible disclosure of the protected health information of up to 3,000,000 patients. These two healthcare systems are far from the only ones affected by the use of Meta Pixel and other third-party tracking code on their websites.

An analysis published by The Markup/STAT in June suggested one-third of the top 100 hospitals in the United States had included the code on their websites, including at least 6 that had incorporated the code within their password-protected patient portals. Following the discovery, patients affected by the breach took legal action against their healthcare providers and Meta over the impermissible disclosure. In some cases, their personal and private information was used to serve them targeted advertisements related to their medical conditions, as a result of their interactions on the websites of their healthcare providers. Lawsuits have been filed against Meta and Medstar Health System in Maryland, and against Meta and UCSF Medical Center/Dignity Health Medical Foundation.

Meta Pixel is a snippet of JavaScript code that website owners can add to their websites and web applications for the purpose of tracking visitor activity. In the case of healthcare providers, the code can be used for tracking the performance of advertising campaigns, as was the case with Novant Health, or identifying trends and preferences of patients. However, some of the data collected involved choices made via drop-down selection in web forms, which may have included information about medical conditions, and that information may have included personal identifiers.

The data collected through the Meta Pixel code snippet is sent to Meta, and that information may be made available to advertisers and used to serve targeted adverts. Meta has explained that it has technology in place to detect and identify data that it is not authorized to receive – such as medical information – which is stripped out and not made available to advertisers if it is detected. However, that does not appear to have always happened, according to the allegations made in the lawsuits.

There are two issues here: Consent had not been obtained from patients prior to their data being shared with Meta/Facebook and other third parties, and patients’ protected health information was impermissibly disclosed to Meta/Facebook or others when there was no business associate agreement in place, both of which are violations of the Health Insurance Portability and Accountability Act (HIPAA).

Advocate Aurora Health Breach Notification

Advocate Aurora Health is a non-profit health system with dual headquarters in Downers Grove, IL, and Milwaukee, WI. Advocate Aurora Health operates 27 hospitals, more than 500 outpatient locations, and serves around 3 million patients, all of whom may have been affected.

Advocate Aurora Health explained in its breach notification letters that Meta Pixel code was added to its website and applications “to understand how patients and others interact with our websites,” and for “identifying trends and preferences of patients.” Advocate Aurora Health also pointed out that many other hospitals and health systems had also used the code snippets on their websites and applications for similar purposes.

Advocate Aurora Health said it discovered that when individuals interacted with its websites and web applications while signed into their Google or Facebook accounts, in addition to data about their interactions on the websites and applications being shared with Google and Facebook/Meta, their identities would also have been disclosed. In some cases, those interactions may have included disclosures of protected health information.

“We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology,” explained Advocate Aurora Health. When this was discovered, the code snippets were either disabled or removed from its websites and web applications, and an internal investigation was launched to determine the extent to which patient data had been transmitted to third-party vendors.

Advocate Aurora Health explained that, out of an abundance of caution, the decision was taken to issue notifications to all patients who had an Advocate Aurora Health MyChart account, used the LiveWell application, or the scheduling widgets on its web platforms. The extent to which those patients were affected, if at all, depends on their interactions with the website and whether they were logged into their Google or Facebook accounts at the time.

Patients affected may have had one or more of the following types of information transmitted to Google, Facebook/Meta, or others:

  • IP address
  • Dates, times, and/or locations of scheduled appointments
  • Proximity to an Advocate Aurora Health location
  • Information about a patient’s provider
  • Type of appointment or procedure
  • Communications through MyChart, which may have included their first and last name and medical record number
  • Information about whether the patient was insured
  • If a patient had a proxy MyChart account, the patient’s first name and the first name of the patient’s proxy.

Advocate Aurora Health said its investigation indicates no Social Security numbers, financial account information, or credit/debit card information was impermissibly disclosed. Advocate Aurora Health said it has now implemented an enhanced, robust technology vetting process for any tracking technologies that it considers using in the future to ensure similar privacy violations do not occur again.


CommonSpirit Health Confirms System Outages Caused by Ransomware Attack

On October 3, 2022, CommonSpirit Health experienced a data security incident that forced it to take systems offline, including its electronic health record (EHR) and other critical IT systems. These steps were taken to protect systems from damage, contain the breach, and prevent unauthorized access to sensitive data. CommonSpirit Health issued a statement on October 4, 2022, that provided a brief explanation of the incident, stating there was an IT issue under investigation that had resulted in system outages at some of its hospitals and care facilities. CommonSpirit Health is one of the nation’s largest health systems and is the second-largest non-profit health system in the United States, consisting of around 1,500 clinics and hospitals in 21 states. CommonSpirit Health was formed by the merger of CHI Health and Dignity Health in 2019.

Soon after the incident, hospitals and other care facilities across the United States started to confirm that they had been affected, making it clear that the incident was having an impact nationwide. Several CHI Health facilities confirmed they had been affected and were operating under emergency procedures due to the lack of access to essential IT systems. Hospitals in Iowa, Illinois, Nebraska, Tennessee, and Washington all stated that the incident had affected them.

CHI Health issued a statement confirming that the incident at CommonSpirit Health was having an impact on some CHI Health facilities, and that as a precautionary step, some of its systems had been taken offline. Due to patient safety concerns, the decision was taken to cancel, postpone, or reschedule some patient appointments and procedures, access to the patient portal was temporarily suspended, and offline procedures were being followed for processing and managing prescription medications.

These measures were necessary to contain the attack and prevent damage to systems; however, they are having a significant impact on patients, who face delays in receiving medical care. Many are also struggling to get the medications they need to manage their health conditions. MercyOne, the operator of 230 healthcare facilities in Iowa, said the incident took its online scheduling system offline, which has prevented the system from being used to schedule online appointments in Central Iowa.

Several individuals claiming to be employees and patients of CommonSpirit Health have taken to social media sites to voice their concerns. Patients have claimed they have been unable to obtain medical care and prescriptions, including medications for managing cancer at home. Individuals claiming to be employees have explained that it has been a nightmare for staff due to having to work with paper charts. One nurse took to Reddit to explain that staff at the hospital had been unable to access the Downtime Epic EHR system to see patient histories, that the pharmacy was unable to verify orders and had to handwrite labels, and that lab orders had to be handwritten and faxed. It has now been 11 days since the attack, and the disruption is still being experienced, with IT systems still offline.

Ransomware Attack Confirmed

No details were initially released about the exact nature of the incident, although security researcher Kevin Beaumont said on Twitter shortly after the attack that the incident response chatter he had heard made it clear that this was a ransomware attack. That has now been confirmed by CommonSpirit Health. HIPAA Journal has not been able to establish at this stage which group is responsible for the attack.

CommonSpirit Health said in a recent update that the incident is an ongoing situation and the response is being managed, with assistance provided by leading cybersecurity specialists. Law enforcement, the Department of Health and Human Services, and other authorities have also been notified about the attack and are providing support.

CommonSpirit Health said that throughout the response, the priority has been to continue to provide the highest quality of care to its patients and ensure patient safety. A forensic investigation is underway to determine the extent of the attack and reviews are being conducted of its systems to determine if there has been any data impact. That process could take some time and further information will be made available when conclusions have been drawn from the investigation.

CHI Health facilities have been affected and are still facing disruption. CommonSpirit Health said it is working hard to bring systems back online safely and will restore functionality as fast as possible. CommonSpirit Health has confirmed that there has been a minimal impact on the systems used by Dignity Health and Virginia Mason Medical Center.

The post CommonSpirit Health Confirms System Outages Caused by Ransomware Attack appeared first on HIPAA Journal.

California Governor Signs Package of Bills to Improve Protections for Individuals Seeking Abortion Care

California has taken further steps to improve protections for individuals seeking abortion care and birth control. A package of bills has recently been signed into law by state governor Gavin Newsom, including new data privacy legislation that prohibits healthcare providers from releasing individuals’ medical information in response to subpoenas and requests from out-of-state.

The bill (AB 2091) was introduced by Assemblymember Mia Bonta (D-Oakland) in response to the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which removed the federal right to an abortion and put abortion rights in the hands of individual states. Following the decision, several states implemented bans or restrictions on abortions, and there are mounting fears that criminal investigations will be launched into women who seek abortions in other states.

HIPAA permits healthcare providers to provide PHI to law enforcement to support criminal investigations in limited circumstances. The HHS recently issued guidance to health care providers that stressed that HIPAA does not require regulated entities to disclose such information, and such disclosures may be considered HIPAA Privacy Rule violations in certain circumstances. Some healthcare providers may feel compelled to provide information to support law enforcement investigations into abortions performed on patients that reside in states with bans in place.

HIPAA permits states to introduce more stringent rules to protect patient privacy than the minimum standards of the HIPAA Privacy Rule. AB 2091, which was signed into law by Governor Newsom on September 27, 2022, ensures the privacy of women will be better protected as information related to legal abortions carried out in California cannot be legally disclosed to out-of-state entities.

Newsom also added his signature to AB 1242 which was passed by the California Legislature in September. AB 1242 prohibits Californian corporations from cooperating with out-of-state entities regarding lawful abortions performed in California. The bill, which was introduced by Assemblymember Rebecca Bauer-Kahan (D-Orinda), also prohibits law enforcement from knowingly arresting a person for aiding in a lawful abortion in California.

AB 2223 has been signed into law to ensure that pregnancy loss is not criminalized. The bill, introduced by Assemblymember Buffy Wicks (D-Oakland), prohibits people from being criminally or civilly liable for miscarriage, stillbirth, abortion, or perinatal death due to causes that occurred in utero.

Two bills have also been signed to improve access to reproductive healthcare services. SB 523, introduced by Senator Connie Leyva (D-Chino), expands access to birth control by requiring health plans to cover over-the-counter birth control without cost sharing, regardless of gender or health coverage status, and prohibits employment-related discrimination based on reproductive health decisions. SB 1375, introduced by Senate President pro Tempore Toni G. Atkins (D-San Diego), expands the training options available to Nurse Practitioners and Certified Nurse-Midwives for purposes of performing abortion care by aspiration techniques.

“An alarming number of states continue to outlaw abortion and criminalize women, and it’s more important than ever to fight like hell for those who need these essential services. We’re doing everything we can to protect people from any retaliation for accessing abortion care while also making it more affordable to get contraceptives,” said Governor Newsom. “Our Legislature has been on the frontlines of this fight, and no other legislative body in the country is doing more to protect these fundamental rights – I’m proud to stand with them again and sign these critical bills into law.”

The post California Governor Signs Package of Bills to Improve Protections for Individuals Seeking Abortion Care appeared first on HIPAA Journal.

GAO: HHS Should Strengthen Oversight of Medicare Telehealth and Help Providers Communicate Privacy Risks

The Government Accountability Office (GAO) recently conducted a review of Medicare telehealth services provided during the COVID-19 pandemic, when a waiver was in place that greatly expanded access to telehealth and virtual visits. The review covered the utilization of telehealth services, how the CMS identified and monitored risks under the Medicare waivers, and how the HHS’ Office for Civil Rights (OCR) changed its enforcement of HIPAA compliance with respect to telehealth during the COVID-19 public health emergency.

Under normal circumstances, telehealth services are covered by Medicare, but only in limited circumstances, such as when patients live in rural locations and do not have easy access to healthcare services. The increased need for telehealth due to the COVID-19 pandemic saw waivers issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) that expanded Medicare telehealth services and allowed virtual visits to be provided in a much broader range of circumstances. A notice of enforcement discretion was also issued by OCR stating enforcement actions would not be taken against healthcare providers over the good faith provision of telehealth services, even if non-public-facing technology was used that would not normally have been compliant with the HIPAA Rules.

Between April and December 2019, 5 million Medicare telehealth visits were conducted. During the same period in 2020, the number increased to 53 million. According to the GAO report, the CMS has not been able to comprehensively assess the quality of care provided to patients through telehealth visits, and there is concern that patients may not have been made fully aware of the privacy risks involved, which could have resulted in their sensitive health information being overheard or inappropriately disclosed.

OCR encouraged covered providers to inform patients about the potential privacy and security risks associated with telehealth services; however, OCR did not advise providers of the specific language to use when explaining those risks nor give direction to help providers explain the risks. “Providing such information to providers could help ensure that patients understand potential effects on their protected health information in light of the privacy and security risks associated with telehealth technology,” explained GAO in the report.

Under normal circumstances, a healthcare provider and a vendor of a communications platform must have a business associate agreement in place; however, that requirement was not enforced during the public health emergency. That could potentially increase the risk of a patient’s PHI being disclosed without their knowledge, and patients may not have been aware that such a change had occurred under OCR’s telehealth policy or that their privacy was not protected.

GAO also noted in the report that complaints had been filed about potential HIPAA Privacy and Security Rule violations with respect to telehealth visits. Five separate complaints were filed by patients over the use of technology for telehealth visits that was not compliant with the HIPAA Security Rule, and 37 privacy complaints were filed over matters such as the presence of third parties during appointments and instances where providers shared PHI without obtaining patient consent.

GAO has recommended that OCR provide additional education and outreach to help providers explain the privacy and security risks to patients associated with telehealth to make sure that those risks are fully understood. GAO emphasized the importance of providing patients with easy-to-understand information to allow them to carefully weigh the risks to their personal information, and improved communication about telehealth vendors’ privacy policies and HIPAA compliance to allow patients to better understand the privacy risks.

OCR concurred with the recommendations and said it will be providing additional guidance for healthcare providers on the provision of telehealth services, including help on how best to explain the privacy and security risks to patients in plain language.

GAO found there was incomplete data on audio-only and video telehealth visits conducted between April and December 2020. This was determined to be due to the lack of accurate billing codes used by insurance companies to track telehealth and virtual appointments and to identify when telehealth services were delivered to beneficiaries in their homes.

GAO recommended the CMS develop an additional billing modifier to allow the accurate tracking of audio-only office visits, to require providers to use service codes that indicate when Medicare telehealth services are delivered to beneficiaries in their homes, and for the Administrator of the CMS to comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the public health emergency.

The post GAO: HHS Should Strengthen Oversight of Medicare Telehealth and Help Providers Communicate Privacy Risks appeared first on HIPAA Journal.

August 2022 Healthcare Data Breach Report

For the third successive month, the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights has fallen, with 49 breaches of 500 or more records reported in August, well below the 12-month average of 58 breaches per month. The 25.75% decrease from July 2022 was accompanied by a significant reduction in breached records, which dropped almost 30% month over month.

healthcare data breaches in the past 12 months

Across the 45 data breaches, 3,741,385 healthcare records were exposed or impermissibly disclosed – well below the 5,135,953 records that were breached in August 2021, although slightly more than the 12-month average of 3,382,815 breached healthcare records per month.

Breached healthcare records over the past 12 months

Largest Healthcare Data Breaches Reported in August 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in August 2022; they are summarized in the table below. It should be noted that the exact nature of the data breach is not always reported by the breached entity, such as whether ransomware was used to encrypt files.

As the table below shows, the largest reported data breach of the month occurred at Novant Health and was due to the use of Meta Pixel, a third-party JavaScript code snippet, on the healthcare provider’s website. The code snippet is used on websites to track visitor activity, but it can send PHI to Meta (Facebook), which can then be used to serve targeted ads. Novant Health said a misconfiguration had resulted in the code being added behind the login on the patient portal.

So far, Novant Health is the only healthcare provider to report such a breach, even though investigations have revealed many other healthcare organizations have used the code snippet on their websites, several of which added the code to their patient portals. Multiple lawsuits have been filed over these privacy breaches.
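As an added example that is not HIPAA Journal’s, Novant Health’s, or Meta’s code, the JavaScript below audits the resource origins loaded on a patient-portal page, flags a known tracker loader such as Meta Pixel when it appears behind login (the misconfiguration described above), and builds a Content-Security-Policy that allows only first-party scripts and connections; the portal hostname, the tracker host list, and the sample resource list are constructed assumptions.

```javascript
// Added example (not HIPAA Journal's, Novant Health's or Meta's code):
// audit the script/network origins observed on a patient-portal page and
// flag third-party trackers loaded on an authenticated (behind-login) page.
// Hostnames below are assumptions chosen for illustration.

// Tracker hosts this audit recognises (assumed list; extend as needed).
const KNOWN_TRACKER_HOSTS = new Set([
  "connect.facebook.net", // Meta Pixel loader script (fbevents.js)
  "www.facebook.com",     // Meta Pixel beacon endpoint (/tr)
]);

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null; // relative or malformed URL: treat as unparseable
  }
}

// Classify every resource URL observed on a page.
// pageContext: { firstPartyHost, authenticated }
// Returns { firstParty: [...], thirdParty: [...], findings: [...] }
function auditPortalPage(resourceUrls, pageContext) {
  const { firstPartyHost, authenticated } = pageContext;
  const result = { firstParty: [], thirdParty: [], findings: [] };
  for (const url of resourceUrls) {
    const host = hostOf(url);
    if (host === null) {
      result.findings.push({ url, severity: "info", reason: "unparseable URL" });
      continue;
    }
    if (host === firstPartyHost || host.endsWith("." + firstPartyHost)) {
      result.firstParty.push(url);
      continue;
    }
    result.thirdParty.push(url);
    if (KNOWN_TRACKER_HOSTS.has(host)) {
      // A tracker behind login can forward PHI-bearing page data: highest severity.
      result.findings.push({ url, severity: authenticated ? "high" : "medium",
                             reason: `known tracker host ${host}` });
    } else if (authenticated) {
      result.findings.push({ url, severity: "low",
                             reason: "unreviewed third-party origin on authenticated page" });
    }
  }
  return result;
}

// Build a Content-Security-Policy restricting scripts, connections and images
// to the first party, so a tracker snippet added by mistake cannot load or beacon.
function buildPortalCsp(firstPartyHost) {
  const origin = `https://${firstPartyHost}`;
  return [
    "default-src 'self'",
    `script-src 'self' ${origin}`,
    `connect-src 'self' ${origin}`,
    `img-src 'self' ${origin} data:`,
    "frame-ancestors 'none'",
  ].join("; ");
}

// Constructed sample: resources seen on an authenticated portal page.
const SAMPLE_PORTAL_RESOURCES = [
  "https://portal.example-health.test/static/app.js",
  "https://cdn.portal.example-health.test/vendor.js",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView",
];

function demo() {
  return auditPortalPage(SAMPLE_PORTAL_RESOURCES,
    { firstPartyHost: "portal.example-health.test", authenticated: true });
}
```

Feeding the same audit the resource list of an unauthenticated marketing page downgrades the tracker findings to medium, which mirrors the distinction between analytics on a public site and analytics inside a patient portal.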

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|
| Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. | NC | Business Associate | 1,362,296 | Electronic Medical Record | Unauthorized disclosure to Meta through Meta Pixel code snippet on website |
| Practice Resources, LLC | NY | Business Associate | 942,138 | Network Server | Ransomware attack |
| Warner Norcross and Judd, LLP | MI | Business Associate | 255,160 | Network Server | Hacking and data theft incident |
| California Department of Corrections and Rehabilitation | CA | Healthcare Provider | 236,000 | Network Server | Hacking incident |
| Conifer Revenue Cycle Solutions, LLC | TX | Business Associate | 134,948 | Email | Hacking of Microsoft 365 environment |
| Common Ground Healthcare Cooperative | WI | Health Plan | 133,714 | Network Server | Ransomware attack on a business associate (OneTouchPoint) |
| Methodist McKinney Hospital | TX | Healthcare Provider | 110,244 | Network Server | Hacking and data theft incident |
| First Choice Community Health Care, Inc. | NM | Healthcare Provider | 101,541 | Network Server | Hacking incident |
| Onyx Technology LLC | MD | Business Associate | 96,814 | Network Server | Hacking incident |
| EmergeOrtho | NC | Healthcare Provider | 68,661 | Network Server | Ransomware attack |
| Lamoille Health Partners | VT | Healthcare Provider | 59,381 | Network Server | Ransomware attack |
| Henderson & Walton Women’s Center, P.C. | AL | Healthcare Provider | 34,306 | Email | Hacking incident |
| St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 31,573 | Network Server | Hacking incident at billing vendor |
| San Diego American Indian Health Center | CA | Healthcare Provider | 27,367 | Network Server | Hacking and data theft incident |
| Rock County Human Services Department | WI | Healthcare Provider | 25,610 | Email | Unauthorized access to email accounts |
| NorthStar HealthCare Consulting LLC | GA | Business Associate | 18,354 | Email | Unauthorized access to email accounts |
| Methodist Craig Ranch Surgical Center | TX | Healthcare Provider | 15,157 | Network Server | Hacking and data theft incident (Methodist McKinney) |
| Valley Baptist Medical Center – Harlingen | TX | Healthcare Provider | 11,137 | Network Server | Ransomware attack (Practice Resources) |

Causes of August 2022 Data Breaches

The above table shows that hacking incidents continue to be a major problem for the healthcare industry, with ransomware often used in the attacks. There has been a growing trend for attackers to conduct data theft and extortion attacks without using ransomware. While the consequences for patients may still be severe, attacks that do not encrypt files cause less disruption; however, a recent study by Proofpoint suggests that patient safety issues are still experienced after cyberattacks in which ransomware is not used. Around 22% of healthcare providers reported seeing an increase in mortality rate following a major cyberattack, and 57% reported poorer patient outcomes.

Healthcare organizations are vulnerable to email attacks, with phishing attacks a common cause of data breaches. There has also been an increase in the use of reverse proxies in attacks, which allow threat actors to steal credentials and bypass multifactor authentication to gain access to Microsoft (Office) 365 environments.

Causes of August 2022 Healthcare Data Breaches

35 of the month’s breaches (71.4%) were attributed to hacking/IT incidents and involved the exposure or theft of 2,337,485 healthcare records – 62.48% of the month’s reported breached records. The mean breach size was 66,785 records and the median breach size was 7,496 records.

There were 10 reported unauthorized access/disclosure incidents involving 1,398,595 records – 37.38% of the month’s breached records. The mean breach size was 139,860 records and the median breach size was 1,375 records. 1,362,296 of those records were breached in the Novant Health incident. There were 4 loss/theft incidents (2 losses; 2 theft) involving 5,305 records. The mean breach size was 1,326 records and the median breach size was 1,357 records.

The number of hacking incidents is reflected in the location of breached PHI, as shown in the chart below.

Location of Breached PHI in August

Data Breached by HIPAA Regulated Entity

Healthcare providers were the worst affected HIPAA-regulated entity type, with 35 data breaches reported. Nine breaches were reported by business associates, and 5 breaches were reported by health plans. Data breaches are not always reported by business associates directly, with some HIPAA-covered entities choosing to report breaches that occurred at their business associates. The chart below takes this into account and shows data breaches based on where they occurred. While 14 data breaches occurred at business associates in August, this is a notable reduction from the previous few months. In July there were 36 data breaches at business associates, and 40 in June.

August 2022 healthcare data breaches - HIPAA-regulated entity type

Geographic Distribution of Data Breaches

Healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August by HIPAA-regulated entities in 26 states, with Texas the worst affected with 8 reported data breaches.

| State | Breaches |
|---|---|
| Texas | 8 |
| North Carolina | 4 |
| Arkansas, California, & Michigan | 3 |
| Colorado, Florida, Illinois, New York, Vermont, Washington, & Wisconsin | 2 |
| Alabama, Arizona, Georgia, Idaho, Indiana, Louisiana, Maryland, Mississippi, New Hampshire, New Jersey, New Mexico, Ohio, Pennsylvania, & Virginia | 1 |

HIPAA Enforcement Activity in August 2022

There was one HIPAA enforcement action announced by OCR in August, and somewhat unusually, given the focus on the HIPAA Right of Access over the past three years, it related to the improper disposal of PHI. Of the past 25 enforcement actions that have resulted in financial penalties, only 5 have been for violations other than HIPAA Right of Access failures.

OCR launched an investigation of New England Dermatology and Laser Center after receiving a report on March 11, 2021, about the improper disposal of the PHI of 58,106 patients. In addition to failing to render PHI unreadable and indecipherable, OCR determined there was a failure to maintain appropriate administrative safeguards. The improper disposal of empty specimen containers with patient labels spanned from 2011 to 2021. New England Dermatology and Laser Center agreed to settle the case and paid a $300,640 penalty.

Lisa J. Pino stepped down as OCR Director in July 2022 and has now been replaced by Melanie Fontes Rainer. It remains to be seen where she will lead the department regarding the enforcement of HIPAA compliance, although HHS Secretary Xavier Becerra has stated that HIPAA Privacy Rule violations involving unauthorized disclosures of PHI related to abortion care and other forms of sexual and reproductive health care will be an enforcement priority of OCR.

The post August 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.