Healthcare Data Privacy

HC3 Highlights Privacy and Security Risks Associated with Emerging Technologies

Emerging technologies have the potential to revolutionize the healthcare industry. While there are many potential benefits, these technologies can introduce risks that could threaten patient privacy and safety. If vulnerabilities are not properly addressed, they could be exploited by malicious actors to gain access to sensitive patient data or internal networks, which could threaten patient safety.

The Health Sector Cybersecurity Coordination Center (HC3) has drawn attention to some of the most beneficial emerging technologies that have the potential to revolutionize clinical research, the monitoring and delivery of care, communication, data analysis, and data protection, and has highlighted some of the risks associated with these technologies.

Artificial intelligence systems can rapidly analyze big data, provide deeper patient insights, and accurately diagnose medical conditions from medical images and data far more quickly than humans, accelerating clinical decisions. While the uses of AI in healthcare are numerous, these systems can introduce risks.

AI systems need access to large amounts of data in order to learn, but there are concerns around patient privacy and the security of that data. The data sent to these systems must be protected at rest and in motion through end-to-end encryption, and robust access controls must be in place. AI systems could also allow the re-identification of patients from de-identified data, for example when de-identified data is combined with data from other sources.

5G cellular networks are around 10 to 100 times faster than regular cellular communications and there are many possible uses in healthcare, with the low latency expected to make telesurgery possible. 5G networks will support a much more extensive range of wearable and Internet of Medical Things (IoMT) devices. As with IoT, there are security threats that must be mitigated. Data transmitted via 5G networks must be properly secured, 5G devices must authenticate before connecting to networks, and any data stored on the IoMT devices must be secured with whole disk encryption. HC3 has highlighted the importance of having a Cybersecurity Bill of Materials to allow healthcare organizations to accurately assess the security of devices.

Nanotechnology has the potential to revolutionize the treatment of diseases through the delivery of drugs to specific cells. The technology could improve diagnostic imaging, and there is considerable potential for the provision of highly personalized medicine. There is concern, however, about the potential for malicious actors to “hack humans” in bioterrorist attacks: nanodevices could be taken out of action in denial-of-service attacks, and ransomware could be used to disrupt nanotechnology systems, with potentially fatal consequences.

These and other emerging technologies can all greatly benefit the healthcare industry and have the potential to improve patient outcomes and lower costs, but all risks associated with these technologies must be carefully assessed and managed to ensure that vulnerabilities cannot be exploited and patient privacy and safety are not put at risk.

The post HC3 Highlights Privacy and Security Risks Associated with Emerging Technologies appeared first on HIPAA Journal.

House Democrats Seek Answers from Meta on its Abortion Data Sharing Policies

Democratic leaders have demanded answers from Meta CEO Mark Zuckerberg about the role the company played in a criminal investigation in Nebraska into an alleged illegal abortion. Democrats from the Committee on Energy and Commerce wrote to the Meta CEO on August 31, 2022, to express their concern about the release of private communications that had taken place between a mother and her daughter about an abortion.

The police conducted a criminal investigation into Jessica Burgess, 41, and her daughter, Celeste Burgess, 18, over an alleged illegal abortion. The teenager is alleged to have had an illegal abortion after 20 weeks, then buried the fetus. When Roe v Wade was overturned, Nebraska was one of the states that made abortion illegal more than 20 weeks after fertilization.

The police launched an investigation after learning that a 17-year-old had unexpectedly given birth to a stillborn baby. The local police issued a warrant to Meta seeking access to conversations that had taken place between the mother and daughter on its platforms, according to a Deseret News report. Celeste Burgess was charged with three felony counts: performing an illegal abortion, performing the abortion without a licensed doctor, and then concealing a dead human body, along with two misdemeanors: concealing the death of another person and false reporting. Jessica Burgess was charged on two counts: performing an illegal abortion after 20 weeks and performing the abortion as a non-licensed doctor. Another individual, a 22-year-old man, was also charged with one misdemeanor: attempting to conceal the death of another person.

Meta issued a statement in response to the reporting of the case in the media seeking to correct factual errors in the stories, claiming “much of the reporting about Meta’s role in a criminal case against a mother and daughter in Nebraska is plain wrong.” Meta confirmed that the warrant made no mention of abortion. “We received valid legal warrants from local law enforcement on June 7, before the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. The warrants did not mention abortion at all,” said Meta. “Court documents indicate that police were at that time investigating the alleged illegal burning and burial of a stillborn infant. The warrants were accompanied by non-disclosure orders, which prevented us from sharing information about them. The orders have now been lifted.”

The Committee Democrats are seeking answers from Meta on its privacy policies regarding the protection of sensitive information of users of its platform and how the company ensures private information is protected while also complying with legal obligations, especially considering the company is likely to receive further requests from law enforcement seeking access to users’ sensitive data related to illegal abortions.

“We fear it is only a matter of time before Meta is asked by law enforcement to turn over personal data of users in which they specifically cite attempting or performing abortion as the crime being investigated,” wrote the Committee Democrats. “It is completely foreseeable that Meta may be asked to turn over other sensitive data based on conversations related to assisting a friend or family member with transportation to obtain an abortion or providing money for cab fare or hotel accommodations. The possibilities are endless and are endlessly troubling.”

Chairman Frank Pallone, Jr., Chairwoman of the Subcommittee on Health, Anna G. Eshoo, Chair of the Subcommittee on Oversight and Investigations, Diana DeGette, and Chair of the Subcommittee on Consumer Protection and Commerce, Jan Schakowsky, have requested a briefing regarding Meta’s treatment of personal data and its policies and procedures regarding the sharing of that data with law enforcement and other outside parties.


California Legislature Passes Bill Prohibiting the Sharing of Information About Abortions

The California legislature has passed a bill (AB-1242) that prohibits companies in the state from complying with warrants from other states that seek access to information about individuals seeking or providing abortions.

The decision of the U.S. Supreme Court to overturn Roe v. Wade removed the federal right to obtain an abortion. Several states had trigger laws in place that made abortion illegal in the event of Roe v. Wade being overturned. A dozen states have already made abortion illegal for state residents and several other states are considering implementing similar restrictions.

There are fears that legal action could be taken against individuals in those states if they seek access to abortions in other states, and that attempts may be made by state attorneys general and law enforcement to obtain information about individuals seeking abortion in states where abortion remains legal. Under the existing law in California, records of individuals must be provided if a search warrant is issued upon certain grounds. The law change prohibits the issuance of such a warrant related to investigations of individuals seeking abortions or individuals providing abortions. The new bill also prohibits local police from assisting with investigations into abortions, including providing cellphone location information of women who travel to California to obtain abortions.

Specifically, the bill prohibits “the issuance of an ex parte order authorizing interception of wire or other electronic communication or an order, or extension of an order, authorizing or approving the installation and use of a pen register or trap and trace device for the purpose of investigating or recovering evidence of a prohibited violation.”

Prohibited violations are defined as “a violation of a law that creates liability for, or arising out of, either prohibiting, facilitating, or obtaining an abortion or intending or attempting to provide, facilitate, or obtain an abortion that is lawful under California law.”

In the event that a state wishes to issue a search warrant seeking the identity of individuals or the content of their communications, those states would be required to attest that the information being sought is in no way related to investigations of abortions. If any Californian company chooses to comply with any such request, the state attorney general would be permitted to sue the company for a violation of state law.

The bill now awaits the signature of California Governor Gavin Newsom. Newsom has until September 30, 2022, to sign the bill into law.


Study Explores How Medical Apps are Sending Health Data to Facebook and Others

Sensitive information is being shared with data brokers and advertisers for the purpose of serving targeted advertisements, and not just by health apps and fitness trackers. HIPAA-covered entities are also sharing health data without patient consent, which puts them at risk of regulatory fines and lawsuits.

Many consumer health apps collect sensitive health data, including pregnancy and fertility trackers and personal fitness and exercise apps. These apps are fed data or directly collect that information through associated wearable devices, and that information may be shared with third parties or sold, as per the terms and conditions for use of the apps. If users do not wish to share their data, they can simply not use the apps.

However, there is growing concern over the sharing of identifiable health data by healthcare organizations covered by the Health Insurance Portability and Accountability Act, which places restrictions on uses and disclosures of identifiable protected health information. Many hospitals have recently been discovered to have used the Meta Pixel JavaScript code on their websites for tracking visitor activity and evaluating the effectiveness of their Facebook marketing campaigns. In some cases, the code has been included on pages within patient portals, and health information has been transferred to Meta without consent and used by Facebook advertisers to serve targeted, personalized advertisements. At least two lawsuits have been filed against healthcare providers over the privacy violations, and Novant Health has recently issued notifications to more than 1.3 million patients whose privacy was violated.

Study Explores How Medical Apps Share Healthcare Data with Social Media Networks

A recent study has explored how medical apps have been sharing sensitive health data. The researchers selected medical apps that were commonly used by patients that engaged with social media websites, including Facebook, to find information related to their medical condition. The study focused on five digital medicine companies and evaluated 32 different cross-site-tracking middleware types that used cookies to track individuals across the Internet and shared their browsing data with Facebook for purposes of advertising and lead generation. Specifically, the researchers focused on companies that were offering services to patient advocates in the cancer care community who were active users of social media sites.

Patients often use social media websites to get support from their peers, with Facebook being one of the most popular. Facebook is awash with adverts related to health conditions. According to the researchers, health and pharmaceutical companies spent more than 1 billion on Facebook mobile advertising alone in 2019. The health information revealed by patients to social media sites exposes them to these adverts and allows health and pharmaceutical companies to target very specific patient populations. The study focused on the cancer community because those patients were perceived to be vulnerable to online scams, medical misinformation, and privacy breaches through the use of cross-site-tracking middleware. The researchers focused their study on Facebook’s ad model, although the findings may well apply to other social media platforms.

How Patients Are Tracked and Served Targeted Advertisements

In a typical scenario, a cancer patient signs up to use a digital medicine or genetic testing app and agrees to the terms and conditions. The patient has or signs up for a Facebook account in a separate process. Vendors embed third-party tracking code on websites that share off-Facebook activity without a user’s consent.

The off-Facebook activity from the vendor is used to update ad interests algorithms on Facebook. Facebook’s algorithms then promote health-related ads based on the users’ health interests. Vendors can target ads to users with specific health interests, and may also attempt to enrich data through forms and quizzes, with the lead data passed from Facebook to the vendor’s CRM system.
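The tracking flow described above can be audited from the defender's side by inspecting what a page actually loads. The following Python script is an added example, not code from the study or from HIPAA Journal: it parses a page's HTML, flags scripts and image beacons served from the Meta Pixel's documented endpoints (the `connect.facebook.net` loader for `fbevents.js` and the `www.facebook.com/tr` beacon), records any other third-party resource, and raises the severity when the page path looks like part of a patient portal. The sample pages, the portal path hints and the pixel ID in the sample are constructed for the example.

```python
"""Audit HTML pages for embedded third-party tracking code such as the Meta Pixel.

Added example for this page; not code from HIPAA Journal or the cited study.
Assumes the conventional Meta Pixel loader pattern (fbevents.js plus an
fbq('init', ...) call); sample pages and path hints below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose scripts/beacons send browsing activity to an ad platform.
# Constructed starting list, not an exhaustive tracker inventory.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
}

# Inline-script markers for the Meta Pixel bootstrap.
INLINE_PATTERNS = [
    (re.compile(r"fbq\(\s*['\"]init['\"]"), "Meta Pixel fbq('init') call"),
    (re.compile(r"connect\.facebook\.net/[^'\"\s]*fbevents\.js"), "Meta Pixel loader URL"),
]

# Constructed path fragments that suggest a patient-facing portal page.
PORTAL_PATH_HINTS = ("/portal", "/patient", "/appointments", "/myhealth")


class TrackerScanner(HTMLParser):
    """Collect script/img sources and inline script bodies from one page."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []  # (kind, detail) tuples in document order
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            if attrs.get("src"):
                self._check_src("script", attrs["src"])
        elif tag == "img" and attrs.get("src"):
            self._check_src("img", attrs["src"])

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)  # HTMLParser hands script text to handle_data

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf)
            for pattern, label in INLINE_PATTERNS:
                if pattern.search(body):
                    self.findings.append(("inline-script", label))
            self._in_script = False

    def _check_src(self, kind, src):
        # Relative URLs have no hostname and are treated as first-party.
        host = urlparse(src).hostname or ""
        if host in TRACKER_HOSTS:
            self.findings.append((kind, f"{TRACKER_HOSTS[host]} from {host}"))
        elif host and host != self.first_party_host:
            self.findings.append((kind, f"third-party resource from {host}"))


def audit_page(html, page_url):
    """Scan one page; return findings and a risk flag for pixel code on portal paths."""
    parsed = urlparse(page_url)
    scanner = TrackerScanner(parsed.hostname or "")
    scanner.feed(html)
    scanner.close()
    pixel_hits = [f for f in scanner.findings if "Meta Pixel" in f[1]]
    in_portal = any(hint in parsed.path.lower() for hint in PORTAL_PATH_HINTS)
    return {
        "url": page_url,
        "findings": scanner.findings,
        "pixel_detected": bool(pixel_hits),
        "high_risk": bool(pixel_hits) and in_portal,
    }


# Constructed sample: a portal page carrying an (abbreviated) Pixel bootstrap and beacon.
SAMPLE_PORTAL_PAGE = """<!doctype html><html><head>
<script src="/static/app.js"></script>
<script>
!function(f,b,e,v){ /* abbreviated loader */ }(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script></head><body><h1>Schedule an appointment</h1>
<img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/>
</body></html>"""

# Constructed sample: an informational page with one ordinary third-party library.
SAMPLE_INFO_PAGE = """<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script></head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for html, url in [(SAMPLE_PORTAL_PAGE, "https://clinic.example/portal/appointments"),
                      (SAMPLE_INFO_PAGE, "https://clinic.example/about")]:
        print(audit_page(html, url))
```

In practice the HTML would come from a crawl of every route behind the portal login, and the third-party findings (not only the pixel hits) would be reconciled against the organisation's approved-vendor list and its business associate agreements.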

Privacy Policies and Data Sharing Practices Differ

While digital medicine or genetic testing apps have privacy policies that explain how data is collected and used, in some cases the privacy policies do not match the actual data sharing practices. All five of the apps had privacy policies, but three stated that health data would not be shared with advertisers even though that information was being shared.

All five apps are potentially covered by the Federal Trade Commission’s Health Breach Notification Rule, and two of the app providers were CLIA-certified labs that offer clinical genetic and diagnostic tests, and are therefore bound by HIPAA. In some cases, users were being tracked and data was being shared even though consent had not been obtained, and in some cases, users had been told that their health information would not be shared with Facebook or others.

A spokesperson for Meta said that health information should not be shared with the platform and that it has filters in place that can detect and remove health data to prevent it from being shared with advertisers; however, the filter does not detect all health data. The researchers point out that Facebook announced in November 2021 that the platform would be removing all detailed ad-targeting endpoints for sensitive health information.

The researchers suggest that the practice of tracking users and sharing their data with Facebook (and potentially other social media networks) could violate federal and industry regulations, especially the FTC’s Health Breach Notification Rule and potentially HIPAA. They also point out that since the introduction of the Health Breach Notification Rule, there has been no enforcement.

“We demonstrated that personal data and personal health data can be easily obtained without the aid of highly sophisticated cyberattack techniques but with rather commonplace third-party advertising tools,” said the researchers. While the study did not confirm any intentional deception of individuals, it was also unclear to what extent these companies were aware that user health data was being monitored and fed to Facebook for the purpose of serving targeted advertisements.

“These marketing tools reveal a dark pattern used to track vulnerable patient journeys across platforms as they browse online, in some ways unclear to the companies and patient populations who are engaging through Facebook,” concluded the researchers. “While the digital medicine ecosystem relies on social media to recruit and build their businesses through advertising-related marketing channels, these practices sometimes contradict their own stated privacy policies and promises to users.”

The study – Health advertising on Facebook: Privacy and policy considerations – was published in the journal Patterns on August 15, 2022.


July 2022 Healthcare Data Breach Report

In July 2022, 66 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights, which is a 5.71% reduction from the 70 data breaches reported in June 2022 and in July 2021. While the number of data breaches fell slightly from last month, data breaches are still being reported at well over the 12-month average of 57 breaches per month.

Healthcare data breaches in the past 12 months

For the second consecutive month, the number of exposed or impermissibly disclosed healthcare records topped 5 million. 5,331,869 records were breached across the 66 reported incidents, which is well above the 12-month average of 3,499,029 breached records a month. July saw 8.97% fewer records breached than June 2022 and 7.67% fewer than July 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches in July 2022

In July, 25 data breaches of 10,000 or more records were reported, 15 of which occurred at business associates of HIPAA-covered entities. The largest data breach was a ransomware attack on the accounts receivable management agency, Professional Finance Company. Cyberattacks on business associates can affect many different HIPAA-covered entities, as was the case with the PFC breach, which affected 657 HIPAA-covered entities. The breach was reported by PFC as affecting more than 1.9 million individuals, although some of those clients have reported the breach separately. It is unclear how many records in total were compromised in the ransomware attack.

The second largest data breach occurred at the Wisconsin mailing vendor, OneTouchPoint. This was also a ransomware attack and was reported by OneTouchPoint as affecting more than 1 million individuals, but as was the case with the PFC ransomware attack, some of its healthcare provider clients self-reported the data breach, including Aetna ACE Health Plan. Goodman Campbell Brain and Spine also suffered a major ransomware attack. The Indiana-based healthcare provider confirmed that the threat actors had uploaded the stolen data to their data leak site.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Business Associate Breach | Cause of Breach |
|---|---|---|---|---|---|
| Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Yes | Ransomware attack |
| OneTouchPoint, Inc. | WI | Business Associate | 1,073,316 | Yes | Ransomware attack |
| Goodman Campbell Brain and Spine | IN | Healthcare Provider | 362,833 | No | Ransomware attack – Data leak confirmed |
| Aetna ACE | CT | Health Plan | 326,278 | Yes | Ransomware attack on mailing vendor (OneTouchPoint) |
| Synergic Healthcare Solutions, LLC dba Fast Track Urgent Care Center | FL | Healthcare Provider | 258,411 | Yes | Hacking incident at billing vendor (PracticeMax) |
| Avamere Health Services, LLC | OR | Business Associate | 197,730 | Yes | Hacking incident – Data theft confirmed |
| BHG Holdings, LLC dba Behavioral Health Group | TX | Healthcare Provider | 197,507 | No | Hacking incident – Data theft confirmed |
| Premere Infinity Rehab, LLC | OR | Business Associate | 183,254 | Yes | Hacking incident at business associate (Avamere Health Services) – Data theft confirmed |
| Carolina Behavioral Health Alliance, LLC | NC | Business Associate | 130,922 | Yes | Hacking incident |
| Family Practice Center PC | PA | Healthcare Provider | 83,969 | No | Hacking incident |
| Kaiser Foundation Health Plan, Inc. (Southern California) | CA | Health Plan | 75,010 | No | Theft of device in a break-in at a storage facility |
| Magie Mabrey Hughes Eye Clinic, P.A. dba Arkansas Retina | AR | Healthcare Provider | 57,394 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| McLaren Port Huron | MI | Healthcare Provider | 48,957 | Yes | Hacking incident at business associate (MCG Health) – Data theft confirmed |
| Southwest Health Center | WI | Healthcare Provider | 46,142 | No | Hacking incident – Data theft confirmed |
| WellDyneRx, LLC | FL | Business Associate | 43,523 | Yes | Email account compromised |
| Associated Eye Care | MN | Healthcare Provider | 40,793 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Zenith American Solutions | WA | Business Associate | 37,146 | Yes | Mailing error |
| Benson Health | NC | Healthcare Provider | 28,913 | No | Hacking incident |
| Healthback Holdings, LLC | OK | Healthcare Provider | 21,114 | No | Email accounts compromised |
| East Valley Ophthalmology | AZ | Healthcare Provider | 20,734 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| Arlington Skin | VA | Healthcare Provider | 17,468 | No | Hacking incident at EHR management company (Virtual Private Network Solutions) |
| The Bronx Accountable Healthcare Network | NY | Healthcare Provider | 17,161 | No | Email accounts compromised |
| Granbury Eye Clinic | TX | Healthcare Provider | 16,475 | Yes | Ransomware attack on EHR vendor (Eye Care Leaders) |
| CHRISTUS Spohn Health System Corporation | TX | Healthcare Provider | 15,062 | No | Ransomware attack – Data leak confirmed |
| Central Maine Medical Center | ME | Healthcare Provider | 11,938 | Yes | Hacking incident at business associate (Shields Healthcare Group) |

Causes of July 2022 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in July, with 55 data breaches classed as hacking/IT incidents and ransomware attacks continuing to be a problem for the healthcare industry. 9 of the top 25 breaches were reported as ransomware attacks, although HIPAA-regulated entities often do not disclose the exact nature of cyberattacks or whether ransomware was involved. Across the hacking incidents, the records of 5,195,024 individuals were breached, which is 97.43% of all records breached in July. The average breach size was 94,455 records and the median breach size was 4,447 records. The median breach size is less than half the median breach size in June due to a large number of relatively small data breaches.

There were 8 unauthorized access/disclosure incidents reported involving 59,784 records. The average breach size was 7,473 records and the median breach size was 1,920 records. There were 3 incidents reported involving the loss of devices/physical documents containing PHI, and one reported theft. 77,061 records were exposed across those 3 incidents. The average breach size was 25,687 records and the median breach size was 1,201 records.

Causes of July 2022 healthcare data breaches

Unsurprisingly given the large number of hacking incidents, 56% of the month’s breaches involved PHI stored on network servers. 12 incidents involved unauthorized access to email accounts, caused by a mix of phishing and brute force attacks.

July 2022: location of breached PHI

There has been a marked increase in hybrid phishing attacks on the healthcare industry in recent months, in which emails with no malicious attachment or link are sent that include a phone number manned by the threat actor. According to Agari, Q2 2022 saw a 625% increase in hybrid phishing attacks, where initial contact was made via email with the scam taking place over the phone. Several ransomware groups have adopted this tactic as their main way of gaining initial access to victims’ networks. The lures used in the emails are typically notifications about upcoming charges that will be applied if the recipient does not call the number, such as the end of a free trial of a software solution or service or the renewal of a subscription for a product. In these attacks, the victim is tricked into opening a remote access session with the threat actor.

HIPAA Regulated Entities Affected by Data Breaches

Every month, healthcare providers are the worst affected HIPAA-regulated entity type, but there was a change in July, with business associates of HIPAA-regulated entities topping the list. 39 healthcare providers reported data breaches, but 15 of those breaches occurred at business associates. 10 health plans reported breaches, with 4 of those breaches occurring at business associates. 17 business associates self-reported breaches. The chart below shows the month’s data breaches based on where they occurred, rather than the reporting entity.

July 2022 healthcare data breaches by HIPAA-regulated entity type

July 2022 Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states, with Texas the worst affected with 10 data breaches.

| State | No. Breaches |
|---|---|
| Texas | 10 |
| Pennsylvania & Virginia | 5 |
| California, Florida, North Carolina & Wisconsin | 4 |
| Arizona, Connecticut, Georgia, Illinois, New Hampshire, Ohio, Oklahoma, & Oregon | 2 |
| Alabama, Arkansas, Colorado, Indiana, Iowa, Maine, Massachusetts, Michigan, Minnesota, Missouri, New York, Rhode Island, Washington, & Wyoming | 1 |

HIPAA Enforcement Activity in July 2022

From January to June, only 4 enforcement actions were announced by the HHS’ Office for Civil Rights; however, July saw a further 12 enforcement actions announced that resulted in financial penalties to resolve HIPAA violations. OCR has continued with its HIPAA Right of Access enforcement initiative, with 11 of the penalties imposed for the failure to provide patients with timely access to their medical records. 10 of those investigations were settled, and one was resolved with a civil monetary penalty.

July also saw one investigation settled with OCR that resolved multiple alleged violations of the HIPAA Rules that were uncovered during an investigation of a 279,865-record data breach at Oklahoma State University – Center for Health Sciences.

No HIPAA enforcement actions were announced by state attorneys general in July.

| Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |


Survey Confirms Patients Are Extremely Concerned About Healthcare Data Privacy

Healthcare data breaches are being reported in record numbers with tens of millions of patients having their healthcare data exposed or impermissibly disclosed every year. Healthcare data should remain private and confidential but it is clear that is no longer the case.

The American Medical Association (AMA) recently teamed up with the Savvy Cooperative to explore patients’ perspectives on the privacy of their medical information. They conducted a survey of 1,000 adults in the United States to better understand patients’ views on the privacy of healthcare data, with a view to determining how the healthcare industry and the government can help patients and their care teams better protect medical information and strengthen trust.

The survey confirmed that patients are deeply concerned about the lack of security and the inability to ensure their private healthcare data remains confidential. 92% of respondents to the survey believe privacy is a basic right and their health data should not be available for corporations or other individuals to buy. 94% of respondents said companies that collect, store, analyze, or use health data should be held accountable under the law, and almost 93% of patients want health app developers to publicize if and how their product adheres to industry standards for handling health data.

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, and there are strict rules concerning uses and disclosures of healthcare data; however, the survey confirmed that patients are unclear about the rules that protect their privacy, and they are concerned about who has access to their personal healthcare information. 75% of respondents said they were concerned about protecting the privacy of their health data.

“The AMA is highly concerned that patients’ private medical information is increasingly vulnerable and digital patient data is being shared beyond the confines of the HIPAA framework without protections of federal privacy,” said AMA President Jack Resneck Jr., MD, a concern heightened by the U.S. Supreme Court ruling overturning Roe v. Wade. “That medical information was previously being siphoned off and monetized was always a concern. Now, it’s a legal threat as zealous prosecutors can track patients and access their medical records to determine what medical services were provided.”

The survey confirmed that patients are comfortable with their healthcare providers having access to their healthcare data, but patients were least comfortable with social media sites, employers, and big technology companies accessing their healthcare data. 59% of patients were concerned that their health data could be used by companies to discriminate against them or their loved ones or exclude them from opportunities to find housing, gain employment, and receive benefits.

Almost 88% of patients said they think their physicians or hospitals should have the ability to review and verify the security of health apps before those apps gain access to their health data, yet federal regulations prohibit this. Patients also want to have the choice about how their health information is used, with 75% of patients wanting to have the option to opt-in before a company uses any of their health data, and over 75% wanting to receive a request prior to a company using their health data for a new purpose. Almost 80% of respondents said they want to be able to opt-out of sharing some or all of their health data.

The AMA said much more needs to be done to improve transparency about how apps use patient medical information, and it has identified and recommended additional actions to that end. The AMA has also developed a “Privacy by Design” toolkit that health app developers can use to build privacy controls into their apps.

The AMA is calling for all policymakers, in Congress and the administration, to take much-needed action to better protect health information.

The post Survey Confirms Patients Are Extremely Concerned About Healthcare Data Privacy appeared first on HIPAA Journal.

Digital Marketing and Analytics Company Files Lawsuit Against FTC Over Alleged Privacy Violations

Kochava, an Idaho-based digital marketing and analytics company that the Federal Trade Commission (FTC) alleges has violated the FTC Act with its data practices, has filed a lawsuit against the FTC.

Kochava’s primary business unit provides mobile advertising attribution through customizable software tools, which are provided under the software-as-a-service model. The software allows its customers to obtain data points and analytics for digital marketing campaigns and applications. The second business unit is an aggregator of third-party provided mobile device data, which Kochava makes available through its data marketplace, the Kochava Collective.

Following the Supreme Court’s decision to overturn Roe v. Wade, privacy advocates have voiced their concern about the potential for data brokers and law enforcement in some states to collect information about individuals who visit reproductive health clinics to seek advice about abortions. Shortly after the Supreme Court’s decision, the FTC announced its commitment to fully enforce the law against the illegal use and sharing of highly sensitive data, such as the collection and use of consumer location data and illegal privacy practices with respect to reproductive healthcare data.

The Kochava Collective provides data feeds and audience targeting to clients for marketing purposes. The FTC alleges the Kochava Collective provides precise geolocation data that is associated with Mobile Advertising Identifiers (MAIDs), which means it is possible to identify and track consumers when they visit sensitive locations such as reproductive health clinics, therapists’ offices, medical facilities, and addiction recovery centers. The FTC also alleges that the data is time-stamped, so it is possible to tell exactly when an individual visited a location, and that there are no technical controls in place to prohibit Kochava’s customers from tracking consumers when they visit those locations. The collection of latitude and longitude, IP address, and mobile advertising identifier information associated with consumers’ devices is a violation of the FTC Act, according to the FTC, which is seeking a permanent injunction against Kochava to prevent future FTC Act violations.

Kochava denies that its data can be used by its customers to identify and track individuals and claims that the FTC has misunderstood the services it provides. Kochava maintains that while the FTC is correct with respect to the collection of latitude and longitude, IP addresses, and MAIDs associated with consumer devices, those data elements are not received until days afterward, and the specific locations and consumers associated with MAIDs are not linked. Further, Kochava explains in the lawsuit that the FTC is wrong in its view that there are no technical controls in place to prevent its customers from tracking consumers when they visit sensitive locations. Kochava said it introduced a new capability on August 10, 2022, called Privacy Block, which allows its clients to shut off the collection of sensitive location data such as visits to healthcare providers.

Kochava maintains that it “operates consistently and proactively in compliance with all rules and laws, including those specific to privacy,” and that the FTC has threatened the company with a District Court lawsuit and a proposed settlement when both the lawsuit and settlement are based on inaccurate information. Kochava also alleges the FTC is overstepping its legal authority to enforce the FTC Act and is attempting to make the company a scapegoat in order to set a precedent across the ad tech industry. Kochava filed the lawsuit to get the Idaho federal court to intervene.

The post Digital Marketing and Analytics Company Files Lawsuit Against FTC Over Alleged Privacy Violations appeared first on HIPAA Journal.

Novant Health Notifies Patients About Unauthorized Disclosure of PHI via Meta Pixel Code on Patient Portal

Novant Health has recently notified patients about a breach of their protected health information due to the incorrect configuration of Meta Pixel code on its patient portal.

Code Snippet Sending Sensitive Patient Data to Meta

Earlier this year, an investigation conducted by The Markup into the use of Meta Pixel code on healthcare providers’ websites revealed 33 of the top 100 hospitals in the United States had included Meta Pixel code on their websites, and 7 of those hospitals had added the code to their password-protected patient portals. The 7 hospitals discovered by The Markup to have installed Meta Pixel on their patient portals were Community Health Network, FastMed, Edward-Elmhurst Health, Piedmont, Renown Health, WakeMed, and Novant Health.

Meta Pixel is a snippet of JavaScript code that is used to track website visitors, and the information gathered is sent to Meta (Facebook), which may be used to serve targeted ads. Meta claims that organizations that use Meta Pixel are not supposed to send sensitive data. If Meta discovers it has been sent sensitive data by mistake, it is filtered out to prevent the information from being used to serve targeted ads. That process does not appear to be working, and even if that information is filtered out, it is still being sent to Meta.
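A defender-side check prompted by the findings above, added here as an example and not code from the article, The Markup, or any of the hospitals named: it statically scans a page's HTML for the artefacts the standard Meta Pixel snippet leaves behind, so a compliance team can audit authenticated portal pages before patients reach them. The sample portal page, the placeholder pixel ID 000000000000000, and the function names `findMetaPixel` and `auditPage` are constructed for this illustration.

```javascript
// Added example (not from the article, The Markup, or Novant Health): a static audit that
// flags Meta Pixel artefacts in a page's HTML. The standard pixel snippet leaves three
// fingerprints: the fbevents.js loader URL passed to the inline bootstrap function,
// fbq('init', <pixel id>) / fbq('track', <event>) calls, and a <noscript> image beacon
// pointing at facebook.com/tr. The sample page and pixel ID 000000000000000 are constructed.

const LOADER_RE = /https?:\/\/connect\.facebook\.net\/[A-Za-z_]+\/fbevents\.js/g;
const FBQ_INIT_RE = /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g;
const FBQ_TRACK_RE = /fbq\(\s*['"]track(?:Custom)?['"]\s*,\s*['"]([^'"]+)['"]/g;
const BEACON_RE = /<img\b[^>]*\bsrc=["']([^"']*facebook\.com\/tr\?[^"']*)["']/gi;

// Collect capture group `group` (0 = whole match) for every match of a global regex.
function allMatches(re, text, group) {
  const out = [];
  re.lastIndex = 0; // global regexes are stateful; always rescan from the start
  let m;
  while ((m = re.exec(text)) !== null) out.push(m[group]);
  return out;
}

function findMetaPixel(html) {
  return {
    loaders: allMatches(LOADER_RE, html, 0),
    pixelIds: allMatches(FBQ_INIT_RE, html, 1),
    events: allMatches(FBQ_TRACK_RE, html, 1),
    beacons: allMatches(BEACON_RE, html, 1),
  };
}

// Rate a page. A pixel on an authenticated page (a patient portal) is rated high because,
// as the Novant Health notice describes, the tracker can observe menu selections,
// appointment details and free-text input entered by a logged-in patient.
function auditPage(html, { authenticated }) {
  const hits = findMetaPixel(html);
  const present = hits.loaders.length + hits.pixelIds.length + hits.beacons.length > 0;
  if (!present) return { present: false, severity: 'none', hits };
  return { present: true, severity: authenticated ? 'high' : 'medium', hits };
}

// Constructed sample: a portal page carrying an (abbreviated) Meta Pixel bootstrap.
const SAMPLE_PORTAL_HTML = `
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* ...standard pixel bootstrap elided... */}
 (window, document, 'script', 'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
fbq('track', 'Schedule');
</script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<form action="/appointments"><input name="reason"><button>Book</button></form>
</body></html>`;

// Constructed sample: the same form with no tracker.
const CLEAN_PAGE_HTML = '<html><body><form action="/appointments"></form></body></html>';

console.log(JSON.stringify(auditPage(SAMPLE_PORTAL_HTML, { authenticated: true }), null, 2));
console.log(JSON.stringify(auditPage(CLEAN_PAGE_HTML, { authenticated: true }), null, 2));
```

The scan is static, so it only catches pixels present in the served HTML; a tracker injected by a tag manager at runtime needs a browser-side or network-level check as well.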

In the weeks following the publication of the report, multiple lawsuits were filed on behalf of individuals whose personal and protected health information was disclosed to Meta via Meta Pixel code on healthcare provider websites. The lawsuits allege violations of federal and state privacy laws as the information was sent without obtaining express consent from patients.

A class action lawsuit was filed on behalf of a patient of Baltimore-based MedStar Health System, which alleges Meta Pixel has been used on the websites of at least 664 healthcare providers, allowing patient data to be sent to Meta in violation of the Health Insurance Portability and Accountability Act (HIPAA). Another lawsuit was filed against Meta and the University of California San Francisco and Dignity Health, with the lead plaintiff claiming to have been served targeted adverts following the disclosure of sensitive information about a health issue on the patient portal. Most recently, a similar lawsuit was filed against Meta and Northwestern Memorial Hospital in Chicago, IL.

Novant Health Notifies Patients About Meta Pixel Data Breach

Novant Health has recently notified an as-yet unspecified number of patients that some of their protected health information (PHI) has been sent to Meta. As far as HIPAA Journal has been able to establish, Novant Health is the first healthcare provider to issue breach notification letters to patients over the use of Meta Pixel code.

Novant Health explained in the breach notification letters that PHI was transferred to Meta due to “an incorrect configuration of [Meta] Pixel, an online tracking tool.” Novant Health said it wanted to be fully transparent over the data breach and the reasons for using the pixel code on its website.

“In May 2020, as our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goals of improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care,” explained Novant Health. “This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those advertisement efforts on Facebook; however, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”

When notified about the potential privacy violation, Novant Health immediately disabled and removed the pixel from the patient portal and launched an investigation to determine the extent to which information was being transferred to Meta. On June 17, 2022, Novant Health determined that PHI may have been inadvertently transferred based on the type of user activity on the patient portal. The information transferred would have varied from patient to patient, and may have included an individual’s email address, phone number, IP address, contact information entered into Emergency Contacts or Advanced Care Planning, appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes.

Novant Health said it has found no evidence that Meta or any other third party has acted upon the information provided. If an individual entered financial information or a Social Security number in free text boxes, that information may also have been sent to Meta. Novant Health said the individual notification letters would state if such information had been disclosed, and if so, complimentary credit monitoring services will be provided to affected individuals.

The post Novant Health Notifies Patients About Unauthorized Disclosure of PHI via Meta Pixel Code on Patient Portal appeared first on HIPAA Journal.

1H 2022 Healthcare Data Breach Report

Ransomware attacks are rife, hacking incidents are being reported at high levels, and there have been several very large healthcare data breaches reported so far in 2022. However, our analysis of healthcare data breaches reported in 1H 2022 shows that while data breaches are certainly being reported in high numbers, there has been a fall in the number of reported breaches compared to 1H 2021.

Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – the same number of data breaches reported in 2H, 2021. In 1H, 2021, 368 healthcare data breaches were reported to OCR, 21 more than in the corresponding period this year. That represents a 5.71% reduction in reported breaches.

Reported healthcare data breaches - 1H 2022

The number of healthcare records breached has continued to fall. In 1H, 2021, 27.6 million healthcare records were breached. In 2H, 2021, the number of breached records fell to 22.2 million, and the fall continued in 1H, 2022, when 20.2 million records were breached. That is a 9.1% fall from 2H, 2021, and a 26.8% reduction from 1H, 2021.

breached healthcare records - 1H 2022

While it is certainly good news that data breaches and the number of breached records are falling, the data should be treated with caution, as some major data breaches are not yet fully reflected in this report: data breaches at business associates where only a handful of the affected entities have reported the breach so far.

One notable breach is a ransomware attack on the HIPAA business associate Professional Finance Company. That one breach alone affected 657 HIPAA-covered entities, and only a few of those entities have reported the breach so far. Another major business associate breach, at Avamere Health Services, affected 96 senior living and healthcare facilities. The end-of-year breach report could tell a different story.

Largest Healthcare Data Breaches in 1H 2022

1H 2022 Healthcare Data Breaches of 500 or More Records

Breach Size (Records) | Number of Breaches
--------------------- | ------------------
500-1,000             | 61
1,001-9,999           | 132
10,000-99,999         | 117
100,000-249,999       | 20
250,000-499,999       | 7
500,000-999,999       | 6
1,000,000+            | 4


Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Business Associate Data Breach | Cause of Data Breach
---------------------- | ----- | ------------------- | -------------------- | -------------- | ------------------------------ | --------------------
Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking/IT Incident | Yes | Unspecified cyberattack
North Broward Hospital District (Broward Health) | FL | Healthcare Provider | 1,351,431 | Hacking/IT Incident | No | Cyberattack through the office of 3rd party medical provider
Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Hacking/IT Incident | Yes | Ransomware attack on EHR provider (Eye Care Leaders)
Baptist Medical Center | TX | Healthcare Provider | 1,243,031 | Hacking/IT Incident | No | Unspecified cyberattack
Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking/IT Incident | No | Ransomware attack
MCG Health, LLC | WA | Business Associate | 793,283 | Hacking/IT Incident | Yes | Unspecified hacking and data theft incident
Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Hacking/IT Incident | No | Ransomware attack
Morley Companies, Inc. | MI | Business Associate | 521,046 | Hacking/IT Incident | Yes | Unspecified hacking and data theft incident
Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | Hacking/IT Incident | No | Unspecified hacking incident
Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacking/IT Incident | No | Unauthorized access to email accounts
Monongalia Health System, Inc. | WV | Healthcare Provider | 492,861 | Hacking/IT Incident | No | Unspecified hacking incident
ARcare | AR | Healthcare Provider | 345,353 | Hacking/IT Incident | No | Malware infection
Super Care, Inc. dba SuperCare Health | CA | Healthcare Provider | 318,379 | Hacking/IT Incident | No | Unspecified hacking incident
Cytometry Specialists, Inc. (CSI Laboratories) | GA | Healthcare Provider | 312,000 | Hacking/IT Incident | No | Ransomware attack
South Denver Cardiology Associates, PC | CO | Healthcare Provider | 287,652 | Hacking/IT Incident | No | Unspecified hacking incident
Stokes Regional Eye Centers | SC | Healthcare Provider | 266,170 | Hacking/IT Incident | Yes | Ransomware attack on EHR provider (Eye Care Leaders)
Refuah Health Center | NY | Healthcare Provider | 260,740 | Hacking/IT Incident | No | Ransomware attack

Causes of 1H 2022 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in 1H 2022, accounting for 277 data breaches or 79.83% of all breaches reported in 1H. That represents a 7.36% increase from 2H, 2021, and a 6.44% increase from 1H, 2021. Across the hacking incidents in 1H, 2022, the protected health information of 19,654,129 individuals was exposed or compromised – 97.22% of all records breached in 1H, 2022.

That represents a 6.51% reduction in breached records from 2H, 2021, and a 26.56% reduction in breached records from 1H, 2021, showing that while hacking incidents are being conducted in very high numbers compared to previous years, the severity of those incidents has reduced.

The average hacking/IT incident breach size was 70,954 records in 1H, 2022, and the median breach size was 10,324 records. In 2H, 2021, the average breach size was 81,487 records with a median breach size of 5,989 records, and in 1H, 2021, the average breach size was 96,658 records and the median breach size was 6,635 records.

In 1H, 2022, there were 52 unauthorized access/disclosure breaches reported – 14.99% of all breaches in 1H, 2022. These incidents resulted in the impermissible disclosure of 278,034 healthcare records, 72.33% fewer records than in 2H, 2021, and 61.37% fewer records than in 1H, 2021. In 1H, 2022, the average breach size was 5,347 records and the median breach size was 1,421 records. In 2H, 2021, the average breach size was 14,778 records and the median was 1,946 records. In 1H, 2021, the average breach size was 9,725 records, and the median breach size was 1,848 records.

The number of loss, theft, and improper disposal incidents has remained fairly constant over the past 18 months, although the number of records exposed in these incidents increased in 1H, 2022 to 279,266 records, up 217.33% from 2H, 2021, and 422.53% from 1H, 2021.

Location of Breached Protected Health Information

Protected health information is stored in many different locations. Medical records are housed in electronic medical record systems, but a great deal of PHI is included in documents, spreadsheets, billing systems, email accounts, and many other locations. The chart below shows the locations where the breached PHI was stored. In several breaches, PHI was compromised in more than one location.

The data shows that by far the most common location of breached data is network servers, which is unsurprising given the high number of hacking incidents and ransomware attacks. Most data breaches do not involve electronic medical record systems; however, there have been breaches at electronic medical record providers this year, hence the increase in data breaches involving EHRs. The chart below also shows the extent to which email accounts are compromised. These incidents include phishing attacks and brute force attacks to guess weak passwords. HIPAA-regulated entities can reduce the risk of email data breaches by implementing multifactor authentication and having robust password policies and enforcing those policies. A password manager is recommended to make it easier for healthcare employees to set unique, complex passwords. It is also important not to neglect security awareness training for the workforce – a requirement for compliance with the HIPAA Security Rule.

Location of breached PHI

Where are the Data Breaches Occurring?

Healthcare providers are consistently the worst affected type of HIPAA-covered entity; however, the number of data breaches occurring at business associates has increased. Data breaches at business associates often affect multiple HIPAA-covered entities. These data breaches are shown on the OCR breach portal; however, they are not clearly reflected there because, oftentimes, a breach at a business associate is reported separately by each affected HIPAA-covered entity. Simply tallying up the reported breaches by the reporting entity does not reflect the extent to which business associate data breaches are occurring.

This has always been reflected in the HIPAA Journal data breach reports, and since June 2021, the reporting of data breaches by covered entity type was adjusted further to make business associate data breaches clearer by showing graphs of where the breach occurred, rather than the entity reporting the data breach. The HIPAA Journal data analysis shows the rising number of healthcare data breaches at business associates.

1H 2022 Data Breaches by State

As a general rule of thumb, U.S. states with the highest populations tend to be the worst affected by data breaches, so California, Texas, Florida, New York, and Pennsylvania tend to experience more breaches than sparsely populated states such as Alaska, Vermont, and Wyoming; however, data breaches are being reported all across the United States.

The data from 1H 2022 show that data breaches occurred in 43 states, D.C., and Puerto Rico, with healthcare data safest in Alaska, Iowa, Louisiana, Maine, New Mexico, South Dakota, and Wyoming, where no data breaches were reported in the first half of the year.

State | Number of Breaches
----- | ------------------
New York | 29
California | 23
New Jersey, Texas | 18
Florida, Ohio | 17
Michigan, Pennsylvania | 15
Georgia | 14
Virginia | 13
Illinois, Washington | 12
Massachusetts, North Carolina | 10
Colorado, Missouri, Tennessee | 9
Alabama, Arizona, Kansas | 8
Maryland | 7
Connecticut, South Carolina | 6
Oklahoma, Utah, West Virginia | 5
Indiana, Minnesota, Nebraska, New Hampshire | 4
Wisconsin | 3
Arkansas, Delaware, Mississippi, Montana, Nevada, District of Columbia | 2
Hawaii, Idaho, Kentucky, North Dakota, Oregon, Rhode Island, Vermont, Puerto Rico | 1

HIPAA Enforcement Activity in 1H 2022

HIPAA Journal tracks HIPAA enforcement activity by OCR and state attorneys general in the monthly and annual healthcare data breach reports. In 2016, OCR started taking a harder line on HIPAA-regulated entities that were discovered to have violated the HIPAA Rules and increased the number of financial penalties imposed, with peak enforcement occurring in 2019 when 19 financial penalties were imposed.

2022 has started slowly in terms of HIPAA enforcement actions, with just 4 financial penalties imposed by OCR in 1H, 2022. However, that should not be seen as OCR going easy on HIPAA violators. In July 2022, OCR announced 12 financial penalties to resolve HIPAA violations, bringing the annual total up to 16. HIPAA Journal records show only one enforcement action taken by state attorneys general so far in 2022.

Limitations of this Report

The nature of breach reporting makes generating accurate data breach reports challenging. HIPAA-regulated entities are required to report data breaches to OCR within 60 days of a data breach occurring; however, the number of individuals affected may not be known at that point. As such, data breaches are often reported with an interim figure, which may be adjusted up or down when the investigation is completed. Many HIPAA-regulated entities report data breaches using a placeholder of 500 records, and then submit an amendment, so the final totals may not be reflected in this report. Data for this report was compiled on August 10, 2022.

While data breaches should be reported within 60 days of discovery, there has been a trend in recent years for data breaches to be reported within 60 days of the date when the investigation has confirmed how many individuals have been affected, even though the HIPAA Breach Notification Rule states that the date of discovery is the date the breach is discovered, not the date when investigations have been completed. Data breaches may have occurred and been discovered several months ago, but have not yet been reported. These will naturally not be reflected in this report.

This report is based on data breaches at HIPAA-regulated entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. If an entity is not subject to HIPAA, it is not included in this report, even if it operates in the healthcare industry.

The post 1H 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.