Healthcare Data Privacy

1H 2022 Healthcare Data Breach Report

Posted by HIPAA Journal

Ransomware attacks are rife, hacking incidents are being reported at high levels, and there have been several very large healthcare data breaches reported so far in 2022; however, our analysis of healthcare data breaches reported in 1H 2022, shows that while data breaches are certainly being reported in high numbers, there has been a fall in the number of reported breaches compared to 1H 2021.

Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – the same number of data breaches reported in 2H, 2021. In 1H, 2021, 368 healthcare data breaches were reported to OCR, 21 fewer breaches than the corresponding period this year. That represents a 5.71% reduction in reported breaches.

Reported healthcare data breaches - 1H 2022

The number of healthcare records breached has continued to fall. In 1H, 2021, 27.6 million healthcare records were breached. In 2H, 2021, the number of breached records fell to 22.2 million, and the fall continued in 1H, 2022, when 20.2 million records were breached. That is a 9.1% fall from 2H, 2021, and a 26.8% reduction from 1H, 2021.

breached healthcare records - 1H 2022

While it is certainly good news that data breaches and the number of breached records are falling, the data should be treated with caution, as there have been some major data breaches reported that are not yet reflected in this breach report – Data breaches at business associates where only a handful of affected entities have reported the data breaches so far.

One notable breach is a ransomware attack on the HIPAA business associate, Professional Finance Company. That one breach alone affected 657 HIPAA-covered entities, and only a few of those entities have reported the breach so far. Another major business associate breach, at Avamere Health Services, affected 96 senior living and healthcare facilities. The end-of-year breach report could tell a different story.

Largest Healthcare Data Breaches in 1H 2022

1H 2022 Healthcare Data Breaches of 500 or More Records
500-1,000 Records 1,001-9,999 Records 10,000- 99,000 Records 100,000-249,999 Records 250,000-499,999 Records 500,000 – 999,999 Records 1,000,000+ Records
61 132 117 20 7 6 4

 

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Business Associate Data Breach Cause of Data Breach
Shields Health Care Group, Inc. MA Business Associate 2,000,000 Hacking/IT Incident Yes Unspecified cyberattack
North Broward Hospital District (Broward Health) FL Healthcare Provider 1,351,431 Hacking/IT Incident No Cyberattack through the office of 3rd party medical provider
Texas Tech University Health Sciences Center TX Healthcare Provider 1,290,104 Hacking/IT Incident Yes Ransomware attack on EHR provider (Eye Care Leaders)
Baptist Medical Center TX Healthcare Provider 1,243,031 Hacking/IT Incident No Unspecified cyberattack
Partnership HealthPlan of California CA Health Plan 854,913 Hacking/IT Incident No Ransomware attack
MCG Health, LLC WA Business Associate 793,283 Hacking/IT Incident Yes Unspecified hacking and data theft incident
Yuma Regional Medical Center AZ Healthcare Provider 737,448 Hacking/IT Incident No Ransomware attack
Morley Companies, Inc. MI Business Associate 521,046 Hacking/IT Incident Yes Unspecified hacking and data theft incident
Adaptive Health Integrations ND Healthcare Provider 510,574 Hacking/IT Incident No Unspecified hacking incident
Christie Business Holdings Company, P.C. IL Healthcare Provider 502,869 Hacking/IT Incident No Unauthorized access to email accounts
Monongalia Health System, Inc. WV Healthcare Provider 492,861 Hacking/IT Incident No Unspecified hacking incident
ARcare AR Healthcare Provider 345,353 Hacking/IT Incident No Malware infection
Super Care, Inc. dba SuperCare Health CA Healthcare Provider 318,379 Hacking/IT Incident No Unspecified hacking incident
Cytometry Specialists, Inc. (CSI Laboratories) GA Healthcare Provider 312,000 Hacking/IT Incident No Ransomware attack
South Denver Cardiology Associates, PC CO Healthcare Provider 287,652 Hacking/IT Incident No Unspecified hacking incident
Stokes Regional Eye Centers SC Healthcare Provider 266,170 Hacking/IT Incident Yes Ransomware attack on EHR provider (Eye Care Leaders)
Refuah Health Center NY Healthcare Provider 260,740 Hacking/IT Incident No Ransomware attack

Causes of 1H 2022 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in 1H 2022, accounting for 277 data breaches or 79.83% of all breaches reported in 1H. That represents a 7.36% increase from 2H, 2021, and a 6.44% increase from 1H, 2021. Across the hacking incidents in 1H, 2022, the protected health information of 19,654,129 individuals was exposed or compromised – 97.22% of all records breached in 1H, 2022.

That represents a 6.51% reduction in breached records from 2H, 2021, and a 26.56% reduction in breached records from 1H, 2021, showing that while hacking incidents are being conducted in very high numbers compared to previous years, the severity of those incidents has reduced.

The average hacking/IT incident breach size was 70,954 records in 1H, 2022 and the median breach size was 10,324 records. In 2H, 2022, the average breach size was 81,487 records with a median breach size of 5,989 records, and in 1H, 2021, the average breach size was 96,658 records and the median breach size was 6,635 records.

In 1H, 2022, there were 52 unauthorized access/disclosure breaches reported – 14.99% of all breaches in 1H, 2022. These incidents resulted in the impermissible disclosure of 278,034 healthcare records, 72.33% fewer records than in 2H, 2021, and 61.37% fewer records than in 1H, 2021. In 1H, 2022, the average breach size was 5,347 records and the median breach size was 1,421 records. In 1H, 2021, the average breach size was 14,778 records and the median was 1,946 records. In 1H, 2021, the average breach size was 9,725 records, and the median breach size was 1,848 records.

The number of loss, theft, and improper disposal incidents has remained fairly constant over the past 18 months, although the number of records exposed in these incidents increased in 1H, 2022 to 279,266 records, up 217.33% from 2H, 2021, and 422.53% from 1H, 2021.

Location of Breached Protected Health Information

Protected health information is stored in many different locations. Medical records are housed in electronic medical record systems, but a great deal of PHI is included in documents, spreadsheets, billing systems, email accounts, and many other locations. The chart below shows the locations where PHI was stored. In several security breaches, PHI was breached in several locations.

The data shows that by far the most common location of breached data is network servers, which is unsurprising given the high number of hacking incidents and ransomware attacks. Most data breaches do not involve electronic medical record systems; however, there have been breaches at electronic medical record providers this year, hence the increase in data breaches involving EHRs. The chart below also shows the extent to which email accounts are compromised. These incidents include phishing attacks and brute force attacks to guess weak passwords. HIPAA-regulated entities can reduce the risk of email data breaches by implementing multifactor authentication and having robust password policies and enforcing those policies. A password manager is recommended to make it easier for healthcare employees to set unique, complex passwords. It is also important not to neglect security awareness training for the workforce – a requirement for compliance with the HIPAA Security Rule.

Location of breached PHI

Where are the Data Breaches Occurring?

Healthcare providers are consistently the worst affected type of HIPAA-covered entity; however, the number of data breaches occurring at business associates has increased. Data breaches at business associates often affect multiple HIPAA-covered entities. These data breaches are shown on the OCR breach portal; however, they are not clearly reflected as, oftentimes, a breach at a business associate is self-reported by each HIPAA-covered entity. Simply tallying up the reported breaches by the reporting entity does not reflect the extent to which business associate data breaches are occurring.

This has always been reflected in the HIPAA Journal data breach reports, and since June 2021, the reporting of data breaches by covered entity type was adjusted further to make business associate data breaches clearer by showing graphs of where the breach occurred, rather than the entity reporting the data breach. The HIPAA Journal data analysis shows the rising number of healthcare data breaches at business associates.

1H 2022 Data Breaches by State

As a general rule of thumb, U.S. states with the highest populations tend to be the worst affected by data breaches, so California, Texas, Florida, New York, and Pennsylvania tend to experience more breaches than sparsely populated states such as Alaska, Vermont, and Wyoming; however, data breaches are being reported all across the United States.

The data from 1H 2022, shows data breaches occurred in 43 states, D.C. and Puerto Rico, with healthcare data safest in Alaska, Iowa, Louisiana, Maine, New Mexico, South Dakota, & Wyoming, where no data breaches were reported in the first half of the year.

State Number of Breaches
New York 29
California 23
New Jersey & Texas 18
Florida & Ohio 17
Michigan & Pennsylvania 15
Georgia 14
Virginia 13
Illinois & Washington 12
Massachusetts & North Carolina 10
Colorado, Missouri, & Tennessee 9
Alabama, Arizona, & Kansas 8
Maryland 7
Connecticut & South Carolina 6
Oklahoma, Utah, & West Virginia 5
Indiana, Minnesota, Nebraska, & New Hampshire 4
Wisconsin 3
Arkansas, Delaware, Mississippi, Montana, Nevada, & the District of Columbia 2
Hawaii, Idaho, Kentucky, North Dakota, Oregon, Rhode Island, Vermont, and Puerto Rico 1

HIPAA Enforcement Activity in 1H 2022

HIPAA Journal tracks HIPAA enforcement activity by OCR and state attorneys general in the monthly and annual healthcare data breach reports. In 2016, OCR started taking a harder line on HIPAA-regulated entities that were discovered to have violated the HIPAA Rules and increased the number of financial penalties imposed, with peak enforcement occurring in 2019 when 19 financial penalties were imposed.

2022 has started slowly in terms of HIPAA enforcement actions, with just 4 financial penalties imposed by OCR in 1H, 2022. However, that should not be seen as OCR going easy on HIPAA violators. In July 2022, OCR announced 12 financial penalties to resolve HIPAA violations, bringing the annual total up to 16. HIPAA Journal records show only one enforcement action taken by state attorneys general so far in 2022.

Limitations of this Report

The nature of breach reporting makes generating accurate data breach reports challenging. HIPAA-regulated entities are required to report data breaches to OCR within 60 days of a data breach occurring; however, the number of individuals affected may not be known at that point. As such, data breaches are often reported with an interim figure, which may be adjusted up or down when the investigation is completed. Many HIPAA-regulated entities report data breaches using a placeholder of 500 records, and then submit an amendment, so the final totals may not be reflected in this report. Data for this report was compiled on August 10, 2022.

While data breaches should be reported within 60 days of discovery, there has been a trend in recent years for data breaches to be reported within 60 days of the date when the investigation has confirmed how many individuals have been affected, even though the HIPAA Breach Notification Rule states that the date of discovery is the date the breach is discovered, not the date when investigations have been completed. Data breaches may have occurred and been discovered several months ago, but have not yet been reported. These will naturally not be reflected in this report.

This report is based on data breaches at HIPAA-regulated entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. If an entity is not subject to HIPAA, they are not included in this report, even if they operate in the healthcare industry.

The post 1H 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites

Posted by HIPAA Journal

Meta is facing another class action lawsuit over the unlawful collection and sharing of health data without content. The lawsuit was filed in the Northern District of California on behalf of plaintiff, Jane Doe. The lawsuit alleges Meta and its companies, including Facebook, have been collecting the sensitive health data of millions of patients without obtaining express consent and have used the information to serve individuals with targeted advertisements.

Jane Doe was a patient of UCSF Medical Center and Dignity Health Medical Foundation and claims her sensitive health was unlawfully obtained by Meta when she entered the information into the UCSF Medical Center online patient portal. UCSF Medical Center had added Meta Pixel code to the web pages of the patient portal. Meta Pixel is a snippet of JavaScript code that is used to track website visitors. The code records and transmits to Meta the web pages that a user visits. If the code is present on a web page with a form, such as those used to book appointments, the selections from drop-down boxes are recorded and transmitted. Those selections could indicate a patient’s medical condition or why an appointment has been booked.

One of the targeted Facebook adverts served to Jane Doe. Source: Jane Doe v. Meta Platforms, Inc. F/K/A Facebook, Inc., UCSF Medical Center, and Dignity Health Medical Foundation.

Jane Doe said she has been a user of Facebook since 2012 and alleges her privacy has been violated, as her information was collected and used without her consent. The information entered on the form was used by Meta to serve her with targeted advertisements related to her medical condition. The lawsuit alleges a violation of HIPAA, as neither UCSF Medical Center nor Dignity Health Medical Foundation had entered into a business associate agreement with Meta or Facebook, and at no point did Meta, Facebook, or the hospitals obtain content or inform patients that their information was being provided to Meta to deliver targeted advertisements.

Under HIPAA, healthcare providers are permitted to disclose an individual’s protected health information to another HIPAA-covered entity or a third-party vendor for reasons related to treatment, payment, or healthcare operations, and in such cases, consent is not required from the patient. Most other disclosures require a HIPAA-covered entity to enter into a business associate agreement with the third party prior to any disclosure of PHI, and content is required from the individuals whose PHI is disclosed.

There is no private right of action in HIPAA, so it is not possible for individuals to sue their healthcare providers for HIPAA violations, but there are often equivalent federal and state laws that do have a private right of action. In this case, the lawsuit makes sixteen claims including common law invasion of privacy – intrusion upon seclusion, invasion of privacy, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Constitution, California Confidentiality of Medical Information Act (CMIA), California Business and Professions Code, California Invasion of Privacy Act, the Comprehensive Computer Data Access and Fraud Act, and the Federal Wiretap Act.

The lawsuit alleges the plaintiff and class members have suffered damage and loss as a result of the conduct of the defendants, which has deprived the plaintiff and class members of control of their valuable property, the ability to obtain compensation for their data, the ability to withhold their data from sale, and that the violations have resulted in irreparable and incalculable harm and injuries. The lawsuit seeks damages and injunctive and equitable relief.

The lawsuit makes similar allegations to another lawsuit filed against Meta, in that case by plaintiff John Doe, who was a patient of MedStar Health in Maryland. The Markup recently conducted an investigation into the sharing of healthcare data with Meta/Facebook via Meta Pixel on hospital websites and found that 33 of the top 100 hospitals in the United States had the Meta Pixel code on their websites, and 7 hospitals had the code installed on their patient portals behind logins, yet consent to share data was not obtained.

The post Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites appeared first on HIPAA Journal.

June 2022 Healthcare Data Breach Report

Posted by HIPAA Journal

June 2022 saw 70 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – two fewer than May and one fewer than June 2021. Over the past 12 months, from July 2021 to June 2022, 692 large healthcare data breaches have been reported and the records of 42,431,699 individuals have been exposed or impermissibly disclosed. The past two months have seen data breaches reported at well over the 12-month average of 57.67 breaches a month.

The past 6 months have seen data breaches reported at similar levels to the second half of 2021 (345 in 1H 2022 v 347 in 2H 2021), but data breaches are down 6.25% from the first half of 2021 (368 in 1H 2021 v 345 in 2H 2022).

Healthcare data breaches in the past 12 months

For the third successive month, the number of exposed or compromised records has increased. In June, 5,857,143 healthcare records were reported as breached. That is the highest monthly total so far in 2022. June saw 32.48% more records breached than the previous month and 65.64% more than the monthly average over the past 12 months.

While huge numbers of healthcare records are being breached, fewer records were breached in the first half of 2022 than were breached in either the first half or the second half of 2021. In 1H 2022, 20,191,930 records were breached – 26.84% fewer than the 27,600,651 records breached in 1H 2021 and 9.2% fewer than the 22,239,769 records breached in 2H 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches Reported in June 2022

There were 31 reported breaches of 10,000 or more healthcare records in June – the same number as May 2022  – two of which affected more than 1.2 million individuals. Several healthcare providers submitted breach reports in June 2022 due to the ransomware attack on the HIPAA business associate, Eye Care Leaders. At least 37 healthcare providers are now known to have been affected by that ransomware attack and more than 3 million records are known to have been exposed in the attack.

Name of Covered Entity State Covered Entity Type Individuals Affected Location of Breached Information Cause of Breach
Texas Tech University Health Sciences Center TX Healthcare Provider 1,290,104 Other Eye Care Leaders ransomware attack
Baptist Medical Center TX Healthcare Provider 1,243,031 Network Server Ransomware attack
MCG Health, LLC WA Business Associate 793,283 Network Server Unspecified hacking and data theft incident
Yuma Regional Medical Center AZ Healthcare Provider 737,448 Network Server Ransomware attack
Stokes Regional Eye Centers SC Healthcare Provider 266,170 Network Server Eye Care Leaders ransomware attack
Spectrum Eye Physicians CA Healthcare Provider 175,000 Network Server Eye Care Leaders ransomware attack
90 Degree Benefits, Inc. WI Business Associate 172,450 Network Server Unspecified hacking incident
Michigan Avenue Immediate Care IL Healthcare Provider 144,104 Network Server Unspecified hacking and data theft incident
Mattax Neu Prater Eye Center, Inc. MO Healthcare Provider 92,361 Electronic Medical Record Eye Care Leaders ransomware attack
Sight Partners Physicians, P.C. WA Healthcare Provider 86,101 Electronic Medical Record Eye Care Leaders ransomware attack
Clinivate LLC CA Business Associate 77,652 Network Server Unspecified hacking incident – No information publicly released
Kaiser Foundation Health Plan of Washington WA Healthcare Provider 69,589 Email Compromised email account
Carolina Eyecare Physicians, LLC SC Healthcare Provider 68,739 Electronic Medical Record Eye Care Leaders ransomware attack
Precision Eye Care, Ltd. MO Healthcare Provider 58,462 Electronic Medical Record Eye Care Leaders ransomware attack
Resolute Health Hospital TX Healthcare Provider 54,239 Network Server Ransomware attack
Aloha Laser Vision HI Healthcare Provider 43,263 Electronic Medical Record Eye Care Leaders ransomware attack
Center for Sight, Inc. MA Healthcare Provider 41,041 Electronic Medical Record Eye Care Leaders ransomware attack
McCoy Vision Center AL Healthcare Provider 33,930 Electronic Medical Record Eye Care Leaders ransomware attack
Chesapeake Eye Center PA MD Healthcare Provider 32,770 Network Server Eye Care Leaders ransomware attack
Kevin Wolf, DPM d/b/a Goldsboro Podiatry NC Healthcare Provider 30,669 Network Server Unspecified hacking incident
Long Vision Center TX Healthcare Provider 29,237 Electronic Medical Record Eye Care Leaders ransomware attack
Foxhall Ob Gyn Associates DC Healthcare Provider 27,000 Other No information
Alabama Eye &Cataract, P.C. AL Healthcare Provider 26,000 Network Server Eye Care Leaders ransomware attack
Lori A. Harkins MD, P.C. dba Harkins Eye Clinic NE Healthcare Provider 23,993 Electronic Medical Record Eye Care Leaders ransomware attack
DialAmerica Marketing, Inc. NJ Business Associate 19,796 Network Server Unspecified hacking incident
Central Florida Inpatient Medicine FL Healthcare Provider 19,625 Email Compromised email account
Yale New Haven Hospital CT Healthcare Provider 19,496 Other Data exposed on a public-facing website
Cherry Creek Eye Physicians and Surgeons, P.C. CO Healthcare Provider 17,732 Electronic Medical Record Eye Care Leaders ransomware attack
Bayhealth Medical Center, Inc. DE Healthcare Provider 17,481 Network Server Ransomware attack on business associate (Professional Finance Company)
Kernersville Eye Surgeons, P.C. NC Healthcare Provider 13,412 Electronic Medical Record Eye Care Leaders ransomware attack
Phelps County Regional Medical Center d/b/a Phelps Health MO Healthcare Provider 12,602 Network Server Data breach at business associate (MCG Health)

Causes of June 2022 Healthcare Data Breaches

As the above table shows, ransomware attacks on healthcare organizations continue to be reported in high numbers. 20 of the 31 affecting 10,000 or more individuals have been confirmed as involving ransomware. When these attacks occur at business associates they can affect many different HIPAA-covered entities. As mentioned, the Eye Care Leaders ransomware attack has affected at least 37 eye care providers, and a ransomware attack on Professional Finance Company affected 657 of its healthcare provider clients.

There is no sign that ransomware attacks on healthcare providers will slow. This month, CISA has warned the health and public health sector that North Korean state-sponsored hackers are known to be targeting the sector and are using ransomware for extortion.

Hacking incidents continue to dominate the breach reports, with all but two of the top 31 breaches involving hacking. 81% of the month’s breaches were reported as hacking/IT incidents, and across those 57 incidents, the records of 5,784,009 were breached – 98.75% of all the breached records in June. The average breach size was 101,474 records and the median breach size was 12,602 records.

There were 6 unauthorized access/disclosure data breaches reported involving 59,224 records. The average breach size was 9,871 records and the median breach size was 5,672 records. 5 loss theft incidents were reported (4 x theft, 1 x loss) involving 12,184 records. The average breach size was 2,437 records and the median breach size was 1,126 records. Finally, there were two improper disposal incidents reported, both of which involving paper/films. In total 1,726 records were exposed as a result of those incidents.

Causes of June 2022 healthcare data breaches

Location of Breached Protected Health Information

The bar graph below shows where the breached information was stored. The high number of network server breaches indicates the extent to which hackers are attacking healthcare organizations. Many of these attacks involved ransomware. Most data breaches reported by healthcare providers do not involve electronic health records, which are separate from other systems. The high number of breaches involving EHRs is due to the ransomware attack on Eye Care Leaders, which provides electronic medical record systems to eye care providers.

Location of breached PHI (June 2022)

Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected HIPAA-covered entity in June, accounting for 55 data breaches of 500 or more records, with 4 data breaches reported by health plans. Business associates of HIPAA-covered entities self-reported 11 data breaches; however, 29 data breaches occurred at business associates but were reported by the affected covered entity rather than the business associate.

Taking this into account, the breakdown of the month’s data breaches by HIPAA-regulated entity type is shown in the chart below.

June 2022 Healthcare Data Breaches - HIPAA-regulated entity type

Geographic Distribution of Breached Entities

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states and the District of Columbia.

State Number of Data Breaches
Washington 5
California, New Jersey, North Carolina, Ohio, South Carolina, Texas, & Virginia 4
Alabama, Missouri, Nebraska, & New York 3
Delaware, Illinois, Kansas, Maryland, Michigan, Pennsylvania, Tennessee, & the District of Columbia. 2
Arizona, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Massachusetts, Mississippi, & Wisconsin 1

HIPAA Enforcement Activity in June 2022

There were no HIPAA enforcement actions announced by the OCR or state attorneys general in June; however, OCR announced this month (July) that a further 12 HIPAA penalties have been imposed, 11 of which were for violations of the HIPAA Right of Access.

The post June 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

FTC Committed to Enforcing Laws Preventing the Illegal Use and Sharing of Location and Sensitive Health Data

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights enforces the HIPAA Rules, which restrict uses and disclosures of healthcare data by HIPAA-covered entities and business associates of those entities. When entities are not covered by HIPAA, privacy violations and illegal uses and disclosures of sensitive consumer data are policed by the Federal Trade Commission (FTC). The FTC recently announced in a blog post that it is fully committed to enforcing the law against illegal uses and sharing of highly sensitive data.

Some of the most sensitive categories of data collected by connected devices are a person’s precise location and information about their health. Currently, those sensitive types of information are collected by fitness trackers, smartphone apps, browsers, and other connected software and devices, and that information is combined with other data and is monetized and sold to third parties, often without the knowledge of the individuals to whom the data relates.

“The conversation about technology tends to focus on benefits. But there is a behind-the-scenes irony that needs to be examined in the open: the extent to which highly personal information that people choose not to disclose even to family, friends, or colleagues is actually shared with complete strangers,” said Kristin Cohen, Acting Associate Director, FTC Division of Privacy & Identity Protection. “These strangers participate in the often shadowy ad tech and data broker ecosystem where companies have a profit motive to share data at an unprecedented scale and granularity.”

Location data is collected by connected devices, even when those devices are not being used. They can provide information about where individuals work, sleep, socialize, worship, and seek medical treatment. “While many consumers may happily offer their location data in exchange for real-time crowd-sourced advice on the fastest route home, they likely think differently about having their thinly-disguised online identity associated with the frequency of their visits to a therapist or cancer doctor,” said Cohen. “The marketplace for this information is opaque and once a company has collected it, consumers often have no idea who has it or what’s being done with it. After it’s collected from a consumer, data enters a vast and intricate sales floor frequented by numerous buyers, sellers, and sharers.”

Since the SCOTUS ruling that overturned Roe v. Wade, these data collection and sharing practices have faced even greater scrutiny due to the potential for the collection and misuse of location data and information related to personal reproductive matters, such as through the use of products that are used for reproductive cycle tracking, monitoring fertility, overseeing contraceptive use, and even for targeting women considering abortion.

In terms of the latter, Cohen explained that this is not just a theoretical risk. In 2017, Copley Advertising, LLC settled a case with the Massachusetts Attorney General over its use of geolocation technology to identify when people passed through a digital fence around a clinic offering abortion services. Those individuals were then served targeted advertisements offering alternatives to abortion. The FTC also recently settled a case with Flo Health over the sharing of the sensitive data of users of its period and fertility tracking app with Google and Facebook, when the company had told users that the information collected by the app would remain private and confidential.

Cohen explained that the misuse of location and any health data exposes consumers to significant harm, and can place consumers at risk of phishing attacks, extortion, physical and emotional injury, discrimination, stigma, mental anguish, and other significant harms. “The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy,” said Cohen. “We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.”

Cohen warned companies that collect sensitive consumer information to be aware that the information is protected under many federal and state laws, including laws enforced by the FTC such as the FTC Act which prohibits unfair and deceptive trade practices. The FTC also enforces the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.

Companies that claim they anonymize or aggregate consumer data should be on guard that such claims could be considered a deceptive trade practice. If found to be untrue, those practices would be in violation of the FTC Act. Cohen said the FTC is cracking down on companies that misuse consumer data and has recently taken action against several companies for using location data without content, improperly collecting and retaining sensitive data, and failing to respect consumer requests to delete sensitive data.

The post FTC Committed to Enforcing Laws Preventing the Illegal Use and Sharing of Location and Sensitive Health Data appeared first on HIPAA Journal.

Oklahoma State University Settles HIPAA Case with OCR for $875,000

Posted by HIPAA Journal

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals.

The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach occurred on November 7, 2017; however, it was later reported that the hackers first had access to the ePHI of patients 20 months earlier on March 9, 2016,

OCR investigators determined OSU-CHS had potentially violated the following provisions of the HIPAA Rules:

  • Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
  • Failure to conduct a comprehensive and accurate organization-wide risk analysis –45 C.F.R. § 164.308(a)(l)(ii)(A)
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. 164.308(a)(8)
  • Failure to implement audit controls – 45 C.F.R. § 164.312(b)
  • A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
  • Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
  • Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408

In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.

The post Oklahoma State University Settles HIPAA Case with OCR for $875,000 appeared first on HIPAA Journal.

Data Brokers and Health Apps Probed Over Privacy Practices

Posted by HIPAA Journal

On Friday, the House Committee on Oversight and Reform announced that a probe has been initiated to determine how data brokers and health app companies are collecting and selling individuals’ personal reproductive health data. The probe was initiated as a result of the SCOTUS decision that overturned Roe v. Wade, as members of the committee were concerned that the personal data of individuals seeking reproductive healthcare services may be misused.

Rep. Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, Rep. Raja Krishnamoorthi, Chairman of the Subcommittee on Economic and Consumer Policy, and Rep. Sara Jacobs, wrote to five data brokers (SafeGraph, Digital Envoy, Placer.ai, Gravy Analytics, Babel Street) and five health app companies (Flo Health, Glow, BioWink, GP International, and Digitalchemy Ventures) requesting documentation on how personal reproductive care information is collected and sold.

Huge amounts of personal data are now being collected and sold, often without the knowledge of individuals. The information is used to serve individuals’ targeted advertisements and for other reasons. There is concern that the collection and sale of this information may put the health, safety, and privacy of Americans and healthcare providers at risk.

“The collection of sensitive data could pose serious threats to those seeking reproductive care as well as to providers of such care, not only by facilitating intrusive government surveillance, but also by putting people at risk of harassment, intimidation, and even violence,” explained the Committee members. “Geographic data collected by mobile phones may be used to locate people seeking care at clinics, and search and chat history referring to clinics or medication create digital breadcrumbs revealing interest in an abortion.”

The Committee Members cited a study published in JMIR – Privacy, Data Sharing, and Data Security Policies of Women’s mHealth Apps: Scoping Review and Content Analysis – which found that 20 of the 23 most popular women’s health apps, which include reproductive health apps, were sharing user data with third parties, even though just 52% of those apps obtained consent from users. The study found that most women’s mHealth apps had poor data privacy, sharing, and security standards.

There is concern that data from health apps, especially period trackers, could be used to identify women who have had abortions. Data brokers are known to sell users’ location data, including the location data of individuals who have visited healthcare clinics that provide abortions. Recently Google announced that it will further improve privacy protections by automatically deleting the location data from Google accounts related to visits to healthcare providers that provide sensitive healthcare services, but Google is not the only company that records location data.

The data brokers and health app providers have been given until July 21, 2022, to respond and provide the requested data.

The post Data Brokers and Health Apps Probed Over Privacy Practices appeared first on HIPAA Journal.

President Biden Signs Executive Order to Protect Access to Reproductive Healthcare Services

Posted by HIPAA Journal

President Biden has signed an executive order that aims to protect access to reproductive healthcare services following the SCOTUS ruling that overturned Roe v. Wade, which gave women the constitutional right to make their own reproductive healthcare decisions almost 50 years ago.

“These deeply private decisions should not be subject to government interference.  Yet today, fundamental rights — to privacy, autonomy, freedom, and equality — have been denied to millions of women across the country,” said President Biden.

The SCOTUS ruling did not ban abortions in the United States, instead, it has been left to individual states to determine the legality of abortions. Several states have already banned or severely restricted abortion care for state residents, which has threatened access to reproductive care for millions of Americans. 16 states have either banned or mostly banned abortions, with those laws taking effect within a month, and further 6 states are expected to introduce bans imminently or in the near future. Clinics that provide abortions in the states that have already introduced bans have been forced to close, which not only prevents access to abortion care, but also other reproductive healthcare services including contraception.

In response to the SCOTUS Ruling, the Federal Government has taken steps to protect reproductive healthcare services. “It remains the policy of my Administration to support women’s right to choose and to protect and defend reproductive rights.  Doing so is essential to justice, equality, and our health, safety, and progress as a Nation,” said President Biden.

The executive order calls for the Secretary of the Department of Health and Human Services to identify potential actions to protect access to reproductive healthcare services. These include protecting and expanding access to abortion care and the full range of reproductive healthcare services, taking actions to enhance family planning services such as access to emergency contraception, and identifying ways to increase outreach and education about access to reproductive healthcare services.

Biden has called for the Secretary of the HHS to provide further guidance on HIPAA and other statutes to better protect sensitive data related to reproductive health care services. The HHS has already issued guidance on how HIPAA applies to disclosures of reproductive healthcare information and guidance for individuals on how they can protect the privacy of their health information. The HHS should also, in conduction with the Attorney General, FTC, and Department of Justice, consider how they can address deceptive or fraudulent practices related to reproductive healthcare services. In conjunction with the Gender Policy Council, the HHS should establish an Interagency Task Force on Reproductive Healthcare Access.

President Biden is concerned that extremist state governors and others may attempt to obtain sensitive data from individuals’ phones, such as if they may be seeking access to abortion care. “Right now, when you use a search engine or the app on your phone, companies collect your data and sell it to other companies. They even share it with law enforcement,” said Biden. Biden has called upon the Chair of the Federal Trade Commission to take steps to better protect the privacy of individuals who seek information about and the provision of reproductive healthcare services.

The Attorney General and the Secretary of Homeland Security have been told to consider actions under current laws that can be taken to ensure the safety of patients, providers, and third parties, and protect the security of clinics (including mobile clinics), pharmacies, and other entities providing, dispensing, or delivering reproductive and related healthcare services.

A fact sheet has been issued by the White House than summarizes the executive order.

The post President Biden Signs Executive Order to Protect Access to Reproductive Healthcare Services appeared first on HIPAA Journal.

Senators Call for HIPAA Privacy Rule Change to Prohibit Disclosures of Reproductive Health Care Information to Law Enforcement

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has recently issued guidance to healthcare organizations following the overturning of Roe v. Wade following the SCOTUS Dobbs v. Jackson Women’s Health Organization ruling, which removed the right to abortion at the federal level and allowed states to set their own laws. The guidance explained how the HIPAA Privacy Rule permits disclosures of protected health information – including reproductive health care information – to law enforcement but does not require such disclosures. OCR explained in the guidance when such disclosures of reproductive health care information would be considered HIPAA violations under the HIPAA Privacy Rule.

Two U.S. senators – Michael F. Bennet (D-Co) and Catherine Cortez Masto (D-NV) – recently wrote to the Secretary of the Department of Health and Human Services, Xavier Becerra, calling for the HHS to go further and make an update to the HIPAA Privacy Rule to ensure that the private and confidential health information of patients seeking reproductive healthcare is better protected.

“The [SCOTUS} decision has created profound uncertainty for patients concerning their right to privacy when making the deeply personal decision to have an abortion,” explained the senators in the letter. “We write to urge the Department of Health and Human Services (HHS) to take immediate steps to protect the privacy of Americans receiving reproductive health care services by updating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.”

The senators pointed out that at the time HIPAA was signed into law in 1996, Roe v. Wade had already upheld the right to abortion for more than two decades, and when the Privacy Rule was added to HIPAA in 2000, it was unthinkable that Roe v. Wade would be overturned two decades later. The senators praised the efforts of the HHS in issuing prompt guidance on the privacy of medical information relating to abortion and other sexual and reproductive health care and also for issuing guidance to consumers on protecting health information on mobile devices but believe that the HHS needs to go further.

“We urge HHS to immediately begin the process to update the Privacy Rule, following all requirements under the Administrative Procedure Act, to clarify who is a covered entity and to limit when that entity can share information on abortion or other reproductive health services,” explained the senators. The senators specifically requested the HHS clarify that reproductive health care information cannot be shared with law enforcement agencies who target individuals who have an abortion, and have requested the HHS rule that Pregnancy Care Centers (aka Crisis Pregnancy Centers) are required to comply with the HIPAA Privacy Rule.

“Following the Supreme Court’s decision in Dobbs, millions of Americans have lost a fundamental constitutional right to make their own health and reproductive decisions. We must do all that we can to protect their fundamental right to privacy,” concluded the senators.

The post Senators Call for HIPAA Privacy Rule Change to Prohibit Disclosures of Reproductive Health Care Information to Law Enforcement appeared first on HIPAA Journal.

Google Announces New Measures to Protect User Privacy on Healthcare Matters

Posted by HIPAA Journal

Google has announced that it will be taking steps to improve privacy protections for users of its services. Google has long advocated for a comprehensive, national privacy law covering consumer data to ensure there is consistency across the entire country, rather than relying on a patchwork of state-level privacy laws. The American Data Privacy and Protection Act that was recently introduced could see national privacy law introduced, but until ADPPA or equivalent consumer data privacy regulations are signed into law, Google said it has taken additional steps to protect user privacy, especially for health-related issues.

Google confirmed that location history is turned off in Google accounts by default, but if users choose to activate location history, they can auto-delete or manually delete parts or all of their location data at any time. However, to further protect privacy, Google has added a new auto-delete feature that will be rolled out in the next few weeks. If Google detects a user has visited certain medical facilities that offer sensitive medical services, the entries will be automatically deleted from the user’s location history soon after the visit.

Those locations include:

  • Abortion clinics
  • Domestic violence shelters
  • Counseling centers
  • Fertility centers
  • Addiction treatment facilities
  • Weight loss clinics
  • Cosmetic surgery centers

On Google Play there are policies that prevent app developers from selling personal and sensitive user data, developers are required to only handle data for purposes directly related to the use of the app, and any data collected must be handled securely. A new data safety section has now been added that developers can use to provide app users with more information about how their apps collect, share, and secure user data.

Users of Google Fit and Fitbit have access to tools that allow them to easily access and control their personal data, including the option to change or delete their tracking data as they see fit. “Fitbit users who have chosen to track their menstrual cycles in the app can currently delete menstruation logs one at a time, and we will be rolling out updates that let users delete multiple logs at once,” explained Google.

Google has also clarified its position regarding law enforcement demands for user data. “We take into account the privacy and security expectations of people using our products, and we notify people when we comply with government demands, unless we’re prohibited from doing so or lives are at stake — such as in an emergency situation,” explained Google in a recent blog post. “We remain committed to protecting our users against improper government demands for data, and we will continue to oppose demands that are overly broad or otherwise legally objectionable.”

The post Google Announces New Measures to Protect User Privacy on Healthcare Matters appeared first on HIPAA Journal.