Healthcare Data Privacy

Senators Question Mental Health App Providers About Privacy and Data Sharing Practices

Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) have written to two leading mental health app providers and demanded answers about their data collection and sharing practices.

There have been multiple reports that the mental health apps provided by Talkspace and BetterHelp are collecting, mining, and disseminating private client information to third parties, including big tech firms such as Google and Facebook. During the COVID-19 pandemic, the use of mental health apps grew rapidly. The apps offered an alternative to traditional face-to-face therapy, with the app developers themselves marketing the apps as a cost-effective alternative to traditional therapy.

While therapists may be required to comply with the Health Insurance Portability and Accountability Act (HIPAA), mental health apps fall into a gray area and are not generally covered under HIPAA, which means that the restrictions on uses and disclosures of protected health information under the HIPAA Privacy Rule do not apply to many mental health apps.

Users of those apps may not understand that any information collected, stored, or transmitted through the apps may be shared with third parties. Consumers may mistakenly believe that HIPAA applies to these apps because if the same data were to be collected by a healthcare provider – a HIPAA-covered entity – the information would be classed as protected health information and the HIPAA Rules would apply. However, most app developers, including mental health app developers, are not HIPAA-covered entities and are generally not even business associates. The developers of those apps should clearly explain in their privacy policies any uses or disclosures of users’ information, but privacy policies are often unclear.

“We have long been concerned about the misuse of personal data by Big Tech companies and unscrupulous data brokers, especially for the purpose of microtargeting vulnerable populations,” explained the Senators in their letter to BetterHelp and Talkspace. “Unfortunately, it appears possible that the policies used by your company and similar mental health platforms allow third-party Big Tech firms and data brokers, who have shown remarkably little interest in protecting vulnerable consumers and users, to access and use highly confidential personal and medical information.”

Earlier this year, researchers at Consumer Reports’ Digital Lab investigated 7 mental health apps, including the apps provided by Talkspace and BetterHelp. Using specially programmed Android devices, the researchers tracked which third-party companies received data from the apps and checked whether privacy settings were on or off by default. The researchers found that the apps behaved like many other consumer apps and shared unique IDs associated with individual smartphones, which big tech companies can use to track what people do across many different apps. When combined with other data, that information can be used to serve users targeted ads.

An investigation in February 2020 found BetterHelp was sharing analytics data with Facebook, which included how many times the app was opened and metadata from every message, including data on how long and where users were accessing mental health services. Former employees of Talkspace claimed that treatment transcripts were viewed as a data resource to be mined, and individual users’ anonymized conversations were routinely reviewed and mined for insights to help the company with research and marketing tactics.

The Senators have raised concerns about the use of anonymized data, as that information could be combined with other data to identify individuals. The Senators referred to a 2019 study that found anonymized data that included only a zip code, gender, and date of birth would allow an individual to be identified in 81% of cases.

The senators have asked both companies questions about the types of data collected, the extent of data sharing with third parties, the methods used to protect clients’ information, and how potential clients and current users are informed about the privacy policies and the risks associated with sharing data. The companies have been given until July 6, 2022, to respond.

The post Senators Question Mental Health App Providers About Privacy and Data Sharing Practices appeared first on HIPAA Journal.

OCR Issues Guidance for Providers and Individuals Following Supreme Court Decision on Roe v. Wade

President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra recently called on HHS agencies to take action to protect access to sexual and reproductive health care, which includes abortion, pregnancy complications, and other related care, following the decision of the Supreme Court in Dobbs vs. Jackson Women’s Health Organization. The Supreme Court overruled Roe v. Wade and Planned Parenthood v. Casey and took away the right of women to have a safe and legal abortion.

Yesterday, the HHS Office for Civil Rights (OCR) issued new guidance for healthcare providers and patients seeking access to reproductive health care services to ensure patient privacy is protected. The guidance explains that the federal Health Insurance Portability and Accountability Act (HIPAA) requires that individuals’ private medical information, which includes information about abortion and other sexual and reproductive health care, be kept private and confidential. That information is classed as protected health information (PHI) under HIPAA, and healthcare providers are not required to disclose PHI to third parties.

The guidance also explains the extent to which private medical information is protected on personal cell phones and tablets and includes advice for protecting individuals’ privacy when using period trackers and other health information apps. Concern has been raised by women that health apps on smartphones, such as period trackers, threaten privacy as they disclose geolocation data. That information could potentially be abused by individuals seeking to deny them access to medical care.

“How you access health care should not make you a target for discrimination,” explained HHS Secretary Xavier Becerra. “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information.” Becerra is encouraging anyone who believes their privacy rights have been violated to file a complaint with OCR and explained that protecting access to health care, which includes abortion care and other forms of sexual and reproductive health care, is now an enforcement priority for OCR.

The guidance for healthcare providers explains that the HIPAA Privacy Rule allows HIPAA-covered entities, which includes healthcare providers, to disclose an individual’s PHI without obtaining authorization from that individual for the purposes of healthcare, payment, and healthcare operations, but other disclosures – to law enforcement officials for example – are only permitted in narrow circumstances, tailored to protect the individual’s privacy and support their access to health care, which includes abortion care. HIPAA-covered entities and their business associates are reminded that they can use and disclose PHI without an individual’s signed authorization, but only for reasons expressly permitted or required by the Privacy Rule. The guidance also explains the restrictions on disclosures of PHI under the HIPAA Privacy Rule when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.

Separate guidance has been issued for individuals about protecting the privacy and security of their health information when using their personal cell phones or tablets. It is important for individuals to understand that most health apps, including period trackers, are not covered by the HIPAA Privacy or Security Rules. That means any personal healthcare data entered, collected, or transmitted by those apps, or stored on smartphones or tablets, is not protected by HIPAA, and HIPAA places no restrictions on disclosures of that information.

The guidance explains best practices to adopt when using these health apps that will decrease the personal information collected by the apps and limit the potential for disclosures of personal information – including geolocation data – without the individual’s knowledge. The guidance explains how to turn off the location services on Apple and Android devices, and offers advice on selecting apps, browsers, and search engines that prioritize privacy and security.

Information on individuals’ rights to reproductive healthcare is available here.

American Data Privacy and Protection Act Establishes GDPR-like Federal Data Privacy and Protection Standards

Earlier this month, a draft bipartisan bicameral bill was introduced that seeks federal data privacy and protection regulations, which would replace the current patchwork of data privacy laws in different U.S. states.

The American Data Privacy and Protection Act (ADPPA) was introduced by Energy and Commerce Committee Chair Frank Pallone (D-NJ), Ranking Member Cathy McMorris Rodgers (R-WA), and Ranking Member of the Senate Committee on Commerce, Science, and Transportation, Senator Roger Wicker (R-MS), and advanced out of a subcommittee on June 23 with a unanimous vote.

In a statement, Pallone, Rodgers, Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL), and Subcommittee Ranking Member Gus Bilirakis (R-FL) said the markup of the bill is “another major step in putting people back in control of their data and strengthening our nation’s privacy and data security protections.”

GDPR-Like Federal Data Privacy and Protection Regulations

“This bill will protect consumers’ data privacy, digital security, and our kids online. The bipartisan comprehensive privacy bill will provide regulatory certainty for the business community, end discriminatory use of Americans’ data, promote innovation and protect small businesses, and hold companies to high standards of data security,” said Representatives Schakowsky and Bilirakis. “Consumers across the nation have longed for and deserve strong privacy protections in the digital world that we all increasingly inhabit. This legislation provides those protections.”

The ADPPA shares many provisions with state-level data privacy and protection laws, including the California Consumer Privacy Act (CCPA), would generally preempt such state privacy laws, and is, in many respects, equivalent to the EU’s General Data Protection Regulation (GDPR).

ADPPA-covered entities are any individuals or entities that collect, process, or transfer covered data and are subject to the jurisdiction of the Federal Trade Commission (FTC), are common carriers subject to the Communications Act of 1934, or are not organized to carry on business for their own profit or that of their members. That means that in contrast to state laws such as the CCPA, the bill applies to nonprofits and many small businesses. Government entities are exempt.

The ADPPA applies to “covered data,” which is “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual and may include derived data and unique identifiers.” The ADPPA will not apply to de-identified data, employee data, and publicly available information.

Requirements of the ADPPA

ADPPA-covered entities would be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect covered data against unauthorized access and acquisition. Americans will be given rights over their personal data, such as the right to access their personal data that has been collected or processed by an ADPPA-covered entity, correct any errors in the data, have the data deleted, restrict certain uses of their data, have their personal data exported in human- and machine-readable format, and obtain an accounting of disclosures. A time frame of 30 or 60 days would be provided for meeting those requests, depending on the size of the covered entity.

The ADPPA also has provisions for “sensitive covered data,” which is defined as “any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatment of an individual.” Affirmative express consent would be required before an ADPPA-covered entity could collect and process sensitive covered data or transfer that information to a third party.

ADPPA-covered entities will be required to minimize the data collected, limits will be placed on the transfer of precise geolocation information, browsing history, and physical activity information collected from a smartphone or wearable device, and the collection, processing, or transferring of biometric information, known nonconsensual intimate images, or genetic information would be prohibited, apart from in limited circumstances.

The bill calls for privacy by design and requires policies and procedures to be implemented related to the collection, processing, and transfer of covered data. ADPPA-covered entities would be required to make public a privacy policy that includes a detailed and accurate representation of the entity’s data collection, processing, and transfer activities. ADPPA-covered entities would be prevented from denying a service or product, conditioning a service or product, or setting the price of a service or a product based on an individual’s agreement to waive any privacy rights.

Implications for Healthcare Organizations

The ADPPA has implications for healthcare organizations and includes several provisions from the Health Insurance Portability and Accountability Act (HIPAA). Healthcare organizations that are compliant with HIPAA (or entities compliant with FERPA, the Gramm-Leach-Bliley Act, and other laws) would be seen to be compliant with the ADPPA, but only with respect to the data covered by those laws. In healthcare, the ADPPA would apply to all covered data that is not regulated by HIPAA including healthcare data collected, processed, or transferred by non-HIPAA-covered entities.

Any covered entity that fails to ensure personal data is kept private and confidential, or does not allow Americans to exercise their rights under the ADPPA, will be held to account, with compliance enforced by the FTC and state attorneys general. The bill also includes a private cause of action that will allow Americans to sue over violations, although this is not due to be implemented until four years after the effective date.

This is not the first attempt at introducing a federal data privacy and protection bill and it is unclear if the bill has sufficient support in its current form.

Meta Sued over the Scraping of Patient Data from Hospital Websites

A lawsuit has been filed against Meta that alleges the social media giant has been knowingly collecting patient data from hospital websites via the Meta Pixel tracking tool, and in doing so has violated the privacy of millions of patients.

The lawsuit was filed in the U.S. Northern District of California and alleges violations of state and federal laws related to the collection of patient data without consent. Last week, a report was released by The Markup/STAT on a study on the 100 top hospitals in the United States which found that one-third used the Meta Pixel tool on their websites. The Meta Pixel tool is a snippet of JavaScript code that is used to track visitor actions on websites, such as the forms they click and the options they select from dropdown menus. When the tool is included on healthcare providers’ websites, there is potential for the tool to transmit protected health information to Meta/Facebook, such as IP address, when a patient has scheduled an appointment and any information selected from menus, such as the medical condition that the appointment is about.

The study identified 7 hospital systems that had installed Meta Pixel on their patient portals behind password protection and the tool was transmitting sensitive data such as patient conditions, which could be tied to the patients through their IP addresses. The study found no evidence that Meta had entered into a business associate agreement with the hospitals, nor that consent to share patient data with Meta was obtained from patients by the hospitals and healthcare systems that used Meta Pixel.

The lawsuit was filed on behalf of patient John Doe, who is a user of Facebook and a patient of Medstar Health System in Maryland. The plaintiff said he uses the patient portal for making appointments, communicating with providers, and reviewing lab test results, and did not consent to information being shared with Meta/Facebook. Medstar Health said all patient data is secured and it does not use any Facebook/Meta technologies on its website. According to the lawsuit, at least 664 healthcare systems in the United States have added the Meta Pixel tool to their websites, which sends sensitive data to Meta.

Meta states on its website that “If Meta’s signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems.” However, the lawsuit claims, “Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook.” The lawsuit alleges the use of the tool on hospital websites without obtaining consent is a violation of the Health Insurance Portability and Accountability Act (HIPAA), as the data is collected without a business associate agreement. It should be noted that Meta/Facebook is not bound by HIPAA Rules; however, the hospitals that use the tool could be in violation of HIPAA for transferring the data without consent.

The lawsuit alleges a breach of the duty of good faith and fair dealing, and violations of federal and state laws, including the federal Electronic Communications Privacy Act and California’s Invasion of Privacy Act and Unfair Competition Law. The lawsuit seeks class action status, compensatory and punitive damages, and attorneys’ fees.

This is not the first lawsuit to be filed against Facebook over the collection of data from hospital websites. The same attorneys had a case against Facebook dismissed in 2018 – Smith et al v. Facebook – over the collection of browsing data from hospital websites. The decision was upheld by the U.S. Court of Appeals for the 9th Circuit, which ruled that the plaintiffs could not sue Facebook as they had agreed to Facebook’s contract terms.

A copy of the lawsuit was obtained by Reclaim the Net and is published here.

May 2022 Healthcare Data Breach Report

May 2022 saw a 25% increase in healthcare data breaches of 500 or more records. 70 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in May 2022, which is the highest monthly total this year and well above the 12-month average of 56.75 data breaches per month. This level of reported data breaches has not been seen since June 2021.

May 2022 Healthcare Data Breaches

Across those data breaches, the records of 4,410,538 individuals were exposed, stolen, or impermissibly disclosed, which is more than twice the number of records that were breached in April, and almost 40% higher than the average number of records breached each month over the past 12 months.

Breached healthcare records in the past 12 months (May 2022)

Largest Healthcare Data Breaches Reported in May 2022

In May 2022, there were 31 reports of healthcare data breaches that involved the records of more than 10,000 individuals. The largest breach to be reported affected the HIPAA business associate, Shields Health Care Group, which provides MRI and other imaging services in New England. The exact nature of the attack was not disclosed, but Shields said hackers accessed its network and exfiltrated files containing patient data. The breach affected 2 million patients who received medical services at 52 facilities in New England.

Partnership HealthPlan of California also reported a major data breach, in this case, a ransomware attack. Hackers gained access to systems containing the records of 854,913 current and former health plan members. The Hive ransomware gang claimed responsibility for the attack and allegedly stole 400GB of data.

The number of eye care providers affected by a hacking incident at the electronic health record vendor Eye Care Leaders continued to grow throughout May (and June). While they are not all reflected in the May data, as of June 21, at least 23 eye care providers are known to have been affected, and the data breach has affected at least 2,187,383 patients.

Data Breaches of over 10,000 Records Reported in May 2022

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Business Associate Breach | Cause of Data Breach |
|---|---|---|---|---|---|---|
| Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking/IT Incident | Yes | Hacking and data theft incident |
| Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking/IT Incident | No | Ransomware attack |
| SAC Health System | CA | Healthcare Provider | 149,940 | Theft | No | Theft of documents in break-in at storage facility |
| Aon PLC | IL | Business Associate | 119,636 | Hacking/IT Incident | Yes | Hacking and data theft incident |
| Parker-Hannifin Corporation Group Health Plans | OH | Health Plan | 119,513 | Hacking/IT Incident | No | Hacking and data theft incident |
| Heidell, Pittoni, Murphy & Bach, LLP | NY | Business Associate | 114,979 | Hacking/IT Incident | Yes | Ransomware attack |
| Schneck Medical Center | IN | Healthcare Provider | 92,311 | Hacking/IT Incident | No | Hacking and data theft incident |
| Alameda Health System | CA | Healthcare Provider | 90,000 | Hacking/IT Incident | No | Unauthorized access to email accounts |
| Val Verde Regional Medical Center | TX | Healthcare Provider | 86,562 | Hacking/IT Incident | No | Ransomware attack |
| NuLife Med, LLC | NH | Healthcare Provider | 81,244 | Hacking/IT Incident | No | Hacking and data theft incident |
| Comstar, LLC | MA | Business Associate | 68,957 | Hacking/IT Incident | Yes | Unspecified hacking incident |
| Shoreline Eye Group | CT | Healthcare Provider | 57,047 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident |
| AU Health | GA | Healthcare Provider | 50,631 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident |
| Finkelstein Eye Associates | IL | Healthcare Provider | 48,587 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident |
| Oklahoma City Indian Clinic | OK | Healthcare Provider | 38,239 | Hacking/IT Incident | No | Ransomware attack |
| Moyes Eye Center, PC | MO | Healthcare Provider | 38,000 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident |
| Family Health Care, Inc | KS | Healthcare Provider | 33,619 | Hacking/IT Incident | No | Unspecified hacking incident |
| Allwell Behavioral Health Services | OH | Healthcare Provider | 29,972 | Hacking/IT Incident | No | Hacking and data theft incident |
| Creative Hospice Care, Inc. dba Homestead Hospice & Palliative Care | GA | Healthcare Provider | 28,332 | Hacking/IT Incident | No | Unauthorized access to email accounts |
| FPS Medical Center | AZ | Healthcare Provider | 28,024 | Hacking/IT Incident | No | Ransomware attack |
| Capsule | NY | Healthcare Provider | 27,486 | Hacking/IT Incident | No | Unauthorized access to user accounts |
| McKenzie Health System | MI | Healthcare Provider | 25,318 | Hacking/IT Incident | No | Hacking and data theft incident |
| Sylvester Eye Care | OK | Healthcare Provider | 19,377 | Hacking/IT Incident | Yes | Eye Care Leaders hacking incident |
| Aesto, LLC d/b/a Aesto Health | AL | Business Associate | 17,400 | Hacking/IT Incident | Yes | Hacking and data theft incident |
| Vail Health Services | CO | Healthcare Provider | 17,039 | Hacking/IT Incident | No | Ransomware attack |
| Motion Picture Industry Health Plan | CA | Health Plan | 16,838 | Unauthorized Access/Disclosure | No | Mismailing incident |
| Bryan County Ambulance Authority | OK | Healthcare Provider | 14,273 | Hacking/IT Incident | No | Ransomware attack |
| Associated Ophthalmologists of Kansas City, P.C. | MO | Healthcare Provider | 13,461 | Hacking/IT Incident | No | Eye Care Leaders hacking incident |
| Allaire Healthcare Group | NJ | Healthcare Provider | 13,148 | Hacking/IT Incident | No | Unauthorized access to user accounts |
| EmblemHealth Plan, Inc. | NY | Health Plan | 11,399 | Unauthorized Access/Disclosure | No | Unconfirmed |
| Behavioral Health Partners of Metrowest, LLC | MA | Business Associate | 11,288 | Hacking/IT Incident | Yes | Hacking and data theft incident |

Causes of May 2022 Healthcare Data Breaches

Hacking incidents continue to be reported in high numbers in May, with 53 (75.7%) of the month’s data breaches classed as hacking or other IT incidents. That represents a 77% increase in incidents compared to April. Those incidents accounted for 95.5% of the records breached in May (4,212,721 records), which is more than twice the number of records exposed in hacking incidents in April. The average breach size was 79,485 records and the median breach size was 13,148 records.

There were 13 unauthorized access/disclosure incidents reported in May – a slight increase from April. Across those incidents, 43,807 records were impermissibly disclosed. The average breach size was 3,370 records and the median breach size was 1,196 records.

There were three theft incidents reported and one incident involving the loss of paper/films. These breaches involved a total of 154,010 records, with an average breach size of 35,503 records and a median breach size of 1,771 records.

With so many hacking incidents, it is unsurprising that 31 of the month’s data breaches involved protected health information stored on network servers. The high number of breaches of electronic health records was due to the cyberattack on Eye Care Leaders. As the chart below shows, email account breaches were reported in high numbers in May, with 70% more incidents than in April. While security awareness training for the workforce and multi-factor authentication will not prevent all email data breaches, they can significantly improve protection.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the hardest hit HIPAA-covered entity type in May, with 49 reported breaches. There were 11 data breaches reported by health plans, and business associates of HIPAA-covered entities reported 10 breaches; however, 8 data breaches occurred at business associates but were reported by the covered entity. The data breaches detailed in the chart below reflect where the data breach occurred.

May 2022 Healthcare data breaches by HIPAA-regulated entity

Healthcare providers suffered the highest number of data breaches, but business associates topped the list in terms of the number of exposed healthcare records.

| HIPAA-Regulated Entity | Number of Reported Data Breaches | Total Records Exposed |
|---|---|---|
| Business Associate | 18 | 2,554,789 |
| Health Plan | 10 | 1,014,150 |
| Healthcare Provider | 42 | 841,599 |

May 2022 Healthcare Data Breaches by State

Data breaches of 500 or more healthcare records were reported by HIPAA-regulated entities in 29 states. California was the worst affected state with 8 large healthcare data breaches reported, followed by New York with 6 reported breaches.

| State | No. Reported Data Breaches |
|---|---|
| California | 8 |
| New York | 6 |
| Georgia, Missouri & Ohio | 4 |
| Alabama, Illinois, Massachusetts, North Carolina, Oklahoma & Texas | 3 |
| Arizona, Connecticut, Florida, Maryland, Michigan, New Hampshire, Virginia & Washington | 2 |
| Colorado, Indiana, Kansas, Minnesota, Mississippi, Montana, New Jersey, Nevada, Tennessee & Wisconsin | 1 |

HIPAA Enforcement Activity in May 2022

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights or state Attorneys General in May. So far this year, 4 financial penalties totaling $170,000 have been imposed by OCR to resolve HIPAA violations.

Bill Seeks to Ban Data Brokers from Selling Health and Location Data

A new bill has been introduced by Sen. Elizabeth Warren (D-MA) that seeks to ban data brokers from selling the health and location data of Americans. The bill, the Health and Location Data Protection Act, was co-sponsored by Sens. Ron Wyden (D-OR), Chair of the Senate Finance Committee; Patty Murray (D-WA), Chair of the Senate Health, Education, Labor, and Pensions Committee; Sheldon Whitehouse (D-RI); and Bernie Sanders (I-VT), Chair of the Senate Budget Committee.

“Data brokers profit from the location data of millions of people, posing serious risks to Americans everywhere by selling their most private information,” said Senator Warren. “With this extremist Supreme Court poised to overturn Roe v. Wade and states seeking to criminalize essential health care, it is more crucial than ever for Congress to protect consumers’ sensitive data.”

Currently, data brokers are largely unregulated by federal law, yet they are collecting highly sensitive data from Americans, including their location. That information is gathered from a huge range of mobile apps and, in many cases, the data is collected without express user consent. That information is then sold for profit to virtually anyone willing to pay the price. That information has been used to circumvent the Fourth Amendment and stalk and harass individuals. In some cases, data brokers have been discovered to be selling cellphone-based location data of people visiting abortion clinics, which has placed the safety of women at risk who are seeking healthcare.

If passed, the Health and Location Data Protection Act will ban data brokers from selling or transferring the location and health data of Americans, reining in giant data brokers and implementing long-overdue rules for this $200 billion industry. The bill calls for the Federal Trade Commission (FTC) to issue rules to implement the new law within 180 days and will empower the FTC, state attorneys general, and injured persons to sue data brokers to enforce the provisions of the law. The bill will also ensure that the FTC is given $1 billion in funding over the next decade so that it can carry out its work and enforce the law. The law will include exceptions for HIPAA-compliant activities, protected First Amendment speech, and validly authorized disclosures.

“When abortion is illegal, researching reproductive health care online, updating a period-tracking app, or bringing a phone to the doctor’s office all could be used to track and prosecute women across the U.S. It amounts to uterus surveillance. Congress must protect Americans’ privacy from abuse by far-right politicians who want to control women’s bodies. I’m proud to work with Senator Warren to introduce the Health and Location Data Protection Act,” said Sen. Wyden.

Study Reveals One Third of Top 100 U.S. Hospitals are Sending Patient Data to Facebook

An analysis of hospitals’ websites has revealed one-third of the top 100 hospitals in the United States are sending patient data to Facebook via a tracker called Meta Pixel, without apparently obtaining consent from patients.

Meta Pixel is a snippet of JavaScript code that is used to track visitor activity on a website. According to Meta, “It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to analyze [the] effectiveness of your website’s conversion funnels.”

Meta Pixel can collect a variety of data, including information about the buttons clicked and the pages visited by clicking those buttons, and the data collected is linked to the individual by their IP address, which identifies the device that the visitor is using. That information is then automatically sent to Facebook. On a hospital website, the tracker could collect a user’s IP address and link it to sensitive information, such as if that individual had clicked to make an appointment.

The analysis was conducted by The Markup and the report was co-published by STAT. The Markup found Meta Pixel tracking on a third of hospitals’ appointment scheduling pages. In one example – University Hospitals Cleveland Medical Center – the researchers found that when a visitor clicked the ‘Schedule Online’ button on a doctor’s page, Meta Pixel sent the text of the button to Meta, along with the doctor’s name and the search term, which for that visitor was pregnancy termination. Several other websites behaved similarly, sending the selections made from dropdown menus, which revealed the patient’s condition – Alzheimer’s disease, for example.
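The kind of transfer described above can be checked for from the hospital's side by inspecting the requests a page makes. The following Node.js audit is an added example, not code from The Markup's study or from Meta: it takes tracker requests captured from a site (for instance exported from a HAR file) and flags Pixel calls that fire on appointment or portal pages or that carry clinical terms. The host names, the sample requests, and the query parameter names (ev, cd[...]) are assumptions used for illustration.

```javascript
// Added example, not from The Markup's study or Meta's documentation: audit
// tracker requests captured from a hospital site (e.g. exported from a HAR
// file) and flag Pixel calls that fire on appointment or portal pages or that
// carry clinical terms. Hosts, sample requests and the query parameter names
// (ev, cd[...]) are assumptions for illustration.
const TRACKER_HOSTS = new Set(['www.facebook.com', 'connect.facebook.net']);
const SENSITIVE_PATHS = [/appoint/i, /schedul/i, /portal/i, /login/i];
const SENSITIVE_TERMS = [/schedul/i, /pregnan/i, /terminat/i, /alzheimer/i, /medication/i, /allerg/i];

function auditTrackerRequests(requests) {
  const findings = [];
  for (const { pageUrl, requestUrl } of requests) {
    const req = new URL(requestUrl);
    if (!TRACKER_HOSTS.has(req.hostname)) continue; // first-party or unrelated host
    const page = new URL(pageUrl);
    const sensitivePage = SENSITIVE_PATHS.some((re) => re.test(page.pathname));
    // Every query value the pixel sends is checked for clinical or booking terms,
    // which is where button text, search terms and dropdown selections end up.
    const leaked = [];
    for (const [key, value] of req.searchParams) {
      if (SENSITIVE_TERMS.some((re) => re.test(value))) leaked.push(`${key}=${value}`);
    }
    if (sensitivePage || leaked.length > 0) {
      findings.push({ page: page.pathname, host: req.hostname, event: req.searchParams.get('ev'), sensitivePage, leaked });
    }
  }
  return findings;
}

// Constructed sample: a pixel call from a doctor search page carrying the
// button text and search term, a PageView inside a patient portal, a PageView
// on the home page, and a first-party API call that is ignored.
const SAMPLE_REQUESTS = [
  { pageUrl: 'https://hospital.example/find-a-doctor?q=pregnancy+termination',
    requestUrl: 'https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=SubscribedButtonClick'
      + '&cd[buttonText]=Schedule%20Online&cd[searchTerm]=pregnancy%20termination' },
  { pageUrl: 'https://hospital.example/patient-portal/messages',
    requestUrl: 'https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView' },
  { pageUrl: 'https://hospital.example/',
    requestUrl: 'https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView' },
  { pageUrl: 'https://hospital.example/appointments/new',
    requestUrl: 'https://hospital.example/api/slots' },
];

for (const f of auditTrackerRequests(SAMPLE_REQUESTS)) {
  console.log(`${f.host} ${f.event} on ${f.page}: sensitivePage=${f.sensitivePage} leaked=${JSON.stringify(f.leaked)}`);
}
```

The home-page PageView produces no finding, which is the point: the problem is not the tracker's presence as such but where it fires and what it carries.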

Even more concerning, for 7 hospital systems Meta Pixel was installed inside password-protected patient portals. The researchers found that five of those hospital systems were sending data to Meta about real patients who had volunteered to participate in the Pixel Hunt project, jointly run by The Markup and Mozilla Rally. Participants allowed data about the sites they visited to be sent to The Markup, which revealed that the data sent to Meta included patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.

The Markup said there did not appear to be any business associate agreements between the hospitals and Meta that would allow the data sharing under the HIPAA Rules, and express consent from patients authorizing the sharing of data with Meta did not appear to have been obtained, suggesting potential HIPAA violations.

The 7 health systems were Community Health Network, Edward-Elmhurst Health, FastMed, Novant Health, Piedmont, Renown Health, and WakeMed. By the time the report was published, all but FastMed and Renown Health had removed the Meta Pixel after being informed about the data transfer by The Markup, as had 6 of the 33 hospitals identified as having the Meta Pixel on their appointment booking pages.

The Markup said in its report that the 33 hospitals that had Meta Pixel on their appointment pages have collectively reported more than 26 million patient admissions and outpatient visits in 2020, and this study was only limited to the top 100 hospitals. Many others may also be passing data to Facebook through Meta Pixel.

The Markup said it was unable to determine how Meta/Facebook used the data transferred through Meta Pixel, such as for providing targeted adverts. Meta spokesperson, Dale Hogan, issued a statement in response to the findings of the study. “If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems.”

The post Study Reveals One Third of Top 100 U.S. Hospitals are Sending Patient Data to Facebook appeared first on HIPAA Journal.

Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites

A recent study by Source Defense examined the risks associated with the use of third- and fourth-party code on websites and found that all modern, dynamic websites included code that could be targeted by hackers to gain access to sensitive data.

Source Defense explained that websites typically have their own third-party supply chains, with those third parties providing a range of services and functions related to site performance, tracking and analytics, and improving conversion rates to generate more sales.

The inclusion of third- and fourth-party code on websites also introduces security and compliance risks. On the compliance side, tracking code has the potential to violate data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and from a security perspective, the code included on websites may have vulnerabilities that can be exploited by threat actors to gain access to sensitive data, including protected health information.

To explore the risks associated with third- and fourth-party code, Source Defense scanned the top 4,300 websites based on traffic and analyzed their results to identify the scale of the digital supply chain, how many partners are involved on a typical website, whether the inclusion of code by those partners leaves websites exposed to cyberattacks, whether sensitive data is being exposed, and the types of attacks that could be conducted on websites that take advantage of the digital supply chain.

The findings of the analysis are detailed in the report, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties. Source Defense explained that there would be little point in a threat actor compromising a script on a static webpage; however, if scripts were included on webpages that collect sensitive data, threat actors could add malicious code to steal sensitive data. The researchers found that, on average, there were 12 third-party and 3 fourth-party scripts per website on web pages that collected data, such as login pages, account registration pages, and payment collection pages.

They identified six commonly found website features that could be exploited by threat actors: code to retrieve form input (49%), button click listeners (49%), link click listeners (43%), code to modify forms (23%), form submit listeners (22%), and input change listeners (14%). Every modern, dynamic website assessed for the study contained one or more of those features.

An analysis was conducted of between 40 and 50 websites in industries where there is a higher-than-average risk. The researchers found that higher-risk industries such as healthcare had more than the average number of scripts. Healthcare websites had an average of 13 third-party and 5 fourth-party scripts on sensitive pages.

There may be a legitimate reason for including these scripts on the pages but adding that code introduces risk. “For example, a script might allow form fields to be changed or added on the fly to provide website users with a more personalized experience,” explained Source Defense in the report. “However, a threat actor could exploit this capability to add additional fields asking for credentials and personal information, which would then be sent to attacker’s website.”

“This data makes it clear that managing risk inherent in third- and fourth-party scripts is both a very necessary and a very challenging task,” explained the researchers, who recommend assessing websites for third-party code, educating management about the risks, implementing a website client-side security solution, categorizing and consolidating scripts, and finding ways to reduce exposure and compliance risks.
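One way to start the script inventory the researchers recommend, as an added example rather than code from Source Defense: classify each script loaded on a sensitive page as first-, third- or fourth-party from what loaded it, then derive a Content-Security-Policy script-src allowlist from the result. The page URL and the vendor hosts other than connect.facebook.net are constructed for illustration.

```javascript
// Added example, not code from Source Defense or its report: inventory the
// script supply chain of one page and derive a Content-Security-Policy
// script-src allowlist from it. Each record is { url, initiator }: the script
// URL and the URL of the document or script that loaded it, as recoverable
// from a HAR export. The page URL and the vendor hosts other than
// connect.facebook.net are constructed.
function scriptInventory(pageUrl, scripts) {
  const page = new URL(pageUrl);
  const inventory = {
    // Pages that collect data are where an injected script does real harm.
    sensitivePage: /login|register|appoint|pay|checkout/i.test(page.pathname),
    first: [], third: [], fourth: [],
  };
  for (const { url, initiator } of scripts) {
    const host = new URL(url).hostname;
    if (host === page.hostname) {
      inventory.first.push(url);
    } else if (new URL(initiator).hostname === page.hostname) {
      inventory.third.push(url); // included by the site itself
    } else {
      // Pulled in by a third-party script: the site never reviewed this code
      // and cannot see it in its own source.
      inventory.fourth.push(url);
    }
  }
  // Allow only hosts the site deliberately included; fourth-party hosts are
  // left out so they show up as CSP violation reports to review one by one.
  const hosts = [...new Set(inventory.third.map((u) => new URL(u).hostname))];
  inventory.csp = `script-src 'self' ${hosts.join(' ')}`;
  return inventory;
}

// Constructed sample: an appointment page with one first-party script, two
// third-party tags, and a chain of two fourth-party scripts behind one of them.
const SAMPLE_PAGE = 'https://hospital.example/appointments/new';
const SAMPLE_SCRIPTS = [
  { url: 'https://hospital.example/js/app.js', initiator: SAMPLE_PAGE },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', initiator: SAMPLE_PAGE },
  { url: 'https://tag.analytics-vendor.example/tag.js', initiator: SAMPLE_PAGE },
  { url: 'https://cdn.adnet.example/loader.js',
    initiator: 'https://tag.analytics-vendor.example/tag.js' },
  { url: 'https://cdn.adnet.example/forms.js',
    initiator: 'https://cdn.adnet.example/loader.js' },
];

const inv = scriptInventory(SAMPLE_PAGE, SAMPLE_SCRIPTS);
console.log(`sensitive page: ${inv.sensitivePage}; third-party: ${inv.third.length}; fourth-party: ${inv.fourth.length}`);
console.log(inv.csp);
```

Deploying the derived policy in report-only mode first turns every fourth-party load into a violation report, which is the list of scripts to categorize and consolidate.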

The post Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites appeared first on HIPAA Journal.

Verizon Data Breach Investigations Report Reveals 2021 Data Breach Trends

For the past 15 years, Verizon has been publishing annual Data Breach Investigation Reports (DBIR), with this year’s report confirming just how bad the past 12 months have been. Verizon described the past 12 months as representing an unprecedented year in cybersecurity history. “From very well-publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months,” explained Verizon.

The 2022 DBIR was compiled in conjunction with 87 partner organizations using data from 23,896 security incidents, of which 5,212 were confirmed data breaches. Of the security incidents analyzed in the report, 849 occurred in the healthcare sector, and 571 of those resulted in confirmed data breaches.

The report confirms there was a major increase in ransomware attacks in 2021, increasing 13% from the previous year. To add some perspective, the increase is greater than the combined increases over the previous five years. As Verizon points out in the report, ransomware is just a way of taking advantage of access to victims’ networks, but it has proven to be particularly successful at monetizing illegal access to networks and private information. Ransomware was involved in 25% of data breaches in 2021.

The most common vectors in ransomware attacks were the use of stolen credentials, mostly for desktop sharing software, which provided initial access in 40% of attacks. Phishing was the second most common vector in attacks, providing initial access in 35% of ransomware attacks followed by the exploitation of vulnerabilities in web applications and direct installs. The high percentage of attacks involving remote desktop software and email highlights the importance of locking down RDP and securing email.

The increase in ransomware attacks is alarming, as is the number of supply chain attacks, which account for 62% of system intrusions. Supply chain attacks may be conducted by financially motivated cyber actors, but oftentimes they are used by nation-state actors to gain persistent access to systems for espionage purposes.

Protecting against cyberattacks requires addressing the four main avenues through which initial access to networks is gained: credentials, phishing, exploitation of vulnerabilities, and botnets. While insiders can and do cause data breaches, by far the main cause is external actors: breaches due to external actors outnumber insider breaches by four to one. While external attacks are much more likely, the median number of records involved in insider breaches is far higher.

Human error continues to play a large part in data breaches. Misconfigurations, mostly of cloud storage, were involved in 13% of breaches, and 82% of all data breaches analyzed in the past 12 months involved a human element. Social engineering attacks were behind 25% of all breaches in 2021, highlighting the importance not only of implementing advanced email defenses but also of providing regular security awareness training to the workforce.

The top three attack methods were the same as last year, albeit changing position. System intrusions took the top spot, followed by web application attacks, and social engineering. In healthcare, the leading causes of data breaches were web application attacks, miscellaneous errors, and system intrusions, which accounted for 76% of all data breaches.

Verizon reports that while insiders have long been a leading cause of data breaches in healthcare, the increase in web application attacks has meant external threats have overtaken insiders. Healthcare employees caused 39% of breaches in 2021, which is considerably higher than the 18% across all other industry sectors. While there will always be malicious insiders in healthcare, employees are 2.5 times more likely to make an error than to maliciously abuse their access to data, with misdelivery and loss the most common errors made in healthcare.

Figure: Healthcare data breach trends. Patterns in healthcare data breaches. Source: Verizon DBIR 2022

The post Verizon Data Breach Investigations Report Reveals 2021 Data Breach Trends appeared first on HIPAA Journal.