Healthcare Data Privacy

April 2022 Healthcare Data Breach Report

After four successive months of declining numbers of data breaches, there was a 30.2% increase in reported data breaches. In April 2022, 56 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Healthcare data breaches in the past 12 months (April 2022)

While the number of reported breaches increased month-over-month, the number of healthcare records that were exposed or impermissibly disclosed decreased by 30% to 2,160,194 – the lowest monthly number since October 2021. The average breach size in April 2022 was 38,575 records, and the median breach size was 6,546 records.

Breached healthcare records in the past 12 months (April 2022)

Largest Healthcare Data Breaches in April 2022

22 healthcare data breaches were reported in April 2022 that affected 10,000 or more individuals. The worst breach was a hacking incident reported by Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other healthcare companies. More than half a million individuals were affected. The Arkansas healthcare provider ARcare suffered a malware attack that disrupted its systems and potentially allowed hackers to access the records of 345,353 individuals. Refuah Health Center reported a hacking and data theft incident in April, which had occurred almost a year previously in May 2021 and affected up to 260,740 patients.

Illinois Gastroenterology Group, PLLC reported a hacking incident where the attackers had access to the records of 227,943 individuals, and Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown were affected by a data breach at the cloud-EHR vendor Eye Care Leaders (ECL), which exposed the records of 194,035 individuals. The ECL cyberattack saw the attackers delete databases and system configuration files of one of its cloud services. The cyberattack affected close to a dozen eye care providers and resulted in the exposure of more than 342,000 records.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | Hacking incident with potential data theft |
| ARcare | AR | Healthcare Provider | 345,353 | Malware infection |
| Refuah Health Center | NY | Healthcare Provider | 260,740 | Hacking incident and data theft incident |
| Illinois Gastroenterology Group, PLLC | IL | Healthcare Provider | 227,943 | Hacking incident with potential data theft |
| Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown | WV | Healthcare Provider | 194,035 | Hacking incident at EHR provider |
| Healthplex, Inc. | NY | Health Plan | 89,955 | Email account breach |
| Optima Dermatology Holdings, LLC | NH | Healthcare Provider | 59,872 | Unspecified email incident |
| SUMMIT EYE ASSOCIATES P.C. | TN | Healthcare Provider | 53,818 | Hacking incident at EHR provider |
| Newman Regional Health | KS | Healthcare Provider | 52,224 | Email account breach |
| WellStar Health System, Inc. | GA | Healthcare Provider | 30,417 | WellStar Health System |
| Central Vermont Eye Care | VT | Healthcare Provider | 30,000 | Unspecified hacking incident |
| Frank Eye Center, P.A. | KS | Healthcare Provider | 26,333 | Hacking incident at EHR provider |
| New Creation Counseling Center | OH | Healthcare Provider | 24,029 | Ransomware attack |
| Georgia Pines CSB | GA | Healthcare Provider | 24,000 | Theft of laptop computers |
| The Guidance Center, Inc. | AZ | Healthcare Provider | 23,104 | Email account breach |
| Allied Eye Physicians and Surgeons, Inc. | OH | Healthcare Provider | 20,651 | Hacking incident at EHR provider |
| King County Public Hospital District No. 2 d/b/a EvergreenHealth | WA | Healthcare Provider | 20,533 | Hacking incident at EHR provider |
| Onehome Health Solutions | FL | Healthcare Provider | 15,401 | Theft of laptop computers |
| Southern Ohio Medical Center | OH | Healthcare Provider | 15,136 | Hacking incident with potential data theft |
| Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin | NE | Healthcare Provider | 14,984 | Hacking incident at EHR provider |
| Pediatric Associates, P.C. | VA | Healthcare Provider | 13,000 | Hacking incident at EHR provider |
| Fairfield County Implants and Periodontics, LLC | CT | Healthcare Provider | 10,502 | Email account breach |

Causes of April 2022 Healthcare Data Breaches

Hacking and IT incidents accounted for 73.2% of the healthcare data breaches reported in April 2022 and 97.1% of the month’s breached healthcare records. 2,098,390 individuals were affected by those hacking incidents and may have had their protected health information stolen. The average breach size was 51,180 records and the median breach size was 9,969 records. 16 of the hacking incidents involved unauthorized individuals gaining access to employee email accounts, and there were 7 breaches of electronic health records, due to the hacking incident at the EHR vendor Eye Care Leaders.

Causes of April 2022 Healthcare Data Breaches

The remaining breaches were reported as unauthorized access/disclosure incidents and involved a total of 20,391 records. The average breach size was 1,854 records and the median breach size was 820 records. There were two theft incidents reported involving laptop computers and one loss incident involving an ‘other portable electronic device’. Across the three loss/theft incidents, the records of 40,298 individuals were potentially compromised. All three breaches could have been prevented if the data had been encrypted. There was also one improper disposal incident reported, involving 1,115 paper records.

Location of breached protected health information (April 2022)

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected type of HIPAA-covered entity, with 39 reporting breaches in April. 7 data breaches were reported by health plans, and 10 data breaches were reported by business associates. However, a further 17 data breaches occurred at business associates but were reported by the respective covered entity. The chart below shows the month’s data breaches adjusted to reflect where the breaches occurred.

Healthcare Data Breaches by Covered Entity Type (April 2022)

Healthcare Data Breaches by State

In April 2022, HIPAA-regulated entities in 26 states reported breaches. New York and Ohio were the worst affected states in April, with 7 and 6 data breaches reported respectively.

| State | Number of Data Breaches |
|---|---|
| New York | 7 |
| Ohio | 6 |
| California | 4 |
| Arizona, Georgia, Kansas, Michigan, Tennessee, & Virginia | 3 |
| Florida, Maryland, North Carolina & New Hampshire | 2 |
| Alabama, Arkansas, Colorado, Connecticut, Illinois, Nebraska, North Dakota, Pennsylvania, South Carolina, Utah, Vermont, Washington & West Virginia | 1 |

HIPAA Enforcement Activity in April 2022

There were no HIPAA enforcement activities announced by the HHS’ Office for Civil Rights or State Attorneys General in April 2022. So far this year, 4 financial penalties have been imposed to resolve HIPAA violations.

The post April 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

HC3 Highlights Trends in Ransomware Attacks on the HPH Sector

The tactics, techniques, and procedures (TTPs) used by ransomware and other cyber threat actors are constantly evolving to evade detection and allow the groups to conduct more successful attacks. The TTPs employed in the first quarter of 2022 by ransomware gangs have been analyzed and shared by the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3).

In Q1 2022, the majority of ransomware attacks on the Healthcare and Public Health (HPH) sector were conducted by five ransomware-as-a-service groups. LockBit 2.0 and Conti each accounted for 31% of attacks, followed by SunCrypt (16%), ALPHV/BlackCat (11%), and Hive (11%). The financially motivated threat groups FIN7 and FIN12 have also shifted their activities and moved into ransomware operations, with FIN7 working with ALPHV and FIN12 extensively involved in attacks on the HPH sector. FIN12’s involvement has shortened the time taken to conduct attacks from 5 days to 2 days.

Ransomware gangs often work with initial access brokers (IABs) that specialize in gaining access to organizations’ networks and then sell that access to the ransomware gangs. The use of IABs lets ransomware gangs concentrate on developing their ransomware variants and running their RaaS operations, which allows them to refine their TTPs and conduct more successful attacks. HC3 has not observed any change in the number of IABs working with ransomware gangs in Q1 2022, with numbers similar to those observed throughout 2022.

IABs were most commonly observed advertising general VPN/RDP access to the networks of HPH entities on cybercrime forums, which accounted for more than half of forum adverts, and around 25% of advertisements were offering compromised Citrix/VPN appliances. Remote access solutions were extensively implemented by organizations to support a remote workforce during the COVID-19 pandemic, but the rush to deploy meant basic security features were not implemented, and vulnerabilities have been extensively exploited.

Ransomware gangs are increasingly using living-off-the-land (LOTL) techniques in their attacks, utilizing legitimate tools that are already available in the environments of large organizations, such as CMD.exe, PowerShell, Task Scheduler, MSHTA, and Sysinternals. The use of these tools makes the malicious activities of the gangs harder to detect.

Tactics include the use of remote access tools such as AnyDesk, Windows Safe Mode, Atera, ScreenConnect, ManageEngine, encryption tools such as BitLocker and DiskCryptor, file transfer tools including FileZilla FTP, Microsoft Sysinternals tools such as PsExec, Procdump, and Dumpert, and open-source tools such as Cobalt Strike, Mimikatz, AdFind, Process Hacker, and MegaSync.

While the malicious use of these tools is difficult for security teams to detect, there are detection opportunities. HC3 recommends a behavior-based approach to detection, such as a Security Information and Event Management (SIEM) tool, which can detect malicious use of LOTL tools that signature-based detection tools cannot.
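The behavior-based approach HC3 recommends can be illustrated with a small triage routine over process-creation events. This is an added example, not code from HC3 or HIPAA Journal; the event fields, hostnames, users, paths and tool lists are constructed for it, and it flags first-seen dual-use tools per host plus a few parent/child and command-line patterns for the LOTL tools the report names.

```python
"""Behavior-based triage of process-creation events for LOTL tool abuse.

Added example (not from the HC3 report): it applies SIEM-style correlation to a
handful of constructed Sysmon-like process-creation records.  Hostnames, users,
paths and the tool lists below are made up for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Tools named in the HC3 summary (illustrative list, not exhaustive). Dual-use
# tools are legitimate admin/RMM/dump utilities whose first appearance on a host
# is worth a look; script hosts are the LOTL interpreters whose parent process
# tells you whether the use is normal.
DUAL_USE = {"psexec.exe", "psexesvc.exe", "procdump.exe", "anydesk.exe",
            "atera.exe", "screenconnect.clientservice.exe", "megasync.exe",
            "filezilla.exe", "diskcryptor.exe", "adfind.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "schtasks.exe"}
# Parents that should not normally be launching a shell or script host.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe",
                      "wscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent_image: str   # path or basename of the parent executable
    image: str          # path or basename of the new process
    command_line: str


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _base(name: str) -> str:
    """Lower-cased basename of a Windows path."""
    return name.rsplit("\\", 1)[-1].lower()


def build_baseline(history: Iterable[ProcEvent]) -> dict[str, set[str]]:
    """Record which dual-use tools each host ran during the baseline window."""
    seen: dict[str, set[str]] = {}
    for ev in history:
        img = _base(ev.image)
        if img in DUAL_USE:
            seen.setdefault(ev.host, set()).add(img)
    return seen


def triage(events: Iterable[ProcEvent], baseline: dict[str, set[str]]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in events:
        img, parent = _base(ev.image), _base(ev.parent_image)
        cmd = ev.command_line.lower()
        # 1. A legitimate admin/RMM tool appearing on a host that never ran it before.
        if img in DUAL_USE and img not in baseline.get(ev.host, set()):
            alerts.append(Alert("new_dual_use_tool", ev.host, f"{img} first seen, user={ev.user}"))
        # 2. Office/mshta/wscript spawning a shell or script host.
        if img in SCRIPT_HOSTS and parent in SUSPICIOUS_PARENTS:
            alerts.append(Alert("script_host_from_suspicious_parent", ev.host, f"{parent} -> {img}"))
        # 3. PowerShell launched with a Base64-encoded command block.
        if img == "powershell.exe" and (" -enc" in cmd or "encodedcommand" in cmd):
            alerts.append(Alert("encoded_powershell", ev.host, ev.command_line))
        # 4. Scheduled task whose action runs from a user-writable location.
        if img == "schtasks.exe" and "/create" in cmd and ("\\temp\\" in cmd or "\\appdata\\" in cmd):
            alerts.append(Alert("schtask_from_user_path", ev.host, ev.command_line))
    return alerts


def summarize(alerts: Iterable[Alert]) -> dict[str, int]:
    """Alert counts per rule, handy for a SIEM dashboard tile."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


# Constructed 30-day baseline: the patch server already uses PsExec routinely.
HISTORY = [
    ProcEvent("SRV-PATCH01", "CORP\\svc_patch", "services.exe", "C:\\Tools\\PsExec.exe",
              "psexec.exe \\\\SRV-FILE01 -s msiexec /i patch.msi"),
    ProcEvent("SRV-FILE01", "NT AUTHORITY\\SYSTEM", "services.exe", "C:\\Windows\\PSEXESVC.exe", "PSEXESVC.exe"),
]

# Constructed events for the day under review (the first one is benign, baseline-consistent).
TODAY = [
    ProcEvent("SRV-PATCH01", "CORP\\svc_patch", "services.exe", "C:\\Tools\\PsExec.exe",
              "psexec.exe \\\\SRV-FILE01 -s msiexec /i patch.msi"),
    ProcEvent("WS-RECEPTION7", "CORP\\jdoe", "WINWORD.EXE", "C:\\Windows\\System32\\mshta.exe",
              "mshta.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.hta"),
    ProcEvent("WS-RECEPTION7", "CORP\\jdoe", "mshta.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -nop -w hidden -EncodedCommand QUJDRA=="),  # placeholder Base64
    ProcEvent("WS-RECEPTION7", "CORP\\jdoe", "powershell.exe", "C:\\Windows\\System32\\schtasks.exe",
              "schtasks.exe /create /tn Updater /tr C:\\Users\\jdoe\\AppData\\Local\\Temp\\u.exe /sc onlogon"),
    ProcEvent("SRV-EHR02", "CORP\\jdoe", "cmd.exe", "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "AnyDesk.exe --silent"),
]


def run_example() -> list[Alert]:
    return triage(TODAY, build_baseline(HISTORY))


if __name__ == "__main__":
    for alert in run_example():
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

The routine PsExec use on SRV-PATCH01 produces nothing because it matches the baseline, while the same tool appearing on a new host would; that per-host baseline is what distinguishes behavior-based detection from a static tool blocklist.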

The HC3 Ransomware Trends in the HPH Sector Report provides detailed information on the TTPs employed by each ransomware operation, including the most commonly abused LOTL tools, relevant ATT&CK techniques, and a long list of mitigations that can be implemented to prevent, detect, respond to, and recover from ransomware attacks.

The post HC3 Highlights Trends in Ransomware Attacks on the HPH Sector appeared first on HIPAA Journal.

Connecticut Passes Comprehensive Data Privacy Law

Connecticut has joined California, Colorado, Utah, and Virginia in passing a comprehensive new data privacy law that establishes responsibilities for businesses that collect and process the personal data of state residents and gives consumers new rights. The Connecticut Data Privacy Act (Senate Bill 6) was passed 35-0 by the Senate and 144-5 in the House of Representatives and awaits the signature of the state Governor, Ned Lamont. The new privacy law comes into effect on July 1, 2023.

The new law establishes a framework for controlling and processing the personal data of state residents, sets privacy protection standards for data controllers and data processors, and gives state residents rights over the collection and use of their personal data. Consumers will be given the right to access their personal data held by a company, obtain a copy of that information, and correct any errors. Consumers will also have the right to be forgotten and have their personal data deleted. Consumers can also choose to opt out of the processing of their personal data for targeted advertising, certain sales of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.

The new law closely mirrors the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (CDPA), with the scope of the law falling somewhere between the two. The law will apply to businesses that hold the data of more than 100,000 consumers or those that derive 25% or more of their annual revenue from the sale of data of more than 25,000 consumers, with the protections stronger than those of Virginia and Utah, but falling short of the privacy law in Colorado.

The new law includes a sunset on the right to cure, which is December 31, 2024. That means from July 1, 2023, until December 31, 2024, businesses found to be in violation of the Connecticut Data Privacy Act will have the opportunity to take corrective actions to address the areas of non-compliance and avoid a financial penalty or other sanctions. The removal of the right to cure should encourage businesses to comply with the new law.

Certain entities will be exempted and will not be required to comply with the Connecticut Data Privacy Act: state and local governments, nonprofits, national securities associations registered under the Securities Exchange Act of 1934, financial institutions subject to the Gramm-Leach-Bliley Act, and covered entities and business associates under the Health Insurance Portability and Accountability Act. There are also exceptions for certain data types, such as data regulated by HIPAA, FERPA, the Airline Deregulation Act, Fair Credit Reporting Act, Farm Credit Act, and the Driver’s Privacy Protection Act.

Compliance with the Connecticut Data Privacy Act will be enforced by the Connecticut Attorney General, and a standing working group will be formed to assess emerging topics that the law could be amended to address.

The post Connecticut Passes Comprehensive Data Privacy Law appeared first on HIPAA Journal.

New Framework for Assessing the Privacy, Security, and Safety of Digital Health Technologies

The American College of Physicians (ACP), American Telemedicine Association (ATA), and the Organization for the Review of Care and Health Applications (ORCHA) have collaborated to produce a new framework for assessing the digital health technologies used by healthcare professionals and patients.

Currently, more than 86 million Americans use a health or fitness app. These digital health technologies, which include more than 365,000 individual products, can collect, store, process, and transmit personal and health information that would be classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA); however, the majority of these technologies are not covered by HIPAA and fall outside of other regulations, federal laws, and government guidance. The lack of guidance in this area is hindering the adoption of digital health technologies, which have tremendous potential for improving condition management, clinical risk assessment, and decision support.

The developers of digital health technologies often share user data collected by their products and apps with third parties but do not necessarily disclose their data sharing practices to consumers, and their privacy policies are often far from transparent. The use of these apps and technologies can place user privacy at risk. The technologies may also lack appropriate security controls and could be vulnerable to cyberattacks that expose sensitive user data.

“The Digital Health Assessment Framework is intended to be an open framework, accessible for anyone to use, to support the adoption of high-quality digital health technologies and help healthcare professionals and patients make better-informed decisions about which digital health tools best suit their needs,” said the ATA in a press release.

The framework includes components that healthcare professionals and consumers can use to assess data and privacy, clinical assurance and safety, usability and accessibility, and technical security and stability, and was developed to support U.S. guidelines, regulations, and best practices for digital health practices.

“Digital health technologies can offer safe, effective, and engaging access to personalized health and support, and provide more convenient care, improve patient and provider satisfaction, and achieve better clinical outcomes,” said Ann Mond Johnson, CEO of the ATA. “There are literally hundreds of health apps and devices for patients and clinicians to choose from, and our goal is to provide confidence that the health and wellness tools reviewed in this Framework meet quality, privacy and clinical assurance criteria in the U.S.”

ACP is conducting a pilot study of health apps which will be reviewed against the framework, with the goal of creating an extensive library of acceptable digital health tools. The framework will be regularly updated based on feedback from digital health technology companies, healthcare professionals, consumers, and other stakeholders to reflect changes in clinical practice, and the latest guidelines and best practices.

The post New Framework for Assessing the Privacy, Security, and Safety of Digital Health Technologies appeared first on HIPAA Journal.

NIST Published Updated Cybersecurity Supply Chain Risk Management Guidance

On Thursday, the National Institute of Standards and Technology (NIST) published updated cybersecurity supply chain risk management (C-SCRM) guidance to help organizations develop an effective program for identifying, assessing, and responding to cybersecurity risks throughout the supply chain.

Cyber threat actors are increasingly targeting the supply chain. A successful attack on a single supplier can allow the threat actor to compromise the networks of all companies that use the product or service, as was the case with the REvil ransomware attack on Kaseya in 2021. The threat actors exploited a vulnerability in Kaseya VSA software and the attack affected up to 1,500 businesses.

The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the result of a multiyear process that included the release of two draft versions of the guidance. The updated guidance can be used to identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels of an organization.

While organizations should consider vulnerabilities in the finished product they are considering using, the guidance also encourages them to consider the security of the product’s components, which may include open source code or components developed by third parties. A product or device may have been designed in one country, manufactured in another, and incorporate components from many other countries, which in turn may have been assembled from parts provided by disparate manufacturers. Malicious code may have been incorporated into components, and vulnerabilities may have been introduced that could be exploited by cyber threat actors. The guidance encourages organizations to consider the journey that each of the components took to reach their destination.

The guidance is aimed at acquirers and end users of products, software, and services. Since the guidance is intended to be used by a wide audience, user profiles are included that explain which sections of the guidance are most relevant for each group. “The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services,” explained NIST.

The guidance can be used to build cybersecurity supply chain risk considerations and requirements into acquisition processes and create a program for continuously monitoring and managing supply chain risks.

“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens, one of the authors of the publication. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”

The post NIST Published Updated Cybersecurity Supply Chain Risk Management Guidance appeared first on HIPAA Journal.

HHS Information Security Program Rated ‘Not Effective’

An audit of the Department of Health and Human Services conducted for the HHS’ Office of Inspector General (OIG) to assess compliance with the Federal Information Security Modernization Act of 2014 (FISMA) in the fiscal year 2021 has seen the agency’s security program rated ‘not effective’, as was the case in fiscal years 2018, 2019, and 2020. The audit was conducted at five of the 12 operating divisions of the HHS, although OIG did not state which five divisions were audited.

HHS Information Security Program Maturity Levels. Source: HHS’ OIG

In order to receive an effective rating, the HHS is required to reach the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, Respond, and Recover function areas, as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics.

OIG said in the report that the HHS has continued to make changes to strengthen the maturity of its enterprise-wide cybersecurity program and is making progress to sustain cybersecurity across all FISMA domains. The HHS security program strengthened the maturity of controls for several individual FISMA metrics, although progress in some areas has not been made due to the lack of full implementation of Information Security Continuous Monitoring (ISCM) efforts across its operating divisions. This is critical as reliable data and metrics are required to make informed risk management decisions.

The HHS has partially implemented its Continuous Diagnostics and Mitigation (CDM) strategy, which has improved visibility into some assets, and awareness of vulnerabilities and threat information has improved through the use of RSA Archer and Splunk. Progress has been made toward implementing a full department-wide CDM program to ensure continuous monitoring of HHS networks and systems, provide real-time reporting of operating divisions’ status and progress to address and implement strategies to combat risk, prioritize issues using established risk criteria, and improve its cybersecurity response capabilities.

The HHS has advanced its implementation of CDM tools and processes but does not have a definitive schedule for fully implementing the CDM program across all operating divisions. Until the HHS fully implements its CDM strategy, it may not be possible for the HHS to identify cybersecurity risks on an ongoing basis, prioritize efforts to address risks based on their potential impacts, and mitigate the most significant vulnerabilities first.

OIG has made several recommendations for improving the maturity of the HHS information security program. The HHS should continue with its implementation of an automated CDM solution to provide a centralized, enterprise-wide view of risks across all of HHS. The ISCM strategy needs to be updated to include a more specific roadmap, with target dates specified for ISCM deployment across all HHS operating divisions. An enterprise risk assessment of known control weaknesses should be performed and an appropriate risk response documented, and the HHS needs to develop a process to monitor information system contingency plans to ensure they are developed, maintained, and integrated with the other continuity requirements of its information systems. The HHS concurred with all OIG recommendations.

The post HHS Information Security Program Rated ‘Not Effective’ appeared first on HIPAA Journal.

HHS Warns HPH Sector About Insider Threats in Healthcare

Healthcare data breaches are occurring in record numbers, but not all privacy and security threats come from outside the organization. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has recently issued a warning about the threat from within.

Insider Threats in Healthcare

Nation-state hacking groups, cybercriminal gangs, and lone hackers have long targeted the healthcare industry, but there is also a significant threat of data breaches due to insiders. Insider threats are those involving individuals within a healthcare organization, such as employees, but also contractors and business associates that have been provided with access to healthcare assets and systems. These individuals may be aware of the security practices employed by the organization and have awareness of the network, computer systems, and the location of sensitive data. Oftentimes they will have been provided with access to sensitive data to complete their work or contracted duties.

According to the Verizon 2021 Data Breach Report, there was a decline in external threats between 2017 and 2020 and a corresponding rise in internal threats. Insider threats include healthcare employees who abuse their access rights to steal patient data to commit identity theft and financial fraud, inside agents that steal sensitive data and provide that information to third parties, and disgruntled employees that wish to cause harm to their employers.

Data breaches involving these kinds of insider threats are often covered by the media, and healthcare organizations often commit significant resources to protecting against and identifying them. Monitoring systems are deployed to detect unauthorized accessing of healthcare records and identify employees who have been snooping on patient records or stealing sensitive data; however, the Ponemon Institute’s 2020 Insider Threats Report suggests these incidents account for only a relatively small percentage of insider threat incidents – around 14%.

Other insider threats include negligent and careless workers that act inappropriately and individuals that accidentally put IT systems and data at risk without their knowledge. The Ponemon Institute’s report suggests 61% of insider threat incidents are due to negligent insiders, with credential theft due to negligent insiders accounting for 25% of insider threat incidents.

Negligent insider incidents can be caused by employees not being aware of security policies, which is often a training issue. Employees should be made aware of the organization’s security policies during the onboarding process and should be periodically reminded about those policies thereafter as part of regular security awareness training.

Insider threats often involve data theft, fraud, or system sabotage, all of which can cause harm to the organization and patients/plan members. The Ponemon Institute’s study suggests global organizations lose $11.45 million annually as a result of insider threats.

Insider Threat Prevention, Detection, and Response

“Deterrence, detection analysis, and post-breach forensics are key areas of insider threat prevention,” suggests HC3, which also recommends revising and updating cybersecurity policies and guidelines, limiting privileged access and establishing role-based access control, implementing zero-trust and MFA models, backing up data and deploying data loss prevention tools, and managing USB devices across the corporate network.

Detecting threats requires constant monitoring of user activity and regular audits of access and activity logs. A security information and event management (SIEM) system should be considered to help with the logging, monitoring, and auditing of employee actions.

Insider threat awareness should form a part of security awareness training, which should be provided to employees during onboarding, with refresher training provided periodically thereafter. Employees should only be given access to the resources they need to complete their work duties, and strict password and access management policies and practices should be implemented. A formal insider threat mitigation program should also be developed along with an incident response plan to ensure prompt and effective actions can be taken when insider threats are identified.

You can view the HC3 Insider Threats in Healthcare Report here (PDF).

The post HHS Warns HPH Sector About Insider Threats in Healthcare appeared first on HIPAA Journal.

March 2022 Healthcare Data Breach Report

For the fourth successive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is a 6.52% fall from February and well below the 12-month average of 57.75 data breaches a month.

Healthcare data breaches in the past 12 months (March 2022)

However, there was a 36.94% increase in the number of breached records compared to February. Across the 43 reported breaches, 3,083,988 healthcare records were exposed, stolen, or impermissibly disclosed, which is slightly below the average of 3,424,818 breached records a month over the past 12 months.

Breached healthcare records in the past 12 months (March 2022)

Largest Healthcare Data Breaches in March 2022

In March 2022, there were 25 data breaches reported to OCR that affected 10,000 or more individuals, all but one of which were hacking incidents. The largest data breach of the month affected over half a million patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered an employee email account had been accessed by unauthorized individuals and was used in a business email compromise (BEC) attack to try to divert payment to a third-party vendor. BEC attacks may account for a relatively small percentage of healthcare data breaches, but according to figures from the FBI, they are the biggest cause of losses to cybercrime.

SuperCare Health reported a major breach from July 2021 where hackers accessed its network and potentially stole patient data. Around two weeks after announcing the data breach the first lawsuit against SuperCare Health was filed. There is often a rush to file lawsuits following healthcare data breaches, and it is now common for multiple lawsuits to be filed.

CSI Laboratories reported a cyberattack that was discovered in February. While the nature of the attack was not disclosed, the Conti ransomware gang claimed responsibility for the attack and published a sample of the stolen data on its data leak site to pressure the lab into paying the ransom. Double extortion tactics, where payment is required for the keys to decrypt files and to prevent the publication of stolen data, are now the norm in ransomware attacks.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Cause |
|---|---|---|---|---|
| Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacked email account |
| Super Care, Inc. dba SuperCare Health | CA | Healthcare Provider | 318,379 | Unspecified hacking incident |
| Cytometry Specialists, Inc., d/b/a CSI Laboratories | GA | Healthcare Provider | 312,000 | Ransomware attack (Conti) |
| South Denver Cardiology Associates, PC | CO | Healthcare Provider | 287,652 | Unspecified hacking incident |
| Clinic of North Texas, LLP | TX | Healthcare Provider | 244,174 | Unspecified hacking incident |
| Taylor Regional Hospital | KY | Healthcare Provider | 190,209 | Unspecified hacking incident |
| Chelan Douglas Health District | WA | Healthcare Provider | 188,236 | Unspecified hacking and data theft incident |
| Urgent Team Holdings | TN | Healthcare Provider | 166,601 | Unspecified hacking incident |
| New Jersey Brain and Spine | NJ | Healthcare Provider | 92,453 | Unspecified hacking incident |
| Duncan Regional Hospital, Incorporated | OK | Healthcare Provider | 86,379 | Unspecified hacking incident |
| Labette Health | KS | Healthcare Provider | 85,635 | Unspecified hacking incident |
| Law Enforcement Health Benefits, Inc. | PA | Health Plan | 85,282 | Ransomware attack |
| Central Indiana Orthopedics | IN | Healthcare Provider | 83,705 | Unspecified hacking incident |
| Highmark Inc | PA | Health Plan | 67,147 | Hacking incident at mailing vendor |
| Advanced Medical Practice Management | NJ | Business Associate | 56,427 | Unspecified hacking and data theft incident |
| Charleston Area Medical Center, Inc. | WV | Healthcare Provider | 54,000 | Hacked email accounts (Phishing) |
| Resources for Human Development | PA | Healthcare Provider | 46,673 | Theft of unencrypted hard drive |
| Cancer and Hematology Centers of Western Michigan | MI | Healthcare Provider | 43,071 | Ransomware attack |
| Horizon Actuarial Services, LLC | GA | Business Associate | 38,418 | Unspecified hacking and data theft incident |
| Central Minnesota Mental Health Center | MN | Healthcare Provider | 28,725 | Hacked email accounts |
| Capital Region Medical Center | MO | Healthcare Provider | 17,578 | Unspecified hacking incident |
| Dialyze Direct, LLC | NJ | Healthcare Provider | 14,203 | Hacked email account |
| Major League Baseball Players Benefit Plan | MD | Health Plan | 13,156 | Unspecified hacking and data theft incident at a business associate |
| Colorado Physician Partners, PLLC | CO | Healthcare Provider | 12,877 | Hacked email account |
| Crossroads Health | OH | Healthcare Provider | 10,324 | Unspecified hacking and data theft incident |

Causes of March 2022 Healthcare Data Breaches

The healthcare data breaches reported in March were dominated by hacking/IT incidents, which accounted for 90.7% of all data breaches reported and 98.3% of the breached healthcare records. 3,083,988 individuals were affected by those hacking incidents. The average breach size was 77,766 records and the median breach size was 17,758 records.

Causes of March 2022 healthcare data breaches

While the category “hacking/IT incidents” covers a broad range of causes, 31 of the incidents involved hackers gaining access to network servers where patient data was stored. 10 incidents involved unauthorized individuals gaining access to employee email accounts.

There were just three breaches reported as unauthorized access/disclosure incidents which involved a total of 4,447 records. The average breach size was 1,482 records and the median was 1,682 records. There was only one theft incident reported – a hard drive containing the records of 46,673 individuals was stolen.

Location of breached PHI in March 2022 healthcare data breaches

March 2022 Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states and Puerto Rico reported data breaches in March 2022. New Jersey, Pennsylvania & Texas were the worst affected states with 4 breaches reported in each state.

| State | Number of Reported Data Breaches |
|---|---|
| New Jersey, Pennsylvania & Texas | 4 |
| Colorado, Georgia, Indiana, Kansas, Michigan, Minnesota, Washington, West Virginia, and Puerto Rico | 2 |
| California, Illinois, Kentucky, Maryland, Massachusetts, Missouri, New York, Ohio, Oklahoma, Tennessee, and Utah | 1 |

HIPAA Enforcement Activity in March 2022

There were no HIPAA enforcement actions announced by the HHS’ Office for Civil Rights or state attorneys general in March 2022.

The post March 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95%

Immediate intervention following an instance of unauthorized access to protected health information (PHI) by a healthcare employee is 95% effective at preventing repeat offenses, according to a new study published in JAMA Open Network.

Healthcare data breaches are occurring at record levels, and while large data breaches are often the result of hacking and other IT incidents, insider breaches such as snooping on medical records are common. According to HHS data, in 2019, 92% of combined small and large breaches were tied to unauthorized access.

While many cases of employees snooping on the medical records of VIP patients have been covered in the media, these types of snooping incidents are relatively uncommon. It is much more common for healthcare employees to access the medical records of family members, friends, and colleagues, and those privacy violations can be just as damaging for patients.

All cases of unauthorized access start with an employee accessing a single patient record, but they can easily turn into major data breaches if left unchecked. There have been several cases of healthcare employees accessing the medical records of thousands of patients without authorization over several years when the unauthorized access is not promptly identified and addressed.

A study conducted by Bai, Jiang, and Flasher in 2017 found the risk of data breaches was higher at large academic medical centers than at other hospitals. Around one-quarter of the data breaches were cases of employees accessing patient information without authorization.

The recent study, Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information: A Nonrandomized Controlled Trial, conducted by researchers at Michigan State University, Johns Hopkins, and Nick Culbertson, CEO and Co-founder of the healthcare compliance analytics firm Protenus, investigated the effectiveness of email warnings at preventing repeat offenses by employees.

Between January 1 and July 31, 2018, a system that monitored access to PHI at a large academic medical center flagged unauthorized access to electronic medical records by 444 employees, all of whom were professional medical staff who were not part of the patient’s treatment team and did not have permission to access the record.

A group of 219 employees was randomly selected and received an email warning on the night of their access. The email explained that the individual had been identified as having accessed a patient’s electronic medical record when there was no work-related reason for doing so, and that it was a privacy violation. The remaining 225 employees formed a control group and received no email warning.

In the group that received an email intervention, 4 employees out of 219 went on to access patient information without authorization on a second occasion between 20 and 70 days after the initial unauthorized access. In the control group, 90 out of the 225 employees accessed the protected health information of patients again without authorization between 20 and 70 days after the initial unauthorized access.
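The monitoring approach the study relied on (flag an access whenever the user is not on the patient’s care team, then watch for a second flagged access in the 20–70 day follow-up window) and the arithmetic behind the 95% figure are shown below as an added example. This is not code from the study, from Protenus, or from the HIPAA Journal article; the audit log format, user IDs, patient IDs and care-team table are constructed for illustration, and a real deployment would read the EHR’s own audit trail.

```python
"""Flag non-care-team EHR access and measure repeat offenses (added example).

Constructed data only: the log format, user IDs, patient IDs and the care-team
table are illustrative assumptions, not a real EHR audit schema.
"""
from datetime import datetime, timedelta

# Constructed care-team table: patient -> users with a treatment role for that patient.
CARE_TEAM = {
    "P1001": {"u_nurse01", "u_doc07"},
    "P1002": {"u_doc07"},
}

# Constructed audit log lines in the form timestamp|user|patient|action.
AUDIT_LOG = """\
2018-01-03T09:12:44|u_nurse01|P1001|VIEW_CHART
2018-01-03T09:15:10|u_doc07|P1002|VIEW_CHART
2018-01-03T22:40:02|u_clerk19|P1001|VIEW_CHART
2018-01-04T08:01:31|u_doc07|P1001|VIEW_CHART
2018-01-05T13:22:09|u_clerk19|P1002|VIEW_CHART
2018-02-20T11:05:55|u_clerk19|P1001|VIEW_CHART
"""


def parse_log(text):
    """Parse the constructed audit format into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def flag_unauthorized(events, care_team):
    """Keep only accesses where the user is not on the patient's care team.

    This is the study's selection rule: staff who were not part of the
    patient's treatment team and had no access permission.
    """
    return [e for e in events
            if e["user"] not in care_team.get(e["patient"], set())]


def first_access_by_user(flags):
    """Earliest flagged access per user, i.e. the night the warning email went out."""
    first = {}
    for e in sorted(flags, key=lambda e: e["ts"]):
        first.setdefault(e["user"], e["ts"])
    return first


def repeat_offenders(flags, lo_days=20, hi_days=70):
    """Users with a further flagged access in the 20-70 day follow-up window."""
    first = first_access_by_user(flags)
    repeaters = set()
    for e in flags:
        delta = e["ts"] - first[e["user"]]
        if timedelta(days=lo_days) <= delta <= timedelta(days=hi_days):
            repeaters.add(e["user"])
    return repeaters


def relative_reduction(warned_repeat, warned_n, control_repeat, control_n):
    """Percent reduction in the repeat-offense rate of the warned arm vs control."""
    warned_rate = warned_repeat / warned_n
    control_rate = control_repeat / control_n
    return round(100 * (1 - warned_rate / control_rate), 1)


if __name__ == "__main__":
    flags = flag_unauthorized(parse_log(AUDIT_LOG), CARE_TEAM)
    for e in flags:
        print(f"FLAG {e['ts'].isoformat()} {e['user']} -> {e['patient']}")
    print("repeat offenders in window:", sorted(repeat_offenders(flags)))
    # The study's arms: 4/219 warned vs 90/225 control.
    print("relative reduction (%):", relative_reduction(4, 219, 90, 225))
```

On the constructed log, only `u_clerk19` is flagged, and the access on 2018-02-20 falls 48 days after the first flagged access, so that user is the sole repeat offender in the window. Plugging the study’s arm sizes into `relative_reduction` gives 95.4%, the figure the article rounds to 95%.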

While there were limitations of the study and the findings may not translate to other hospitals, it demonstrates that on-the-spot intervention can be highly effective at preventing further privacy breaches and that if no action is taken, employees are likely to continue to access patient data in violation of the HIPAA Rules.

“What an email warning can do to deter employees’ unauthorized access is stunning. A simple email can lead to big changes,” said Dr. Ge Bai, a professor at Johns Hopkins Carey Business School and Bloomberg School of Public Health, and corresponding author of the study.

For the duration of the trial, no disciplinary action was taken against any of the employees. Disciplinary action was taken after the trial was concluded against all employees involved for violating the PHI access policy of the medical center, which prohibits employees from accessing the records of family members, coworkers, friends, or other acquaintances without prior written authorization.

The post On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95% appeared first on HIPAA Journal.