Healthcare Data Privacy

Florida County Drug Screening Lab Exposed Sensitive Data Online for 4 Years

Posted January 27, 2022 by HIPAA Journal

A misconfiguration of an internal website portal used by a Florida county drug screening lab has exposed sensitive information online for a period of more than four years.

St. Lucie County’s drug screening lab (SLC Lab) provides drug testing services for employment, court cases, and other purposes. The configuration error was discovered on October 13, 2021, and the issue was immediately corrected.

Assisted by third-party cybersecurity professionals, the country determined on December 28, 2021, that the configuration error occurred on June 2, 2017. From June 2, 2017, to October 13, 2021, sensitive data were accessible to certain portal users, including full names, dates of birth, Social Security numbers, and limited information related to the type of drug test performed and the result of the lab test.

While sensitive data were exposed via the web portal for 4 years, SLC Lab said it has not been notified about any cases of improper use of any of the exposed information and is unaware of any cases of identity theft or fraud as a result of the portal misconfiguration.

SLC Lab did not disclose in its breach notifications how many individuals have been affected, but the breach notice submitted to the Maine Attorney General says the sensitive information of 14,528 individuals was exposed. Notification letters started to be sent to those individuals on January 20, 2022. Complimentary credit and identity theft monitoring services have been offered to affected individuals.

SLC Lab said it is committed to maintaining the privacy of personal information and has taken many precautions to ensure sensitive information is safeguarded and will continue to evaluate and modify its practices and internal controls to improve the security and privacy of personal information.

While the exposed data include information classed as protected health information if held by a HIPAA-covered entity, this does not constitute a HIPAA breach as SLC Lab is not a HIPAA-covered entity with respect to the exposed data.

The post Florida County Drug Screening Lab Exposed Sensitive Data Online for 4 Years appeared first on HIPAA Journal.

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

Posted January 25, 2022 by HIPAA Journal

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents.

The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers, birth/marriage certificates, diagnoses, and medical treatment information.

Between June 24, 2020, and July 1, 2020, the attackers accessed the account from multiple IP addresses, including some from outside the United States and on July 1, 2020, the account was used to send around 2,000 phishing emails to EyeMed clients. The EyeMed IT department detected the phishing emails and received multiple inquiries from clients querying the legitimacy of the emails. The compromised account was then immediately secured.

The subsequent forensic investigation confirmed the attacker could have exfiltrated data from the email account while access was possible but could not determine if any personal information was stolen. Affected individuals were notified in September 2020 and were offered complimentary credit monitoring, fraud consultation, identity theft restoration services.

The Office of the New York Attorney General investigated the security incident and data breach and determined that, at the time of the attack, EyeMed had failed to implement appropriate security measures to prevent unauthorized individuals from accessing the personal information of New York residents.

The email account was accessible via a web browser and contained large quantities of consumers’ sensitive information spanning several years, yet EyeMed had failed to implement multifactor authentication on the account. EyeMed also failed to implement adequate password management requirements for the email account. The password requirements for the account were not sufficiently complex, only requiring a password of 8 characters, when it was aware of the importance of password complexity as the password requirements for admin-level accounts required passwords of at least 12 characters. EyeMed also allowed 6 failed password attempts before locking out the user ID. EyeMed had also failed to maintain adequate logging of email accounts and was not monitoring email accounts, which made it difficult to identify and investigate security incidents. It was also unreasonable to retain consumer data in the email account for such a long period of time. Older emails should have been transferred to more secure systems and be deleted from the email account.

State attorneys general have the authority to impose financial penalties for HIPAA violations and it would have been possible to cite violations of HIPAA; however, New York only cited violations of New York General Business Law.

Under the terms of the settlement, EyeMed is required to pay a financial penalty of $600,000 and must implement several measures to improve security and prevent further data breaches. Those measures include:

Maintaining a comprehensive information security program that is regularly updated to keep pace with changes in technology and security threats
Maintaining reasonable account management and authentication, including the use of multi-factor authentication for all administrative or remote access accounts
Encrypting sensitive consumer information
Conducting a reasonable penetration testing program to identify, assess, and remediate security vulnerabilities
Implementing and maintaining appropriate logging and monitoring of network activity
Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.

“New Yorkers should have every assurance that their personal health information will remain private and protected. EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” said Attorney General James. “Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”

The post New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach appeared first on HIPAA Journal.

More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability

Posted January 24, 2022 by HIPAA Journal

A recent study by the healthcare IoT security platform provider Cynerio has revealed 53% of connected medical devices and other healthcare IoT devices have at least one unaddressed critical vulnerability that could potentially be exploited to gain access to networks and sensitive data or affect the availability of the devices. The researchers also found a third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability, data confidentiality, or place patient safety in jeopardy.

The researchers analyzed the connected device footprints at more than 300 hospitals to identify risks and vulnerabilities in their Internet of Medical Things (IoMT) and IoT devices. IV pumps are the most commonly used healthcare IoT device, making up around 38% of a hospital’s IoT footprint. It is these devices that were found to be the most vulnerable to attack, with 73% having a vulnerability that could threaten patient safety, service availability, or result in data theft. 50% of VOIP systems contained vulnerabilities, with ultrasound devices, patient monitors, and medicine dispensers the next most vulnerable device categories.

The recently announced Urgent11 and Ripple20 IoT vulnerabilities are naturally a cause for concern; however, there are much more common and easily exploitable vulnerabilities in IoT and IoMT devices. The Urgent11 and Ripple20 vulnerabilities affect around 10% of healthcare IoT and IoMT devices, but the most common risk was weak credentials. Default passwords can easily be found in online device manuals and weak passwords are vulnerable to brute force attacks. One-fifth (21%) of IoT and IoMT devices were found to have default or weak credentials.

The majority of pharmacology, oncology, and laboratory devices and large numbers of the devices used in radiology, neurology, and surgery departments were running outdated Windows versions (older than Windows 10) which are potentially vulnerable.

Unaddressed software and firmware vulnerabilities are common in bedside devices, with the most common being improper input validation, improper authentication, and the continued use of devices for which a device recall notice has been issued. Without visibility into the devices connected to the network and a comprehensive inventory of all IoT and IoMT devices, identifying and addressing vulnerabilities before they are exploited by hackers will be a major challenge and it will be inevitable that some devices will remain vulnerable.

Many medical devices are used in critical care settings, where there is very little downtime. More than 80% of healthcare IoT devices are used monthly or more frequently, which gives security teams a small window for identifying and addressing vulnerabilities and segmenting the network. Having an IT solution in place that can provide visibility into connected medical devices and provide key data on the security of those devices will help security teams identify vulnerable devices and plan for updates.

Oftentimes it is not possible for patches to be applied. Oftentimes healthcare IoT devices are in constant use and they are frequently used past the end-of-support date. In such cases, the best security alternative is virtual patching, where steps are taken to prevent the vulnerabilities from being exploited such as quarantining devices and segmenting the network.

Segmenting the network is one of the most important steps to take to improve healthcare IoT and IoMT security. When segmentation is performed that takes medical workflows and patient care contexts into account, Cybnerio says 92% of critical risks in IoT and IoMT devices can be effectively mitigated.

Most healthcare IoT and IoMT cybersecurity efforts are focused on creating a comprehensive inventory of all IoT and IoMT devices and gathering data about those devices to identify potential risks. “Visibility and risk identification are no longer enough. Hospitals and health systems don’t need more data – they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it’s time for all of us to step up,” said Daniel Brodie, CTO and co-founder, Cynerio.

The post More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability appeared first on HIPAA Journal.

HHS Releases Final Trusted Exchange Framework and Common Agreement

Posted January 19, 2022 by HIPAA Journal

The Department of Health and Human Services’ Office of the National Coordinator for Health IT has released the final version of its Trusted Exchange Framework and the Common Agreement (TEFCA) – a governance framework for nationwide health information exchange. Two previous versions of TEFCA have been released, the first in 2018 and the second in 2019, with the final version taking into consideration feedback provided by healthcare industry stakeholders. TEFCA was a requirement of the 21st Century Cures Act and has been 5 years in the making. The announcement this week sees the HHS finally move into the implementation phase of TEFCA.

The Trusted Exchange Framework is a set of non-binding foundational principles for health information exchange and outlines propositions for standardization, cooperation, privacy, security, access, equity, openness and transparency, and public health. The second component is the common agreement, which is a legal contract that a Qualified Health Information Network (QHIN) enters into with the ONC’s Recognized Coordinating Entity (RCE). The RCE, the Sequoia Project, is a body charged with developing, updating, and maintaining the Common Agreement and overseeing QHINs.

The framework promotes secure health information exchange across the United States and is intended to improve the interoperability of health information technology, including the electronic health record systems used by hospitals, health centers, and ambulatory practices, and health information exchange with federal government agencies, health information networks, public health agencies, and payers.

“The Common Agreement establishes the technical infrastructure model and governing approach for different health information networks and their users to securely share clinical information with each other – all under commonly agreed-to rules-of-the-road,” explained ONC in a press release. The Common Agreement supports multiple exchange purposes that are required to improve healthcare and should benefit a wide variety of healthcare entities. The Common Agreement operationalizes electronic health information exchange and provides easier ways for individuals and organizations to securely connect. TEFCA will also provide benefits to patients, such as allowing them to obtain access to their healthcare data through third parties that offer individual access services.

ONC’s RCE will sign a legal contract with each QHIN and entities will be able to apply to be designated as QHINs shortly. When designated as a QHIN they will be able to connect with each other and their participants will be able to participate in health information exchange across the country. ONC has released a QHIN Technical Framework which details the functional and technical requirements that QHINs will need to bring the new connectivity online. The HHS has also announced that the TEFCA Health Level Seven (HL7) Fast Healthcare Interoperability Resource (FHIR) Roadmap (TEFCA FHIR Roadmap) is now available, which explains how TEFCA will accelerate the adoption of FHIR-based exchange across the industry.

“Operationalizing TEFCA within the Biden Administration’s first year was a top priority for ONC and is critical to realizing the 21st Century Cures Act’s goal of a secure, nationwide health information exchange infrastructure,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “Simplified nationwide connectivity for providers, health plans, individuals, and public health is finally within reach. We are excited to help the industry reap the benefits of TEFCA as soon as they are able.”

ONC said its RCE will be hosting a series of public engagement webinars to provide further information on the Trusted Exchange Framework and the Common Agreement, which will explain how they work to help prospective QHINs determine whether to sign the Common Agreement

The post HHS Releases Final Trusted Exchange Framework and Common Agreement appeared first on HIPAA Journal.

December 2021 Healthcare Data Breach Report

Posted January 18, 2022 by HIPAA Journal

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – An 10.9% increase from 2020.

Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – The second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Breach Cause
Oregon Anesthesiology Group, P.C.	OR	Healthcare Provider	750,500	Ransomware
Texas ENT Specialists	TX	Healthcare Provider	535,489	Ransomware
Monongalia Health System, Inc.	WV	Healthcare Provider	398,164	Business Email Compromise/Phishing
BioPlus Specialty Pharmacy Services, LLC	FL	Healthcare Provider	350,000	Hacked network server
Florida Digestive Health Specialists, LLP	FL	Healthcare Provider	212,509	Business Email Compromise/Phishing
Daniel J. Edelman Holdings, Inc.	IL	Health Plan	184,500	Business associate hacking/IT incident
Southern Orthopaedic Associates d/b/a Orthopaedic Institute of Western Kentucky	KY	Healthcare Provider	106,910	Compromised email account
Fertility Centers of Illinois, PLLC	IL	Healthcare Provider	79,943	Hacked network server
Bansley and Kiener, LLP	IL	Business Associate	50,119	Ransomware
Oregon Eye Specialists	OR	Healthcare Provider	42,612	Compromised email accounts
MedQuest Pharmacy, Inc.	UT	Healthcare Provider	39,447	Hacked network server
Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E.	NY	Health Plan	20,579	Phishing
Loyola University Medical Center	IL	Healthcare Provider	16,934	Compromised email account
Bansley and Kiener, LLP	IL	Business Associate	15,814	Ransomware
HOYA Optical Labs of America, Inc.	TX	Business Associate	14,099	Hacked network server
Wind River Family and Community Health Care	WY	Healthcare Provider	12,938	Compromised email account
Ciox Health	GA	Business Associate	12,493	Compromised email account
A New Leaf, Inc.	AZ	Healthcare Provider	10,438	Ransomware

Causes of December 2021 Healthcare Data Breaches

18 data breaches of 10,000 or more records were reported in December, with the largest two breaches – two ransomware attacks – resulting in the exposure and potential theft of a total of 1,285,989 records. Ransomware continues to pose a major threat to healthcare organizations. There have been several successful law enforcement takedowns of ransomware gangs in recent months, the most recent of which saw authorities in Russia arrest 14 members of the notorious REvil ransomware operation, but there are still several ransomware gangs targeting the healthcare sector including Mespinoza, which the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about this month due to the high risk of attacks.

Phishing attacks continue to result in the exposure of large amounts of healthcare data. In December, email accounts were breached that contained the ePHI of 807,984 individuals. The phishing attack on Monongalia Health System gave unauthorized individuals access to email accounts containing 398,164 records.

8 of the largest breaches of the month involved compromised email accounts, two of which were business email compromise attacks where accounts were accessed through a phishing campaign and then used to send requests for changes to bank account information for upcoming payments.

Throughout 2021, hacking and other IT incidents have dominated the breach reports and December was no different. 82.14% of the breaches reported in December were hacking/IT incidents, and those breaches accounted for 91.84% of the records breached in December – 2,711,080 records. The average breach size was 58,937 records and the median breach size was 4,563 records. The largest hacking incident resulted in the exposure of the protected health information of 750,050 individuals.

The number of unauthorized access and disclosure incidents has been much lower in 2021 than in previous years. In December there were only 5 reported unauthorized access/disclosure incidents involving 234,476 records. The average breach size was 46,895 records and the median breach size was 4,109 records.

There were two reported cases of the loss of paper/films containing the PHI of 3,081 individuals and two cases of theft of paper/films containing the PHI of 2,129 individuals. There was also one breach involving the improper disposal of a portable electronic device containing the ePHI of 934 patients.

As the chart below shows, the most common location of breached PHI was network servers, followed by email accounts.

HIPAA Regulated Entities Reporting Data Breaches in December 2021

Healthcare providers suffered the most data breaches in December, with 36 breaches reported. There were 11 breaches reported by health plans, and 9 breaches reported by business associates. Six breaches were reported by healthcare providers (3) and health plans (3) that occurred at business associates. The adjusted figures are shown in the pie chart below.

December 2021 Healthcare Data Breaches by U.S. State

Illinois was the worst affected state with 11 data breaches, four of which were reported by the accountancy firm Bansley and Kiener and related to the same incident – A ransomware attack that occurred in December 2020. the firm is now facing a lawsuit over the incident and the late notification to affected individuals – 12 months after the attack was discovered.

State	Number of Breaches
Illinois	11
Indiana	5
Florida, Oklahoma, and Texas	4
Arizona	3
California, Georgia, Kansas, Michigan, New York, Oregon, Utah, and Virginia	2
Alabama, Colorado, Kentucky, Maryland, North Carolina, Rhode Island, Wisconsin, West Virginia, and Wyoming	1

HIPAA Enforcement Activity in December 2021

There were no further HIPAA penalties imposed by the HHS’ Office for Civil Rights in December. The year closed with a total of 14 financial penalties paid to OCR to resolve violations of the HIPAA Rules. 13 of the cases were settled with OCR, and one civil monetary penalty was imposed. 12 of the OCR enforcement actions were for violations of the HIPAA Right of Access.

The New Jersey Attorney General imposed a $425,000 financial penalty on Regional Cancer Care Associates, which covered three separate Hackensack healthcare providers – Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC – that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland.

The New Jersey Attorney General and the New Jersey Division of Consumer Affairs investigated a breach of the email accounts of several employees between April and June 2019 involving the protected health information of 105,000 individuals and a subsequent breach when the breach notification letters were sent to affected individuals’ next of kin in error.

The companies were alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, failing to protect against reasonably anticipated threats to the security/integrity of patient data, a failure to implement security measures to reduce risks and vulnerabilities to an acceptable level, the failure to conduct an accurate and comprehensive risk assessment, and the lack of a security awareness and training program for all members of its workforce. The case was settled with no admission of liability. There were 4 HIPAA enforcement actions by state attorneys general in 2021. New Jersey was involved in 3 of those enforcement actions.

The post December 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity

Posted December 31, 2021 by HIPAA Journal

The Healthcare Supply Chain Association (HSCA) has issued guidance for healthcare delivery organizations, medical device manufacturers, and service suppliers on securing medical devices to make them more resilient to cyberattacks.

The use of medical devices in healthcare has grown at an incredible rate and they are now relied upon to provide vital clinical functions that cannot be compromised without diminishing patient care. Medical devices are, however, often vulnerable to cyber threats and could be attacked to cause harm to patients, be taken out of service to pressure healthcare providers into meeting attackers’ extortion demands, or could be accessed remotely to obtain sensitive patient data. Medical devices are often connected to the Internet and can easily be attacked, so it is essential for proactive steps to be taken to improve security.

The HSCA represents healthcare group purchasing organizations (GPOs) and advocates for fair procurement practices and education to improve the efficiency of purchases of healthcare goods and services and, as such, has a unique line of sight over the entire healthcare supply chain. The HSCA guidance is for the entire supply chain and explains some of the key considerations for medical device manufacturers, HDOs, and service providers to improve cybersecurity and address weaknesses before they are exploited by threat actors.

Two of the most important steps to take are to participate in at least one Information Sharing and Analysis Organization (ISAO), such as the Health Information Sharing and Analysis Center (H-ISAC), and to adopt an IT security risk assessment methodology, such as the NIST Cybersecurity Framework (CSF).

An ISAO is a community that actively collaborates to identify and disseminate actionable threat intelligence about the latest cybersecurity threats that allows members to take proactive steps to reduce risk. The NIST CSF and other cybersecurity frameworks help organizations establish and improve their cybersecurity program, prioritize activities, understand their current security status, and identify security gaps that need to be addressed.

HCSA also recommends appointing an information technology and/or network security officer who has overall responsibility for the security of the organization who can communicate risks to decision makers and oversee the security efforts of the organization.

Cybersecurity training for the workforce is vital. All employees must be made aware of the threats they are likely to encounter and should be taught best practices to follow to reduce risk. Training should be provided annually, and phishing simulations conducted regularly to reinforce training. Any employee who fails a simulation should be provided with further training.

Good patch management practices are essential for addressing known vulnerabilities before they can be exploited, anti-virus software should be deployed on all endpoints and be kept up to date, firewalls should be implemented at the network perimeter and internally, least-privilege access should be applied to system resources, and networks should be segmented to prevent lateral movement in the event of a breach. Password policies should also be implemented that are consistent with the latest NIST guidance.

To prevent the interception of sensitive data, all data in transit should be encrypted, backup and data restoration procedures should be implemented and regularly tested to ensure recovery is possible in the event of a cyberattack, and the life expectancy of all devices and software solutions should be specified in all purchase agreements, including all supporting components. Plans should then be made to upgrade equipment and software prior to reaching end-of-life.

In addition to these standard cybersecurity best practices, HCSA has provided specific considerations for HDOs, device manufacturers, and service providers in the guidance – Medical Device and Service Cybersecurity: Key Considerations for Manufacturers & Healthcare Delivery Organizations – which is available for download from the HCSA website.

The post Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity appeared first on HIPAA Journal.

November 2021 Healthcare Data Breach Report

Posted December 21, 2021 by HIPAA Journal

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches.

The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month.

Largest Healthcare Data Breaches Reported in November 2021

In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The average breach size in November was 34,862 records and the median breach size was 5,403 records.

The worst breach of the month saw the protected health information of 582,170 individuals exposed when hackers gained access to the network of Utah Imaging Associates. Planned Parenthood also suffered a major data breach, with hackers gaining access to its network and exfiltrating data before using ransomware to encrypt files.

Sound Generations, a non-profit that helps older adults and adults with disabilities obtain low-cost healthcare services, notified patients about two ransomware attacks that had occurred in 2021, which together resulted in the exposure and potential theft of the PHI of 103,576 individuals.

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Location of Breached PHI	Cause of Breach
Utah Imaging Associates, Inc.	Healthcare Provider	582,170	Hacking/IT Incident	Network Server	Unspecified hacking incident
Planned Parenthood Los Angeles	Healthcare Provider	409,759	Hacking/IT Incident	Network Server	Ransomware attack
The Urology Center of Colorado	Healthcare Provider	137,820	Hacking/IT Incident	Network Server	Unspecified hacking incident
Sound Generations	Business Associate	103,576	Hacking/IT Incident	Network Server	Two ransomware attacks
Mowery Clinic LLC	Healthcare Provider	96,000	Hacking/IT Incident	Network Server	Malware infection
Howard University College of Dentistry	Healthcare Provider	80,915	Hacking/IT Incident	Electronic Medical Record, Network Server	Ransomware attack
Sentara Healthcare	Healthcare Provider	72,121	Hacking/IT Incident	Network Server	Unspecified hacking incident at a business associate
Ophthalmology Associates	Healthcare Provider	67,000	Hacking/IT Incident	Electronic Medical Record, Network Server	Unspecified hacking incident
Maxim Healthcare Group	Healthcare Provider	65,267	Hacking/IT Incident	Email	Phishing attack
True Health New Mexico	Health Plan	62,983	Hacking/IT Incident	Network Server	Unspecified hacking incident
TriValley Primary Care	Healthcare Provider	57,468	Hacking/IT Incident	Network Server	Ransomware attack
Broward County Public Schools	Health Plan	48,684	Hacking/IT Incident	Network Server	Ransomware attack
Consociate, Inc.	Business Associate	48,583	Hacking/IT Incident	Network Server
Doctors Health Group, Inc.	Healthcare Provider	47,660	Hacking/IT Incident	Network Server	Patient portal breach at business associate (QRS Healthcare Solutions)
Baywood Medical Associates, PLC dba Desert Pain Institute	Healthcare Provider	45,262	Hacking/IT Incident	Network Server	Unspecified hacking incident
Medsurant Holdings, LLC	Healthcare Provider	45,000	Hacking/IT Incident	Network Server	Ransomware attack
One Community Health	Healthcare Provider	39,865	Hacking/IT Incident	Network Server	Unspecified hacking incident
Educators Mutual Insurance Association	Business Associate	39,317	Hacking/IT Incident	Network Server	Malware infection
Victory Health Partners	Healthcare Provider	30,000	Hacking/IT Incident	Network Server	Ransomware attack
Commission on Economic Opportunity	Business Associate	29,454	Hacking/IT Incident	Network Server	Hacked public claimant portal

Causes of November 20021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in November, accounting for 50 of the reported breaches. Ransomware continues to be extensively used in attacks on healthcare providers and their business associates, with the attacks often seeing sensitive patient data stolen and posted on data leak sites. The theft of patient data in these attacks also makes lawsuits more likely. Planned Parenthood, for example, was hit with a class action lawsuit a few days after mailing notification letters to affected patients.

2,327,353 healthcare records were exposed or stolen across those hacking incidents, which is 98.18% of all records breached in November. The average breach size for those incidents was 42,316 records and the median breach size was 11,603 records.

There were 11 unauthorized access/disclosure breaches in November – half the number of unauthorized access/disclosure breaches reported in October. Across those breaches, 37,646 records were impermissibly accessed or disclosed. The average breach size was 3,422 records and the median breach size was 1,553 records. There were also two reported cases of theft of portable electronic devices containing the electronic protected health information of 5,601 individuals.

November Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 50 reported breaches, with four of those breaches occurring at business associates but were reported by the healthcare provider. 8 data breaches were reported by health plans, 3 of which occurred at business associates, and business associates self-reported 10 data breaches. The pie chart below shows the breakdown of breaches based on where the breach occurred.

Geographic Distribution of November Healthcare Data Breaches

Healthcare data breaches of 500 or more records were reported by HIPAA-regulated entities in 32 states and the District of Columbia.

State	Number of Reported Data Breaches
California & New York	7
Maryland & Pennsylvania	4
Colorado, Kentucky, Ohio, & Utah	3
Illinois, Indiana, Michigan, Minnesota, New Mexico, Tennessee, Texas, Virginia, and the District of Columbia	2
Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Kansas, Massachusetts, Missouri, Nebraska, New Hampshire, New Jersey, North Carolina, Oregon, South Carolina, and Washington	1

HIPAA Enforcement Activity in November 2021

There was a flurry of HIPAA enforcement activity in November with financial penalties imposed by federal and state regulators. The HHS’ Office for Civil Rights announced a further 5 financial penalties to resolve alleged violations of the HIPAA Right of Access. In all cases, the healthcare providers had failed to provide patients with a copy of their requested PHI within a reasonable period of time after a request was received.

Covered Entity	Penalty	Penalty Type	Alleged Violation
Rainrock Treatment Center LLC (dba Monte Nido Rainrock)	$160,000	Settlement	HIPAA Right of Access
Advanced Spine & Pain Management	$32,150	Settlement	HIPAA Right of Access
Denver Retina Center	$30,000	Settlement	HIPAA Right of Access
Wake Health Medical Group	$10,000	Settlement	HIPAA Right of Access
Dr. Robert Glaser	$100,000	Civil Monetary Penalty	HIPAA Right of Access

The New Jersey Attorney General and the Division of Consumer Affairs announced in November that a settlement had been reached with two New jersey printing firms – Command Marketing Innovations, LLC and Strategic Content Imaging LLC – to resolve violations of HIPAA and the New Jersey Consumer Fraud Act. The violations were uncovered during an investigation into a data breach involving the PHI of 55,715 New Jersey residents.

The breach was due to a printing error that saw the last page of one individual’s benefit statement being attached to the benefit statement of another individual. The Division of Consumer Affairs determined the companies failed to ensure confidentiality of PHI, did not implement sufficient PHI safeguards and failed to review security measures following changes to procedures. A financial penalty of $130,000 was imposed on the two firms, and $65,000 was suspended and will not be payable provided the companies address all the security failures identified during the investigation.

The post November 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information

Posted December 17, 2021 by HIPAA Journal

In 2019, it was alarming that healthcare data breaches were being reported at a rate of more than 1 a day. In 2021, there have been several months where healthcare data breaches have been occurring at a rate of more than 2 per day. With data breaches occurring so regularly and ransomware attacks disrupting healthcare services, it is no surprise that many patients do not have much trust in their healthcare providers to protect sensitive personally identifiable information (PII).

That has been confirmed by a recent survey conducted by Dynata on behalf of Semafone. 56% of patients at private practices said they do not trust their healthcare providers to protect PII and payment information. Smaller healthcare providers have smaller budgets for cybersecurity than larger healthcare networks, but trust in large hospital networks is far lower. Only 33% of patients of large hospital networks trusted them to be able to safeguard their PII.

The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, has stepped up enforcement of compliance with the HIPAA Rules in recent years and is increasingly imposing financial penalties for HIPAA Privacy and Security Rule violations. The survey confirmed that patients want healthcare providers to face financial penalties when they fail to ensure the confidentiality of healthcare data. 9 out of 10 patients were in favor of financial penalties for healthcare providers that fail to implement appropriate protections to prevent healthcare data breaches.

Further, when data breaches occur, patients are willing to switch providers. 66% of patients said they would leave their healthcare provider if their PII or payment information was compromised in a data breach that occurred as a result of the failure to implement appropriate security measures. Another 2021 survey, conducted on behalf of Armis, had similar findings. 49% of patients said they would switch provider if their PHI was compromised in a ransomware attack.

The pandemic has increased the risk patients face from healthcare data breaches. Before the pandemic, many patients paid their medical bills in person or by mail, but the Semafone survey showed both payment methods are in decline, with many patients now choosing to pay electronically. There has been a 28% fall in in-person payments and a 17% drop in mail-in payments. With financial information more likely to be stored by healthcare providers, the risk of financial harm from a data breach has increased substantially.

Semafone explained in its 2021 State of Healthcare Payment Experience and Security Report that the increase in healthcare data breaches has led to patients having a heightened sense of awareness and interest in the processes their providers take to protect their information. Semafone suggests healthcare providers, and especially large hospital networks, need to pay more attention to the digital transformation measures they take to keep sensitive information secure.

“Regardless of size, the entire healthcare industry must do better at navigating and preventing data breaches,” said Gary E. Barnett, CEO of Semafone. “The sheer number of breaches in and out of healthcare is problematic. Fortunately, there are solutions that provide security and help meet compliance standards, but many of today’s companies still rely on outdated processes for operations. It is no longer acceptable to claim they aren’t aware that highly efficient, effective, and automated solutions exist to save time, money, and risk. Healthcare organizations must seek the right technologies and processes to protect the patient experience.”

While most patients (75%) said they feel confident that their healthcare providers are doing a good job at disclosing how payment information is secured, only 50% said they know where their payment data was stored. “As a patient, understanding where and how personal and payment information is stored is important to protect against potential fraud and breaches,” explained Semafone in the report. “Given the large number unaware of where their data is stored, providers have an opportunity to increase education and communication with patients to, in turn, improve the experience and overall sentiment toward the providers for the future.”

The post Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information appeared first on HIPAA Journal.

New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations

Posted December 16, 2021 by HIPAA Journal

The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA)

Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC.

Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the scammers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details.

In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the individuals’ next-of-kin. The notification letters disclosed sensitive information such as the patient’s medical conditions, including cancer diagnoses, when consent to disclose that information had not been provided by the patients.

Across the two incidents, the PHI of more than 105,000 individuals was exposed or impermissibly disclosed, including the PHI of more than 80,000 New Jersey residents.

“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey Acting Attorney General Bruck. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”

The companies are alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, did not protect against reasonably anticipated threats to the security/integrity of patient data, did not implement security measures to reduce risks and vulnerabilities to an acceptable level, did not conduct an accurate and comprehensive risk assessment, and had not implemented a security awareness and training program for all members of its workforce.

Under the terms of the settlement, three companies will pay a financial penalty of $425,000 and are required to implement further privacy and security measures to ensure the confidentiality, integrity, and availability of PHI.

The companies are required to implement and maintain a comprehensive information security program, a written incident response plan and cybersecurity operations center, employ a CISO to oversee cybersecurity, conduct initial training for employees and annual training on information privacy and security policies, and obtain a third-party assessment on policies and procedures relating to the collection, storage, maintenance, transmission, and disposal of patient data.

“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”

New Jersey has been one of the most active states in HIPAA enforcement. In the past few months, settlements have been reached with two other companies for violations of HIPAA and the Consumer Fraud Act. In October, a New Jersey fertility clinic was fined $495,000, and two printing companies were fined $130,000 in November.

The post New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information