Healthcare Data Privacy

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

Posted by HIPAA Journal

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of 21 million Americans.

Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities.

From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019.

AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for bankruptcy protection in June 2019.

The multi-state investigation into the breach was led by the Indiana, Texas, Connecticut, and New York Attorneys General, with the Indiana and Texas AGs also participating in the bankruptcy proceedings to ensure that the investigation continued, and the personal and protected health information of breach victims was protected. AMCA received permission from the bankruptcy court to settle the multistate action and filed for dismissal of the bankruptcy on December 9, 2020.

The multistate investigation confirmed information security deficiencies contributed to the cause of the breach and despite AMCA receiving warnings from banks that processed AMCA payments about fraudulent use of payment cards, AMCA failed to detect the intrusion.

Under the terms of the settlement, AMCA is required to create and implement an information security program, develop an incident response plan, employ a qualified chief information security officer (CISO), hire a third-party assessor to perform an information security assessment, and continue to assist state attorneys general with investigations into the data breach.

A financial penalty of $21 million has been imposed on AMCA which will be distributed pro rata between the affected states; however, due to the financial position of the company, the $21 million financial penalty has been suspended. That payment will only need to be made if AMCA defaults on the terms of the settlement agreement.

“AMCA is a cautionary tale: When a company does not adequately invest in information security, the costs associated with a data breach can lead to bankruptcy – destroying the business and leaving affected individuals in harm’s way,” said Connecticut Attorney General Tong. “My office will continue to work to protect personal information even where the business that had the responsibility to do so cannot.”

“AMCA’s security failures resulted in 21 million Americans having their data illegally accessed. I am committed to protecting New Yorkers’ personal data and will not hesitate to hold companies accountable when they fail to safeguard that information,” said New York Attorney General Letitia James. “Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again.”

Indiana, Texas, Connecticut, and New York led the investigation and were assisted by Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina, and Tennessee. The Attorneys General of Arizona, Arkansas, Colorado, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington, and West Virginia also joined the settlement.

The post Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation appeared first on HIPAA Journal.

Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days

Posted by HIPAA Journal

Changes to the HIPAA Rules are infrequent, so when updates are proposed they tend to include a slew of new requirements and updates to existing provisions. Before any updates are made, a request for information (RFI) is issued to allow the HHS to obtain feedback on aspects of the HIPAA Rules that are causing problems, and areas where improvements could be made.

Following the RFI, a proposed rule is issued by the HHS followed by a comment period. The comment period is the last chance for industry stakeholder, including patients and their families, to voice their opinions about the proposed changes before they are signed into law.

After issuing an RFI, the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking on December 10, 2020, along with the standard 60-day comment period from the date of publication in the Federal Register (January 21, 2021). The comment period was due to expire on March 22, 2021.

Since the proposed changes include updates to the HIPAA Privacy Rule that will impact virtually everyone in the healthcare industry, the HHS has taken the decision to extend the comment period.

The proposed Privacy Rule changes include strengthening patient rights to access their own healthcare information, changes to facilitate greater family and caregiver involvement in the care of individuals in emergencies and health crises, changes to bring greater flexibility for disclosures in emergency situations, updates to reduce the administrative burden on healthcare providers, and changes to improve information sharing for care coordination and case management.

The HHS’ Office for Civil Rights is encouraging all stakeholders to read the proposed changes and submit their feedback. All comments received will be carefully considered and will shape the final rule which is expected to be issued in late 2021/early 2022.

“OCR anticipates a high degree of public interest in providing input on the proposals because the HIPAA Privacy Rule affects nearly anyone who interacts with the health care system,” said Acting OCR Director Robinsue Frohboese.  “The 45-day extension of the comment period to May 6, 2021, will give the public a full opportunity to consider the proposals and submit comments to inform future policy.”

You can view the Proposed Modifications to the HIPAA Privacy Rule here.

The post Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days appeared first on HIPAA Journal.

FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Data Without Consent

Posted by HIPAA Journal

On March 4, 2021, Senator Robert Menendez (D-New Jersey), and Reps. Bonnie Watson Coleman (D-New Jersey) and Mikie Sherrill (D-New Jersey) wrote a letter urging the Federal Trade Commission (FTC) to start enforcing the Health Breach Notification Rule.

The Federal Trade Commission (FTC) has a mandate to protect Americans from bad actors that betray consumer trust and misuse consumers’ healthcare data and has the authority to take enforcement action but is not enforcing compliance with the Health Breach Notification Rule.

The Health Breach Notification Rule was introduced as part of the American Recovery and Reinvestment Act of 2009 and requires vendors of personal health records, PHR related entities, and third-party service providers to inform consumers about unauthorized disclosures of personal health information.

The Health Breach Notification Rule applies to entities not covered by the Health Insurance Portability and Accountability Act (HIPAA), and has similar provisions to the HIPAA Breach Notification Rule. While the HHS’ Office for Civil Rights has enforced compliance with the HIPAA Breach Notification Rule, the FTC has yet to take any enforcement actions against entities over violations of the Health Breach Notification Rule.

In the letter to the Honorable Rebecca Kelly Slaughter, FTC Acting Chair, the lawmakers urged the FTC to take enforcement actions against companies that fail to notify consumers about unauthorized uses and disclosures of personal health information, specifically disclosures of consumers’ personal health information to third parties without consent by menstruation tracking mobile app providers.

Over the past couple of years, several menstruation and fertility tracking apps have been found to be sharing app user data with third parties without consent. In 2019, a Wall Street Journal investigation revealed the period tracking app Flo was disclosing users’ personal health information to third parties without obtaining consent. While the Flo Health explained in its privacy policy that the personal health data of consumers would be safeguarded and not shared with third parties, consumer information was in fact being shared with tech firms such as Google and Facebook.

The FTC filed a complaint against Flo over the privacy violations and a settlement was reached between Flo Health and the FTC that required the app developer to revise its privacy practices and obtain consent from app users before sharing their health information, however, the complaint did not address the lack of notifications to consumers.

Flo is not the only period tracking app to disclose consumers’ personal health information without obtaining consent. The watchdog group International Digital Accountability Council determined the fertility tracking app Premom’s privacy policy differed from its actual data sharing practices, and the app was sharing user data without consent. In 2019, Privacy International conduced an investigation into privacy violations at another period tracking app and found user data was provided to Facebook before users could view changes to its privacy policy and provide their consent.

“Stronger [Health Breach Notification Rule] enforcement would be especially impactful in the case of period-tracking apps, which manage data that is both deeply personal and highly valuable to advertisers,” wrote the lawmakers. “Looking ahead, we encourage you to use all of the tools at your disposal, including the Health Breach Notification Rule, to protect women and all menstruating people from mobile apps that exploit their personal data.”

The post FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Data Without Consent appeared first on HIPAA Journal.

CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities

Posted by HIPAA Journal

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities Australia, New Zealand, Singapore, and the United Kingdom have issued an alert for users of the Accellion File Transfer Appliance (FTA) about 4 vulnerabilities which are being actively exploited by a threat actor to gain access to sensitive data.

The Accellion FTA is a legacy file transfer appliance used to share large files. Accellion identified a zero-day vulnerability in the product in mid-December and released a patch to address the flaw, although further vulnerabilities have since been identified.

The vulnerabilities are tracked as:

  • CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header
  • CVE-2021-27102 – Operating system command execution vulnerability via a local web service
  • CVE-2021-27103 – Server-side request forgery via a crafted POST request
  • CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request

The SQL injection flaw (CVE-2021-27011) allows unauthorized individual to run remote commands on targeted devices. An exploit for the vulnerability has been combined with a webshell, with the latter used receive commands sent by the attacker and exfiltrate data and clean up logs. The removal of clean up logs allows the attacker to avoid detection and hampers analysis of the attack.

Once sensitive data have been exfiltrated, the attacker attempts to extort money from the victim. Threats are issued to publicly expose the stolen data on a ransomware data leak site if the ransom is not paid. FireEye/Mandiant have linked the attacks with the FIN11 and CL0P ransomware operation, although ransomware is not being used in the attacks.

Accellion became aware of attacks exploiting the vulnerabilities in January 2021 and reports fewer than 100 clients have been affected and around 2 dozen clients are believed to have suffered significant data theft. Kroger has recently reported that some pharmacy and little Clinic customers have been affected, and Centene has similarly suffered a data breach via the exploitation of the vulnerabilities. Other victims include Transport for New South Wales in Australia, the Canadian Aircraft manufacturer Bombardier, the Reserve Bank of New Zealand, the Australian financial regulator ASIC, the Office of the Washington State Auditor, and the University of Colorado.

CISA has provided Indicators of Compromise (IoCs) in its cybersecurity alert (AA21-055A) which can be used by Accellion customers to determine if the vulnerabilities have been exploited, along with advice should malicious activity be detected.

In addition to performing an analysis to identify if the flaws have been exploited, CISA recommends isolating systems hosting the software from the Internet and updating Accellion FTA to version FTA_9_12_432 or later. It is also recommended by Accellion and CISA to migrate from this legacy product to a supported file sharing platform. The Accellion FTA reaches end-of-life on April 30, 2021. Accellion recommends upgrading to its Kiteworks file sharing platform, which has enhanced security features.

The post CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities appeared first on HIPAA Journal.

January 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day.

January 2021 Healthcare Data Breaches

There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records.

January 2021 Healthcare Data Breaches - Records Exposed

Largest Healthcare Data Breaches Reported in January 2021

The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application for applications for insurance coverage. The company failed to apply patches for 7 years, which allowed unauthorized individuals to exploit the flaws and gain access to sensitive data.

Hendrick Health had a major data breach due to a ransomware attack; one of many reported by healthcare providers since September 2020 when ransomware actors stepped up their attacks on the healthcare sector. The County of Ramsey breach was also due to a ransomware attack at one of its technology vendors.

Email-based attacks such as business email compromise (BEC) and phishing attacks were common in January, and were the cause of 4 of the top ten breaches.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Florida Healthy Kids Corporation Health Plan* 3,500,000 Hacking/IT Incident:

Website and Web Application Hack

 Network Server
Hendrick Health Healthcare Provider 640,436 Hacking/IT Incident:

Ransomware

 Network Server
Roper St. Francis Healthcare Healthcare Provider 189,761 Hacking/IT Incident:

Phishing attack

 Email
Precision Spine Care Healthcare Provider 20,787 Hacking/IT Incident:

BEC attack

 Email
Walgreen Co. Healthcare Provider 16,089 Unauthorized Access/Disclosure:

Unknown

 Email
The Richards Group Business Associate 15,429 Hacking/IT Incident:

Phishing attack

 Email
Florida Hospital Physician Group Inc. Healthcare Provider 13,759 Hacking/IT Incident:

EHR System

 Electronic Medical Record
Managed Health Services Health Plan* 11,988 Unauthorized Access/Disclosure:

Unconfirmed

 Paper/Films
Bethesda Hospital Healthcare Provider 9,148 Unauthorized Access of EMR by employee Electronic Medical Record
County of Ramsey Healthcare Provider* 8,687 Hacking/IT Incident:

Ransomware

 Network Server

*Breach reported by covered entity but occurred at a business associate.

Causes of January 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to cause the majority of healthcare data breaches. January saw 20 hacking/IT incidents reported, which accounted for 62.5% of the month’s data breaches. The protected health information of 4,413,762 individuals was compromised or exposed in those breaches – 98.8% of all breached records in January. The average breach size was 220,688 records and the median breach size was 2,464 records.

There were 11 reported unauthorized access and disclosure incidents involving 50,996 records. The average breach size was 4,636 records and the median breach size was 1,680 records.

There was one reported incident involving the loss of an unencrypted laptop computer containing 2,340 records, but no theft or improper disposal incidents.

Causes of January 2021 Healthcare Data Breaches

As the bar chart below shows, email is the most common location of breached PHI, mostly due to the high number of phishing attacks. This was closely followed by network server incidents, which mostly involve malware or ransomware.

Location of PHI in January 2021 Healthcare Data Breaches

January 2021 Healthcare Data Breaches by Entity Type

Healthcare providers were the worst affected covered entity type with 23 reported data breaches followed by health plans with 6 reported breaches. Three data breaches were reported by business associates of HIPAA covered entities, although a further 7 occurred at business associates but were reported by the covered entity, including the largest data breach of the month.

The number of breaches reported by business associates have been increasing in recent months. These incidents often involve multiple covered entities, such as the data breach at Blackbaud in 2020 which resulted involved the data of more than 10 million individuals across around four dozen healthcare organizations. A study by CI Security found 75% of all breached healthcare records in the second half of 2020 were due to data breaches at business associates.

January 2021 healthcare data breaches by covered entity type

Where Did the Data Breaches Occur?

January’s 32 data breaches were spread across 18 states, with Florida the worst affected with 6 reported breaches. There were 3 breaches reported by entities in Texas and Wyoming, and 2 reported in each of Louisiana, Massachusetts, and Minnesota.

Illinois, Indiana, Maryland, Missouri, Nevada, North Carolina, Ohio, Pennsylvania, South Carolina, Vermont, Virginia, and Washington each had 1 breach reported.

HIPAA Enforcement Activity in January 2021

2020 was a record year for HIPAA enforcement actions with 19 settlements reached to resolve HIPAA cases, and the enforcement actions continued in January with two settlements reached with HIPAA covered entities to resolve violations of the HIPAA Rules.

Excellus Health Plan settled a HIPAA compliance investigation that was initiated following a report of a breach of 9,358,891 records in 2015. OCR investigators identified multiple potential violations of the HIPAA Rules, including a risk analysis failure, risk management failure, lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. Excellus Health Plan settled the case with no admission of liability and paid a $5,100,000 financial penalty.

OCR continued with its crackdown of noncompliance with the HIPAA Right of Access with a $200,000 financial penalty for Banner Health. OCR found two Banner Health affiliated covered entities had failed to provide a patient with timely access to medical records, with both patients having to wait several months to receive their requested records.

The post January 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

100% of Tested mHealth Apps Vulnerable to API Attacks

Posted by HIPAA Journal

The personally identifiable health information of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by cybersecurity firm Approov.

Ethical hacker and researcher Allissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health data. One of the provisos of the study was she would not be permitted to name any of the apps if vulnerabilities were identified. She assessed 30 of the leading mHealth apps and discovered all were vulnerable to API attacks which could allow unauthorized individuals to gain access to full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating security issues are systemic.

mHealth apps have proven to be invaluable during the COVID-19 pandemic and are now increasingly relied on by hospitals and healthcare providers. According to Pew Research, mHealth apps are now generating more user activity than other mobile device apps such as online banking. There are currently an estimated 318,000 mHealth apps available for download from the major app stores.

The 30 mHealth apps analyzed for the study are used by an estimated 23 million people, with each app downloaded an average of 772,619 times from app stores. These apps contain a wealth of sensitive data, from vital signs data to pathology reports, test results, X-rays and other medical images and, in some cases, full medical records. The types of information stored in or accessible through the apps carries a high value on darknet marketplaces and is frequently targeted by cybercriminals. The vulnerabilities identified in mHealth apps makes it easy for cybercriminals to gain access to the information.

“Look, let’s point the pink elephant out in the room. There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible,” said Knight. “But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to broken object level authorization (BOLA) vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database.”

BOLA vulnerabilities allow a threat actor to substitute the ID of a resource with the ID of another. “When the object ID can be directly called in the URI, it opens the endpoint up to ID enumeration that allows an adversary the ability to read objects that don’t belong to them,” explained Knight. “These exposed references to internal implementation objects can point to anything, whether it’s a file, directory, database record or key.” In the case of mHealth apps, that could provide a threat actor with the ability to download entire medical records and personal information that could be used for identity theft.

APIs define how apps can communicate with other apps and systems and are used for sharing information. Out of the 30 mHealth apps tested, 77% had hard-coded API keys which made them vulnerable to attacks that would allow the attacker to intercept information as it is exchanged. In some cases, those keys never expired and 7% of the API keys belonged to third-party payment processors that strongly advise against hard coding these private keys in plain text, yet usernames and passwords had still been hard coded.

All of the apps lacked certificate pinning, which is used to prevent man-in-the-middle attacks. Exploiting this flaw would allow sensitive health and personal information to be intercepted and manipulated. Half of the tested apps did not authenticate requests with tokens, and 27% did not have code obfuscation protections, which made them vulnerable to reverse engineering.

Knight was able to access highly sensitive information during the study. 50% of records included names, addresses, dates of birth, Social Security numbers, allergies, medications, and other sensitive health data. Knight also found that if access is gained to one patient’s records, other patient records can also be accessed indiscriminately.  Half of all APIs allowed medical professionals to view pathology, X-ray, and clinical results of other patients and all API endpoints were found to be vulnerable to BOLA attacks, which allowed Knight to view the PHI and PII of patients not assigned to her clinical account. Knight also found replay vulnerabilities that allowed her to replay FaceID unlock requests that were days old and take other users’ sessions.

Part of the problem is mHealth apps do not have security measures baked in. Rather than build security into the apps at the design stage, the apps are developed, and security measures are applied afterwards. That can easily result in vulnerabilities not being fully addressed.

“The fact is that leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm,” said David Stewart, founder and CEO of Approov. “Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients.”

The post 100% of Tested mHealth Apps Vulnerable to API Attacks appeared first on HIPAA Journal.

Hospital Researcher Jailed for Stealing and Selling Research Data to China

Posted by HIPAA Journal

A woman who worked in a medical research lab at the Nationwide Children’s Hospital in Columbus, OH has been jailed for stealing sensitive research data and selling the information to the People’s Republic of China.

Li Chen, 47, and her husband Yu Zhou, 50, were both employed as medical researchers and worked in separate labs at the hospital’s Research Institute for more than 10 years. The former Dublin, OH residents were arrested in California in July 2019 and were subsequently charged over the alleged theft of cutting-edge scientific research.

Zhou was working on a novel technique that allowed exosomes to be isolated from small quantities of blood. Exosomes are used in the research, identification, and treatment of several medical conditions, such as necrotizing enterocolitis. The novel exosome isolation method was a vital process in the research into necrotizing enterocolitis, as the condition affects premature babies and only small blood samples can be taken safely.

The couple set up a company in China, stole at least five trade secrets related to exosome isolation, and then monetized the trade secrets by creating and selling exosome isolation kits. They then provided them to China and received benefits from the State Administration of Foreign Expert Affairs and the National Natural Science Foundation of China. Chen also applied to several government talent plans in China, which are used to transfer foreign research and technology to the Chinese government.

“For far too long, the People’s Republic of China (PRC) has encouraged the outright theft of American trade secrets through Chinese government programs that reward researchers for stealing what China cannot produce through its own ingenuity,” said Assistant Attorney General John C. Demers for the National Security Division. “These programs, like the Thousand Talents, are not innocuous platforms for academic collaboration.”

In July 2020, Chen pleaded guilty to conspiracy to commit wire fraud and the theft of scientific trade secrets for personal financial gain. Chen was recently sentenced to a 30-month jail term and, as part of her plea deal, agreed to pay $2.6 million in restitution, and forfeit around $1.4 million, 500,000 shares of common stock of Avalon GloboCare Corp. and 400 shares of common stock of GenExosome Technologies Inc. Zhou also pleaded guilty to conspiracy to commit wire fraud and is currently awaiting sentencing.

“The FBI will not stop its efforts to identify people who steal technology for their own financial benefit or for the benefit of a foreign government,” said Assistant Director Alan E. Kohler Jr. of the FBI’s Counterintelligence Division.

Chinese Government Targeting Health and Genetic Data of U.S. Citizens

China is not only trying to obtain sensitive medical research data. The National Counterintelligence and Security Center (NCSC) has recently drawn attention to efforts by China to obtain the healthcare data and DNA sets of Americans through cyberattacks, and partnerships between Chinese companies and U.S. states and healthcare organizations.

National Security laws in China require all Chinese companies to share any data they collect with the government. According to the NCSC, by 2019, 15 Chinese companies had been licensed to conduct genetic testing or genetic sequencing on patients in the United States. They had access to genetic data which could have been provided to the Chinese government.

The NSCS said genetic and healthcare data are being used to advance China’s AI and precision medicine industries, yet foreign companies are prevented from accessing the medical data of its own citizens. “Over time, this dynamic could allow China to outpace U.S. biotech firms with important new drugs and health treatments and potentially displace American firms as global biotech leaders,” explained NCSC in a February 2021 report.

The post Hospital Researcher Jailed for Stealing and Selling Research Data to China appeared first on HIPAA Journal.

Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data

Posted by HIPAA Journal

On January 28, 2021, democratic senators introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure data security measures are applied to protect COVID-19 related health data collected for public health purposes.

The Public Health Emergency Privacy Act was introduced by Sens. Mark Warner, D-Va., Richard Blumenthal, D-Conn. and U.S. representatives Anna Eshoo, D-CA., Jan Schakowsky, D-IL., and Suzan DelBene, D-WA and requires strong and enforceable privacy and data security rights for health information to be set.

“Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” said Sen. Blumenthal. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19.”

The Public Health Emergency Privacy Act will ensure strict privacy protections are implemented to ensure any health data collected for public health purposes will only ever be used to achieve the public health purpose for which it was collected.

The Public Health Emergency Privacy Act restricts the use of data collected for public health purposes to public health uses, prohibits the use of the data for discriminatory, unrelated, or intrusive purposes, and prevents government agencies that play no role in public health from misusing the data.

The Act requires data security and data integrity protections to be applied to safeguard health data, for the data collected to be restricted to the minimum necessary information to achieve the purpose for which it is collected and requires tech firms to ensure the data is deleted once the public health emergency is over.

Americans’ voting rights are protected by not permitting conditioning the right to vote on any medical condition or use of contact tracing apps. The Act will also give Americans control over participation in public health efforts by ensuring transparency and requiring opt-in consent. The Act also requires regular reports on the impact of digital collection tools on civil rights.

The Public Health Emergency Privacy Act will not supersede the requirements of HIPAA, the Privacy Act of 1974, or federal and state medical record retention and health information privacy regulations.

“Strong privacy protections for COVID health data will only be more vital as we move forward with vaccination efforts and companies begin experimenting with things like ‘immunity passports’ to gate access to facilities and services,” said Sen. Warner. “Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations and discriminatory uses of health data could become the new status quo in health care and public health.”

This is not the first time legislation of this nature has been proposed. A similar bill was introduced in 2020, but it failed to win congressional support.

The post Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data appeared first on HIPAA Journal.

Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Consent

Posted by HIPAA Journal

A lawsuit has been filed against Burr Ridge, IL-based Easy Healthcare Corp. over the alleged sharing of sensitive user data with third-party firms based in China.

Easy Healthcare Corp is the developer of Premom, a popular smartphone fertility app for tracking users’ ovulation cycles to identify their most fertile days. The lawsuit alleges a range of sensitive user data has been shared with at least three Chinese companies without obtaining users’ consent. Since the data is stored on servers in China, the lawsuit alleges sensitive information could potentially be accessed or seized by the Chinese government.

The data transmitted to the Chinese companies includes sensitive healthcare information, geolocation data, user and advertiser IDs, device activity data, and device hardware identifiers. Since the identifiers do not change, combining them with information where it was observed would allow data collectors to reconstruct app users’ activities.

Identifiers shared with the Chinese firms include Wi-Fi media access controls or MAC addresses, which are unique identifiers for network interface controllers; router MAC/BSSID addresses, which provide geographical location data; and router SSID (Service Set IDs), which provide information about Wi-Fi networks. It is also possible for information to be gathered about users interests, health, political views, religion, and other sensitive data.

The lawsuit alleges user data was sent to Jiguang (Aurora Mobile Ltd), Umeng, and UMSNS, which provide activity analysis, precision marketing, financial risk control, and location-based analysis services to their clients.

According to the lawsuit, the Premom privacy policy states, “We will not share or sell your personal data to advertising platforms, data brokers, or information resellers,” so the sharing of the data is in direct violation of those policies. While the privacy policy does state that non-identifiable user data may be collected, users are told that the information would not be shared with outside parties without user consent.

The plaintiff discovered that her personal data had been shared with the three Chinese companies for three years without her knowledge or consent. She claims to have been deceived by Easy Healthcare as she was not informed that her data would be provided to the Chinese entities. The lawsuit also alleges Easy Healthcare shared the data in exchange for monetary compensation and that the firm has been misrepresenting its data sharing practices, in what the lawsuit says is “an unfair, immoral, and unscrupulous business practice.” The lawsuit also claims user data is recorded whenever users unlock or use their phone, even if they are not using the app, which is in violation of Google Play’s developer policies.

The lawsuit was filed a few months after a bipartisan group of senators wrote to the Federal Trade Commission (FTC) to request an investigation of the data security and privacy practices of the Premom app, following the discovery of unauthorized data sharing by the watchdog group International Digital Accountability Council.

The lawsuit was filed in the US Northern District Court of Illinois, Eastern Division and seeks class action status and damages for app users. The lawsuit also calls for Easy Healthcare to stop sharing user data with companies without first obtaining consent from app users. Easy Healthcare has denied any wrongdoing.

Premom is not the only health app found to be sharing user data without obtaining informed consent from app users. The FTC settled a data privacy and security case with Flo Health in January 2021 after it was discovered to have misrepresented privacy practices for its fertility app and shared user data with a data analytics company without consent. Flo Health was ordered to review and revise its privacy policies and obtain consent from app users prior to sharing their data.

The post Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Consent appeared first on HIPAA Journal.