Healthcare Data Privacy

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

Posted by HIPAA Journal

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020.

Sept 2020 healthcare data breach report monthly breaches

Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records.

Sept 2020 healthcare data breach report monthly breached records

Causes of September 2020 Healthcare Data Breaches

The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers.

Blackbaud was able to contain the breach; however, prior to the deployment of the ransomware, the attackers exfiltrated some customer data. The breach was initially thought to only include limited data about donors and prospective donors, but further investigations revealed Social Security numbers and financial information were also exfiltrated by the hackers.

Blackbaud negotiated a ransom payment and paid to prevent the publication or sale of the stolen data. Blackbaud has reported it has received assurances that all stolen data were deleted. Blackbaud has engaged a company to monitor dark web sites but no data appears to have been offered for sale.

Blackbaud announced the ransomware attack in July 2020 and notified all affected customers. HIPAA-covered entities affected by the breach started to report the data breach in August, with most reporting in September.

It is currently unclear exactly how many U.S. healthcare organizations were affected by the breach and the final total may never be known. Databreaches.net has been tracking the Blackbaud breach reports and, at last count, at least 80 healthcare organizations are known to have been affected. The records of more than 10 million patients are thought to have been compromised as a result of the ransomware attack.

Sept 2020 healthcare data breach report causes of breaches

Unsurprisingly, given the numbers of healthcare providers affected by the Blackbaud breach, hacking/IT incidents dominated the breach reports. 83 breaches were attributed to hacking/IT incidents and 9,662,820 records were exposed in those breaches – 99.50% of all records reported as breached in September.  The mean breach size was 116,420 records and the median breach size was 27,410 records.

There were 7 unauthorized access/disclosure incidents reported in September involving a total of 34,995 records. The mean breach size was 4,942 records and the median breach size was 1,818 records. There were 4 loss/theft incidents reported involving 12,029 records, with a mean breach size of 3,007 records and a median size of 2,978 records. There was 1 improper disposal incident reported involving 1,076 records.

Most of the compromised records were stored on network servers, although there were a sizable number of breaches involving PHI stored in email accounts.

Sept 2020 healthcare data breach report - location of PHI

Largest Healthcare Data Breaches Reported in September 2020

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause
Trinity Health Business Associate 3,320,726 Hacking/IT Incident Blackbaud Ransomware Attack
Inova Health System Healthcare Provider 1,045,270 Hacking/IT Incident Blackbaud Ransomware Attack
NorthShore University HealthSystem Healthcare Provider 348,746 Hacking/IT Incident Blackbaud Ransomware Attack
SCL Health – Colorado (affiliated covered entity) Healthcare Provider 343,493 Hacking/IT Incident Blackbaud Ransomware Attack
Nuvance Health (on behalf of its covered entities) Healthcare Provider 314,829 Hacking/IT Incident Blackbaud Ransomware Attack
The  Baton Rouge Clinic, A Medical Corporation Healthcare Provider 308,169 Hacking/IT Incident Ransomware Attack
Virginia Mason Medical Center Healthcare Provider 244,761 Hacking/IT Incident Blackbaud Ransomware Attack
University of Tennessee Medical Center Healthcare Provider 234,954 Hacking/IT Incident Blackbaud Ransomware Attack
Legacy Community Health Services, Inc. Healthcare Provider 228,009 Hacking/IT Incident Phishing Attack
Allina Health Healthcare Provider 199,389 Hacking/IT Incident Blackbaud Ransomware Attack
University of Missouri Health Care Healthcare Provider 189,736 Hacking/IT Incident Phishing Attack
The Christ Hospital Health Network Healthcare Provider 183,265 Hacking/IT Incident Blackbaud Ransomware Attack
Stony Brook University Hospital Healthcare Provider 175,803 Hacking/IT Incident Blackbaud Ransomware Attack
Atrium Health Healthcare Provider 165,000 Hacking/IT Incident Blackbaud Ransomware Attack
University of Kentucky HealthCare Healthcare Provider 163,774 Hacking/IT Incident Blackbaud Ransomware Attack
Children’s Minnesota Healthcare Provider 160,268 Hacking/IT Incident Blackbaud Ransomware Attack
Roswell Park Comprehensive Cancer Center Healthcare Provider 141,669 Hacking/IT Incident Blackbaud Ransomware Attack
Piedmont Healthcare, Inc. Healthcare Provider 111,588 Hacking/IT Incident Blackbaud Ransomware Attack
SCL Health – Montana (affiliated covered entity) Healthcare Provider 93,642 Hacking/IT Incident Blackbaud Ransomware Attack
Roper St. Francis Healthcare Healthcare Provider 92,963 Hacking/IT Incident Blackbaud Ransomware Attack

September 2020 Data Breaches by Covered Entity Type

88 healthcare providers reported data breaches of 500 or more records in September and 2 breaches were reported by health plans. 5 breaches were reported by business associates of HIPAA-covered entities, but a further 53 breaches involved a business associate, with the breach reported by the covered entity. Virtually all of those 53 breaches were due to the ransomware attack on Blackbaud.

Sept 2020 healthcare data breach report - covered entity type

September 2020 Data Breaches by State

Covered entities and business associates in 30 states and the district of Columbia reported data breaches of 500 or more records in September.

New York was the worst affected state with 10 breaches, 6 breaches were reported in each of California, Minnesota, and Pennsylvania, 5 in each of Colorado, South Carolina, and Texas, 4 in Florida, Georgia, Massachusetts, Ohio, and Virginia, 3 in each of Iowa, Kentucky, Louisiana, and Michigan, and 2 in each of Connecticut, Maryland, North Carolina, Tennessee, and Wisconsin.

One breach was reported in each of Alabama, Delaware, Illinois, Indiana, Missouri, New Hampshire, New Jersey, Oklahoma, Washington, and the District of Columbia.

HIPAA Enforcement Activity in September 2020

Prior to September, the HHS’ Office for Civil Rights had only imposed three financial penalties on covered entities and business associates to resolve HIPAA violations, but there was a flurry of announcements about HIPAA settlements in September with 8 financial penalties announced.

The largest settlement was agreed with Premera Blue Cross to resolve HIPAA violations discovered during the investigation of its 2014 data breach that affected 10.4 million of its members. OCR found compliance issues related to risk analyses, risk management, and hardware and software controls. Premera agreed to pay a financial penalty of $6,850,000 to resolve the case. This was the second largest HIPAA fine ever imposed on a covered entity.

CHSPSC LLC, a business associate of Community Health Systems, agreed to pay OCR $2,300,000 to resolve its HIPAA violation case which stemmed from a breach of the PHI of 6 million individuals in 2014. OCR found compliance issues related to risk analyses, information system activity reviews, security incident procedures, and access controls.

Athens Orthopedic Clinic PA agreed to pay a $1,500,000 penalty to resolve its case with OCR which stemmed from the hacking of its systems by TheDarkOverlord hacking group. The PHI of 208,557 patients was compromised in the attack. OCR’s investigation uncovered compliance issues related to risk analyses, risk management, audit controls, HIPAA policies and procedures, business associate agreements, and HIPAA Privacy Rule training for the workforce.

Five of the September settlements resulted from OCR’s HIPAA Right of Access enforcement initiative and were due to the failure to provide patients with timely access to their medical records.

Entity Settlement
Beth Israel Lahey Health Behavioral Services $70,000
Housing Works, Inc. $38,000
All Inclusive Medical Services, Inc. $15,000
Wise Psychiatry, PC $10,000
King MD $3,500

 

There was one settlement to resolve a multistate investigation by state attorneys general, with Anthem Inc. agreeing to pay a financial penalty of $48.2 million to resolve multiple violations of HIPAA and state laws in relation to its 78.8 million record data breach in 2015, which is on top of the $16 million financial penalty imposed by OCR in October 2018.

The post September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised appeared first on HIPAA Journal.

Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data

Posted by HIPAA Journal

Comparitech security researcher Bob Diachenko has discovered an exposed cluster of databases belonging to the Voice over IP (VoIP) telecommunications vendor Broadvoice that contained the records of more than 350 million customers.

The exposed Elasticsearch cluster was discovered on October 1, 2020, the day the database cluster was indexed by the Shodan.io search engine. The Elasticsearch cluster was found to contain 10 collections of data, the largest of which consisted of 275 million records and included information such as caller names, phone numbers, and caller locations, along with other sensitive data. One database in the cluster was found to contain transcribed voicemail messages which included a range of sensitive data such as information about financial loans and medical prescriptions. More than 2 million voicemail records were included in that subset of data, 200,000 of which had been transcribed.

The voicemails included caller names, phone numbers, voicemail box identifiers, internal identifiers, and the transcripts included personal information such as full names, phone numbers, dates of birth, and other data. Voicemails left at medical clinics including details of prescriptions and medical procedures. Information about loan inquiries were also exposed, along with some insurance policy numbers.

Diachenko reported the exposed Elasticsearch cluster to Broadvoice, which took prompt action to prevent any unauthorized access. According to Broadvoice CEO Jim Murphy, “We learned that on October 1st, a security researcher was able to access a subset of b-hive data. The data had been stored in an inadvertently unsecured storage service Sept. 28th and was secured Oct. 2nd.” Diachenko confirmed on October 4, 2020 that the Elasticsearch cluster had been secured.

“At this point, we have no reason to believe that there has been any misuse of the data. We are currently engaging a third-party forensics firm to analyze this data and will provide more information and updates to our customers and partners. We cannot speculate further about this issue at this time,” said Murphy.

Broadvoice reported the breach to law enforcement and is investigating the breach. It is currently unclear if anyone other than Diachenko found and accessed the databases.

While most of the databases contained only limited information, it would be of value to cybercriminals who could easily target customers of Broadvoice in phishing scams. The information in the database could be used to convince customers that they were in contact with Broadvoice, and they could be fooled into revealing further sensitive information or making fraudulent payments.

Individuals whose information was detailed in the voicemail transcripts would be most at risk, as the additional data could be used to create convincing and persuasive phishing campaigns.

Comparitech researchers have previously demonstrated individuals are constantly scanning for exposed databases and that they are often discovered within hours of them being exposed. Their research showed that attempts were made to access their Elasticsearch honeypot within 9 hours of the data being exposed. Once databases are indexed by search engines such as Shodan and BinaryEdge attacks occur within a matter of minutes.

Comparitech researchers scan the internet to identify exposed data and report breaches to the owners of the databases. “In order to help raise awareness of data exposures in general and inform affected parties of this particular incident, we publish a report,” explained Comparitech. “Our aim is to have the data secured and all relevant parties informed as quickly as possible to minimize the potential damage caused.”

The post Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data appeared first on HIPAA Journal.

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Posted by HIPAA Journal

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million.

A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information.

The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during the breach investigation. In addition to the financial penalty, CHSPCS agreed to adopt a robust corrective action plan to address privacy and security failures discovered by OCR’s investigators.

Victims of the breach took legal action against CHS over the theft of their PHI and CHS settled the class action lawsuit in 2019 for $3.1 million. The latest settlement means CHS and its affiliates have paid $10.4 million in settlements over the breach.

“A patient’s personal information—especially health information—deserves the highest level of protection,” said Attorney General Slatery. “This settlement will require CHS to provide that moving forward.”

CHS and its affiliates were found to have failed to implement reasonable and appropriate security measures to ensure the confidentiality, integrity, and availability of protected health information on its systems. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure,” said Iowa Attorney General Tom Miller.

The states participating in the action were Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.

In addition to paying the financial penalty, CHS and its affiliates have agreed to adopt a corrective action plan and implement additional security measures to ensure the security of its systems. Those measures include developing a written incident response plan, providing security awareness and privacy training to all personnel with access to PHI, limiting unnecessary or inappropriate access to systems containing PHI, implementing policies and procedures for its business associates, and conducting regular audits of all business associates.

CHS must also conduct an annual risk assessment, implement and maintain a risk-based penetration testing program, implement and maintain intrusion detection systems, data loss protection measures, and email filtering and anti-phishing solutions. All system activity must be logged, and those logs must be regularly reviewed for suspicious activity.

“Community Health Systems is pleased to have resolved this six-year old matter,” said a spokesperson for CHS in a statement about the settlement. “The company had robust risk controls in place at the time of the attack and worked closely with the FBI and consistently with its recommendations after becoming aware of the attack.”

The post Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation appeared first on HIPAA Journal.

August 2020 Healthcare Data Breach Report

Posted by HIPAA Journal

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average.

The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.

 

 

Largest Healthcare Data Breaches Reported in August 2020

 

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Incident
Northern Light Health Business Associate 657,392 Hacking/IT Incident Network Server, Other Blackbaud ransomware attack
Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident Network Server Blackbaud ransomware attack
Assured Imaging Healthcare Provider 244,813 Hacking/IT Incident Network Server Ransomware attack
MultiCare Health System Healthcare Provider 179,189 Hacking/IT Incident Network Server Blackbaud ransomware attack
Imperium Health LLC Business Associate 139,114 Hacking/IT Incident Email Phishing attack
University of Florida Health Healthcare Provider 135,959 Hacking/IT Incident Network Server Blackbaud ransomware attack
Utah Pathology Services, Inc. Healthcare Provider 112,124 Hacking/IT Incident Email Phishing attack
Dynasplint Systems, Inc. Healthcare Provider 102,800 Hacking/IT Incident Network Server Ransomware attack
Main Line Health Healthcare Provider 60,595 Hacking/IT Incident Network Server Blackbaud ransomware attack
Northwestern Memorial HealthCare Healthcare Provider 55,983 Hacking/IT Incident Network Server Blackbaud ransomware attack
Richard J. Caron Foundation Healthcare Provider 22,718 Hacking/IT Incident Network Server Blackbaud ransomware attack
UT Southwestern Medical Center Healthcare Provider 15,958 Unauthorized Access/Disclosure Other Unconfirmed
City of Lafayette Fire Department Healthcare Provider 15,000 Hacking/IT Incident Network Server Ransomware attack
Hamilton Health Center, Inc. Healthcare Provider 10,393 Unauthorized Access/Disclosure Email Misdirected Email

 

Causes of August 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, with the 24 reported incidents making up 64.9% of the month’s data breaches. 2,127,070 records were compromised in those breaches, which is 98.15% of all records breached in August. The average breach size was 88,628 records and the median breach size was 11,550 records.

There were 8 unauthorized/access disclosure incidents involving 32,205 records. The average breach size was 4,026 records and the median breach size was 992 records. There were 5 loss (2) and theft (3) incidents reported. The average breach size was 1,581 records and the median breach size was 1,768 records.

While phishing attacks usually dominate the healthcare data breach reports, in August, attacks on network servers were more common. The increase in network server attacks is largely due to ransomware attacks, notably, an attack on Blackbaud, a business associate of many healthcare organizations in the United States. Blackbaud offers a range of services to healthcare providers, including patient engagement and digital data storage related to donors and philanthropy.

Between February 7, 2020 and May 20, 2020, hackers had access to Blackbaud’s systems and obtained backups of several of its clients’ databases before deploying ransomware. Blackbaud paid the ransom to ensure data stolen in the attack were destroyed.

Only a small percentage of its clients were affected by the attack, but so far at least 52 healthcare organizations have confirmed that their donor data were compromised in the attack. We have data for 17 of those attacks and so far, more than 3 million individuals are known to have been affected. That number is likely to grow significantly over the next few weeks now the deadline for reporting the breach is approaching.

There were also two major phishing incidents reported in August. Imperium Health suffered an attack in which the records of 139, 114 individuals were potentially compromised, and Utah Pathology Services suffered an attack involving the records of 112,124 individuals.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 24 data breaches reported in August. Three breaches were reported by health plans and five breaches were reported by business associates; however, a further 9 breaches had some business associate involvement.

States Affected by August 2020 Data Breaches

Data breaches were reported by entities in 24 states in August. Pennsylvania was the worst affected state with 6 breaches of 500 or more healthcare records, followed by Kentucky with 4, Texas with 3, and Arizona, Ohio, and Washington with 2.  One breach was reported in each of Arkansas, California, Colorado, Connecticut, Florida, Iowa, Idaho, Illinois, Indiana, Maryland, Maine, Michigan, Missouri, New York, Oklahoma, South Carolina, Utah, and Wisconsin.

HIPAA Enforcement Activity in August 2020

There were no HIPAA enforcement actions announced in August by either the HHS Office for Civil Rights or state attorneys general.

The post August 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Senators Demand Answers from VA on 46,000-Record Data Breach

Posted by HIPAA Journal

On September 14, 2020, the U.S. Department of Veteran Affairs announced it had suffered a data breach that had impacted 46,000 veterans. Several Senate Democrats are now demanding answers from the VA on the breach and the cybersecurity measures the VA has put in place to prevent data breaches.

Hackers gained access to an application used by the VA’s Financial Services Center to send payments to community healthcare providers to pay for veterans’ medical care. Six payments intended for community care providers were redirected to bank accounts under the control of the hackers and veterans’ data in the system was exposed and potentially stolen.

When the breach was discovered, the application was taken offline and will remain down until a full review has been conducted by the VA’s Office of Information and Technology. Affected veterans have been offered complimentary credit monitoring services and the VA is currently working on compensating the community care providers whose payments were redirected.

Officials at the VA Office of Information and Technology told Senate and House veterans’ affairs committees that approximately 17,000 community care providers were affected by the breach, although the VA has now said that while 17,000 community care providers use the application, only 13 were affected.

In a letter to VA Secretary Robert Wilkie, Sens John Tester, Patty Murray, Sherrod Brown, Richard Blumenthal, Mazie K. Hirono, Joe Manchin III, Kyrsten Sinema, Margaret Wood Hassan, and Jeanne Shaheen expressed “serious concerns” about the ability of the VA to protect veterans’ and community care providers’ data and called for the VA to provide assurances that the department is capable of safeguarding personal and financial data.

“Based on information currently available, it appears this cybersecurity incident was carried out by those able to find weaknesses in the way VA authenticates community care health care providers using VCAs and processes payments for their services,” said the Senators.

“This incident raises numerous concerns not just for this incident, but more broadly with how VA is approaching protecting the PII and other important data within its vast data systems and networks,” wrote the Senators. “This is not a new vulnerability for VA. Rather, it is a long-standing weakness of the Department as identified by independent reviews conducted by the VA OIG and the Government Accountability Office (GAO) for more than 10 years.”

The Senators reference two GAO reports from June 2019 and July 2019 that make several recommendations for agencies on cybersecurity, risk management and data protection, including recommendations specifically for the VA. They have called for the VA to provide information on the current status of the VA’s efforts to implement those recommendations.

The Senators have called for the VA to provide a state-level breakdown of all impacted community care providers and to provide information on the steps that have been taken to assure community care providers and veterans that their personal and financial data will be secure. The Senators want to know who discovered the breach – whether it was the VA or the VA Office of Inspector General. They also requested information on the systems used by the VA Financial Services Center.

The Senators also raised concern that the VA is in a reactive posture waiting for cybersecurity vulnerabilities to arise and want to know what proactive assessments have been conducted to identify vulnerabilities, the frequency of those assessments, and what steps the VA will take to ensure greater oversight of business rules and IT and cybersecurity processes to ensure vulnerabilities are identified and addressed before they are exploited.

“This most recent data breach is unacceptable. It also exposes the fact that VA has not taken the necessary steps to ensure oversight, accountability, and security of the vast financial, health, and other personal data it collects and processes to perform its critical services for America’s veterans,” wrote the Senators. “It is imperative VA take aggressive and decisive action to address this current incident and lay out a strategy to prevent such problems from arising in the future.”

The post Senators Demand Answers from VA on 46,000-Record Data Breach appeared first on HIPAA Journal.

Privacy Risks Found on Almost All Websites Offering COVID-19 Information

Posted by HIPAA Journal

A recent study published in JAMA found almost all websites offering information on COVID-19 have third-party tracking code that poses a privacy risk. Many web pages include tracking code that collects information about website visitors and transfers the data to third parties. Code is loaded on websites that initiates a data transfer that often includes details of the URLs that have been visited and the user’s IP address.  Other information may also be collected, and that information allows detailed profiles to be built up on people’s browsing habits and interests. Since IP addresses are collected, that information can easily be tied to a specific individual.

Researchers at the University of Pennsylvania Perelman School of Medicine and Carnegie Mellon University’s School of Computer Science had previously conducted a study of 1 million web pages, including health-related websites, and found that 91% of those websites included a third party data request and 70% had third-party cookies.

The researchers turned their attention to websites offering information on COVID-19, such sites offering symptom checkers, tips to avoid getting infected, post-infection care, and help finding testing sites. The researchers used Google Trends to find the top 25 search queries related to COVID and coronavirus on May 15, 2020. Searches were performed on Google to identify the top 20 URLs for non-personalized searches based on the top 25 search queries.

The researchers used a tool called webXray, which detects third-party tracking code on websites, data requests from third party domains, and cookies. 538 websites were analyzed for the study.

The researchers found that 535 of the 538 websites (99.44%) included third-party data requests and 477 (89%) included third-party cookies. The data requests and cookies did not vary by the type of website, and even government and academic websites, which visitors may expect to have greater privacy protections, also had tracking code and cookies.

“Compared with commercial web pages, third-party cookies were slightly less common, although still highly prevalent, among government and academic web pages,” explained the researchers. “However, the median numbers of third-party data requests and third-party cookies per page were both higher on commercial web pages (77 requests; 130 cookies) than on government (8 requests; 4 cookies), nonprofit (16 requests; 7 cookies), or academic (14 requests; 10 cookies) web pages.”

The researchers suggest decision makers at institutions may not be aware that third-party tracking code transmits data to third parties as it is usually only installed to monitor web traffic.

The researchers point out that there were two limitations to the study. Firstly, the tool used to check for third-party tracking only checked for two mechanisms of tracking and there are others, some of which have been developed to evade automatic capture. The number of websites that have third-party tracking is therefore likely to have been underestimated. Also, since the study was limited to the top 20 search results, the findings may not apply to web pages that appear lower in the search engine listings.

“Amid debate and legislative activity focused on the privacy implications of COVID-19 contact-tracing apps, these findings suggest that attention should also be paid to privacy risks of online information seeking,” warned the researchers.

The post Privacy Risks Found on Almost All Websites Offering COVID-19 Information appeared first on HIPAA Journal.

Poll Shows Consumers Unaware of the Extent Health Insurers Gather and Use Consumer-Generated Data

Posted by HIPAA Journal

Health insurers are collecting online data about consumers and using the information to predict an individual’s likely healthcare costs. Consumer-generated data are collected and used to create profiles, which could be used to determine appropriate premiums.

Consumer-generated data is distinct from protected health information (PHI) and relates to an individual’s lifestyle, interests and behavior and come from many different public and private sources. Health insurers may scour online sources for information or obtain data from data brokers. Some data brokers are actively marketing their data to insurers and claim the information includes social determinants of health, such as online shopping habits, memberships to organizations, TV streaming habits, and information posted to social media networks. Data are amalgamated and algorithms can be used to predict the likely cost of providing insurance.

The collection and analysis of consumer-generated data by health insurers and their business associates was highlighted by ProPublica in 2018, but the public is largely unaware of the extent to which information is being collected and used.

MITRE recently commissioned a Harris Poll to explore attitudes to the use of consumer-generated data. The Harris Poll was conducted in June 2020 on 2,065 adults in the United States.

The Harris Poll revealed consumers are largely unaware of the extent to which their information is being collected and used, and the types of information that health insurers and employers may know about individuals. 89% of respondents believed health insurers are not aware of their online spending and streaming habits, when this information is being collected and used.

The use of personal data by employers and health insurers is considered to be acceptable to a majority of the respondents, albeit only for certain purposes. 60% of respondents thought it acceptable for their insurance company to use personal data to design health promotion activities, with 54% believing it acceptable for their employer to do the same. However, two thirds of respondents said it was not acceptable for an employer or health insurer to gather or purchase outside information about employees or health plan members.

“These results reinforce that a significant gap exists between what we believe our insurance companies and employers know about us personally, and what they actually do,” said Erin Williams, executive director and division director for Biomedical Innovation at MITRE. “Americans need more education about the ways third parties are accessing and using their consumer-generated data. But it really shows that companies have an obligation to be more transparent about what data they are collecting from third parties.”

There is broad acceptance that in today’s world there is no such thing as digital privacy, with 77% of respondents saying data privacy doesn’t exist. Respondents to the Harris Poll said they were willing to provide their personal information if they receive something in return, such as improving safety (65%) or for convenience (48%).

While 70% of respondents believe there is an obligation to share personal health information to stop the spread of disease, the same respondents appeared to be reluctant to share they personal data for that purpose. When asked if personal information would be shared with a national database to help stop the spread of COVID-19, only 44% of respondents said they would share their personal information. 36% said they would share their temperature data, 29% would share their location, and only a quarter would share information about chronic illnesses.

When it comes to sharing information, there is distrust of social media networks. 59% of respondents said they would feel uncomfortable with sharing any PHI with a social media network directly, although consumers may still share health information via those networks.

“Organizations may have benevolent intentions—such data can be used in productive ways that ultimately benefit consumers’ health—but consumers can potentially be harmed if this data is used inappropriately or unethically,” explained MITRE.

MITRE has developed an Ethical Framework for the Use of Consumer-Generated Data in Health Care which establishes ethical values, principles, and guidelines to guide the use of consumer-generated data for healthcare purposes.

The framework is intended to guide organizations looking to establish policies promoting the ethical use of consumer-generated data for healthcare purposes and to motivate organizations to discuss the ethical implications of using machine learning systems to analyze consumer-generated data and develop appropriate governance processes to facilitate the ethical use of those systems.

The framework can be downloaded from MITRE on this link.

The post Poll Shows Consumers Unaware of the Extent Health Insurers Gather and Use Consumer-Generated Data appeared first on HIPAA Journal.

Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats

Posted by HIPAA Journal

September 2020 is the second annual National Insider Threat Awareness Month (NITAM). Throughout the month, resources are being made available to emphasize the importance of detecting, deterring, and reporting insider threats.

NITAM is a collaborative effort between several U.S. government agencies including the National Counterintelligence and Security Center (NCSC), Office of the Under Secretary of Defense Intelligence and Security (USD(I&S)), National Insider Threat Task Force (NITTF), Department of Homeland Security (DHS), and the Defense Counterintelligence and Security Agency (DCSA). NITAM was devised last year to raise awareness of the risks posed by insiders and to encourage organizations to take action to manage those risks.

Security teams often concentrate on protecting their networks, data, and resources from hackers and other external threat actors, but it is also important to protect against insider threats. An insider is an individual within an organization who has been granted access to hardware, software, data, or knowledge about an organization. Insiders include current and former employees, contractors, interns, and other individuals who have been given access to data or systems. Those trusted insiders could accidentally or deliberately take actions which are disruptive to the business. Those actions could cause damage to company facilities, systems, or equipment, result in financial harm, or expose or disclose intellectual property and sensitive data.

To combat insider threats, organizations need to establish an insider threat mitigation program to detect, deter, and respond to threats from malicious and unintentional insiders. The program should protect critical assets against unauthorized access and malicious acts, and the workforce should be trained how to identify insider threats and conditioned to report any suspicious behavior or activities. The program should also involve the collection and analysis of information to help identify and mitigate insider threats quickly.

The SARS-CoV-2 pandemic has created a new set of challenges. The changes made by organizations in response to the pandemic, such as the expansion of remote working to include the entire workforce, has increased the risk of espionage, unauthorized disclosures, fraud, and data theft. It is more important than ever for organizations to have an effective insider threat mitigation program.

The main focus of NITAM 2020 is improving resilience to insider threats. This can be achieved by improving awareness through education of the workforce, using the resources made available in September to learn how to detect and mitigate the actions of insider threats, and to improve protection against those threats.

The DHS Cybersecurity and Infrastructure Security Agency (CISA) is helping to raise awareness of insider threats and has published resources that can be used by healthcare organizations to improve organizational resilience and mitigate risks posed by insider threats. Games, videos, graphics, posters, and case studies to promote NITAM are available here.

The post Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats appeared first on HIPAA Journal.

Feedback Sought on Draft Consumer Privacy Framework for Health Data Not Covered by HIPAA

Posted by HIPAA Journal

The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) recently released a draft consumer privacy framework for health data to address gaps in legal protections for the health data of consumers that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA Rules require healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of health data. There are restrictions on uses and disclosures of healthcare data and Americans are also given rights over how their protected health information is used, to whom that information may be disclosed, and they have the right to access their health data.

Many organizations collect, use, store, and transmit many of the data elements within the category of ‘protected health information’, yet if they are not HIPAA-covered entities or business associates of HIPAA-covered entities, HIPAA Rules will not apply.

The eHI/CDT Consumer Privacy Framework for Health Data is a voluntary, self-regulatory program “designed to hold member companies to a set of standards separately developed through a multistakeholder process” and covers consumer health data not covered by HIPAA.

The framework includes a definition of the health data which must be protected as well as the standards and rules to protect that information. The framework places limits on the amount of data collected, how health data can be used, and includes a model for holding companies accountable for data collected, used, and disclosed.

The framework requires companies to obtain affirmative express consent to collect, use, or disclose consumer health data and prohibits companies from using consumer health data for any purpose other than the reason for which the information was requested, and for which consumers gave their consent.

Notice must be provided about the information collected, used or disclosed, the purpose for data collection must be clearly stated, and if there will be any disclosures, to whom disclosures will be made. The framework also prohibits the use of consumer health information for causing harm or discrimination against an individual.

Like HIPAA, the framework calls for limits to be placed on the health information collected, disclosed or used, which should be restricted to the minimum necessary amount to achieve the purpose for which it has been collected.

The framework gives consumers rights with respect to their consumer data, including the right to access the information collected, check health information for errors, have errors collected, and have health information deleted. If technically feasible, consumers should be able to have their data transferred to another participating entity. The framework also calls for participating entities to establish and implement reasonable security policies, practices, and procedures to ensure consumer health information is protected.

eHI/CDT are seeking constructive public feedback on the Consumer Privacy Framework for Health Data. Comments will be accepted until Friday, September 25, 2020.

The post Feedback Sought on Draft Consumer Privacy Framework for Health Data Not Covered by HIPAA appeared first on HIPAA Journal.