Healthcare Data Privacy

House of Representatives Votes to Remove Ban on HHS Funding a National Patient Identifier System

The House of Representatives has voted to lift the ban on the Department of Health and Human Services using federal funds to develop a national patient identifier system.

The Health Insurance Portability and Accountability Act (HIPAA) called for the development of a national patient identifier system. As the name suggests, a national patient identifier system would see each person in the United States issued with a permanent, unique identification number, similar to a Social Security number, that would allow each patient to be identified across the entire healthcare system in the United States. If a patient from California visited an emergency room in New York, the patient identifier could be used to instantly identify the patient, allowing the healthcare provider to access their medical history. Currently, the lack of such an identifier makes matching patients with their medical records complicated, which increases the potential for misidentification of a patient.

The extent to which records are mismatched has been shown in multiple studies. For instance, in 2012, a study conducted by the College of Healthcare Information Management Executives (CHIME) found that 20% of its members could trace an adverse medical event to the mismatching of patient records. In 2014, the Office of the National Coordinator for Health Information Technology (ONC) found that 7 out of every 100 patient records were mismatched. Between 50% and 60% of records are mismatched when shared between different healthcare providers. A study conducted by the Ponemon Institute suggested 35% of all denied claims are due to inaccurately matched records or incomplete patient information, which costs the healthcare industry around $1.2 million each year.

It has been 24 years since HIPAA was signed into law, yet there is still no national patient identifier system. A ban was implemented in 1999 preventing the Department of Health and Human Services from funding the development of such a system out of privacy concerns. The ban has remained in place ever since.

Attempts have been made to lift the ban, notably by Reps. Bill Foster (D-IL) and Mike Kelly (R-PA). Last year, their efforts were partially successful, as the House of Representatives voted to remove the ban, only for the Senate to reject the House provision by not including the language removing the ban in the fiscal year 2020 funding bill for the HHS.

On July 30, 2020, the House approved the Foster-Kelly amendment to the House fiscal year 2021 appropriations bill covering the Departments of Labor, Health and Human Services, and Education. If the Foster-Kelly amendment is included in the Senate fiscal year 2021 funding bill, the HHS will be free to evaluate a range of solutions and find one which is cost-effective, scalable and secure.

Proponents of lifting the ban claim a national patient identifier would increase patient safety and would help with the secure exchange of healthcare information. While support for a national patient identifier is growing, not everyone believes such a system is wise. Opponents to the lifting of the ban believe a national patient identifier would create major privacy risks. The Citizens’ Council for Health Freedom said a national patient identifier “would combine all of your private information, creating a master key that would open the door to every American’s medical, financial and other private data.”

While there are concerns about privacy, the benefits of introducing such a system have been highlighted during the COVID-19 pandemic. Temporary healthcare facilities and testing sites have been set up and laboratories are now processing huge numbers of COVID-19 tests. There have been many reports of healthcare facilities struggling to correctly identify patients and laboratories have found it difficult to match test results with the right patients due to the lack of complete demographic data.

“The coronavirus pandemic continues to demonstrate the importance of accurately identifying patients and matching them to their medical records. Today marks another milestone in keeping patients safe with the passage of the Foster-Kelly Amendment in the House, bringing us closer to a national patient identification solution,” said Russ Branzell, CHIME CEO.

“Removing this archaic ban is more important than ever as we face the COVID-19 pandemic,” said Rep. Bill Foster. “Our ability to accurately identify patients across the care continuum is critical to addressing this public health emergency, and removing this ban will alleviate difficult and avoidable operational issues, which will save money and, most importantly, save lives.”

The post House of Representatives Votes to Remove Ban on HHS Funding a National Patient Identifier System appeared first on HIPAA Journal.

HHS Adopts Changes to 42 CFR Part 2 Regulations to Improve Care Coordination

The Confidentiality of Substance Use Disorder Patient Records regulations (42 CFR Part 2) have been revised by the Department of Health and Human Services’ Substance Abuse and Mental Health Services Administration (SAMHSA).

The 42 CFR Part 2 regulations, first promulgated in 1975, were written at a time when there was great concern that information relating to substance use disorder could be used against an individual. The main purpose of 42 CFR Part 2 was to ensure that a person who seeks help and receives treatment for substance use disorder is not placed at any greater risk or is made more vulnerable than a person who does not seek treatment. Under the 42 CFR Part 2 regulations, before information relating to a substance use disorder treatment program can be shared, consent must be obtained from the patient in writing, except in limited circumstances.

42 CFR Part 2 was important at the time and remains so, but a lot has changed since 42 CFR Part 2 took effect. Many healthcare providers find the regulations burdensome; they can hamper care coordination and can put a patient’s safety at risk.

42 CFR Part 2 protects the privacy of patients, but the regulations often discourage primary care providers from providing care to SUD patients or recording SUD information. In some cases, physicians are required to fill out 11 different kinds of paperwork related to 42 CFR Part 2 and the treatment of SUD records is itself stigmatizing.

Many healthcare industry stakeholders have called for 42 CFR Part 2 regulations to be updated and aligned with HIPAA, which also serves to protect the privacy of patients and ensure the confidentiality of healthcare data.

In 2019, the HHS proposed changes to 42 CFR Part 2 regulations to support care coordination while improving privacy protections for SUD patients. After seeking comment from stakeholders, some of the proposed changes have now been adopted.

The updates do not change the basic framework for the protection of SUD records created by federally funded treatment programs, and restrictions are still in place to prevent the use of SUD patient records in criminal prosecution against the patient. Written consent is still required from a patient before their SUD records can be shared, except in very limited circumstances. Records can only be shared without consent if a court order is received, in a genuine medical emergency, or for the purpose of scientific research, audits, and SUD program evaluations.

The changes align 42 CFR Part 2 more closely with HIPAA and are intended to make it easier for healthcare providers to share SUD records if consent has been obtained from a patient. The changes will help to improve patient safety, support better care coordination, improve claims management and training, and ensure quality improvement, while reducing the burden on healthcare providers.

“This reform will help make it easier for Americans to discuss substance use disorders with their doctors, seek treatment, and find the road to recovery,” said HHS Secretary Alex Azar in a statement. “Thanks to the valuable input of stakeholders, our final rule will make it easier for Americans to seek and receive treatment while lifting burdens on providers and maintaining important privacy protections.”

Information about the changes and why they have been made is detailed in an HHS fact sheet. The key changes to the 42 CFR Part 2 regulations are detailed below:

  • Treatment records created by non-Part 2 providers based on their own patient encounter(s) are explicitly not covered by Part 2, unless any SUD records previously received from a Part 2 program are incorporated into such records. Segmentation or holding a part of any Part 2 patient record previously received can be used to ensure that new records created by non-Part 2 providers will not become subject to Part 2.
  • When an SUD patient sends an incidental message to the personal device of an employee of a Part 2 program, the employee will be able to fulfill the Part 2 requirement for “sanitizing” the device by deleting that message.
  • An SUD patient may consent to disclosure of the patient’s Part 2 treatment records to an entity (e.g., the Social Security Administration), without naming a specific person as the recipient for the disclosure.
  • Disclosures for the purpose of “payment and health care operations” are permitted with written consent, in connection with an illustrative list of 18 activities that constitute payment and health care operations now specified under the regulatory provision.
  • Non-OTP (opioid treatment program) and non-central registry treating providers are now eligible to query a central registry, in order to determine whether their patients are already receiving opioid treatment through a member program.
  • OTPs are permitted to enroll in a state prescription drug monitoring program (PDMP), and permitted to report data into the PDMP when prescribing or dispensing medications on Schedules II to V, consistent with applicable state law.


University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack

University of California San Francisco has paid a $1.14 million ransom to the operators of NetWalker ransomware to resolve an attack that saw data on servers within the School of Medicine encrypted. The attack occurred on June 1, 2020. UCSF isolated the affected servers, but not in time to prevent file encryption.

UCSF School of Medicine is engaged in research to find a cure for COVID-19 and the university is heavily involved in antibody testing. The ransomware attack did not impede the work being conducted on COVID-19, patient care delivery operations were not affected, and UCSF does not believe the attackers gained access to patient data, although some files were stolen in the attack.

The encrypted data was essential to research being conducted by the university, and since it was not possible to recover files from backups, UCSF had little option other than to negotiate with the attackers. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained,” explained UCSF.

The BBC received an anonymous tip-off about a live chat on the dark web between the negotiators and the NetWalker ransomware operators and followed the negotiations. According to the report, a sample of data stolen in the attack was posted online by the attackers, but after UCSF made contact via email the data was taken offline while the ransom was negotiated. Initially, a ransom payment of $780,000 was offered by UCSF, but the NetWalker gang demanded a payment of $3 million. A payment of 116.4 Bitcoin – $1,140,895 – was finally negotiated a day later.

The investigation into the ransomware attack indicates that neither UCSF nor the School of Medicine were targeted in the attack. “Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted,” explained UCSF on its website. UCSF reported the attack to the FBI and is assisting with the investigation.

UCSF was one of three universities in the United States to be attacked with NetWalker ransomware in the space of a week in early June. Attacks were also conducted on Columbia College Chicago and Michigan State University. Data stolen in the attack on Columbia College has now been removed from the NetWalker website, which suggests the college also paid the ransom.


May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.

Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has changed little during the pandemic.

Threat activity does not appear to have dropped, so the fall in reported cyberattacks and data breaches could indicate that threat actors have taken the decision not to attack healthcare providers on the front line in the fight against COVID-19. The Maze ransomware gang publicly stated that it would not target healthcare providers during the COVID-19 pandemic, but many other ransomware gangs appear to have stepped up their attacks and are making no such concessions.

It is also possible that rather than cyberattacks and data breaches falling, covered entities and business associates have not been detecting breaches or have delayed reporting. The reason for the fall in reported breaches is likely to become clearer over the coming weeks and months and we will see if this is part of a new trend or if the drop is simply a blip.

While it is certainly good news that the number of breaches has fallen, there was a significant increase in the number of exposed and compromised healthcare records. There were 10 fewer data breaches reported in May 2020 than April, but 1,064,652 healthcare records were breached in May. That is more than twice the number of records breached in April.

Largest Healthcare Data Breaches in May 2020

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Elkhart Emergency Physicians, Inc. | IN | Healthcare Provider | 550,000 | Improper Disposal |
| BJC Health System | MO | Business Associate | 287,876 | Hacking/IT Incident |
| Saint Francis Healthcare Partners | CT | Business Associate | 38,529 | Hacking/IT Incident |
| Everett & Hurite Ophthalmic Association | PA | Healthcare Provider | 34,113 | Hacking/IT Incident |
| Management and Network Services, LLC | OH | Business Associate | 30,132 | Hacking/IT Incident |
| Sanitas Dental Management | FL | Healthcare Provider | 19,000 | Loss |
| Mediclaim, LLC | MI | Business Associate | 14,931 | Hacking/IT Incident |
| Woodlawn Dental Center | OH | Healthcare Provider | 14,419 | Hacking/IT Incident |
| Mat-Su Surgical Associates, APC | AK | Healthcare Provider | 13,146 | Hacking/IT Incident |
| Mille Lacs Health System | MN | Healthcare Provider | 10,630 | Hacking/IT Incident |

Causes of May 2020 Healthcare Data Breaches

The largest healthcare data breach of the month affected Elkhart Emergency Physicians, Inc. and involved the improper disposal of paper records by business associate Central Files Inc. Elkhart Emergency Physicians was one of seven Indiana healthcare providers to be affected by the breach. In total, the records of 554,876 patients were exposed as a result of that improper disposal incident. There was one other improper disposal incident reported in May, making this the joint second biggest cause of data breaches in the month. Those improper disposal incidents accounted for 52.17% of breached records in May. The mean breach size was 69,434 records and the median breach size was 938 records.

There were 8 unauthorized access/disclosure incidents reported, although those breaches only accounted for 2.35% of breached records in May. The mean breach size was 3,124 records and the median breach size was 3,220 records.

Hacking/IT incidents once again topped the list as the main cause of healthcare data breaches, accounting for 39.28% of the month’s breaches and 43.69% of breached records in May. The mean breach size was 42,290 records and the median breach size was 14,419 records.

There was one loss incident involving a network server that contained the records of 19,000 patients. There were no reports of theft of physical records or devices containing electronic protected health information.

The graph below shows the location of breached protected health information. For the past several months, email has been the most common location of breached PHI due to the high number of healthcare phishing attacks. The number of reported phishing attacks dropped in May, hence the lower than average number of email-related breaches. While the number of incidents fell, there was one major phishing attack reported. An attack on BJC Health System saw 3 email accounts compromised. Those accounts included emails and attachments containing the PHI of 287,876 patients.

May 2020 Healthcare Data Breaches by Covered Entity Type

In line with virtually every other month since the HITECH Act mandated the HHS’ Office for Civil Rights to start publishing summaries of data breaches on its ‘Wall of Shame’, healthcare providers were hardest hit, with 21 reported data breaches. It was a good month for health plans, with only one reported breach, but a particularly bad month for business associates. 6 business associates reported data breaches in May, and a further 8 breaches involved business associates but were reported by the covered entity.

Healthcare Data Breaches by State

Data breaches were reported by covered entities and business associates in 17 states in May. Indiana was the worst affected state with 7 reported breaches of 500 or more records, all of which were due to the improper disposal of records by business associate, Central Files, Inc.

There were 3 data breaches reported in each of Michigan and Ohio, two breaches reported by healthcare providers in Pennsylvania, and one breach was reported in each of Alaska, Arizona, California, Connecticut, Florida, Georgia, Illinois, Maryland, Minnesota, Missouri, Nebraska, New York, and Texas.

HIPAA Enforcement Activity in May 2020

There were no announcements about HIPAA penalties from the HHS’ Office for Civil Rights or state attorneys general in May 2020.


NAAG Urges Apple and Google to Take Further Steps to Protect Privacy of Users of COVID-19 Contact Tracing Apps

On June 16, 2020, The National Association of Attorneys General (NAAG) wrote to Google and Apple to express concern about consumer privacy related to COVID-19 contact tracing and exposure notification apps. NAAG has made recommendations to help protect the personally identifiable information and sensitive health data of the millions of consumers who will be urged to download the apps to help control COVID-19.

“Digital contact tracing may provide a valuable tool to understand the spread of COVID-19 and assist the public health response to the pandemic,” explained the state AGs in the letter. “However, such technology also poses a risk to consumers’ personally identifiable information, including sensitive health information, that could continue long after the present public health emergency ends.”

Privacy protections are essential for ensuring that users of the apps do not have sensitive data exposed or used for purposes other than helping to control the spread of COVID-19. Without privacy protections, consumers will simply not download the apps, which will decrease their effectiveness. A study conducted by the University of Oxford suggests that in order for the aims of the apps to be achieved, there needs to be uptake of around 60% of a population. If consumers feel their privacy is at risk, that figure will not be achieved.

Current perceptions about the privacy protections of COVID-19 contact tracing apps were explored in a recent survey of 2,005 individuals in the United States conducted on behalf of the antivirus firm Avira. 71% of respondents said they do not plan to use the apps when they are made available. 44% were concerned about digital privacy, 39% said the apps provided a false sense of security, 37% said they did not think the apps would work, and 35% do not trust app providers.

The survey revealed most consumers do not trust Apple and Google to protect the data collected by the apps. Only 32% of respondents said they trusted the companies to protect their sensitive data, even though both companies have taken steps to implement privacy and security controls. There is even less trust in the government. Only 14% of respondents said they would trust contact tracing apps provided directly from the government. 75% of Americans said they believe their digital privacy would be placed at risk if COVID-19 contact tracing data was stored in a way that government and authorities could access the data.

In the letter, which was signed by 39 state attorneys general, concern was raised about the proliferation of contact tracing apps in the Google Play and Apple App Store. These apps are typically free to download and use and offer in-app adverts to generate revenue. Rather than using Google and Apple’s API and Bluetooth for identifying potential exposure, the apps rely on GPS tracking.

The state AGs also expressed concern that as more public health authorities start releasing contact tracing apps that use the Google and Apple API, it is likely many more developers will start releasing apps, and those apps may not incorporate the necessary privacy and security controls to comply with states’ laws.

Google and Apple were praised for the steps they have taken so far to ensure consumer privacy is protected but have been urged to go further. NAAG has requested any contact tracing app that is labeled or marketed as related to COVID-19 must be affiliated with either a municipal, county, state, or federal public health authority, or a hospital or university in the U.S. that is working with such public health authorities.

NAAG also called for Google and Apple to guarantee that all COVID-19 contact tracing apps will be removed from Google Play and the Apple App Store if they are not affiliated with the above entities, and for Google and Apple to pledge that all COVID-19 apps will be removed from Google Play and the App Store when the COVID-19 national public health emergency ends.


Software Glitch in Telehealth App Allowed Patients to View Videos of Other Patients’ Appointments

A UK-based chatbot and telehealth startup has suffered an embarrassing privacy breach this week. Babylon Health has developed a telehealth app that can be used by general practitioners for virtual appointments with patients. The app allows users to book appointments with their GP, use an AI-based chatbot for triage, and have voice and video calls with their doctor through the app.

On June 9, 2020, a patient used the app to check his prescription and found 50 videos of other patients’ appointments in the consultation replays section of the app. The files contained video replays of consultations between doctors and patients, exposing confidential and, potentially, extremely sensitive information.

The patient took to Twitter to announce the discovery, stating: “Why have I got access to other patients’ video consultations through your app? This is a massive data breach. Over 50 video recordings are on this list!”

According to a statement released by Babylon Health, the issue was due to a glitch in the software rather than a malicious attack. Babylon Health said it discovered the error shortly before the patient disclosed the breach on Twitter and said the issue was resolved within a couple of hours.

The investigation revealed three patients were able to access video footage of other patients, but in both of the other cases, the patients had not viewed any of the video replays. The error was only introduced in the UK version of the app and did not affect its international operations. The error was introduced when the app was updated to allow a patient to switch between audio and video while on a call with a physician.

Babylon Health has reported the breach to the UK Information Commissioner’s Office as required by the EU’s General Data Protection Regulation and will disclose full details about the data breach.

In this case the software error does not appear to have exposed many patients’ consultations, but it is a cause for concern given the highly sensitive nature of health information disclosed through the app. There are currently around 2.3 million users of the app in the UK, so the breach could potentially have been far worse.

There has been a major expansion of telehealth services in the United States as a result of the COVID-19 pandemic. The HHS’ Centers for Medicare and Medicaid Services (CMS) expanded coverage for reimbursable telehealth services during the COVID-19 pandemic and the HHS’ Office for Civil Rights (OCR) issued a notice of enforcement discretion covering telehealth services, allowing healthcare providers to use communications solutions which may not be fully HIPAA compliant.

Given the increase in telehealth services, and the wide range of apps being used to provide telehealth services, this could well be just the first of several privacy breaches involving telehealth services this year.

While financial penalties may not be issued over privacy and security issues related to the good faith provision of telehealth services during the COVID-19 public health emergency, care should still be taken choosing a telehealth solution. Many video conferencing apps have not been developed with sufficient security protections to ensure patient information is properly protected, which places patient privacy at risk. As this incident shows, even purpose-built health apps are not immune to data leaks.

To ensure the privacy of patients is protected, all new technology should be subjected to a thorough security review. Now that the COVID-19 pandemic is under better control, it would be an ideal time to review any telehealth applications and other software that has been introduced to ensure appropriate protections are in place to protect patient privacy.

It is also worth considering making the change from consumer-grade apps that have been rapidly deployed during the COVID-19 pandemic to support telehealth to a purpose-built healthcare telehealth solution that is HIPAA compliant and incorporates comprehensive privacy and security controls.


Alert Issued by Feds to Raise Awareness of Scams Related to COVID-19 Economic Payments

A joint alert has been issued by the IRS, DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury to raise awareness of the risk of phishing and other cyberattacks related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

The CARES Act has made $2 trillion available to support businesses and individuals adversely affected by the COVID-19 pandemic, which will help to reduce the financial burden through economic impact payments to eligible Americans. CARES Act payments are being used as a lure in phishing attacks to obtain personal and financial information and attempts have been made to redirect CARES Act payments. All Americans have been urged to be on the lookout for criminal fraud related to the CARES Act and COVID-19.

The U.S. Government reports that many cybercriminal groups are using stimulus-themed lures in phishing emails and text messages to obtain sensitive information such as bank account information. Financial institutions have been asked to remind their customers to practice good cybersecurity hygiene and to monitor for illicit account use and creation.

Criminals are using CARES Act-themed emails and websites to obtain sensitive information, spread malware, and gain access to computer networks. “Themes for these scams might include economic stimulus, personal checks, loan and grant programs, or other subjects relevant to the CARES Act. These CARES Act related cybercriminal attempts could support a wide range of follow-on activities that would be harmful to the rollout of the CARES Act.”

Threat actors may seek to disrupt the operations of organizations responsible for implementing the CARES Act, including the use of ransomware to interrupt the flow of CARES Act funds and to extort money from victims. Federal, state, local and tribal agencies are being urged to review their payment, banking, and loan processing systems and ramp up security to prevent attacks.

Foreign threat actors have been discovered to be submitting fraudulent claims for COVID-19 relief funds, with one Nigerian business email compromise (BEC) gang known to have submitted more than 200 fraudulent claims for unemployment benefits and CARES Act payments. The gang, known as Scattered Canary, has been submitting multiple claims via state unemployment websites to obtain payments using data stolen in W-2 phishing attacks. The gang has submitted at least 174 fraudulent claims with the state of Washington and more than a dozen with the state of Massachusetts. At least 8 states have been targeted to date.

The U.S. Government has been distributing threat intelligence and cybersecurity best practices to help disrupt and deter criminal activity and the U.S. Secret Service is currently focussed on investigative operations to identify individuals exploiting the pandemic to ensure they are brought to justice and any proceeds of the crimes are recovered.

The IRS has reminded taxpayers that it does not initiate contact with taxpayers via email, text message, or social media channels to request personal and financial information such as bank account numbers, credit card information, and PINs. The IRS has warned Americans that copycat domains may be set up to obtain sensitive information and has advised them to carefully check any domain for transposed letters and mismatched SSL certificates. The only domains the IRS is using are www.irs.gov and the IRS-run site, https://www.freefilefillableforms.com/.
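One way to automate the domain check the alert recommends, as an added example that is not code from the IRS, CISA, the Treasury or HIPAA Journal: the two legitimate hosts come from the alert, while the one-edit threshold, the embedded-name rule and the sample URLs are my own assumptions. The certificate check the alert also mentions is not reproduced here because it needs a live connection.

```python
"""Lookalike-domain triage for the legitimate IRS hosts named in the alert.

Given a URL from a suspicious email or text, decide whether the host a
browser would really connect to is an IRS site, a near miss of one
(transposed, swapped, added or dropped letter), an IRS name buried inside
someone else's domain, or unrelated.  Added example, not IRS/CISA code.
"""
from urllib.parse import urlsplit

# Domains the alert says the IRS is actually using.
LEGITIMATE = ("irs.gov", "freefilefillableforms.com")

# Assumption: one edit (including one adjacent transposition) is close enough
# to call a lookalike.  Raising this catches more but also flags unrelated
# short names such as cms.gov (two edits from irs.gov).
MAX_EDITS = 1


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus adjacent
    transpositions, so 'ris.gov' vs 'irs.gov' costs 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def host_of(url: str) -> str:
    """Host the browser would connect to: userinfo tricks such as
    'https://www.irs.gov@203.0.113.5/' resolve to the part after '@',
    ports are dropped, case and a trailing dot are normalised."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable(host: str) -> str:
    """Last two labels; both legitimate IRS domains have exactly two."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> dict:
    """Return host, verdict (legitimate/lookalike/unrelated/invalid),
    the closest legitimate domain and the edit distance to it."""
    host = host_of(url)
    if not host:
        return {"host": host, "verdict": "invalid", "closest": None, "edits": None}
    for legit in LEGITIMATE:
        if host == legit or host.endswith("." + legit):
            return {"host": host, "verdict": "legitimate", "closest": legit, "edits": 0}
    reg = registrable(host)
    closest, edits = min(((l, osa_distance(reg, l)) for l in LEGITIMATE),
                         key=lambda pair: pair[1])
    if edits <= MAX_EDITS:
        verdict = "lookalike"      # e.g. ris.gov, irss.gov, 1rs.gov
    elif any(l in url.lower() for l in LEGITIMATE):
        verdict = "lookalike"      # IRS name present, but the real host is someone else
    else:
        verdict = "unrelated"
    return {"host": host, "verdict": verdict, "closest": closest, "edits": edits}


if __name__ == "__main__":
    # Constructed sample URLs (not taken from the alert).
    for sample in ("https://www.irs.gov/coronavirus",
                   "https://www.ris.gov/payment",
                   "https://www.irs.gov@203.0.113.5/refund",
                   "https://www.irs.gov.example.com/",
                   "https://www.cms.gov/"):
        print(classify(sample))
```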

All Americans have been advised to be vigilant and monitor their financial accounts for signs of fraudulent activity and to report any cases of phishing attacks and other scams to the appropriate authorities. They should also alert their employer if they feel they may have fallen for a scam and revealed sensitive information about their organization.

The alert, Avoid Scams Related To Economic Payments, COVID-19, can be viewed on this link.

The post Alert Issued by Feds to Raise Awareness of Scams Related to COVID-19 Economic Payments appeared first on HIPAA Journal.

April 2020 Healthcare Data Breach Report

There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month.

Healthcare data breaches by month (2019-2020)

While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month where the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached.

Healthcare records breached in the past 6 months

Largest Healthcare Data Breaches in April 2020


Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information
Beaumont Health | Healthcare Provider | 112,211 | Hacking/IT Incident | Email
Meridian Health Services Corp. | Healthcare Provider | 111,372 | Hacking/IT Incident | Email
Arizona Endocrinology Center | Healthcare Provider | 74,122 | Unauthorized Access/Disclosure | Electronic Medical Record
Advocate Aurora Health | Healthcare Provider | 27,137 | Hacking/IT Incident | Email, Network Server
Doctors Community Medical Center | Healthcare Provider | 18,481 | Hacking/IT Incident | Email
Andrews Braces | Healthcare Provider | 16,622 | Hacking/IT Incident | Network Server
UPMC Altoona Regional Health Services | Healthcare Provider | 13,911 | Hacking/IT Incident | Email
Colorado Department of Human Services, Office of Behavioral Health | Healthcare Provider | 8,132 | Unauthorized Access/Disclosure | Network Server
Agility Center Orthopedics | Healthcare Provider | 7,000 | Hacking/IT Incident | Email
Beacon Health Options, Inc. | Business Associate | 6,723 | Loss | Other Portable Electronic Device


Causes of Healthcare Data Breaches in April

As was the case in March, hacking and IT incidents were the leading cause of healthcare data breaches. Unauthorized access/disclosure incidents were the next most common cause, up 77.77% from the previous month.

333,838 records were compromised in the 18 reported hacking/IT incidents, which account for 75.37% of all records breached in April. The average breach size was 18,547 records and the median breach size was 4,631 records. There were 16 reported unauthorized access/disclosure incidents in April. The average breach size was 6,171 records and the median breach size was 1,122 records. In total, 98,737 records were breached across those 16 incidents.

There were two theft incidents reported in April, both involving portable electronic devices. The records of 3,645 individuals were stored on those devices. There was also one lost portable electronic device containing the records of 6,723 patients.

Causes of healthcare data breaches in April 2020

The bar chart below shows the location of breached protected health information. The chart shows email is by far the most common location of breached health information. 48.65% of all reported breaches in April involved PHI stored in emails and email attachments. The majority of those breaches were phishing attacks. Most healthcare data breaches involve electronic data, but one in five breaches involved PHI in paper files and charts.

Location of breached PHI in April 2020

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in April with 30 breaches reported. 4 health plans reported a breach in April, and three breaches were reported by business associates of HIPAA-covered entities. A further 8 breaches had some business associate involvement.

Healthcare Data Breaches by State

April’s data breaches were reported by covered entities and business associates in 22 states. Florida and Texas were the worst affected with 4 breaches each. There were three data breaches reported in Michigan and Pennsylvania, and two breaches affecting covered entities and business associates based in California, Connecticut, Minnesota, Missouri, and Wisconsin. One breach was reported by entities based in Arkansas, Arizona, Colorado, Delaware, Indiana, Massachusetts, Maryland, North Carolina, New Mexico, Nevada, Tennessee, Utah, and Washington.

HIPAA Enforcement Activity in April

There were no financial penalties imposed on covered entities or business associates by state Attorneys General or the HHS’ Office for Civil Rights in April.

The post April 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Republicans and Democrats Introduce Competing Bills Covering COVID-19 Contact Tracing Apps

Two privacy bills have been introduced relating to COVID-19 contact tracing apps that are now being considered by Congress. The competing bills, introduced by Republican and Democratic lawmakers, share some common ground and look to achieve similar aims.

The first bill, the COVID-19 Consumer Data Protection Act, was introduced by Republican senators Roger Wicker (R-Miss), John Thune (R-S.D), Jerry Moran, (R-Kan), and Marsha Blackburn (R-Tenn) last month “to protect the privacy of consumers’ personal health information, proximity data, device data, and geolocation data during the coronavirus public health crisis.”

The bill would make it illegal to collect personal health information, proximity data, device data, and geolocation data unless consumers are given notice of the purpose of the collection and give their consent to the collection, processing, and transfer of their data. The bill prohibits the collection, use, or transfer of data for any secondary purpose.

The allowed purposes for the collection, processing, and transfer of data are limited to tracking the spread, signs, and symptoms of COVID-19; measuring compliance with social distancing guidelines and other COVID-19 related requirements imposed on individuals; and COVID-19 contact tracing.

The bill also requires companies to allow individuals to opt out; to publish transparency reports describing their data collection activities; to meet data minimization and data security requirements; to define what constitutes aggregate and de-identified data, so that companies adopt specific technical and legal safeguards against re-identification; and to delete collected data when the COVID-19 public health emergency is over.

According to Senator Thune, “This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”

The Democratic bill, the Public Health Emergency Privacy Act, was introduced by Representatives Anna G. Eshoo (D-Calif), Jan Schakowsky (D-Ill), and Suzan DelBene (D-Wash), and Senators Richard Blumenthal (D-Conn) and Mark Warner (D-Va). The aim of the bill is to ensure transparency over the health and location data collected by contact-tracing apps and to give Americans control over the collection and use of their data. The bill also ensures that businesses can be held to account by consumers if their data is used for any activity other than the fight against COVID-19.

The bill requires health data to only be used for public health purposes; prohibits the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising or to gate access to employment, finance, insurance, housing, or education opportunities; prevents misuse of data by government agencies that have no role in public health; ensures meaningful data security and data integrity protections are implemented; prohibits conditioning the right to vote based on a medical condition or use of contact tracing apps; and requires reports to be regularly produced on the impact of digital collection tools on civil rights.

The bill requires that the public be given control over participation in contact tracing through opt-in consent, and that there be meaningful transparency and robust private and public enforcement. The bill also calls for the destruction of data within 60 days of the end of the public health emergency. The bill would not apply to HIPAA-covered entities or their business associates, which would continue to be required to comply with HIPAA Rules.

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complementary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights,” said Rep. Jan Schakowsky.

Given the similarity of both bills and their common goals, it may be possible for some consensus to be reached on the content of any new legislation and for both sides to work together to get a bill passed to protect the privacy of Americans and ensure that data collected by COVID-19 contact tracing apps is not misused.

The post Republicans and Democrats Introduce Competing Bills Covering COVID-19 Contact Tracing Apps appeared first on HIPAA Journal.