Healthcare Data Privacy

Philadelphia Department of Public Health Data Breach Exposed PHI of Hepatitis Patients

The Philadelphia Department of Public Health (PDPH) has discovered that sensitive information of patients with hepatitis B and hepatitis C was exposed over the internet and could be accessed by anyone without the need for authentication. The breach came to light on Friday, October 12, 2019, following notification from a reporter from The Philadelphia Inquirer.

The issue was corrected within minutes of the hospital being notified of the breach. An investigation has now been launched to determine the nature, cause, and extent of the breach.

New cases of hepatitis B and hepatitis C must be reported to PDPH by medical providers to enable tracking and monitoring of the disease. Both diseases can be transmitted through contact with bodily fluids of an infected person. New cases are often the result of sharing of needles by intravenous drug users. New cases of both forms of hepatitis are monitored as part of the PDPH opioids initiative.

The data supplied by healthcare providers had been uploaded to a website tool that allows aggregated data to be visualized through charts using Tableau software. Tableau dashboards are created to allow data to be aggregated and easily displayed in an understandable format. The creators of Tableau dashboards must ensure security controls are implemented to prevent backend data from being accessed. If those controls are not applied, raw data can be viewed and downloaded.

According to The Philadelphia Inquirer, the breach could have affected tens of thousands of patients. The newspaper found data on around 23,000 patients who had contracted hepatitis C.

The exposed data included a patient’s name, along with their gender, address, test results, and in some cases, Social Security number. The data covered new cases of Hepatitis B and Hepatitis C reported to PDPH between 2013 and 2018. It is currently unclear for how long the data was accessible via the PDPH website, how many patients have been affected, and how many unauthorized individuals accessed the information during the time it was exposed.

The post Philadelphia Department of Public Health Data Breach Exposed PHI of Hepatitis Patients appeared first on HIPAA Journal.

New York Legislation Prohibits First Responders from Selling Patient Data for Marketing Purposes

On October 7, 2019, New York Governor Andrew Cuomo signed new legislation into law – S.4119/A.230 – that prohibits first responders and ambulance service personnel from selling or disclosing patient data to third parties for marketing or fundraising purposes.

The bill was originally introduced by New York Assembly Member Edward Braunstein in 2014 following reports that ambulance and first response service personnel were selling patient data such as names, addresses, phone numbers and medical histories to third parties such as pharmaceutical firms and nursing homes for marketing and fundraising purposes. Prior to the introduction of the new law, these disclosures and the sale of patient information were permitted in New York.

“Patients have a right to privacy and their medical information should never be sold to pharmaceutical companies, insurers, nursing homes, or other businesses,” explained Braunstein.

The legislation follows the June 25, 2019 signing of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law, which overhauled state regulations for data privacy and security to better protect the private information of New York residents.

The new law applies to ambulance staff and first responders, but not to healthcare providers, health insurers, and parties acting under appropriate legal authority, such as government health inspectors and law enforcement. Patient information may be disclosed, transferred, or sold to the patient who is the subject of the information or a person authorized to make health care decisions on behalf of the patient.

Ambulance staff and first responders are only permitted to sell, disclose, transfer, exchange, or use patient data for marketing or fundraising purposes if they have obtained written consent from the patient in question prior to the sale or disclosure. The new law does not apply to de-identified patient data.

The new law applies to all individually identifying information which would allow a patient to be identified. Marketing is classed as, but not limited to, “advertising, detailing, marketing, promotion, or any activity that is intended to be or could be used to influence business volume, sales or market share or evaluate the effectiveness of marketing practices or personnel,” and applies to the sale or disclosure of patient data to for-profit, not-for-profit, and governmental entities.

“Nothing is more personal than your health records, and New Yorkers have a right to privacy when it comes to this incredibly sensitive information,” said Governor Cuomo. “This law sets clear guidelines so patient information isn’t sold or used for marketing purposes and most importantly doesn’t end up in the wrong hands.”

“Under no circumstances, when someone is in the middle of a life-threatening crisis, should they have to worry about their information being sold for any reason,” added Senator John Liu.


Pulse Connect, GlobalProtect, Fortigate VPN Vulnerabilities Being Actively Exploited by APT Actors

Vulnerabilities in popular VPN products from Pulse Secure, FortiGuard, and Palo Alto are being actively exploited by advanced persistent threat (APT) actors to gain access to vulnerable VPNs and internal networks.

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity agencies issued security advisories about multiple vulnerabilities in VPN products over the summer of 2019; however, many organizations have been slow to take action. Weaponized exploits for the vulnerabilities have now been developed and are being used by APT actors, and exploit code is freely available online on GitHub and in the Metasploit framework.

On October 1, 2019, the UK’s National Cyber Security Centre issued a warning about the vulnerabilities following several attacks on government agencies, the military, businesses, and the education and healthcare sectors. The National Security Agency (NSA) also issued a security advisory about the vulnerabilities along with mitigations on October 7.

The vulnerabilities are present in outdated versions of the Pulse Secure VPN (CVE-2019-11508 and CVE-2019-11538), the Palo Alto GlobalProtect VPN (CVE-2019-1579), and the Fortinet Fortigate VPN (CVE-2018-13379, CVE-2018-13382, CVE-2018-13383).

No mention was made about the APT actors responsible for the attacks, although there have been reports that the Chinese APT group APT5 has been conducting attacks on Pulse Secure and Fortinet VPNs.

The weaponized exploits allow APT actors to retrieve arbitrary files, including those containing authentication credentials. Those credentials can then be used to gain access to vulnerable VPNs, change configurations, remotely execute code, hijack encrypted traffic sessions, and connect to other network infrastructure.

The flaws are serious and require immediate action to prevent exploitation. The NSA security advisory urges all organizations using any of the above products to check to make sure they are running the latest versions of VPN operating systems and to upgrade immediately if they are not.

The NSA advisory also provides information on actions to take to check whether the flaws have already been exploited and steps to take if an attack is discovered. If a threat actor has already exploited one of the vulnerabilities and has obtained credentials, upgrading to the latest version of the OS will not prevent those credentials from being used.

The NSA therefore advises all entities running vulnerable VPN versions to reset credentials after the upgrade and before reconnection to the external network as a precaution, since it may be difficult to identify an historic attack from log files.

User, administrator, and service account credentials should be reset, and VPN server keys and certificates should be immediately revoked and regenerated. If a compromise is suspected, accounts should be reviewed to determine whether the attacker has created any new accounts.
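The post-upgrade checks described above can be run against an account and key inventory. The following is an added example, not taken from the NSA advisory or any vendor tooling; the inventory format, timestamps, exposure window, and approved-account list are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample inventory (not the export format of any real VPN product).
INVENTORY_CSV = """\
name,kind,created,last_rotated
alice,user,2018-03-02T09:00:00Z,2019-10-09T08:15:00Z
bob,user,2017-11-20T14:30:00Z,2019-06-01T10:00:00Z
vpnadmin,admin,2016-01-05T12:00:00Z,2019-10-09T08:05:00Z
svc-radius,service,2016-01-05T12:10:00Z,2018-01-05T12:10:00Z
helpdesk2,admin,2019-09-14T03:22:00Z,2019-10-09T08:20:00Z
carol,user,2019-09-02T10:00:00Z,2019-10-09T08:30:00Z
vpn-server-cert,server_cert,2018-07-01T00:00:00Z,2018-07-01T00:00:00Z
"""

# Assumed values for this example: when the vulnerable version became
# reachable from the internet, and when the patched version was installed.
EXPOSURE_START = datetime(2019, 8, 1, tzinfo=timezone.utc)
UPGRADE_TIME = datetime(2019, 10, 8, 22, 0, tzinfo=timezone.utc)

# Accounts created during the window that have a matching change record.
APPROVED_NEW = {"carol"}


def parse_ts(value):
    """Parse the UTC timestamps used in the sample inventory."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_inventory(inventory_csv, exposure_start, upgrade_time, approved_new):
    """Return the secrets still to rotate and the accounts nobody can vouch for.

    needs_rotation: any password, service credential, key or certificate last
        rotated before the upgrade. It may have been read while the device
        was vulnerable, and upgrading does not invalidate it.
    unexplained_accounts: accounts created between exposure start and the
        upgrade without an approval. A later password reset does not make
        such an account legitimate, so rotation status is ignored here.
    """
    needs_rotation = []
    unexplained_accounts = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        created = parse_ts(row["created"])
        rotated = parse_ts(row["last_rotated"])
        if rotated < upgrade_time:
            needs_rotation.append(row["name"])
        is_account = row["kind"] in {"user", "admin", "service"}
        in_window = exposure_start <= created <= upgrade_time
        if is_account and in_window and row["name"] not in approved_new:
            unexplained_accounts.append(row["name"])
    return {
        "needs_rotation": sorted(needs_rotation),
        "unexplained_accounts": sorted(unexplained_accounts),
    }


if __name__ == "__main__":
    report = audit_inventory(INVENTORY_CSV, EXPOSURE_START, UPGRADE_TIME, APPROVED_NEW)
    for finding, names in report.items():
        print(finding, names)
```
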

The NSA has also provided recommendations for public-facing VPN deployment and long-term hardening controls.


Dental Practice Fined $10,000 for PHI Disclosures on Yelp

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with Elite Dental Associates over the impermissible disclosure of multiple patients’ protected health information (PHI) when responding to patient reviews on the Yelp review website.

Elite Dental Associates is a Dallas, TX-based privately-owned dental practice that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR received a complaint from an Elite patient about a social media HIPAA violation. The patient claimed the dental practice had responded to a review she left on Yelp and publicly disclosed some of the PHI.

When replying to the patient’s June 4, 2016 post, Elite disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information.

The investigation confirmed that to be the case, but also found it was not the first time that PHI had been disclosed without authorization on the social media platform when responding to patient reviews. Further impermissible PHI disclosures were found on the Elite review page.

In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a), OCR determined Elite had not implemented policies and procedures relating to PHI, in particular the release of PHI on social media and other public platforms, in violation of 45 C.F.R. § 164.530(i). Elite was also discovered not to have included the minimum required content in its Notice of Privacy Practices as required by the HIPAA Privacy Rule (45 C.F.R. § 164.520(b)).

OCR agreed to a HIPAA violation fine of $10,000 and a corrective action plan (CAP) to resolve the alleged HIPAA violations and settle the case with no admission of liability. The three potential HIPAA violations could have attracted a substantially higher financial penalty; however, when considering an appropriate financial penalty, OCR took the financial position of the practice, its size, and Elite’s cooperation with the OCR investigation into account.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino.  “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

This is the 4th OCR HIPAA settlement of 2019. In September, OCR fined Bayfront Health St Petersburg $85,000 for a HIPAA Right of Access failure. In May, two settlements were agreed to resolve multiple HIPAA violations at Medical Informatics Engineering ($100,000) and Touchstone Medical Imaging ($3,000,000).


PHI Potentially Compromised in Cybersecurity Breach at North Florida OB-GYN

Jacksonville, FL-based North Florida OB-GYN has discovered hackers gained access to certain parts of its computer system containing patients’ personal and health information and deployed a virus that encrypted files.

Upon discovery of the breach on July 27, 2019, networked computer systems were shut down and breach response and recovery procedures were initiated. Third party IT consultants assisted with the investigation and confirmed that parts of its networked computer systems had been subjected to unauthorized access and a virus had been used to encrypt certain files. The investigation revealed its systems had most likely been compromised on or before April 29, 2019.

While system access was confirmed, no evidence of unauthorized data access or theft of personal or medical information was found; however, unauthorized data access and data exfiltration could not be ruled out.

Protected health information potentially compromised in the attack varied from patient to patient and may have included name, demographic information, birth date, driver’s license number, ID card number, Social Security number, health insurance information, employment information, diagnoses, treatment information, and medical images.

Affected individuals have been advised to remain vigilant and review their account statements to check for unauthorized use of their information. It does not appear that affected individuals are being offered credit monitoring and identity theft protection services.

North Florida OB-GYN has been able to recover virtually all files encrypted in the attack. It is unclear whether a ransom demand was issued and paid, or if the files were recovered from backups. North Florida OB-GYN has already taken steps to strengthen security to prevent similar incidents from occurring in the future.

The breach has been reported to the HHS’ Office for Civil Rights and appropriate state authorities. The breach has yet to appear on the OCR breach portal, so it is currently unclear how many patients have been affected. This post will be updated as and when further information becomes available.

Tomo Drug Testing Discovers Sensitive Information on Drug Testing Subjects Has Been Compromised

Springfield, MO-based Tomo Drug Testing, a provider of drug screening services, has discovered an unauthorized individual has gained access to a database containing the sensitive information of drug screening subjects, including names, Social Security numbers, driver’s license numbers, state identification numbers, and drug test results.

According to a statement released by the company, the database was accessed on April 23, 2019 and May 9, 2019 by an unidentified individual who claimed to have downloaded and removed certain information from the database.

Tomo Drug Testing learned of the breach on April 23, 2019 and launched an investigation into the breach. Forensics experts were called in to determine whether information had been removed or deleted from the database. While it was not possible to determine whether the database had been copied and stolen, certain items were found to have been removed or deleted from the database.

The database appeared to have been accessed using compromised credentials. Upon discovery of the breach, the password and privileges on the account used to access the database were changed. All data has now been migrated to a more secure system and the previous system has now been decommissioned. Tomo Drug Testing is continuing to implement additional security controls to prevent further incidents from occurring in the future.

Determining who was affected and the types of information in the database was a lengthy process. It took until July 1, 2019 to discover all individuals impacted by the breach and obtain up-to-date contact information. A substitute breach notice has been issued to media outlets as it was not possible to find contact information for all individuals affected.

Notification letters have now been sent and affected individuals have been offered complimentary credit monitoring and identity theft protection services as a precaution. It is currently unclear how many individuals have been impacted.


Sen. Rand Paul Introduces National Patient Identifier Repeal Act

Sen. Rand Paul, M.D., (R-Kentucky) has introduced a new bill that attempts to have the national patient identifier provision of HIPAA permanently removed due to privacy concerns over the implementation of such a system.

Today, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the original HIPAA legislation of 1996 as a measure to facilitate data sharing and help reduce wastage in healthcare.

The provision called for the HHS to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system.” However, in 1998, former Congressman Ron Paul (R-Texas), Sen. Rand Paul’s father, introduced a proposal which called for a ban on funding the development and implementation of such a system. The ban was introduced into the Congressional budget for 1999 and has been written into all Congressional budgets ever since.

This year there was hope that the ban would finally be removed following a June amendment to the House of Representative’s appropriation bill for fiscal year 2020. The amendment received strong bipartisan support and it was hoped that the Senate would follow the House’s lead and have the ban finally lifted. However, on September 18, 2019, the Senate appropriations subcommittee’s proposed budget bill for fiscal year 2020 included the same language as previous years and, as it stands, the ban looks set to remain in place for at least another year.

Sen. Rand Paul’s National Patient Identifier Repeal Act seeks to repeal the HIPAA provision, which Sen. Paul believes will place the privacy of Americans at risk. He considers the provision to be dangerous, as it would allow a government-issued ID number to be linked with the private medical histories of every man, woman, and child in America.

It is for the very same reason that dozens of healthcare industry stakeholder groups want the national patient identifier introduced, as without such an identifier, it is difficult to accurately match medical records with the correct patient. Those seeking to have the ban lifted believe it will improve the accuracy of health information exchange and improve security and patient safety.

Sen. Paul disagrees, as he believes the potential privacy risks are too great. “As a physician, I know firsthand how the doctor-patient relationship relies on trust and privacy, which will be thrown into jeopardy by a national patient ID,” explained Sen. Paul. “Considering how unfortunately familiar our world has become with devastating security breaches and the dangers of the growing surveillance state, it is simply unacceptable for government to centralize some of Americans’ most personal information.”

Industry associations such as the College of Healthcare Information Management Executives (CHIME) have stepped up efforts to have the ban lifted due to the difficulties matching medical records with patients.

CHIME CEO, Russ Branzell explained that Congress has already approved a healthcare identifier for Medicare beneficiaries, but a national identifier is also required. “The patient identification conversation is one about saving lives and unlocking the potential for technology to revolutionize healthcare while cutting costs.” He has called Sen. Paul’s views on the national patient identifier “antiquated and from some bygone era.”

While many industry associations share Branzell’s view, Sen. Paul’s bill has received support from certain privacy advocacy groups, including the Citizen’s Council for Health Freedom. Advocates of the removal of the HIPAA provision believe the centralization of patient information would greatly increase the risk of security breaches and could allow hackers to steal individuals’ lifelong healthcare records, and that such a system would allow unprecedented tracking of Americans through their healthcare records.


Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS

Sen. Mark Warner (D-Virginia) has written to TridentUSA demanding answers about a breach of sensitive medical images at one of its affiliates, MobileXUSA.

Sen. Warner is the co-founder of the Senate Cybersecurity Caucus, which was set up as a bipartisan educational resource to help the Senate engage more effectively on cybersecurity policy issues. As part of the SCC’s efforts to improve cybersecurity in healthcare, in June Sen. Warner asked NIST to develop a secure file sharing framework and wrote to healthcare stakeholder groups in February requesting they share best practices and the methods they used to reduce cybersecurity risk and improve healthcare data security.

The latest letter was sent a few days after ProPublica published a report of an investigation into unsecured Picture Archiving and Communications Systems (PACS). PACS are used by hospitals and other healthcare organizations for viewing, storing, processing, and transmitting medical images such as MRIs, CT scans, and X-Rays. The report revealed more than 303 medical images of approximately 5 million Americans had been left exposed on the Internet due to PACS security failures. Those medical images were stored on 187 U.S. servers, including those used by MobileXUSA.

In the letter, Sen. Warner said “It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices – no software vulnerabilities were involved, and no explicit hacking was required [to access the images].”

Sen. Warner said HIPAA requires security controls to be applied to keep sensitive data protected, including medical images stored in PACS, and that both TridentUSA and MobileXUSA have a duty under HIPAA to ensure their PACS are not publicly accessible and that proper controls are applied to prevent unauthorized access and data theft.

By October 9, 2019, Sen. Warner requires answers to questions about the cybersecurity practices at both companies to determine how medical images in the PACS were exposed and why the lack of security protections was not detected internally.

Specifically, Sen. Warner wants to know about the audit and monitoring tools employed to analyze its HIPAA-mandated audit trails, whether systems that access the PACS and DICOM images comply with current standards and use access management controls, what identity and access management controls are applied for IP-addresses and port filters, if a VPN or SSL is required to communicate with the PACS, the frequency of vulnerability scans and internal HIPAA compliance audits, what server encryption processes are in use, and whether the companies have an internal security team or if security is outsourced.

PACS and the DICOM image format have been designed to facilitate the sharing of medical images within an organization and with authorized third parties, but it is the responsibility of each organization to ensure that those systems are secured to protect patient privacy.

Healthcare organizations can face many challenges securing their PACS without negatively impacting workflows. To help healthcare organizations secure their systems, NCCoE has recently released new NIST guidance for healthcare providers to help them secure the PACS ecosystem.


Senate Fails to Remove Ban on Funding of National Patient Identifier

The Department of Health and Human Services (HHS) is prohibited from using any of its budget to fund the development and implementation of a national patient identifier, but there was hope that the ban would finally be lifted this year.

The House of Representatives added an amendment to its Departments of Labor, Health, and Human Services, and Education, and Related Agencies Act of 2020 which removed the ban, which would allow the HHS to follow through on this requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

It now looks likely that the ban will remain in place for at least another year as the Senate Appropriations Subcommittee’s draft 2020 fiscal budget bill, released last Wednesday, has retained the text banning the HHS from acting on this HIPAA requirement.

The ban has been in place since 1999 and was introduced because of concerns over patient privacy. The ban has been written into the Congressional budget every year since and the proposed 2020 fiscal budget bill is no different.

The proposed fiscal budget bill includes the text, “None of the funds made available in this act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the standard.”

The purpose of the national patient identifier is to make it easier for patients to be efficiently matched with their health records. Regardless of where a patient receives treatment, their health data will be tied to them through their unique national patient identifier code. The new identifier would help to ensure that patient information could flow freely between different healthcare organizations and it is seen by many healthcare industry stakeholders to be essential for full interoperability. A national patient identifier could help to improve patient privacy, patient safety, and eliminate considerable waste and misspending in healthcare.

For several years, industry associations such as the College of Healthcare Information Management Executives (CHIME), the American Health Information Management Association (AHIMA), and the Health Innovation Alliance (HIA) have been calling for the ban to be lifted.

HIA Executive Director Joel White has called the ban ‘antiquated’ and said studies have suggested that patients are matched with their records as little as 50% of the time. A national patient identifier would instantly solve that problem.

Efforts to have the ban removed have stepped up in recent years, and this year 56 healthcare stakeholder groups urged the Senate to remove the ban. Significant progress was made this year when the amendment received strong bipartisan support in the House of Representatives.

Convincing the Senate to lift the ban is proving more difficult. As long as privacy concerns remain, the ban is unlikely to be lifted. One of the main issues is a single identifier would be used to tie medical records to an individual from birth until death, and that could allow unprecedented tracking of Americans through their health records. It could also potentially facilitate the sharing, use, and analysis of patient data without patient consent.

While the draft fiscal budget bill has not had the ban removed, it is possible that an amendment could be made at a later date. AHIMA and CHIME leaders remain hopeful that the Senate will follow the House’s lead and have the ban lifted this year.


Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches.

The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act.

The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches.

“When the media reports data breaches that occurred to healthcare providers, the headline is always the number of patients affected,” explained John (Xuefeng) Jiang, professor of accounting and information systems at MSU and lead author of the study. “We felt both the regulators and the public didn’t pay enough attention to the type of information compromised in the healthcare data breach.”

Types of Data Exposed in Healthcare Data Breaches

For the study, the researchers categorized healthcare data into three main groups: demographic information (names, email addresses, personal identifiers, etc.); service and financial information (payments, payment dates, billing amounts, etc.); and medical information (diagnoses, treatments, medications, etc.).

Social Security numbers, driver’s license numbers, payment card information, bank account information, insurance information, and birth dates were added to a subcategory of sensitive demographic information. This information could be used by criminals for identity theft, medical identity theft, and tax and financial fraud. A subcategory of medical information was also used for particularly sensitive health data such as substance abuse records, HIV status, sexually transmitted diseases, mental health information, and cancer diagnoses, due to the potential implications for patients should that information be exposed or compromised.

Key Findings of the Study

  • 71% of breaches involved either sensitive demographic information or sensitive financial information, which placed 159 million individuals at risk of identity theft or financial fraud
  • 66% of breaches involved sensitive demographic information such as Social Security numbers
  • 65% of the breaches exposed general medical or clinical information
  • 35% of breaches compromised service or financial information
  • 16% of breaches only exposed medical or clinical information without exposing sensitive demographic or financial information
  • 76% of breaches included sensitive service and financial information such as credit card numbers – Those breaches affected 49 million individuals
  • 2% of breaches compromised sensitive health information – Those breaches affected 2.4 million individuals

Jiang believes hackers are not targeting healthcare organizations to gain access to patients’ sensitive medical information; instead, healthcare organizations are attacked and hackers take whatever data they can find in the hope that the information can be monetized. Jiang suggests hospitals and research institutions should store medical information separately from demographic information. Medical information could then be shared between healthcare providers and researchers without greatly increasing risks for patients. A separate system could be used for demographic, financial and billing information, which is needed by hospital administration staff.
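One way to realise the separation Jiang suggests is sketched below. This is an added example, not code from the study or from HIPAA Journal; the field names, the keyed-token linkage between the two stores, the demo key, and the sample records are all assumptions.

```python
import hashlib
import hmac

# Field classes follow the study's three groups; the field names are assumed.
DEMOGRAPHIC = {"name", "email", "address", "birth_date", "ssn"}
FINANCIAL = {"billing_amount", "payment_date", "card_number"}
MEDICAL = {"diagnosis", "treatment", "medication"}

# Placeholder key for the demo only; a real deployment would keep the linkage
# key in a key-management service reachable by neither store.
DEMO_KEY = bytes(range(32))

# Constructed sample records (not real patients).
RECORDS = [
    {"patient_id": "P-1001", "name": "Jane Example", "ssn": "000-00-0001",
     "billing_amount": "120.00", "diagnosis": "hepatitis C", "medication": "example-drug-A"},
    {"patient_id": "P-1001", "name": "Jane Example", "ssn": "000-00-0001",
     "billing_amount": "80.00", "diagnosis": "hepatitis C", "treatment": "follow-up"},
    {"patient_id": "P-2002", "name": "John Sample", "ssn": "000-00-0002",
     "billing_amount": "60.00", "diagnosis": "fracture", "treatment": "cast"},
]


def link_token(key, patient_id):
    """Keyed pseudonym: stable per patient, not derivable without the key."""
    digest = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def split_record(record, key):
    """Split one record into an administrative row and a clinical row."""
    unknown = set(record) - DEMOGRAPHIC - FINANCIAL - MEDICAL - {"patient_id"}
    if unknown:
        # Fail closed: an unclassified field must not drift into either store.
        raise ValueError("unclassified fields: %s" % sorted(unknown))
    admin = {k: v for k, v in record.items() if k in DEMOGRAPHIC | FINANCIAL}
    admin["patient_id"] = record["patient_id"]
    clinical = {k: v for k, v in record.items() if k in MEDICAL}
    clinical["token"] = link_token(key, record["patient_id"])
    return admin, clinical


def build_stores(records, key):
    """Return (admin_store, clinical_store) as two separate lists of rows."""
    pairs = [split_record(r, key) for r in records]
    return [a for a, _ in pairs], [c for _, c in pairs]


def leaked_identifiers(clinical_store, admin_store):
    """Administrative values that appear verbatim in the clinical store."""
    sensitive = {str(v) for row in admin_store for v in row.values()}
    return sorted(str(v) for row in clinical_store
                  for v in row.values() if str(v) in sensitive)


def reidentify(token, admin_store, key):
    """Map a clinical token back to a person; needs the admin store AND the key."""
    for row in admin_store:
        if hmac.compare_digest(link_token(key, row["patient_id"]), token):
            return row
    return None


if __name__ == "__main__":
    admin_store, clinical_store = build_stores(RECORDS, DEMO_KEY)
    print("clinical extract:", clinical_store)
    print("identifiers in clinical extract:", leaked_identifiers(clinical_store, admin_store))
```

The exact-match leak check does not catch identifiers embedded in free-text clinical notes, which would need separate scrubbing.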

The researchers advocate greater focus on the types of information exposed or compromised in healthcare data breaches to help breach victims manage risk more effectively. They suggest the Department of Health and Human Services should formally collect and publish information about the types of data that have been exposed in data breaches to help the public assess the potential for harm. The researchers plan to work closely with lawmakers and the healthcare industry to provide practical guidance and advice based on the results of their academic studies.

Data Breach Notifications Under HIPAA

The HIPAA Breach Notification Rule requires all patients affected by a reportable healthcare data breach to be notified within 60 days of discovery of the breach. Affected individuals must be told what types of information have been exposed or compromised as that information allows breach victims to make a determination about the risk they face so they can make a decision about any actions they need to take to reduce the risk of harm.

OCR explains in its online guidance on breach notification requirements of HIPAA, “These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”

Publicly Available HIPAA Breach Information

The HHS’ Office for Civil Rights, as required by the HITECH Act, has been publishing summaries of data breaches of 500 or more healthcare records on the HHS website since October 2009. The breach portal, which can be accessed by the public, contains basic information about the breaches.

The breach portal details the name of the breached entity, state, type of covered entity, individuals affected, breach submission date, type of breach, location of breached information, and whether there was business associate involvement. This information can also be downloaded for breaches that are under investigation by OCR and for incidents that have been archived following the closure of the OCR investigation.

When a data breach is archived, further information is added to the breach summary in a “web description” field. The web summary is not available for breaches still under investigation, but the information is included for archived breaches. The web summary is only viewable in the downloaded breach reports.

In many cases, the web description includes details of the types of information that were exposed in the breach, but not in all cases. Formalizing this requirement would ensure that all breaches detailed on the portal would have that information included. The web description field also includes information on any actions taken by OCR in response to the breach that led to the resolution and closure of the investigation.
