Healthcare Data Privacy

6.9 Million 23andMe Users Affected by Data Breach

The genetic testing company, 23andMe, has confirmed in a recent filing with the Securities and Exchange Commission (SEC) that a hacker gained access to a very small percentage of user accounts. 23andMe has around 14 million users worldwide, and 0.1% of accounts were compromised – approximately 14,000 accounts. However, through those accounts, the hacker obtained the data of around 6.9 million users.

The account breaches first came to light on October 1, 2023, when a hacker claimed in an online forum to have the profile information of millions of 23andMe users. 23andMe launched an investigation into a potential data breach and determined that its own systems had not been compromised. Certain accounts had been accessed in a credential stuffing attack. A credential stuffing attack involves using credentials from data breaches at one or more companies to try to access accounts at another, unrelated company.

Access was gained to the 14,000 accounts because those users had reused the password for their 23andMe account at another company that had suffered a data breach, and had not enabled 2-factor authentication for their 23andMe account. The information accessed varied from account to account, and generally included ancestry information and health information based on the user’s genetics.
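As an added illustration of the credential-stuffing pattern described above (example code, not 23andMe's tooling; the log format, field names and thresholds are assumptions made for this example): a detector that reads login events, flags source addresses that cycle through many distinct accounts with a high failure rate, and lists the accounts that were entered without a second factor from such a source, which are the ones to reset and notify.

```python
"""Spotting credential stuffing in authentication logs (added example).

A credential-stuffing source tries many *different* usernames with passwords
leaked elsewhere; most attempts fail and the occasional one succeeds on an
account that reused its password and had no second factor. A legitimate user
who mistypes retries the *same* account. Counting distinct usernames and the
failure ratio per source address separates the two. The log format, field
names and thresholds below are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL mfa=on|off"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>on|off)$"
)


@dataclass
class SourceStats:
    """Per-source-address counters."""
    users: set = field(default_factory=set)
    attempts: int = 0
    failures: int = 0
    logins_without_mfa: list = field(default_factory=list)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: SourceStats} for sources that look like credential stuffing."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped here, counted in a real pipeline
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        elif rec["mfa"] == "off":
            # A successful login that no second factor protected.
            s.logins_without_mfa.append(rec["user"])
    return {
        ip: s for ip, s in stats.items()
        if len(s.users) >= min_distinct_users
        and s.failures / s.attempts >= min_fail_ratio
    }


def accounts_to_reset(flagged):
    """Accounts logged into without MFA from a flagged source: reset and notify."""
    out = set()
    for s in flagged.values():
        out.update(s.logins_without_mfa)
    return sorted(out)


# Constructed sample: one source cycling through leaked credentials (8 misses,
# 2 hits, one of them on an account without MFA) and one ordinary user retrying.
SAMPLE_LOG = [
    f"2023-09-30T01:00:0{i}Z ip=203.0.113.7 user=user{i:02d} result=FAIL mfa=off"
    for i in range(8)
] + [
    "2023-09-30T01:00:08Z ip=203.0.113.7 user=carol result=OK mfa=off",
    "2023-09-30T01:00:09Z ip=203.0.113.7 user=dave result=OK mfa=on",
    "2023-09-30T02:00:00Z ip=198.51.100.5 user=alice result=FAIL mfa=off",
    "2023-09-30T02:00:05Z ip=198.51.100.5 user=alice result=FAIL mfa=off",
    "2023-09-30T02:00:10Z ip=198.51.100.5 user=alice result=OK mfa=off",
]

if __name__ == "__main__":
    flagged = analyse(SAMPLE_LOG)
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.users)} accounts tried, {s.failures}/{s.attempts} failed")
    print("reset and notify:", accounts_to_reset(flagged))
```

Both conditions are needed: a large shared egress address (a corporate NAT or carrier gateway) also shows many distinct usernames, but its failure ratio stays low, so it is not flagged. Thresholds have to be tuned to the site's real login traffic before alerting on them.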

Those accounts were then used to “access a significant number of files” that included other users’ ancestry profiles. The 23andMe DNA Relatives feature allows users to share information with others to find genetic relatives. Through this feature, the 14,000 accounts were used to obtain information from around 5.5 million users. The information obtained varied from user to user, depending on the information they chose to share with others. That information generally included display names, the last login time, the percentage of DNA shared with their DNA relatives’ matches, and the predicted relationship with each person. In some cases, the information also included birth year, geographic information, family tree, and any uploaded photos.

Additionally, the family tree information of a further 1.4 million users who participated in the DNA Relatives feature was compromised. In these cases, the compromised information included display names and relationship labels and, in some cases, geographic location and birth year. In total, approximately 6.9 million individuals had their data stolen.

23andMe confirmed that notifications have started to be issued but could not say when that process will be completed. Steps have also been taken to improve security, including performing a forced password reset for all users and imposing mandatory 2-step verification for new and current users. The 2-step verification was previously optional. 23andMe estimated the cost of the incident to be between $1 million and $2 million, which has mostly been spent on technology consulting services, legal fees, and expenses of other third-party advisors. The expenses and direct and indirect business impacts of the incident could negatively affect its financial results.

The post 6.9 Million 23andMe Users Affected by Data Breach appeared first on HIPAA Journal.

A Federal Privacy Law is Critical to Effective AI Governance

On October 30, 2023, President Biden announced an executive order that establishes new standards to ensure the safe, secure, and trustworthy development of Artificial Intelligence. The executive order requires developers of AI systems to share their safety test results with the U.S. government to ensure the systems are safe and trustworthy before they are made available to the public. The executive order calls for federal agencies to develop AI safety standards, tools, and tests, including strong new standards for biological synthesis screening to protect against the risks of AI being used to engineer dangerous biological materials.

The executive order requires standards and best practices to be established for detecting AI-generated content and authenticating official content and requests the Department of Commerce develop guidance on watermarking products that have AI-generated content. President Biden has also ordered an advanced cybersecurity program to be established to develop AI tools to find and fix vulnerabilities in critical software.

President Biden Calls for Federal Privacy Law

President Biden also called for a bipartisan federal data privacy law to be introduced to protect all Americans, especially children’s privacy. He said a federal privacy law should prioritize federal support for accelerating the development and use of privacy-preserving techniques, strengthen privacy-preserving research and technologies, strengthen privacy guidance for federal agencies to account for AI risks, and ensure that guidelines are developed for federal agencies to evaluate the effectiveness of privacy-preserving techniques, including those used in AI.

There is growing bipartisan support for a federal data privacy and protection law; however, all efforts to introduce such a law have failed. One of the most recent attempts, and the one that showed the most promise, was the American Data Privacy and Protection Act (ADPPA). The ADPPA had considerable bipartisan support; however, not quite enough to get the legislation over the line in 2022.

Two of the main sticking points with the ADPPA are state preemption and the private right of action. The ADPPA, in its current form, sets a ceiling rather than a floor for data protection and privacy. While privacy protections would be improved across the United States, states that have already introduced laws with strong privacy protections, such as California, would have to agree to lower privacy standards for state residents and would not be allowed to increase them, hence California’s refusal to support the ADPPA. Agreement currently cannot be reached on whether individuals who have their privacy violated should be able to sue for the violations. Complying with a federal privacy law would be expensive for many companies, especially small businesses, which, it is argued, should then not have the prospect of costly legal battles if consumer privacy is violated.

The ADPPA stalled last year and failed to get a House vote; however, the House Subcommittee on Innovation, Data, and Commerce held a hearing in March 2023 that reiterated the need for a federal data protection law. It is clear that Republicans and Democrats need to come to the table and agree to make compromises to get the ADPPA or an equivalent federal privacy law enacted, especially given the advances in AI.

A Federal Privacy Law Would Serve as A Basis for Future AI Rulemaking

AI-based systems are already being trained on vast amounts of personal data, there are considerable privacy risks associated with that data use, and consumers have very little say in how their personal data is being collected and used. AI systems are being used to decide what content people see on the Internet and are already influencing consumer decisions, yet there is currently a lack of regulation of how personal data is collected and used and very little in the way of protections to prevent problematic uses of AI.

Currently, there is a patchwork of privacy protections in the United States, which means privacy protections can vary greatly from state to state. That leaves many Americans disadvantaged and also makes compliance complex and time-consuming for businesses. Several states are already formulating plans to introduce their own legislation for AI. Such a situation could prove to be unworkable for many companies in the AI space.

At the U.S. Senate’s Artificial Intelligence Insight Forum, Chris Lewis, Public Knowledge President and CEO, confirmed his support for the ADPPA, saying it would serve as a solid foundation on which AI legislation could be based, specifically the requirements of the ADPPA on data minimization and giving users control over their personal data, which would help to reduce privacy abuses from commercial data surveillance. Currently, the largest tech companies have a monopoly on personal data and have established dominance in the digital world. The ADPPA would minimize the amount of personal data that is collected, would give people greater control over their personal data, would encourage competition, and integrate important civil rights protections.

Mozilla, the developer of the Firefox web browser, also backs the introduction of the ADPPA. “What we need to prevent is a race to the bottom when it comes to privacy – so passing a federal privacy law, setting effective rules of the road, is paramount,” said a Mozilla spokesperson.


Republicans and Democrats Introduce Bills to Improve Consumer Privacy Protections

In the absence of a federal privacy law, it is left to individual states to introduce consumer privacy laws and ensure that companies that collect, process, and sell personal data are adequately protecting that information. While attempts to pass a federal data privacy bill have stalled, Republican and Democratic lawmakers are continuing to push for greater privacy protections for consumers.

Congresswoman Anna Paulina Luna Introduces U.S. Data on U.S. Soil Act

Congresswoman Anna Paulina Luna (R-FL) recently introduced the U.S. Data on U.S. Soil Act, to protect the data security of Americans and prevent their personal information from being exploited by foreign adversaries. It is no secret that foreign countries are attempting to collect and use the personal data of U.S. citizens. In March 2023, the House Committee on Energy and Commerce explored the role that social media, and specifically TikTok, plays in data collection and how the Chinese Communist Party has access to the data of U.S. citizens that is collected by TikTok, through TikTok’s parent company, ByteDance.

The European Union has a comprehensive data privacy and protection law, the General Data Protection Regulation (GDPR), which protects the rights of individuals and limits the data that can be collected and used by companies such as TikTok, but there is currently no comparable federal privacy and data protection law in the United States, only a patchwork of laws introduced by individual states.

“Americans daily face the threat of exposing their personal data to bad-actor countries who are looking for a chance to exploit us, simply by opening our phones,” said Luna. “The protections in my bill are long overdue. A military leader would never hand over his tactics and intelligence to the enemy on a silver platter, and neither should we. My bill would make sure our adversaries can’t have a free-for-all with our personal lives, national security, and strength as a country.”

The U.S. Data on U.S. Soil Act seeks to prohibit companies such as TikTok from storing the data of any U.S. national in a physical data center located in a foreign adversary country, including China, Cuba, Iran, North Korea, Russia, and Venezuela. The bill also seeks to prevent government officials in foreign adversary countries from accessing covered data. The bill would set a national minimum standard for data privacy and would not preempt state law, ensuring that individual states could implement more stringent data privacy protections. Violations would be treated as unfair or deceptive acts or practices under the Federal Trade Commission Act, with penalties of $50,120 per violation. The bill, which currently has no companion Senate bill, was co-sponsored by Reps. Mary Miller (R-IL), Ralph Norman (R-SC), and George Santos (R-NY).

Democratic Senator Reintroduces Three Data Privacy Bills

U.S. Sen. Catherine Cortez Masto (D-NV) has recently reintroduced three bills that aim to strengthen consumer data privacy protections. The first bill, the DATA Privacy Act, is concerned with improving privacy protections for consumers and ensuring that large tech firms implement data security and privacy protections. The bill would give consumers the right to request, dispute the accuracy of, and transfer or delete their personal data without retribution. All data collection, processing, storage, and disclosure would require three standards to be met:

  • The data collected must be reasonable, and for a legitimate business or operational purpose that is contextual and does not subject an individual to unreasonable privacy risk.
  • The data must not be used in a discriminatory way.
  • Businesses must not engage in deceptive data practices.

The DATA Privacy Act would give new authority to state Attorneys General and the Federal Trade Commission (FTC) to impose civil penalties for violations.

Sen. Cortez Masto, along with Sen. Deb Fischer (R-Neb.), reintroduced the Promoting Digital Privacy Technologies Act, which requires the National Science Foundation (NSF) to support research into privacy-enhancing technologies (PET) to help protect consumer data. The bill also calls for the National Institute of Standards and Technology (NIST) to work with the academic, public, and private sectors to establish standards for the integration of PET into business and government.

The third bill, like the U.S. Data on U.S. Soil Act, takes aim at the collection, access, and use of consumer data by foreign adversaries, specifically China. The Internet App ID Act aims to improve the digital security of Americans by requiring operators of Internet websites and mobile applications to disclose if the applications being used by consumers have been developed or store data within China, or are under the control of the Chinese Communist Party.

“Big technology companies are collecting massive amounts of Americans’ personal information, from social security numbers to health care data. It’s clear we need stronger privacy laws to make sure this information isn’t shared or sold without consumers’ permission,” said Sen. Cortez Masto. “My bills will hold corporations and foreign actors accountable, protect the data privacy of vulnerable consumers, and ensure that our emerging AI and other innovative technology industries grow responsibly.”


October 2023 Healthcare Data Breach Report

For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median: 52 breaches).

[Chart: October 2023 healthcare data breach report - 12 month breaches]

For the third consecutive month, the number of breached healthcare records has fallen, from more than 18 million records in July 2023 to 3,569,881 records in October – a month-over-month percentage decrease of 52.76%. October’s total is well below the 12-month average of 7,644,509 breached records a month (median: 5,951,455 records). While this is certainly good news, it should be noted that 2023 has been a particularly bad year for healthcare data breaches. Between January 1 and October 31, 2023, more than 82.6 million healthcare records were exposed or impermissibly disclosed, compared to 45 million records in 2021 and 51.9 million records in 2022. As of November 17, 2023, more than 100 million records have been breached.

[Chart: October 2023 healthcare data breach report - 12 month breached records]

Largest Healthcare Data Breaches Reported in October 2023

Fourteen breaches of 10,000 or more records were reported in October, the largest of which occurred at Postmeds Inc., the parent company of Truepill, a provider of a business-to-business pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer brands. While victims of the breach do not face an immediate risk of identity theft since no Social Security numbers were compromised, they do face an increased risk of phishing and social engineering attacks. As is now common in breach notifications, little information about the incident has been disclosed, other than it being a hacking incident involving unauthorized access to its network between August 30 and September 1, 2023. The Postmeds data breach was the 21st data breach of 1 million or more records to be reported this year.

Even though the Clop hacking group’s mass exploitation of the zero-day vulnerability in Progress Software’s MOVEit Transfer solution occurred in late May, healthcare organizations are still reporting MOVEit data breaches. More than 2,300 organizations are now known to have been affected and more than 60 million records were stolen in the attacks.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Postmeds, Inc. (TruePill) | CA | Healthcare Provider | 2,364,359 | Hacking incident (details not disclosed) |
| Western Washington Medical Group | MS | Healthcare Provider | 350,863 | Hacking incident (details not disclosed) |
| Greater Rochester Independent Practice Association, Inc. | NY | Healthcare Provider | 279,156 | Hacking incident (details not disclosed) |
| Radius Global Solutions | PA | Business Associate | 135,742 | Hacking incident – MOVEit Transfer vulnerability exploited |
| Dakota Eye Institute | ND | Healthcare Provider | 107,143 | Hacking incident (details not disclosed) |
| Walmart, Inc. Associates Health and Welfare Plan | AR | Health Plan | 85,952 | Hacking incident (details not disclosed) |
| Westat, Inc. | MD | Business Associate | 50,065 | Hacking incident – MOVEit Transfer vulnerability exploited |
| Brooklyn Premier Orthopedics | NY | Healthcare Provider | 48,459 | Hacking incident (details not disclosed) |
| PeakMed | CO | Healthcare Provider | 27,800 | Hacking incident (compromised credentials) |
| Hospital & Medical Foundation of Paris, Inc | IL | Healthcare Provider | 16,598 | Hacking incident (details not disclosed) |
| Fredericksburg Foot & Ankle Center, PLC | VA | Healthcare Provider | 14,912 | Hacking incident (details not disclosed) |
| Cadence Bank | MS | Business Associate | 13,862 | Hacking incident – MOVEit Transfer vulnerability exploited |
| Peerstar LLC | PA | Healthcare Provider | 11,438 | Hacking incident (details not disclosed) |
| Atlas Healthcare CT | CT | Healthcare Provider | 10,831 | Hacking incident (details not disclosed) |

October 2023 Data Breach Causes and Data Locations

As has been the case throughout 2023, hacking was the most common cause of data breaches in October, accounting for 77.5% of the month’s data breaches (31 incidents) and 99.13% of the breached records (3,538,726 records). The average data breach size in hacking incidents was 114,152 records and the median data breach size was 4,049 records.

The exact nature of these incidents has not been publicly disclosed in many cases, so it is not possible to determine the extent to which ransomware attacks, phishing attacks, and vulnerability exploits are occurring. The exception is the mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution, which is a fairly safe disclosure legally, as organizations cannot be expected to patch a vulnerability that is unknown even to the company that developed the software. While the lack of information is undoubtedly intended to reduce legal risk, if victims of a breach are given insufficient information it is difficult for them to accurately gauge the level of risk they face.

There were 8 data breaches classified as unauthorized access/disclosure incidents, across which 30,555 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 3,819 records and the median breach size was 2,111 records. There was one reported incident involving the theft of a desktop computer, which contained the unencrypted protected health information of 600 individuals, and no incidents involving the loss or improper disposal of PHI.

[Chart: October 2023 healthcare data breach report - causes of breaches]

The most common location of breached PHI was network servers, which is unsurprising given the large number of hacking incidents. 8 data breaches involved compromised email accounts.

[Chart: October 2023 healthcare data breach report - location of breached data]

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in October, with 25 reported data breaches. There were 11 data breaches reported by business associates and 4 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

[Chart: October 2023 healthcare data breach report - affected entities]

[Chart: October 2023 healthcare data breach report - breached records at HIPAA-regulated entities]

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 23 states reported data breaches of 500 or more records in October. Texas was the worst affected state with 5 large data breaches followed by Mississippi with 4.

| State | Breaches |
|---|---|
| Texas | 5 |
| Mississippi | 4 |
| Illinois, New York & Pennsylvania | 3 |
| California, Colorado, Florida & Georgia | 2 |
| Arkansas, Connecticut, Delaware, Iowa, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, North Dakota, Oklahoma, Oregon & Virginia | 1 |

HIPAA Enforcement Activity in October 2023

In October, the HHS’ Office for Civil Rights (OCR) announced its 10th HIPAA compliance enforcement action of the year. Doctors’ Management Services, a Massachusetts-based medical management company that offers services such as medical billing and payor credentialing, opted to settle an OCR investigation of a data breach. In April 2017, a threat actor accessed its network via Remote Desktop Protocol and gained access to the protected health information of 206,695 individuals.

OCR determined there had been a risk analysis failure, a failure to review records of system activity, and a failure to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule. Those failures resulted in an impermissible disclosure of the PHI of 206,695 individuals. Doctors’ Management Services paid a financial penalty of $100,000 and agreed to a corrective action plan to address the HIPAA compliance issues discovered by OCR.

State Attorneys General also have the authority to investigate HIPAA-regulated entities and impose financial penalties for HIPAA violations, although they often choose to impose penalties for equivalent violations of state laws. Three settlements were agreed in October with HIPAA-regulated entities to resolve allegations of data security and breach notification failures.

Blackbaud, a Delaware corporation headquartered in Charleston, South Carolina, that provides donor relationship management software, chose to settle alleged violations of the HIPAA Security Rule, the HIPAA Breach Notification Rule, and state consumer protection laws with 49 states and the District of Columbia. Blackbaud paid a $49.5 million penalty and agreed to make substantial data security improvements. Blackbaud suffered a ransomware attack in May 2020, which exposed the protected health information of 5,500,000 individuals. The multi-state investigation identified a lack of appropriate safeguards to ensure data security and breach response failures.

Inmediata, a Puerto Rico-based healthcare clearinghouse, settled a multi-state data breach investigation involving more than 35 state attorneys general. A server had been left unsecured, which allowed sensitive data to be indexed by search engines and found by anyone with Internet access. The protected health information of 1,565,338 individuals was exposed. The multi-state investigation identified a failure to implement reasonable and appropriate security measures, as required by the HIPAA Security Rule, a failure to conduct a secure code review, and violations of the HIPAA Breach Notification Rule and state breach notification rules for failing to provide timely and complete information to victims of the breach. The investigation was settled for $1.4 million and Inmediata agreed to make improvements to its information security program and strengthen its data breach notification practices.

Personal Touch Holding Corp, a home health company that does business as Personal Touch Home Care, opted to settle an investigation by the Office of the New York Attorney General into a breach of the protected health information of 753,107 individuals, including 316,845 New York residents. An employee responded to a phishing email which resulted in malware being installed. The threat actor exfiltrated data and then used ransomware to encrypt files. The New York Attorney General alleged Personal Touch only had an informal information security program, insufficient access controls, no continuous monitoring system, a lack of encryption, and inadequate staff training. Personal Touch paid a $350,000 financial penalty and agreed to make improvements to its information security and training programs.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on November 11, 2023.


Costco Pharmacy Patients Sue for Website Tracking Technology Disclosures of PHI to Third Parties

Costco is one of the latest companies to be sued over the use of website tracking technologies. Many retailers use tracking code on their websites such as Meta Pixel and Google Analytics to gain information about the interactions of website visitors. These tools provide valuable information that can be used to improve websites and increase sales. The data collected by these tools is sent to the providers of the code, and in some cases, may be used to serve targeted advertisements.

Two lawsuits have recently been filed against Costco Wholesale over the use of these trackers on the Costco Pharmacy pages of the Costco website, which has allegedly impermissibly disclosed information protected under the Health Insurance Portability and Accountability Act (HIPAA). Both lawsuits claim that Costco encourages patients and prospective patients to use its pharmacy webpages, communicate about their prescriptions, conduct research on medications, order new prescriptions, request refills for current medications, inquire about specific immunizations, search for local Medicare supplemental insurance, and sign up for its Rx mail order program.

However, unbeknownst to website visitors, their activities are being tracked and their sensitive data is being transferred to third parties. The information transferred is tied to individuals by identifiers such as their IP address and Facebook ID, allows the third parties to infer that an individual is being treated for a specific type of medical condition such as cancer, pregnancy, HIV, or a mental health condition, and may result in them being served targeted advertisements based on that information. Both lawsuits were filed in the U.S. District Court for the Western District of Washington at Seattle (R.S. v. Costco Wholesale Corporation and Castillo et al v Costco Wholesale Corporation). The lawsuits make similar claims: that the use of the tracking code without obtaining consent violates HIPAA, the Federal Trade Commission (FTC) Act, and federal and state wiretapping laws.

As a pharmacy operator, Costco is a HIPAA-covered entity and is required to comply with the HIPAA Rules. In December 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on HIPAA and website tracking technologies, prohibiting the use of these tools unless consent was obtained – in the form of a HIPAA-compliant authorization – or a business associate agreement was in place with the providers of these tools. Most providers of tracking technologies do not sign business associate agreements. The FTC has taken action against non-HIPAA-covered entities that have used tracking code on websites that collects and discloses health data, for violations of the FTC Act. The FTC and OCR jointly sent letters to 130 entities this year warning them about the use of tracking tools on their websites and the compliance risks associated with these tools. The guidance issued by OCR makes it clear that the use of these tools violates HIPAA; however, that position is being challenged by the American Hospital Association and others, who recently filed a lawsuit against the Secretary of the HHS and the Director of OCR that seeks confirmation from the court that the guidance is unlawful and to prevent OCR from ever enforcing it.
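The practical first step for a covered entity is knowing which pages load these tools at all. As an added example (not code from HIPAA Journal, Costco, or the plaintiffs), the scanner below inventories Meta Pixel and Google Analytics/Tag Manager loaders in a page's HTML by checking script sources, inline bootstrap calls and image beacons against the documented loading hosts for those tools. The sample page, the `/pharmacy` and `/rx` path prefixes treated as patient-facing, and the tag IDs are constructed for the example.

```python
"""Inventory of third-party tracking tags in a page's HTML (added example).

Runs offline over HTML text. It flags (1) <script src> and <img>/<iframe src>
pointing at known tracker hosts and (2) inline scripts that call the trackers'
bootstrap functions. Host names are the documented loading points for Meta
Pixel and Google Analytics / Tag Manager; everything else here is assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
}
INLINE_MARKERS = {
    re.compile(r"\bfbq\s*\("): "Meta Pixel (inline fbq call)",
    re.compile(r"\bgtag\s*\("): "Google Analytics (inline gtag call)",
}
# Assumed: site sections where PHI may be entered and no tracker may load.
SENSITIVE_PREFIXES = ("/pharmacy", "/rx")


class TrackerScanner(HTMLParser):
    """Collects (element, tracker label, host) tuples while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
        if tag in ("script", "img", "iframe") and a.get("src"):
            self._check_url(tag, a["src"])

    def handle_data(self, data):
        if self._in_script:  # html.parser hands script bodies to handle_data
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            for pattern, label in INLINE_MARKERS.items():
                if pattern.search(body):
                    self.findings.append(("inline-script", label, None))

    def _check_url(self, kind, url):
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # same-origin relative paths have an empty netloc and are ignored.
        host = urlparse(url).netloc.lower()
        label = TRACKER_HOSTS.get(host)
        if label:
            self.findings.append((kind, label, host))


def scan_html(html):
    """Return the list of tracker findings for one page."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def page_violations(path, html):
    """Trackers on a patient-facing page; pages outside those sections pass."""
    if not path.startswith(SENSITIVE_PREFIXES):
        return []
    return scan_html(html)


# Constructed sample page: a GA4 loader, its inline gtag() bootstrap, a
# stand-in for the Meta Pixel bootstrap, the Pixel <noscript> image beacon,
# and one first-party script that must not be flagged. IDs are placeholders.
SAMPLE_PHARMACY_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('js', new Date());</script>
<script>/* constructed stand-in for the Pixel bootstrap */
fbq('init', '000000000'); fbq('track', 'PageView');</script>
</head><body>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=000000000&ev=PageView&noscript=1"/></noscript>
<h1>Refill your prescription</h1>
<script src="/static/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for element, label, host in page_violations("/pharmacy/refill", SAMPLE_PHARMACY_PAGE):
        print(f"{element:14} {label:36} {host or ''}")
```

The scanner only sees what is in the served HTML; tags injected later by a tag manager or a consent platform are not in that text, so a crawl of rendered pages (or the browser's network log) is the complement to this static check. It is also deliberately host-based rather than pattern-based, so adding a vendor means adding one dictionary entry.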

The two lawsuits seek class action certification, a jury trial, financial damages for the imminent and ongoing harm caused, and injunctive relief prohibiting Costco from using these tools and engaging in further unlawful behavior. These are just two of many lawsuits that have been filed against healthcare organizations and Meta over these tracking tools, which have disclosed the data of tens of millions of individuals to third parties without consent. Recently, Advocate Aurora Health settled its Pixel-related class action lawsuit for $12.225 million.

Plaintiffs and class members in the R.S. v. Costco lawsuit are represented by Kim D. Stephens & Rebecca L. Solomon of Tousley Brain Stephens PLLC, and Gary M. Klinger, Alexandra M. Honeycutt & Glen L. Abramson of Milberg Coleman Bryson Phillips Grossman PLLC. Plaintiffs and class members in the Castillo et al v Costco lawsuit are represented by Kim D. Stephens & Rebecca L. Solomon of Tousley Brain Stephens PLLC and Ryan J. Ellersick and Hart L. Robinovitch of Zimmerman Reed LLP.


Q3, 2023 Sees 76% Fall in Data Breaches

The United States remains the country most targeted by cybercriminals and nation-state actors, with 8.1 million breached accounts in Q3, 2023 – 26% of the global total of 31.5 million accounts that were breached from July through September 2023, according to Surfshark’s Data Breach Statistics: Q3 2023 Report. Russia was the second most targeted country with 7.1M breached accounts, followed by France (1.6M), China (1.5M), and Mexico (1.2M).

In the United States, that amounts to one breached account per second in Q3, although that is 84% fewer breached accounts than in Q2, 2023. Globally, there was a 76% decrease in breached users worldwide compared to Q2, 2023. North America was the second most targeted region, with Europe taking the top spot with 10.9 million breached accounts, down from 48.1 million breached accounts in Q2, 2023. North America had 30% of the breaches in Q3, 2023, with 9.5 million accounts breached, down from 82% of breached accounts in Q2, 2023. The countries with the highest breach density, which is the number of breached accounts per 1,000 residents, were Russia, France, the US, Colombia, and Malaysia. Last year, data breaches increased by 70% from Q2 to Q3, rising to 108.9 million breached accounts globally in Q3 – a rate of around 14 breaches per second. The United States was the fourth most attacked country behind Russia, France, and Indonesia.

The reduction in data breaches is certainly good news but data breaches are still being reported at alarming rates. “The third quarter of 2023 shows a general decrease in data breach count. Yet every minute, over 240 online accounts were compromised globally, exposing sensitive information to malicious actors,” says Agneska Sablovskaja, Lead Researcher at Surfshark. “We recommend a vigilant approach by maintaining accounts only on actively used platforms and implementing two-factor authentication for enhanced security.”

Surfshark’s data breach statistics were compiled from data collected by independent partners from 29,000 publicly available databases, which were aggregated by email address. The locations of the breaches were determined by domains, IP addresses, locales, coordinates, currency, or phone numbers.

Massive Increase in Breached Healthcare Records, Despite Reduction in Data Breaches

The Surfshark report does not break down data breaches by industry, so how has the healthcare industry fared? The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report data breaches to the Secretary of the Department of Health and Human Services, and the HHS’ Office for Civil Rights publishes a list of breaches of 500 or more records.

OCR’s breach report data show an 8.5% reduction in healthcare data breaches from Q2, 2023 to Q3, 2023, and a 5.2% reduction compared with Q3, 2022. The year to September 30, 2023, has seen 10 fewer breaches (-1.83%) than the corresponding period in 2022.

Data Source: HHS’ Office for Civil Rights Breach Portal

While there has been a reduction in reported data breaches, there has been an alarming increase in the number of breached records. In Q3, 2023, an astonishing 45,799,584 healthcare records were breached – 53.47% more records than the previous quarter. The Q3 total is only 74,000 records short of the total number of healthcare records breached in all of 2021.

Data Source: HHS’ Office for Civil Rights Breach Portal

The post Q3, 2023 Sees 76% Fall in Data Breaches appeared first on HIPAA Journal.

Federal Judge Unseals FTC Amended Complaint Against Kochava

On Friday, an Idaho federal court unsealed a Federal Trade Commission (FTC) amended complaint against the Idaho-based data broker Kochava, which the FTC alleges collected and disclosed enormous amounts of sensitive consumer data in violation of federal law.

The FTC filed its first complaint against Kochava in August 2022, which alleged Kochava was acquiring consumers’ precise geolocation data and was selling the data in a format that allowed entities to track consumers’ movements to and from sensitive locations, including but not limited to, medical centers, reproductive healthcare facilities, places of worship, mental health facilities, temporary shelters such as centers for survivors of domestic violence, and other sensitive locations, such as addiction recovery centers.

The FTC said Kochava sold access to its data feeds on publicly accessible online data marketplaces. Customers who pay a monthly subscription fee can access its location data feed, and a sample containing a subset of the data feed was available free of charge, with minimal requirements for accessing the sample and no restrictions on usage. The FTC alleged that Kochava’s business practices cause and are likely to cause substantial injury to consumers, such as allowing individuals who had visited abortion clinics to be located.

The FTC alleged Kochava’s business practices violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices in or affecting commerce. Under Section 5 of the FTC Act, an act or practice is unfair if it causes or is likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.

Kochava moved to have the initial lawsuit dismissed, and on May 4, 2023, the lawsuit was dismissed by Judge B. Lynn Winmill of the U.S. District Court for the District of Idaho, as the FTC was determined to have relied too much on the inference that consumers are injured by the data broker’s business practices. Because the FTC’s concerns about consumer privacy were found to be legitimate, the FTC was allowed 30 days to file an amended complaint. The amended lawsuit was filed under seal on June 5, 2023, and, at 33 pages, was three times as long as the initial complaint.

The amended lawsuit includes details about the alleged violations that were not stated in the first lawsuit. Kochava is alleged to have collected and disclosed precise geolocation data, including details of consumers’ movements, such as visits to sensitive locations. In some cases, the geolocation data spans days, months, and even years, and Kochava linked it with other sensitive consumer data, such as name, gender, age, ethnicity, yearly income, marital status, education level, political affiliation, apps installed on users’ mobile devices, interests, behaviors, Mobile Advertising ID, and contact information, which may include address, phone number, and email address.

According to the FTC, the data accessible to Kochava customers allowed individuals to be tracked and served targeted ads. Kochava offered the data in several formats, including a Kochava Collective product, which included granular facts about users together with precise geolocation data, allowing precise targeting of those individuals, and Kochava is alleged to have advertised the product as such.

The FTC alleged the data would allow individuals who had received an abortion or were planning to have one to be tracked. The FTC provided an example from the free sample offered by Kochava, which included the data of a woman who visited an abortion clinic. The FTC was able to trace that visit to a mobile device in a single-family residence, and the mobile device was present in the same location three times in one week, allowing the user’s routines to be determined. The FTC alleges that, in addition to allowing individuals who have sought reproductive care to be targeted, providers who offer reproductive health services could also be tracked and targeted.

It remains to be seen whether the amended lawsuit sufficiently alleges that individuals are likely to suffer substantial injury as a result of Kochava’s business practices, and whether invasion of privacy constitutes an unfair practice under the FTC Act. In the absence of a federal privacy law, the FTC is in the best position to hold to account companies that are determined to have violated consumer privacy. While there have been bipartisan efforts to introduce a federal privacy law, all efforts thus far have failed to get the necessary backing. Earlier this year, three Democratic Senators proposed a bill that would prohibit sensitive health data from being used for advertising purposes. The proposed bill, the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act, sought to prevent data brokers such as Kochava from selling geolocation data and to limit the ability of companies to collect and use personal health information without express consent from consumers.

The post Federal Judge Unseals FTC Amended Complaint Against Kochava appeared first on HIPAA Journal.

AHA Files Lawsuit Challenging HHS Guidance on Tracking Technologies

The American Hospital Association (AHA), Texas Hospital Association, United Regional Health Care System, and Texas Health Resources have filed a lawsuit against Department of Health and Human Services (HHS) Secretary, Xavier Becerra, and HHS’ Office for Civil Rights (OCR) Director, Melanie Fontes Rainer, over the December 2022 guidance issued by OCR on website tracking technologies.

OCR issued guidance for HIPAA-regulated entities on the use of third-party tracking technologies on public-facing websites and applications following revelations that these tools were disclosing the individually identifiable information of website visitors to third-party companies such as Meta (Facebook), Google, social media platforms, and other third parties. The information disclosed by these tools, which include Meta Pixel and Google Analytics code, could potentially include health information, depending on the interactions of users on the websites and apps where the code is used.

A study by The Markup of the websites of the top 100 hospitals found that one-third had used these tracking tools on their websites without obtaining consent from website visitors. A more comprehensive study of hospitals published in Health Affairs found that 99% of the 3,747 U.S. hospitals studied were using these tools on their websites. Several hospitals reported the use of these tools as data breaches, including Advocate Aurora Health, Novant Health, WakeMed Health, and Cerebral, Inc., some of which involved the data of millions of patients. Many lawsuits have since been filed against healthcare providers in response to the use of these tools. Advocate Aurora Health recently settled Pixel-related litigation for $12.225 million.

In July 2023, OCR and the Federal Trade Commission (FTC) jointly issued warning letters to 130 healthcare organizations over the use of tracking tools and then published those letters – which name the organizations involved – in September 2023, signaling that both OCR and the FTC are actively enforcing the guidance. The AHA has publicly criticized OCR for its position on tracking technologies. In the AHA’s response to Senator Bill Cassidy’s request for information on healthcare data privacy and HIPAA, the AHA called for the HHS to drop its new website tracking technology rule, which it claimed harmed hospitals and negatively affected patients.

The AHA has now taken the issue a step further with legal action. The AHA claims that it had no alternative other than to take legal action after several months of unsuccessful attempts to communicate its concerns to the HHS. The lawsuit was filed in the U.S. District Court for the Northern District of Texas, Fort Worth Division. It alleges the new rule is unlawful, and claims that the HHS is actively enforcing its new rule against hospitals while the federal government’s own healthcare providers continue to use the prohibited tracking technologies on their websites.

Lawsuit Seeks Court Order Preventing OCR from Enforcing Tracking Technology Guidance

The lawsuit alleges the decision to class the metadata collected and transmitted by tracking technologies as individually identifiable health information subject to HIPAA is “a gross overreach by the federal bureaucracy, imposed without any input from the public or the healthcare providers most impacted by it.” The AHA explains that “the HHS rule exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect.” While the lawsuit does not go as far as seeking rescission of the guidance, it requests a court order prohibiting OCR from enforcing its rule, to prevent members from being unlawfully penalized.

The AHA’s position is that website tracking technologies that collect information such as IP addresses are critical to the function of websites and apps, and many web tools are rendered ineffective without that information, including analytics software, video technologies that offer the public education and information on health conditions, translation and accessibility services, and digital maps, to name only a few. By prohibiting tracking technologies, these vital website tools will no longer feature on hospital websites, and that ultimately harms the patients that OCR’s rule seeks to protect.

“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites,” said Rick Pollack, AHA President and CEO. “We cannot understand why HHS created this ‘rule for thee but not for me.’”

The post AHA Files Lawsuit Challenging HHS Guidance on Tracking Technologies appeared first on HIPAA Journal.

Senate HELP Committee Senator Demands Answers from 23andMe about Data Breach

Earlier this month, the direct-to-consumer genetic testing company 23andMe issued a security alert after the genetic ancestry information of its customers was stolen and listed for sale on hacking forums. A high-ranking member of the Senate Committee on Health, Education, Labor, and Pensions is demanding answers as to how such large-scale data theft was possible and what data protection measures 23andMe had in place.

According to 23andMe, its investigation into a security breach found no evidence to indicate its systems were compromised and it concluded that data was stolen in a credential stuffing attack. Credential stuffing involves taking usernames and passwords stolen in a breach on one platform and using those usernames and passwords to try to access accounts on another platform. These attacks are made possible due to users reusing usernames and passwords on multiple platforms.

A credential stuffing attack suggests users of the platform are at fault for the exposure of their data due to poor password practices; however, that has not prevented multiple lawsuits from being filed alleging 23andMe was at fault. More than a dozen class action lawsuits have now been filed against 23andMe over the data exposure and seek damages and court orders compelling 23andMe to improve data security practices. The lawsuits raise the question of whether 23andMe should have done more to protect user information.

The scale of the data breach and the highly sensitive nature of the stolen data are a major cause for concern. 1.3 million users of the platform had some of their sensitive information scraped from the site, and that information, including highly sensitive information about genetic ancestry, has been offered for sale on the dark web. One dataset offered for sale claims to include “Ashkenazi DNA Data of Celebrities.” The recent events in Israel-Gaza, which have drawn in more than 50 hacktivist groups so far according to an analysis by security researcher Jeremiah Fowler and Website Planet, emphasize the potential for harm from the sale of that information. As one commentator on the listing pointed out, “Crazy, this could be used by Nazis.”

Sen. Bill Richards (R-LA) wrote to 23andMe CEO, Anne Wojcicki, to express his “significant concern” about the data breach, the highly sensitive nature of the stolen data, and the potential for harm. “Your company’s own website describes the potential negative health implications of association with Ashkenazi Jewish ancestry, namely incidence of Gaucher disease, Canavan disease, Tay-Sachs disease, Crohn’s disease, and breast, ovarian, and prostate cancer,” wrote Sen. Richards. “Such information in the hands of employers, potential employers, foreign governments, hostile actors, and others could be used to discriminate against individuals associated with the group.”

23andMe has more than 14 million users and the information of 1.3 million of those users was scraped from its DNA Relatives feature – around 9.3% of its users – which naturally prompts questions about the precautions 23andMe had in place to prevent such large-scale data theft. Sen. Richards asked 11 questions about the breach, the notifications to users, and what is being done to remediate the impact of the data breach and prevent similar breaches in the future.

Sen. Richards also wants to know about the regulatory and contractual obligations and considerations that 23andMe is subject to as a holder of individual genetic and phenotype data; 23andMe’s data protection practices and security features, which appear to have been so easily circumvented; whether audits of its privacy and security protocols are conducted; why individual users are given access to others’ genetic information and profiles; and what search tools and algorithms 23andMe uses that allow large-scale downloads of user data based on specific demographics.

The breach appears to have occurred by compromising a few hundred accounts, yet through those accounts and the DNA Relatives feature the hackers were able to scrape vast amounts of data. Sen. Richards seeks answers on how that was possible, and in response to 23andMe’s statement that the hackers violated its terms of service, how many times it has discovered an entity or an individual violated those terms in the past year, and whether there are any consequences to such violations.
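The two stages described in this post, credential stuffing against the login endpoint followed by bulk harvesting of other users' profiles through a relative-matching feature, both leave distinctive traces in server logs. The following is an added example (not 23andMe's code or log format) of detection logic a platform operator could run over authentication and profile-view events; the log line layout, thresholds, IP addresses and account names are all constructed for the example.

```python
"""Defender-side detections for the two stages described above: credential stuffing
at login, then bulk harvesting of other users' profiles through a relative-matching
feature. Sample events are constructed here; they are not real 23andMe logs."""
from collections import defaultdict
from datetime import datetime, timedelta

STUFFING_WINDOW, STUFFING_MIN_USERS, STUFFING_MIN_FAIL = timedelta(minutes=5), 5, 0.8
SCRAPE_WINDOW, SCRAPE_MAX_VIEWS = timedelta(hours=1), 50  # plausible human views per hour
EPOCH = datetime(1970, 1, 1)

def bucket(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    return EPOCH + (ts - EPOCH) // window * window

def parse_events(lines):
    """Parse constructed lines of the form '<iso time> <event> <src ip> <account> [target]'."""
    events = []
    for line in lines:
        p = line.split()
        if len(p) >= 4:
            events.append({"ts": datetime.fromisoformat(p[0]), "event": p[1], "ip": p[2],
                           "account": p[3], "target": p[4] if len(p) > 4 else None})
    return events

def credential_stuffing_sources(events):
    """Map each source IP that tried many distinct accounts in one window and mostly
    failed (the shape of a replayed breach list) to the accounts it did get into."""
    attempts = defaultdict(list)  # (ip, window start) -> [(account, succeeded)]
    for e in events:
        if e["event"] in ("login_ok", "login_fail"):
            attempts[(e["ip"], bucket(e["ts"], STUFFING_WINDOW))].append(
                (e["account"], e["event"] == "login_ok"))
    flagged = {}
    for (ip, _), tries in attempts.items():
        fails = sum(1 for _, ok in tries if not ok)
        if len({a for a, _ in tries}) >= STUFFING_MIN_USERS and fails / len(tries) >= STUFFING_MIN_FAIL:
            flagged.setdefault(ip, []).extend(a for a, ok in tries if ok)  # candidates for forced reset
    return flagged

def scraping_accounts(events):
    """Map accounts that viewed more distinct relatives' profiles in one window than a
    person browsing matches plausibly would to the number of profiles pulled."""
    views = defaultdict(set)  # (account, window start) -> distinct profiles viewed
    for e in events:
        if e["event"] == "relative_view":
            views[(e["account"], bucket(e["ts"], SCRAPE_WINDOW))].add(e["target"])
    return {acct: len(t) for (acct, _), t in views.items() if len(t) > SCRAPE_MAX_VIEWS}

# Constructed sample: 203.0.113.7 replays eight reused passwords and one works (carol);
# carol's session then pulls 60 relatives' profiles. dave is an ordinary user.
T0 = datetime(2023, 10, 1, 2, 0, 0)
def _line(offset_s, event, ip, account, target=""):
    return f"{(T0 + timedelta(seconds=offset_s)).isoformat()} {event} {ip} {account} {target}".strip()

SAMPLE_LINES = [_line(i, "login_fail", "203.0.113.7", f"user{i}") for i in range(7)]
SAMPLE_LINES += [_line(7, "login_ok", "203.0.113.7", "carol"), _line(8, "login_ok", "198.51.100.4", "dave")]
SAMPLE_LINES += [_line(60 + i, "relative_view", "203.0.113.7", "carol", f"rel{i:03d}") for i in range(60)]
SAMPLE_LINES += [_line(120 + i, "relative_view", "198.51.100.4", "dave", f"rel{i:03d}") for i in range(3)]
EVENTS = parse_events(SAMPLE_LINES)
```

The first detector identifies the source and the accounts it actually entered, which is the list to force-reset and to check for second-factor enrollment; the second catches the harvesting stage even when the login itself looked legitimate, which is the signal that bounds how many other users' profiles were exposed.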

Sen. Richards has asked for responses to each question by November 3, 2023.

The post Senate HELP Committee Senator Demands Answers from 23andMe about Data Breach appeared first on HIPAA Journal.