Healthcare Data Privacy

June 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day – Well above the typical rate of one per day. In June, data breaches returned to more normal levels with 30 breaches of more than 500 healthcare records reported in June – 31.8% fewer than May 2019.

 

While the number of reported data breaches fell,  June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June.

Largest Healthcare Data Breaches in June 2019

The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – At least for a month until entities affected by the breach at American Medical Collection Agency report the breach.

9 of the ten largest healthcare data breaches in June were hacking/IT incidents and the top six breaches involved network servers. Three email security breaches and one improper disposal incident round out the top ten.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. Health Plan 2,964,778 Hacking/IT Incident Network Server
Inform Diagnostics, Inc. Healthcare Provider 173,617 Hacking/IT Incident Network Server
EyeCare Partners, LLC [on behalf of affiliated covered entities] Healthcare Provider 141,165 Hacking/IT Incident Network Server
TenX Systems, LLC d/b/a ResiDex Software Business Associate 90,000 Hacking/IT Incident Network Server
Shingle Springs Health and Wellness Center Healthcare Provider 21,513 Hacking/IT Incident Network Server
Desert Healthcare Services, LLC Healthcare Provider 8,000 Hacking/IT Incident Network Server
Summa Health Healthcare Provider 7,989 Hacking/IT Incident Email
Community Physicians Group Healthcare Provider 5,400 Hacking/IT Incident Email
Community Healthlink Healthcare Provider 4,598 Hacking/IT Incident Email
Adventist Health Physician Services Healthcare Provider 3,797 Improper Disposal Paper/Films

The Year So Far

As you can see in the graph below, 2019 is shaping up to be a bad year for healthcare data breaches. In the first 6 months of 2019, the records of 9,652,575 Americans were exposed, impermissibly disclosed, or stolen. That is already almost double the records exposed in 2017 and last year’s total will soon be exceeded. The data breach at American Medical Collection Agency has yet to appear in the figures below. That breach alone will raise the 2019 total to almost 35 million healthcare records. That’s more healthcare records than were breached in 2016, 2017, and 2018 combined.

Causes of June 2019 Healthcare Data Breaches

There was a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents in June, which accounted for 83% of all breaches reported. There were 12 unauthorized access/disclosure incidents reported in June, but they typically involved small numbers of records. Unauthorized access/disclosure incidents impacted 18,165 patients. The mean breach size was 1,813 records and the median breach size was 1,502 records.

There were 13 hacking/IT incidents reported in June. While these breaches only accounted for 43% of all incidents reported in June, 3,424,422 healthcare records were compromised in those breaches – 99.19% of all records breached in June. The mean breach size was 263,417 records and the median breach size was 7,995 records.

There were three theft incidents reported involving 3,424 records. The mean breach size was 1,141 records and the median breach size was 1,282 records. One loss incident was reported that impacted 2,634 patients and one improper disposal incident exposed the PHI of 3,797 patients.

Location of Breached Protected Health Information

Phishing attacks are continuing to cause problems for healthcare providers, but so too is ransomware. There was a sharp increase in ransomware attacks in Q1 and the trend continued in Q2. Ransomware may have fallen out of favor with cybercriminals in 2018, but it appears to be back in vogue in 2019. Email is usually the most common location of breached PHI, but there was a fairly even split between networks server and email incidents in June. The rise in ransowmare and malware attacks in June account for the increase in network server incidents.

 

June 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers reported 24 data breaches in June, one breach was reported by a health plan and one by a healthcare clearinghouse. While only one data breach was reported by a business associate, a further 7 data breaches had some business associate involvement.

 

June 2019 Healthcare Data Breaches by State

June’s 30 healthcare data breaches affected covered entities in 20 states. Arizona and California were the worst affected with three reported breaches. Florida, Massachusetts, Maryland, Minnesota, Missouri, and Ohio each experienced two breaches, and one breach was reported in each of Arkansas, Iowa, Illinois, Indiana, Kentucky, Michigan, Nevada, Pennsylvania, Texas, Virginia, Vermont, and Wyoming.

HIPAA Enforcement Actions in June 2019

One HIPAA enforcement action came to a conclusion in June. Premera Blue Cross agreed to settle a multi-state lawsuit over its 10.4-million-record data breach in 2017.

Premera Blue Cross is one of the nations largest health insurers. In early 2018, Premera discovered hackers had gained access to its network by exploiting an unpatched software vulnerability. The investigation into the breach revealed there had been basic security failures. The case, led by Washington State Attorney General Bob Ferguson, was settled for $10,000,000.

Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.

The Department of Health and Human Services’ Office for Civil Rights did not issue any financial penalties for HIPAA violations in June.

The post June 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records

Posted by HIPAA Journal

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is fast approaching 24 million records and 15 healthcare providers are now known to have been affected.

The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers.

AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and BioReference Laboratories. Many more healthcare providers have made announcements in the past week.

AMCA has been issuing breach notification letters to affected individuals whose financial information was exposed, but other individuals have not yet been notified. For example, Austin Pathology recently confirmed it has been affected by the breach. Austin Pathology was told around 1,800 breach notification letters had been sent to Austin Pathology patients whose financial information was exposed.

Austin Pathology has confirmed that 46,500 patients have been impacted. The 44,700 patients who have yet to be notified had their name, address, telephone number, date of birth, dates of service, provider details, and account balances exposed. It could well be weeks before all affected patients are notified.

AMCA Data Breach Victims

Affected Entity Records Exposed
Quest Diagnostics/Optum360 12,900,000
LabCorp 7,700,000
BioReference Laboratories/Opko Health 422,600
Penobscot Community Health Center 13,000
Clinical Pathology Associates 2,200,000
Carecentrix 500,000
Austin Pathology Associates 46,500
Seacoast Pathology, Inc 10,000
Arizona Dermatopathology 7,000
American Esoteric Laboratories Unconfirmed
CBLPath Inc. Unconfirmed
Sunrise Laboratories Unconfirmed
Natera Unconfirmed
South Texas Dermatopathology PLLC Unconfirmed
Laboratory of Dermatology ADX, LLC Unconfirmed

 

So far, the protected health information of 23,799,100 individuals is known to have been exposed, and as more providers confirm numbers, that total will continue to swell.

As it stands, the AMCA data breach is the second largest healthcare data breach ever reported, behind Anthem’s 78.8 million-record-breach that was discovered in 2015.

The cost of AMCA’s breach response has been considerable. AMCA has sent more than 7 million breach notification letters, IT consultants have been hired to assist with the investigation, and as of June 19, 2019, $3.8 million had been spent on the breach response. $2.5 million of that came from RMCB CEO Russell Fuchs, who lent the company the money to cover the cost of the breach notifications. RMCB has since filed for Chapter 11 protection.

AMCA will also be investigated by state attorneys general and the HHS’ Office for Civil Rights to determine whether the breach could be attributed to poor security and noncompliance with HIPAA. OCR has previously fined defunct companies for historic HIPAA violations. Bankruptcy does not offer protection against regulatory fines.

The post AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records appeared first on HIPAA Journal.

Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules

Posted by HIPAA Journal

New rules for hospitals have been implemented in Idaho that give patients new rights. The rules were implemented by the Idaho Department of Health and Welfare (IDHW) and are effective from July 1, 2019.

The new rules were suggested by patient advocacy groups and “incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals,” according to IDHW. The policies align with the MyHealthEData initiative, which was launched in 2018 with the aim of removing the barriers to secure access to electronic medical records.

Under previous state law, critical access hospitals (CAHs) were not required to comply with many of the regulatory conditions that applied to other healthcare providers. The new rules change that, which will mean new policies and procedures will need to be implemented by CAHs. That will come with a considerable administrative burden.

The new rules apply to all hospitals in Idaho as well as any provider that renders services in hospitals. All hospitals and providers have been advised to check their policies and procedures to make sure they are compliant with the new rules.

The main purpose of the new rules is to improve patient rights and make it easier – and quicker – for patients to obtain copies of their health information and access to their EHRs.

As required by HIPAA, patients must be provided with a copy of their medical records on request within 30 days of the request being received. Under the new rules in Idaho, access to EMRs must be provided within 3 days of the request being received. The copy must also be provided in a readily readable format on a popular portable media storage device.

HIPAA limits the amount that can be charged for providing patients with copies of their health information. The new Idaho rules further protect patients by only permitting hospitals to charge a reasonable fee for labor and restricting the charges for copies to the cost of copying at the local library.

A patient’s right to privacy has been further protected. Patients have the right to privacy when personal care is being provided, which extends to continuous observation and video and audio monitoring of patients. As of July 1, 2019, hospitals are not permitted to record video or audio, except in common areas, without first obtaining written consent from the patient. Those recordings must then be included in a patient’s medical record.

The new rules also cover notices of discontinuation of care, advance directives, obtaining and documenting informed consent, patient safety, patient grievances, restraint and seclusion, and law enforcement restraints.

The post Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules appeared first on HIPAA Journal.

HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana

Posted by HIPAA Journal

The Secretary of the U.S. Department of Health and Human Services (HHS) has issued a limited waiver of HIPAA sanctions and penalties in Louisiana due to the devastation likely to be caused by Tropical Storm Barry as it made landfall on July 13 as a hurricane. The HHS announced the public health emergency in Louisiana on Friday July 12, 2019.

The waiver only applies to healthcare organizations in the emergency area and only for the length of time stated in the declaration. The waiver only applies to specific provisions of the HIPAA Privacy Rule and only for a maximum period of 72 hours after the hospital has implemented its emergency protocol.

Once the time period for the waiver ends, healthcare providers will be required once again to comply with all aspects of the HIPAA Privacy Rule, even for patients still under their at the time the declaration ends, even if the 72-hour time window has not expired.

While a waiver has been issued, the Privacy Rule does not prohibit the sharing of protected health information during disasters to assist patients and make sure they get the care they require. That includes sharing some health information with friends, family members and other individuals directly involved in a patient’s care.

The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief efforts without first obtaining permission from patients.

During natural disasters the HIPAA Privacy and Security Rules remain in effect, although following the secretarial declaration, sanctions and penalties against HIPAA covered entities are waived for the following aspects of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

“We are working closely with state health and emergency management officials to anticipate the communities’ healthcare needs and be ready to meet them,” said Secretary Azar. The HHS emergency declaration and limited HIPAA waiver can be viewed on this link (PDF).

The post HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana appeared first on HIPAA Journal.

Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance

Posted by HIPAA Journal

Compliancy Group is offering healthcare professionals an opportunity to take part in a webinar covering the main threats facing the healthcare industry.

Threats such as ransomware, malware, and phishing will be discussed by compliance experts in relation to HIPAA and the privacy and security of patient data.

Cybersecurity has become more important than ever in healthcare. The industry is seen as a weak target by hackers, large volumes of data are stored, and patient information carries a high value on the black market.

April 2019 saw the highest number of healthcare data breaches in a single month and more healthcare data breaches were reported in 2018 than in any other year to date. The increased frequency of attacks on organizations of all sizes highlights just how important cybersecurity has become.

Cyberattacks are not only negatively affecting businesses in the healthcare sector, but also place the privacy of patient’s health information at risk. While it was once sufficient to implement standard security tools, the sophisticated nature of attacks today mean new solutions are required to protect against cyberattacks.

Protecting against cyberattacks while ensuring compliance with HIPAA can be a challenge and oversights could easily lead to a costly breach or regulatory fine.

In the latest Compliancy Group webinar, compliancy experts will walk you through the inns and outs of the regulations and you can find out more about cybersecurity with respect to the requirements of HIPAA and HITECH.

Webinar:

Ransomware, Malware, Phishing, Oh My!

Wednesday, July 10th

2:00 ET/11:00 PT

Advance Registration

The post Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance appeared first on HIPAA Journal.

CMS Uses Weak ID Verification and Has No Plans to Change

Posted by HIPAA Journal

According to a recent Government Accountability Office (GAO) audit, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) is using an outdated and weak method of remote ID verification which is no longer considered to provide sufficient protection against fraud.

The CMS website, which is used to find federal income-based financial subsidies and private health insurance, uses knowledge-based verification to confirm an individual’s identity. Individuals are asked to confirm their name, address and date of birth and are then asked questions to which only they would know the answer, such as information found in their credit file.

While knowledge-based ID verification based on entries in a credit file does provide a good level of security, that all changed with the massive data breach at Equifax. A great deal of personal information was stolen by hackers – information that could be used to answer security questions. Without a more secure system of ID verification, Americans will be at risk of fraud.

There are several alternative methods for ID verification that provide a greater level of security and protection against fraud, such as the use of a mobile phone to take a photo of an ID document which is compared to the document on file. Alternatively, instead of using credit files, entries in an individual’s mobile phone records could be used. Several federal agencies have attempted to strengthen their remote ID verification methods but have struggled with implementing new solutions.

GAO conducted audits at six agencies following the Equifax breach to assess the extent to which new methods of verification had been implemented. Two of the six agencies have now transitioned to new forms of ID verification (General Services Administration (GSA) and the Internal Revenue Service (IRS)).

The Department of Veterans Affairs (VA) has partially transitioned, but still uses knowledge-based verification for some individuals. The Social Security Administration (SSA) and the United States Postal Service (USPS) are committed to eliminating knowledge-based ID verification, but do not yet have a formal plan or timescale for doing so.

Only the CMS is using knowledge-based ID verification and has no plans to reduce or eliminate knowledge-based ID verification in the future. Healthcare.gov only has email address confirmation, even though that only confirms that the user who provided the information also owns the email account used to create the account.

Several reasons have been given as to why alternative methods of ID verification are not suitable, including cost, the lack of viable solutions, and implementation difficulties. One difficulty is not everyone possesses a mobile device, so mobile-based verification is not universal solution.

The reason given for not changing Healthcare.gov was it was not cost-effective; however, GAO pointed out that NIST guidance does not permit federal agencies to use knowledge-based verification simply because it is cost effective to do so.

CMS also argued that NIST guidance was insufficient. GAO agreed that more could be done and has called for NIST to issue further guidance that can be followed by federal agencies to implement more secure ID verification methods.

GAO has urged CMS to continue to explore alternative options. “Until CMS takes steps to develop a plan with time frames and milestones to eliminate the use of knowledge-based verification, CMS and Healthcare.gov applicants will remain at an increased risk of identity fraud,” wrote Gao in the report.

GAO has also called for the Office of Management and Budget (OMB) to issue guidance to federal agencies requiring them to report their progress in adopting more secure ID verification methods.

The post CMS Uses Weak ID Verification and Has No Plans to Change appeared first on HIPAA Journal.

OCR Clarifies Allowable Uses and Disclosures by Health Plans for Care Coordination and Continuity of Care

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has issued new HIPAA guidance for health plans on how protected health information can be shared to support care coordination and continuity of care.

The guidance, which is in the form of an FAQ, answers two questions commonly asked by health plans:

Can PHI be disclosed to another health plan for care coordination purposes?

OCR has confirmed that the HIPAA Privacy Rule allows PHI to be used and disclosed for healthcare operations, so it is possible to share PHI with another health plan or other covered entity if doing so is necessary for the entity’s own healthcare operations. PHI can also be shared with another health plan for the recipient’s healthcare operations provided the following conditions are met: Both entities have or had a relationship with the individual, the disclosure pertains to that relationship, and the healthcare operation is one permitted by HIPAA (See 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4))

Case management and care coordination are included in permitted ‘healthcare operations,’ so they are permitted without patient authorization, but any disclosures should be limited to the minimum necessary information.

Can a health plan use and disclose PHI to inform individuals about other available health plans, without first obtaining authorization and Is this possible if PHI was received for another purpose?

Uses and disclosures of PHI for marketing purposes is generally not permitted without prior authorization. Using PHI for the purposes of offering an individual a different health plan could be seen to be marketing and would therefore only be permitted with prior authorization.

However, there are exceptions to marketing rule. Marketing communications are permitted face to face – 5 CFR 164.508(a)(3)(i) and HIPAA also does not count communications regarding replacements to, or enhancements of, existing health plans, provided the covered entity is not receiving financial remuneration for the communications. (See 45 CFR 164.506(c)(1) and 45 CFR 164.501). It is also permitted to use PHI that has been received for another purpose if the above conditions are met.

You can view the new OCR FAQ on this link.

The post OCR Clarifies Allowable Uses and Disclosures by Health Plans for Care Coordination and Continuity of Care appeared first on HIPAA Journal.

Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation

Posted by HIPAA Journal

A former patient care coordinator at University of Pittsburgh Medical Center (UPMC) has received a 1-year jail term for accessing the medical records of patients and using that information to cause malicious harm.

Sue Kalina, 62, of Butler, PA, had previously worked at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network as a patient care coordinator. On March 30, 2016, while employed by UPMC, Kalina first started accessing patients’ medical records without authorization. She continued to do so until June 15, 2017.

Kalina accessed the records of friends, old classmates, and individuals that she had an aggrievance with. She used information from the medical records in a campaign of vengeance against her former employer, Frank J. Zottola Construction.

Kalina had worked at the firm as office manager for 24 years before losing the position and being replaced by a younger woman. Kalina accessed that woman’s medical records and disclosed gynecological information about the moan to the Zottola controller in June 2017. Kalina also left a voicemail message in which the medical information of the new office manager and one other Zottola employee was disclosed.

Zottola informed UPMC and Kalina was terminated. She was later hired by Allegheny Health Network where she is alleged to have continued to access patient records without authorization. In total, Kalina accessed the records of 111 patients without authorization.

Kalina took responsibility for her actions but claimed she was going through a difficult time in her life and had health issues. She also claimed she was not aware she was breaking the law and thought she was not prohibited from looking at patient files. Kalina and her legal team were seeking probation due to Kalina’s ongoing family commitments.

Prosecutors argued Kalina had been provided with HIPAA training and was aware that she was breaking the law and to claim ignorance of that was ‘a complete farce.” The U.S. attorney’s office sought a jail term of between 6 and 12 months.

At sentencing, U.S. District Judge Arthur Schwab opted for a jail term at the top end of that scale as the crime was particularly ‘egregious.’ Kalina was sentenced to 12 months in jail followed by 3 years of probation. During that time frame Kalina is not permitted to have any contact with any of the 111 victims.

The post Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation appeared first on HIPAA Journal.

2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee

Posted by HIPAA Journal

Mishawaka, IN-based Franciscan Health has discovered the protected health information of approximately 2,200 patients has been accessed by a former employee without authorization.

The privacy violation was discovered during a routine privacy audit. Franciscan Health announced that it was confirmed on May 24, 2019 that an employee in the quality research department had accessed the electronic medical records of patients without authorization and with no legitimate work reason for doing so.

The individual concerned is no longer employed by Franciscan Health and the matter has been reported to law enforcement. While unauthorized PHI access was confirmed, Franciscan Health found no evidence to suggest that the employee copied, transmitted, or disclosed any patient information.

Patient information was stored in Franciscan Health’s medical record system, which has been in use since 2012. Through that system, the former employee accessed patient records containing information such as names, addresses, email addresses, dates of birth, phone numbers, gender information, race/ethnicity, last four digits of social security numbers, and medical record numbers.

For certain patients, the following information may also have been accessed: Physician name, diagnoses, lab test results, medications, other treatment information, driver’s license numbers, emergency contact information, and insurance claims information. The records contained the full Social Security numbers of a small subset of patients.

All patients whose protected health information was compromised will be notified by mail and provided with information on how they can sign up for identity theft protection services.  Franciscan Health will cover the cost of those services for 2 years.

Medical Records Abandoned Outside Shuttered Chicago Medical Center

City crews have begun a clean up operation to remove boxes of medical records that have been abandoned outside a shuttered medical center in the Chatham area of Chicago, IL.

Boxes of medical records containing sensitive patient information had been dumped outside the former Medical Professional Home Healthcare center.

The Medical Professional Home Healthcare center was run by Carmen Dooley. In April 2017, the state health medical department license for Dooley and her business expired and was not renewed. The Illinois Department of Public Health visited the property and found it to be unoccupied with utilities cut off. The owner of the business could not be contacted and the agency was decertified by Medicare in 2017.

According to a recent report on CBS, the records had been stored in storage containers on the property. However, the containers were removed and their contents were dumped on site in 5-foot high piles. Some owners of local properties said the records had been there for months and some paperwork containing sensitive information had blown into their years. According to the report, Dooley had not authorized the removal of the storage containers and was unaware that the records had been abandoned.

The post 2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee appeared first on HIPAA Journal.