Healthcare Data Privacy

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules.

On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate.

Business associates of HIPAA Covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.


You can download the HHS Fact Sheet on direct liability of business associates on this link.


Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the HHS determined that the language of the HITECH Act called for a maximum financial penalty of $1.5 million for violations of an identical provision in a single year. That maximum penalty amount was applied across the four penalty tiers, regardless of the level of culpability.

A re-examination of the text of the HITECH Act in 2019 saw the HHS interpret the penalty requirements differently. The $1.5 million maximum penalty was kept for the highest penalty tier, but each of the other penalty tiers had the maximum possible fine reduced to reflect the level of culpability.

Subject to further rulemaking, the HHS will be using the penalty structure detailed in the infographic below.


The post HHS Confirms When HIPAA Fines Can be Issued to Business Associates appeared first on HIPAA Journal.

Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000.

MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary.

Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days between May 7 and May 26, 2015. 239 of its healthcare clients were impacted by the breach.

OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules.

OCR discovered MIE had failed to conduct an accurate and thorough risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – a violation of the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(1)(ii)(A).

As a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI, in violation of 45 C.F.R. § 164.502(a).

MIE chose to settle the case with OCR with no admission of liability. In addition to paying a financial penalty, MIE has agreed to adopt a corrective action plan that requires a comprehensive, organization-wide risk analysis to be conducted and a risk management plan to be developed to address all identified risks and reduce them to a reasonable and acceptable level.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

While the settlement releases MIE from further actions by OCR over the above violations of HIPAA Rules, MIE is not out of the woods yet. In December 2018, a multi-state lawsuit was filed against MIE by 12 state attorneys general over the breach.

The lawsuit alleged there was a failure to implement adequate security controls, that known vulnerabilities had not been corrected, encryption had not been used, security awareness training had not been provided to staff, and there were post-breach failures at MIE. That lawsuit has yet to be resolved. It could well result in a further financial penalty for MIE.

This is OCR’s second financial penalty of 2019. Earlier this month, a $3,000,000 settlement was agreed with Touchstone Medical Imaging to resolve multiple HIPAA violations, several of which were related to the delayed response to a data breach.


PHI of 1.5 Million Individuals Exposed Online by Inmediata

In April, Inmediata, a provider of clearinghouse services to healthcare organizations, announced that the protected health information of certain patients had been exposed online as a result of a misconfigured setting on an internal web page.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 1,565,338 individuals had their PHI exposed. That makes the data breach the largest to be reported in 2019.

The information had been made available to employees through an internal web page, but the failure to configure that page correctly allowed the data to be made accessible over the internet without the need for authentication. The page was indexed by Google and patient information could be found through online searches.

The information had been provided by hospitals, health plans, and independent physicians and included names, addresses, dates of birth, gender, claims data and, for a small number of patients, Social Security numbers.

Inmediata immediately deactivated the web page when it was discovered that patient information had been exposed and a computer forensics firm was retained to conduct an investigation to determine whether any patient information had been accessed by unauthorized individuals during the time it was available online.

While the investigation did not uncover any evidence to suggest that information had been accessed or copied by unauthorized individuals, it was not possible to rule out unauthorized data access entirely.

Inmediata started sending breach notification letters to affected individuals on April 22, 2019. As if suffering such a large data breach was not bad enough, there were further impermissible disclosures of protected information in the breach response.

Individuals reported receiving breach notification letters addressed to other individuals. In addition, several individuals complained that it was not made clear who the company was and why it had their personal information.

You can read more about the mailing error on this link.


AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan

The American Academy of Neurology (AAN) has voiced concerns about the interoperability plans of the Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC).

In February, both ONC and CMS proposed new rules that aim to reduce information blocking and improve interoperability. The AAN supports ONC and CMS efforts to reduce information blocking and improve interoperability. Data blocking and interoperability problems force clinicians to spend more time on clerical work, which means less time is spent providing direct care to patients.

The AAN believes many of the provisions in the new rules are necessary for empowering patients and providers by providing comprehensive access to patient data; however, in a recent letter to CMS Administrator Seema Verma, the AAN has expressed concern about patient safety and security if the ONC and CMS interoperability plans are implemented.

The AAN supports efforts to advance the use of standardized Fast Healthcare Interoperability Resources (FHIR) based APIs to allow patients to easily gain access to their health data, including claims information, lab test results, medications, and clinical notes. Easy access to that information will help with care coordination and will improve patients’ understanding of their conditions and treatments. However, there are potential problems.

“Consistent policies are needed across the board to incentivize and facilitate the exchange of data across systems,” wrote AAN President Ralph L. Sacco. “Many EHRs do not support the robust use of application program interfaces (APIs) for data exchange or are hindered by APIs that are implemented in proprietary ways that inhibit data exchange.” The AAN has also voiced concerns about privacy and security.

The AAN understands that once PHI has been shared through an API it is no longer the responsibility of the provider to protect that information; however, the AAN believes a security framework is required for third-party applications to prevent unauthorized disclosures once PHI has been transmitted by providers.

There is currently no federal regulatory framework to address unauthorized disclosures of PHI outside of enforcement by the FTC. Without a regulatory framework, a burden is placed on providers to ensure that they inform patients of the potential risks, when it should be the responsibility of app developers to ensure that all necessary precautions are taken to ensure PHI is protected. The AAN is seeking clarification on the responsibilities of third-party applications to ensure patient information is protected.

Unauthorized disclosures after PHI has been transferred do not constitute HIPAA violations, but they do have potential to negatively impact a provider’s reputation. Further, explaining the risks to patients may result in patients declining to share their information, which would work counter to CMS’s goal of promoting exchange of data and could detrimentally impact providers’ relationships with their patients.

“Given the sensitive nature of PHI and the paramount importance of trust between patients and providers, the AAN implores CMS and the FTC to ensure that there are clear security guidelines for third-party APIs and that there is robust enforcement to ensure that third-party applications are responsible stewards of patient data,” wrote Sacco.

Concern has also been raised about the sharing of certain types of particularly sensitive information, such as high-risk genetic testing data. If a patient has a genetic test that indicates there is a high probability that the patient will develop an incurable degenerative disease such as Huntington’s disease, prior to that information being shared with patients and their families it is necessary to make sure appropriate counselling is provided. The AAN suggests that that type of information should not be shared through APIs.

The AAN also believes the proposed six-month implementation time scale for many of the proposed changes is much too short. Complying with the new requirements in such a short time frame will place a significant burden on providers. More time has been requested for implementing the proposed system-wide changes.

The College of Healthcare Information Management Executives (CHIME) is also urging the CMS and ONC to extend the timescale for complying with the proposed changes and has suggested an interim rule is required and the time frame for complying should be extended from six months to three years.


April 2019 Healthcare Data Breach Report

April was the worst ever month for healthcare data breaches. More data breaches were reported than in any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years.

While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – a 23.9% reduction from March. While April’s breaches were smaller, the increase in the number of breaches is of great concern, especially the rise in the number of healthcare phishing attacks.

Largest Healthcare Data Breaches in April 2019

Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – a ransomware attack that exposed the records of 206,695 patients.

The ransomware was deployed 7 months after the attacker had first gained access to its systems. The initial access was gained via Remote Desktop Protocol (RDP) on a workstation.

The second largest data breach was reported by the healthcare provider Centrelake Medical Group. The breach resulted in the exposure of 197,661 patients’ PHI and was also a ransomware attack that prevented patient information from being accessed. While the delay between access to the servers being gained and the ransomware being deployed was not as long, it also appeared that the attacker had been exploring the network prior to deploying the malicious software. Access to the server was gained 6 weeks prior to the ransomware being deployed. Ransomware was also used in the attack on ActivYouth Orthopaedics.

| Covered Entity | Entity Type | Records Exposed | Breach Type | Location of Breached PHI |
|---|---|---|---|---|
| Doctors Management Services, Inc. | Business Associate | 206,695 | Hacking/IT Incident | Network Server |
| Centrelake Medical Group, Inc. | Healthcare Provider | 197,661 | Hacking/IT Incident | Network Server |
| Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute | Healthcare Provider | 35,000 | Unauthorized Access/Disclosure | Electronic Medical Record |
| EmCare, Inc. | Healthcare Provider | 31,236 | Hacking/IT Incident | Email |
| Kim P. Kornegay, DMD | Healthcare Provider | 27,000 | Theft | Desktop Computer, Electronic Medical Record, Paper/Films |
| Pediatric Orthopedic Specialties, PA, dba ActivYouth Orthopaedics | Healthcare Provider | 24,176 | Hacking/IT Incident | Network Server |
| Health Recovery Services, Inc. | Healthcare Provider | 20,485 | Unauthorized Access/Disclosure | Network Server |
| Baystate Health | Healthcare Provider | 11,658 | Hacking/IT Incident | Email |
| Riverplace Counseling Center, Inc. | Healthcare Provider | 11,639 | Hacking/IT Incident | Network Server |
| Minnesota Department of Human Services | Healthcare Provider | 10,263 | Hacking/IT Incident | Email |

Causes of April 2019 Healthcare Data Breaches

Hacking/IT incidents outnumbered unauthorized access/disclosure incidents by 2 to 1 in April. 28 of the reported breaches of 500 or more records were due to hacking/IT incidents. There were 14 unauthorized access/disclosure incidents, two cases of theft of PHI, one reported case of loss of paperwork, and one case of improper disposal of PHI.

While 2018 saw a decline in the number of ransomware attacks across all industry sectors, the number of ransomware attacks is increasing once again, and healthcare is the most attacked industry. Remote Desktop Protocol is often exploited to gain access to servers and workstations in order to deploy ransomware.

In May, a Forescout study revealed that the use of vulnerable protocols is common in the healthcare industry. Risk can be reduced by disabling these protocols and, if RDP must be used, by only allowing RDP connections over a VPN.

Phishing attacks also increased considerably in April, which highlights just how vulnerable healthcare organizations are to this type of attack. Advanced anti-phishing and anti-spam solutions can reduce the volume of malicious emails that reach inboxes and combined with regular security awareness training, risk can be reduced.

The use of multi-factor authentication is also important. In the event of credentials being compromised, MFA will prevent those credentials alone from being used to gain access to PHI. MFA is not infallible, but it can ensure risk is reduced to a reasonable and acceptable level. According to Verizon, most credential theft incidents would not have resulted in a data breach if MFA had been implemented.

Hacking/IT incidents resulted in the highest number of compromised records in April 2019 – 384,219 records or 55% of all compromised records in April. The mean breach size was 13,722 records and the median breach size was 4,008 records.

Unauthorized access/disclosure incidents resulted in the exposure of 264,016 records or 38% of the month’s total. While hacking incidents usually result in more records being compromised, these incidents were more severe and had a mean breach size of 18,858 records. The median breach size was 3,193 records.

31,810 records were exposed to loss or theft – 4.6% of the month’s total. The mean breach size was 10,603 records and the median breach size was 4,000 records.


Location of Breached Protected Health Information

Email was the most common location of breached PHI in April. Email was involved in 22 data breaches – 47.8% of all breaches in April 2019. While this category includes misdirected emails, the majority of email breaches were due to phishing attacks.

Network servers were involved in 11 breaches – 23.9% of the month’s breaches – which include malware and ransomware attacks.

Physical records such as paperwork, charts, and films were involved in 6 breaches – 13% of the month’s total.


April Breaches by Covered Entity Type

April was a relatively good month for business associates of covered entities with only two breaches reported and one further breach having some business associate involvement, although a business associate breach was the largest breach of the month.

6 health plans reported breaches in April and the remaining 38 breaches were reported by healthcare providers.


April 2019 Healthcare Data Breaches by State

Data breaches were reported by entities based in 21 states in April. California and Texas were the worst affected, with each state having 5 breaches. Florida, Minnesota, and Ohio each had four breaches, and there were 3 breaches reported by entities in Illinois.

Idaho, Massachusetts, New York, Oregon, Tennessee, and Washington each had 2 breaches and one breach was reported in each of Alabama, Delaware, Louisiana, North Carolina, New Jersey, Pennsylvania, South Dakota, Utah, and West Virginia.

HIPAA Enforcement Activity in April 2019

There were no financial penalties issued by the HHS’ Office for Civil Rights or state Attorneys General in April 2019. The first OCR financial penalty of 2019 was issued in May – a $3,000,000 penalty for Touchstone Medical Imaging for the delayed response to a data breach in which the records of 307,839 patients were exposed.

In addition to the delayed response, there was a failure to issue breach notifications in a reasonable time frame, a failure to notify the media about the breach, two business associate agreement (BAA) failures, insufficient access rights, and a risk analysis failure.


7 Month Delay Notifying HIV Study Participants About Exposure of their Confidential Information

The sensitive information of 24 women diagnosed with HIV has been made available to individuals unauthorized to access that information. Despite the breach being discovered more than 7 months ago, the affected women have still not been notified.

The women were participating in an EmPower Women study at the University of California San Diego (UCSD). All 24 women had been diagnosed with HIV yet had not sought treatment. The HIV research study aimed to explore the reasons why those women had not sought treatment, specifically how substance abuse, domestic violence, trauma, and mental illness affected the decision to seek treatment and commit to treatment programs. To help recruit patients for the study, UCSD partnered with the non-profit organization Christie’s Place, which provides support to women diagnosed with HIV and AIDS.

The plan was to recruit 100 patients for the study and offer half of participants free support and counselling services and the other half were given the option of receiving standard services at Christie’s Place. The researchers would then monitor the outcomes of the two different groups.

The women’s names, audio recordings of interviews with study participants, and other sensitive information were stored in a database used to track clinical care. Access controls should have been implemented to ensure only individuals authorized to view the women’s confidential information could access the data. However, the database could be accessed by everyone at Christie’s Place.

An inewsource investigation revealed not only that the private and confidential information of study participants had been exposed, but despite UCSD being made aware of the privacy violation in October 2018, notification letters had not been issued.

Lead researcher of the study, Jamila Stockman, associate professor at UCSD and Vice Chief of Global Public Health, was made aware that the database was available to all employees, interns, and volunteers at Christie’s Place by a mental health professional.

She brought the privacy breach to the attention of officials at UCSD and continued to push for notifications to be issued in meetings, emails, and study reports. As a result of the failure to take action over the breach, Stockman suspended the study in October 2018.

The failure to take prompt action and issue notifications would constitute willful neglect of HIPAA Rules and would be punishable with a fine in the highest penalty tier. However, the research was entirely funded by the UC system and, as such, is not subject to HIPAA Rules and is beyond the remit of the HHS’ Office for Civil Rights.

Christie’s Place was accused of deliberately adding patient information to the database with full knowledge that it could be accessed by everyone in an effort to inflate the number of patients participating in the study and bill the County of San Diego for more services. That allegation has been denied.

Christie’s Place issued a statement to inewsource confirming its internal investigation concluded there had been no wrongdoing and that “Christie’s Place did not misuse client data, did not breach client data to inflate patient numbers, did not misrepresent the services we provided, and did not improperly bill the County of San Diego.”

After being notified about the breach, UCSD instructed Empower Women to draft a breach notification letter, but the sending of that letter was repeatedly delayed. In March 2019, the decision was finally taken to inform the study participants about the breach, but there was a further delay because, before those notifications could be issued, UCSD wanted to ensure that all study data was securely deleted from Christie’s Place systems. UCSD now plans to send notification letters in the next 2-3 weeks.

inewsource has brought the matter to the attention of County of San Diego officials who will conduct their own investigation and take appropriate action. The inewsource report can be viewed on this link.


CMS and ONC Tell Senate HELP Committee Rapid Progress is Required to Advance Interoperability

The second Senate HELP Committee hearing on the proposed rules for implementing the electronic medical records provisions of the 21st Century Cures Act has taken place this week.

The Committee heard from National Coordinator for Health IT, Donald Rucker, and Centers for Medicare and Medicaid Services Director and Chief Medical Officer, Kate Goodrich, M.D.

The hearings aim to find a way forward to ensure the efficient accessing and sharing of health information between care providers and patients.

The prevention of information blocking is one of the main goals. By allowing health information to flow freely between providers and be shared with patients, the cost of healthcare can be significantly reduced. According to Dr. Brett James of the National Academies, as much as 50% of the costs of healthcare are unnecessary. Patients are having to repeat tests because their information cannot be shared between different healthcare providers and there is considerable duplication of administrative tasks as a result of information blocking.

Earlier this year both the CMS and ONC proposed new rules to tackle the issues of information blocking, EHR usability, and patient empowerment. Goodrich explained that consumers need to be put in the driving seat and be empowered to make decisions about their own healthcare. For that to happen, patients need easy access to their healthcare data. They can then pass that information on to whoever they wish.

The CMS and ONC believe, as set out in their proposed rules, that this goal can be largely achieved through the use of open APIs. APIs have been used in other industry sectors and have “transformed business after business after business,” according to Rucker.

Standards-based API technology should improve the sharing of healthcare data, although Rucker cautioned that for them to work, healthcare business practices that enable information blocking must be dismantled. Rucker suggests that rules preventing information blocking need to be implemented as soon as possible.

While progress needs to be made quickly, Committee Chair Sen. Lamar Alexander, R-Tennessee, warned of moving too quickly and encountering similar problems to those with Meaningful Use. “My major concern is to remind the administration of the advice that my piano teacher used to give me before a recital… Play it a little slower than you can play it, you’re less likely to make a mistake.”

Progress is being made. The CMS has already launched two initiatives (MyHealthEData and Blue Button 2.0) which will require Medicaid fee-for-service, managed care plans, Medicare Advantage Plans and others on the Federal Exchange to maintain secure APIs that allow individuals enrolled in those plans to easily access their own health information. It is hoped that developers will follow suit and build on the work that CMS/ONC has already done in this area.

While everyone wants the goals to be achieved, there is concern that the use of APIs could introduce privacy and security risks. These concerns were shared by Rucker and Goodrich, especially with respect to disclosures of health data to apps.

While apps will undoubtedly be required to receive health data and allow patients to share their health information with others, there are serious concerns as health apps are not well regulated. While there are some FTC regulations covering health apps, they are not covered by HIPAA requirements and are unlikely to be in the future.

If information is disclosed to the apps, patient privacy could be placed in jeopardy. Patients’ health data could be used by app developers and sold on to companies such as Facebook. Patients may not be aware of the implications of what could happen if their health data is disclosed to an app.

After disclosure to an app, healthcare organizations will not be liable for that data – as confirmed by the Office for Civil Rights recently – but patients could be exploited. What happens to data after it has been disclosed to an app is down to a contractual agreement between the patient and the app developer.

The reality is the uses and disclosures of patient data are likely to be hidden in a long list of T&Cs in app privacy policies, which may not be read or understood by patients. There are also few controls over what can be done with that information and how that information is secured.

“How data is secured and used in third-party apps illustrates a pressing issue that is currently part of a national discussion that extends beyond healthcare and into data privacy, stewardship, and regulatory interventions,” said Rucker. At present, patients need to “balance their selection and use of a health app with the potential risk of having negative implications.”

What is clear is there needs to be greater regulation of health apps, especially in light of recent reports about health information being shared with Facebook without user consent.


Key Findings of the 2019 Verizon Data Breach Investigations Report

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of the report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe.

The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape. The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources.

The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below:

  • C-Suite executives are 12 times more likely to be targeted in social engineering attacks than other employees
  • Cyberespionage attacks increased from 13% of incidents in 2018 to 25% in 2019
  • Financially motivated breaches fell from 76% to 71%
  • Phishing is involved in 32% of breaches and 78% of cyberespionage incidents
  • 90% of malware arrived via email
  • 60% of web application attacks were on cloud-based email servers
  • Most email threats and BEC attacks only resulted in data breaches because multi-factor authentication had not been implemented
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved insiders
  • 43% of cyberattacks were on small businesses
  • Ransomware is the second biggest malware threat and accounts for 24% of breaches
  • There has been a six-fold decrease in attacks on HR personnel
  • Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

C-Suite Executives Beware!

C-suite executives are being extensively targeted by cybercriminals and for good reason. They are likely to have high-level privileges, so their accounts and credentials are more valuable. Compromised email accounts can be used for social engineering, phishing, and BEC attacks on other members of the organization and vendors.

Attacks on the C-suite are 12 times more likely than on other employees and C-suite executives are 9 times more likely to be the target of social incidents. These figures show just how important it is for C-suite executives to receive regular security awareness training.

These attacks are part of a trend of cybercriminals choosing the path of least resistance. Why invest time and money into hacking a company when an email can be sent to the CEO or CFO requesting a fraudulent transfer. Hacking a C-suite email account and using it to send wire transfer requests is simple, effective, and highly profitable.

Figures from the FBI, a new DBIR partner in 2019, show the median loss due to BEC attacks is a few thousand dollars. However, there are an equal number of attacks with losses from zero to the median as there are from the median to $100 million. 12% of all breaches were the result of business email compromise attacks.

Cyberattacks on the Healthcare Industry

The 2019 DBIR included 466 healthcare cybersecurity incidents, 304 of which involved confirmed data disclosures.

Out of all industry sectors analyzed, healthcare was the only industry where the number of incidents caused by insiders was greater than those caused by external threat actors. 59% of incidents involved insiders compared to 42% involving external threat actors. Breaches of medical information are 14 times more likely to be caused by doctors and nurses.

The primary motive for attacks on the healthcare industry was financial gain (83%), followed by fun (6%), convenience (3%), grudges (3%), and espionage (2%). 72% of breaches involved medical data, 34% involved personal information, and 25% involved credential theft.

81% of all healthcare cybersecurity incidents fell into one of three patterns: miscellaneous errors such as software misconfiguration, privilege misuse, or web application attacks.

Across all industries, ransomware is involved in 24% of attacks but 70% of those attacks were reported by healthcare organizations. It should be noted that, in most cases, ransomware attacks are reportable breaches under HIPAA. The overall number of attacks in other industry sectors may well be much higher, as many attacked companies choose not to report the incidents and just quietly pay the ransom.

Patterns Identified in Healthcare Data Breaches

Pattern                 Number of Data Breaches
Miscellaneous Errors    97
Privilege Misuse        85
Web Applications        65
Lost and Stolen Assets  28
Everything Else         27
Cyber-Espionage         2
Point of Sale           2
Crimeware               1
Denial of Service       0

Causes of Healthcare Data Breaches

Actions Involved   Incidents   Data Breaches
Error              124         110
Misuse             110         85
Hacking            100         78
Social             91          78
Malware            85          7
Physical Theft     47          17

The post Key Findings of the 2019 Verizon Data Breach Investigations Report appeared first on HIPAA Journal.

Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach.

Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability.

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals.

As a result of the lack of access controls, files had been indexed by search engines and could be found by the public with simple Internet searches. Even when the server was taken offline, patient information could still be accessed over the Internet. The failure to secure the server constituted a violation of 45 C.F.R. § 164.312(a)(1).

The security breach was reported to OCR, but Touchstone initially claimed that no PHI had been exposed. OCR launched an investigation into the breach and during the course of that investigation Touchstone admitted that PHI had in fact been exposed. The types of information that could be accessed over the internet included names, addresses, dates of birth, and Social Security numbers.

In addition to the impermissible disclosure of 307,839 individuals’ PHI – a violation of 45 C.F.R. § 164.502(a) – OCR discovered the security breach had not been properly investigated until September 26, 2014, several months after Touchstone was initially notified about the breach by the FBI, and after notification had been given to OCR. The delayed breach investigation was a violation of 45 C.F.R. § 164.308(a)(6)(ii).

As a result of the delayed investigation, affected individuals did not receive notifications about the exposure of their PHI until 147 days after the discovery of the breach, well in excess of the Breach Notification Rule’s 60-day maximum time limit for issuing notifications. The delayed breach notices were a violation of 45 C.F.R. § 164.404. Similarly, a media notice was not issued about the breach for 147 days, in violation of 45 C.F.R. § 164.406.

During the course of its investigation, OCR discovered that Touchstone had failed to complete a thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI, a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR also identified two cases of Touchstone having failed to enter into a business associate agreement with vendors prior to providing access to systems containing ePHI.

OCR cites the use of an IT services company – MedIT Associates – without a BAA as a violation of 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b), and the use of a third-party data center, XO Communications, without a BAA as a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

In addition, in violation of 45 C.F.R. § 164.308(b), XO Communications continues to be used without a business associate agreement in place.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

The settlement comes just a few days after OCR announced that it had reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. This settlement confirms that while minor HIPAA violations may now attract lower financial penalties, when serious violations of HIPAA Rules are discovered and healthcare organizations fail to take prompt action to correct them, the financial penalties can be considerable.

The post Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures appeared first on HIPAA Journal.