Healthcare Data Privacy

Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy

Posted by HIPAA Journal

Facebook is making changes to Facebook Groups used to discuss health conditions. The move comes following criticism that Facebook Groups were being promoted as private and confidential when information about participants in health groups was being made available to third parties for advertising purposes.

In January, a complaint was filed with the Federal Trade Commission alleging the content of private Facebook health groups had been shared with third parties. Some members of these health support groups claimed they had been targeted by advertisers who had offered products and services related to health conditions that had only ever been discussed in closed, private Facebook health groups.

The groups are used by individuals with health conditions to obtain advice and receive support. Groups have been set up to help people with a wide range of health conditions, including cancer, substance abuse disorder, and mental health issues. Information was being openly discussed by members of the groups in the belief that the groups were confidential. Not only were advertisers able to contact members of these groups, it was also possible for members of the public to find out the names of people who were members of the groups.

Facebook was accused of deceptively soliciting patients to sign up and use closed and private health groups when their personal health information was actually being used to generate advertising income.

In response to the complaint, Facebook has made changes that will allow users to post information anonymously in health groups. The groups will be given a special designation – Health Support Group – and will be treated differently to other Facebook Groups. Members of the groups will be allowed to request that group administrators post messages on their behalf. This measure will allow posts to be made that will not be tied to a user’s Facebook profile and their name will not appear on those posts. The move was announced by Facebook founder, Mark Zuckerberg, at Facebook’s annual developer conference.

While the move is a step in the right direction and will help to ensure that comments can be posted in confidence, a group administrator will be able to tie a comment to a particular user and information discussed in the groups will still be able to be used for advertising purposes.

Facebook is not an entity covered by HIPAA Rules and neither is it a business associate of HIPAA-covered entities, so it is not required to comply with HIPAA’s Privacy and Security Rules.  To protect the privacy of consumers, what is needed is a federal law to limit the collection and use of users’ sensitive information and to prevent social media and other tech companies from engaging in deceptive practices.

This is not the only Facebook issue concerning health data to have come to light in recent months. Third-party health app developers were discovered to be sharing users’ data with Facebook and, in some cases, without users’ consent. The issue was highlighted in a report in the Wall Street Journal and was viewed by many to be a serious violation of privacy. Facebook’s response was that its policies strictly prohibit app developers from sharing the sensitive health information of app users with Facebook and it is the responsibility of app developers to make sure sensitive information is not sent to Facebook.

The post Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy appeared first on HIPAA Journal.

MD Anderson Cancer Center Fires Three Scientists Over Concerns About Theft of Research Data

Posted by HIPAA Journal

MD Anderson Cancer Center, the world’s leading cancer research center, has recently fired three scientists with strong links to China over espionage fears after being alerted by the National institutes of Health (NiH) to irregularities involving grant recipients.

NiH, the largest public funder of biomedical research in the United States, had been instructed by federal officials to investigate certain professors who were believed to be in violation of granting agency policies.

NiH, assisted by the FBI, discovered potential conflicts of interest and unreported foreign income by five members of MD Anderson staff. NiH sent emails to MD Anderson in 2018 and demanded a response within 30 days.

The failure to take action could potentially result in NiH withholding essential funding. MD Anderson received $148 million in NiH grants in 2018.

In response to the accusations, MD Anderson conducted an investigation and initiated termination procedures for three professors, two of whom resigned from their posts before proceedings started. The fourth professor was investigated but termination was not deemed to be warranted. The investigation into the fifth professor is ongoing. Three of the professors concerned are ethnically Chinese and all are of Asian origin.

The firings were in relation to possible diversion of intellectual property, failure to disclose substantial resources from other institutions, and the sharing of confidential information on grant applications.

“We have an obligation to do all we can to protect our intellectual property and all state and federal resources entrusted to us,” said MD Anderson President Peter Pisters, MD. “We must be vigilant in protecting the outstanding work of our faculty and ensuring our continued ability to conduct world-class research in our pursuit to end cancer.”

According to the Houston Chronicle, which reported on the terminations, NiH has sent similar emails to dozens of other organizations voicing concerns about certain individuals who may have been recruited by foreign governments to steal proprietary research information. It is likely that these three actions will be the first of many over the coming weeks.

Concern has been growing recently about scientific research conducted in the United States being stolen by China and other foreign governments. The information is used to run ‘shadow laboratories’ overseas to benefit those countries.

The FBI has reported that up to $600 billion is being lost each year to intellectual property theft. FBI Director Christopher Wray said China is the biggest threat and is engaging in espionage in all 50 states across multiple industries.

The post MD Anderson Cancer Center Fires Three Scientists Over Concerns About Theft of Research Data appeared first on HIPAA Journal.

New Washington Breach Notification Law Unanimously Passed by Legislature

Posted by HIPAA Journal

A new data breach notification law (HB 1071 / SB 5064) has been unanimously passed by the Washington legislature and awaits Washington Governor Jay Inslee’s signature. The law broadens the definition of personal information and shortens the timescale for issuing notifications to 30 days.

Currently, data breach notification laws in Washington only require entities to issue notifications in the event of a breach of a state resident’s name along with a Social Security number, state ID, driver’s license number, or credit/debit card number.

The updated breach notification law will also require notifications to be issued in the event of a breach of the following data elements:

  • Full date of birth
  • Military ID numbers
  • Biometric data
  • Passport ID numbers
  • Student ID numbers
  • Medical histories
  • Health insurance ID numbers
  • Usernames and email addresses in combination with a password or answers to security questions that would allow an account to be accessed.
  • Keys for electronic signatures

With the exception of online account credentials, the new data elements could be classed as personal information even if they are not combined with an individual’s first and last name.

Notifications will need to be issued if one or more of the above data elements is compromised and has not first been made unusable – through encryption – and if the breach of that information is reasonably likely to place an individual at risk of harm.

The timescale for issuing notifications has been reduced from 45 days to 30 days after the discovery of a breach, although notifications should be issued in the most expedient time possible and without unreasonable delay. A notification must also be sent to the state Attorney General within the same timeframe.

As is the case in California, the new data breach notification law stipulates the information that must be included in breach notification letters. The letters must state the date of the breach, the discovery date, its duration (if known), and the types of information that were compromised or exposed. The Attorney General notification must also include the number of state residents affected (or an estimate if the actual number is not known) and the steps that have been taken to contain the breach.

Healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to be in compliance with the new breach notification law if they are in compliance with section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The post New Washington Breach Notification Law Unanimously Passed by Legislature appeared first on HIPAA Journal.

Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

Posted by HIPAA Journal

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017.

Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted.

The drives contained the types of information sought by identity thieves: Names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project.

While the hard drive was stolen, Washington State University maintains there are no indications any data stored on the devices have been accessed or misused. Some of the plaintiffs named in the lawsuit alleged they have suffered identity theft/fraud as a result of the breach, but the university maintains that such cases were not the result of the stolen hard drive. The decision was taken to settle the lawsuit to save money. The settlement, while high, is believed to be far lower than the continued cost of legal action.

In January 2019, a settlement of $5.26 million was agreed by the WSU Board of Regents. While the final settlement is lower, it does not include the cost of credit monitoring and identity theft protection services for individuals impacted by the breach. In addition to settlement amount, Washington State University will cover the cost of two years of credit monitoring and identity theft protection services for up to 1,193,190 patients impacted by the breach.

The final cost will depend on the number of individuals who submit claims. WHU will accept claims up to $5,000 from individuals impacted by the breach to cover out-of-pocket expenses and lost time, provided those costs can be proven. The fund for covering those claims is $3.5 million. If that total is exceeded, claim amounts will be reduced pro rata. Approximately $800,000 has been set aside to cover attorneys’ fees and a further $650,000 will cover administrative costs. Washington State University was covered by a cyber-liability insurance policy which will cover the settlement.

The university has also agreed to update policies and procedures and enhance security. Backup data will now be stored in a more secure location, data security assessments and audits will be regularly conducted, and additional training will be provided to staff. IT contracts in relation to the research project will be cancelled and those functions will be handled in house and archived data from the research project will be permanently destroyed.

The settlement highlights the importance of using encryption to protect stored data, especially data stored on portable electronic devices. In the event of loss or theft of a device, data cannot be accessed and such an incident would not be classed as a reportable breach.

The post Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million appeared first on HIPAA Journal.

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

Posted by HIPAA Journal

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.

Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%).

Out of the five core functions of the NIST CSF – Identify, detect, protect, respond, and recover – conformance was lowest for detect.

Even though conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare organizations were found to be falling short. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst with an average of 67% conformance.

Even when organizations were complying with HIPAA Rules, significant security gaps were identified, which clearly demonstrated compliance does not necessarily equate to security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still significant room for improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. Many organizations had missing policies and procedures and improper postings. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, falling from 94% in 2017 to 72% in 2018. CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018.

CynergisTek also found that insider breaches continue to be a major challenge for healthcare organizations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. 74% of cases involved employees accessing the health records of household members, 10% involved accessing the records of VIPs that were treated at the hospital. 8% of cases involved accessing the health records of co-workers and 8% involved accessing neighbors’ health records.

Business associates were found to be a major security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many cases, healthcare organizations were not proactively assessing their vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.

The post Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules appeared first on HIPAA Journal.

March 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

In March 2019, healthcare data breaches continued to be reported at a rate of almost one a day. 30 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is 11% higher than the average of the past 60 months.

HEalthcare data breaches by month

The number of reported breaches fell by 6.67% month over month and there was a 58% decrease in the number of breached healthcare records. March saw the healthcare records of 883,759 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches.

healthcare records exposed by month

Causes of March 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 83.69% of all compromised records (739,635 records).

There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft incidents reported, which involved a total of 23,960 records.

The biggest data breach was reported by Navicent Health – A phishing attack in which the records of 278,016 patients were potentially accessed and copied by the attackers. A similarly sized data breach was reported by ZOLL Services, which impacted 277,319 individuals. The ZOLL Services breach occurred at one of its business associates. It’s email archiving company accidentally removed protections in its network server. It is unclear whether those records were accessed by unauthorized individuals during the time the information was accessible.

Causes of March 2019 healthcare data breaches

Largest Healthcare Data Breaches Reported in March 2019

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
1 Navicent Health, Inc. Healthcare Provider 278,016 Hacking/IT Incident Email
2 ZOLL Services LLC Healthcare Provider 277,319 Hacking/IT Incident Network Server
3 LCP Transportation, Inc Business Associate 54,528 Unauthorized Access/Disclosure Email
4 Superior Dental Care Alliance Business Associate 38,260 Hacking/IT Incident Email
5 Superior Dental Care Health Plan 38,260 Hacking/IT Incident Email
6 St. Francis Physician Services Healthcare Provider 32,178 Hacking/IT Incident Network Server
7 Palmetto Health Healthcare Provider 23,811 Hacking/IT Incident Email
8 Gulfport Anesthesia Services, PA Healthcare Provider 20,000 Theft Other
9 Women’s Health USA, Inc. Business Associate 17,531 Hacking/IT Incident Desktop Computer, Email
10 Verity Medical Foundation Healthcare Provider 14,894 Hacking/IT Incident Email

 

Location of Breached Protected Health Information

Email incidents dominated the March 2019 healthcare data breach reports with 12 incidents reported that involved ePHI stored in emails and/or email attachments. The vast majority of those email breaches were phishing attacks. There were 7 hacking/IT incidents involving network servers – A combination of ransomware attacks, hacks, and the accidental deactivation of security solutions.

causes of march 2019 healthcare data breaches

March 2019 Healthcare Data Breaches by Covered Entity

Healthcare providers reported the most healthcare data breaches in March with 21 reported incidents. 4 breaches were reported by health plans and there were 5 data breaches reported by HIPAA business associates.  A further three breaches had some business associate involvement.

March 2019 healthcare data breaches by covered entity type

Healthcare Data Breaches by State

Healthcare organizations/business associates based in 18 state reported data breaches in March 2019. Three data breaches were reported in each of California, Ohio, and Pennsylvania. Two breaches were reported in each of Arizona, Idaho, Maryland, Massachusetts, Minnesota, Oregon, and South Carolina. One breach was reported in each of Arizona, Connecticut, Florida, Georgia, Indiana, Mississippi, New York, and Oklahoma.

HIPAA Enforcement in March 2019

The HHS’ Office for Civil Rights did not agree any fines or settlements in March 2019; however, the Texas Department of Aging and Disability Services has agreed to a financial penalty over a 2015 data breach.

Texas approved a settlement of $1.6 million to resolve alleged HIPAA violations discovered during the investigation of an 8-year data breach that was reported in June 2015. OCR has yet to confirm the settlement publicly.

There were no HIPAA-related financial penalties agreed with state attorneys general in March 2019.

The post March 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter.

Healthcare organizations are attractive targets for hackers due to quantity of sensitive data they store. Individual’s protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals.

Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value cybercriminals. The information can be used by foreign governments to drive innovation.

There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits.

An advanced persistent threat (APT) is a term used to refer to repeated cyberattacks that attempt to exploit vulnerabilities to gain access to information systems. These attacks are often sophisticated, but even relatively simple attacks are dangerous due to their persistence.

The aim of the attacks is to stealthily gain access to information systems and steal information over a long period of time. “Advanced” comes from the techniques used to access networks and remain undetected, such as the use of malware. “Persistent” refers to the length of time that systems are accessed and information is stolen. Several APT groups have succeeded in gaining access to healthcare IT systems in the United States and have used that access to steal sensitive patient information and propriety healthcare data.

Zero-day exploits – or zero-day attacks – involve the use of previously unknown vulnerabilities to attack organizations. By their very nature, these types of attacks can be difficult to prevent. Since the vulnerabilities are only known to hackers, no patches exist to correct the flaws.

Oftentimes, vulnerabilities are discovered as a result of them being exploited. Patches are promptly released to correct the flaws, but hackers will continue to take advantage of the vulnerabilities until systems are patched. It is therefore essential to apply patches promptly and ensure that all operating systems and software are kept up to date.

Once a zero-day vulnerability is publicly disclosed it doesn’t take long for an exploit to be developed. Oftentimes, exploits for recently discovered vulnerabilities are developed and used in attacks within days of a patch being released.

If patches cannot be applied promptly, such as if extensive testing is required, it is important to implement workarounds or other security controls to prevent the vulnerabilities from being exploited. The use of encryption and access controls can help to ensure that even if access to a network is gained through the exploitation of a vulnerability, damage is minimized.

OCR has warned of the danger of combination attacks involving APTs and zero-day exploits, such as the use of the NSA’s EternalBlue exploit. Within days of the exploit being made available online, it was incorporated into WannaCry ransomware which infected hundreds of thousands of computers around the world. A patch for the vulnerability that EternalBlue exploited was released by Microsoft 2 months before the WannaCry attacks. Organizations that patched promptly were protected against the exploit and WannaCry.

Healthcare organizations and their business associates can Improve their defenses against zero-day exploits and APTs by implementing measures outlined in the HIPAA Security Rule. OCR has draw attention to the following requirements of the Security Rule which can help prevent and mitigate zero-day exploits and APTs:

The post OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits appeared first on HIPAA Journal.

Amazon Launches New System for De-identifying Medical Images

Posted by HIPAA Journal

Amazon has announced that it has developed a new system that allows identifying protected health information contained in medical images to be automatically removed to prevent patients from being identified from the images.

Medical images often have patients’ protected health information stored as text within the image, including the patient’s name, date of birth, age, and other metrics. Prior to the images being used for research, authorization must be obtained from the patient or all identifying data must be permanently removed.  Removing PHI from images requires a manual check and alteration of the image to redact the PHI and that can be an expensive and time-consuming process, especially when large number of images must be de-identified.

The new system uses Amazon’s Rekognition machine-learning service, which can detect and extract text from images. The text is then fed through Amazon Comprehend Medical to identify any PHI. In combination with Python code it is possible to quickly redact any PHI in the images. The system works on PNG, JPEG, and DICOM images.

A confidence score is provided by the service which indicates the level of confidence in the accuracy of the detected entity, which can form the basis of reviews to make sure that information has been correctly identified. The desired confidence level – from 0.00 to 1.00 – can be set by the user. A confidence level of 0.00 will see all text identified by the service be redacted.

Amazon says the system allows healthcare organizations to de-identify large numbers of images quickly and inexpensively. Amazon notes that the system can be used to batch process thousands or millions of images. Also, once an image has been processed and the location of PHI has been identified, it is possible to associate a Lambda function to automatically redact PHI from any new images when they are uploaded to an Amazon S3 bucket.

The post Amazon Launches New System for De-identifying Medical Images appeared first on HIPAA Journal.

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

Posted by HIPAA Journal

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed.

According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug, propofol, from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego.

During the time that the cameras were recording 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped.

A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts.

The lawsuit states that, “At times, defendants’ patients had their most sensitive genital areas visible.” The position of the laptop cameras was such that patients’ faces could be seen in the recordings and, as such, patients could be identified from the recordings.

The lawsuit alleges the video recordings could be accessed by multiple individuals including medical and non-medical staff and strangers via desktop computers. Controls had not been implemented to log which users had gained access to the video recordings or why the videos had been viewed.

The plaintiffs allege that many of the computers on which the videos were stored have since been replaced or refreshed and that Sharp has destroyed many of the videos; however, Sharp could not confirm whether those files were securely erased and if they could potentially be recovered.

The lawsuit was originally filed in 2016 but was denied class certification. The case has now been re-filed. 81 women who received surgical procedures in the operating rooms during the period in which the cameras were active have been included in the lawsuit and hundreds more women are expected to join.

The plaintiffs allege their privacy was violated as a result of the unlawful recording of video footage, there was a breach of fiduciary duty, negligent infliction of emotional distress, and that the failure to secure the video footage and ensure it was permanently destroyed amounts to gross negligence.

As a result of the actions of Sharp, “Plaintiffs suffered harm including, but not limited to, suffering, anguish, fright, horror, nervousness, grief, anxiety, worry, shock, humiliation, embarrassment, shame, mortification, hurt feelings, disappointment, depression and feelings of powerlessness,” states the lawsuit.

The plaintiffs are seeking a jury trial.

The post Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations appeared first on HIPAA Journal.