Healthcare Data Privacy

Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity

Posted by HIPAA Journal

Senator Mark Warner (D-Va) has written letters to leaders of the Department of Health and Human Services (HHS), the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), the National Institute of Standards and Technology (NIST), and 12 healthcare associations requesting answers to a list of healthcare cybersecurity questions.

Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, is deeply concerned about the state of cybersecurity in healthcare and is calling for a collaborative effort “to develop a short- and long-term strategy reducing cybersecurity vulnerabilities in the health care sector” and “develop a national strategy that improves the safety, resilience, and security of our healthcare industry.”

The healthcare industry is being targeted by cybercriminals and those attacks are succeeding far too frequently. 2014 was the sixth successive year to see an annual increase in healthcare data breaches. In 2015, another record was broken. The most healthcare records ever breached. 113 million healthcare records were exposed that year.

Even though investment in cybersecurity is increasing, records continue to be broken each year and data breaches have now reached unprecedented levels. 2016 saw the record for the most healthcare data breaches in a single year broken again, and again in 2017, and yet again in 2018. Last year, healthcare data breaches were reported at a rate of one a day. That trend is likely to continue unless action is taken.

2009-2018 healthcare data breaches

In the letters, Warner cited a 2015 GAO report that estimated cyberattacks on the healthcare industry would result in $305 million in losses over a five-year period and a Trend Micro report in the same year which suggests 100,000 healthcare devices and systems have been exposed over the internet.

Healthcare data is of high value to cybercriminals and hospitals store vast quantities of patient data. Successful attacks can be extremely profitable, either through theft and resale of healthcare data or by preventing healthcare providers from accessing patient data through ransomware attacks. Cyberattacks cannot be prevented, but it is possible to improve resilience and stop most of those attacks from succeeding.

As a first step, Warner has asked each agency to supply details of the actions each has taken to identify and reduce vulnerabilities in the healthcare industry, and what each agency has done to develop a national strategy to reduce vulnerabilities. Warner wants to know whether each department and agency has been seeking input from private sector healthcare stakeholders to address vulnerabilities and any potential changes to current laws and regulations that would help to combat cyberattacks on healthcare entities.

Similar questions have been sent to healthcare associations and organizations including the Healthcare Information Management and Systems Society (HIMSS), the American Hospital Association (AHA), the American Medical Association (AMA), and the Health Information Sharing and Analysis Center (H-ISAC). They have been asked to explain the steps that they have taken to improve security awareness and their technical capabilities.

The sheer volume of successful cyberattacks has prompted state regulators to introduce new requirements for entities doing business in their respective states to improve security and privacy protections, but what is also required is a nationwide effort to improve privacy and security. Federal regulators and Congress are taking steps to develop a national cybersecurity strategy. Warner hopes that his efforts will help to speed up that process.

The post Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity appeared first on HIPAA Journal.

Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices

Posted by HIPAA Journal

Several healthcare associations have requested a safe harbor for healthcare organizations that would prevent OCR and state attorneys general from issuing financial penalties for breaches of protected health information if the breached entity has met certain standards for safeguarding protected health information (PHI).

The suggestions were made in response to the Department of Health and Human Services’ request for information (RFI) on potential changes to HIPAA to reduce the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received more than 1,300 comments on possible changes prior to the February 12, 2019 deadline.

The safe harbor was suggested by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA).

Healthcare organizations can adopt cybersecurity frameworks, create layered defenses to keep their networks secure, provide security awareness training to employees, and adopt cybersecurity best practices, yet still experience a data breach.

OCR has already made it clear that its area of focus for enforcement is egregious violations of HIPAA Rules, such as widespread noncompliance and HIPAA-covered entities that have little regard for HIPAA Rules. However, all breaches of 500 or more records are investigated, and if HIPAA violations are discovered, financial penalties could be issued.

It has been argued that entities that have made reasonable efforts to keep patient information private and confidential should not be at risk of significant penalties.

CHIME suggested OCR should create “A safe harbor for providers who have demonstrated they are meeting a set of best practices such as those developed under the public-private effort known as the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).”

The AHA suggested healthcare organizations that experience cyberattacks should be provided with support and resources, and rather than punishing the breached entity, “Enforcement efforts should rightly focus on investigating and prosecuting the attackers.”

Most healthcare organizations take significant steps to prevent successful cyberattacks. The AHA said that when an attack occurs, an investigation is necessary to determine how access to systems and data was gained. Lessons can be learned, safeguards improved, and details of the vulnerabilities and threats should then be shared widely to allow other healthcare organizations to prevent similar attacks.

The AHA suggested there should be “A safe harbor for HIPAA covered entities that have shown, perhaps through a certification process, that they are in compliance with best practices in cybersecurity, such as those promulgated by HHS, in cooperation with the private sector.”

The AMA suggests that “OCR could revise [the HIPAA Security Rule] to include a new clause stating that covered entities that adopt and implement a security framework – such as the NIST Cybersecurity Framework – or take steps toward applying the Health Industry Cybersecurity Practices – the primary publication of the Cybersecurity Act of 2015 Task Group – are in compliance with the Security Rule.”

The AMA also suggests that OCR should change its approach to securing health information from issuing penalties for failures to providing positive incentives to encourage healthcare organizations to improve security and better protect health information.

CHIME stated that the current policy that calls for breaches to be reported and listed on the OCR breach portal in perpetuity is unduly punitive and that there should be a mechanism for removing breached entities from the listings once they have taken actions to correct vulnerabilities that contributed to the breach.

The HHS is now assessing all comments and feedback received in relation to its RFI and will determine which aspects of HIPAA Rules should be changed. A notice of proposed rulemaking will then be issued, although the HSS has not provided a time frame for doing so.

The post Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices appeared first on HIPAA Journal.

New Cybersecurity Requirements for Ohio Health Insurers

Posted by HIPAA Journal

From March 20, 2019, insurance companies in Ohio will be subject to a new law (Senate Bill 273) that requires them to develop and implement a written information security program to safeguard business and personal information.

The information security program must include a comprehensive internal risk assessment to identify risk and threats to systems and data. Following the risk assessment, safeguards must be implemented to protect all nonpublic information that would cause a material adverse impact to business operations or could cause harm to customers if the information were to be exposed or accessed by unauthorized individuals.

Nonpublic information includes financial information, health information, and identifiers such as Social Security numbers, driver’s license numbers, state ID cards, biometric information, account numbers, credit/debit card numbers, security/access codes that permit access to a financial account, and any information (except age or gender) that is created by or derived from a healthcare provider or consumer that could be used to identify an individual in relation to physical/mental health, the provision of healthcare, or payment for healthcare.

The security program must ensure the security of information and information systems is protected, that threats to the security and integrity of information and information systems are mitigated, safeguards must be implemented to prevent unauthorized data access, and a mechanism must be put in place to ensure nonpublic information is permanently destroyed when no longer required.

Licensees are required to designate a party to be responsible for the security program and must identify reasonably foreseeable threats that could threaten the confidentiality, integrity, and availability of nonpublic information. Risks must be assessed for the likelihood of a breach and potential damage that could be caused. Risks must be managed, and safeguards put in place to manage threats must be assessed to ensure they are sufficient. Safeguards’ key controls, systems, and procedures must be reassessed at least annually to ensure they remain effective.

The security program should reflect the size and complexity of the licensee, the nature of its activities, the use of third-party service providers, and the sensitivity of the data.

If a security event is experienced that results in unauthorized access to information systems or nonpublic information that has a reasonable likelihood of resulting in material harm to a consumer or could have an adverse effect normal business operations, the Ohio Superintendent of Insurance must be notified within three days of the discovery of incident if the Licensee is based in Ohio. The Ohio Superintendent of Insurance must also be notified of a security event that affects 250 or more Ohio residents or warrants a notification to a government agency. Notifications must also be issued to consumers affected by the security incident in accordance with other state laws.

The new law applies to all individuals and non-government entities that are licensed under insurance laws in Ohio that have 20 or more employees, more than $5 million in gross annual revenue, or more than $10 million in assets.

Entities that are in compliance with the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to be in compliance with Senate Bill 273.

Licensees will be given one year to comply with the new requirements. The effective compliance date is therefore March 20, 2020.

The post New Cybersecurity Requirements for Ohio Health Insurers appeared first on HIPAA Journal.

New York State Departments Investigate Facebook Over Health Data Sharing Practices

Posted by HIPAA Journal

A recent analysis of Facebook’s data collection practices has revealed sensitive health data is obtained by Facebook from third party apps, even if the user has not logged in via Facebook or does not even have a Facebook account.

Private information including blood pressure measurements, heart rate data, menstrual cycle data, and other health metrics are provided to Facebook, often without the user’s knowledge or any specific disclosure that data provided by users or collected directly by the apps are shared with the ocial media platform.

The investigation was conducted by the Wall Street Journal, which conducted tests on various health-related apps. While it was known that some of those apps send data to Facebook about when they are used, the extent of data sharing was not well understood. The report revealed that 11 popular smartphone apps have been passing sensitive data to Facebook without apparently obtaining consent from users.

One app, Flo Period & Ovulation Tracker, shares dates of a user’s last period with Facebook and the predicted date when the user is ovulating. The Instant Heart Rate: HR Monitor App in the Apple iOS store was found to send users’ heart rate information to Facebook as soon as it is recorded. None of the apps that were found to be sharing sensitive data appeared to offer users a way of opting out of having their data sent to Facebook.

The WSJ report notes that while the data sent by these apps may be anonymous, Facebook could match the information with a particular Facebook user and use the data to serve them targeted ads.

The WSJ contacted Facebook for comment and received a reply confirming that some of the apps cited in its report appeared to be violating its business terms and that the platform does not permit app developers to send “health, financial information or other categories of sensitive information,” and that it is the responsibility of the app developers to be clear to their users about the information that is being shared. A Facebook spokesperson told Reuters, “We also take steps to detect and remove data that should not be shared with us.”

New York Governor Instructs State Departments to Investigate Facebook

On Friday, February 22, 2019, New York State Governor Andrew M. Cuomo issued a press release stating that he has instructed the Department of State and the Department of Financial Services to investigate how Facebook is acquiring health data and other sensitive information from developers of smartphone apps and the alleged privacy violations and breaches of Facebook’s own business terms.

Cuomo said that if the findings of the WSJ are correct, it amounts to “an outrageous abuse of privacy.”

Cuomo is determined to hold companies responsible for upholding the law and ensuring the sensitive data of smartphone users is kept private and confidential. Personal data should not be shared with other companies without users’ express consent.

Cuomo is also calling for federal regulators to investigate and put an end to the practice to protect consumers’ rights.

The post New York State Departments Investigate Facebook Over Health Data Sharing Practices appeared first on HIPAA Journal.

NHS to Phase Out Pagers by End of 2021

Posted by HIPAA Journal

The National Health Service (NHS) has commissioned a report on the costs of pagers and the extent of their use in NHS Trusts in the UK. The study revealed around 130,000 pagers are used in NHS Trusts – Approximately 10% of the world’s pagers – and the annual cost is around £6.6 million ($8.73 million).

Advantages and Disadvantages of Pagers in Healthcare

Pagers have served the healthcare industry well for several decades and they are still useful devices. Pagers are easy to use, they are small, easy to carry, and batteries can last months between charges. The pager system uses its own transmitters and frequencies and the signals can pass through structures. Consequently, coverage is excellent, and communication is fast and reliable. Pagers have one function and they perform that task very well.

However, there are many drawbacks to pagers in healthcare. Most of the pagers used by NHS Trusts do not support two-way communication. When a message is received, a doctor must find a phone and call a number to receive the message. When an immediate response is not possible, messages are often written down and they can be forgotten or lost. When responding to messages, doctors often find the number is engaged and so begins a time-consuming game of phone tag. Pages also do not convey the sense of urgency.

To investigate the use of pagers, the Department of Health commissioned a report from CommonTime, a digital solutions company. The firm concluded that the devices should not continue to be used in the NHS and that it was surprising for legacy equipment such as pagers to still be relied upon in emergency situations.

UK Health Secretary Matt Hancock is keen to see legacy technology such as pagers phased out. He views emails and mobile phones as a better option in terms of speed, security, and cost. Pagers are expensive to run. Switching to alternative, modern methods of communication could save the NHS millions each year. The report suggests that the use of mobile devices and mobile software in place of pagers could save the NHS around £2.7 million ($3.57 million) a year.

Messaging Apps and Secure Email to Replace NHS Pagers

Secure messaging apps on smartphones are a viable alternative to pagers and can be run at a fraction of the cost. The apps offer similar capabilities as WhatsApp and Skype, but with enhanced security and message accountability.

The West Suffolk NHS Foundation Trust trialed the use of a smartphone app in 2017 and replaced all of its pagers and found that it saved a considerable amount of time communicating with doctors and saved on costs. The app allowed two-way communications between doctors, could be used by healthcare professionals to communicate with each other, allowed group chats, and worked on smartphones, tablets and desktops.

Mobile technology may improve security and allow the NHS to cut costs, but the technology is not without drawbacks. There are often dead-spots in hospitals where signals cannot be received on mobile devices, mobile networks can face slowdowns which delay the delivery of urgent messages, and there is potential for mobile devices to interfere with hospital equipment. Those issues will need to be resolved over the coming two years, although NHS Trusts will be permitted to keep some pagers for emergency situations, such as when mobile networks go down or hospital Wi-Fi goes offline.

Fax Machines to be Phased Out by 2020

The latest report follows a 2018 study by the Royal College of Surgeons which revealed that the NHS was still using around 9,000 fax machines to send documents. In December 2018, the Department of Health announced that fax machines would be phased out and would be replaced by secure, encrypted email to improve patient safety and cybersecurity. NHS Trusts have not been permitted to buy new fax machines since January 2019 and fax machines will be completely phased out by April 2020.

These are just two of the initiatives that Hancock is pursuing to update the technology used by the NHS. As the May 2017 WannaCry ransomware attacks showed, it is not just legacy equipment that is a problem. A study conducted after the attacks revealed 60% of NHS Trusts were still using Windows XP, even though the operating system is a major security risk and is no longer supported. In May 2018, the UK government signed a £150 million ($1.98 million) deal with Microsoft to upgrade all Windows XP and Windows 7 machines to Windows 10. That process will be completed by January 14, 2020.

The post NHS to Phase Out Pagers by End of 2021 appeared first on HIPAA Journal.

January 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day. There were 33 healthcare data breaches reported in January 2019.

Healthcare Data Breaches January 2019 - Month

January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed.

Healthcare Data Breaches January 2019 - Records Exposed

Largest Healthcare Data Breaches in January 2019

 

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 Centerstone Insurance and Financial Services (BenefitMall) Business Associate 111589 Hacking/IT Incident
2 Las Colinas Orthopedic Surgery & Sports Medicine, PA Healthcare Provider 76000 Theft
3 Valley Hope Association Healthcare Provider 70799 Hacking/IT Incident
4 Roper St. Francis Healthcare Healthcare Provider 35253 Hacking/IT Incident
5 Managed Health Services Health Plan 31300 Hacking/IT Incident
6 EyeSouth Partners Business Associate 24113 Hacking/IT Incident
7 Dr. DeLuca Dr. Marciano & Associates, P.C. Healthcare Provider 23578 Hacking/IT Incident
8 Critical Care, Pulmonary and Sleep Associates, PLLP Healthcare Provider 23377 Hacking/IT Incident
9 Valley Professionals Community Health Center Healthcare Provider 12029 Hacking/IT Incident
10 Cambridge Healthcare Services, LLC Business Associate 10866 Theft

Causes of January 2018 Healthcare Data Breaches

Hacking and other IT security incidents such as ransomware and malware attacks were the biggest cause of healthcare data breaches in January 2019, accounting for 51.52% of the month’s data breaches (917 incidents) and the largest reported breach of the month. Hacking/IT incidents also accounted for the most breached records: 74.07% of all breached records in January (363,631 records).

Healthcare Data Breaches January 2019 - Causes

Unauthorized access and impermissible disclosure incidents were in second place with 10 incidents (30.30%), although they involved only a small percentage of the month’s breached records – 19,500 or 3.97% of the month’s total.

There were 5 theft incidents reported in January which involved the protected health information of 106,006 individuals – 21.59% of the records exposed in January – and one improper disposal incident that saw 1,800 paper records accidentally discarded with regular trash.

Location of Breached Protected Health Information

Healthcare organizations are still having difficulty preventing phishing attacks and other email-related breaches. As has been the case in the past few months, email-related data breaches have dominated the breach reports. Most of the email breaches in January were due to phishing attacks.

51.52% of healthcare data breaches in January 2019 involved PHI stored in emails and email attachments (17 incidents). Physical PHI, such as paper records, charts, and films was exposed in 15.15% of breaches in January (5 incidents).

Healthcare Data Breaches January 2019 - Location PHI

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by healthcare data breaches in January 2019 with 20 reported incidents, six of which ranked in the top ten breaches of the month.

8 health plans reported breaches in January and there were five breaches reported by business associates of HIPAA-covered entities, including the largest data breach of the month. A further 6 data breaches had some business associate involvement but were reported by the HIPAA-covered entity.

Healthcare Data Breaches January 2019 - By Covered Entity

Healthcare Data Breaches by State

HIPAA covered entities and business associates based in 20 different states reported healthcare data breaches in January 2019. The worst affected state was Texas with four reported breaches. Georgia, Indiana, and Kentucky each had 3 breaches in January and there were two breaches reported in each of California, Connecticut, Florida, Kansas.

Colorado, Illinois, Michigan, Minnesota, North Carolina, Nebraska, New Jersey, Pennsylvania, Rhode Island, South Carolina, Tennessee, and Washington each experienced one healthcare data breach in January.

Penalties for Noncompliance and HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) did not issue any financial penalties in January 2019 or agree to any settlements to resolve HIPAA violations; however, OCR did announce in late January that a further settlement had been agreed with a HIPAA covered entity in December 2018 – Too late for inclusion in our December 2018 Healthcare Data Breach Report.

In December 2018, Cottage Health agreed to settle its HIPAA violation case with OCR for $3,000,000. OCR investigated Cottage Health over two breaches experienced in 2013 and 2015 which saw the protected health information of 62,500 patients exposed online.

OCR also announced that 2018 had been a record year for HIPAA enforcement. OCR’s HIPAA fines and settlements totaled $28,683,400 in 2018, beating the previous record of $23,505,300 set in 2016 by 22%. 2018 also saw the largest ever HIPAA settlement agreed. Anthem Inc., agreed to pay OCR $16,000,000 to resolve HIPAA violations discovered during the investigation of its 78.8 million-record data breach of 2015.

OCR closed out 2018 with 10 settlements to resolve HIPAA violations and one civil monetary penalty, beating last year’s total by one.

There was one HIPAA violation case closed by a state attorney general in January 2019. The California Attorney General agreed to settle a case with health insurer Aetna for $935,000. The financial penalty resolved violations of HIPAA and state laws that contributed to the impermissible disclosure of plan members’ PHI. In two separate 2017 mailings, PHI was visible through the windows of envelopes. The mailings were sent to individuals who had been diagnosed with Afib in one mailing, and patients who were receiving HIV medications in the other. The impermissible disclosures affected 1,991 California residents.

This was the sixth state attorney general financial penalty Aetna has agreed to pay in relation to the mailing errors. In 2018, Aetna settled cases with New York, New Jersey, Washington, Connecticut, and the District of Columbia. The latest financial penalty brings the total financial penalties over the HIPAA violations to $2,725,172.

The post January 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups

Posted by HIPAA Journal

A complaint has been filed with the FTC over misleading practices by Facebook. The complaint alleges health information disclosed in closed, supposedly anonymous and private Facebook groups has been exposed.

Congress is calling for Facebook to provide answers about the alleged privacy violations involving the Facebook PHR (Groups) platform. Leaders from the House Committee on Energy & Commerce have written to Facebook CEO Mark Zuckerberg requesting an urgent response to the privacy complaint filed with the FTC by users of Facebook Groups.

The complaint was sent to the FTC in December and was made public this week. In the complaint letter, security researcher Fred Trotter and members of a Facebook health group allege that personal health information disclosed by users of closed Facebook groups has been exposed. As a result, members of the groups are at risk of harassment and discrimination.

Closed Facebook groups are used by sufferers of health and mental health conditions to get support. Many support groups have been sent up on the platform specifically for that purpose. Members of the groups are offered a safe environment to chat about their issues. Highly sensitive information is often disclosed in the groups as they are believed to be private and anonymous. The complaint alleges Facebook is actively encouraging the use of closed groups as a good way for patients to communicate their health information and receive support for medical conditions.

Users of the groups have shared information about positive HIV diagnoses, sexual histories, details of past sexual abuse, substance abuse disorders, and a wide range of health and mental health conditions.

The groups are supposed to be private and anonymous and are often advertised as such. One example is the Affected by Addiction Community Facebook Group, which states that “This is a private group, so nothing you post will be seen by anyone outside of this group.” Several other examples are detailed in the complaint and some of the groups have been actively promoted by Facebook, even though privacy is not assured. Facebook states in its data policy that information shared on its platform can be shared with others on and off its products. Claiming the groups are private and anonymous is a misrepresentation.

Information disclosed in these groups, including personal health information, is shared with advertisers. There have been many cases of individuals being displayed adverts about possible treatments for medical conditions that have only ever been discussed in closed, private groups.

Facebook is not bound by HIPAA Rules, so the sharing of any personal health information with advertisers would not be a HIPAA violation. However, Facebook is required to comply with FTC Rules: Rules that Facebook is alleged to have violated.

In addition to sharing data with advertisers, the security of Facebook Groups has been called into question. One member of a closed health group claims she was able to obtain a list of all members of the group using a Chrome web browser extension called grouply.io. She contacted Trotter who used the extension to download the names of 10,000+ members of a closed and supposedly private Facebook group. In addition to real names of members, Trotter was also able to download email addresses, the cities where the members are located, and employers of the women who participated in the group. In this case, the members had been diagnosed as having the BRCA cancer mutation.

In the complaint, Trotter explained that since Facebook is encouraging the use of private groups for disclosing health information the groups should be treated as a personal health record and regulated as such by the FTC.  Part of the requirements for personal health records is the reporting of data breaches. Even though Facebook was notified about the file download and data breach, notifications were not sent to members of the Group.

“Sharing of privately posted personal health information violates the law, but this serious problem with Facebook’s privacy implementation also presents an ongoing risk of death or serious injury to Facebook users,” wrote Trotter in the complaint. “Facebook has ignored our requests to fix the specific issues we have identified to the company and denies publicly that any problem exists. All of this represents unfair, deceptive and misleading interactions between Facebook and its users in violation of the FTC Act.”

Leaders of the Energy and Commerce Committee said in their letter to Zuckerberg, “Facebook’s systems lack transparency as to how they are able to gather personal information and synthesize that information into suggestions of relevant medical condition support groups.  Labeling these groups as closed or anonymous potentially misled Facebook users into joining these groups and revealing more personal information than they otherwise would have.”

The committee leaders have requested a briefing from Facebook by March 1, 2019.

The post Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups appeared first on HIPAA Journal.

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Posted by HIPAA Journal

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018.

The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general.

The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches.

According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018.

In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased each quarter, from 1,175,804 records in Q1 to 6,281,470 healthcare records in Q4.

The largest data breach of the year was a hacking incident at a business associate of a North Carolina health system. Over the space of a week, the hackers gained access to the health records of 2.65 million individuals.

Healthcare hacking incidents have increased steadily since 2016 and were the biggest cause of breaches in 2018, accounting for 44.22% of all tracked data breaches. There were 222 hacking incidents in 2018 compared to 178 in 2017. Data was only available for 180 of those breaches, which combined, resulted in the theft/exposure of 11,335,514 patient records. The hacking-related breaches in 2017 resulted in the theft/exposure of 3,436,742 records. While it was not possible to categorize many of the hacking incidents due to a lack of data, phishing attacks and ransomware/malware incidents were both common.

Insiders were behind 28.09% of breaches, loss/theft incidents accounted for 14.34%, and the cause of 13.35% of breaches was unknown.

Insider breaches included human error and insider wrongdoing. These breaches accounted for a lower percentage of the total than in 2017 when 37% of breaches were attributed to insiders. Information was available for 106 insider-related breaches in 2018. 2,793,607 records were exposed in those breaches – 19% of exposed records for the year. While the total number of insider incidents fell from 176 to 139 year over year, there was a significant increase in the number of records exposed in insider breaches in 2018.

Insider errors resulted in the exposure of 785,281 records in 2017 and 2,056,138 records in 2018. Insider wrongdoing incidents resulted in the exposure of 893,978 records in 2017 and 386,469 records in 2018.

Without the proper tools in place, insider breaches can be difficult to detect. In one case, it took a healthcare provider 15 years to discover that an employee was snooping on patient records. Several incidents took over four years to discover.

Snooping by family members was the most common cause of insider breaches, accounting for 67.38% of the total. Snooping co-workers accounted for 15.81% of insider breaches. Protenus notes that there is a high chance of repeat insider offenses. 51% of cases involved repeat offenders.

Overall, it took an average of 255 days for a breach of any type to be discovered and an average of 73 days for breaches to be reported after they were discovered.

Healthcare providers were the worst affected group with 353 data breaches – 70% of all reporting entities. 62 breaches were reported by health plans (12%) and 39 (8%) were reported by other entities. It was a particularly bad year for business associates of HIPAA covered entities with 49 incidents (10%) reported by business associates. A further 102 incidents (20%) had some business associate involvement.

Protenus expects to trend of more than 1 breach per day to continue in 2019, as has been the case every year since 2016.

The post 2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records appeared first on HIPAA Journal.

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000.

Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital.

In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients.

In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information.

Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed patients’ ePHI over the internet. Patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information could all be accessed without a username or password.

OCR investigated the breaches and Cottage Health’s HIPAA compliance efforts. OCR determined that Cottage Health had failed to conduct a comprehensive, organization-wide risk analysis to determine risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(l)(ii)(A).

Risks and vulnerabilities had not been reduced to a reasonable and acceptable level, as required by 45 C.F.R. § 164.308(a)(l )(ii)(B).

Periodic technical and non-technical evaluations following environmental or operational changes had not been conducted, which violated 45 C.F.R. § 164.308(a)(8).

OCR also discovered Cottage Health had not entered into a HIPAA-complaint business associate agreement (BAA) with a contractor that maintained ePHI: A violation of 45 C.F.R. § 164.308(b) and 164.502(e).

In addition to the financial penalty, Cottage Health has agreed to adopt a 3-year Corrective Action Plan (CAP). The CAP requires Cottage Health to conduct a comprehensive, organization-wide risk analysis to determine all risks to the confidentiality, integrity, and availability of ePHI. Cottage Health must also develop and implement a risk management plan to address all security risks and vulnerabilities identified during the risk analysis. The risk analysis must be reviewed annually and following any environmental or operational changes. A process for evaluating environmental or operational changes must also be implemented.

Cottage Health must also develop, implement, and distribute written policies and procedures covering the HIPAA Privacy and Security Rules and must train all staff on the new policies and procedures. Cottage Health must also report to OCR annually on the status of its CAP for the following three years.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino. “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”

A Record Year for HIPAA Fines and Settlements

It has been a busy year of HIPAA enforcement for OCR. In 2018, 10 settlements have been agreed with HIPAA-covered entities and business associates in response to violations of HIPAA Rules and one civil monetary penalty has been issued. The 11 financial penalties totaled $28,683,400, which exceeded the previous record of $23,505,300 set in 2016 by 22%.

2018 also saw OCR agree the largest ever HIPAA settlement in history. Anthem Inc., settled alleged violations of HIPAA Rules for $16,000,000. The settlement was almost three times larger than the previous record – The $5.5 million settlement with Advocate Health Care Network in 2016.

Further Information: 2018 HIPAA Fines and Settlements

The post OCR Settles Cottage Health HIPAA Violation Case for $3 Million appeared first on HIPAA Journal.