Healthcare Data Privacy

OCR Issues Telehealth Guidance for Providers and Patients

The HHS’ Office for Civil Rights (OCR) has issued new guidance for healthcare providers to help them educate patients about the privacy and security risks of using remote communication technologies for telehealth visits, together with recommendations for patients on how they can protect and secure their health information.

During the pandemic, healthcare providers massively expanded their telehealth services to ensure that patients could access the medical services they needed while reducing the risk of contracting COVID-19. OCR issued a Notice of Enforcement Discretion covering the good faith provision of telehealth services to make it easier for healthcare providers to provide telehealth services during the pandemic by using non-public-facing communications platforms that are not fully HIPAA compliant, such as platforms where vendors would not enter into business associate agreements. Now that the COVID-19 public health emergency has been declared over, OCR’s telehealth Notice of Enforcement Discretion has expired; however, OCR continues to support telehealth services, which have proven popular with both providers and patients.

Telehealth Privacy and Security Risks

Healthcare providers must ensure that the communications platforms they use for providing telehealth services support HIPAA compliance. Even when ‘HIPAA-compliant’ platforms are used for telehealth there are still privacy and security risks that must be addressed and reduced to a low and acceptable level. In the summer of 2022, ahead of the telehealth flexibilities coming to an end, OCR issued guidance for healthcare providers on HIPAA and audio-only telehealth services.

While HIPAA does not require healthcare providers to educate patients about the privacy and security risks associated with telehealth, a Government Accountability Office (GAO) review of the Medicare telehealth services provided during the COVID-19 pandemic – Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks – recommended that OCR issue guidance to help healthcare providers explain the privacy and security risks associated with telehealth services to patients.

During the review, GAO identified numerous complaints about the use of non-compliant technology during the pandemic: more than 3 dozen complaints had been filed about the presence of third parties during appointments, and there were instances where providers shared PHI without obtaining patient consent. GAO concluded that additional education and outreach were needed to help providers explain the privacy and security risks of telehealth to patients, so that those risks are fully understood. OCR concurred with the recommendation and agreed to publish new guidance.

New OCR Telehealth Privacy and Security Resources

Two guidance resources were published by OCR on October 18, 2023. The first guidance document is for healthcare providers to help them educate patients about the privacy and security risks associated with remote communication technologies, and the second guidance document is for patients and offers tips on privacy and security when taking advantage of telehealth services.

The provider guidance – Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth – offers suggestions to help healthcare providers discuss the telehealth options offered, the potential risks to protected health information associated with remote communication technologies, the privacy and security practices of the vendors of telehealth communication tools, and the applicability of civil rights laws.

The patient guidance – Telehealth Privacy and Security Tips for Patients – offers recommendations for patients on how they can protect and secure their protected health information, such as the importance of conducting telehealth visits in private settings, activating multi-factor authentication, using encryption, and avoiding using public Wi-Fi networks.

“Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” said OCR Director Melanie Fontes Rainer. “Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private.”

The post OCR Issues Telehealth Guidance for Providers and Patients appeared first on HIPAA Journal.

Governor Newsom Signs California Delete Act into Law

On October 10, 2023, California Governor Gavin Newsom signed the Delete Act (Senate Bill 362) into law. The bill was introduced in April 2023 by Senator Josh Becker to give California residents greater control over their personal information and how it is used by data brokers. Data brokers sell millions of consumers’ data points to the highest bidder. That information includes purchasing data, which can be accessed by retailers and used to serve targeted ads. More sensitive information may also be collected and sold, such as geolocation information and even reproductive health information.

The new law will allow state residents to request that data brokers delete their personal data and/or forbid them from selling or sharing their personal data. Since 2018, Californians have had similar rights, but in order to exercise them they were required to make requests to each individual data broker. Since there are almost 500 data brokers operating in California, exercising those rights would be a time-consuming process.

The Delete Act simplifies that process, as it calls for the California Privacy Protection Agency (CPPA) to develop a mechanism for allowing California residents to exercise their rights, which should be made available on a single page on its website. Consumers will be able to submit a single request for all data brokers to delete their personal information and prohibit them from selling or sharing that information. The CPPA has been given until January 1, 2026, to implement the feature on its website.

By August 1, 2026, data brokers will be required to check for new requests at least once every 45 days and process them. The law does not prohibit a data broker from continuing to collect the personal data of consumers who have exercised their rights, but once a request has been made via the CPPA, the data broker must delete any newly collected data at least once every 45 days and will not be permitted to sell or share that consumer’s data.

The Delete Act takes its definition of data broker from the California Consumer Privacy Act of 2018 (CCPA): a business that meets any of the CCPA thresholds (gross revenues of more than $25 million in the previous year; buying, selling, or sharing the personal information of 100,000 or more consumers or households each year; or deriving at least 50% of its annual revenue from selling or sharing personal information) and that knowingly collects and sells personal information about consumers with whom it has no direct relationship.

From January 1, 2028, and every 3 years thereafter, data brokers will be required to undergo an independent third-party audit to determine whether they are compliant with the Delete Act and to submit the audit report to the CPPA on request. Any data broker found not to be compliant with the Delete Act will be liable for administrative fines, fees, expenses, and costs.

While the Delete Act gives consumers greater control over their personal data, it has significant exemptions. The definition of data broker means that some companies that collect and sell considerable amounts of consumer data would be exempt and not subject to deletion requests. Data brokers are likely to face technological challenges in complying, and critics say the law will place an undue burden on them and could even undermine California’s digital economy: if large numbers of California residents exercise their rights, small businesses that rely on data-driven advertising will find it harder to reach new customers.

The signing of the bill has been welcomed by the CPPA. “We applaud Governor Newsom for signing SB 362, the California Delete Act, which the CPPA Board unanimously voted to support in July. SB 362 is consistent with CPPA’s mission to further Californians’ privacy by making it easier for consumers to exercise their rights,” said Ashkan Soltani, Executive Director of the CPPA. “Similar to the California Consumer Privacy Act’s existing requirement for businesses to honor opt-out preference signals, the ‘accessible deletion mechanism’ is another privacy innovation that further cements California’s leadership in technology policy and consumer protection.”

First Lawsuit Filed Over 23andMe Data Breach

On Friday, October 6, 2023, 23andMe, a direct-to-consumer genetic testing company that offers ancestry and health reports, confirmed that it was investigating a cyberattack in which unauthorized individuals gained access to certain customer accounts. The announcement came a few days after stolen data started to be listed for sale on a dark net marketplace.

In the website announcement, 23andMe said it had launched an investigation, had engaged third-party forensics experts to assist, and that the investigation is ongoing. The preliminary results suggest there has not been a breach of its own systems; rather, 23andMe said an unauthorized third party obtained certain information from users’ accounts. The website notice did not mention that stolen data had been listed for sale, although 23andMe confirmed to certain media outlets that it is in the process of validating the listed data. The stolen data included names, sex, date of birth, genetic ancestry results, profile photos, and geographical location gathered from the DNA Relatives feature, but does not appear to have included any raw genetic data. The hacker claims to have obtained millions of data profiles, which are being offered for sale. The listings were first identified by a researcher on October 4, 2023.

“While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” explained 23andMe in its website notice. “We believe the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service.”

23andMe explained that it monitors accounts for unauthorized access and investigates suspicious activity, that its security measures exceed industry data protection standards, that it has attained multiple ISO certifications, and that it has offered users multifactor authentication since 2019. The website notice was updated on October 9, 2023: “We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA).”

On Monday, October 9, 2023, a lawsuit – Santana v. 23andMe Inc. – was filed in the U.S. District Court for the Northern District of California on behalf of plaintiffs Monica Santana and Paula Kleynburd, who allege negligence, invasion of privacy, unjust enrichment, and breach of implied contract. The plaintiffs are represented by the law firm Edelsberg Law PA.

According to the lawsuit, “23andMe attempts to redirect the blame on to the criminal actors that gained access to Defendant’s customer accounts, in violation of their Terms of Service, while avoiding mention that their safeguards were inadequate,” and also alleges “23andME fails to state if they were able to contain or end the cybersecurity threat, leaving victims to fear whether the PII that 23andMe continues to maintain is secure and 23andMe fails to state how the breach itself occurred.”

The lawsuit alleges 23andMe was negligent for failing to implement reasonable and appropriate safeguards to protect sensitive user data, that it maintained users’ personally identifiable information in a reckless manner, did not protect its systems against unauthorized intrusions, did not take reasonable steps to prevent data breaches, did not provide adequate training to its staff, and despite publishing a notice on its website two days after a breach was known to have occurred, failed to provide timely notice of the data breach.

The lawsuit alleges the plaintiff and class members “suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses, loss of value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of, and diminution in, value of their PII.” The lawsuit seeks class action certification, a jury trial, actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest.

The data breach highlights the risks of reusing passwords across multiple accounts. When one platform is breached, the stolen usernames and passwords can be tried against every other site where the same credentials were used. These attacks are termed credential stuffing attacks; they are common, automated, and one of the easiest ways for hackers to gain access to sensitive data, because nothing has to be guessed. A unique password for each account defeats them, since a credential leaked from one site then unlocks nothing else. Multifactor authentication adds an extra layer of security against these attacks, as an additional authentication factor must be provided in addition to a username and password before access is granted. This case also shows how such an attack can be amplified: because each compromised account exposed the DNA Relatives profiles of the users matched to it, access to “certain accounts” was enough to yield millions of profiles.

Setting strong and unique passwords and implementing multifactor authentication are the first two of the four cybersecurity measures being promoted this Cybersecurity Awareness Month. The 23andMe data breach clearly demonstrates why these two cybersecurity measures are so important.
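One way to spot a credential stuffing campaign in authentication logs, as an added example (this is not code from the article or from 23andMe; the log format, field names, thresholds and sample log lines are all constructed assumptions for the demonstration). The detector keys on the signature that distinguishes stuffing from an ordinary user mistyping a password: one source trying many different accounts roughly once each, with a low success rate, and it lists the accounts that were successfully accessed from a flagged source, which are the ones to force through a password reset and MFA enrollment.

```python
"""Credential-stuffing detection over web-authentication log lines.

Added example for the 23andMe item above; not code from the article or from
23andMe. The log format, field names, thresholds and sample log lines are
assumptions constructed for the demonstration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format:
#   "<ISO timestamp> ip=<addr> user=<login> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Tunable thresholds (assumptions). Credential stuffing looks like one source
# trying many *different* accounts about once each, because the attacker is
# replaying username/password pairs leaked from another site rather than
# guessing. A single user mistyping a password is one account, many attempts.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5
MAX_ATTEMPTS_PER_USER = 2.0

# Constructed sample: 203.0.113.7 replays ten leaked credential pairs and gets
# into two accounts; 198.51.100.9 is one user retrying a password; 192.0.2.33
# is an ordinary login.
SAMPLE_LOG = """\
2023-10-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2023-10-01T10:00:01 ip=203.0.113.7 user=bob result=fail
2023-10-01T10:00:02 ip=203.0.113.7 user=carol result=ok
2023-10-01T10:00:03 ip=203.0.113.7 user=dave result=fail
2023-10-01T10:00:04 ip=203.0.113.7 user=erin result=fail
2023-10-01T10:00:05 ip=203.0.113.7 user=frank result=fail
2023-10-01T10:00:06 ip=203.0.113.7 user=grace result=ok
2023-10-01T10:00:07 ip=203.0.113.7 user=heidi result=fail
2023-10-01T10:00:08 ip=203.0.113.7 user=ivan result=fail
2023-10-01T10:00:09 ip=203.0.113.7 user=judy result=fail
2023-10-01T10:05:00 ip=198.51.100.9 user=mallory result=fail
2023-10-01T10:05:03 ip=198.51.100.9 user=mallory result=fail
2023-10-01T10:05:07 ip=198.51.100.9 user=mallory result=ok
2023-10-01T11:00:00 ip=192.0.2.33 user=peggy result=ok
"""


def parse_log(text: str) -> list[dict]:
    """Parse log lines into event dicts, skipping lines in an unexpected format."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_credential_stuffing(
    events: list[dict],
    window: timedelta = WINDOW,
    min_users: int = MIN_DISTINCT_USERS,
    max_attempts_per_user: float = MAX_ATTEMPTS_PER_USER,
) -> dict[str, dict]:
    """Per flagged source IP: the largest matching window and the accounts
    that were successfully accessed from it."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start : end + 1]
            users = {e["user"] for e in win}
            if len(users) < min_users or len(win) / len(users) > max_attempts_per_user:
                continue
            f = findings.setdefault(ip, {"attempts": 0, "distinct_users": 0, "compromised": set()})
            f["attempts"] = max(f["attempts"], len(win))
            f["distinct_users"] = max(f["distinct_users"], len(users))
            f["compromised"].update(e["user"] for e in win if e["result"] == "ok")

    # Sorted lists are easier to feed into a reset/MFA-enforcement job.
    return {ip: {**f, "compromised": sorted(f["compromised"])} for ip, f in findings.items()}


def accounts_to_reset(findings: dict[str, dict]) -> list[str]:
    """Accounts successfully accessed from any flagged source: force a password
    reset and require MFA enrollment for these."""
    return sorted({u for f in findings.values() for u in f["compromised"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, f in found.items():
        print(f"{ip}: {f['attempts']} attempts across {f['distinct_users']} accounts, "
              f"successes: {f['compromised']}")
    print("reset + MFA:", accounts_to_reset(found))
```

The attempts-per-user ratio is what keeps a single user's retries (many attempts, one account) out of the findings; an attacker who rotates source IPs per attempt will not group under one key, so in production the same logic is usually keyed on additional signals (ASN, device fingerprint, user-agent) as well as IP.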

Senator Seeks Information on How to Improve Health Data Privacy

Senator Bill Cassidy (R-LA), ranking member of the U.S. Senate Committee on Health, Education, Labor, and Pensions (HELP), is seeking feedback on how health data privacy can be improved while also supporting the need for medical research.

Over the past few years there has been a proliferation of new technologies that collect, store, and transmit health information, including wearable devices, smart devices, and health and wellness apps. These technologies have enabled better care and greater patient access to health information, but the health data collected, stored, and transmitted via these technologies largely falls outside the protection of HIPAA.

Senator Cassidy’s request for information seeks feedback from stakeholders on ways of improving health data privacy, especially data collected using technologies that were not in use in 1996 when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, and whether HIPAA needs to be modernized and expanded to cover data collected by non-HIPAA-regulated entities.

Senator Cassidy asks general privacy questions, such as what should be considered health data and whether the term should apply only to data covered by HIPAA, whether other types of health data should be treated differently, which entities not currently classed as HIPAA-regulated entities should be accountable for handling health data, and whether they should have a duty of loyalty to consumers/patients.

Senator Cassidy acknowledges that new regulations are likely to have implementation challenges and seeks feedback on ways that health data privacy can be improved without creating too great a burden, such as restricting the duty of loyalty based on the sensitivity of the collected data. He also seeks information from stakeholders on how well the HIPAA framework is currently working, whether HIPAA should be updated, the challenges legislative reforms of HIPAA would create, and how health data sharing can be structured, given the current patchwork of legal frameworks in different states.

Information is requested on biometric data, genetic information, and location data, and whether these types of information should be included in a new definition of health data, and what the obligations should be for collecting and safeguarding these types of data.

The request also treats consent and data minimization as goals: consent should be obtained from consumers before health data is collected, and collection should be limited to what is reasonably necessary. Feedback is requested on how this can be achieved, how data practices should be communicated to consumers, whether consumers should have the right to request that non-HIPAA-covered data be deleted, and whether there should be an opt-in or opt-out model for the collection of health data not covered by HIPAA.

Feedback is also sought on the challenges that have been experienced in complying with the data privacy frameworks that have been implemented in 9 states since 2018, and whether any lessons have been learned as states have implemented these frameworks for the governance of health data.

Any new regulations or updates to HIPAA will need to be enforced, and that is also likely to create challenges. Currently, the HHS’ Office for Civil Rights is the main enforcer of HIPAA and has made it clear that it is operating under severe financial constraints and has a large backlog of investigations. The Federal Trade Commission has oversight of health data collected by non-HIPAA-covered entities and has recently taken action over breaches of health data. Suggestions are sought on how updates to HIPAA and new health data regulations should be enforced, and on the role different agencies should have in enforcement.

Stakeholders have been given until September 28, 2023, to submit their responses.

OCR, FTC Publish Online Tracking Technology Warning Letters

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have published the letters that were sent to hospital systems and telehealth providers in July 2023 advising them about the privacy risks associated with website tracking technologies such as Meta Pixel and Google Analytics.

The widespread use of these tools on hospital websites and the risk of impermissible disclosures of protected health information (PHI) prompted OCR to issue guidance for HIPAA-regulated entities in December 2022. OCR stated in the guidance that disclosures of PHI to tracking technology vendors are not permitted under HIPAA unless the individual has signed a valid HIPAA authorization or the vendor is a business associate and a HIPAA-compliant business associate agreement (BAA) is in place. The FTC has also taken an interest in these tools and has taken action against non-HIPAA-regulated entities for alleged violations of the FTC Act and the FTC’s Health Breach Notification Rule with respect to tracking technologies.

The July 2023 letters explain that serious privacy and security risks have been identified with online tracking technologies and the recipients of the letters were warned that their websites and mobile applications may have these tracking tools in place that could be disclosing consumers’ sensitive personal health information to third parties. The types of information disclosed would depend on where the tracking technologies have been added. If they have been added to appointment scheduling apps or behind the logins of patient portals they could disclose highly sensitive information to third parties such as health conditions, diagnoses, medications, treatment information, treatment locations, frequency of visits, and more, along with identifiers that link that information to individuals. The disclosed information could be used by third parties for advertising purposes and could potentially result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.

The recipients of the letters, which include a diverse range of HIPAA-regulated entities and non-HIPAA-covered entities that collect health information, have been advised to review OCR and FTC guidance, assess the extent to which tracking technologies are in use, and ensure they are fully protecting the privacy and security of individuals’ health information.
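A static check for the loaders the letters are concerned with, as an added example that is not code from the article, OCR or the FTC. It assumes you have the served HTML of a page (for instance saved from the scheduling flow or from behind the portal login); the tracker signatures are the public loader and beacon URLs of Meta Pixel and Google Analytics/Tag Manager, and the sample page is constructed for the demonstration.

```python
"""Static scan of page HTML for known tracking-technology loaders.

Added example for the OCR/FTC tracking letters above; not code from the
article, OCR or the FTC. The signatures are the public loader/beacon URLs of
Meta Pixel and Google Analytics/Tag Manager; the sample page is constructed.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (host, path prefix) of the public loader/beacon endpoints -> tracker label.
TRACKER_SIGNATURES = {
    ("connect.facebook.net", "/"): "Meta Pixel (fbevents.js loader)",
    ("www.facebook.com", "/tr"): "Meta Pixel (noscript image beacon)",
    ("www.googletagmanager.com", "/gtag/js"): "Google Analytics 4 (gtag.js loader)",
    ("www.googletagmanager.com", "/gtm.js"): "Google Tag Manager (gtm.js loader)",
    ("www.google-analytics.com", "/"): "Google Analytics (analytics.js or collect endpoint)",
}

# Inline calls that initialise the same trackers even when the loader is
# proxied first-party or injected later by a tag manager.
INLINE_MARKERS = [
    (re.compile(r"\bfbq\s*\("), "Meta Pixel (inline fbq call)"),
    (re.compile(r"\bgtag\s*\("), "Google Analytics 4 (inline gtag call)"),
    (re.compile(r"\bga\s*\("), "Google Analytics (inline ga call)"),
]

# Constructed sample: an appointment-scheduling page that loads GA4 and Meta
# Pixel and fires a custom 'Schedule' event, plus a first-party script that
# must not be flagged. IDs are placeholders.
SAMPLE_PORTAL_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE');
</script>
<script src="/static/portal.js"></script>
</head><body>
<h1>Schedule an appointment</h1>
<script>
  fbq('init', '000000000000000');
  fbq('track', 'Schedule');
</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&amp;ev=Schedule&amp;noscript=1"/></noscript>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</body></html>"""


def classify_url(url: str) -> str | None:
    """Map a script/img/iframe URL to a tracker label, or None if unknown."""
    if url.startswith("//"):  # protocol-relative URL
        url = "https:" + url
    parts = urlsplit(url)
    host, path = parts.netloc.lower(), parts.path
    for (sig_host, prefix), label in TRACKER_SIGNATURES.items():
        if host == sig_host and path.startswith(prefix):
            return label
    return None


class _TrackerScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []
        self._in_script = False
        self._script_text: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_text = []
        if tag in ("script", "img", "iframe") and a.get("src"):
            label = classify_url(a["src"])
            if label:
                self.findings.append({"tracker": label, "element": tag, "url": a["src"]})

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            text = "".join(self._script_text)
            for pattern, label in INLINE_MARKERS:
                if pattern.search(text):
                    self.findings.append({"tracker": label, "element": "inline script", "url": None})


def scan_html(html: str) -> list[dict]:
    """Return every tracker loader, beacon or inline call found in the markup."""
    scanner = _TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per tracker family (the label before the parenthesis)."""
    counts: dict[str, int] = {}
    for f in findings:
        family = f["tracker"].split(" (")[0]
        counts[family] = counts.get(family, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PORTAL_PAGE):
        print(f"{f['tracker']:45} {f['element']:14} {f['url'] or ''}")
    print(summarize(scan_html(SAMPLE_PORTAL_PAGE)))
```

A static scan only sees loaders present in the served markup, so pair it with a browser network capture for tags injected at runtime by a tag manager, and run it against the pages OCR and the FTC single out: the scheduling flow and anything behind the portal login, where the URL and event names sent alongside the tracker identifiers are themselves the disclosure.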

The recipients of the letters have now been made public in the 387-page PDF document jointly published by OCR and FTC on their websites. While OCR and the FTC had reason to issue the letters to these organizations, receipt of a letter does not mean that tracking technologies are currently being used or HIPAA, the FTC Act, or the Health Breach Notification Rule have been violated. The recipients of the letters are listed below.

ADHD Online, MI
Advocate Aurora Health, WI
Alfie, NY
Alpha, CA
Apostrophe, CA
Array Behavioral Care, NJ
Ascension, MO
Barnes-Jewish Hospital, MO
Barton Healthcare System, CA
Beaumont Health System, MI
Bellin Health, WI
Bicycle Health, MA
Bon Secours Mercy Health, OH
Boulder Care, OR
Brigham and Women’s Faulkner Hospital, MA
Brightline, CA
Brightside, CA
Calibrate, NY
CallonDoc, TX
Cedars-Sinai Medical Center, CA
Chesapeake Regional Healthcare, VA
Children’s Wisconsin, WI
Cone Health, NC
Cove, NY
Covenant Health, TN
Curology, CA
DearBrightly, CA
Done, CA
Dorsal, NY
Duke University Health System, NC
El Camino Hospital, CA
Eleanor Health, MA
Elektra Health, NY
Everlywell, TX
Facet, NY
Favor, CA
Folx, MA
Found, CA
Froedtert Hospital and the Medical College of Wisconsin, WI
Gennev, WA
Grady Health System, GA
Henry Ford Hospital, MI
Hers, CA
Hims, CA
Hone Health, NY
Honor Health, AZ
Houston Methodist, TX
Inova Health System, VA
Invigor Medical, WA
Johns Hopkins Hospital, MD
K Health, NY
Keeps, NY
Kick Health, WA
KwikMed, AZ
LCMC Health System, LA
Lemonaid, CA
Loyola Medicine, IL
Mantra Health, NY
Marshall Medical Center, CA
MedStar Health, MD
Memorial Healthcare System, FL
MemorialCare Long Beach Medical Center, CA
Mercy Medical Center, MD
Middlesex Health, CT
Mindbloom, FL
Minded, NY
Mistr, FL
MultiCare Health System, WA
Musely, CA
My Ketamine Home, FL
Nemours Children’s Health, FL
New York Presbyterian Hospital, NY
Northwestern Medicine Central DuPage Hospital, IL
Northwestern Memorial Healthcare, IL
Nue Life, FL
Nurx, CA
Oar, NY
Ophelia, NY
Peace Health, WA
Penn Medicine Chester County Hospital, PA
Penn Medicine, PA
Picnic, NY
Piedmont Healthcare, GA
Plume, CO
PRJKT RUBY, AZ
Push Health, CA
QCare Plus, FL
Quick MD, CA
Relief Labs, Inc. d/b/a Clearing, NY
Remedy Psychiatry, CA
Renown Health, NV
Riverside Health System, VA
Rochester Regional Health, NY
Roman, NY
Rush University Medical Center, IL
Salem Health, OR
Sanford USD Medical Center, SD
Sarasota Memorial Health Care System, FL
Scripps Memorial Hospital La Jolla – Scripps Health, CA
Sharp Healthcare, CA
Sparrow Health Systems, MI
St. Joseph Mercy Health System, MI
St. Luke’s Health System, ID
St. Tammany Health System, LA
Strut Health, TX
Talkiatry, NY
Talkspace, NY
Tampa General Hospital, FL
Texas Health Resources, TX
The Wellness Company, RI
Thomas Jefferson Hospital, PA
Tufts Medical Center, MA
UC Davis Health, CA
UCLA Reagan Medical Center, CA
UCSF Office of Legal Affairs, CA
UnityPoint Health, IA
University Hospitals Cleveland Medical Center, OH
University of Chicago Medicine, IL
University of Iowa Hospitals and Clinics, IA
University of Kansas Health System, KS
University of Pittsburgh Medical Center, PA
University of Texas Southwestern Medical Center, TX
University of Vermont Health Network, VT
Wexner Medical Center, OH
Willis-Knighton Health System, LA
Wisp, CA
Wondermed, CA
Workit, FL
Yale New Haven Health, CT

July 2023 Healthcare Data Breach Report

There was a 15.2% fall in reported data breaches in July with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), which makes July an average month for data breaches. Over the past 12 months, 57 breaches have been reported each month on average; however, July was not an average month in terms of the number of compromised records.

There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The incredibly high total was due to a major data breach at HCA Healthcare that saw the records of 11,270,000 individuals compromised.

The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.

Largest Healthcare Data Breaches Reported in July

HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.

The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe because of the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus). Maximus was one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution (CVE-2023-34362, a SQL injection flaw in the MOVEit Transfer web application). Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the Clop hacking group had already been exploiting it to steal data from Internet-facing MOVEit Transfer servers. Patching stops further exploitation but does not undo an earlier theft, which is why organizations that patched promptly still had to treat their servers as potentially compromised and check for data exfiltration. The total number of victims has yet to be determined; Kon Briefing, which has been tracking the breach reports, counts at least 734 organizations affected and between 42.7 million and 47.6 million records stolen. Clop did not encrypt data; it stole files and issued ransom demands, with payment required to prevent the release or sale of the stolen data.

In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were hacking incidents.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach
HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident | Hacking incident – external electronic storage facility used by a business associate
Centers for Medicare & Medicaid Services | MD | Health Plan | 1,362,470 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (Maximus)
Florida Health Sciences Center, Inc. dba Tampa General Hospital | FL | Healthcare Provider | 1,313,636 | Hacking/IT Incident | Hacking incident – ransomware attack
Pension Benefit Information, LLC | MN | Business Associate | 1,209,825 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Allegheny County | PA | Healthcare Provider | 689,686 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 398,319 | Hacking/IT Incident | Hacking incident
Johns Hopkins Medicine | MD | Healthcare Provider | 310,405 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Harris County Hospital District d/b/a Harris Health System | TX | Healthcare Provider | 224,703 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Precision Anesthesia Billing LLC | FL | Business Associate | 209,200 | Hacking/IT Incident | Hacking incident – ransomware attack
Fairfax Oral and Maxillofacial Surgery | VA | Healthcare Provider | 208,194 | Hacking/IT Incident | Hacking incident
The Chattanooga Heart Institute | TN | Healthcare Provider | 170,450 | Hacking/IT Incident | Hacking incident – data theft confirmed
Phoenician Medical Center, Inc | AZ | Healthcare Provider | 162,500 | Hacking/IT Incident | Hacking incident – data theft confirmed
UT Southwestern Medical Center | TX | Healthcare Provider | 98,437 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Hillsborough County, Florida (County Government) | FL | Healthcare Provider | 70,636 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Family Vision of Anderson, P.A. | SC | Healthcare Provider | 62,631 | Hacking/IT Incident | Hacking incident – ransomware attack
Jefferson County Health Center | IA | Healthcare Provider | 53,827 | Hacking/IT Incident | Hacking incident – data theft confirmed (Karakurt threat group)
New England Life Care, Inc. | ME | Healthcare Provider | 51,854 | Hacking/IT Incident | Hacking incident
Care N’ Care Insurance Company, Inc. | TX | Health Plan | 33,032 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc)
Synergy Healthcare Services | GA | Business Associate | 25,772 | Hacking/IT Incident | Hacking incident
Rite Aid Corporation | PA | Healthcare Provider | 24,400 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Life Management Center of Northwest Florida, Inc. | FL | Healthcare Provider | 19,107 | Hacking/IT Incident | Hacking incident
Saint Francis Health System | OK | Healthcare Provider | 18,911 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Pennsylvania Department of Human Services | PA | Healthcare Provider | 16,390 | Unauthorized Access/Disclosure | Hacking incident – unauthorized access to a system test website
The Vitality Group, LLC | IL | Business Associate | 15,569 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion
Wake Family Eye Care | NC | Healthcare Provider | 14,264 | Hacking/IT Incident | Hacking incident – ransomware attack
East Houston Med and Ped Clinic | TX | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure | Storage unit sold that contained boxes of patient records

Causes of July 2023 Data Breaches

Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.

There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or improper disposal of physical records or devices containing electronic PHI.

Where did the Data Breaches Occur?

The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.

The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearinghouse. The charts below are based on where the breach occurred, rather than the reporting entity.

Geographical Distribution of Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.

State Breaches
Texas 7
Florida 6
California 5
Maryland, Pennsylvania & Tennessee 4
Arizona & North Carolina 3
Connecticut, Illinois & Minnesota 2
Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington 1

HIPAA Enforcement Activity in July 2023

There were no enforcement actions announced by OCR or state attorneys general in July to resolve HIPAA violations.

The post July 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Views on FTC’s Proposed Health Breach Notification Rule Update

In May 2023, the Federal Trade Commission (FTC) proposed changes to the Health Breach Notification Rule following a 10-year review of the rule. The proposed changes are intended to modernize the rule and make it fit for purpose in the digital age. A lot has changed since the Health Breach Notification Rule was introduced. Huge amounts of health data are now collected and shared by direct-to-consumer technologies such as health apps and wearable devices. These apps and devices can collect highly sensitive health data, yet the information collected is generally not protected by the HIPAA Rules.

The proposed update to the Health Breach Notification Rule includes changes to definitions to make it clear that vendors of personal health records (PHRs) and related entities that are not covered by HIPAA are required to issue notifications after an impermissible disclosure of their health data. The definition of a ‘breach of security’ has been changed to make it clear that a breach includes the unauthorized acquisition of identifiable health information, either by a security breach or an unauthorized disclosure. Changes have also been made to standardize consumer notifications and ensure sufficient information is provided to consumers to allow them to assess risk and require consumers to be advised about the potential for harm from a data breach.

Timely notifications must be issued to the FTC, the affected individuals, and in some cases, the media. Third-party service providers to vendors of PHRs and PHR-related entities must also issue notifications to the vendor in the event of a data breach. The deadline for providing notifications is 60 calendar days following the discovery of a data breach, although, like the HIPAA Breach Notification Rule, notifications should be issued without undue delay.

While the FTC’s Health Breach Notification Rule has been in effect for more than a decade, the FTC has only recently started enforcing the rule. The first enforcement action came in February this year against the digital health company, GoodRx Holdings, Inc, which was found to have disclosed users’ health data to third-party advertising platforms such as Facebook (Meta) and Google. The FTC also took action against Easy Healthcare Corporation, which provides an ovulation and period tracking mobile application (Premom). In the case of Premom, health data was transferred to third parties such as Google and AppsFlyer. GoodRx agreed to settle the case and pay a $1.5 million civil monetary penalty and Easy Healthcare paid a $100,000 civil penalty.

Feedback on the Proposed Rule

The FTC provided 60 days from the date of publication in the Federal Register for the public to submit comments on the proposed changes to the Health Breach Notification Rule and the final date for submitting comments was August 8, 2023. 117 individuals and organizations submitted comments on the proposed changes, with the FTC broadly praised for updating the rule. Some of the key points from the submitted comments are detailed below.

User Consent and Transparency

Mozilla, the developer of the Firefox Internet browser, broadly supports the proposed changes. Mozilla expressed concern about the extent to which users are tracked online and how personally identifiable health information is already being transferred to third parties, often without the users’ knowledge or consent. Mozilla’s “Privacy Not Included” research team recently reviewed the practices of popular mental health and reproductive apps and found many indiscriminately collect and share intimate information for advertising purposes yet provide limited opportunities for consumers to object to those uses. The researchers found apps frequently made deceptive claims about data sharing, combined app user data with data collected from other sources such as social media profiles and data brokers, and oftentimes, the sensitive data collected by these apps was not appropriately secured.

Mozilla points out that its survey data revealed 55% of users said they did not understand when they had given their consent for apps to share their data, indicating either deceptive practices when obtaining consent or unclear language in the consent requests app developers present. Mozilla called for the FTC to clearly define authorization in the rule, to include the language that the FTC considered but did not include in the proposed rule, and to require user consent to be obtained before any personal information is collected.

Mozilla also suggested the FTC require companies to honor browser-based opt-out signals such as the Global Privacy Control (GPC) when determining whether they have authorization to share data under the rule, since individuals are likely to want to make a simple and clear decision about the sharing of their health data. Like several other commenters, Mozilla said the rule needs a definition of ‘acquisition’; in Mozilla’s view it should cover any use of or access to information derived from health data by a third party, not just wholesale transfer, aligning the definition with the California Privacy Rights Act. This appears to be a contentious point, and is not supported by the Consumer Technology Association, for example (see below).

Unintended Consequences of Electronic Breach Notifications

The Identity Theft Resource Center (ITRC), a national nonprofit organization established to minimize identity risk and mitigate the impact of identity compromise and crime, broadly praised the FTC’s efforts to update the rule but warned that allowing increased use of electronic notifications about data breaches could have a negative effect due to the potential for significant data breaches to escape public scrutiny. The ITRC suggested a change in the language of the rule to make it clear that organizations subject to the rule must comply with applicable state laws that require broader public notice.

As data breach reporting by the ITRC and The HIPAA Journal shows, consumers are often given little information about the nature and root cause of a breach, such as whether data was obtained by a ransomware group and posted on a dark web data leak site. Consumers are often told that an unauthorized third party may have viewed or obtained their data even when data theft and dark web publication have been confirmed. The ITRC noticed this growing trend starting in late 2021, and the breach notifications required under HIPAA increasingly provide consumers with little or no actionable information. The FTC was praised for expanding the content requirements for notifications, which would require consumers to be advised, in plain language, about the potential harms from a data breach.

Clearer Requirements for Sexual and Reproductive Health Information

The Planned Parenthood Federation of America is a trusted voice for sexual and reproductive health and a leading advocate for policies advancing access to sexual and reproductive health care. Planned Parenthood is a strong believer that data related to accessing health care should not be used by government entities or others hostile to sexual and reproductive health care. Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, this has become an even more pressing concern as there are genuine fears that health data will be sought to punish individuals for seeking or obtaining reproductive health care.

Planned Parenthood expressed concern that consumers may avoid using health apps out of fear that their privacy may be at risk, given the criminalization of abortion, gender-affirming care, and contraception in some states. This could create a culture of fear around using health applications when technology should be able to be used safely without fear that sensitive data is being moved or sold without knowledge or consent.

The efforts of the FTC to improve health information privacy were praised by Planned Parenthood, which made several recommendations to further improve privacy, specifically the privacy of reproductive health information. In addition to the FTC’s definitions for ‘healthcare provider’ and ‘health care services or supplies’ in the proposed rule, Planned Parenthood recommends the FTC include explicit language that protects people’s sexual and reproductive health care data.

Planned Parenthood suggests the FTC’s definition of ‘PHR identifiable information’ should include a more explicit reference to sexual and reproductive health due to the sensitivity of that information, such as “…relates to the past, present, or future physical, sexual, reproductive, or mental health or condition of an individual,” and also include broad definitions for “sexual” and “reproductive” health. By including these definitions, the FTC Health Breach Notification Rule would be consistent with OCR’s proposed changes to the HIPAA Privacy Rule for improving reproductive health information privacy relating to data collected by HIPAA-regulated entities.

Ensure Data Brokers are Covered by the Rule

The U.S. Public Interest Research Group (U.S. PIRG), a public interest research and advocacy organization, submitted with its comments a 9,659-signature petition from its members and the general public calling for stronger rules to protect digital health information.

U.S. PIRG broadly supports the proposed changes and believes it is appropriate for the rule to apply to the type of information that entities may process, regardless of whether they brand themselves as health-related companies or not. U.S. PIRG has called for the FTC to ensure that data brokers are included in the rule, as they can pull in large amounts of data about consumers and can aggregate health signals. The data broker and AdTech firm Tremor was offered as an example. Tremor offers over 400 standard health segments that may be used by its clients to deliver targeted advertising. U.S. PIRG also believes the definition of ‘breach of security’ should include an entity collecting more information than is necessary to serve the purpose for which it was collected.

Personal Health Record Should Align with Protected Health Information Definition

The Healthcare Information and Management Systems Society (HIMSS) praised the FTC for the update and clarification on how the rule applies to today’s technologies but points out that privacy and security are not only about avoiding breaches but also about ensuring information is private and secure in the first place. HIMSS encourages the FTC to explore and encourage proactive, rather than reactive, privacy and security practices in future rulemaking cycles.

HIMSS recommends the FTC align the proposed definition of PHR with the definition of protected health information in HIPAA. This would help to ensure that all health data is covered by the rule, regardless of how that information is transmitted. To make it easier for breaches to be reported without unnecessary delay, HIMSS suggests the FTC create an easily accessible, user-friendly, interactive form on its website for directly reporting breaches and other suspected violations of the Rule to the FTC.

Expansion of PHR and Breach of Security Definitions

The American Medical Informatics Association (AMIA) recommends that usernames and passwords maintained by non-HIPAA-regulated entities be explicitly included as PHR identifiable health information, and that a breach of security be presumed when a PHR vendor or PHR-related entity has failed to adequately disclose to individuals how their data will be accessed, processed, used, reused, or disclosed. AMIA also points out that for the rule to act as a deterrent to poor data management, it must be rigorously enforced, and enforcement must be sufficiently stringent and appropriate to compel the secure and responsible management of health data.

Abandon Health Care Provider Definition

While the FTC has been broadly praised for the proposed update, the FTC has been warned about some of the unintended consequences of some of the proposed changes. Multiple commenters, including the American Medical Association (AMA), take issue with the definition of ‘health care provider’ in the rule. The rule does not apply to HIPAA-covered entities, and to include a definition of ‘health care provider’ could easily result in confusion, since a health care provider is widely regarded by the public as an entity that provides medical care or health care. This issue was also raised by the Texas Medical Association (TMA) in its comments.

“The AMA strongly urges the Commission to abandon this highly ambiguous and potentially harmful definition. To lump together apps such as FitBit and Flo, in the same regulatory definition as physicians, is a disservice to consumers of public health and the industry as a whole.” The AMA suggests creating a more appropriate definition for apps, tracking devices, and other covered technologies, removing ‘health care provider’ and instead using a more appropriate descriptive term such as “health apps and diagnostic tool services.” Both the AMA and TMA also recommend removing ‘health care provider’ from the PHR identifiable health information definition, and instead using the term HIPAA-covered entity.

The AMA also makes a good point about the definition of a PHR which includes the phrase, “has the technical capacity to draw information from multiple sources.” The AMA suggests the definition be broadened to also include “when an app only draws health information from one place but extracts non-health information drawn from other sources, as well as when a PHR only draws identifiable health information from one place with non-identifiable health information coming from others.”

Such a change would give individuals more confidence in using PHRs and health apps without having to worry about making a change in the settings that could cause the app to no longer qualify as a PHR, which would remove protections under the rule.

The option of electronic notifications was praised as the aim should be to ensure notification as fast as possible. The AMA suggests that PHR users should be required to choose two methods of notification, in addition to postal notices, that best suit their lifestyle, as that will ensure notifications reach them quickly.

Proposed Rule Goes Too Far

The Consumer Technology Association (CTA) believes the proposed rule should be narrowed considerably and suggests the scope of the parties subject to the rule is not consistent with the HITECH Act. The CTA recommends that covered entities should be limited and should not include “merchants that may sell a variety of products that include health-related products, focusing on apps that actually gather health-related information from multiple sources, and excluding service providers such as cloud computing providers, analytics providers, and advertising providers, particularly when they do not target or are unaware of receiving covered health data.”

The CTA also recommends narrowing the scope of a ‘breach of security’ to the acquisition of covered health data, excluding inadvertent or good faith unauthorized access or disclosure when no data was actually obtained by a third party. The CTA also takes issue with the timescales and content of notifications. Rather than a notification period of 60 days from the date of discovery of a breach, the CTA recommends requiring a company to report the breach and issue notifications when it has been reasonably determined that a breach of security has occurred. This would allow companies to devote all their resources to investigating breaches and would harmonize the rule with state breach reporting laws.

The CTA also recommends simplifying consumer notice content and focusing on providing consumers with actionable information. Companies should not be required to speculate about the harms that could potentially result from a breach, nor should they be required to provide a list of entities that obtained health data. “Requiring an explanation of potential, speculative harm will create consumer confusion, further misinformation, and encourage unnecessary litigation,” wrote the CTA. Having to list companies that obtained a consumer’s PHR identifiable health information may interfere with investigatory efforts, including law enforcement inquiries or other internal investigations, and could also invite litigation against those entities. Since not all of the proposed content for notifications is actionable, including ‘speculative’ information may only serve to alarm and confuse consumers.

Viewpoints from The HIPAA Journal

The HIPAA Journal supports the FTC’s efforts to update the Health Breach Notification Rule to plug notification gaps and ensure that consumers are provided with timely notifications whenever their health data has been impermissibly disclosed. As various studies have demonstrated, companies not covered by HIPAA have not been adequately protecting health data and have been disclosing health information without the knowledge of the subjects of that data.

Once established, the updated rule – and the FTC Act – should be rigorously enforced to ensure they serve as a deterrent against the improper sharing of sensitive health data, whether deliberate or accidental. The FTC should also work closely with OCR to ensure that there are no regulatory gaps and that all health data is protected, no matter who collects the information. In the event of an impermissible disclosure of health information of any kind, consumers need to be informed as quickly as possible.

There has been a growing trend in breach notifications from HIPAA-regulated entities where the date of discovery of a breach is taken as the date when the forensic investigation confirms protected health information has been breached, which may be several months after the date that a security breach was discovered. The deadline for reporting should align with the HIPAA Breach Notification Rule, and allowing electronic notifications should speed up the notification process and help to ensure that timely notifications are issued. The FTC should ensure that the reporting deadline is enforced. The HIPAA Journal shares the view of the ITRC regarding the potential for serious data breaches to escape public scrutiny with electronic notifications. Maintaining a public record of data breaches, as the Office for Civil Rights does with data breaches at HIPAA-regulated entities, would solve this problem. The proposed rule rightly includes content requirements for notifications.

It is important to provide consumers with actionable information about a data breach and to clearly explain how risk can be reduced. In order for consumers to be able to make accurate decisions about the actions they should take in response to a breach, they should be advised about the potential harms. If companies are concerned about the potential for litigation from explaining the harms that can be caused by a data breach, they may be more inclined to implement appropriate data security measures to prevent data breaches from occurring in the first place.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Views on FTC’s Proposed Health Breach Notification Rule Update appeared first on HIPAA Journal.

Federal Judge Tentatively Advances Meta Pixel Medical Privacy Class Action

A class action lawsuit against Meta over the disclosure of health data to the social media giant has been allowed to proceed by a federal judge. The judge issued a tentative order allowing the lawsuit to advance for several of the claims made by the plaintiffs; however, the number of claims has been reduced by around half.

The consolidated lawsuit, John Doe v Meta Platforms Inc., filed in the U.S. District Court for the Northern District of California, alleges the plaintiffs and class members had their medical privacy violated by Facebook’s Meta Pixel tracking tool. The lawsuit alleges that Meta knew, or should have known, that the Pixel tool was being used improperly on the websites of hospitals. The lawsuit alleges at least 664 hospital systems and medical providers were sending medical information to Facebook through the Meta Pixel tool. According to the lawsuit, the improper use of the tracking tool resulted in “the wrongful, contemporaneous, re-direction to Facebook of patient communications to register as a patient, sign-in or out of a supposedly “secure” patient portal, request or set appointments, or call their provider via their computing device.” The data was then used to create and serve individuals with personalized ads.

As the HHS’ Office for Civil Rights confirmed in 2022 guidance on HIPAA and tracking technologies, these tools can only be used if there is a HIPAA-compliant business relationship with the tracking technology vendor or if valid HIPAA authorizations have been obtained. Since Meta is not a business associate and there were no HIPAA authorizations, the disclosures were impermissible under HIPAA.
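Before a covered entity can assess whether disclosures like those alleged above are happening on its own portal, it has to know whether the Pixel is present and which events it is configured to send. The following scanner is an added example, not code from the lawsuit, from Meta, or from HIPAA Journal. It parses static HTML for the publicly documented Meta Pixel signatures: the fbevents.js loader from connect.facebook.net, fbq('init' / 'track' / 'trackCustom') calls, and the <noscript> image beacon to www.facebook.com/tr. The sample portal page, its pixel ID and its event names are constructed for this example; a real audit would feed it the rendered HTML of every authenticated page (portal login, appointment scheduling, registration), since those are the pages where a Pixel would be sending PHI-bearing context to a vendor that is not a business associate.

```python
"""Audit HTML for the Meta Pixel and report what it is configured to send.

Added example; not code from Meta, the plaintiffs, or HIPAA Journal.
Signatures checked (all publicly documented pixel behaviour):
  * loader script  https://connect.facebook.net/<locale>/fbevents.js
  * fbq('init', '<pixel id>') / fbq('track', '<event>') / fbq('trackCustom', '<event>')
  * noscript beacon <img src="https://www.facebook.com/tr?id=...&ev=...">
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

PIXEL_LOADER_HOST = "connect.facebook.net"
PIXEL_BEACON_HOST = "www.facebook.com"
LOADER_RE = re.compile(r"https?://connect\.facebook\.net/\S*?fbevents\.js")
FBQ_CALL_RE = re.compile(
    r"""fbq\(\s*['"](init|track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]"""
)


class PixelScanner(HTMLParser):
    """Collects (kind, detail) findings while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        if tag == "script":
            self._in_script = True
            if urlsplit(src).hostname == PIXEL_LOADER_HOST:
                self.findings.append(("loader", src))
        elif tag == "img":
            parts = urlsplit(src)
            if parts.hostname == PIXEL_BEACON_HOST and parts.path == "/tr":
                q = parse_qs(parts.query)
                pixel_id = q.get("id", ["?"])[0]
                event = q.get("ev", ["?"])[0]
                self.findings.append(("beacon", f"id={pixel_id} ev={event}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here; the standard pixel snippet builds the
        # loader <script> dynamically, so the loader URL is only visible as text.
        if not self._in_script:
            return
        for url in LOADER_RE.findall(data):
            self.findings.append(("loader", url))
        for action, arg in FBQ_CALL_RE.findall(data):
            self.findings.append((f"fbq:{action}", arg))


def scan_page(html: str, authenticated: bool) -> dict:
    """Scan one page. `authenticated` marks pages reachable only after login,
    i.e. pages whose events carry patient context and therefore PHI."""
    scanner = PixelScanner()
    scanner.feed(html)
    scanner.close()
    kinds = {kind for kind, _ in scanner.findings}
    pixel_present = bool(kinds & {"loader", "fbq:init", "beacon"})
    return {
        "pixel_present": pixel_present,
        "pixel_ids": sorted({arg for k, arg in scanner.findings if k == "fbq:init"}),
        "events": sorted({arg for k, arg in scanner.findings
                          if k in ("fbq:track", "fbq:trackCustom")}),
        "findings": scanner.findings,
        # Per the OCR tracking-technology guidance: a pixel on a page that
        # handles PHI, sending to a vendor without a BAA or patient
        # authorization, is an impermissible disclosure.
        "phi_exposure_risk": authenticated and pixel_present,
    }


# Constructed sample: a fictional patient-portal page with the standard pixel
# snippet. The pixel ID and event names are made up for this example.
SAMPLE_PORTAL_HTML = """<!doctype html><html><head><title>Patient Portal</title>
<script>
!function(f,b,e,v,n,t,s){/* pixel bootstrap elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
fbq('trackCustom', 'AppointmentRequest', {dept: 'oncology'});
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Schedule an appointment</h1></body></html>"""


if __name__ == "__main__":
    result = scan_page(SAMPLE_PORTAL_HTML, authenticated=True)
    for kind, detail in result["findings"]:
        print(f"{kind:16} {detail}")
    print("pixel IDs:", result["pixel_ids"])
    print("events sent:", result["events"])
    print("PHI exposure risk:", result["phi_exposure_risk"])
```

The scanner deliberately flags the noscript beacon separately: sites that "remove" the pixel by deleting the script often leave the image fallback behind, which still fires a request to www.facebook.com carrying the page URL and referrer. A negative result only covers what is in the HTML it was given; tags injected by a tag manager at runtime need the rendered DOM or a proxy capture.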

Meta states in its terms and conditions that partners are required to have a lawful right to collect and share data before providing it to Meta. Meta argued that it is the responsibility of web developers to ensure that appropriate permission is obtained before Meta Pixel is used on websites and said that it explains to web developers how they can meet their legal obligations when using the Pixel tool. “There’s no statutory or common law doctrine that would allow the plaintiffs to impose liability upon Meta for the decision of third parties to send Meta data that it doesn’t want, that it has contractually barred them from sending in,” said Meta attorney, Lauren Goldman.

U.S. District Judge William Orrick III denied Meta’s motion to dismiss on several counts, allowing the lawsuit to proceed for the alleged violations of federal and state wiretap laws, as the plaintiffs had sufficiently argued that Meta had not done enough to prevent the transmission of sensitive health data. Orrick found the plaintiffs had plausibly argued that the data collection occurred in California and that Meta had not met its burden of showing that sufficient consent had been obtained for Meta to collect sensitive medical information from the healthcare providers’ websites.

The extraterritoriality, Wiretap Act, California Invasion of Privacy Act (CIPA), unjust enrichment, and larceny claims were advanced; however, Orrick granted the motion to dismiss the privacy, contract, California Comprehensive Computer Data Access and Fraud Act (CDAFA), negligence per se, trespass to chattels, Unfair Competition Law (UCL), and Consumers Legal Remedies Act (CLRA) claims. The plaintiffs’ attorneys are required to refile the lawsuit as some of the privacy claims lack sufficient detail about the types of information that were allegedly transmitted to Meta. The judge stated in the hearing on Wednesday in San Francisco federal court that a final order would be issued as soon as possible.

The post Federal Judge Tentatively Advances Meta Pixel Medical Privacy Class Action appeared first on HIPAA Journal.

Vanderbilt University Medical Center Investigated by OCR over Disclosure of Transgender Patients’ Medical Records

Vanderbilt University Medical Center is being investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) over the disclosure of the medical records of transgender patients to Tennessee Attorney General, Jonathan Skrmetti. VUMC provided the medical records of transgender patients to AG Skrmetti after receiving civil investigative demands for the data as part of an investigation into potential medical billing fraud. VUMC recently sent notifications to the affected patients informing them about the disclosure of their records, which started to be provided to AG Skrmetti in December last year.

The HIPAA Privacy Rule permits, but does not require, healthcare providers to disclose patients’ medical records for law enforcement purposes in certain circumstances, such as in response to an administrative request if the information being sought is relevant and material to a legitimate law enforcement inquiry. VUMC and AG Skrmetti both maintain that the disclosures were legal. AG Skrmetti said the records were requested in response to a run-of-the-mill investigation he was involved with. The investigation was launched in September 2022 after a VUMC doctor publicly described having manipulated medical billing codes to evade coverage limitations on gender-related treatments.

The medical record disclosures have been condemned by many members of the LGBTQ+ community. AG Skrmetti and other authorities in the state have expressed a hostile attitude regarding the rights of transgender individuals, and a federal appeals panel recently allowed a state law banning hormone therapy and puberty blockers for transgender youth to take effect. There are fears that the information disclosed may be used against the patients. Two patients recently filed a lawsuit against VUMC over the disclosures, alleging that the records of 106 patients were provided to AG Skrmetti. Given the attitude of state authorities regarding transgender rights, the patients believe VUMC should have provided de-identified data – patient data that has had all personally identifiable information removed.

VUMC’s Chief Communications Officer, John Howser, recently confirmed that VUMC is assisting OCR with a civil rights investigation over the disclosures, although he did not provide any further information as the investigation is ongoing.

The post Vanderbilt University Medical Center Investigated by OCR over Disclosure of Transgender Patients’ Medical Records appeared first on HIPAA Journal.