Healthcare Data Privacy

OCR Seeks Permanent Deputy Director for Health Information Privacy

Posted by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights has advertised for a permanent Deputy Director for Health Information Privacy. The position was posted on USAJOBS on January 14, 2019.

The last permanent Deputy Director was Deven McGraw, who left OCR in October 2017 for the private sector. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, took on the role of acting Deputy Director for Health Information Privacy but also left the post for the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018.

The role involves leading OCR’s day-to-day HIPAA privacy and security program operations, development of privacy and security policies, administrative rulemaking, interpretation of current regulations, providing technical assistance to the department’s regional offices, and coordinating HIPAA Privacy and Security Rule compliance activities to ensure consistent application of policies across all regional offices.

The Deputy Director for Health Information Privacy is a key player in the development of departmental policies, legislative, and regulatory proposals, and special OCR initiatives to ensure health information is protected and remains private.

The role involves advising OCR Director Roger Severino and senior OCR officials on HIPAA policies and application of those policies. The successful applicant will be required to work closely with the OCR Director and assist with the planning, organization, and formulation of policies and procedures for OCR and health privacy and security policies across the HHS.

According to the posting, the Deputy Director represents the Director and OCR on health information privacy and security matters and coordinates work where problems and issues involve more than one component of the HHS. The Deputy Director is also required to maintain relationships concerning health information privacy and security issues at a number of senior management levels.

Applications are being accepted until February 5, 2019.

The post OCR Seeks Permanent Deputy Director for Health Information Privacy appeared first on HIPAA Journal.

Advertising Expenditures Increase 64% Following a Healthcare Data Breach

Posted by HIPAA Journal

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach.

Healthcare Data Breaches Are the Costliest to Mitigate

Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. According to the Ponemon Institute/IBM Security’s 2018 cost of a data breach study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors.

In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen.

The Ponemon Institute study revealed healthcare organizations have a high churn rate after a breach. At 6.7%, it is higher than the financial sector (6.1%), services (5.2%), energy (3.0%) and education (2.7%).

Hospitals’ Advertising Expenditure Increases 64% Following a Data Breach

In a recent study, Sung J. Choi, PhD and M. Eric Johnson, PhD., investigated how advertising expenditures at hospitals changed following a data breach.

The study, which was recently published in the American Journal of Managed Care, revealed hospitals increase advertising spending by an average of 64% in the year following a data breach. Advertising expenditures were found to be 79% higher over the two-year period following a data breach.

The researchers note that breached hospitals were most likely to be large or teaching hospitals located in urban settings. Hospitals that experienced data breaches had an average of 566 beds and were typically located in areas where there were other hospitals and, consequently, high competition for patients.

Hospitals in the control group that had not experienced a data breach spent an average of £238,000 on advertising each year, whereas hospitals that experienced data breaches spent an average of $817,205 on advertising in the year following a breach – Almost three times as much as the control group. An average of $1.75 million was spend on advertising in the two years following a breach.

The researchers suggest that the increase in spending is an attempt to minimize patient loss to competitors and to help repair hospitals’ reputations.

The researchers note that the data from the study came from 2011-2014 before ransomware attacks on hospitals became common. Given how much more these types of data breaches disrupt medical services provided by hospitals, advertising spending may be even higher following these types of breaches.

“Advertising and the efforts to fix the damages from a data breach increase healthcare costs and may divert resources and attention away from initiatives to improve care quality,” wrote the researchers. “Advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.”

The post Advertising Expenditures Increase 64% Following a Healthcare Data Breach appeared first on HIPAA Journal.

Summary of 2018 HIPAA Fines and Settlements

Posted by HIPAA Journal

This post summarizes the 2018 HIPAA fines and settlements that have resulted from the enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

Another Year of Heavy OCR HIPAA Enforcement

In 2016, there was a significant increase in HIPAA files and settlements compared to the previous year. In 2016, one civil monetary penalty was issued by OCR and 12 settlements were agreed with HIPAA covered entities and their business associates. In 2015, OCR only issued 6 financial penalties.

The high level of HIPAA enforcement continued in 2017 with 9 settlements agreed and one civil monetary penalty issued.

While there were two settlements agreed in February 2018 to resolve HIPAA violations, there were no further settlements or penalties until June. By the end of the summer it was looking like OCR had eased up on healthcare organizations that failed to comply with HIPAA Rules.

However, in September, a trio of settlements were agreed with hospitals that had allowed a film crew to record footage of patients without first gaining consent. Further settlements were agreed in October, November, and December and OCR finished the year on one civil monetary penalty and 9 settlements to resolve HIPAA violations.

Summary of 2018 HIPAA Fines and Settlements

While 2018 was not a record-breaking year in terms of the number of financial penalties for HIPAA violations, it was a record-breaker in terms of the total penalty amounts paid. OCR received $25,683,400 in financial penalties in 2018. The mean financial penalty was $2,568,340.

2018 HIPAA fines and penalties total

The median HIPAA fine in 2018 was $442,000: Much lower than 2017 median of $2,250,000. It was also the lowest median fine amount of the last 5 years, although 2018 did see the largest ever HIPAA violation penalty.

In October 2018, Anthem Inc., settled its HIPAA violation case with OCR for $16,000,000. The massive fine was due to the extent of the HIPAA violations discovered by OCR and the scale of its 2015 data breach, which saw the protected health information of around 78,800,000 plan members stolen by hackers.

2018 HIPAA Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
February 2018 Fresenius Medical Care North America $3,500,000 Settlement Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards
February 2018 Filefax, Inc. $100,000 Settlement Impermissible disclosure of PHI
June 2018 University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty Impermissible disclosure of ePHI; No Encryption
September 18 Massachusetts General Hospital $515,000 Settlement Filming patients without consent
September 18 Brigham and Women’s Hospital $384,000 Settlement Filming patients without consent
September 18 Boston Medical Center $100,000 Settlement Filming patients without consent
October 2018 Anthem Inc $16,000,000 Settlement Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access
November 2018 Allergy Associates of Hartford $125,000 Settlement PHI disclosure to reporter; No sanctions against employee
December 2018 Advanced Care Hospitalists $500,000 Settlement Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014
December 2018 Pagosa Springs Medical Center $111,400 Settlement Failure to terminate employee access; No BAA

State Attorneys General HIPAA Enforcement Activities

It is difficult to obtain meaningful statistics on HIPAA fines and settlements by state attorneys general. While state attorneys general can issue fines for violations of HIPAA Rules, in many cases, financial penalties instead issued for violations of state laws. That said, 2018 did see a major increase in HIPAA enforcement activity by state attorneys general.

There were 12 HIPAA-related financial penalties issued in 2018 by state attorneys general. The New Jersey attorney general was the most active HIPAA enforcer behind OCR with 4 HIPAA fines, followed by New York with 3, Massachusetts with 2, and 1 financial penalty issued by each of Connecticut, District of Columbia, and Washington.

The largest attorney general HIPAA fine of 2018 – Aetna’s $1,150,000 penalty – was issued by New York. Aetna was also fined a total of $640,171 in a multi-state action by Connecticut, New Jersey, Washington, and the District of Columbia. Washington has yet to agree to a settlement amount with Aetna.

EmblemHealth was fined a total of $675,000 for a 2016 data breach: $575,000 by New York and $100,000 by New Jersey.

State Covered Entity Amount State Residents Affected
Massachusetts McLean Hospital $75,000 1,500
New Jersey EmblemHealth $100,000 6,443
New Jersey Best Transcription Medical $200,000 1,650
Washington Aetna TBA* 13,160 (multi-state total)
Connecticut Aetna $99,959 13,160 (multi-state total)
New Jersey Aetna $365,211.59 13,160 (multi-state total)
District of Columbia Aetna $175,000 13,160 (multi-state total)
Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000
New York Arc of Erie County $200,000 3,751
New Jersey Virtua Medical Group $417,816 1,654
New York EmblemHealth $575,000 81,122
New York Aetna $1,150,000 13,160 (multi-state total)

*Washington yet to determine settlement amount

The post Summary of 2018 HIPAA Fines and Settlements appeared first on HIPAA Journal.

IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity

Posted by HIPAA Journal

The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued an alert about increased Chinese malicious cyber activity targeting IT service providers such as Managed Service Provider (MSPs), Managed Security Service Providers (MSSPs), Cloud Service Providers (CSPs) and their customers.

The attacks take advantage of trust relationships between IT service providers and their customers. A successful cyberattack on a CSP, MSP or MSSP can give the attackers access to healthcare networks and sensitive patient data.

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued technical details on the tactics and techniques used by Chinese threat actors to gain access to services providers’ networks and the systems of their customers.

The information has been shared to allow network defenders to take action to block the threats and reduce exposure to the Chinese threat actors’ activities. Guidance has been released for IT service providers and their customers on the steps that should be taken to improve security to prevent successful attacks. While a range of mitigations have been specified, there is no single solution that will work for all organizations and mitigating these malicious activities can be a complex process.

Advice for Customers of IT Service Providers

Healthcare organizations that utilize IT service providers are advised to:

  • Ensure their providers have conducted a review to determine if there is a security concern or has been a compromise
  • Ensure their IT service providers have implemented solutions and tools to detect cyberattacks.
  • Review and verify connections between healthcare systems and those used by IT service providers.
  • Verify all IT service provider accounts are being used for appropriate purposes.
  • Disable IT service provider accounts when they are not in use.
  • Ensure business associate agreements require IT service providers to implement appropriate security controls, require logging and monitoring of client systems and connections to their networks, and the need to promptly issue notifications when suspicious activity is detected.
  • Integrate system log files and network monitoring data into intrusion detection and security monitoring systems for independent correlation, aggregation and detection.
  • Ensure service providers view US-CERT pages related to APT groups targeting IT service providers, specifically TA-18-276A and TA-18-276B.

Advice for IT Service Providers

IT service providers have been advised to take the following actions to mitigate the risk of cyberattacks:

  • Ensure the mitigations detailed in US-CERT alerts are fully implemented.
  • Ensure the principle of least privilege is applied to their environments, customers’ data are logically separated, and access to clients’ networks is not shared.
  • Implement advanced network and host-based monitoring systems that look for anomalous behavior that could indicate malicious activity.
  • Aggregate and correlate log information to maximize the probability of detection of malicious activity and account misuse.
  • Work closely with customers to ensure that all hosted infrastructure is carefully monitored and maintained.

The post IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity appeared first on HIPAA Journal.

HHS Publishes Cybersecurity Best Practices for Healthcare Organizations

Posted by HIPAA Journal

The U.S. Department of Health and Human Services has issued voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients.

Healthcare technologies are essential for providing care to patients, yet those technologies introduce risks. If those risks are not properly managed they can result in disruption to healthcare operations, costly data breaches, and harm to patients.

The HHS notes that $6.2 billion was lost by the U.S. Health Care System in 2016 as a result of data breaches and 4 out of 5 physicians in the United States have experienced some form of cyberattack. The average cost of a data breach for a healthcare organization is now $2.2 million.

“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

The guidance and best practices – Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patientswere developed in response to a mandate in the Cybersecurity Act of 2015 Section 405(d) to issue practical guidelines to help healthcare organizations cost-effectively reduce healthcare cybersecurity risks.

The guidance was developed over two years with assistance provided by more than 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine.

Two technical volumes have also been published that outline cybersecurity best practices for healthcare organizations tailored to the size of the organization: One for small healthcare providers such as clinics and a second volume for medium healthcare organizations and large health systems. The documents contain a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes.

The aim of the guidance and best practices is threefold: To help healthcare organizations reduce cybersecurity risks to a low level in a cost-effective manner, to support the voluntary adoption and implementation of Cybersecurity Act recommendations, and to provide practical, actionable, and relevant cybersecurity advice for healthcare organizations of all sizes.

The guidance aims to raise awareness of cybersecurity threats to the healthcare sector and help healthcare organizations mitigate the most impactful cybersecurity threats: Email phishing attacks, ransomware attacks, loss/theft of equipment and data, accidental and intentional insider data breaches, and medical device attacks that could affect patient safety.

Ten cybersecurity practices are detailed in the technical volumes to mitigate the above threats in the following areas:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

A “cybersecurity practices assessments toolkit” has also been made available to help healthcare organizations prioritize threats and develop action plans to mitigate those threats.

Over the next few months, the HHS will be working closely with industry stakeholders to raise awareness of cybersecurity threats and implement the best practices across the health sector.

The post HHS Publishes Cybersecurity Best Practices for Healthcare Organizations appeared first on HIPAA Journal.

What is Texas HB 300?

Posted by HIPAA Journal

What is Texas HB 300, who is required to comply with the legislation, and what are the penalties for noncompliance? This article answers these and other important questions about Texas HB 300.

What is Texas HB 300?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets minimum privacy and security standards for healthcare organizations. HIPAA naturally covers healthcare organizations based in Texas, but they also must comply with state laws. Texas has some of the most stringent laws in the United States as far as health data is concerned which are detailed in Texas HB 300 (Texas House Bill 300).

Texas HB 300 was passed by the Texas legislature in June 2011 and was signed into law by Texas Governor Rick Perry. The compliance date for Texas HB 300 was September 1, 2012.

Texas HB 300 amended four laws in Texas: The Texas Health Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602) and introduced tougher privacy protections for health data than HIPAA.

Who is Required to Comply with Texas HB 300?

Compliance with Texas HB 300 is mandatory for all covered entities that are based in Texas or do business with Texas residents. Covered entities under Texas HB 300 differ from covered entities as defined in HIPAA.

Texas HB 300 expanded the HIPAA definition of covered entity (healthcare providers, health plans, and healthcare clearing houses) to include any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits protected health information in any form.

Texas HB 300 therefore applies to all healthcare organizations, including those that are not covered by HIPAA, and also lawyers, schools, universities, researchers, accountants, Internet service providers, IT service providers, government agencies, and individuals who maintain a website that collects, stores, or interacts with PHI.

Texas HB 300 Exemptions

The only entities not required to comply with Texas HB 300 are:

  • Not-for-profit agencies that pay for healthcare services or prescription drugs for indigent persons if the primary business of the agency is not the provision of healthcare services or reimbursement for healthcare services.
  • Workers’ compensation insurance and any entity or individual who acts in connection with the provision, support, administration, or coordination of benefits under a self-insured workers’ compensation program.
  • Employee benefit plans and entities or individuals that act in connection with those plans
  • Entities or individuals that provide, administer, support, or coordinate benefits associated with compensation for victims of crime.
  • Processing of certain payment transactions by financial institutions and education records covered by the Family Educational Rights and Privacy Act of 1974.

Texas HB 300 and Electronic Health Records

Texas HB 300 introduced new standards for handling electronic health records. A covered entity is prohibited from using PHI for any reason other than the provision of treatment, payment for healthcare, or insurance purposes unless, prior to the disclosure of PHI, the covered entity has obtained written authorization from an individual to disclose their PHI.

HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request and those requests must be honored within 30 days of the request being submitted. Texas HB 300 requires covered entities to provide copies of PHI much more rapidly – Within 15 days of a written request being received.

Texas HB 300 Training for All Employees Who Handle PHI

All employees who are required to handle PHI or sensitive personal information (SPI), or are likely to encounter PHI, are required to undergo formal privacy training within 60 days of commencing employment. In contrast to HIPAA, which does not stipulate how often additional training must be provided, Texas HB 300 requires additional privacy training to be provided at least every two years. Training sessions need to be tailored to the role and responsibilities of the employee. All training must be documented and employees are required to sign to confirm that they have received the training.

What are the Texas HB 300 Penalties for Noncompliance?

The penalties for noncompliance with Texas HB 300 are severe. The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation. State licenses can also be revoked in cases where an entity or individual has demonstrated continued noncompliance.

As with HIPAA, the penalties for noncompliance with Texas HB 300 are broken down into tiers:

Tier 1: Up to $5,000 per violation, per year, for violations due to negligence

Tier 2: Up to $25,000 per violation, per year, for a knowing or intentional violation

Tier 3: Up to $250,000 per violation, per year, for an intentional violation for financial gain

The maximum financial penalty is $1.5 million per year in cases where there has been a pattern of noncompliance.

The level of the financial penalty is dictated by the severity of the violation, whether there has been a history of noncompliance, the measures taken to correct the violation, and whether harm has been caused as a result of the violation.

The post What is Texas HB 300? appeared first on HIPAA Journal.

Most Common Security Weaknesses in Healthcare Identified

Posted by HIPAA Journal

The most common security weaknesses in healthcare have been identified by Clearwater. Clearwater analyzed data from IRM analyses conducted over the past six years. Millions of risk records were assessed from hospitals, Integrated Delivery Networks, and business associates of those entities to identify the most common security vulnerabilities in healthcare.

The analysis revealed almost 37% of high and critical risks were in three areas:

  • User authentication
  • Endpoint leakage
  • Excessive user permissions

The most common security weaknesses in healthcare were deficiencies in user authentication. These are failures to correctly authenticate users and verify the level of access that users should have to an organization’s resources. These deficiencies include the use of default passwords and generic user IDs, writing down passwords and posting them on computer monitors or hiding them under keyboards, and the transmission of user credentials via email in plain text.

User authentication deficiencies were most commonly associated with servers and SaaS solutions. Clearwater also notes that more than 90% of healthcare organizations said they had password/token management policies and procedures, but in many cases the technical implementation of procedures was found to be lacking.

Clearwater recommends enforcing the use of strong passwords, enabling single sign-on, and implementing rate limiting to lock accounts after a set number of failed login attempts. Of the organizations that had user authentication deficiencies, 84.4% had deficiencies in password requirements, 52.2% failed to implement single sign-on, and 40.4% had not implemented rate limiting.

The cybersecurity best practice of limiting the use of admin accounts and restricting the systems and data that end users can access was often not adopted by healthcare organizations.

The failure to restrict access to drives and networks not required by users to perform their work duties increases risk. By restricting user permissions, if credentials are compromised, the damage that can be caused will be restricted. Healthcare organizations should adopt the principle of least privilege and should only give users access to data and networks that they require to perform their work duties.

The post Most Common Security Weaknesses in Healthcare Identified appeared first on HIPAA Journal.

NIST Releases Final Version of Risk Management Framework Update

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) has released the final version of its updated Risk Management Framework (RMF 2.0).

RMF 2.0 (SP 800-37 Revision 2: Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) addresses privacy and security concerns in IT risk management.

One key change in the updated version of the RMF is the introduction of a ‘Prepare’ step. This additional step involves assigning responsibilities to specific individuals, enabling enterprise-wide privacy and security controls, eliminating unnecessary functions, publishing common controls, prioritizing resources for high value assets, and establishing communication channels to ensure effective communication between the C-Suite and employees. The ‘Prepare’ step, which comes before the Categorize step, was introduced to help organizations “achieve more effective, efficient, and cost-effective security and privacy risk management processes.”

RMF 2.0 requires maximum use of automation in executing the framework rules to allow continuous assessment and monitoring of privacy and security controls, and the preparation of authorization packages for timely decision making.

NIST has listed seven main objectives for the updated RMF. By achieving some or all of the objectives listed below, execution of the RMF will be simplified, organizations will be able to employ innovative approaches for risk management, and will increase the level of automation for risk management-related tasks.

The seven objectives are:

  • To achieve closer linkage and communication between the risk management processes and activities at the C-suite and the individuals, processes, and activities at the system and operational level of the organization.
  • To institutionalize critical risk management preparatory activities at all risk management levels.
  • To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using current NIST risk management processes.
  • To integrate privacy risk management processes into the RMF
  • To promote the development of secure software and systems through the alignment of life cycle-based systems engineering processes.
  • To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC.
  • To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the NIST consolidated control catalog (SP 800-53, Revision 5).

The Office of Management and Budget (OMB) requires all states and agencies to follow RMF 2.0 to manage security and privacy risks. RMF 2.0 allows them to manage privacy and security risk in a single, unified framework.

According to NIST fellow, Ron Ross, “[RMF 2.0] ensures the term compliance means real cybersecurity and privacy risk management – not just satisfying a static set of controls in a checklist.”

The post NIST Releases Final Version of Risk Management Framework Update appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2018

Posted by HIPAA Journal

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records.

2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records.

A Bad Year for Healthcare Data Breaches

As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records.

It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017.

In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in the exposure of 5,138,179 healthcare records.

The Largest Healthcare Data Breaches of 2018

Listed below is a summary of the largest healthcare data breaches of 2018. A brief description of those breaches has been listed below.

At the time of writing, OCR is still investigating all but one of the breaches listed below. Only the LifeBridge Health breach investigation has been closed.

Rank

 

 Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 AccuDoc Solutions, Inc. Business Associate 2,652,537 Hacking/IT Incident
2 UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident
3 Employees Retirement System of Texas Health Plan 1,248,263 Unauthorized Access/Disclosure
4 CA Department of Developmental Services Health Plan 582,174 Theft
5 MSK Group Healthcare Provider 566,236 Hacking/IT Incident
6 CNO Financial Group, Inc. Health Plan 566,217 Unauthorized Access/Disclosure
7 LifeBridge Health, Inc Healthcare Provider 538,127 Hacking/IT Incident
8 Health Management Concepts, Inc. Business Associate 502,416 Hacking/IT Incident
9 AU Medical Center, INC Healthcare Provider 417,000 Hacking/IT Incident
10 SSM Health St. Mary’s Hospital – Jefferson City Healthcare Provider 301,000 Improper Disposal
11 Oklahoma State University Center for Health Sciences Healthcare Provider 279,865 Hacking/IT Incident
12 Med Associates, Inc. Business Associate 276,057 Hacking/IT Incident
13 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure
14 MedEvolve Business Associate 205,434 Unauthorized Access/Disclosure
15 HealthEquity, Inc. Business Associate 165,800 Hacking/IT Incident
16 St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134,512 Hacking/IT Incident
17 New York Oncology Hematology, P.C. Healthcare Provider 128,400 Hacking/IT Incident
18 Boys Town National Research Hospital Healthcare Provider 105,309 Hacking/IT Incident

 

Causes of the Largest Healthcare Data Breaches of 2018

Further information on the causes of the largest healthcare breaches of 2018.

AccuDoc Solutions, Inc.

Morrisville, NC-based AccuDoc Solutions, a billing company that operates the online payment system used by Atrium Health’s network of 44 hospitals in North Carolina, South Carolina and Georgia, discovered that some of its databases had been compromised between September 22 and September 29, 2018. The databases contained the records of 2,652,537 patients. While data could have been viewed, AccuDoc reports that the databases could not be downloaded. Not only was this the largest healthcare data breach of 2018, it was the largest healthcare data breach to be reported since September 2016.

UnityPoint Health

A UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled in a business email compromise attack. A trusted executive’s email account was spoofed, and several employees responded to the messages and disclosed their email credentials. The compromised email accounts contained the PHI of 1,421,107 individuals.

Employees Retirement System of Texas

The Employees Retirement System of Texas discovered a flaw in its ERS OnLine portal that allowed certain individuals to view the protected health information of other members after logging into the portal. The breach was attributed to a coding error. Up to 1,248,263 individuals’ PHI was potentially viewed by other health plan members.

CA Department of Developmental Services

The California Department of Developmental Services experienced a break in at its offices. During the time the thieves were in the offices they potentially accessed the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of 582,174 patients.

MSK Group

Tennessee-based MSK Group, P.C, a network of orthopedic medical practices, discovered in May 2018 that hackers had gained access to its network. Certain parts of the network had been accessed by the hackers over a period of several months. The records of 566,236 patients, which included personal, health and insurance information, may have been viewed or copied by the hackers.

CNO Financial Group, Inc.

Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., discovered hackers gained access to its systems between May 30 and September 13, 2018 and potentially stole the personal information of 566,217 individuals.

LifeBridge Health, Inc

The Baltimore-based healthcare provider LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. Those systems contained the PHI of 538,127 patients.

Health Management Concepts, Inc.

Health Management Concepts discovered hackers gained access to a server used for sharing files and installed ransomware. The ransom demand was paid to unlock the encrypted files; however, HMC reported that the hackers were ‘inadvertently provided’ with a file that contained the PHI of 502,416 individuals. It is suspected that the file was unwittingly sent to the attackers to prove they could decrypt files.

AU Medical Center, INC

An Augusta University Medical Center phishing attack resulted in an unauthorized individual gaining access to the email accounts of two employees. The compromised email accounts contained the PHI of 417,000 patients.

SSM Health St. Mary’s Hospital – Jefferson City

St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility; however, on June 1, 2018, the hospital discovered administrative documents containing the protected health information of 301,000 patients had been left behind. In the most part, the breach was limited to names and medical record numbers.

Oklahoma State University Center for Health Sciences

Oklahoma State University Center for Health Sciences discovered an unauthorized individual gained access to parts of its computer network and potentially accessed files containing billing information of Medicaid patients. The breach affected 279,865 patients, although only a limited amount of PHI was accessible.

Med Associates, Inc.

The Latham, NY-based health billing company Med Associates, which provides claims services to more than 70 healthcare providers, discovered an employee’s computer has been accessed by an unauthorized individual. It is possible that the attacker gained access to the PHI of up to 276,057 patients.

Adams County

Adams County, WI, discovered hackers gained access to its network and potentially accessed the PHI and PII of 258,102 individuals. The compromised systems were used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.

MedEvolve

MedEvolve, a provider of electronic billing and record services to healthcare providers, discovered an FTP server had been left unsecured between March 29, 2018 and May 4, 2018. A file on the FTP server contained the PHI of 205,434 patients of Premier Immediate Medical Care.

HealthEquity, Inc.

HealthEquity, a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, experienced a phishing attack that resulted in hackers gaining access to the email accounts of two employees. Those accounts contained the PHI of 165,800 individuals.

St. Peter’s Surgery & Endoscopy Center

St. Peter’s Surgery & Endoscopy Center in New York discovered malware had been installed on one of its servers which potentially allowed hackers to view the PHI of 134,512 patients. The malware was discovered the same day it was installed. The fast detection potentially prevented patients’ data from being viewed or copied.

New York Oncology Hematology, P.C.

A phishing attack on New York Oncology Hematology in Albany, NY, resulted in hackers gaining access to the email accounts of 15 employees. Those accounts contained the PHI of 128,400 current and former patients and employees.

Boys Town National Research Hospital

Boys Town National Research Hospital, an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, experienced a phishing attack that allowed hackers to gain access to a single email account. The email account contained the PHI of 105,309 patients.

The post Largest Healthcare Data Breaches of 2018 appeared first on HIPAA Journal.