Healthcare Data Privacy

95% of Patients are Worried About Medical Record Breaches

Posted by Steve Alder

Given the number of healthcare data breaches that are now being reported it is no surprise that patients are concerned that their sensitive health information will be obtained by cybercriminals or leaked on the Internet. In the first half of 2023, 339 data breaches of 500 or more records had been reported to the HHS’ Office for Civil Rights, and while that represents a year-over-year decline in data breach incidents, more than 41,450,000 healthcare records have been reported as breached in the first 6 months of the year – 10 million less than the number of breached records in all of 2022.

The health information network and interoperability provider, Health Gorilla, recently conducted a study that explored patients’ views on health information privacy and data sharing. 1,213 patients were surveyed who had seen a physician at least once in the previous 12 months. 95% said they were concerned that their medical records would be stolen or leaked online, 70% of whom had extreme or moderate concerns about healthcare data breaches. More than half of respondents expressed concern about the privacy and security protections that companies that handle their health data are putting in place.

The survey also revealed there is widespread mistrust in big tech companies such as Amazon, Google, Microsoft, and Facebook, which are increasingly gaining access to healthcare information through products and services that store healthcare data. 65% of respondents said they do not trust or slightly distrust those companies. That distrust is fueled by data breaches and a lack of transparency about data handling and storage practices, and since big tech firms are heavily reliant on data monetization, there are fears that attempts may be made to commercialize the health data they store or sell that information to third parties.

Patients expressed a greater level of confidence in health data exchange facilitated by government-approved entities. 60% of respondents said they feel significantly more or much more confident about health information exchange facilitated by government-approved entities, although regardless of who is sharing or exchanging health data, there are fears that health data may be used for purposes other than the reasons for which it is being shared.

71% of respondents said they were comfortable with sharing health data with healthcare providers for treatment purposes and 39% were comfortable with health plans accessing their medical records. Only 28% of respondents were comfortable with their health data being shared for operations-related purposes, and only 23% said they were comfortable with government agencies accessing their health data for public health reasons.

One solution to the distrust issue is to share de-identified data – health data that has been stripped of all personal identifiers; however, only 64% of respondents said they were comfortable with deidentified data being shared for research purposes. 13% of individuals said they did not want their health data to be shared for research purposes even if the information contained no personal identifiers.

HIPAA gives patients the right to access their own medical records and 94% of individuals feel that is very or at least somewhat important. 88% of respondents said they had exercised that right and have accessed their medical records at least once in the past 12 months, with 48% saying they accessed their medical records in the past 3 months. While there have been many enforcement actions by the HHS’ Office for Civil Rights over failures to provide access to medical records, the survey suggests patients tend not to have problems accessing their health data. 72% of patients said accessing their records was extremely or somewhat easy, with only 4% of patients finding it extremely difficult.

“The results of this privacy report indicate the urgent need to build trust with patients. As we make progress in setting a universal floor for interoperability, patients must have confidence in the system for healthcare interoperability to work,” added Steve Yaskin, Co-Founder and Chief Executive Officer at Health Gorilla. “The majority of patients don’t believe that vendors are doing enough to protect their health data and have serious concerns about a potential breach of their medical records. Patients must serve as a prominent voice in our national dialogue on health data privacy. The actual solutions will come in many forms, but one thing is abundantly clear — it’s time to act.”

The post 95% of Patients are Worried About Medical Record Breaches appeared first on HIPAA Journal.

700,000 Highly Sensitive School Records Exposed Online

Posted by Steve Alder

Highly sensitive information on 682,438 teachers and students at independent schools has been left exposed to the Internet and could be accessed by anyone without a password. The exposed 572.8 GB database was discovered by security researcher Jeremiah Fowler who traced documents in the database to the Southern Association of Independent Schools, Inc (SAIS).

“In my many years as a security researcher, I have seen everything from millions of credit card numbers and health records to internal documents from organizations of all sizes. However, this discovery is among the most sensitive data collections I have ever encountered,” said Fowler. The database contained highly sensitive teacher and student records. Each student record included a photograph of the student, along with their home address, date of birth, age, Social Security number, and health information. Fowler said he discovered third-party security reports that included details of weaknesses in school security, the locations of cameras, access and entry points, active shooter and lockdown notifications, school maps, financial budgets, teacher background checks, and much more. Fowler quickly notified SAIS and the database was rapidly secured.

Fowler was unable to determine how long the database had been exposed and if it was accessed by unauthorized individuals. He said the database was a goldmine for criminals on many levels. The database was hosted in a cloud storage repository and had been mistakenly configured to be non-password protected. The database appeared to be on SAIS’s primary server, and the exposure did not appear to be due to a vendor configuration issue.

Harris Health Systems Confirms Breach of Almost 225,000 Patient Records

Harris County Hospital District, doing business as Harris Health System, has recently reported a data breach affecting 224,703 individuals. On June 2, 2023, Harris Health System was notified about a zero-day vulnerability in the MOVEit Transfer file transfer solution. The vulnerability was immediately addressed; however, the forensic investigation revealed hackers had exploited the vulnerability on May 28, 2023, and downloaded files from the system.

The review of the affected files revealed they contained information such as names, addresses, birth dates, Social Security numbers, medical record numbers, immigration status, driver’s license numbers/ other government-issued identification numbers, health insurance information, procedure information, treatment costs, diagnoses, medications, provider names, and dates of service.

Harris Health System said the vulnerability has been patched and additional steps have been taken to improve the security of its MOVEit server. Affected individuals were notified about the breach on July 21, 2023, and individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services.

New England Life Care Reports 51,854-Record Data Breach

New England Life Care in Portland, ME, says it detected a security breach on May 24, 2023, that disrupted its IT systems. The incident was rapidly contained a third-party cybersecurity firm was engaged to conduct a forensic investigation. The analysis confirmed that the exposed files contained patient data such as names, addresses, service/equipment information, and patient status (active/discharged).

The 51,854 affected individuals were notified by mail on July 21, 2023. New England Life Care said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.

Park Royal Hospital Discovers Unauthorized Email Account Access

Park Royal Hospital in Fort Myers, FL, has discovered unauthorized access to an employee email account. The security breach was detected on May 15, 2023, and the forensic investigation confirmed that the email account was compromised on May 8, 2023. The email account contained protected health information such as patient names, provider names, dates of treatment, and diagnosis and treatment information. The hospital said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

The incident is still being investigated and notification letters will be mailed when that process is completed. The breach has been reported to the HHS’ Office for Civil Rights as affecting at least 500 individuals.

Email Accounts Compromised at Unified Pain Management

Konen & Associates, doing business as Unified Pain Management in Texas, has recently notified the HHS’ Office for Civil Rights about an email account breach involving at least 500 records. Suspicious activity was detected within its corporate email accounts on March 21, 2023. Steps were immediately taken to prevent further unauthorized access and a third-party digital forensic firm was engaged to conduct an investigation; however, it was not possible to determine if any information within the email accounts had been accessed or downloaded.

The review of the emails confirmed that they contained information such as patient names, addresses, health insurance policy numbers, Social Security numbers, payment information, and health information such as treatment and diagnosis information.  Steps have been taken to improve email security and affected individuals have been offered credit monitoring and identity theft restoration services at no cost.

The post 700,000 Highly Sensitive School Records Exposed Online appeared first on HIPAA Journal.

Majority of Americans Mistakenly Believe Health App Data is Covered by HIPAA

Posted by Steve Alder

There is a common misconception that the Health Insurance Portability and Accountability Act (HIPAA) applies to health apps; however, the majority of health apps are not covered by HIPAA nor is the health information collected, stored, or transmitted by the apps.

HIPAA applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and vendors used by those entities, which are classed as business associates. While health apps may collect some of the exact same health data that is maintained by HIPAA-covered entities, the information collected by health apps is not subject to the same privacy and security standards. As such, health information collected by health apps may be transmitted to third parties, sold, or used for purposes that are not permitted under HIPAA.

According to a recent ClearDATA Harris Poll survey of 2,000 U.S. adults, 68% of respondents said they were very or somewhat familiar with HIPAA, yet 81% of respondents believed that the health data collected by digital health apps is covered by HIPAA and subject to its Privacy and Security Rules. As such, many users of health apps are likely to be unaware that any health data entered into the apps could be legally sold to third parties.

The survey also revealed health information privacy is not a key factor for Americans when choosing personal health apps. 58% of respondents that have used digital health apps said they had not considered how the information entered into those apps would be used. Health information privacy is also not a major concern when seeking healthcare services, with only 27% of respondents considering whether their data is secure when choosing a provider.

The main considerations are whether the provider accepts their insurance (68%), whether they can see a doctor face to face (49%), and if they can be treated quickly (41%). This was especially true with younger Americans, with 54% of respondents in that age range saying health data privacy is less important to them than convenience, compared to 69% of those over 65 who place greater value on privacy and security than convenience.

While HIPAA does not apply to most digital health apps, digital health companies are required to comply with Federal Trade Commission (FTC) Act and must issue notifications to consumers in the event of a breach of health data under the Health Breach Notification Rule. The FTC has only recently started enforcing the Health Breach Notification Rule, despite the rule being in effect for a decade, and its recent enforcement actions indicate digital health companies have been disclosing sensitive health data to third parties and have not been informing consumers.

The FTC recently published a notice of proposed rulemaking that seeks to clarify that the Health Breach Notification Rule applies to health apps and other similar direct-to-consumer technologies such as fitness trackers. “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

Representative Adam Schiff (D-CA), Seth Magaziner (D-RI), André Carson (D-IN), Sara Jacobs (D-CA), Greg Casar (D-TX), Kim Schrier, M.D. (D-WA) recently expressed their support for the proposed changes to strengthen the Health Breach Notification Rule given that the FTC’s recent enforcement actions uncovered disclosures of sensitive health information and deceptive business practices. “We agree with the assertion by FTC that apps that provide health services to users and have personal health records (PHR) qualify as vendors of personal health records and must be regulated as such,” wrote the congress members. “There is a need for much greater transparency when this data is mishandled, and the FTC rule will require these apps to notify individuals, the FTC, and in some cases the media of a breach of unsecured personally identifiable health information.,” They also expressed their support for the FTC’s requirement for health app providers to clearly explain the potential harm that could stem from data breaches and name the third parties that may have acquired unsecured personal health information.

The post Majority of Americans Mistakenly Believe Health App Data is Covered by HIPAA appeared first on HIPAA Journal.

VUMC Faces Lawsuit Over Disclosure of Medical Records of Transgender Patients to State AG

Posted by Steve Alder

Vanderbilt University Medical Center (VUMC) in Nashville, TN, has confirmed that the medical records of transgender patients have been provided to Tennessee Attorney General, Jonathan Skrmetti, in connection with an investigation of medical billing fraud.

According to AG Skrmetti’s Chief of Staff, Brandon Smith, the medical records were requested as part of an investigation into medical billing fraud focused on VUMC and related healthcare providers, rather than patients. The AG’s office has not explained the nature of the fraud investigation to ensure the integrity of the investigative process.

VUMC has provided gender-affirming care to minors since 2018 and typically performs around 5 surgeries a year. VUMC said all procedures, none of which were genital procedures, were performed on minors over 16 years of age with parental consent. On Tuesday this week, VUMC confirmed that it provided patient records to the state Attorney General after receiving two civil investigative demands (CIDs); a move that has resulted in considerable backlash from the LGBTQ+ community. “The Tennessee Attorney General has legal authority in an investigation to require that VUMC provide complete copies of patient medical records that are relevant to its investigation. VUMC was obligated to comply and did so,” said VUMC spokesperson, John Howser.

Concerns have been raised about the disclosures in light of the soon-to-be-introduced ban on gender-affirming care for minors in Tennessee. The state law is due to take effect on July 1, 2023, and will prevent doctors from providing gender-affirming care to individuals under the age of 18. The law has been challenged and while the ban was partially blocked, prohibiting surgical procedures on minors but allowing puberty blockers and hormone therapies to be prescribed, the 6th Circuit Court of Appeals lifted that block, reinstating the ban on all gender-affirming care for minors.

Since the VUMC announcement, several individuals have taken to social media platforms alleging the medical record disclosures violated HIPAA and patient privacy. HIPAA places restrictions on disclosures of medical records but permits disclosures in response to “an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law.” In such cases, the information provided must be relevant to the inquiry and if de-identified protected health information could not reasonably be provided. VUMC has not confirmed how many records were disclosed in response to the CIDs but said the records requested by the Attorney General dated back to 2018 and that the patients concerned had been enrolled in TennCare insurance plans. The individuals concerned were notified by VUMC that their records had been provided to the state Attorney General as part of a civil investigation.

HIPAA permits but does not require healthcare providers to disclose patient data and VUMC has been criticized for not making a stand, although refusing the request would only likely have delayed the disclosures. The affected patients are fearful that regardless of the outcome of the fraud investigation, the Attorney General’s office will still have a list of individuals who have received gender-affirming care. Brandon Smith expressed concern about the decision of VUMC to make the disclosures public knowledge, stating “We are surprised that VUMC has deliberately chosen to frighten its patients like this,” and claimed the VUMC investigation has been running since September 2022 and VUMC has been providing information pertinent to the investigation since December 2022.

The medical record disclosures have prompted a class action lawsuit by two of the affected patients who allege VUMC was aware that the state has been targeting the transgender community, yet still provided patient records to the Attorney General and violated the HIPAA Rules by doing so. The lawsuit claims VUMC disclosed the information of 106 individuals, including individuals “on the state employees’ health plan and their family members, and people who receive their health care through TennCare,” as well as the information of some individuals who were not VUMC Transgender Health Clinic patients. According to the lawsuit, an additional CID was issued for all communications between VUMC’s Dr. Melissa Ciperski and others working at Centerstone regarding or related to a potential gender dysphoria diagnosis of a person receiving mental health treatment at Centerstone.

The lawsuit, filed by the law firm Herzfeld, Suetholtz, Gastel, Leniski & Wall, and Abby Rubenfeld, takes issue with the amount of data provided, which included highly sensitive health information including photographs of genitalia, private communication with clinicians, sexual histories, and the identities of intimate partners, and the failure to provide de-identified information in response to the CIDs.

The post VUMC Faces Lawsuit Over Disclosure of Medical Records of Transgender Patients to State AG appeared first on HIPAA Journal.

What is a HIPAA Compliant Cloud Drive?

Posted by Steve Alder

There is no doubt that data storage in the cloud has many benefits for healthcare organizations; however, if electronic protected health information (ePHI) is to be stored in the cloud, it is necessary to use a HIPAA compliant cloud drive – a HIPAA compliant cloud storage solution from a cloud service provider (CSP).

HIPAA and Cloud Computing

The Health Insurance Portability and Accountability Act was enacted just as the use of virtual computers started to gain popularity in the 1990s; however, it was not until the early 2000s that cloud computing really took off, although healthcare organizations were slow to embrace the cloud. The situation is very different today. According to Market Data Forecast, in 2022 the healthcare cloud computing market was worth $5.22 billion and it is expected to reach $201.1 billion by 2032. 90% of healthcare organizations are already using cloud-based services or plan to use them by 2025.

Even though cloud computing services have now been widely adopted by healthcare organizations, there is no mention of cloud computing in the HIPAA text. HIPAA was written in a way to ensure that it is technology agnostic to ensure that when new technologies were introduced, the HIPAA Rules could be easily applied to those technologies. Cloud services can be used by HIPAA-regulated entities, as long as they are fully compliant with the HIPAA Privacy and Security Rules. Healthcare organizations that have yet to transition to the cloud may be unaware what a HIPAA compliant cloud drive is, how HIPAA compliant cloud storage differs from other cloud storage services, and how they can ensure HIPAA compliance in the cloud, all of which are explained below.

What is a HIPAA Compliant Cloud Drive?

Technically, there is no such thing as a HIPAA compliant cloud drive as no cloud server can be truly HIPAA compliant. HIPAA compliance depends on the actions of the people. Even if appropriate security is applied to secure ePHI in the cloud, if healthcare organizations misconfigure settings or do not implement appropriate access controls, ePHI could easily be exposed over the Internet, thus violating the HIPAA Rules.

That said, many CSPs offer HIPAA compliant cloud storage to HIPAA-regulated entities. What this means is the service they offer incorporates all of the necessary security controls to ensure the confidentiality, integrity, and availability of ePHI and prevent impermissible disclosures. Those controls apply to ePHI at rest (stored on cloud servers) and in motion to and from the cloud server or service. Access controls can be configured to restrict access to ePHI to ensure only authorized individuals can view, alter, or transmit data, and audit logs are maintained of successful and unsuccessful access attempts and any alterations to ePHI.

A HIPAA compliant cloud service provider will ensure that safeguards are incorporated into the platform to ensure that it can be used in a HIPAA-compliant way; however, it is up to each HIPAA-regulated entity to ensure that the controls are correctly configured and the service is used in a manner that is compliant with the HIPAA Privacy and Security Rules.

A Business Associate Agreement Must be Obtained from a Cloud Service Provider

If a HIPAA-regulated entity engages the services of any vendor to create, receive, maintain, or transmit ePHI on their behalf, that vendor is classed as a business associate under HIPAA. If cloud services are used in connection with any ePHI, including the processing and storage of ePHI in the cloud, the CSP is a business associate and has responsibilities under HIPAA, even if the CSP only stores encrypted ePHI and does not hold an encryption key for the data. Any subcontractors used by the CSP are also business associates of the CSP and must also comply with certain requirements of the HIPAA Rules.

HIPAA-regulated entities must obtain a HIPAA compliant business associate agreement from the CSP before any HIPAA-covered data is uploaded to the cloud, and a CSP must obtain a HIPAA compliant business associate agreement from any third-party vendor before allowing them access to a HIPAA-regulated entity’s environment. The CSP and any subcontractors used are contractually liable for meeting the terms of the business associate agreement and are directly liable for compliance with the applicable requirements of the HIPAA Rules. If a CSP is not prepared to sign a business associate agreement, their services must not be used in connection with any ePHI.

In addition to a business associate agreement (BAA), many covered entities address other requirements through a service-level agreement (SLA). The BAA outlines the responsibilities of the CSP with respect to HIPAA, while the SLA deals with technical aspects such as availability and reliability of the service, data backups and recovery, the security responsibilities of each party, and how any stored data will be returned when the service is no longer used.

HIPAA Compliant Cloud Storage Requires More than a BAA!

Covered entities must obtain a BAA prior to any cloud service being used in conjunction with ePHI, but having a BAA is not sufficient to avoid a penalty for noncompliance with HIPAA Rules. Before any cloud service is used, covered entities must conduct a comprehensive risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and must subject any identified risks to a risk management process to reduce them to a low and acceptable level. Policies and procedures must be developed and implemented covering the use of the cloud service, and training must be provided to the workforce on the HIPAA-compliant use of cloud services.

Access controls must be configured correctly to ensure that only authorized individuals are able to access cloud-stored data. Even though a HIPAA compliant cloud drive may meet the requirements of the HIPAA Security Rule, covered entities must ensure they are fully compliant with the requirements of the HIPAA Privacy Rule. Covered entities should apply single sign-on controls, use multifactor authentication, automatic logoff controls, and secure passwords, and procedures should be developed to ensure ePHI is available in emergencies.

Audit controls are required to ensure all activities in relation to ePHI are recorded. HIPAA-regulated entities are required to conduct regular checks of logs to monitor for unauthorized activity and regulators may require access to those logs in the event of an audit or compliance investigation. Any data stored in the cloud should be encrypted and covered entities must ensure data uploaded to the cloud is encrypted in transit. The encryption algorithms used should meet the standards of the National Institute of Standards and Technology (NIST).

What Cloud Storage is HIPAA Compliant?

Many CSPs offer HIPAA compliant cloud storage and file-sharing services and are willing to sign BAAs with HIPAA-regulated entities. Sync is one of the current market leaders and is used by many healthcare providers for storing files in the cloud and private and secure file sharing, including Mount Sinai Hospital, Doctorcare, Equalize Health, and the Canadian Red Cross. The platform allows mission-critical files to be accessed easily by authorized individuals from any computer, mobile device, or the web, no matter where care is provided. Sync signs business associates with HIPAA-regulated entities and supports HIPAA compliance, PIPEDA compliance for Canadian healthcare companies, GDPR compliance for European healthcare providers, and other privacy and security regulations. The platform integrates with Microsoft Office 365, Windows and macOS desktops, and mobile devices, and all data is protected with strong encryption, robust access controls, and state-of-the-art security.

Many cloud service providers offer a variety of plans to meet the needs of individuals and businesses; however, not all plans are covered by business associate agreements. For example, Sync offers a HIPAA compliant cloud drive and will sign a BAA, but only for the Sync Professional and Teams Plans. HIPAA-regulated entities must sign up for a Professional or Business Plan and obtain a signed BAA before the service is used.

Summary

While there is no mention of HIPAA cloud storage and cloud computing in the HIPAA text, healthcare organizations can engage the services of CSPs and use their platforms to reduce costs, improve productivity, and connect and communicate more easily, provided they use HIPAA-compliant cloud services and obtain a BAA from the CSP. You can find out more about HIPAA cloud storage from the HHS, which recently published guidance for HIPAA-regulated entities on HIPAA compliant data storage in the cloud and the use of other cloud services in connection with ePHI.

The post What is a HIPAA Compliant Cloud Drive? appeared first on HIPAA Journal.

IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million

Posted by Steve Alder

The 2023 IBM Security Cost of a Data Breach Report shows the average data breach cost has increased to $4.45 million ($165 per record), with data breaches in the United States being the costliest at an average of $9.48 million, up 0.4% from last year. Data breaches are the costliest that they have ever been and have increased by 15% since 2020. The data for this year’s report was collected by the Ponemon Institute and included breach data from 553 organizations in 16 countries with interviews conducted with thousands of individuals. All data breaches studied for the report occurred between March 2022 and March 2023.

For the 13th year in a row, healthcare data breaches were found to be the costliest, with the average cost increasing to $10.93 million, which is a 53.3% increase over the past 3 years and an 8.22% increase from the $10.10 average breach cost in 2022. Small organizations with fewer than 500 employees saw average data breach costs increase by 13.35% year-over-year to $3.31 million. There was a 21.4% increase in costs for mid-sized organizations (501-1,000 employees) to an average of $4.06 million, a 20% rise in costs for large organizations (1,001-5,000 employees) to $4.87 million, but a 1.8% decrease in costs for very large organizations (10,001–25,000 employees), which fell to an average of $5.46 million. The time to identify and contain a breach remained the same as in 2022 with the decrease in detection time cancelled out by an increase in containment time. In 2023, the average detection (204 days) and containment (73 days) time was 277 days.

The most common causes of data breaches were phishing attacks and compromised credentials, with phishing the initial access vector in 16% of data breaches and compromised credentials the vector in 15% of breaches. The average cost of a phishing attack was $4.76 million and an attack caused by stolen or compromised credentials cost an average of $4.62 million. The costliest breaches were caused by malicious insiders, with those incidents costing an average of $4.90 million per breach, although these breaches were relatively rare, accounting for 6% of the total. Breaches stemming from stolen or compromised credentials took the longest to identify and contain, taking 328 days compared to the average of 277 days.

Only one-third (33%) of data breaches were detected by the breached entity, with a benign third party such as law enforcement or a security researcher notifying the victim about the breach in 40% of cases, and the attacker notifying the breached entity about the attack in 27% of cases. Breaches where the attacker informed the victim cost around $1 million more than breaches that were detected by the victim ($5.23 million vs. $4.3 million). Data breaches that were disclosed by an attacker also had a much longer lifecycle (detection to containment), taking 320 days – 79 days longer than breaches that were identified by the victim.

Data breaches often occur in multiple locations such as on-premises as well as public and private clouds. IBM Security found attackers were able to breach multiple environments undetected, and when multiple environments were breached the costs soared. Multi-environment breaches cost an average of $750,000 more than data breaches in single environments and took 15 days longer to contain. Malicious attacks often rendered systems inoperable with destructive attacks accounting for 25% of all malicious attacks and ransomware accounting for 24% of attacks. Destructive attacks cost an average of $5.24 million and ransomware attacks cost an average of $5.13 million. 47% of ransomware victims chose to pay the ransom.

IBM Security was able to dispel a common myth – that involving law enforcement involvement in ransomware attacks increases the complexity and recovery time, when the reverse was found to be true. Ransomware attacks with law enforcement involvement took an average of 33 days less to contain than when law enforcement was not involved, and law enforcement involvement also shaved an average of $470,000 off the breach cost. Despite speeding up recovery and significantly reducing breach costs, 37% of ransomware victims did not seek help from law enforcement to contain a breach.

Law enforcement recommends not paying the ransom as there is no guarantee of a faster recovery and payment of a ransom encourages further attacks. IBM Security found that paying the ransom only resulted in minimal savings – a cost difference of $110,000 or $2.2%, although that does not include the ransom amount. Taking the ransom payment into consideration, many organizations ended up paying more than they would likely have spent had they chosen not to pay the ransom.

The biggest cost mitigators were the adoption of a DecSecOps approach (integrating security in the software development cycle), which saved almost $250,000 on average, employee training (-$233,000), incident response planning and testing (-$232,000), and AI and machine learning insights (-$225,000). AI and automation shaved an average of 108 days from identification and containment and attack surface management (ASM) solutions shaved an average of 83 days off of the response time. The biggest cost amplifiers were security systems complexity (+$241,000), security skills shortages (+$239,000), and non-compliance with regulations (+$219,000).

The report revealed 95% of organizations had suffered more than one breach and the costs of these breaches were passed onto consumers by 57% of organizations, with only 51% of organizations increasing security investments following a data breach.

The post IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million appeared first on HIPAA Journal.

OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies

Posted by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have written to 130 hospitals and telehealth providers warning them about the risks of using tracking technologies such as pixels on their websites and web apps which may disclose sensitive health information to third parties in violation of the HIPAA Rules and the FTC Act.

A study published in Health Affairs suggests 98.6% of US nonfederal acute care hospitals have used tracking technologies on their websites, and a 2022 analysis by The Markup found one-third of the top 100 hospitals in the United States were using tracking technologies on their websites that could collect individually identifiable information, including information about health conditions. Following these discoveries, several hospitals and health systems reported breaches of protected health information, some of which involved impermissible disclosures of millions of patient records.

A later study by The Markup found that the technologies were also widely used by telehealth companies. Even companies that are not required to comply with the HIPAA Rules have an obligation to protect personal health information against impermissible disclosure. The FTC has already taken action against entities that are not covered by HIPAA, such as GoodRx, BetterHelp, and Premom, over the use of these tracking technologies for alleged violations of the FTC Act and Health Breach Notification Rule.

In December 2022, OCR issued guidance to HIPAA-regulated entities on HIPAA and tracking technologies. While these tools can provide valuable insights for improving the services provided to patients, these technologies can collect and transmit information protected by HIPAA. Further, these technologies also permit the tracking of users even after they navigate away from the website or mobile app where the tracking technology is used. Any information transmitted to a third party may then be used for a purpose not permitted under the HIPAA Rules, and the collected information may be further disclosed to other third parties.

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

The letters were jointly sent by OCR and the FTC to 130 entities cautioning them about tracking technologies on websites and mobile apps that can potentially disclose sensitive health data. The organizations that were sent the letters are believed to have used or are using tracking technologies such as Pixel from Meta/Facebook and Google

Analytics code to collect and analyze user interactions on websites and web apps. The letters do not mean that an organization has been found to be in violation of violated HIPAA or the FTC Act nor does the failure to receive a letter mean that an organization is in the clear. All organizations that collect personal health information should review their websites and web apps to identify any tracking technologies and ensure they are fully compliant with all relevant laws. If tracking technologies are discovered to have been used on websites or apps that impermissibly disclosed personal health information or protected health information to third parties, then the breaches should be reported in accordance with the HIPAA Breach Notification Rule and FTC Health Breach Notification Rule.

“Both agencies are closely watching developments in this area,” explained the FTC and OCR in the letters. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

The post OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies appeared first on HIPAA Journal.

June 2023 Healthcare Data Breach Report

Posted by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal shows a 12% month-over-month reduction in the number of healthcare data breaches of 500 or more records. In June, HIPAA-regulated entities reported 66 breaches, and while this was an improvement on the 73 breaches reported in June 2022, the month’s total is still well above the 12-month average of 58 data breaches a month.

Healthcare Data Breaches Past 12 Months - June 2023

May was a particularly bad month for data breaches with more than 19 million individuals having their protected health information exposed or impermissibly disclosed, so while there was a 73.67% month-over-month reduction in breached records in June, the previous month’s total was unnaturally high. June’s total of 5,015,083 breached records was below the 12-month average of 6 million records a month and less than the 6,258,833 records breached in June 2022, but that is still more than 167,000 breached healthcare records a day – 17.6% more than the daily average in 2022.

Healthcare Records Breached in the past 12 months - June -2023

In H1 2023, 41,452,622 healthcare records were exposed or impermissibly disclosed. That’s just a few thousand records short of the total for all of 2019 and just 10 million below the total for all of 2022.

Largest Healthcare Data Breaches in June 2023

In June, 25 data breaches of 500 or more records were reported to OCR, all but two of which were hacking/IT incidents. The largest breach of the month by some distance was a ransomware attack and data theft incident at the biotech and diagnostics company, Enzo Clinical Labs (Enzo Biochem).  Murfreesboro Medical Clinic & SurgiCenter also suffered a major breach where sensitive data was stolen and a ransom demand was issued to prevent a data leak, as did Intellihartx. Intellihartx was one of several companies that had sensitive data stolen by the Cl0p ransomware group, which mass exploited a zero day vulnerability in Fortra’s GoAnywhere MFT file transfer solution in late January.

As the table below indicates, it is becoming increasingly common for HIPAA-regulated entities to only disclose limited information in their notification letters. Data breaches are often reported as “unauthorized individuals accessed the network and may have accessed or removed patient information,” even when data theft has been confirmed and the stolen data has been uploaded to the data leak sites of ransomware groups. The lack of information can make it difficult for victims of data breaches to assess the level of risk they face.

Healthcare Data Breaches of 10,000 or More Records

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
Enzo Clinical Labs, Inc. NY Healthcare Provider 2,470,000 Hacking/IT Incident Ransomware attack
Murfreesboro Medical Clinic & SurgiCenter TN Healthcare Provider 559,000 Hacking/IT Incident Cyberattack (extortion)
Intellihartx, LLC TN Business Associate 489,830 Hacking/IT Incident Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked
Advanced Medical Management, LLC MD Business Associate 319,485 Hacking/IT Incident Hacking of network designed/maintained by a business associate
Great Valley Cardiology PA Healthcare Provider 181,764 Hacking/IT Incident Cyberattack – Brute force attack involving data theft
Petaluma Health Center CA Healthcare Provider 124,862 Hacking/IT Incident Cyberattack – Details unknown
Imagine360 PA Business Associate 112,611 Unauthorized Access/Disclosure Cyberattack (extortion) – Fortra GoAnywhere MFT and Citrix file transfer solutions hacked
Kannact, Inc. OR Business Associate 103,547 Hacking/IT Incident Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked
Activate Healthcare LLC IL Healthcare Provider 93,761 Hacking/IT Incident Cyberattack with data theft confirmed
Desert Physicians Management CA Business Associate 56,556 Hacking/IT Incident Cyberattack with data theft confirmed
ARx Patient Solutions KS Healthcare Provider 41166 Unauthorized Access/Disclosure Compromised email account
Orrick, Herrington & Sutcliffe LLP CA Business Associate 40,823 Hacking/IT Incident Cyberattack – Details unknown
Tidewater Diagnostic Imaging, Ltd. MA Healthcare Provider 40,195 Hacking/IT Incident Hacking Incident – Details unknown
Peachtree Orthopaedic Clinic, P.A. GA Healthcare Provider 34,691 Hacking/IT Incident Cyberattack (extortion) by Karakurt threat group
Atlanta Women’s Health Group, P.C. GA Healthcare Provider 33,839 Hacking/IT Incident Cyberattack – Details unknown
Maimonides Medical Center NY Healthcare Provider 33,000 Hacking/IT Incident Cyberattack – Details unknown
Elgon Information Systems MA Business Associate 31,248 Hacking/IT Incident Hacking Incident – Details unknown
Community Research Foundation CA Healthcare Provider 30,057 Hacking/IT Incident Hacking Incident – Details unknown
Mount Desert Island Hospital, Inc. ME Healthcare Provider 24,180 Hacking/IT Incident Cyberattack – Details unknown
Mercy Medical Center – Clinton, Inc. IA Healthcare Provider 20,865 Hacking/IT Incident Ransomware attack
Ascension Seton TX Healthcare Provider 17,191 Hacking/IT Incident Hacking incident at business associate (Vertex)
John N. Evans, DPM MI Healthcare Provider 15,585 Hacking/IT Incident Hacking Incident – Details unknown
New Horizons Medical, Inc MA Healthcare Provider 12,317 Hacking/IT Incident Hacking Incident – Details unknown
CareNet Medical Group, PC NY Healthcare Provider 10,059 Hacking/IT Incident Cyberattack with data theft confirmed
Core Performance Physicians, dba Vincera Core Physicians PA Healthcare Provider 10,000 Hacking/IT Incident Ransomware attack affecting four Vincera companies (25,000 affected in total)

Causes of June 2023 Healthcare Data Breaches

Hacking incidents once again dominated the breach reports, accounting for more than 77% of the month’s data breaches and more than 96% of the month’s breached records. The average breach size was 94,480 records and the median breach size was 5,973 records. 4,818,457 records were exposed or compromised in hacking incidents. There were 14 unauthorized access/disclosure incidents reported, which cover a range of different incidents including unauthorized medical record access, unsecured paper records, mismailing incidents, and misdirected emails. Across those incidents, 196,026 records were impermissibly accessed or disclosed. The average breach size was 14,002 records and the median breach size was 2,567 records. There was one incident involving the improper disposal of 600 paper records and no reported loss or theft incidents.

Causes of June 2023 healthcare data breaches

As the chart below shows the most common location of breached protected health information was network servers, with email accounts the second most common location of breached data.

location of breached information in June 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data from the OCR breach portal shows data breaches by reporting entity; however, that does not mean that is where the breach occurred. When data breaches occur at business associates, the business associate may report the breach, or the covered entities affected, or a combination of the two. The raw data shows 44 breaches at healthcare providers, 12 at business associates, and 10 at health plans.

The charts below are based on adjusted figures and show where the data breach occurred rather than the entity reporting the breach as this better reflects the number of data breaches that occurred at business associates of HIPAA-regulated entities.

June 2023 healthcare data breaches - covered entity type

Records breached at hipaa-regulated entities in June 2023

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 31 states in June 2023. Pennsylvania was the worst affected state, with 11 data breaches reported. The high total is partly due to 6 of the breaches relating to two incidents that were reported separately for each company affected. Even taking this into account, Pennsylvania was the worst affected state.

State Breaches
Pennsylvania 11
California 5
Massachusetts, New York & Texas 4
Arizona & Minnesota 3
Florida, Georgia, Maryland, Michigan, North Carolina, Ohio, Tennessee & Utah 2
Alabama, Delaware, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Maine, Mississippi, Montana, New Jersey, Oklahoma, Oregon, South Carolina & Virginia 1

HIPAA Enforcement Activity in June 2023

The Office for Civil Rights announced three enforcement actions in June to resolve potential violations of the HIPAA Rules. Yakima Valley Memorial Hospital was investigated by OCR after a report was received about a HIPAA breach involving 23 security guards who had been accessing patient records without authorization. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. The case was settled and the hospital agreed to pay a $240,000 penalty.

Manasa Health Center was investigated after complaints were filed with OCR about impermissible disclosures of PHI in response to negative online reviews left by four patients. The case was settled with OCR and Manasa Health Center agreed to pay a $30,000 penalty. This was OCR’s third enforcement action in the past year to see a financial penalty for disclosures of PHI in response to negative patient reviews. No company likes to receive bad reviews and negative customer comments may be unjustified, but PHI must never be disclosed online in response to reviews.

iHealth Solutions, which does business as Advantum Health, was investigated over a relatively small data breach involving the exposure of the ePHI of 267 patients. Patient information was stored on a server that had not been properly secured, allowing protected health information to be accessed over the Internet. OCR determined that iHealth Solutions had failed to conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was settled and iHealth Solutions agreed to pay a $75,000 penalty.

OCR has now imposed 8 financial penalties on HIPAA-regulated entities so far this year to resolve alleged violations of the HIPAA Rules with the penalties totaling $1,976,500. OCR has already exceeded last year’s total of $1,124,640 in fines that were collected from HIPAA-regulated entities in 17 enforcement actions.

State attorneys general can also impose financial penalties for HIPAA violations, although the fines are often imposed for equivalent violations of state laws, as was the case in California in June. In 2019, Kaiser Permanente sent mailings to its plan members, but an error resulted in letters being sent to old addresses, resulting in an impermissible disclosure of members’ protected health information. While this was a HIPAA violation, California imposed a financial penalty for violations of the California Confidentiality of Medical Information Act (CMIA) – an impermissible disclosure of the personal information of up to 175,000 individuals and the negligent maintenance and/or disposal of medical information. The case was settled for $450,000.

The post June 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

HHS Criticized Over Proposed Reproductive Health Care HIPAA Privacy Rule Update

Posted by Steve Alder

Lawmakers and state Attorneys General have written to the U.S. Department of Health and Human Services Secretary, Xavier Becerra, criticizing the proposed update to the HIPAA Privacy Rule that seeks to improve reproductive health information privacy.

Lawmakers Criticize HIPAA Privacy Rule Change for Not Going Far Enough to Protect Patient Privacy

In response to the proposed changes, Senators Ron Wyden (D-Ore.), Patty Murray (D-Wash.), and Rep. Sara Jacobs (D-CA) wrote to the HHS Secretary calling for the HHS to take further steps to protect the privacy of Americans, and not only apply the proposed changes to reproductive health information but all categories of protected health information (PHI).

The proposed HIPAA Privacy Rule changes, if enacted, will improve protections for certain categories of PHI but the lawmakers claim the changes do not go far enough and there is a need to expand the protections to cover all PHI and ensure it has the same protections as the contents of phone calls, emails, text messages, and geolocation data “to protect Americans from warrantless government surveillance.”

“Americans should be able to trust that the information they share in confidence with their doctors when seeking care will receive the highest protections under the law, regardless of the specific medical issue,” wrote the lawmakers. They explain that while the HIPAA Privacy Rule does not force healthcare professionals to testify about their patients’ medical conditions, under the current HIPAA regulations, medical records can be subpoenaed by law enforcement agencies who do not need to show probable cause of crime and there is no oversight from an independent judge. “The ability of law enforcement agencies to subpoena these records undermines patients’ legal protections, particularly in an era of digital health records, where every patient interaction is carefully documented.”

The lawmakers request the HHS update the proposed Privacy Rule change to require law enforcement agencies to obtain a warrant before forcing doctors, pharmacists, and other healthcare providers to turn over their patients’ records. Instead of the current text of the HIPAA Privacy Rule – 64.512(f)(1)(ii) – permitting law enforcement to obtain PHI with a subpoena, administrative request, or a court order, the Privacy Rule should prohibit such disclosures unless there is a search warrant, issued by a judge, upon a finding of probable cause of a crime.

Further, in cases when medical records are disclosed after a search warrant is served, law enforcement should be prohibited from disclosing the records to other law enforcement agencies, unless the disclosures are related to the investigation of the same alleged crime. They also call for the law to be updated to ensure that individuals are notified about any disclosure of their PHI to law enforcement agencies. The lawmakers claim such a change would be consistent with the protections afforded to other sensitive data under federal law and the Fourth Amendment to the Constitution.

The lawmakers believe that the proposed changes are not sufficient to prevent rogue state Attorneys General from attempting to obtain the private health records of Americans, including, but not limited to, the records of individuals seeking a legal abortion or medical assistance with gender transition. Such healthcare decisions need to be taken by each individual whereas certain state Attorneys General believe those decisions are everyone’s business.

The letter was signed by Sens. Bernard Sanders, Tammy Baldwin, Peter Welch, Tammy Duckworth, Sherrod Brown, Chris Van Hollen, Elizabeth Warren, Edward J. Markey, Martin Heinrich, Mazie K. Hirono, Alex Padilla, John Fetterman, Debbie Stabenow, Raphael Warnock, Maria Cantwell, Kirsten Gillibrand, Cory A. Booker, Pramila Jayapal, Ted W. Lieu, James P. McGovern, Madeleine Dean, and Delia C. Ramirez and Congress members, Barbera Lee, Anna G. Eshoo, Josh Gottheimer, Adam B. Schiff, Nikema Williams, Raúl M. Grijalva, Veronica Escobar, Eleanor Holmes Norton, Earl Blumenauer, Jasmine Crockett, Rashida Tlaib, Ro Khanna, Ilhan Omar, David J. Trone, Andrea Salinas, Henry C. Johnson Jr., Val Hoyle, Nydia M. Velázquez, Suzanne Bonamici, Zoe Lofgren, Mikie Sherill and Becca Balint.

19 State Attorneys General Claim Reproductive Health Information Privacy Rule Change is Unlawful

While some lawmakers feel the Biden Administration’s plans do not go far enough to protect the privacy of Americans, others are challenging the attempt to change the HIPAA Privacy Rule to prevent disclosures of reproductive health information to law enforcement and claim the proposed changes will prevent the enforcement of state laws and will hamper investigations of women who seek illegal abortions. Tennessee Attorney General, Jonathan Skemetti, said, “The HHS does not have authority to change the law in contradiction of the statute passed by Congress,” in a letter to the HHS Secretary challenging the proposed HIPAA Privacy Rule change. The letter was signed by 18 other state Attorneys General from Alabama, Alaska, Arkansas, Georgia, Idaho, Indiana, Kentucky, Louisiana, Missouri, Montana, Nebraska, North Dakota, Ohio, South Carolina, South Dakota, Texas, & Utah.

They argue that the decision of the Supreme Court to remove the Federal right to abortion and put the matter into the hands of individual states allowed states to introduce laws prohibiting or restricting abortions, but updating federal HIPAA law to prevent disclosures of reproductive health information would essentially make it difficult, if not impossible, to enforce state laws. States such as Tennessee that have introduced a ban on abortions for state residents would not be permitted to obtain information on state residents that travel out of state to circumvent state laws and have abortion procedures.

In the letter, Attorney General Skemetti claims the Biden Administration is pushing a false narrative that states are looking to treat pregnant women as criminals and punish healthcare professionals that provide lifesaving care. “Based on this lie, the Administration has sought to wrest control over abortion back from the people in defiance of the Constitution and Dobbs. The proposed rule here continues that effort,” said Skemetti, who claims the proposed HIPAA update is unlawful and does not serve any legitimate need, and “is a solution in search of a problem.”

The broad definition of “reproductive healthcare” in the proposed rule which includes information “related to reproductive organs, regardless of whether the health care is related to an individual’s pregnancy or whether the individual is of reproductive age,” means there is the potential for the proposed rule to interfere with the ability of state authorities to investigate child abuse cases and other serious crimes. Skemetti also expressed concern that the proposed rule would also obstruct state laws concerning experimental gender-transition procedures for minors and help to further the Biden Administration’s “radical transgender policy goals.”

Attorney General Skemetti points out that for more than 20 years the Federal HIPAA laws have helped to protect the privacy of Americans and ensure their health data remains private and confidential; however, HIPAA permits disclosure of health information to law enforcement and state authorities to protect public health, safety, and welfare, and the proposed change will prevent states from performing that important duty.  The Attorneys General have called for the proposed HHS rule change to be withdrawn as it is unlawful and exceeds the HHS’s statutory authority.

The post HHS Criticized Over Proposed Reproductive Health Care HIPAA Privacy Rule Update appeared first on HIPAA Journal.