Healthcare Data Privacy

Study Suggests Improper Disposal of PHI is Commonplace

A recent study (published in JAMA) has highlighted just how frequently hospitals are disposing of PHI in an insecure manner. While the study was conducted in Canada, which is not covered by HIPAA, the results highlight an important area of PHI security that is often overlooked.

Improper Disposal of PHI is More Common than Previously Thought

Researchers at St. Michael’s Hospital in Toronto checked recycled paperwork at five teaching hospitals in Canada. Each of the five hospitals had policies covering the secure disposal of documents containing PHI and separate recycling bins were provided for general paperwork and documents containing sensitive information. The latter were shredded before disposal.

Despite the document disposal policies, paperwork containing personally identifiable information (PII) and personal health information (PHI) were often incorrectly placed in the bins. The researchers identified 2,867 documents containing PII and 1,885 items containing personally identifiable health information in the standard recycling bins. 1,042 documents contained high sensitivity PII, 843 items contained PII with medium sensitivity, and 802 contained low sensitivity data.

821 items included clinical notes, summaries, and medical reports, there were 385 discarded labels with patient identifiers clearly visible, 345 billing forms, 340 diagnostic test results, and 317 requests and communications containing personally identifiable information.

The study shows that even with policies in place covering the proper disposal of paper records, sensitive information is still regularly disposed of in an insecure manner.

Improper Disposal of PHI in the United States

In February, 23% of the month’s healthcare data breaches involved paper/film records. Those breaches impacted 121,607 individuals. In January 33% of the month’s data breaches involved paper/film records. Those breaches impacted 13,513 individuals.

Overall, between January 1, 2010 and December 31, 2017, there have been 514 healthcare data breaches involving 500 or more paper records. Those breaches have impacted 3,393,240 individuals.

Breaches of Physical PHI

Patients Impacted by Breaches of Physical PHI

Improper Disposal of Paper/Films and ePHI

Patients Impacted by Improper Disposal of all Forms of PHI

Many privacy incidents involving paper records only impact a few patients and are not made public, so it is difficult to determine exactly how many incidents have occurred and how many patients have been impacted, although the Canadian study suggests these types of breaches are incredibly common.

To prevent these types of privacy breaches, HIPAA covered entities should carefully review their policies, procedures and physical safeguards for PHI and strengthen controls as appropriate.

The post Study Suggests Improper Disposal of PHI is Commonplace appeared first on HIPAA Journal.

South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill

South Dakota has been slow to introduce legislation to improve protections for consumers affected by breaches of their personal information. Laws have already been introduced in 48 states that require individuals and companies that store personal information to issue notifications to breach victims when that information is compromised.

Last week, South Dakota residents were given similar protections to those in place in neighboring states. On March 21, 2018, South Dakota attorney general Marty Jackley issued a statement confirming SB 62 had been signed by Governor Daugaard and will take effect on July 1, 2018.

The bipartisan bill requires entities that experience a breach of personal information to issue notifications to affected state residents within 60 days of discovery of the breach – The same time frame as HIPAA.

Personal information is classed as the full name or first initial and last name of a state resident in combination with either a government ID number, Social Security number, driver’s license number, credit/debit card number (with an associated code that allows the card to be used), employment ID number (with authentication information), and health information (the same definition as HIPAA 45 CFR 160.103). A notification must also be issued to the state attorney general if the breach impacts more than 250 state residents, also within 60 days of discovery of the breach.

In contrast to many states, there is a risk of harm exception in the South Dakota data breach notification law. If a breached entity “reasonably determines that the breach will not likely result in harm to the affected person,” notifications do not need to be issued.

Delaying breach notifications could attract a fine up to $10,000 per day plus state attorneys’ fees, with a fine of $10,000 possible for each violation.

Now that the South Dakota data breach notification law has been enacted, Alabama is the only state that has not yet introduced state-level data breach notification regulations. That is likely to change soon as data breach legislation is currently under consideration by the House of Representatives following the unanimous passing of the Alabama Data Breach Notification Act of 2018 by the Alabama Senate earlier this month.

State Attorneys General Oppose Federal Data Breach Notification Regulations

Just as the patchwork of data breach notification regulations approaches completion, federal regulations are being considered that could see those state level laws rendered obsolete. A discussion draft of the Data Acquisition and Technology Accountability and Security Act was issued in February, which if signed into law, would apply to “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”

The Data Acquisition and Technology Accountability and Security Act would require security safeguards to be implemented to protect personal information stored by any entity included in the above definition. Data breach notifications would need to be issued if, following a risk assessment, the breached entity determines there is a “reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss to the consumers to whom the personal information involved in the incident relates.” The notifications would need to be issued without unreasonable delay.

The discussion draft of the bill has attracted criticism from state attorneys general who have already enacted their own laws to protect residents in their respective states. A bipartisan group of 32 (20 Democrats / 12 Republicans) state attorneys general, led by Illinois attorney general Lisa Madigan, sent a joint letter to the House Financial Services Committee on March 19 opposing the Data Acquisition and Technology Accountability and Security Act.

The proposed Data Acquisition and Technology Accountability and Security Act preempts state regulations and appears to place credit reporting agencies such as Equifax outside the scope of state regulation. While the above definition of entities appears to be comprehensive, a notable exception is any entity covered by the Gramm-Leach-Bliley Act – Namely financial institutions and credit reporting agencies.

Further, the proposed bill would see protections for consumers lessened in most states, since the breach reporting requirements in the Data Acquisition and Technology Accountability and Security Act are far less stringent. Not only does the DATAS Act allow a breached entity to determine the level of risk to consumers – and whether data breach notifications are required – breached entities would have much longer to issue notifications. Those notifications could even be issued after consumers have experienced identity theft and fraud due to a breach of their personal information.

The post South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill appeared first on HIPAA Journal.

HIPAA Rules on Contingency Planning

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame.

A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order.

Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters.

Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and addressed.

What are the HIPAA Rules on Contingency Planning?

HIPAA Rules on contingency planning are concerned with ensuring healthcare organizations return to normal operations as quickly as possible and the confidentiality, integrity, and availability of PHI is safeguarded.

HIPAA Rules on contingency planning can be found in the Security Rule administrative safeguards -45 CFR § 164.308(a)(7)(ii)(A-E).

  • Develop and Implement a Data Backup Plan – 308(a)(7)(ii)(A)
  • Develop a Disaster Recovery Plan – 308(a)(7)(ii)(B)
  • Develop and Emergency Mode Operation Plan – 308(a)(7)(ii)(C)
  • Develop and Implement Procedures for Testing and Revision of Contingency Plans – 308(a)(7)(ii)(D)
  • Perform an Application and Data Criticality Analysis – 308(a)(7)(ii)(E)

A data backup plan ensures that when disaster strikes, PHI is not lost or destroyed. A viable copy of all ePHI must be created that allows exact copies of ePHI to be restored, which includes all forms of ePHI such as medical records, diagnostic images, test results, case management information, and accounting systems.  It is a good best practice to adopt a 3-2-1 approach for backups: Create three copies of data, store them on at least two different media, and have one copy stored securely offsite. Backups must also be tested to ensure the recovery of data is possible.

A disaster recovery plan should establish the procedures that must be followed to restore access to data, including how files should be restored from backups. A copy of the plan should be readily available and stored in more than one location.

The emergency mode operation plan must ensure critical business processes continue to maintain the security of ePHI when operating in emergency mode, for example when there is a technical failure or power outage.

All elements of the contingency plan must be regularly tested and revised as necessary. OCR recommends conducting scenario-based walkthroughs and live tests of the complete plan.

Covered entities should “assess the relative criticality of specific applications and data in support of other contingency plan components.” All software applications that are used to store, maintain, or transmit ePHI must be assessed to determine the level of criticality to business functions as it will be necessary to prioritize each when data is restored.

Summary of Key Elements of Contingency Planning

OCR has provided a summary of the key elements of contingency planning:

  • The primary goal is to maintain critical operations and minimize loss.
  • Define time periods – What must be done during the first hour, day, or week?
  • Establish Plan Activation – What event(s) will cause the activation of the contingency plan?  Who has the authority to activate the contingency plan?
  • Ensure the contingency plan can be understood by all types of employees.
  • Communicate and share the plan and roles and responsibilities with the organization.
  • Establish a testing schedule for the plan to identify gaps.
  • Ensure updates for plan effectiveness and increase organizational awareness.
  • Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.

The post HIPAA Rules on Contingency Planning appeared first on HIPAA Journal.

ATI Physical Therapy Data Breach Impacts 35,000 Patients

ATI Physical Therapy has discovered the protected health information of more than 35,000 patients has potentially been accessed after threat actors gained access to the email accounts of some of its employees.

A security breach was identified on January 18, 2018 when ATI Physical Therapy discovered the direct deposit information of some of its employees had been changed in its payroll platform. Prompt action was taken to protect its employees and external forensic investigators were called in to determine the full extent and scope of the breach.

The investigation revealed the email accounts of certain employees had been compromised and were accessed by unauthorized individuals between January 9 and January 12, 2018. An analysis of the emails in the accounts revealed they contained the protected health information of tens of thousands of patients.

The types of information potentially compromised varied per impacted individual, but may have included names, dates of birth, credit/debit card numbers, driver’s license numbers, state ID numbers, Social Security numbers, Medicare/Medicaid information, health insurance information, billing/claims information, medical record numbers, patient ID numbers, financial account numbers, disability codes, diagnoses, treatment information, prescription information, and physicians’ and therapists’ names.

ATI Physical Therapy reports that only a small number of patients had their Social Security numbers exposed.

Patients impacted by the phishing incident have now been notified by mail and have been offered credit monitoring services without charge. Patients will also be protected by a $1 million identity theft insurance policy. No evidence of misuse of information has been uncovered by ATI Physical Therapy of the forensic investigators.

ATI Physical Therapy’s investigation into the breach is ongoing and steps have been taken to strengthen email security to prevent future breaches and employees have been provided with training to help them identify phishing emails.

The Department of Health and Human Services’ Office for Civil Rights breach report indicates 35,136 patients have potentially have their protected health information accessed.

The post ATI Physical Therapy Data Breach Impacts 35,000 Patients appeared first on HIPAA Journal.

Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack

According to a financial report issued by Banner Health, OCR is investigating the colossal 2016 Banner Health data breach which saw the protected health information of 3.7 million patients exposed. The breach involved Banner Health facilities at 27 locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada, and Wyoming and resulted in the exposure of highly sensitive protected health information including names, dates of birth, Social Security numbers, and health insurance information.

The attackers gained access to the payment processing system used in its food and beverage outlets with a view to obtaining credit card numbers. However, once access to the network was gained, they also accessed servers containing PHI.

Banner Health reports that it has cooperated with OCR’s investigation into the breach and has supplied information as requested. However, OCR was not satisfied with its response and the evidence supplied on its HIPAA compliance efforts. Specifically, OCR was not satisfied with the documentation supplied to demonstrate “past security assessment activities” with its responses rated as “inadequate”.

Banner Health has respond and provided additional evidence of its security efforts but “negative findings” are anticipated. Banner Health suspects a financial penalty may be pursued by OCR, although it is not known how much the penalty is likely to be.

The Department of Health and Human Services’ Office for Civil Rights investigates all data breaches over 500 records. OCR can issue fines of up to $1.5 million per violation category, per year. HIPAA violations that have been allowed to persist over several years, and cases where there have been multiple violations of HIPAA Rules, can see multi-million-dollar financial penalties pursued. Fines have been issued of $25,000, although there have also been settlements in excess of $4 million dollars.

Based on previous HIPAA settlements, a breach of this magnitude is likely to see a fine toward the upper end of the spectrum.

In addition to a potential fine from OCR for non-compliance with HIPAA Rules, nine lawsuits were filed by plaintiffs affected by the 2016 data breach which have since been consolidated into a single class action lawsuit.

While many data breach lawsuits have been dismissed for lack of standing, this lawsuit appears to be going the distance. The plaintiffs have already demonstrated impending injury as a result of the exposure and theft of their health information.

Banner Health holds an insurance policy against cyberattacks although the extent of insurance coverage is not known. Banner Health is vigorously defending the lawsuit, but should its efforts fail, the health system believes a substantial proportion of the legal costs and any settlement will be covered by its cyber risk insurance policy.

The post Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack appeared first on HIPAA Journal.

Jail Terms for HIPAA Violations by Employees

The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information.

HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft.

This month there have been two notable cases of HIPAA violations by employees, one of which has resulted in a fine and imprisonment, with the other likely to result in a longer spell in prison when sentencing takes place in June.

Jail Term for Former Transformations Autism Treatment Center Employee

In February, a former Behavioral Analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination.

Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and downloaded the PHI of 300 current and former patients onto his personal computer.

Approximately one month after Luke was terminated, TACT discovered patient information had been remotely accessed and downloaded. An investigation was launched and law enforcement was notified, with the latter alerting the FBI. Luke was identified as the perpetrator from his IP address, with the search of his residence uncovering a computer containing stolen electronic patient records and TACT forms and templates.

Luke’s access rights to Google Drive had been terminated by TACT in accordance with HIPAA Rules; however, after termination, Luke had gained access to a shared Google Drive account and authorized access from his personal Gmail account.

It is unclear exactly how that was achieved after his access rights were terminated. Court documents say Luke hacked the account and law enforcement found evidence Luke had researched how to gain access to the data.

Law enforcement discovered this was not the first time Luke had stolen data from an employer. His computer also contained patient data from another former employer – Somerville, TN-based Behavioral and Counseling Services.

Luke pleaded guilty to the charges and was sentenced to 30 days in jail and 3 years of supervised release. Luke was also ordered to pay $14,941.36 in restitution.

This case sends a message to healthcare employees considering stealing healthcare data to sell, use, or pass on to a new employer, that data theft carries stiff penalties. While Luke will only serve 30 days in jail, he will have a criminal record which will hamper future employment.

Healthcare organizations should also take precautions to minimize the opportunity for ex-employees to access PHI remotely after they have left employment. When an employment contract ends, or an employee is terminated, access to all systems must be blocked and passwords should be changed on any shared accounts.

Nursing Home Employee Pleads Guilty to Theft of Credit Card Numbers

A former employee at a nursing home in St. Louis County, MO has pleaded guilty to the theft of credit card numbers.

Shaniece Borney, 29, of St. Louis County, was employed at a NHC Health Care nursing home between 2016 and 2017. Borney abused her access to the computer system and stole the credit card details of patients. The credit card details were used to make purchases for herself and family members.

Borney faces up to 10 years in jail and could be fined up to $250,000 and will be required to pay restitution to the victims of the fraud. Borney will be sentenced on June 21, 2018.

The post Jail Terms for HIPAA Violations by Employees appeared first on HIPAA Journal.

Insider Data Breaches Continue to Plague the Healthcare Industry

Protenus has published its February Healthcare Breach Barometer Report. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media in February 2018.

The report, compiled from data collected from databreaches.net, indicates at least 348,889 healthcare records were confirmed as breached in February, although that figure will be considerably higher as the number of people affected by 11 breaches is not yet known. There were 39 security breaches involving protected health information in February – a slight rise from the 37 breaches reported in January, although the number of records exposed was down from January’s total of 473,807 records.

Insider breaches continue to pose problems for healthcare providers with 16/39 incidents (41%) involving insiders. Those incidents resulted in the exposure/theft of 51% of all records confirmed as having been exposed or stolen in February. Protenus notes that 94% of insider breaches were the result of errors by healthcare employees, with only one confirmed breach involving insider wrongdoing.

Hacking accounted for 33% of data breaches and resulted in the exposure of 46% of the records exposed in February, although the number of people affected by five hacking incidents is not yet known. Out of the hacking/IT incidents, four were confirmed as involving malware or ransomware, including the largest breach of the month – the 135,000-record breach at St. Peter’s Surgery & Endoscopy Center in New York. There were two incidents confirmed as involving phishing. Theft/loss incidents accounted for 13% of all breaches and the cause of 13% of breaches is currently unknown.

Healthcare providers reported 23 breaches, health plans reported eight incidents, business associates reported four incidents, and businesses/other vendors reported four breaches. The breach reports submitted to the Office for Civil Rights only suggest two business associate breaches occurred, although the Protenus report has revealed there were 11 incidents with some business associate/vendor involvement.

Protenus notes that it took an average of 325 days from the date of the breach to the incident being discovered with a median detection time of 34 days. The average was high due to one insider breach taking more than four years to discover. The average time from discovery to reporting was 68 days with a median of 59 days. Six organizations reported the breaches later than the 60-day maximum time frame allowed by HIPAA.

California was the worst affected by healthcare data breaches in February with six incidents followed by Wisconsin and Georgia on three. Healthcare data breaches were reported by organizations in 22 states and Puerto Rico in February.

Protenus notes that while the number of people affected by healthcare data breaches fell to a four year low in 2017, the number of data breaches has not reduced. Healthcare data breaches are still occurring at a rate of more than one per day.

The post Insider Data Breaches Continue to Plague the Healthcare Industry appeared first on HIPAA Journal.

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website.

The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR.

Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published.

There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches is now hacking/IT incidents, with unauthorized access/disclosures also commonplace.

Healthcare Data Breaches by Year

Between 2009 and 2017 there have been 2,181 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 176,709,305 healthcare records.  That equates to more than 50% of the population of the United States (54.25%). Healthcare data breaches are now being reported at a rate of more than one per day.

Healthcare data breaches 2019-2017

Healthcare Records Exposed by Year

While there has been a general upward trend in the number of records exposed each year, there was a massive improvement in 2017 – the best year since 2012 in terms of the number of records exposed. However, while breaches were smaller in 2017, it was a record breaking year in terms of the number of healthcare data breaches reported – 359 incidents.

Records Exposed in Healthcare data breaches

Average/Median Healthcare Data Breach Size by Year

Average Size of Healthcare Data Breaches

 

Median Size of Healthcare Data Breaches

 

Largest Healthcare Data Breaches (2009-2017)

Rank Year Entity Entity Type Records Exposed/Stolen Cause of Breach
1 2015 Anthem, Inc. Affiliated Covered Entity Health Plan 78800000 Hacking/IT Incident
2 2015 Premera Blue Cross Health Plan 11000000 Hacking/IT Incident
3 2015 Excellus Health Plan, Inc. Health Plan 10000000 Hacking/IT Incident
4 2011 Science Applications International Corporation Business Associate 4900000 Loss
5 2014 Community Health Systems Professional Services Corporation Business Associate 4500000 Theft
6 2015 University of California, Los Angeles Health Healthcare Provider 4500000 Hacking/IT Incident
7 2013 Advocate Medical Group Healthcare Provider 4029530 Theft
8 2015 Medical Informatics Engineering Business Associate 3900000 Hacking/IT Incident
9 2016 Banner Health Healthcare Provider 3620000 Hacking/IT Incident
10 2016 Newkirk Products, Inc. Business Associate 3466120 Hacking/IT Incident
11 2016 21st Century Oncology Healthcare Provider 2213597 Hacking/IT Incident
12 2014 Xerox State Healthcare, LLC Business Associate 2000000 Unauthorized Access/Disclosure
13 2011 IBM Business Associate 1900000 Unknown
14 2011 GRM Information Management Services Business Associate 1700000 Theft
15 2010 AvMed, Inc. Health Plan 1220000 Theft
16 2015 CareFirst BlueCross BlueShield Health Plan 1100000 Hacking/IT Incident
17 2014 Montana Department of Public Health & Human Services Health Plan 1062509 Hacking/IT Incident
18 2011 The Nemours Foundation Healthcare Provider 1055489 Loss
19 2010 BlueCross BlueShield of Tennessee, Inc. Health Plan 1023209 Theft
20 2011 Sutter Medical Foundation Healthcare Provider 943434 Theft

Healthcare Hacking Incidents by Year

Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although healthcare organizations are now much better at detecting breaches when they do occur. The low hacking/IT incidents in the earlier years is likely to be due, in part, to the failure to detected hacking incidents and malware infections quickly. Many of the hacking incidents in 2014-2017 occurred many months, and in come cases years, before they were detected.

Healthcare Data Breaches - Hacking

 

Records Exposed in Healthcare Data Breaches - Hacking

Unauthorized Access/Disclosures by Year

As with hacking, healthcare organizations are getting better at detecting internal breaches and also reporting those breaches to the Office for Civil Rights. While hacking is the main cause of breaches, unauthorized access/disclosure incidents are in close second.

Healthcare Data Breaches - unauthorized access/disclosures

 

records exposed in authorized access/disclosures

Loss/Theft of PHI and Unencrypted ePHI by Year

Our healthcare data breach statistics show HIPAA covered entities and business associates have got significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public.

healthcare theft/loss data breaches

 

records exposed by healthcare theft/loss data breaches

Improper Disposal of PHI/ePHI by Year

healthcare data breaches - improper disposal incidents

 

records exposed in healthcare improper disposal incidents

 

Breaches by Entity Type

Year Provider Health Plan Business Associate Other Total
2009 14 1 3 0 18
2010 134 21 44 0 199
2011 137 20 42 1 200
2012 155 22 36 4 217
2013 199 18 56 5 278
2014 202 71 41 0 314
2015 196 62 11 0 269
2016 257 51 19 0 327
2017 288 52 19 0 359
Total 1582 318 271 10 2181

OCR Settlements and Fines for HIPAA Violations

The penalties for HIPAA violations can be severe with multi-million-dollar fines possible when violations have been allowed to persist for several years or when multiple violations of HIPAA Rules have been allowed to occur.

The penalty structure for HIPAA violations is detailed in the infographic below:

Penalty Structure for HIPAA Violations

OCR Settlements and Fines Over the Years

The data for the healthcare data breach statistics on fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines issued by OCR between 2008 and 2018. As the graph below shows, there has been a steady increase in HIPAA enforcement over the past 9 years.

HIPAA Fines and Settlements 2008-2017

 

How Much Has OCR Fined HIPAA Covered Entities and Business Associates?

In addition to an increase in fines and settlements, the level of fines has increased substantially. Multi-million-dollar fines for HIPAA violations are now the norm.

HIPAA Fine and Settlement Amounts 2008-2017

 

average HIPAA Fines and Settlements 2008-2017

 

Median HIPAA Fines and Settlements 2008-2017

As the graphs above show, there has been a sizable increase in both the number of settlements and civil monetary penalties and the fine amounts in recent years. OCR’s budget has been cut so there are fewer resources to put into pursuing financial penalties in HIPAA violation cases. 2018 is likely to see fewer fines for HIPAA covered entities than the past two years, although settlement amounts are likely to remain high and even increase in 2018.OCR Director Roger Severino has indicated financial penalties are most likely to be pursued for particularly egregious HIPAA violations.

State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations

State attorneys general can issue fines ranging from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.

Even when action is taken by state attorneys general over potential HIPAA violations, healthcare organizations are typically fined for violations of state laws. Only a handful of U.S. states have issued fines solely for HIPAA violations

Some of the major fines issued by state attorneys general for HIPAA violations and violations of state laws are listed below.

 

Year State Covered Entity Amount Individuals affected Settlement/CMP Reason
2018 NY EmblemHealth $575,000 81,122 Settlement Mailing error
2018 NY Aetna $1,150,000 12,000 Settlement Mailing error
2017 CA Cottage Health System $2,000,000 More than 54,000 Settlement Failure to adequately protect medical records
2017 MA Multi-State Billing Services $100,000 2,600 Settlement Theft of unencrypted laptop containing PHI
2017 NJ Horizon Healthcare Services Inc., $1,100,000 3.7 million Settlement Loss of unencrypted laptop computers
2017 VT SAManage USA, Inc. $264,000 660 Settlement Spreadsheet indexed by search engines and PHI viewable
2017 NY CoPilot Provider Support Services, Inc $130,000 221,178 Settlement Delayed breach notification
2015 NY University of Rochester Medical Center $15,000 3,403 Settlement List of patients provided to nurse who took it to a new employer
2015 CT Hartford Hospital/ EMC Corporation $90,000 8,883 Settlement Theft of unencrypted laptop containing PHI
2014 MA Women & Infants Hospital of Rhode Island $150,000 12,000 Settlement Loss of backup tapes containing PHI
2014 MA Boston Children’s Hospital $40,000 2,159 Settlement Loss of laptop containing PHI
2014 MA Beth Israel Deaconess Medical Center $100,000 3,796 Settlement Loss of laptop containing PHI
2013 MA Goldthwait Associates $140,000 67,000 Settlement Improper disposal
2012 MN Accretive Health $2,500,000 24,000 Settlement Mishandling of PHI
2012 MA South Shore Hospital $750,000 800,000 Settlement Loss of backup tapes containing PHI
2011 VT Health Net Inc. $55,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications
2011 IN WellPoint Inc. $100,000 32,000 Settlement Failure to report breach in a reasonable timeframe
2010 CT Health Net Inc. $250,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications

The post Healthcare Data Breach Statistics appeared first on HIPAA Journal.

Analysis of February 2018 Healthcare Data Breaches

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018.

Summary of February 2018 Healthcare Data Breaches

February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches.

Healthcare Data Breaches by Month

While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed.

Records exposed in Healthcare Data Breaches

Largest Healthcare Data Breaches of February 2018

The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below.

Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of PHI
St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134,512 Hacking/IT Incident Network Server
Tufts Associated Health Maintenance Organization, Inc. Health Plan 70,320 Unauthorized Access/Disclosure Paper/Films
Triple-S Advantage, Inc. Health Plan 36,305 Unauthorized Access/Disclosure Paper/Films
CarePlus Health Plan Health Plan 11,248 Unauthorized Access/Disclosure Paper/Films
Union Lake Supermarket, LLC Healthcare Provider 9,956 Improper Disposal Other Portable Electronic Device

The top five data breaches were responsible for 85% of all exposed healthcare records in February. The largest data breach – a malware-related incident at St. Peter’s Surgery & Endoscopy Center – accounted for 43.6% of the exposed healthcare records in February.

Main Causes of February 2018 Healthcare Data Breaches

Unauthorized access/disclosures topped the list of the main causes of healthcare data breaches in February 2018 with 12 incidents and included three of the most serious breaches. Hacking incidents were in close second with 9 breaches, followed by three loss/theft incidents and one case of improper disposal of ePHI.

Causes of February 2018 Healthcare Data Breaches

Records Exposed by Breach Type

Hacking/IT incidents were the second biggest cause of healthcare data breaches in February, but the incidents resulted in the exposure/theft of the largest amount of healthcare data.

Records Exposed by Breach Type

Location of Breached Records

Overall, there were more breaches involving electronic health data than physical records, although breaches involving paper/films were the most numerous with 6 incidents. The breach reports show that while technological controls are essential to prevent hacks and unauthorized access/disclosures of electronic records, physical security is important for paper records and administrative safeguards are necessary to prevent unauthorized access. All six of the breaches involving paper/films were unauthorized access/disclosures.

Location of breached healthcare records (February 2018)

Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in February with 15 incidents (reported by 14 healthcare providers). There were three breaches reported by pharmacies in February. 8 data breaches were reported by 7 health plans and two security incidents were reported by business associates.

Data Breaches by Covered Entity (February 2018)

Healthcare provider breaches exposed the most health records in February. 168,732 records were exposed by healthcare providers. The mean breach size was 11,248 records and the median breach size was 1,670 records.

Health plans experienced fewer breaches, but the incidents were more severe. 133,580 records were exposed by health plans. The mean breach size was 16,698 records and the median breach size was 6,075 records. The mean and median breach size for business associate data breaches was 3,234 records.

Records exposed by covered entity (February 2018)

February 2018 Healthcare Data Breaches by State

Healthcare organizations based in 18 states reported data breaches in February 2018. There were six states that experienced 2 data breaches– Alabama, California, Massachusetts, Mississippi, Rhode Island, and Wisconsin.

Arkansas, Connecticut, Illinois, Kentucky, Maine, Michigan, Missouri, North Carolina, New Jersey, New York, Tennessee, and Virginia each had one data breach reported.

Financial Penalties for HIPAA Covered Entities in February 2018

The Office for Civil Rights settled one HIPAA violation case in February. Filefax Inc, agreed to settle potential HIPAA violations with OCR for $100,000. The financial penalty sent a message to HIPAA-covered entities and their business associates that HIPAA responsibilities do not end when a business ceases trading. The fine relates to HIPAA violations that occurred after the business closed – the improper disposal of paperwork containing protected health information.

The post Analysis of February 2018 Healthcare Data Breaches appeared first on HIPAA Journal.