Healthcare Data Privacy

June 2023 Healthcare Data Breach Report

The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal shows a 12% month-over-month reduction in the number of healthcare data breaches of 500 or more records. In June, HIPAA-regulated entities reported 66 breaches, and while this was an improvement on the 73 breaches reported in June 2022, the month’s total is still well above the 12-month average of 58 data breaches a month.

[Chart: Healthcare data breaches, past 12 months (June 2023)]

May was a particularly bad month for data breaches with more than 19 million individuals having their protected health information exposed or impermissibly disclosed, so while there was a 73.67% month-over-month reduction in breached records in June, the previous month’s total was unnaturally high. June’s total of 5,015,083 breached records was below the 12-month average of 6 million records a month and less than the 6,258,833 records breached in June 2022, but that is still more than 167,000 breached healthcare records a day – 17.6% more than the daily average in 2022.

[Chart: Healthcare records breached in the past 12 months (June 2023)]

In H1 2023, 41,452,622 healthcare records were exposed or impermissibly disclosed. That’s just a few thousand records short of the total for all of 2019 and just 10 million below the total for all of 2022.

Largest Healthcare Data Breaches in June 2023

In June, 25 data breaches of 10,000 or more records were reported to OCR, all but two of which were hacking/IT incidents. The largest breach of the month by some distance was a ransomware attack and data theft incident at the biotech and diagnostics company, Enzo Clinical Labs (Enzo Biochem). Murfreesboro Medical Clinic & SurgiCenter also suffered a major breach where sensitive data was stolen and a ransom demand was issued to prevent a data leak, as did Intellihartx. Intellihartx was one of several companies that had sensitive data stolen by the Cl0p ransomware group, which mass-exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution in late January.

As the table below indicates, it is becoming increasingly common for HIPAA-regulated entities to only disclose limited information in their notification letters. Data breaches are often reported as “unauthorized individuals accessed the network and may have accessed or removed patient information,” even when data theft has been confirmed and the stolen data has been uploaded to the data leak sites of ransomware groups. The lack of information can make it difficult for victims of data breaches to assess the level of risk they face.

Healthcare Data Breaches of 10,000 or More Records

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| Enzo Clinical Labs, Inc. | NY | Healthcare Provider | 2,470,000 | Hacking/IT Incident | Ransomware attack |
| Murfreesboro Medical Clinic & SurgiCenter | TN | Healthcare Provider | 559,000 | Hacking/IT Incident | Cyberattack (extortion) |
| Intellihartx, LLC | TN | Business Associate | 489,830 | Hacking/IT Incident | Cyberattack (extortion) – Fortra GoAnywhere MFT solution hacked |
| Advanced Medical Management, LLC | MD | Business Associate | 319,485 | Hacking/IT Incident | Hacking of network designed/maintained by a business associate |
| Great Valley Cardiology | PA | Healthcare Provider | 181,764 | Hacking/IT Incident | Cyberattack – Brute force attack involving data theft |
| Petaluma Health Center | CA | Healthcare Provider | 124,862 | Hacking/IT Incident | Cyberattack – Details unknown |
| Imagine360 | PA | Business Associate | 112,611 | Unauthorized Access/Disclosure | Cyberattack (extortion) – Fortra GoAnywhere MFT and Citrix file transfer solutions hacked |
| Kannact, Inc. | OR | Business Associate | 103,547 | Hacking/IT Incident | Cyberattack (extortion) – Fortra GoAnywhere MFT solution hacked |
| Activate Healthcare LLC | IL | Healthcare Provider | 93,761 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| Desert Physicians Management | CA | Business Associate | 56,556 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| ARx Patient Solutions | KS | Healthcare Provider | 41,166 | Unauthorized Access/Disclosure | Compromised email account |
| Orrick, Herrington & Sutcliffe LLP | CA | Business Associate | 40,823 | Hacking/IT Incident | Cyberattack – Details unknown |
| Tidewater Diagnostic Imaging, Ltd. | MA | Healthcare Provider | 40,195 | Hacking/IT Incident | Hacking incident – Details unknown |
| Peachtree Orthopaedic Clinic, P.A. | GA | Healthcare Provider | 34,691 | Hacking/IT Incident | Cyberattack (extortion) by Karakurt threat group |
| Atlanta Women’s Health Group, P.C. | GA | Healthcare Provider | 33,839 | Hacking/IT Incident | Cyberattack – Details unknown |
| Maimonides Medical Center | NY | Healthcare Provider | 33,000 | Hacking/IT Incident | Cyberattack – Details unknown |
| Elgon Information Systems | MA | Business Associate | 31,248 | Hacking/IT Incident | Hacking incident – Details unknown |
| Community Research Foundation | CA | Healthcare Provider | 30,057 | Hacking/IT Incident | Hacking incident – Details unknown |
| Mount Desert Island Hospital, Inc. | ME | Healthcare Provider | 24,180 | Hacking/IT Incident | Cyberattack – Details unknown |
| Mercy Medical Center – Clinton, Inc. | IA | Healthcare Provider | 20,865 | Hacking/IT Incident | Ransomware attack |
| Ascension Seton | TX | Healthcare Provider | 17,191 | Hacking/IT Incident | Hacking incident at business associate (Vertex) |
| John N. Evans, DPM | MI | Healthcare Provider | 15,585 | Hacking/IT Incident | Hacking incident – Details unknown |
| New Horizons Medical, Inc | MA | Healthcare Provider | 12,317 | Hacking/IT Incident | Hacking incident – Details unknown |
| CareNet Medical Group, PC | NY | Healthcare Provider | 10,059 | Hacking/IT Incident | Cyberattack with data theft confirmed |
| Core Performance Physicians, dba Vincera Core Physicians | PA | Healthcare Provider | 10,000 | Hacking/IT Incident | Ransomware attack affecting four Vincera companies (25,000 affected in total) |

Causes of June 2023 Healthcare Data Breaches

Hacking incidents once again dominated the breach reports, accounting for more than 77% of the month’s data breaches and more than 96% of the month’s breached records. The average breach size was 94,480 records and the median breach size was 5,973 records. 4,818,457 records were exposed or compromised in hacking incidents. There were 14 unauthorized access/disclosure incidents reported, which cover a range of different incidents including unauthorized medical record access, unsecured paper records, mismailing incidents, and misdirected emails. Across those incidents, 196,026 records were impermissibly accessed or disclosed. The average breach size was 14,002 records and the median breach size was 2,567 records. There was one incident involving the improper disposal of 600 paper records and no reported loss or theft incidents.

[Chart: Causes of June 2023 healthcare data breaches]

As the chart below shows, the most common location of breached protected health information was network servers, with email accounts the second most common location of breached data.

[Chart: Location of breached information in June 2023 healthcare data breaches]

Where Did the Breaches Occur?

The raw data from the OCR breach portal shows data breaches by reporting entity; however, that does not mean that is where the breach occurred. When data breaches occur at business associates, the business associate may report the breach, or the covered entities affected, or a combination of the two. The raw data shows 44 breaches at healthcare providers, 12 at business associates, and 10 at health plans.

The charts below are based on adjusted figures and show where the data breach occurred rather than the entity reporting the breach as this better reflects the number of data breaches that occurred at business associates of HIPAA-regulated entities.

[Chart: June 2023 healthcare data breaches by covered entity type]

[Chart: Records breached at HIPAA-regulated entities in June 2023]

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 31 states in June 2023. Pennsylvania was the worst affected state, with 11 data breaches reported. The high total is partly due to 6 of the breaches relating to two incidents that were reported separately for each company affected. Even taking this into account, Pennsylvania was the worst affected state.

| State | Breaches |
|---|---|
| Pennsylvania | 11 |
| California | 5 |
| Massachusetts, New York & Texas | 4 |
| Arizona & Minnesota | 3 |
| Florida, Georgia, Maryland, Michigan, North Carolina, Ohio, Tennessee & Utah | 2 |
| Alabama, Delaware, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Maine, Mississippi, Montana, New Jersey, Oklahoma, Oregon, South Carolina & Virginia | 1 |

HIPAA Enforcement Activity in June 2023

The Office for Civil Rights announced three enforcement actions in June to resolve potential violations of the HIPAA Rules. Yakima Valley Memorial Hospital was investigated by OCR after a report was received about a HIPAA breach involving 23 security guards who had been accessing patient records without authorization. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. The case was settled and the hospital agreed to pay a $240,000 penalty.

Manasa Health Center was investigated after complaints were filed with OCR about impermissible disclosures of PHI in response to negative online reviews left by four patients. The case was settled with OCR and Manasa Health Center agreed to pay a $30,000 penalty. This was OCR’s third enforcement action in the past year to see a financial penalty for disclosures of PHI in response to negative patient reviews. No company likes to receive bad reviews and negative customer comments may be unjustified, but PHI must never be disclosed online in response to reviews.

iHealth Solutions, which does business as Advantum Health, was investigated over a relatively small data breach involving the exposure of the ePHI of 267 patients. Patient information was stored on a server that had not been properly secured, allowing protected health information to be accessed over the Internet. OCR determined that iHealth Solutions had failed to conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was settled and iHealth Solutions agreed to pay a $75,000 penalty.

OCR has now imposed 8 financial penalties on HIPAA-regulated entities so far this year to resolve alleged violations of the HIPAA Rules with the penalties totaling $1,976,500. OCR has already exceeded last year’s total of $1,124,640 in fines that were collected from HIPAA-regulated entities in 17 enforcement actions.

State attorneys general can also impose financial penalties for HIPAA violations, although the fines are often imposed for equivalent violations of state laws, as was the case in California in June. In 2019, Kaiser Permanente sent mailings to its plan members, but an error resulted in letters being sent to old addresses, resulting in an impermissible disclosure of members’ protected health information. While this was a HIPAA violation, California imposed a financial penalty for violations of the California Confidentiality of Medical Information Act (CMIA) – an impermissible disclosure of the personal information of up to 175,000 individuals and the negligent maintenance and/or disposal of medical information. The case was settled for $450,000.

The post June 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

HHS Criticized Over Proposed Reproductive Health Care HIPAA Privacy Rule Update

Lawmakers and state Attorneys General have written to the U.S. Department of Health and Human Services Secretary, Xavier Becerra, criticizing the proposed update to the HIPAA Privacy Rule that seeks to improve reproductive health information privacy.

Lawmakers Criticize HIPAA Privacy Rule Change for Not Going Far Enough to Protect Patient Privacy

In response to the proposed changes, Senators Ron Wyden (D-Ore.), Patty Murray (D-Wash.), and Rep. Sara Jacobs (D-CA) wrote to the HHS Secretary calling for the HHS to take further steps to protect the privacy of Americans, and not only apply the proposed changes to reproductive health information but all categories of protected health information (PHI).

The proposed HIPAA Privacy Rule changes, if enacted, will improve protections for certain categories of PHI but the lawmakers claim the changes do not go far enough and there is a need to expand the protections to cover all PHI and ensure it has the same protections as the contents of phone calls, emails, text messages, and geolocation data “to protect Americans from warrantless government surveillance.”

“Americans should be able to trust that the information they share in confidence with their doctors when seeking care will receive the highest protections under the law, regardless of the specific medical issue,” wrote the lawmakers. They explain that while the HIPAA Privacy Rule does not force healthcare professionals to testify about their patients’ medical conditions, under the current HIPAA regulations, medical records can be subpoenaed by law enforcement agencies who do not need to show probable cause of crime and there is no oversight from an independent judge. “The ability of law enforcement agencies to subpoena these records undermines patients’ legal protections, particularly in an era of digital health records, where every patient interaction is carefully documented.”

The lawmakers request the HHS update the proposed Privacy Rule change to require law enforcement agencies to obtain a warrant before forcing doctors, pharmacists, and other healthcare providers to turn over their patients’ records. Instead of the current text of the HIPAA Privacy Rule – 64.512(f)(1)(ii) – permitting law enforcement to obtain PHI with a subpoena, administrative request, or a court order, the Privacy Rule should prohibit such disclosures unless there is a search warrant, issued by a judge, upon a finding of probable cause of a crime.

Further, in cases when medical records are disclosed after a search warrant is served, law enforcement should be prohibited from disclosing the records to other law enforcement agencies, unless the disclosures are related to the investigation of the same alleged crime. They also call for the law to be updated to ensure that individuals are notified about any disclosure of their PHI to law enforcement agencies. The lawmakers claim such a change would be consistent with the protections afforded to other sensitive data under federal law and the Fourth Amendment to the Constitution.

The lawmakers believe that the proposed changes are not sufficient to prevent rogue state Attorneys General from attempting to obtain the private health records of Americans, including, but not limited to, the records of individuals seeking a legal abortion or medical assistance with gender transition. Such healthcare decisions need to be taken by each individual whereas certain state Attorneys General believe those decisions are everyone’s business.

The letter was signed by Sens. Bernard Sanders, Tammy Baldwin, Peter Welch, Tammy Duckworth, Sherrod Brown, Chris Van Hollen, Elizabeth Warren, Edward J. Markey, Martin Heinrich, Mazie K. Hirono, Alex Padilla, John Fetterman, Debbie Stabenow, Raphael Warnock, Maria Cantwell, Kirsten Gillibrand, Cory A. Booker, Pramila Jayapal, Ted W. Lieu, James P. McGovern, Madeleine Dean, and Delia C. Ramirez, and Congress members Barbara Lee, Anna G. Eshoo, Josh Gottheimer, Adam B. Schiff, Nikema Williams, Raúl M. Grijalva, Veronica Escobar, Eleanor Holmes Norton, Earl Blumenauer, Jasmine Crockett, Rashida Tlaib, Ro Khanna, Ilhan Omar, David J. Trone, Andrea Salinas, Henry C. Johnson Jr., Val Hoyle, Nydia M. Velázquez, Suzanne Bonamici, Zoe Lofgren, Mikie Sherrill and Becca Balint.

19 State Attorneys General Claim Reproductive Health Information Privacy Rule Change is Unlawful

While some lawmakers feel the Biden Administration’s plans do not go far enough to protect the privacy of Americans, others are challenging the attempt to change the HIPAA Privacy Rule to prevent disclosures of reproductive health information to law enforcement, claiming the proposed changes will prevent the enforcement of state laws and will hamper investigations of women who seek illegal abortions. Tennessee Attorney General Jonathan Skrmetti said, “The HHS does not have authority to change the law in contradiction of the statute passed by Congress,” in a letter to the HHS Secretary challenging the proposed HIPAA Privacy Rule change. The letter was signed by 18 other state Attorneys General from Alabama, Alaska, Arkansas, Georgia, Idaho, Indiana, Kentucky, Louisiana, Missouri, Montana, Nebraska, North Dakota, Ohio, South Carolina, South Dakota, Texas, & Utah.

They argue that the decision of the Supreme Court to remove the Federal right to abortion and put the matter into the hands of individual states allowed states to introduce laws prohibiting or restricting abortions, but updating federal HIPAA law to prevent disclosures of reproductive health information would essentially make it difficult, if not impossible, to enforce state laws. States such as Tennessee that have introduced a ban on abortions for state residents would not be permitted to obtain information on state residents that travel out of state to circumvent state laws and have abortion procedures.

In the letter, Attorney General Skrmetti claims the Biden Administration is pushing a false narrative that states are looking to treat pregnant women as criminals and punish healthcare professionals that provide lifesaving care. “Based on this lie, the Administration has sought to wrest control over abortion back from the people in defiance of the Constitution and Dobbs. The proposed rule here continues that effort,” said Skrmetti, who claims the proposed HIPAA update is unlawful and does not serve any legitimate need, and “is a solution in search of a problem.”

The broad definition of “reproductive healthcare” in the proposed rule, which includes information “related to reproductive organs, regardless of whether the health care is related to an individual’s pregnancy or whether the individual is of reproductive age,” means there is the potential for the proposed rule to interfere with the ability of state authorities to investigate child abuse cases and other serious crimes. Skrmetti also expressed concern that the proposed rule would obstruct state laws concerning experimental gender-transition procedures for minors and help to further the Biden Administration’s “radical transgender policy goals.”

Attorney General Skrmetti points out that for more than 20 years the Federal HIPAA laws have helped to protect the privacy of Americans and ensure their health data remains private and confidential; however, HIPAA permits disclosure of health information to law enforcement and state authorities to protect public health, safety, and welfare, and the proposed change will prevent states from performing that important duty. The Attorneys General have called for the proposed HHS rule change to be withdrawn as it is unlawful and exceeds the HHS’s statutory authority.


HIPAA Compliance Guidelines

We have compiled these HIPAA Compliance Guidelines because HIPAA rules and regulations can be very confusing for healthcare professionals tasked with ensuring HIPAA compliance at their organization.


HIPAA Guidelines: Seven Elements For Effective Compliance

In 2011, HHS published “The Seven Fundamental Elements Of An Effective Compliance Program”. We have slightly amended it to be more relevant to HIPAA compliance in 2023. Here is a summary of the elements, which we outline in more detail below:

  1. Develop policies and procedures so that day-to-day activities comply with the Privacy Rule.
  2. Designate a Privacy Officer and a Security Officer.
  3. Implement effective training programs.
  4. Ensure channels of communication exist to report violations, and breaches.
  5. Monitor compliance at floor level so poor compliance practices can be nipped in the bud.
  6. Enforce sanctions policies fairly and equally.
  7. Respond promptly to identified or reported violations, and breaches.

You can also read more about the background and history of the Seven Elements here, although this is not necessary.

Next, we go over each element in more detail.

Element 1: Why Privacy Rule Policies and Procedures?

Although HIPAA compliance consists of complying with all relevant Administrative Simplification Regulations, implementing Security Rule and Breach Notification standards is generally an organizational process not connected with cultivating a culture of compliance. Additionally, the most common HIPAA violations are attributable to failures to comply with the Privacy Rule.

However, it is no longer sufficient to develop policies and procedures that only address permissible uses and disclosures, the minimum necessary standard, and patients’ rights. Covered Entities should ensure Privacy Rule policies and procedures include how to explain to patients what PHI is (and what it isn’t), how to verify an individual’s identity, and how to record requests for privacy protections.

Element 2: The Roles of HIPAA Compliance Officers

It is interesting that the HHS’ Office of Inspector General placed this “tip” in second place after the development of policies and procedures. This would imply the roles of HIPAA compliance officers are to train members of the workforce, monitor compliance, and enforce the organization’s sanctions policy. However, there is quite a lot more involved in being a compliance officer.

In most cases, the HIPAA Privacy Officer will be the point of contact for members of the public and members of the workforce that want to report privacy concerns. Security Officers are generally more responsible for conducting risk assessments, ensuring security solutions are configured properly, and training members of the workforce on how to use the solutions compliantly.

Element 3: What Makes an Effective Training Program?

The effectiveness of the training provided to members of the workforce can make the difference between ticking the box of compliance or cultivating a culture of compliance. To make Privacy Rule training effective, members of the workforce must understand what PHI is, why it has to be protected, and the consequences to patients, employers, and themselves of HIPAA violations.

Security Rule training must be even more focused on the consequences of taking shortcuts, circumventing safeguards, and failing to alert managers of a data breach for fear of “getting into trouble”. One way of achieving this is to ask members of the workforce to run personal online credentials through the HIBP (Have I Been Pwned) database to illustrate the importance of unique, complex passwords.

Element 4: The Importance of Two-Way Communication

While policy making and training have to come from the top down, it is important that any channels of communication relating to HIPAA compliance are also bottom up – not only to raise compliance concerns or report HIPAA violations, but also to provide feedback on what works and what doesn’t on the ground floor, and what new challenges are facing frontline members of the workforce.

This is why it can be important – when resources allow – to have a compliance team consisting of team members that have worked in or have knowledge of how different departments operate. For example, a compliance team consisting solely of lawyers and IT managers may not appreciate the difficulty of protecting the privacy of PHI in front of a grieving family mourning a recent loss.

Element 5: How Most Poor Compliance Practices Develop

Most poor compliance practices result from well-meaning intentions – for example, to “get the job done” or provide a good service to a patient’s family. When minor violations are allowed to continue, poor compliance practices can develop into a culture of non-compliance. This is why it is important to identify and address poor compliance practices at the earliest opportunity.

While it is important to have eyes on compliance at floor level, it is also important not to take eyes off compliance at higher levels. Busy managers and senior managers can also be guilty of taking shortcuts with compliance or ignoring non-compliant activities because they do not have the time to “sort it out” – when, in truth, the failure to take action is a failure of management.

Element 6: The Best Sanctions are Not Always Disciplinary

Sanctions policies can often be overwhelming documents threatening all manner of disciplinary actions for non-compliance from warnings to suspensions, to termination of contract and loss of license. Some even include the maximum federal penalties for violations of §1177 of the Social Security Act (up to ten years in prison and up to $250,000 in fines).

Although these sanctions may have to legally be included in a sanctions policy, making them the focus of attention is not necessarily the best way to cultivate a culture of compliance. The threat of additional training is often sufficient to create and maintain a compliant workforce – especially if whole teams have to attend refresher training due to the non-compliance of an individual!

Element 7: Responding Quickly is the Key to Compliance

One of the keys to cultivating a culture of compliance is to respond to queries, issues, complaints, reports of violations, and data breaches as quickly as possible. Responding quickly to any type of communication demonstrates a commitment to compliance and an eagerness to ensure – once a compliant workforce is achieved – the compliant state is maintained.

Responding to queries, issues, complaints, etc. would ordinarily be the responsibility of compliance officers (or teams), but this can lead to the compliance officers being overwhelmed. Consequently, it may be necessary for managers and senior managers to take some responsibility for monitoring compliance and responding to workforce or patient communications.


HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle potential HIPAA violations with the HIPAA business associate, iHealth Solutions, LLC, for $75,000.

iHealth Solutions, doing business as Advantum Health, failed to secure one of its servers, which was accessed by an unauthorized individual who exfiltrated files that contained the electronic protected health information (ePHI) of 267 individuals. The HIPAA enforcement action shows that even relatively small data breaches can be investigated by OCR and result in a financial penalty. The last three penalties imposed by OCR to resolve HIPAA violations were all related to data breaches that affected fewer than 500 individuals.

Like many HIPAA-regulated entities that have been investigated by OCR after reporting data breaches, iHealth Solutions was discovered to have failed to comply with one of the most fundamental provisions of the HIPAA Rules – the risk analysis. All HIPAA-regulated entities must conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. §164.502(a).

OCR was notified about the data breach on August 22, 2017, and was informed that the ePHI of 267 individuals had been exfiltrated from the unsecured server. The fine was imposed for the impermissible disclosure of ePHI and the risk analysis failure.

In addition to the financial penalty, iHealth Solutions has agreed to implement a corrective action plan which includes the requirement to conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of iHealth’s ePHI, develop a risk management plan to address and mitigate all security risks identified in the risk analysis, develop a process to evaluate any environmental or operational changes that affect the security of iHealth ePHI, and develop, maintain, and revise, as necessary, written policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules. OCR will monitor iHealth Solutions for two years to ensure compliance with the HIPAA Rules.

“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”

This is the 7th OCR enforcement action of 2023 to result in a financial penalty, and the third enforcement action to be announced by OCR this month. So far this year, OCR has fined HIPAA-regulated entities a total of $1,976,500 to resolve violations of the HIPAA Rules. See HIPAA Violation Fines.


Nevada Consumer Health Data Bill Signed into Law

The governor of Nevada recently signed a new consumer health data privacy bill into law that strengthens consumer health data privacy and gives Nevada residents new rights over their health data. Senate Bill (SB) 370 was modeled on Washington’s recently enacted “My Health, My Data” (MHMD) bill, although it is less comprehensive in scope. The new law applies to entities that conduct business in Nevada or produce or provide products or services that are targeted at consumers in Nevada and, either alone or with others, determine the purpose and means of processing, sharing, or selling consumer health data. Exceptions include law enforcement agencies and their contractors, and entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).

The new law applies to consumer health data, which is defined as personally identifiable information that is linked to or reasonably capable of being linked to a consumer that a regulated entity uses to identify the past, present, or future health status of a consumer, but excludes information for certain research purposes, public health purposes, FERPA-covered data, and health data collected and shared as authorized by other state or federal laws, and certain other purposes.

Consumer health data includes information about any health condition or status, disease, or diagnosis; social psychological, behavioral, or medical intervention; surgeries or health-related procedures; use or acquisition of medication; bodily functions, vital signs, or symptoms; reproductive or sexual health care; gender-affirming care; biometric/genetic data; precise geolocation information and health information derived or inferred from non-health data.

The new law gives consumers new rights over their health information, including the right to confirm if a covered business is collecting, sharing, or selling their health data, obtain a list of all third parties that their health data has been sold to or shared with, the right to stop a business from processing, sharing, or selling their health data, and the right to have their health data deleted. In the case of the latter, covered businesses have to delete data and notify affiliates, processors, and contractors of the deletion request within 30 days. Responses to consumer requests are required without undue delay and no later than 45 days after the request is authenticated.

Covered businesses must obtain affirmative, voluntary consent for the collection and sharing of consumer health data and obtain written, signed authorization before the sale of consumer health data is permitted. Covered businesses are required to maintain a consumer health data privacy policy, restrict access to consumer health data to employees and processors that need access to the data, maintain reasonable security practices, and establish a consumer appeals process. The privacy policy must be posted prominently on a covered business’s main Internet site and must clearly explain how consumer health data is collected and used, the categories of entities with whom the information will be shared, and consumer rights, such as the process for reviewing, requesting changes to, and deleting consumer health data. Covered businesses are prohibited from geofencing healthcare facilities (within 1,750 ft) for the purpose of identifying/tracking consumers receiving or seeking healthcare, collecting health data from consumers, or sending health data or healthcare-related notifications, messages, or advertisements to consumers.

The new law takes effect on March 31, 2024, after which date the state Attorney General can impose financial penalties for noncompliance; however, there is no private cause of action, so consumers are unable to take legal action against entities that have violated their privacy through noncompliance with the law.

The post Nevada Consumer Health Data Bill Signed into Law appeared first on HIPAA Journal.

Senators Demand Answers on Amazon Clinic’s Uses of Customer Data

Two Democratic senators have demanded answers from Amazon about how it uses the data of customers of Amazon Clinic after an investigation by the Washington Post revealed individuals wishing to enroll in Amazon Clinic are required to sign away some of their privacy rights in order to use the service.

Amazon Clinic was launched in November 2022 and provides virtual healthcare services. Amazon advertises the service as “a virtual healthcare storefront through which telehealth services are offered,” with those telehealth services provided by third-party healthcare providers. The Washington Post was contacted by a reader who requested an investigation of Amazon Clinic over the terms and conditions of its sign-up form. When enrolling in Amazon Clinic, users are required to consent to the use and disclosure of their protected health information. The form states that, after consent is given, Amazon will be authorized to access the complete patient file, may re-disclose information contained in that file, and that the disclosed information will no longer be subject to the HIPAA Rules. While the terms are voluntary, individuals cannot use Amazon Clinic unless they agree to them.

Senators Peter Welch (D-VT) and Elizabeth Warren (D-MA) recently wrote to Amazon’s President and Chief Executive Officer, Andy Jassy, and expressed their concern that Amazon may be harvesting the health data of Amazon Clinic customers. The senators have demanded answers about how Amazon uses customers’ health data and whether Amazon is using the data collected from Amazon Clinic customers to sell them other Amazon products or services.

The form provided by Amazon Clinic is essentially a HIPAA authorization, which HIPAA-regulated entities must obtain before making any disclosure of protected health information that is not expressly permitted by the HIPAA Privacy Rule. The HIPAA Privacy Rule also prohibits conditioning care on the signing of an authorization to disclose patient information. The senators point out that the HIPAA authorization that Amazon Clinic customers are required to sign does not state how patient data will be used or shared. Essentially, signing the authorization form gives Amazon full access to customers’ health data and allows the information to be used and redisclosed as Amazon sees fit. Amazon Clinic’s terms and conditions state that customer data is not used for any purposes that its customers have not consented to, yet no information is provided about why customer health data is collected and how that information will be used.

The senators explained that the Federal Trade Commission (FTC) recently fined telehealth provider GoodRx for failing to inform consumers that their health data was disclosed to third parties for advertising purposes, and in addition to paying a financial penalty, GoodRx has been prohibited from using manipulative methods – termed dark patterns – to obtain users’ consent to use and share their health information. “Amazon Clinic customers deserve to fully understand why Amazon is collecting their health care data and what the company is doing with it. Congress is also evaluating legislative efforts to protect health data in the context of emerging technologies,” wrote the senators.

The senators have asked Amazon to provide further information on its privacy practices by June 30, 2023, including a sample of the contract between Amazon and the third-party telehealth providers that have signed up with Amazon Clinic, a list of data elements collected from consumers that sign up for the service, a list of the data elements that are shared with other entities within Amazon Group, and a list of all uses of health data. Amazon was also asked whether any collected health data is used by its analytics and algorithms or for marketing, is sold to third parties, or is provided to federal, state, or local law enforcement authorities.

The post Senators Demand Answers on Amazon Clinic’s Uses of Customer Data appeared first on HIPAA Journal.

FTC Fines Genetic Testing Company for Data Privacy and Security Failures

A San Francisco-based company that sells DNA test kits and personalized diet and exercise plans based on genetic testing has been fined $75,000 by the Federal Trade Commission (FTC) and ordered to make improvements to its data privacy and security practices. The company is alleged to have left sensitive genetic and health data unsecured and deceived customers about its data-sharing practices.

1Health.io, which previously operated under the names Vitagene Inc. and Vitagene, is alleged to have violated the Federal Trade Commission Act by deceiving consumers about its data sharing, data deletion, and DNA sample destruction practices. According to the FTC’s complaint, consumers were informed on the Vitagene website that the company had “rock solid security,” and that the company “collects, processes, and stores your personal information in a responsible, transparent, and secure environment.” Between 2017 and 2020, Vitagene informed consumers that their sensitive health and personal information would only be shared in limited circumstances, such as with their doctor or the lab that was performing the testing. Vitagene also told consumers that DNA results were not stored with names or other identifying information, that DNA samples would be destroyed after analysis, and that consumers could have their personal data deleted at any time.

According to the FTC, the company made retroactive changes to its privacy policy in 2020, updating the policy to state that the company would share personal information with third parties such as supermarket chains; however, consumers were not notified about the change. Any consumer who had already provided personal information to the company would not be aware that their personal data would now be shared with third parties unless they voluntarily rechecked the company’s privacy policy. While the company claimed that DNA samples would be destroyed, from 2016 it had no policy in place requiring the labs that analyzed DNA samples to destroy those samples after analysis. And because the company did not maintain a data inventory from 2016 through July 1, 2019, it was unable to search its cloud storage repositories in response to consumers’ data deletion requests.

The FTC also determined that the company’s security practices put consumer data at risk. Consumers’ health reports were stored in an Amazon S3 bucket that could be accessed over the Internet. Almost 2,400 health reports were stored in the bucket; those reports included the raw genetic data of at least 227 consumers and, in some cases, the consumer’s first name. The data was not encrypted, access controls were not in place, and access logs were not maintained or monitored. The company was warned about the exposed data at least three times over the space of two years from 2017, yet took no action to secure the bucket until it was informed about the data exposure by a security researcher in June 2019.

In addition to the financial penalty, 1Health.io has been prohibited from sharing consumer data with third parties without first obtaining affirmative express consent and must implement a comprehensive information security program that addresses all security deficiencies outlined in the FTC complaint. 1Health.io must also have its information security program assessed by a qualified, objective, independent third-party professional within 180 days, and every two years thereafter for the next 20 years.

While 1Health.io agreed to settle the case, it disagreed with many of the FTC’s conclusions.

The post FTC Fines Genetic Testing Company for Data Privacy and Security Failures appeared first on HIPAA Journal.

May 2023 Healthcare Data Breach Report

May 2023 was a particularly bad month for healthcare data breaches. 75 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in May. May tied with October 2022 as the second-worst month on record for healthcare data breaches, beaten only by the 95 breaches reported in September 2020. Month over month, there was a 44% increase in reported data breaches, and May’s total was well over the 12-month average of 58 data breaches a month.

Healthcare Data Breaches in the Past 12 Months - May 2023

May was also one of the worst-ever months in terms of the number of breached records, which increased by 330% month-over-month to an astonishing 19,044,544 breached records. Over the past 12 months, the average number of records breached each month is 6,104,761 and the median is 5,889,562 records. 46.52% of the breached records in May came from one incident, which exposed the records of almost 8.9 million individuals, and 90.45% of the breached records came from just three security incidents. More healthcare records have been breached in the first 5 months of 2023 (36,437,539 records) than in all of 2020 (29,298,012 records).

Records Breached in Healthcare Data Breaches in the Past 12 Months - May 2023

Largest Healthcare Data Breaches in May 2023

23 data breaches of 10,000 or more records were reported to OCR in May, including the two largest healthcare data breaches of 2023. The worst data breach was a LockBit ransomware attack on the HIPAA business associate Managed Care of North America (MCNA), which affected almost 8.9 million individuals. The LockBit gang stole data, threatened to publish the information on its website if the $10 million ransom was not paid, and, when it wasn’t, leaked the stolen data. Almost 6 million records were stolen in a ransomware attack on PharMerica Corporation and its subsidiary BrightSpring Health Services. The Money Message ransomware group exfiltrated 4.7 terabytes of data in the attack and proceeded to upload the stolen data to its data leak site when the ransom was not paid.

A third million+ record data breach resulted in the exposure and potential theft of the protected health information of 2,550,922 Harvard Pilgrim Health Care plan members following a cyberattack on its parent company, Point32Health, the second largest health insurer in Massachusetts. This was also a ransomware attack, with data theft confirmed. Other large data breaches include a hacking incident at the Virginia-based business associate Credit Control Corporation (345,523 records), and ransomware attacks affecting Onix Group (319,500 records), the Iowa Department of Health and Human Services (233,834 records), and Albany ENT & Allergy Services, PC (224,486 records).

Healthcare Data Breaches of 10,000 or More Records

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
--- | --- | --- | --- | ---
Managed Care of North America (MCNA) | GA | Business Associate | 8,861,076 | Ransomware attack (LockBit) – data theft confirmed
PharMerica Corporation | KY | Healthcare Provider | 5,815,591 | Hacking incident – data theft confirmed
Harvard Pilgrim Health Care | MA | Health Plan | 2,550,922 | Ransomware attack – data theft confirmed
R&B Corporation of Virginia d/b/a Credit Control Corporation | VA | Business Associate | 345,523 | Hacking incident – data theft confirmed
Onix Group | PA | Business Associate | 319,500 | Ransomware attack – data theft confirmed
Iowa Department of Health and Human Services – Iowa Medicaid (Iowa HHS-IM) | IA | Health Plan | 233,834 | Ransomware attack (LockBit) on its business associate (MCNA Dental) – data theft confirmed
Albany ENT & Allergy Services, PC | NY | Healthcare Provider | 224,486 | Ransomware attack (BianLian/RansomHouse) – data theft confirmed
Uintah Basin Healthcare | UT | Healthcare Provider | 103,974 | Hacking incident
UI Community Home Care, a subsidiary of University of Iowa Health System | IA | Healthcare Provider | 67,897 | Cyberattack on subcontractor (ILS) of its business associate (Telligen) – data theft confirmed
University Urology | NY | Healthcare Provider | 56,816 | Hacking incident
Illinois Department of Healthcare and Family Services, Illinois Department of Human Services | IL | Health Plan | 50,839 | Hackers compromised the state Application for Benefits Eligibility (ABE) system
New Mexico Department of Health | NM | Healthcare Provider | 49,000 | Impermissible disclosure of deceased individuals’ PHI in response to an access request by a journalist
Pioneer Valley Ophthalmic Consultants, PC | MA | Healthcare Provider | 36,275 | Malware infection at business associates (Alta Medical Management and ECL Group, LLC)
Brightline, Inc. | CA | Business Associate | 28,975 | Hacking of Fortra GoAnywhere MFT solution
Clarke County Hospital | IA | Healthcare Provider | 28,003 | Hacking incident
United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 26,561 | Hacking incident
ASAS Health, LLC | TX | Healthcare Provider | 25,527 | Hacking incident
iSpace, Inc. | CA | Business Associate | 24,382 | Hacking incident – data theft confirmed
PillPack LLC | NH | Healthcare Provider | 19,032 | Credential stuffing attack allowed customer account access
Solutran | MN | Business Associate | 17,728 | Hacking incident
MedInform, Inc. | OH | Business Associate | 14,453 | Hacking incident – data theft confirmed
Catholic Health System | NY | Healthcare Provider | 12,759 | Hacking incident at business associate (Minimum Data Set Consultants) – data theft confirmed
Northwest Health – La Porte | IN | Healthcare Provider | 10,256 | Paper records were removed from locked shredding bins at an old facility

Causes of May 2023 Healthcare Data Breaches

The vast majority of the month’s data breaches were hacking/IT incidents, many of which were ransomware attacks and data theft/extortion attempts. 81.33% of the month’s data breaches (61 incidents) were hacking/IT incidents and those incidents accounted for 99.54% of all breached records. The protected health information of 18,956,101 individuals was exposed or stolen in those incidents. The average data breach size was 310,756 records and the median breach size was 3,833 records. There were 11 data breaches reported as unauthorized access/disclosure incidents, which affected 82,236 individuals. The average breach size was 7,476 records and the median breach size was 1,809 records. Two theft incidents were reported involving a total of 5,632 records and there was one incident involving the improper disposal of 575 paper records.

Causes of May 2023 Healthcare Data Breaches

Unsurprisingly given the large number of hacking incidents, 57 data breaches involved electronic protected health information stored on network servers. There were also 9 data breaches involving electronic protected health information in email accounts.

Location of Breached PHI in May 2023 Healthcare Data Breaches

Where Did the Breaches Occur?

When data breaches occur at business associates of HIPAA-regulated entities, they are either reported by the business associate, the HIPAA-regulated entity, or a combination of the two, depending on the terms of their business associate agreements. In May, 36 breaches were reported by healthcare providers, 25 by business associates, and 14 by health plans; however, those figures do not accurately reflect where the data breaches occurred. The pie charts below show where the data breaches occurred rather than the entity that reported the data breach, along with the number of records that were exposed or impermissibly disclosed in those data breaches.

May 2023 Healthcare Data Breaches - HIPAA-regulated Entities

Records Breached at HIPAA-regulated entities - May 2023

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 30 states. While Massachusetts tops the list with 15 data breaches reported, 13 of those breaches stem from the same incident: Alvaria, Inc. submitted a separate breach report to OCR for each of its affected healthcare clients. Discounting that, California and New York were the worst affected states, with 7 breaches each.

State | Number of Reported Data Breaches
--- | ---
Massachusetts | 15
California & New York | 7
Connecticut, Iowa & Ohio | 4
Illinois, New Jersey & Pennsylvania | 3
Alaska, Indiana, Missouri & Texas | 2
Arizona, Arkansas, Georgia, Kansas, Kentucky, Michigan, Minnesota, New Hampshire, New Mexico, Oklahoma, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia & Wisconsin | 1


HIPAA Enforcement Activity in May 2023

After two months with no HIPAA enforcement actions, there was a flurry of enforcement activity in May over HIPAA compliance failures. Two financial penalties were imposed by OCR to resolve HIPAA violations, two enforcement actions were announced by state attorneys general, and the Federal Trade Commission (FTC) announced an enforcement action against a non-HIPAA-regulated entity for the impermissible disclosure of consumer health information.

In May, OCR announced its 44th financial penalty under its HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. David Mente, MA, LPC, a Pittsburgh-based counselor, was fined $15,000 for failing to provide a father with the medical records of his minor children, despite the father making two requests for the records and OCR providing technical assistance after the first complaint was filed.

Between January 2020 and June 2023, OCR imposed 61 financial penalties on HIPAA-regulated entities to resolve potential violations of the HIPAA Rules, 69% of which were for HIPAA Right of Access violations. We are now starting to see more financial penalties imposed for other violations. May’s other HIPAA settlement involved a financial penalty of $350,000 for MedEvolve Inc., a Little Rock, AR-based business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. MedEvolve had misconfigured an FTP server, which exposed the electronic protected health information of 230,572 individuals. OCR investigated and determined that, in addition to the impermissible disclosure, MedEvolve had failed to conduct a comprehensive, accurate, and organization-wide risk analysis and had not entered into a business associate agreement with a subcontractor.

The New York Attorney General agreed to a settlement to resolve violations of HIPAA and state laws that were discovered during an investigation of Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp. The medical management company was investigated after reporting a ransomware attack and data breach that impacted 1.2 million individuals. The hackers gained access to its network by exploiting a vulnerability that had not been patched, despite the patch being available for 22 months. Practicefirst was determined to have violated HIPAA and state laws through patch management failures, security testing failures, and not implementing encryption. The case was settled for $550,000.

A multi-state investigation of the vision care provider, EyeMed Vision Care, over a 2.1 million-record data breach was settled with the state attorneys general in Oregon, New Jersey, Florida, and Pennsylvania. A hacker gained access to an employee email account that contained approximately 6 years of personal and medical information including names, contact information, dates of birth, and Social Security numbers. The investigation revealed there had been several data security failures, including a lack of administrative, technical, and physical safeguards, in violation of HIPAA and state laws. The case was settled for $2.5 million.

The FTC has started actively policing the FTC Act and Health Breach Notification Rule and announced its third enforcement action of the year in May. Easy Healthcare, the developer and distributor of the Premom Ovulation Tracker (Premom) app, was alleged to have shared the health data of app users with third parties without user consent, in violation of the FTC Act, and failed to issue notifications, in violation of the Health Breach Notification Rule. Easy Healthcare agreed to settle the case and paid a $200,000 financial penalty.

The post May 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

24 State Attorneys General Confirm Support for Stronger HIPAA Protections for Reproductive Health Data

A coalition of 24 state attorneys general has written to the Department of Health and Human Services (HHS) to confirm their support for the proposed update to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to strengthen reproductive health information privacy.

Background

The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization in June 2022 overturned Roe v. Wade and removed the federal right to abortion. Many states introduced their own laws banning or severely restricting abortions in their respective states, and those laws permit criminal or civil penalties for anyone who seeks, provides, or assists with the provision of an abortion. Currently, 15 states have introduced almost total bans on abortions, and several others have restricted abortions or are in the process of introducing bans or restrictions. Idaho has also recently enacted an abortion trafficking law, which aims to restrict the ability of state residents to travel out of state to receive abortion care.

Following the Supreme Court decision, the HHS’ Office for Civil Rights (OCR) issued guidance to HIPAA-regulated entities on the HIPAA Privacy Rule and how it permits but does not require disclosures of reproductive health information if the disclosure is required by law or is for law enforcement purposes. OCR confirmed that if a patient in a state that has banned abortions informs their healthcare provider that they are seeking an abortion in a state where abortion is legal, the HIPAA Privacy Rule would not permit the healthcare provider to disclose that information to law enforcement in order to prevent the abortion.

OCR subsequently issued a notice of proposed rulemaking (NPRM) about a planned update to the HIPAA Privacy Rule to strengthen reproductive health data privacy further, which would make it illegal to share a patient’s PHI if that information is being sought for certain criminal, civil, and administrative investigations or proceedings against a patient in connection with a legal abortion or other reproductive care.

In response to the NPRM, a coalition of 24 state attorneys general recently wrote to the HHS’ Secretary, Xavier Becerra, and OCR Director, Melanie Fontes Rainer, to confirm their support for the proposed HIPAA Privacy Rule changes. The coalition is led by New York Attorney General Letitia James, and the letter was signed by the state Attorneys General in Arizona, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New York, New Mexico, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Washington, Wisconsin, and Washington D.C. The state AGs requested that the HHS “move expeditiously to issue [the proposed rule] and apply the standard compliance date of 180 days after the effective date of the final rule.”

“No one should have to worry about whether their health care information will be kept private when they go to the doctor to get the care they need,” said Attorney General James. “While anti-choice state legislatures across the nation are stripping away our reproductive freedom and seeking access to health care data, it is imperative that we take every measure to safeguard Americans’ privacy. I will always fight to defend abortion and ensure no one’s private right to choose can be used against them.”

Recommendations to Further Strengthen Reproductive Health Information Privacy

In addition to confirming their support, the coalition has provided comments on areas where the protections stated in the proposed rule could be strengthened further. The proposed Privacy Rule update adopts a broad definition of “reproductive health care” as a subcategory of health care; however, the state AGs recommend also creating a separate definition of “reproductive health,” to make it clear that the update applies not only to providers of gynecological and/or fertility-related care but also to other HIPAA covered entities. This would help to avoid any possible ambiguities about the types of health care covered by the proposed rule, and they recommend that examples of reproductive health care be incorporated into the regulatory text of the final rule.

The state AGs also call for the HHS to define “birth” and “death” separately, in order to clarify that termination of pregnancy is not a public health reporting event and is therefore not subject to the HIPAA Privacy Rule reporting requirements. They also call for a tightening of the language in the proposed rule, which prohibits use or disclosure “primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.” There is concern that a different primary purpose could be manufactured as a pretext for obtaining PHI for a prohibited purpose. This potential loophole could be closed by dropping the word “primarily.”

Among the other recommendations are for the HHS to ensure that requesters and providers receive adequate guidance on the attestation requirement of the proposed rule, under which a requester must attest that the request is not being made to obtain reproductive health information in order to take legal action against an individual. The AGs also ask the HHS to create a nationally available online platform that provides patients with accurate and clear information on reproductive care and privacy rights, and to conduct a public awareness campaign to promote the website.

The post 24 State Attorneys General Confirm Support for Stronger HIPAA Protections for Reproductive Health Data appeared first on HIPAA Journal.