Healthcare Data Privacy

How Many HIPAA Violations in 2017 Resulted in Financial Penalties?

Posted by HIPAA Journal

We are often asked about healthcare data breaches and HIPAA violations and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017.

How Many HIPAA Violations Occurred in 2017?

The problem with determining how many HIPAA violations occurred in 2017 is many violations are not reported, and out of those that are, it is only the HIPAA breaches that impact more than 500 individuals that are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”.

To call it a ‘Wall of Shame’ is not fair on healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes if for a patch not to be applied immediately or an employee to accidently click on a phishing link for a data breach to occur. The breach reports are therefore not an accurate guide to the number of HIPAA violations that have occurred.

Some attorneys general publish details of data breaches, and many of those breaches are the result of HIPAA violations; however, only a small number of states publish that data breach summaries and as with OCR’s breach portal, there are many breaches that have occurred at organizations that are fully compliant with HIPAA Rules. It is also not possible to say how many of those breaches were the result of HIPAA violations. That can only be determined with a detailed investigation.

Complaints about potential HIPAA violations are frequently submitted to OCR. These tend to be smaller incidents involving relatively few individuals, such as a patient who believes HIPAA Rules have been violated or employees who believe colleagues have violated HIPAA Rules. OCR occasionally releases figures on the number of complaints that it receives, but many of those complaints turn out to be unfounded and, in many cases, OCR cannot prove beyond reasonable doubt that a HIPAA violation has occurred.

It is also not possible to gauge the level of serious HIPAA violations that have occurred based on settlements and civil monetary penalties. Even when there is evidence to suggest HIPAA Rules have been violated, financial settlements are typically only pursued when a case against a HIPAA-covered entity is particularly strong and likely to be won.

It is therefore not possible to determine how many HIPAA violations in 2017 resulted in data breaches nor how many violations occurred last year.

How Many HIPAA Violations in 2017 Resulted in Financial Settlements?

It is also not possible to determine how many HIPAA violations in 2017 have resulted in financial penalties being issued, at least not yet. OCR and state attorneys general open investigations when data breaches are experienced or complaints are received about potential HIPAA violations. However, it takes time to conduct investigations and gather evidence. Even when there is evidence of HIPAA violations, cases can take years before settlements are reached or civil monetary penalties are issued.

The latest HIPAA settlement is a good example. Fresenius Medical Care North America settled its case with OCR for $3,500,000 in 2018, yet the data breaches that triggered the investigation occurred in 2012. The list below shows the settlements and civil monetary penalties issued in 2017 and the years in which the violations occurred.

So unfortunately, it is not possible to say how many HIPAA violations in 2017 resulted in financial penalties, as that will not be known for many years to come

HIPAA Settlements and Civil Monetary Penalties in 2017

 

Covered Entity Penalty Amount Penalty Type Reason for Penalty Date of Violation(s)
21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations 2015
Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI 2015
St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI 2014
The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement 2003-2015
Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI 2011
Metro Community Provider Network $400,000 Settlement Lack of Security Management Process 2011
Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls 2007-2012
Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI 2006-2013
MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI 2011
Presense Health $475,000 Settlement Delayed Breach Notifications 2013

 

What we can say is HIPAA violations have occurred at most healthcare organizations, although oftentimes the violations are minor and inconsequential. We can go further and say that a majority of healthcare organizations have failed to follow HIPAA Rules to the letter all of the time.

The evidence comes from the second round of HIPAA compliance audits conducted by OCR in late 2016 and 2017. A final report on the findings of the audits has yet to be published, but last September preliminary results were released. They showed that healthcare organizations are still not getting to grips with HIPAA Rules and noncompliance is commonplace.

Findings of the 2017 HIPAA Compliance Audits

Listed below are the preliminary findings of the second round of HIPAA compliance audits. The audits consisted of ‘Desk Audits’ conducted on 166 covered entities on the HIPAA Privacy, Security, and Breach Notification Rules and 41 business associates of HIPAA covered entities on the Security and Breach Notification Rules.

OCR gave each audited entity a rating from 1-5 based on the level of compliance. A rating of 1 means the organization was in compliance with the goals and objectives of the audited standards and implementation specifications. A rating of 5 was given to entities that did not provide OCR with evidence to show that a serious attempt had been made to comply with HIPAA Rules.

HIPAA Rule Aspect of HIPAA Rule 1 Rating 2 Rating 3 Rating 4 Rating 5 Rating N/A
Breach Notification Rule Timeliness of Notification 65% 6% 2% 9% 11% 7%
Breach Notification Rule Content of Notification 14% 14% 23% 37% 7% 5%
Privacy Rule Patient Right to Access 1% 10% 27% 54% 11% N/A
Privacy Rule Notice of Privacy Practices 2% 33% 39% 11% 15% 2%
Privacy Rule Provision of eNotice 57% 15% 4% 6% 15% 3%
Security Rule Risk Analysis 0% 2% 19% 23% 13% N/A
Security Rule Risk Management 1% 3% 13% 29% 17% N/A

The post How Many HIPAA Violations in 2017 Resulted in Financial Penalties? appeared first on HIPAA Journal.

Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed

Posted by HIPAA Journal

Massachusetts Attorney General Maura Healey has announced the launch of a new online data breach reporting tool. The aim is to make it as easy as possible for breached entities to submit breach notifications to the Attorney General’s office.

Under Massachusetts data breach notification law (M.G.L. c. 93H), organizations experiencing a breach of personal information must submit a notification to the Massachusetts attorney general’s office as soon as it is practicable to do so and without unnecessary delay. Breaches must also be reported to the Director of the Office of Consumer Affairs and Business Regulation (OCABR) and notifications must be issued to affected individuals.

“Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” said Healey. “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.”

Regarding the latter, the Mass. Attorney general’s office will soon be uploading a database to its website that will allow the public to view a summary of data breaches affecting state residents, similar to the breach portal maintained by the Department of Health and Human Services’ Office for Civil Rights. The Massachusetts Attorney General’s “Wall of Shame” will list the organizations that have experienced data breaches, the date the breaches are believed to have occurred, and the number of state residents that are believed to have been impacted.

The new online portal and breach listings are part of the state’s commitment to make sure state residents are promptly notified about data breaches to enable them to take rapid action to mitigate risk.

Massachusetts is also committed to holding businesses accountable when security breaches are experienced that could easily have been prevented.

Last year, following notification of a breach by Equifax, Attorney General Healey filed an enforcement action against the credit monitoring firm seeking civil penalties, disgorgement of profits, restitution, costs, and attorneys’ fees in addition to injunctive relief to prevent harm to state residents. Massachusetts was the first state to launch such an enforcement action against the firm.

At the time, Healey said, “We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”

Massachusetts is also one of a handful of states that has exercised the right to pursue financial penalties when healthcare organizations violate HIPAA Rules and expose patients’ health information. The state will continue to punish firms that fail to address vulnerabilities and do not implement reasonable safeguards to keep the personal information of state residents secure.

The post Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed appeared first on HIPAA Journal.

$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches

Posted by HIPAA Journal

The first HIPAA settlement of 2018 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Fresenius Medical Care North America (FMCNA) has agreed to pay OCR $3.5 million to resolve multiple potential HIPAA violations that contributed to five separate data breaches in 2012.

The breaches were experienced at five separate covered entities, each of which was owned by FMCNA. Those breached entities were:

  • Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval)
  • Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove)
  • Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin)
  • Fresenius Vascular Care Augusta, LLC (FVC Augusta)
  • WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island)

Breaches Experienced by FMCNA HIPAA Covered Entities

The five security breaches were experienced by the FMCNA covered entities over a period of four months between February 23, 2012 and July 18, 2012:

  • The theft of two desktop computers from FMC Duval during a February 23, 2012 break-in. The computers contained the ePHI – including Social Security numbers – of 200 individuals
  • The theft of an unencrypted USB drive from FMC Magnolia Grove on April 3, 2012. The device contained the PHI – including insurance account numbers – of 245 individuals
  • On April 6, 2012 FMC Ak-Chin discovered a hard drive was missing. The hard drive had been removed from a computer that had been taken out of service and the drive could not be located. The hard drive contained the PHI – including Social Security numbers – of 35 individuals
  • An unencrypted laptop computer containing the ePHI of 10 patients – including insurance details – was stolen from the vehicle of an employee on June 16, 2012. The laptop had been left in the vehicle overnight. The bag containing the laptop also contained the employee’s list of passwords
  • Three desktop computers and one encrypted laptop were stolen from FMC Blue Island on or around June 17-18, 2012. One of the computers contained the PHI – including Social Security numbers – of 35 patients

Multiple HIPAA Failures Identified

OCR launched an investigation into the breaches to establish whether they were the result of failures to comply with HIPAA Rules. The investigation revealed a catalogue of HIPAA failures.

OCR established that the FMCNA covered entities had failed to conduct a comprehensive and accurate risk analysis to identify all potential risks to the confidentiality, integrity, and availability of ePHI: One of the most common areas of non-compliance with HIPAA Rules. If an accurate risk assessment is not performed, risks are likely to be missed and will therefore not be managed and reduced to an acceptable level.

OCR also discovered the FMCNA covered entities had impermissibly disclosed the ePHI of many of its patients by providing access to PHI that is prohibited under the HIPAA Privacy Rule.

Several other potential HIPAA violations were discovered at some of the FMCNA covered entities.

FMC Magnolia Grove did not implement policies and procedures governing the receipt and removal of computer hardware and electronic storage devices containing ePHI from its facility, and neither the movement of those devices within its facility.

FMC Magnolia Grove and FVC Augusta had not implemented encryption, or an equivalent, alternative control in its place, when such a measure was reasonable and appropriate given the risk of exposure of ePHI.

FMC Duval and FMC Blue were discovered not to have sufficiently safeguarded their facilities and computers, which could potentially lead to unauthorized access, tampering, or theft of equipment.

FMC Ak-Chin had no policies and procedures in place to address security breaches.

Financial Penalty Reflects the Seriousness and Extent of HIPAA Violations

The $3.5 million settlement is one of the largest issued to date by OCR to resolve violations of HIPAA Rules. In addition to paying the sizeable financial penalty, FMCNA has agreed to adopt a robust corrective actin plan to address all HIPAA failures and bring its policies and procedures up to the standard demanded by HIPAA.

The FMCNA covered entities must conduct comprehensive, organization wide risk analyses to identify all risks to the confidentiality, integrity, and availability of PHI and develop a risk management plan to address all identified risks and reduce them to a reasonable and acceptable level.

Policies and procedures must also be developed and implemented covering device, media, and access controls and all staff must receive training on current and new HIPAA policies and procedures.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Settlement Shows it is Not the Size of the Breach that Matters

All of the five breaches resulted in the exposure of relatively few patients’ PHI. No breach involved more than 235 records, and three of the breaches exposed fewer than 50 records.

The settlement shows that while the scale of the breach is considered when deciding on an appropriate financial penalty, it is the severity and the extent of non-compliance that is likely to see financial penalties pursued.

The settlement also clearly shows that OCR does investigate smaller breaches and will do so when breaches suggest HIPAA Rules have been violated.

The post $3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches appeared first on HIPAA Journal.

Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case

Posted by HIPAA Journal

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones.

Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis.

The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $115 million settlement with the New York Attorney General to resolve violations of federal and state laws.

Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had their privacy violated by the September mailing.

The settlement agreement explains that more than 90% of patients diagnosed with HIV face discrimination and prejudice, and approximately one in eight individuals with HIV are denied health services as a result of the stigma associated with HIV and AIDS. A breach of HIV information can therefore have severe repercussions for the victims.

New York has implemented strict laws that require HIV information to be kept secure and confidential to ensure its residents are not discouraged from coming forward to be tested and treated for HIV. It is therefore important that action is taken against organizations and individuals who violate state laws by disclosing HIV information.

As a HIPAA-covered entity, Aetna is bound by the regulations and is required to implement safeguards to ensure the confidentiality of health and HIV information. Several laws in New York also require safeguards to be implemented to protect personal health information and personally identifiable information.

Not only were state and federal laws violated by the mailing, Aetna provided the personal health information of its members to outside counsel who in turn gave that information to a settlement administrator. While the outside counsel was a business associate of Aetna and had signed a business associate agreement, its subcontractor, the settlement administrator, was also a business associate yet no business associate agreement was entered into prior to the disclosure of PHI. A further violation of HIPAA Rules.

The office of the attorney general determined Aetna’s two mailings violated 45 C.F.R § 164.502; 42 U.S.C. § 1320d-5 of HIPAA, N.Y General Business Law § 349, N.Y Public Health Law § 18(6), and N.Y Executive Law § 63(12).

The settlement agreement also draws attention to the fact that Aetna had reported a further three HIPAA breaches to the Office for Civil Rights in the past 24 months, which in total impacted more than 25,000 individuals.

In addition to the financial penalty, Aetna has agreed to update its policies, procedures and controls to enhance the privacy protections for its members and protect them from negligent disclosures of personal health information and personally identifiable information through its mailings.

“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” said Attorney General Eric T. Schneiderman. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”

This may not be the last financial penalty Aetna has to cover in relation to the mailings. This $115 million settlement only resolves the privacy violations of 2,460 Aetna members in New York state. The mailing was sent to around 13,000 Aetna members across the United States. It is possible that other states will similarly take action over the privacy violations. The Department of Health and Human Services’ Office for Civil Rights is also investigating the data breach and may choose to penalize the insurer for violating HIPAA Rules.

The post Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case appeared first on HIPAA Journal.

Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records

Posted by HIPAA Journal

The Topeka, KS-based healthcare company Pearlie Mae’s Compassion and Care LLC and its owners have been fined by the Kansas Attorney General for failing to protect patient and employee records. The healthcare provider has agreed to pay a civil monetary of $8,750.

The HITECH Act gave attorneys general the authority to enforce HIPAA rules and take action against HIPAA-covered entities and business associates that are discovered not to be in compliance with HIPAA regulations. Only a handful of state attorneys general have exercised those rights, with many opting to pursue privacy violations under state laws.

In this case, Attorney General Derek Schmidt issued the civil monetary penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act.

Special agents of the Kansas attorney general’s office were assisting the Topeka Police Department execute a search warrant in June 2017 at the home of Ann Marie Kaiser, one of the owners of Pearlie Mae’s Compassion and Care. Kaiser’s home was used as an office location for the company. While at the property, the agents noticed unsecured medical records in open view.

The paperwork included personal information, which includes, social security numbers, driver’s license numbers, financial account numbers, which could be used to harm the persons whose information is compromised. Such information could have been viewed by anyone in the property, including individuals unauthorized to access the information.

The civil penalty was issued for the failure to maintain reasonable procedures and practices appropriate to the nature of information held, the failure to exercise reasonable care to protect personal information, and the failure to take reasonable steps to destroy records when they were no longer required – violations of K.S.A. 50-6,139b(b)(l) and K.S.A. 50-6,139b(b)(2).

In addition to covering the financial penalty, Pearlie Mae’s has agreed to update its policies and procedures to ensure compliance with the Wayne Owen Act and will also cover the costs – $1,250 – incurred by the Attorney general office during its investigation.

The post Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records appeared first on HIPAA Journal.

Analysis of Healthcare Data Breaches in 2017

Posted by HIPAA Journal

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity.  So how has 2017 been?

There Were at Least 477 Healthcare Data Breaches in 2017

In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at rate of more than one per day.

There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches.

There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was a massive reduction in the number of breached records. In 2016, there were 27,314,647 records exposed/stolen. The 407 healthcare data breaches in 2017 resulted in the exposure/theft of 5,579,438 records.

In 2017, there were no million-record+ breaches. The largest security incident was a breach of 697,800 records. That breach was an insider incident where a healthcare employee downloaded PHI onto a USB drive and CD.

Main Causes of Healthcare Data Breaches in 2017

There were two causes of healthcare data breaches in 2017 that dominated the breach reports – Hacking/IT incidents and insider breaches, both of which were behind 37% of the year’s breaches. 178 incidents were attributed to hacking/IT incidents. There were 176 breaches caused by insider wrongdoing or insider errors.

Hacking/IT incidents resulted in the exposure/theft of 3,436,742 records, although detailed data is only available for 144 of those breaches. In 2016, 86% of breaches were attributed to hacking/IT incidents. In 2016, 120 hacking incidents were reported which resulted in the exposure/theft of 23,695,069 records. The severity of hacks/insider incidents was therefore far lower in 2017, even though hacking incidents were more numerous.

What is clear from the breach reports is a major increase in malware/ransomware attacks, which were at more than twice the level seen in 2016. This could be explained, in part, by the issuing of new guidance from OCR on ransomware attacks. OCR confirmed that ransomware attacks are usually reportable security incidents under HIPAA Rules. Until the issuing of that guidance, many healthcare organizations did not report ransomware attacks unless it was clear that data had been stolen or viewed prior to or during the attack.

Insider breaches continue to plague the healthcare industry. Data is available for 143 of the 176 data breaches attributed to insiders. 1,682,836 records were exposed/stolen in those incidents. While the totals are still high, there were fewer insider incidents in 2017 than 2016, and the incidents resulted in fewer exposed records. There were 192 insider-related incidents in 2016 and those incidents resulted in the exposure/theft of 2,000,262 records.

Protenus broke down the incidents into insider error – mistakes made by healthcare employees – and insider wrongdoing, which included theft and snooping. The breakdown was 102 insider errors and 70 cases of insider wrongdoing. Four incidents could not be classified as either. One of the cases of snooping lasted for an astonishing 14 years before it was discovered.

While theft of PHI by employees is difficult to eradicate, arguably the easiest cause of healthcare data breaches to prevent is theft of electronic devices containing unencrypted PHI. If devices are encrypted, if they are stolen the incidents do not need to be reported. There has been a steady reduction in theft breaches over the past few years as encryption has been more widely adopted. Even so, 58 breaches (16%) were due to theft. Data is available for 53 of those incidents, which resulted in the exposure of 217,942 records. The cause of 47 healthcare data breaches in 2017 could not be determined from the data available.

Breached Entities and Geographic Spread

The breaches affected 379 healthcare providers (80%), 56 health plans (12%), and 4% involved other types of covered entity. Business associate reported 23 incidents (5%) although a further 66 breaches (14%) reported by covered entities had some business associate involvement. Figures are known for 53 of those breaches, which resulted in the exposure/theft of 647,198 records.  Business associate breaches were lower than in 2016, as was the number of records exposed by those breaches.

There were breaches by covered entities and business associates based in 47 states, Puerto Rico and the District of Columbia. Interestingly, three states were free from healthcare data breaches in 2017 – Hawaii, Idaho, and New Mexico. California was the worst hit with 57, followed by Texas on 40, and Florida with 31.

Slower Detection, Faster Notification

Reports of healthcare data breaches in 2017 show that in many cases, breaches are not detected until many months after the breach occurred. The average time to discover a breach, based on the 144 incidents for which the information is known, was 308 days. Last year the average time to discover a breach was 233 days. It should be noted that the data were skewed by some breaches that occurred more than a decade before discovery.

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) allows up to 60 days from the discovery of a breach to report the incident. The average time to report a breach, based on the 220 breaches for which information was available, was 73 days. Last year the average was 344 days.

The faster reporting may have been helped by the OCR settlement with Presense Health in January for delaying breach notifications – The first HIPAA penalty solely for late breach notifications.

Overall there were several areas where the healthcare industry performed better in 2017, although the report shows there is still considerable room for improvement, especially in breach prevention, detection and reporting.

The post Analysis of Healthcare Data Breaches in 2017 appeared first on HIPAA Journal.

Colorado Considers New Privacy and Data Breach Legislation

Posted by HIPAA Journal

Colorado is the latest state to consider changing its privacy and data breach notification laws to improve protections for state residents. The legislation has been proposed by a bipartisan group of legislators, and if passed, would make considerable changes to existing state laws.

The proposed legislation applies to personally identifying information. The changes would see the following information included in the definition of PII:

Full name or last name and initial in combination with any of the following data elements: Personal ID numbers, Social Security numbers, state ID numbers, state or government driver’s license numbers, passport numbers, biometric data, passwords and pass codes, employment, student and military IDs, financial transaction devices, health information, and health insurance information.

Usernames/email addresses, financial account numbers, and credit/debit card numbers are also included, if they are compromised along with other information that allows account access or use. A breach would not be deemed to have occurred if the PII is encrypted, unless the key to unlock the encryption is also compromised.

Organizations that store the PII of state residents would be required to implement controls to ensure the privacy and confidentiality of PII. The proposed legislation does not include details of the types of security protections, procedures, and practices that must be implemented to keep personally identifiable information secure, only that the security measures be “appropriate to the nature of the personally identifying information and the nature and size of the business and its operations.”

Any entity that wishes to disclose PII to a third party must communicate to that entity that the PII must be protected and secured at all times, including the use of technology, procedures and practices. They must be appropriate to the sensitivity of the data and be reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction.

If PII is no longer required, the information must be securely and permanently destroyed, whether the information is in paper form or stored on electronic devices. Policies covering the destruction of data are required in writing.

For paper records, this would likely mean burning, pulping, pulverizing, or shredding. For electric devices, data would need to be securely erased to prevent reconstruction. Typical methods include degaussing – the exposure of the device to strong magnetic fields, the use of software to overwrite media to prevent reconstruction of data, or destroying the media by pulverization, disintegration, melting, shredding, or incineration.

In the event of a breach of PII, the maximum time limit for issuing notifications would be 45 days from the discovery of a breach. Currently there is no stipulated maximum time frame for issuing notifications. Notifications must currently be issued “in the most expedient time and without unreasonable delay.”

A notification would also need to be sent to the state attorney general no later than 7 days following the discovery of a breach that impacts 500 or more individuals.

As is the case in California and several other states, the legislation stipulates the content that must be included in the breach notification letters.  The date of the breach must be communicated, or a reasonable estimate if it is not known, a description of the PII that has been compromised, contact information, a toll-free number to call for further information, contact details of consumer reporting agencies and the FTC, and information on how credit freezes and security alerts can be set.

The legislation would also authorize the Colorado Attorney General to initiate criminal investigations and legal proceedings against organizations that fail to comply with the legislation

The post Colorado Considers New Privacy and Data Breach Legislation appeared first on HIPAA Journal.

Analysis of Q4 2017 Healthcare Security Breaches

Posted by HIPAA Journal

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported.

There were 27 healthcare security breaches reported in September, following by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches.

Q4 2017 Healthcare Security Breaches by Month

Accompanied by the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.

 Largest Q4, 2017 Healthcare Security Breaches

 

Covered Entity Entity Type Number of Records Breached Cause of Breach
Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident
Henry Ford Health System Healthcare Provider 43563 Theft
Coplin Health Systems Healthcare Provider 43000 Theft
Pulmonary Specialists of Louisville, PSC Healthcare Provider 32000 Hacking/IT Incident
SSM Health Healthcare Provider 29579 Unauthorized Access/Disclosure
UNC Health Care System Healthcare Provider 27113 Theft
Emory Healthcare Healthcare Provider 24000 Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC) Healthcare Provider 22000 Loss
Chase Brexton Health Care Healthcare Provider 16562 Hacking/IT Incident
Hackensack Sleep and Pulmonary Center Healthcare Provider 16474 Hacking/IT Incident
Longs Peak Family Practice, P.C. Healthcare Provider 16238 Hacking/IT Incident
Shop-Rite Supermarkets, Incorporated Healthcare Provider 12172 Improper Disposal
Sinai Health System Healthcare Provider 11347 Hacking/IT Incident
The Medical College of Wisconsin, Inc. Healthcare Provider 9500 Hacking/IT Incident
Golden Rule Insurance Company Health Plan 9305 Unauthorized Access/Disclosure

 

There was a steady increase in breached records each month in Q4. In October, 71,377 records were breached, rising to 107,143 records in November and 341,621 records in December. Even December’s high total was lower than any month in the previous quarter.

Q4 2017 Healthcare Security Breaches - breached records

 

Hacking/IT incidents tend to involve the highest number of exposed/stolen records and Q4 was no exception. 7 of the top 15 security incidents (47%) were due to hacks and IT incidents. Loss and theft incidents accounted for 27% of the worst healthcare security breaches in Q4, followed by unauthorized access/disclosures on 20%.

Causes of Q4 2017 Healthcare Security Breaches

 

While hacking/IT incidents resulted in the exposure/theft of the most records, unauthorized access/disclosure incidents were the most numerous. Out of the 86 reported healthcare security breaches in Q4, 33 were unauthorized access/disclosures (38.37%). There were 29 hacking/IT incidents (33.7%), and 20 incidents (23.3%) involving the loss/theft of PHI and electronic devices containing ePHI. Four incidents (4.7%) involved the improper disposal of PHI/ePHI.

In Q4, paper records/films were involved in the most breaches, showing how important it is to physically secure records. 21 incidents (24.4%) involved physical records. As was the case in Q3, email was also a top three cause of breaches, with many healthcare organizations suffering phishing attacks in Q4. Network server attacks completed the top three locations of breached PHI.

Q4 2017 Healthcare Security Breaches - location of breached PHI

 

 

Healthcare providers reported the most security breaches in Q4, following by health plans and business associates of HIPAA-covered entities, as was the case for most of 2017.

Q4 2017 Healthcare Security Breaches by covered entity

 

In Q4, 2017, healthcare organizations based in 35 states reported security breaches. Unsurprisingly, being the most populous state in the US, California topped the list for the most reported healthcare security breaches with 7 incidents in Q4.

In close second on 6 breaches were Florida and Maryland, followed by New York with 5 incidents. Kentucky, Michigan, and Texas each had four reported breaches, and Colorado, Illinois, New Jersey, and Pennsylvania each suffered 3 incidents.

Q4 2017 Healthcare Security Breaches - by state

 

 

 

The post Analysis of Q4 2017 Healthcare Security Breaches appeared first on HIPAA Journal.

HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities

Posted by HIPAA Journal

The Office for Civil Rights has sent an email update on the Spectre and Meltdown chip vulnerabilities, urging HIPAA-covered entities to mitigate the vulnerabilities as part of their risk management processes. The failure to address the computer chip flaws could place the confidentiality, integrity, and availability of protected health information at risk.

HIPAA-covered entities have been advised to read the latest updates on the Spectre and Meltdown chip vulnerabilities issued by the Healthcare Cybersecurity and Communications Integration Center (HCCIC).

What are Spectre and Meltdown?

Spectre and Meltdown are computer chip vulnerabilities present in virtually all computer processors manufactured in the past 10 years. The vulnerabilities could potentially be exploited by malicious actors to bypass data access protections and obtain sensitive data, including passwords and protected health information.

Meltdown is an attack that exploits a hardware vulnerability (CVE-2017-5754) by tricking the CPU into speculatively loading data marked as unreadable or “privileged,” allowing side-channel exfiltration. Spectre is an attack involving two vulnerabilities (CVE-2017- 5753, CVE-2017-5715) in the speculative execution features of CPUs. The first vulnerability is exploited to trick the CPU into mispredicting a branch of code of the attacker’s choosing, with the second used to trick the CPU into speculatively loading the memory allocated to another application on the system. The Meltdown and Spectre chip vulnerabilities can be exploited to gain access to sensitive data, including passwords, cryptographic keys used to protect PII, PHI, or PCI information handled by an application’s database.

Meltdown and Spectre affect computers running on Windows, Mac, Linux and other operating systems. Eradicating the vulnerabilities means replacing chips on all vulnerable devices; however, operating system vendors have been developing patches that will prevent the vulnerabilities from being exploited. Updates have also been made to web browsers to prevent web-based exploitation of the vulnerabilities.

Following the disclosure of the vulnerabilities, HCCIC alerted healthcare organizations about the risk of attack, with the vulnerabilities categorized as a medium threat since local access is generally required to exploit the flaws. However, potentially the flaws can be exploited remotely if users visit a specially crafted website. Browsers are susceptible due to improper checks on JavaScript code, which could lead to information disclosure of browser data.

Mitigating the Threat of Spectre and Meltdown Attacks

Patching operating systems and browsers will mitigate the vulnerabilities, but there may be a cost. The patches can affect system performance, slowing computers by 5-30%. Such a reduction would be noticeable when running high demand computer applications.

There have also been several compatibility issues with anti-virus software and other programs. It is therefore essential for patches to be thoroughly tested before implementation, especially on high value assets and systems containing PII and PHI.

Due to the compatibility issues, Microsoft is only releasing updates for computers that are running anti-virus software that has been confirmed as compatible with the patch. If anti-virus software is not updated, computers will remain vulnerable as the update will not take place. Most anti-virus software companies have now updated their programs, but not all. Kevin Beaumont is maintaining a list of the patch status of AV software.

Web browsers must also be updated to the latest versions. Microsoft has updated Internet Explorer 11 and Microsoft Edge, and Firefox (57.0.4) and Safari (11.0.2) include the update. Google Chrome has also been patched. Healthcare organizations should ensure they are running the latest versions of browsers on all devices to prevent data leakage and operating systems should be patches as soon as possible. One of the main challenges for healthcare organizations is identifying all vulnerable devices – including computers, medical devices and accessory medical equipment – and ensuring they are fully patched.

The vulnerabilities also affect cloud service providers, as their servers also contain computer chips. There could be leakage of PII and PHI from cloud environments if patches have not been applied.

Amazon AWS and Azure have already been patched to protect against Meltdown and Spectre. Healthcare organizations using other managed cloud service providers or private cloud instances should check that they have been patched and are protected against Meltdown and Spectre.

The post HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities appeared first on HIPAA Journal.