Healthcare Data Privacy

Fall in Healthcare Data Breaches in August: Rise in Breach Severity

Posted by HIPAA Journal

Healthcare data breaches have fallen for the second month in a row, according to the latest installment of the Breach Barometer report from Protenus/Databreaches.net. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the reduction in data breaches is encouraging, that is still more than one healthcare data breach per day.

August may have been the second best month of the year to date in terms of the number of reported incidents, but it was the third worst in terms of the number of individuals impacted. 575,142 individuals were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further still, since two incidents were not included in that total since it is not yet known how many individuals have been affected.

The worst incident of the month was reported by Pacific Alliance Medical Center – A ransomware attack that impacted 266,133 patients – one of the worst ransomware incidents of the year to date.

Throughout the year, insider incidents have dominated the breach reports, although in July hacking was the biggest cause of PHI breaches. That trend has continued in August with hackers responsible for 54.5% of all reported data breaches. Those incidents accounted for 95% of all breached patient records in the month. The hacking totals also include phishing and ransomware incidents. There were at least five reported data breaches in August that involved ransomware.

In August, insiders were responsible for 9 incidents – 27.3% of the total – seven of which were insider errors, with two incidents due to insider wrongdoing. 15.2% of breaches were the result of the loss or theft of unencrypted devices containing PHI.

While breaches of electronic protected health information dominated the breach reports, there were six incidents reported that involved physical records, including two mailings in which PHI was visible through the clear plastic windows of the envelopes.

Protenus notes that while healthcare organizations appear to be getting better at discovering data breaches more quickly, the figures for the past two months may be misleading. Alongside the decrease in time taken to identify breaches there has been an increase in hacking incidents, which tend to be discovered faster than insider breaches.

Protenus explains, “For the month of August, time to discover a hacking incident took an average of 26 days (median = 22.5 days), while insider incidents took an average of 209.8 days (median = 115 days),” demonstrating the difficulty healthcare organizations have in detecting insider breaches.

Organizations are reporting breaches to HHS and notifying patients within 60 days of the discovery of a breach on the whole, with only three organizations exceeding the deadline. One of those entities took 177 days from the discovery of the breach to report the incident to HHS. The average time was 53 days and the median time was 58 days.

The breach reports followed a similar pattern to most months, with healthcare providers experiencing the majority of breaches (72%), followed by health plans (18.2%). Business associates reported 3% of breaches and 6% were reported by other entities, including a pharmacy and a private school. Texas was the worst affected state in August with five breaches, followed by California with four, and Ohio and New York with three apiece.

The post Fall in Healthcare Data Breaches in August: Rise in Breach Severity appeared first on HIPAA Journal.

Augusta University Medical Center Phishing Attack Took Three Months to Discover

Posted by HIPAA Journal

An Augusta University Medical Center phishing attack has resulted in an unauthorized individual gaining access to the email accounts of two employees.

It is unclear when the phishing attack was discovered, although an investigation into the breach was concluded on July 18, 2017. That investigation confirmed access to the employees’ email accounts was gained between April 20-21, 2017.

Upon discovery of the breach, access to the email accounts was disabled and passwords were reset. The investigation did not confirm whether any of the information in the accounts had been accessed or copied by the attackers.

Patients impacted by the breach have now been notified – five months after the breach occurred. Patients have been informed that the compromised email accounts contained sensitive information such as names, addresses, dates of birth, driver’s license numbers, financial account information, prescription details, diagnoses, treatment information, medical record numbers and Social Security numbers. The amount of information exposed varied for each patient.

It is currently unclear how many patients have been impacted, although a spokesperson for AU Medical Center said the breach impacted fewer than 1% of its patients. Credit monitoring and identity theft protection services are being offered to all patients whose Social Security number was compromised.

This is not the first time that employees at Augusta University have fallen for phishing scams. A similar breach occurred between September 7-9, 2016, resulting in similar data being exposed. In that case, “a small number” of employees responded to phishing emails and divulged their email logins.

While that breach was identified promptly – News Channel 6 reported that all AU employees were required to reset their passwords due to a significant risk following the phishing attack – the Augusta Chronicle reported in May that the investigation into the breach was only completed on March 29, 2017 – more than six months after the attack took place. Individuals impacted by the breach were notified within 60 days of the breach investigation being completed. The breach was reported to the HHS’ Office for Civil Rights on May 26,2017.

The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows HIPAA-covered entities up to 60 days following the discovery of a breach to issue breach notification letters to patients and to alert OCR of the breach.

It should be noted that while HIPAA allows up to 60-days to report data breaches, covered entities must report incidents ‘without unreasonable delay’.  Failure to report incidents promptly can easily result in a HIPAA penalty, as Presense Health discovered earlier this year. In that case, breach notifications were issued three months after the breach was discovered, resulting in a settlement of $475,000.

This latest breach was announced five months after the email accounts were compromised, with the investigation concluding three months after the initial breach. The earlier phishing attack appeared to take 6 months to investigate and report, with notifications sent to patients eight months after the breach.

Why the investigations took so long to conduct and why reporting the incidents was delayed is something of a mystery. According to OCR’s breach reporting portal, the September phishing attack is still under investigation. The latest incident has yet to appear on the OCR breach portal.

The post Augusta University Medical Center Phishing Attack Took Three Months to Discover appeared first on HIPAA Journal.

Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach

Posted by HIPAA Journal

A former employee of the Arkansas Department of Human Services (DHS) has been fired from her new position at the state hospital for emailing spreadsheets containing the protected health information of patients to a personal email account.

Yolanda Farrar worked as a payment integrity coding analyst for the DHS, but was fired on March 24, 2017. According to a statement issued by DHS spokesperson Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.”

The day previously, Farrar had spoken with her supervisor about issues relating to her performance and learned that she was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address.

Farrar decided to take legal action against DHS for unfair dismissal. Attorneys working for DHS were preparing to represent the agency in court and were checking emails sent by Farrar through her work email account. They discovered the emails and spreadsheets on August 7. The DHS privacy officer was immediately notified of the discovery and an internal investigation into the incident was launched.

The spreadsheets were found to contain a range of sensitive information of patients including names, birth dates, linked Medicaid identification numbers, diagnoses, codes for medical procedures, and some Social Security numbers. Each record in the spreadsheet was manually checked and after duplicates were removed, DHS determined that the protected health information of 26,044 patients had been emailed to the personal account.

By emailing the spreadsheets, Farrar breached DHS policies, state and federal laws. Farrar had since been employed at the state hospital; however, the discovery of the emails resulted in her being fired from that position. The investigation into the privacy breach is ongoing and the DHS intends to pursue criminal charges against Farrar.

The DHS already requires employees to undergo privacy training. All employees are required to pass a test on that training before they are allowed Internet access and are made aware that emailing confidential information outside the agency is prohibited.  A review of policies and procedures is being conducted to determine whether any further actions can be taken to reduce the potential for similar incidents from occurring in the future.

DHS has confirmed that all individuals impacted by the incident will be notified of the privacy breach by mail this week.

The post Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach appeared first on HIPAA Journal.

Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury

Posted by HIPAA Journal

An investigation has been conducted into a privacy violation at the University of Pittsburgh Medical Center’s Bedford Memorial hospital, in which photographs and videos of a patient’s genitals were taken by hospital staff and in some cases, were shared with other individuals including non-hospital staff. The patient was admitted to the hospital in late December 2017, with photos/videos shared over the following few weeks.

The patient was admitted to the hospital on December 23, 2017 with a genital injury – a foreign object had been inserted into the patient’s penis and was protruding from the end. The bizarre injury attracted a lot of attention and several staff members not involved with the treatment of the patient were called into the operating room to view the injury. Multiple staff members took photographs and videos of the patient’s genitals while the patient was sedated and unconscious.

The privacy breach was reported by one hospital employee who alleged images/videos were being shared with other staff members not involved in the treatment of the patient. The complaint was investigated by the Pennsylvania Department of Health and Human Services on May 23, 2017.

While HIPAA violations appear to have occurred, the investigation only confirmed violations of the Social Security Act had occurred. According to the published report of the investigation, multiple areas of non-compliance with the Social Security Act – 42 CFR, Title 42, Part 482-Conditions of Participation for Hospitals were discovered: 482.13 – Patient rights; 482.22(c) Medical Staff Bylaws; 482.42 Infection Control; and 482.51 Surgical Services.

According to a statement obtained from a member of staff who was interviewed, a request was made for photographs to be taken of the patient’s injury for use in future medical lectures. That individual said, “We have a camera in the OR for that purpose, but it was reportedly broken and so personal phones were used. Initially, we thought there was only one picture taken but later we learned of others. We also had the camera checked out, it is working, it is just too complicated to use.”

One physician said, “At one point when I looked up, there were so many people it looked like a cheerleader type pyramid.”

The story was originally reported on Pennlive, which received an emailed statement from UPMC saying, “The behavior reported in this case is abhorrent and violates the mission of UPMC Bedford and the overall values of UPMC. Upon discovery, UPMC quickly self-reported the incident to the Pennsylvania Department of Health and took appropriate disciplinary action with the individuals involved.”

Those actions included suspensions and firings of staff who were discovered to have violated the patient’s privacy. The patient, who was not identified, has also been informed of the privacy breach.

The post Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury appeared first on HIPAA Journal.

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

Posted by HIPAA Journal

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma.

As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma.

OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act.

In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:

  • 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • 45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
  • 45 CFR 164.520 – Distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

The waiver only applies to penalties and sanctions in relation to the above provisions of the HIPAA Privacy Rule, only to hospitals in the emergency area that have implemented their disaster protocol, and only for the time period identified in the public health emergency declaration.

The waiver applies for a maximum of 72 hours after a hospital has implemented its disaster protocol. If either the President’s or HHS Secretary’s declaration terminates within that 72-hour time period, the hospital must immediately comply with all aspects of the HIPAA Privacy Rule for all patients under its care.

In emergency situations, the HIPAA Privacy Rule does permit the sharing of PHI for treatment purposes and with public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered entities are also permitted to share information with family, friends, and others involved in an individual’s care, even if a waiver has not been issued. Further details of the allowable disclosures in emergency situations are detailed in the HHS HIPAA bulletin.

In all cases, covered entities must limit disclosures to the minimum necessary information to achieve the purpose for which PHI is disclosed.

Even during natural disasters, healthcare organizations and their business associates must continue to comply with the HIPAA Security Rule and must ensure appropriate administrative, physical, and technical safeguards are maintained to ensure the confidentiality, integrity, and availability of electronic protected health information to prevent unauthorized access and disclosures.

The post Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone appeared first on HIPAA Journal.

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

Posted by HIPAA Journal

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems.

The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.”

Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices.

The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely; however, the guidelines are only recommendations and are not legally enforceable. It is down to each manufacturer to ensure the recommendations are incorporated into the design of the devices.

FDA Associate Director for Digital Health, Bakul Patel, Patel explained in a recent blog post that the guidelines focus on three key areas: Ensuring interoperability is at the core of the design of their devices, that verification, validation and risk management activities are performed, and that the functional, performance, and interface characteristics of the devices are clearly specified to ensure users.

In terms of interoperability, the guidelines say, “In designing a medical device’s electronic interface, manufacturers should consider the level of interoperability needed to achieve the purpose of the interface, as well as the information necessary to describe the interface.”

Manufacturers should “address the risks associated with the anticipated users of the device, reasonably foreseeable misuse of the device, and reasonably foreseeable combinations of events that could result in a hazardous situation.”

Devices must also be clearly labelled to advise users of the functional, performance and interface characteristics, including explicit warnings against foreseeable uses that could result in harm.

Patel explained, the FDA’s main concern is safety. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system. Our guidance recommends appropriate functional, performance, and interface requirements for devices with such interactions.”

Manufacturers should be transparent about the functions and characteristics of the devices and their interfaces to ensure those using the devices with systems and devices can do so safely. If it is not clearly explained to users how the devices function and interface, this could potentially lead to devices malfunctioning, which would have an impact on patient safety. The guidelines say, “The manufacturer should determine the appropriate way to provide the information based upon the anticipated users and the risk analysis.”

Patel explained, “Our guidance is a good step towards safer devices, and we will continue to work with all stakeholders to adapt along with the technology.”

The final guidelines can be downloaded here.

The post FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange appeared first on HIPAA Journal.

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

Posted by HIPAA Journal

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems.

The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.”

Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices.

The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely; however, the guidelines are only recommendations and are not legally enforceable. It is down to each manufacturer to ensure the recommendations are incorporated into the design of the devices.

FDA Associate Director for Digital Health, Bakul Patel, Patel explained in a recent blog post that the guidelines focus on three key areas: Ensuring interoperability is at the core of the design of their devices, that verification, validation and risk management activities are performed, and that the functional, performance, and interface characteristics of the devices are clearly specified to ensure users.

In terms of interoperability, the guidelines say, “In designing a medical device’s electronic interface, manufacturers should consider the level of interoperability needed to achieve the purpose of the interface, as well as the information necessary to describe the interface.”

Manufacturers should “address the risks associated with the anticipated users of the device, reasonably foreseeable misuse of the device, and reasonably foreseeable combinations of events that could result in a hazardous situation.”

Devices must also be clearly labelled to advise users of the functional, performance and interface characteristics, including explicit warnings against foreseeable uses that could result in harm.

Patel explained, the FDA’s main concern is safety. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system. Our guidance recommends appropriate functional, performance, and interface requirements for devices with such interactions.”

Manufacturers should be transparent about the functions and characteristics of the devices and their interfaces to ensure those using the devices with systems and devices can do so safely. If it is not clearly explained to users how the devices function and interface, this could potentially lead to devices malfunctioning, which would have an impact on patient safety. The guidelines say, “The manufacturer should determine the appropriate way to provide the information based upon the anticipated users and the risk analysis.”

Patel explained, “Our guidance is a good step towards safer devices, and we will continue to work with all stakeholders to adapt along with the technology.”

The final guidelines can be downloaded here.

The post FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange appeared first on HIPAA Journal.

OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters

Posted by HIPAA Journal

Hospitals in Texas and Louisiana had to ensure medical services continued to be provided during and after Hurricane Harvey, without violating HIPAA Rules. Questions were raised about when it is permitted to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights responded by issuing guidance to covered entities on the HIPAA Privacy Rule and disclosures of patient health information in emergency situations to help healthcare organizations protect patient privacy and avoid violating HIPAA Rules. Allowable disclosures are summarized in this document.

Hot on the heels of hurricane Harvey comes hurricane Irma, closely followed by hurricane Jose. Hospitals in other parts of the United States will have to cope with the storm and its aftermath and still comply with HIPAA Rules. OCR has taken the opportunity to remind covered entities of the need to prepare.

OCR has explained that the HIPAA Privacy Rule was carefully created to ensure that in emergency situations, healthcare organizations can protect the privacy of patients and still share individually identifiable health information.

OCR also reconfirmed that even in emergency situations, the HIPAA Security Rule is not suspended and preparation for emergencies is essential. HIPAA-covered entities and business associates are required to implement strategies to ensure ePHI remains secured at all times and the confidentiality, integrity, and availability of ePHI is not placed in jeopardy. During and after an emergency, ePHI must be accessible, which means covered entities must plan for all eventualities to ensure patient health information can always be accessed.

OCR explained that the HIPAA Security Rule – § 164.308(a)(7) – requires contingency plans to include a data backup plan, disaster recovery plan, and emergency mode operation plan. These are all required elements of the HIPAA Security Rule.

The data backup plan must ensure retrievable, exact copies of electronic protected health information are created and maintained. The disaster recovery plan must ensure any data lost during a natural disaster or emergency can be recovered from backups. Procedures must be established, and implemented as necessary, to ensure data can be quickly recovered. During emergency mode, security processes to protect ePHI must be maintained, even during power outages and technical failures.

Further, there are two addressable requirements: testing and revision procedures and application and data criticality analysis. Covered entities should periodically test their contingency plans and revise them as necessary to ensure they continue to be effective in an emergency situation. Covered entities should also identify software applications that store, maintain or transmit ePHI, and assess how important each is to business needs. Priorities must be set for data backup, emergency operations, and disaster recovery.

OCR has drawn attention to an interactive decision tool on the HHS website that has been developed to help healthcare organizations prepare for the worst and find out how HIPAA Rules apply in emergency situations. OCR explains, “The tool is designed for covered entities as well as emergency preparedness and recovery planners at the local, state and federal levels.”

While the reminders have been issued specifically to help covered entities prepare for when hurricane Irma makes landfall, even covered entities unlikely to be affected must ensure they are prepared for the worst.

The post OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters appeared first on HIPAA Journal.

Mailing Error and PHI Breach Underscores Need for Greater Oversight

Posted by HIPAA Journal

Healthcare organizations must take care not to expose protected health information in mailings. Recently, there have been two incidents reported that involved sensitive information being disclosed as a result of a lack of oversight when corresponding with patients by mail.

A third-party error resulted in details of HIV medications used by Aetna plan members being improperly disclosed. Letters were sent in sealed envelopes, although prescribed HIV medications were clearly visible through the clear plastic windows of the envelopes.

Last year, Emblem Health sent a mailing in which patients’ Social Security numbers were accidentally printed on the outside of envelopes and the Ohio Department of Mental Health and Addiction Services sent a survey to patients on a postcard rather than using letters in sealed envelopes. In that case, the fact that the patient was, or had been, undergoing treatment for mental health issues was disclosed to any individual who happened to view the postcard.

A similar incident has recently affected patients of University of Wisconsin-Madison’s Department of Family Medicine and Community Health. UW-Madison took the decision to ask its patients how it could improve the quality of its services.

A request to take part in a survey was sent via mail, but rather than sending letters inside sealed envelopes, the decision was taken to send postcards. Printed on the postcards, in plain sight, were references to prescribed medications and family planning services: A violation of patient privacy and breach of HIPAA Rules.

UW-Madison has mailed all individuals affected by the privacy breach alerting them to the error and informing them that workflows have been reviewed and improved to prevent further privacy breaches. Additional reviews will be performed before any correspondence is sent in the future.

All of the above mailing errors have involved simple oversights, but the consequences can be severe for patients. The third-party error that resulted in the HIV medications of Aetna plan members being exposed has caused serious harm for several patients. Some plan members had their HIV positive status disclosed to family members and roommates. Some have been forced to move home out of embarrassment and fear.

These incidents serve as a reminder to all covered entities of the risk of privacy violations from mailings. Covered entities must ensure policies and procedures are implemented to ensure all mailings are reviewed prior to dispatch to ensure sensitive data is not accidentally exposed.

The post Mailing Error and PHI Breach Underscores Need for Greater Oversight appeared first on HIPAA Journal.