Healthcare Data Privacy

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Posted by HIPAA Journal

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations of the dangers of failing to follow HIPAA Rules.

When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules.

At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino explained that “I have to balance that law enforcement instinct with the educational component that we do.” Severino went on to say, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.”

Severino did not explain what aspect of noncompliance with HIPAA Rules OCR is hoping to highlight with its next big, juicy settlement, although no healthcare organization is immune to a HIPAA penalty if they are found to have violated HIPAA Rules. Severino said, “Just because you are small doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.”

Severino also explained that the number of complaints OCR is now receiving is colossal. More than 20,000 complaints about security incidents and privacy violations are received each year. OCR has many staff issuing technical assistance to help covered entities with their compliance programs.  The goal is to significantly reduce the number of complaints and enjoy a “culture of compliance” throughout the country.

The majority of HIPAA violations are resolved through technical assistance and voluntary compliance, but financial penalties are appropriate for egregious breaches of HIPAA Rules.

Already this year, OCR has agreed eight settlements with covered entities to resolve HIPAA violations discovered during investigations of complaints and data breaches and has issued one civil monetary penalty:

2017 HIPAA Enforcement Actions

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million (Civil monetary penalty)
  • Cardionet – $2.5 million
  • Memorial Hermann Health System (MHHS) – $2.4 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000
  • Metro Community Provider Network – $400,000
  • Luke’s-Roosevelt Hospital Center Inc. – $387,000
  • The Center for Children’s Digestive Health – $31,000

The largest HIPAA settlement of 2017 was agreed with Memorial Healthcare System – a health system consisting of 6 hospitals and various other facilities in South Florida. The settlement of $5.5 million resolved potential violations of HIPAA Rules relating to the impermissible accessing of ePHI by employees and the impermissible disclosure of PHI to affiliated physician office staff.  The settlement underscored the importance of audit controls and the need to carefully control who has access to the ePHI.

The second largest HIPAA settlement of 2017 was for $2.5 million and resolved multiple potential violations of HIPAA Rules that contributed to a breach of 1,391 patient records. The incident involved the theft of an unencrypted laptop computer from healthcare services provider Cardionet. The settlement underscored the importance of conducting a comprehensive risk assessment and of addressing vulnerabilities to the confidentiality of ePHI.

In May, OCR announced a $2.4 million settlement with Memorial Hermann Health System. The settlement resolved HIPAA violations discovered during the investigation of an impermissible disclosure of a patient’s ePHI in a press release and during subsequent meetings with advocacy groups and state representatives.

In January, a $2.2 million settlement was agreed with MAPFRE Life Insurance Company of Puerto Rico. The incident that triggered the investigation involved the theft of an unencrypted pen drive containing the PHI of 2,209 individuals. The investigation revealed multiple violations of HIPAA Rules including the failure to conduct a thorough and accurate risk assessment, the failure to implement a security awareness training program, the failure to encrypt ePHI and the failure to implement appropriate policies to safeguard ePHI.

The civil monetary penalty against Children’s Medical Center of Dallas was issued for the impermissible disclosure of ePHI and multiple failures to comply with the HIPAA Security Rule over several years. The settlement resolves HIPAA failures that contributed to a breach of 3,800 records involving the loss of an unencrypted Blackberry device in 2009 and the loss of an unencrypted laptop containing 2,462 records in 2013.

There has been a period of quiet on the enforcement front over the summer, with the last settlement announced in May. The fall is likely to see more settlements announced and this year looks on track to be another record year for HIPAA enforcement. The big, juicy egregious breach that OCR is looking for may prove to be the largest HIPAA penalty yet.

The post OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017 appeared first on HIPAA Journal.

Alaska DHSS Discovers Malware Infection and Possible PHI Breach

Posted by HIPAA Journal

A Trojan horse virus has been discovered on two computers used by the Alaska Department of Health and Social Services. The virus potentially allowed malicious actors to gain access to the data stored on the devices.

Katie Marquette, Communications Director of the Alaska DHSS, issued a statement confirming there was “a potential HIPAA breach of more than 500 individuals.” At present, the exact number of individuals affected has not been disclosed.

An analysis of the two malware-infected computers revealed the attackers, who are believed to be located in the Western region, may have been able to obtain sensitive information such as Office of Children’s Services (OCS) documents and reports. Those documents contained details of family case files, medical diagnoses and observations, personal information and other related information.

The investigation into the breach is ongoing and the DHSS Information Technology and Security team is currently attempting to determine the exact nature of the breach and whether any sensitive data were accessed or exfiltrated.

Individuals impacted by the breach will be notified in due course and will be provided with up-to-date information as the investigation progresses. At present, the breach appears to be limited to individuals who had prior contact with the Office of Children’s Services.

Due to the potential for data misuse, those individuals have been advised to protect themselves against identity theft and fraud and should carefully review their accounts, Explanation of Benefits statements, and obtain a credit report from one of the three credit monitoring agencies (Experian, Equifax, TransUnion) and to look for any signs of fraudulent activity.

Kaiser Permanente Alerts Members to Email Incident

Kaiser Permanente is notifying approximately 600 members from the Riverside, CA area about privacy breach that saw some of their protected health information emailed to an incorrect recipient.

The email contained a document that included names, medical record numbers and details of procedures performed. No Social Security numbers, financial information or other sensitive data were disclosed.

The incident occurred on August 9, 2017, with the privacy breach believed to have resulted from an error made by an employee when entering an email address. The owner of the email address to which the information was sent is unknown at this time. Kaiser Permanente believes this was an error and there was no malicious intent, although an investigation is ongoing to rule out the possibility of foul play.

The post Alaska DHSS Discovers Malware Infection and Possible PHI Breach appeared first on HIPAA Journal.

Former Employee of The Neurology Foundation Discovered to Have Obtained Patient Data

Posted by HIPAA Journal

The Neurology Foundation in Providence, RI has investigated an employee who had been discovered to be using a company credit card to make unauthorized purchases. The investigation revealed that individual copied and removed a range of sensitive patient information from the organization.

In breach of the Neurology Foundation’s policies, the former employee copied data relating to the Foundation’s patients onto an external hard drive which was stored in the employee’s home.

The Neurology Foundation discovered the employee had copied data onto the hard drive during an exit interview on May 3, 2017. That revelation prompted the Foundation to retain a computer forensics firm to conduct an investigation into the employee’s activities and determine the types of data copied to the storage device and the number of patients impacted.

That investigation also revealed the former employee had breached company policies by copying sensitive data onto his/her desktop computer and several zip drives.

The information copied to the external storage device included patients’ names, addresses, phone numbers, dates of birth, email addresses, health insurance policy numbers, medical record numbers, bank account numbers, medical diagnoses, Social Security numbers, details of treatments and medications, and patients’ race and sex.

While the data could potentially have been misused, the Neurology Foundation has uncovered no evidence to suggest that was the case. The portable hard drive has now been recovered and the data have been secured.

The unauthorized credit card purchases were discovered in April and the HIPAA breach discovered in May; however, patients have only just been informed that their protected health information was compromised.

The delaying of breach notifications is a breach of HIPAA Rules; however, in certain cases, law enforcement may request that the disclosure of the breach to patients, state and federal authorities, and the media be delayed so as not to interfere with a criminal investigation.  That was the case with this breach. Law enforcement requested a delay while the investigation was conducted. The investigation is ongoing, but the law enforcement request to delay notification has now elapsed and notifications are being sent.

All patients impacted by the breach are being offered 12 months of credit monitoring services without charge and have been told to be vigilant to the possibility of identity theft and fraud.

The incident has been reported to the appropriate authorities, although it is currently unclear exactly how many patients have been impacted by the incident.

The post Former Employee of The Neurology Foundation Discovered to Have Obtained Patient Data appeared first on HIPAA Journal.

106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach

Posted by HIPAA Journal

The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised.

McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses.

McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed.

That investigation confirmed the protected health information of seven individuals was definitely accessed, although potentially, the records of 106,000 patients could also have been viewed as a result of the radiology center’s system being compromised.

McLaren Medical Group says its computer system has been reconstructed with additional security protections in place to prevent further incidents of this nature from occurring. All patients affected by the incident have been offered credit monitoring and identity theft services without charge.

Breach notification letters have now been issued to all individuals potentially impacted by the security breach, although it has taken five months for those notification letters to be sent. The HIPAA Breach Notification Rule requires individuals impacted by a PHI breach to be notified as soon as possible, and certainly within 60 days of the discovery of the breach.

This year, Presense Health settled potential HIPAA Breach Notification Rule violations with OCR for $475.,000 after impermissibly delaying the issuing of breach notification letters to patients by one month. It was the first time OCR has settled a case with a covered entity solely for delaying breach notification letters.

Recently, Deven McGraw, deputy director for health information privacy at OCR, confirmed that waiting 60 days to send breach notification letters is a violation of HIPAA Rules. Letters must be sent as soon as possible after a breach. A five-month delay will certainly be scrutinized by OCR and a financial penalty may be deemed appropriate.

The post 106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach appeared first on HIPAA Journal.

106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach

Posted by HIPAA Journal

The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised.

McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses.

McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed.

That investigation confirmed the protected health information of seven individuals was definitely accessed, although potentially, the records of 106,000 patients could also have been viewed as a result of the radiology center’s system being compromised.

McLaren Medical Group says its computer system has been reconstructed with additional security protections in place to prevent further incidents of this nature from occurring. All patients affected by the incident have been offered credit monitoring and identity theft services without charge.

Breach notification letters have now been issued to all individuals potentially impacted by the security breach, although it has taken five months for those notification letters to be sent. The HIPAA Breach Notification Rule requires individuals impacted by a PHI breach to be notified as soon as possible, and certainly within 60 days of the discovery of the breach.

This year, Presense Health settled potential HIPAA Breach Notification Rule violations with OCR for $475.,000 after impermissibly delaying the issuing of breach notification letters to patients by one month. It was the first time OCR has settled a case with a covered entity solely for delaying breach notification letters.

Recently, Deven McGraw, deputy director for health information privacy at OCR, confirmed that waiting 60 days to send breach notification letters is a violation of HIPAA Rules. Letters must be sent as soon as possible after a breach. A five-month delay will certainly be scrutinized by OCR and a financial penalty may be deemed appropriate.

The post 106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

Posted by HIPAA Journal

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

Posted by HIPAA Journal

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

Posted by HIPAA Journal

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. The incident occurred during a recent mailing, when details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses.

The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed.

Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused.

The Legal Action Center and AIDS Law Project of Pennsylvania sent a letter to Aetna last week demanding the insurer stop sending mail that “illegally discloses” plan members are taking HIV medication.” Now, a class-action lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by both organizations and their legal team from Berger & Montague, P.C. The lawsuit demands that Aetna cease the practice of sending information relating to HIV medications in the mail and that it reforms procedures and pays damages.

In a recent press release, the AIDS Law Project explained that the disclosure has caused turmoil for some Aetna members whose HIV positive status was disclosed. The press release cited one example of a couple in Florida who have been forced to move home as a result of the disclosure out of fear and embarrassment.

In another example, the sister of a 52-year old man from Bucks County, PA found out he was taking HIV medication after viewing the information through the envelope. That man is the lead plaintiff in the class action lawsuit. In his case, he does not have HIV, but takes the medication as part of a regimen of pre-exposure prophylaxis to prevent him from contracting the virus.

The purpose of the Aetna correspondence was to address alleged privacy violations raised in two lawsuits in 2014 and 2015, which were filed after the company required customers to receive their HIV medications in the mail. The plaintiffs claimed such actions could breach their privacy. The cases were settled, and the letter was sent on July 28, 2017 in relation to the change in its HIV medication procedures.

When the press release was issued, six AIDS service organizations across the United States had received “dozens” of complaints from customers about the mailing.

Sally Friedman, legal director of the Legal Action Center said, “Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries. This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people’s most private health information.”

The post Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients appeared first on HIPAA Journal.

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

Posted by HIPAA Journal

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. The incident occurred during a recent mailing, when details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses.

The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed.

Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused.

The Legal Action Center and AIDS Law Project of Pennsylvania sent a letter to Aetna last week demanding the insurer stop sending mail that “illegally discloses” plan members are taking HIV medication.” Now, a class-action lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by both organizations and their legal team from Berger & Montague, P.C. The lawsuit demands that Aetna cease the practice of sending information relating to HIV medications in the mail and that it reforms procedures and pays damages.

In a recent press release, the AIDS Law Project explained that the disclosure has caused turmoil for some Aetna members whose HIV positive status was disclosed. The press release cited one example of a couple in Florida who have been forced to move home as a result of the disclosure out of fear and embarrassment.

In another example, the sister of a 52-year old man from Bucks County, PA found out he was taking HIV medication after viewing the information through the envelope. That man is the lead plaintiff in the class action lawsuit. In his case, he does not have HIV, but takes the medication as part of a regimen of pre-exposure prophylaxis to prevent him from contracting the virus.

The purpose of the Aetna correspondence was to address alleged privacy violations raised in two lawsuits in 2014 and 2015, which were filed after the company required customers to receive their HIV medications in the mail. The plaintiffs claimed such actions could breach their privacy. The cases were settled, and the letter was sent on July 28, 2017 in relation to the change in its HIV medication procedures.

When the press release was issued, six AIDS service organizations across the United States had received “dozens” of complaints from customers about the mailing.

Sally Friedman, legal director of the Legal Action Center said, “Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries. This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people’s most private health information.”

The post Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients appeared first on HIPAA Journal.