Healthcare Data Privacy

106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach

Posted by HIPAA Journal

The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised.

McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses.

McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed.

That investigation confirmed the protected health information of seven individuals was definitely accessed, although potentially, the records of 106,000 patients could also have been viewed as a result of the radiology center’s system being compromised.

McLaren Medical Group says its computer system has been reconstructed with additional security protections in place to prevent further incidents of this nature from occurring. All patients affected by the incident have been offered credit monitoring and identity theft services without charge.

Breach notification letters have now been issued to all individuals potentially impacted by the security breach, although it has taken five months for those notification letters to be sent. The HIPAA Breach Notification Rule requires individuals impacted by a PHI breach to be notified as soon as possible, and certainly within 60 days of the discovery of the breach.

This year, Presense Health settled potential HIPAA Breach Notification Rule violations with OCR for $475.,000 after impermissibly delaying the issuing of breach notification letters to patients by one month. It was the first time OCR has settled a case with a covered entity solely for delaying breach notification letters.

Recently, Deven McGraw, deputy director for health information privacy at OCR, confirmed that waiting 60 days to send breach notification letters is a violation of HIPAA Rules. Letters must be sent as soon as possible after a breach. A five-month delay will certainly be scrutinized by OCR and a financial penalty may be deemed appropriate.

The post 106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach appeared first on HIPAA Journal.

106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach

Posted by HIPAA Journal

The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised.

McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses.

McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed.

That investigation confirmed the protected health information of seven individuals was definitely accessed, although potentially, the records of 106,000 patients could also have been viewed as a result of the radiology center’s system being compromised.

McLaren Medical Group says its computer system has been reconstructed with additional security protections in place to prevent further incidents of this nature from occurring. All patients affected by the incident have been offered credit monitoring and identity theft services without charge.

Breach notification letters have now been issued to all individuals potentially impacted by the security breach, although it has taken five months for those notification letters to be sent. The HIPAA Breach Notification Rule requires individuals impacted by a PHI breach to be notified as soon as possible, and certainly within 60 days of the discovery of the breach.

This year, Presense Health settled potential HIPAA Breach Notification Rule violations with OCR for $475.,000 after impermissibly delaying the issuing of breach notification letters to patients by one month. It was the first time OCR has settled a case with a covered entity solely for delaying breach notification letters.

Recently, Deven McGraw, deputy director for health information privacy at OCR, confirmed that waiting 60 days to send breach notification letters is a violation of HIPAA Rules. Letters must be sent as soon as possible after a breach. A five-month delay will certainly be scrutinized by OCR and a financial penalty may be deemed appropriate.

The post 106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

Posted by HIPAA Journal

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

Posted by HIPAA Journal

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

Posted by HIPAA Journal

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. The incident occurred during a recent mailing, when details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses.

The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed.

Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused.

The Legal Action Center and AIDS Law Project of Pennsylvania sent a letter to Aetna last week demanding the insurer stop sending mail that “illegally discloses” plan members are taking HIV medication.” Now, a class-action lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by both organizations and their legal team from Berger & Montague, P.C. The lawsuit demands that Aetna cease the practice of sending information relating to HIV medications in the mail and that it reforms procedures and pays damages.

In a recent press release, the AIDS Law Project explained that the disclosure has caused turmoil for some Aetna members whose HIV positive status was disclosed. The press release cited one example of a couple in Florida who have been forced to move home as a result of the disclosure out of fear and embarrassment.

In another example, the sister of a 52-year old man from Bucks County, PA found out he was taking HIV medication after viewing the information through the envelope. That man is the lead plaintiff in the class action lawsuit. In his case, he does not have HIV, but takes the medication as part of a regimen of pre-exposure prophylaxis to prevent him from contracting the virus.

The purpose of the Aetna correspondence was to address alleged privacy violations raised in two lawsuits in 2014 and 2015, which were filed after the company required customers to receive their HIV medications in the mail. The plaintiffs claimed such actions could breach their privacy. The cases were settled, and the letter was sent on July 28, 2017 in relation to the change in its HIV medication procedures.

When the press release was issued, six AIDS service organizations across the United States had received “dozens” of complaints from customers about the mailing.

Sally Friedman, legal director of the Legal Action Center said, “Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries. This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people’s most private health information.”

The post Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients appeared first on HIPAA Journal.

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

Posted by HIPAA Journal

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. The incident occurred during a recent mailing, when details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses.

The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed.

Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused.

The Legal Action Center and AIDS Law Project of Pennsylvania sent a letter to Aetna last week demanding the insurer stop sending mail that “illegally discloses” plan members are taking HIV medication.” Now, a class-action lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by both organizations and their legal team from Berger & Montague, P.C. The lawsuit demands that Aetna cease the practice of sending information relating to HIV medications in the mail and that it reforms procedures and pays damages.

In a recent press release, the AIDS Law Project explained that the disclosure has caused turmoil for some Aetna members whose HIV positive status was disclosed. The press release cited one example of a couple in Florida who have been forced to move home as a result of the disclosure out of fear and embarrassment.

In another example, the sister of a 52-year old man from Bucks County, PA found out he was taking HIV medication after viewing the information through the envelope. That man is the lead plaintiff in the class action lawsuit. In his case, he does not have HIV, but takes the medication as part of a regimen of pre-exposure prophylaxis to prevent him from contracting the virus.

The purpose of the Aetna correspondence was to address alleged privacy violations raised in two lawsuits in 2014 and 2015, which were filed after the company required customers to receive their HIV medications in the mail. The plaintiffs claimed such actions could breach their privacy. The cases were settled, and the letter was sent on July 28, 2017 in relation to the change in its HIV medication procedures.

When the press release was issued, six AIDS service organizations across the United States had received “dozens” of complaints from customers about the mailing.

Sally Friedman, legal director of the Legal Action Center said, “Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries. This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people’s most private health information.”

The post Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients appeared first on HIPAA Journal.

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords.

Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.”

The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security.

To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator.

NIST suggests physical security mechanisms should be adopted to prevent the theft of cryptographic authenticators, while system security controls should be implemented to prevent malicious actors from gaining access to systems and installing malware such as keyloggers.

Security is only as good as the users of the system, so periodic training is required to ensure users understand their obligations and the importance of reporting suspected account compromises.

Out-of-band techniques (something you have) are also recommended to verify proof of possession of registered devices such as cell phones.

Passwords are categorized as ‘memorized secrets’ by NIST, which suggests a minimum of 8 characters should be used, although longer memorized secrets of at least 64 characters should be encouraged. UNICODE characters, special characters and spaces should be allowed.

The use of spaces does not add to password complexity, although it does help end users set strong passwords such as secret phrases. The longer the memorized secret, the harder it will be for malicious actors to guess.

Brute force attacks are used to gain access to systems by repeatedly guessing passwords. These automated attacks can involve many thousands of guesses, and start with commonly used passwords, dictionary words, repetitive and consecutive sequences of characters (aaaaaaaa, 12341234, 1234abcd), context specific words (server1, MRIpassword), and other weak passwords such as the use of the username in the password and passwords previously exposed in past data breaches.

Administrators should therefore set password policies that prevent these password choices. In the case of dictionary words, all words less than the minimum character requirement can be discounted. NIST says the use of password strength monitors helps end users select strong passwords.

While the forced use of special characters, lower case letters, and upper case letters can improve password strength, in reality, this may not be the case. Forcing users to use at least one lower case letter, one uppercase letter, one number and one special character may not result in the creation of stronger passwords.

NIST says, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought,” but “the impact on usability and memorability is severe.” Such a system means the password will be made much more difficult to remember and end users end up circumventing policies as a result. For example, with those controls in place, Password1! would be acceptable, even though the password is weak.

NIST says “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner.”

By allowing the use of spaces in passwords, users can choose more complex secrets, especially if the upper character limit is not overly restrictive. NIST recommends allowing long passwords (within reason). (See Appendix A – Strength of Memorized Secrets).

NIST also points out that there are other methods that can be adopted that provide greater protection than strong passwords. “Blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks.”

NIST also points out that while these measures – and strong passwords – can help to thwart brute force attacks, they are not effective against many forms of password-related attacks. Even if a 100-character strong password is used, it will still be obtained by a malicious actor who has installed keylogging malware or if an employee responds to a social engineering or phishing attack. Other security controls must therefore be implemented to prevent these sorts of attacks.

The post NIST Updates Digital Identity Guidelines and Tweaks Password Advice appeared first on HIPAA Journal.

Healthcare Hacking Incidents Overtook Insider Breaches in July

Posted by HIPAA Journal

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports.

Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents.

The Protenus Breach Barometer report for July shows there were 36 reported breaches – The third lowest monthly total in 2017 and a major reduction from the previous month when 52 data breaches were reported – the worst month of the year to date by some distance.

In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on
Women’s Health Care Group of PA – impacted 300,000 individuals.

While hacking incidents are usually lower than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception. Protenus reports that 21 times more records were exposed/stolen as a result of hacking incidents than breaches involving insiders. Hacking incidents impacted 516,053 of the 575,142 known victims in July.

There were 8 confirmed insider breaches (22.2% of the total) which resulted in the theft/exposure of 24,212 records. Three were attributed to errors by insiders with five caused by insider wrongdoing. 8.3% of the breaches were due to loss or theft, with three incidents involving the theft of physical records.

At the end of July, the Department of Health and Human Services’ Office for Civil Rights’ cybersecurity newsletter highlighted the risk from phishing attacks, reminding HIPAA-covered entities of the need to conduct security awareness training. July was a particularly bad month for phishing, with 5 phishing incidents reported.

The majority of breaches were experienced by healthcare providers (80.5%) followed by health plans (8.3%) and business associates (5.5%). More business associates may have been involved in the breaches according to Protenus, although insufficient data was available to confirm this. 5.5% of the breaches were attributed to other entities, including one fire dispatch center.

Over the past few months, the time taken by covered entities to report data breaches has improved, with June seeing virtually all breaches reported inside the 60-day window stipulated by the HIPAA Breach Notification Rule. However, there was a slight deterioration in July. The average time to report the breaches was 67.5 days, although the median was 60 days.

It should be noted that unnecessarily delaying breach reports is a violation of HIPAA Rules. Healthcare organizations should not wait until the 60-day deadline arrives before sending notification letters to patients/plan members and informing OCR.

The time taken to discover data breaches is poor in the healthcare industry. In July, the average time to discover a breach was 503 days (median was 79.5 days). The average time was skewed by a single breach that took an astonishing 14 years to discover – a breach involving an insider who had been snooping on patient records.

California, Georgia, and Indiana topped the list for the states worst affected by healthcare data breaches with three incidents apiece.

The post Healthcare Hacking Incidents Overtook Insider Breaches in July appeared first on HIPAA Journal.

Want to Prevent Data Breaches? Time to Go Back to Basics

Posted by HIPAA Journal

Intrusion detection systems, next generation firewalls, insider threat management solutions and data encryption will all help healthcare organizations minimize risk, prevent security breaches, and detect attacks promptly when they do occur. However, it is important not to forget the security basics. The Office for Civil Rights Breach portal is littered with examples of HIPAA data breaches that have been caused by the simplest of errors and security mistakes.

Strong security must start with the basics, as has recently been explained by the FTC in a series of blog posts. The blog posts are intended to help businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically aimed at healthcare organizations, the information covered is relevant to organizations of all sizes in all industry sectors.

The blog posts are particularly relevant for small to medium sized healthcare organizations that are finding data security something of a challenge.

The blog posts are an ideal starting point to ensure all the security basics are covered.  They cover 10 basic security principles the FTC looks at when investigating complaint and data breaches. The blog posts use examples from FTC cases and 60+ complaints and orders, including settlements reached with organizations that have failed to implement appropriate security controls. The FTC has also listened to the challenges faced by businesses when attempting to secure sensitive information and offers practical tips to address those challenges.

While the FTC has taken action against organizations, in the majority of cases investigations have been closed without any further action necessary. Companies may have experienced data breaches, yet they got the basics right and had implemented reasonable data security controls. They may not have been enough to prevent cyberattacks and other security incidents, but they were sufficient to avoid a financial penalty.

The same applies to Office for Civil Rights investigations into HIPAA data breaches. OCR investigates all breaches of more than 500 records, yet only a very small percentage of the 2,000+ data breaches reported to OCR have resulted in a financial penalty. If you want to avoid a FTC or HIPAA fine, it is essential to get the basics right. Getting the basics wrong can prove very costly indeed.

The FTC blog services covers the following aspects of data security:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

The blog posts have been combined into the FTC’s Start with Security brochure, which is a “nuts-and-bolts brochure that distills the lessons learned from FTC cases down to 10 manageable fundamentals applicable to companies of any size.” The blog posts and brochure can be viewed on this link.

HIPAA-covered entities should also sign up with OCRs cybersecurity newsletter, which details new threats and further steps that covered entities should take to improve security and keep ePHI secure. To sign up for the newsletter, visit this link and be sure to check out the Security Rule guidance material published by HHS.

The post Want to Prevent Data Breaches? Time to Go Back to Basics appeared first on HIPAA Journal.