Healthcare Data Privacy

Hard Drive Theft Sees Data of 1 Million Individuals Exposed

Washington State University (WSU) in Pullman is notifying approximately 1 million people that some of their personal information was exposed following the theft of a computer hard drive.

The hard drive held backups from a server used by the University’s Social & Economic Sciences Research Center (SESRC). It was kept in an 85 lb locked safe, and the safe was stolen along with its contents.

It is possible that the safe has been opened and the data on the drive accessed. WSU suggested the thieves would need some skill to view the information because it was stored in a relational database, and said that some of the files on the device were password protected and some were encrypted. That reasoning deserves a caveat: a database backup is readable by anyone who installs the matching, freely available database software, and a file-level password is not the same as encryption. The only control that makes a stolen backup drive worthless to a thief is encryption of the whole drive, or of the backup files themselves, with the key held somewhere other than on the drive, and by WSU’s own account only some of the files were protected that way.
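To make the caveat concrete, here is an added example of my own (not code from the HIPAA Journal post, WSU or its forensics firm). A constructed SQLite file with fictitious rows stands in for the SESRC backup: the "thief" reads it with nothing but the Python standard library, and then the same file is encrypted with AES-256-GCM using the third-party `cryptography` package (which you need installed). The key is generated in memory to represent one kept in a key manager off the drive; the backup label is an assumed name.

```python
"""Added example: a database backup is not protected by its format, but an
encrypted backup whose key is held elsewhere is. Not WSU's code."""
import os
import sqlite3
import tempfile

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed sample rows; names, addresses and SSNs are fictitious.
SAMPLE_ROWS = [
    ("Ada Example", "123 Main St", "000-00-0001"),
    ("Ben Example", "456 Oak Ave", "000-00-0002"),
]


def write_backup(path):
    """Create the stand-in 'server backup': a plain SQLite file."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE participants (name TEXT, address TEXT, ssn TEXT)")
    con.executemany("INSERT INTO participants VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def read_backup_as_thief(path):
    """No credentials, no special tooling: the standard library reads it."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT name, address, ssn FROM participants").fetchall()
    con.close()
    return rows


def encrypt_backup(plaintext, key, label):
    """AES-256-GCM. Output is 12-byte random nonce || ciphertext+tag.
    `label` (e.g. backup set name) is authenticated but not encrypted, so a
    blob cannot be silently swapped for another backup set."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, label)


def decrypt_backup(blob, key, label):
    """Raises InvalidTag if the key, label or any ciphertext byte is wrong."""
    nonce, ciphertext = blob[:12], blob[12:]
    return AESGCM(key).decrypt(nonce, ciphertext, label)


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        db = os.path.join(workdir, "sesrc_backup.sqlite")
        write_backup(db)
        stolen_rows = read_backup_as_thief(db)  # the "obscure format" is no barrier

        # Key lives in a KMS/HSM, never on the backup drive (assumption: generated here).
        key = AESGCM.generate_key(bit_length=256)
        label = b"sesrc-backup-2013-12-31"  # assumed backup-set name
        with open(db, "rb") as fh:
            raw = fh.read()
        blob = encrypt_backup(raw, key, label)

        # What a thief sees on the encrypted drive: not even the 16-byte SQLite header.
        header_visible = raw[:16] in blob
        restore_ok = decrypt_backup(blob, key, label) == raw

        # Flipping one bit of the stored blob is detected by the GCM tag.
        tampered = bytearray(blob)
        tampered[-1] ^= 0x01
        try:
            decrypt_backup(bytes(tampered), key, label)
            tamper_detected = False
        except InvalidTag:
            tamper_detected = True

    return {
        "rows_readable_in_clear": len(stolen_rows),
        "sqlite_header_visible_after_encryption": header_visible,
        "restore_ok": restore_ok,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the authenticated label is operational rather than cryptographic: a restore job that passes the wrong label fails closed instead of quietly restoring the wrong backup set. In a real deployment the key would be fetched from a key manager at backup and restore time, and the drive in the safe would hold only the ciphertext.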

The University discovered the safe was missing on April 21, 2017 and immediately began an investigation, bringing in a leading computer forensics firm to determine which data had been backed up to the device and could potentially be accessed. That investigation revealed the device contained personally identifiable information of research participants, including names, addresses and Social Security numbers. The data came from a variety of sources, including school districts and colleges that track students after graduation, and spanned 1998 to 2013.

WSU cannot confirm if the safe was opened or if the information on the drive was accessed, although it has received no indications that information has been viewed. However, as a precaution, all individuals impacted by the incident are being offered membership to Experian’s ProtectMyID service for 12 months without charge.

The incident has prompted WSU to perform a thorough review of its IT practices and policies and information technology operations will be strengthened as a result of the breach. Staff will also receive additional training on data handling best practices.

The data breach will prove costly for WSU. The recent Ponemon Institute/IBM Security Cost of a Data Breach Study put the average cost of education-sector (university) data breaches at $245 per exposed record, although some of that cost is likely to be covered by the university’s cybersecurity insurance policy. That per-record figure should not simply be multiplied by the number of people affected: the Ponemon sample excludes breaches of more than 100,000 records, and the cost per record falls as breach size grows.

The post Hard Drive Theft Sees Data of 1 Million Individuals Exposed appeared first on HIPAA Journal.

Google to Remove Personal Medical Information From Its Search Results

There are only a handful of content categories that Google will remove from its search results on request. That list has now grown slightly with the addition of personal medical records, specifically the ‘confidential, personal medical records of private people.’

The policy was updated yesterday, with medical records joining national identification numbers such as Social Security numbers, bank account numbers, credit card numbers, images of signatures, sexual abuse imagery, revenge porn, and material hosted in violation of the Digital Millennium Copyright Act.

Google’s crawlers index any publicly reachable page they can find, and there has been criticism in recent years about the types of information Google allows to be listed. Even so, it is rare for Google to add a category of content that it will remove from results. The last addition was revenge porn, nude or sexually explicit images uploaded to the Internet without the subject’s consent, which Google added to its removal policy in 2015.

The latest addition will go some way toward protecting the privacy of individuals who have been the victims of data breaches or data leaks. One notable case of the latter came to light in December last year when an Indian pathology lab accidentally exposed the pathology results of 43,203 individuals on a website that Google indexed and displayed in its search listings. Recently there have been a number of cases of stolen medical records being dumped online when ransom demands were not paid. In such cases, the information will now be less visible.

If medical records are uploaded to the Internet, accidentally or deliberately, they remain directly accessible at their original location and will still be indexed by other search engines; removal from Google’s results is not removal of the records, and the site owner still has to take them down. But since more than 77% of people use Google as their primary search engine, it will be harder for the general public to find the records online.


FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products

Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D., has announced the FDA will be launching a new, risk-based regulatory framework in the fall for overseeing connected medical technology, including health apps and medical devices.

The FDA wants to encourage and promote innovation that will lead to the development of new and beneficial medical technologies; however, it is essential that these technologies can benefit patients without placing their health or privacy at risk.

Gottlieb said the FDA has now developed a new Digital Health Innovation Plan that will foster “innovation at the intersection of medicine and digital health technology.” The plan includes a novel post-market approach to regulating digital medical devices and health-related apps.

In a recent blog post, Gottlieb pointed out that close to 165,000 health-related apps have now been released for smartphones and other mobile devices, with forecasts estimating the apps will be downloaded 1.7 billion times by the end of this year. These apps have the potential to improve the health of patients, empowering them to make better day-to-day health decisions and manage their health conditions more effectively.

There has been an explosion in the number and types of connected digital health devices in recent years, including health-tracking apps, fitness trackers and medical devices. There has been considerable innovation in the field, although Gottlieb said there is currently some ambiguity about how the FDA regulates apps and medical devices, which results in some innovators steering clear of healthcare and focusing their efforts on other ventures.

The FDA’s aim is to release clear guidance for developers that will enable them to understand all regulatory requirements on their own without having to obtain answers from the FDA on each individual technological change they wish to make.

The new guidance will cover a wide range of digital health products with multiple software functions, including some apps and devices that currently fall outside the scope of FDA regulation.

Gottlieb said, “Greater certainty regarding what types of digital health technology is subject to regulation and regarding FDA’s compliance policies will not only help foster innovation, but also will help the agency to devote more resources to higher risk priorities.”

The FDA will be running a pilot program for its new, risk-based regulatory framework this fall. The pilot program is still under development and the FDA is currently determining how a third-party certification program can be developed that will allow low-risk digital health products to be marketed without the need for a premarket review by the FDA.

High-risk products will still require a pre-market review, although the FDA is looking at ways the process can be streamlined. The FDA is considering a certification program that would assess companies rather than individual products, determining whether they reliably and consistently engage in high-quality software design and diligently validate their software products.

Gottlieb said, “Employing a unique pre-certification program for software as a medical device (SaMD) could reduce the time and cost of market entry for digital health technologies.”

“Applying this firm-based approach, rather than the traditional product-based approach, combined with leveraging real-world evidence, would create market incentives for greater investment in and growth of the digital health technology industry.”


Texas Health and Human Services Commission Reports Improper Disposal of 1,800 Patient Records

The Texas Health and Human Services Commission has reported that a box of paper forms containing protected health information was improperly disposed of. The paperwork was discovered in a box next to a dumpster used by one of its eligibility offices in the E. 40th St. complex in Houston.

An investigation into the improper disposal has been launched and steps are being taken to prevent similar incidents from occurring in the future. Those steps will include a review of the processes and procedures for permanently destroying documents containing protected health information.

Texas Health and Human Services Commission is in the process of issuing breach notification letters to all affected individuals. The breach summary on the Department of Health and Human Services breach portal indicates 1,842 patients were impacted. Those individuals all reside in the Houston area.

The Texas Health and Human Services Commission says the forms contained protected health information such as names, dates of birth, client numbers, case numbers and telephone numbers, and potentially also mailing addresses, health information, bank account numbers and Social Security numbers.

All individuals impacted by the breach have been offered credit monitoring services for a period of 12 months without charge, although the commission pointed out that no evidence has been uncovered to suggest any of the forms have been accessed by unauthorized individuals.

This is the second data breach in the space of a year reported by the Texas Health and Human Services Commission. In June last year, the commission was informed by Iron Mountain that boxes had been removed from three of its storage facilities. The boxes contained forms relating to individuals who had applied for medical assistance, with the incident impacting 600 individuals.


May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported.

So far, each month of 2017 has seen more than 30 data breaches reported, roughly one reported breach per day, as was the case in 2016.

In May, 255,108 healthcare records were exposed, a 10% increase in victims from the previous month; however, the number of records exposed is not yet known for 8 of the breaches reported in May, so the total could rise significantly.

The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group known for stealing data and demanding a ransom in exchange for not publishing it. In the latest incident the data were dumped online when the organization refused to pay the ransom.

While April saw a majority of healthcare data breaches caused by hackers, in May it was insiders that caused the most data breaches. Insiders were responsible for 40.54% of data breaches (15 incidents) in May, with 10 the result of insider errors and 5 incidents the result of insider wrongdoing. In total, 39,491 healthcare records were exposed as the result of insiders.

Hacking was the second biggest cause of data breaches, accounting for 35.14% of the month’s reported breaches. As is typical, hacking resulted in the exposure of the most records – 203,394. At least three of those hacking incidents involved ransomware.

Compiling this month’s report was complicated by several hacking incidents that came to light only when data were posted on black market websites; it is unclear whether those incidents are genuine, as efforts to verify the data proved inconclusive.

Loss or theft of unencrypted devices and physical records accounted for 13.51% of breaches. Those incidents resulted in the exposure of 4,122 records, although it is unclear how many records were exposed in one of those theft/loss breaches. The cause of the remaining 10.81% of incidents is still unknown.

Healthcare providers reported 81% of the month’s breaches, followed by business associates (11%) and health plans (8%).

Over the past two months there has been an improvement in the reporting of healthcare data breaches, with more covered entities reporting incidents inside the 60-day limit of the HIPAA Breach Notification Rule. This month 83% of covered entities reported their breaches on time, an improvement on last month, when just 66% of breaches were reported within 60 days. One covered entity took 77 days to report a breach while another took 140 days, more than twice the allowable time. The improvement could be due, in part, to OCR’s decision to fine a covered entity $475,000 for the late issuing of breach notifications to patients.

This month’s Breach Barometer report shows that while breach reporting is improving, breach detection remains a problem. April’s breaches took an average of 51 days to detect, whereas in May it took an average of 441 days for healthcare organizations to discover a breach had occurred. Three healthcare organizations took around three years or longer: one took almost three and a half years (1,260 days), another 1,125 days and a third 1,071 days.

California was once again the worst affected state with 6 breaches, closely followed by Florida with 5 incidents.


OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’.

The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected.

The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the way the information is published is under review, the publication of breach summaries is itself a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require action from Congress. However, changes could be made to how the information is displayed and for how long it remains available: the HITECH Act only requires the information to be published and does not stipulate how long a covered entity remains on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide some information on what has occurred. If there was a time limit placed on the length of time a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

Of course, in the case of the WannaCry attacks, healthcare organizations may not be blameless. The worm spread through an SMBv1 vulnerability for which Microsoft had released a patch (MS17-010) two months earlier, so the attacks were only possible where that patch had not been applied promptly. However, in its current form, there would be no indication on the website that a covered entity had experienced a ransomware attack, as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has occurred.


Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified

The recent WannaCry ransomware attacks have highlighted the risks from failing to apply patches and update software promptly; however, a new study conducted by BitSight sought to quantify the level of risk that tardy updates introduce.

For the study, BitSight analyzed the correlation between data breaches and the continued use of old operating systems such as Windows 7, Windows Vista and Windows XP, and of old versions of web browsers.

Operating systems and browsers used by approximately 35,000 companies from 20 industries were assessed as part of the study. BitSight checked Apple macOS and Microsoft Windows operating systems and the Chrome, Internet Explorer, Safari and Firefox web browsers.

2,000 of the companies studied (6%) had out of date operating systems on more than half of their computers. BitSight said 8,500 companies were discovered to be using out of date web browsers.

BitSight used its risk platform to study computer compromises and identified the operating system and browser versions in use at those companies, as observed from outside the organizations. BitSight found that organizations running out-of-date operating systems were three times more likely to suffer a data breach than those running newer operating systems, and organizations with out-of-date web browsers were twice as likely to experience a data breach.
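The same kind of measurement can be made from inside an organization using its own web or proxy logs, which record the User-Agent string of every client. The following is an added example of mine, not BitSight’s platform or code: it parses Combined Log Format lines, maps the Windows NT kernel version and the browser major version, and flags hosts below a baseline. The log lines are constructed, and the baseline (Windows 10 as current, XP and Vista as unsupported, Chrome 58 / Firefox 52 / IE 11 / Safari 10 as minimum versions, macOS 10.12 as current) is my assumption for May 2017, not a figure from the study.

```python
"""Added example: fleet OS/browser hygiene check from web-server logs.
Baselines below are assumptions for May 2017; adjust to your own policy."""
import re
from collections import Counter

# Constructed sample: Combined Log Format lines; hosts and paths are fictitious.
SAMPLE_LOG = """\
10.0.0.11 - - [10/May/2017:09:12:01 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0"
10.0.0.12 - - [10/May/2017:09:12:07 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.13 - - [10/May/2017:09:13:44 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
10.0.0.14 - - [10/May/2017:09:14:02 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
10.0.0.15 - - [10/May/2017:09:15:30 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
10.0.0.16 - - [10/May/2017:09:16:11 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"\s*$'
)

# Assumed baseline (not from the BitSight study).
WINDOWS_NAMES = {"5.1": "Windows XP", "5.2": "Windows XP x64/Server 2003",
                 "6.0": "Windows Vista", "6.1": "Windows 7", "6.2": "Windows 8",
                 "6.3": "Windows 8.1", "10.0": "Windows 10"}
UNSUPPORTED_NT = {"5.1", "5.2", "6.0"}   # vendor support ended before May 2017
CURRENT_NT = {"10.0"}                    # anything else supported-but-old: "outdated"
MIN_BROWSER = {"Chrome": 58, "Firefox": 52, "IE": 11, "Safari": 10}


def parse_line(line):
    """Return (client_ip, user_agent) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("ua")) if m else None


def classify_os(ua):
    """Map the OS token in a User-Agent to (name, status)."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        nt = m.group(1)
        name = WINDOWS_NAMES.get(nt, "Windows NT " + nt)
        status = ("unsupported" if nt in UNSUPPORTED_NT
                  else "current" if nt in CURRENT_NT else "outdated")
        return name, status
    m = re.search(r"Mac OS X (\d+)[_.](\d+)", ua)
    if m:
        status = "current" if int(m.group(2)) >= 12 else "outdated"
        return "macOS %s.%s" % m.groups(), status
    return "unknown", "unknown"


def classify_browser(ua):
    """Map the browser token to (name, major_version, status).
    Order matters: Chrome UAs also say 'Safari', and IE 11 only reveals
    itself as 'Trident/7.0; rv:11.0'."""
    patterns = (("IE", r"MSIE (\d+)"), ("IE", r"Trident/.*rv:(\d+)"),
                ("Firefox", r"Firefox/(\d+)"), ("Chrome", r"Chrome/(\d+)"),
                ("Safari", r"Version/(\d+)[\d.]* Safari/"))
    for name, pattern in patterns:
        m = re.search(pattern, ua)
        if m:
            major = int(m.group(1))
            return name, major, ("current" if major >= MIN_BROWSER[name] else "outdated")
    return "unknown", 0, "unknown"


def summarize(log_text):
    """Per-host classification plus fleet counts and the list of hosts to chase."""
    per_host = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ua = parsed
        os_name, os_status = classify_os(ua)
        browser, major, br_status = classify_browser(ua)
        per_host[ip] = {"os": os_name, "os_status": os_status,
                        "browser": "%s %d" % (browser, major), "browser_status": br_status}
    flagged = sorted(ip for ip, h in per_host.items()
                     if h["os_status"] in ("unsupported", "outdated")
                     or h["browser_status"] == "outdated")
    return {"hosts": per_host,
            "os": dict(Counter(h["os_status"] for h in per_host.values())),
            "browser": dict(Counter(h["browser_status"] for h in per_host.values())),
            "flagged": flagged}


if __name__ == "__main__":
    for ip in summarize(SAMPLE_LOG)["flagged"]:
        print("follow up:", ip, summarize(SAMPLE_LOG)["hosts"][ip])
```

This has the same limitation as any external measurement, including BitSight’s: a User-Agent string is self-reported and easily spoofed, and one IP may front many machines behind NAT. Treat the output as a lead list to reconcile against endpoint inventory, not as the inventory itself.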

The analysis did not confirm whether the data breaches occurred as a direct result of running outdated browsers and operating systems. The outdated software was only an indicator in the risk profile of those companies.

BitSight research scientist Dan Dahlberg said it is common knowledge that using outdated software and operating systems increases risk, but the big surprise from the study was the number of companies that were taking such big risks. For instance, prior to the WannaCry attacks, 20% of computers analyzed during the study were still running Windows XP.

The healthcare industry fared better than other industry sectors with 85% of organizations using up to date browsers and operating systems. However, 15% were taking risks by failing to update their browsers promptly and upgrade their operating systems.

Unsurprisingly, government organizations were some of the worst offenders, with more than a quarter of computers running on old operating systems and using out-of-date browsers.


North Dakota Department of Human Services Notifies 2,452 Medicaid Recipients of PHI Exposure

The North Dakota Department of Human Services (NDDHS) is alerting 2,452 Medicaid recipients that some of their protected health information has been exposed when documents were improperly disposed of in a Bismarck dumpster.

The HIPAA breach was discovered on May 19, 2017 when a member of the public saw documents containing sensitive information in a dumpster. The citizen contacted NDDHS about the discovery and an investigation was immediately launched. NDDHS arranged to collect the documents the same day.

The documents were Medicaid worksheets dated 2015. The worksheets did not contain Social Security numbers, financial information or Medicaid recipients’ addresses; however, detailed on the sheets were Medicaid recipients’ first and last names, the first two characters of their Medicaid provider name, Medicaid provider numbers, Medicaid ID numbers, a two-digit code representing the county of residence, an internal NDDHS ID number, dates of service, amounts covered by insurance, amounts billed and allowed, diagnosis codes, coding modifiers and quantity and tooth and surface detail relating to dental work. The information exposed varied for each patient.

The internal investigation into the privacy breach revealed that one individual was responsible for dumping the documents and that there was no malicious intent. The records were dumped on May 8, 2017 and sat in the dumpster until the member of the public reported them.

Since there is a possibility that the documents have been viewed by others, individuals affected by the incident have been offered complimentary credit monitoring and identity theft protection services. However, the potential for re-disclosure of information is believed to be low as all documents have now been recovered and secured. NDDHS said in its press release that no evidence has been uncovered to suggest any information in the documents has been used improperly or further disclosed and that “appropriate disciplinary action has been taken.”

Training had already been provided to staff members on information security and HIPAA Rules. NDDHS is now working with its staff to prevent future incidents of this nature from occurring. The incident has also prompted NDDHS to conduct a review of its policies and procedures for safeguarding the protected health information of Medicaid recipients.


MDLive Privacy Lawsuit Voluntarily Dismissed

The MDLive privacy lawsuit filed by law firm Edelson PC on behalf of plaintiff Joan Richards over alleged privacy violations has been voluntarily dropped without any settlement paid.

The lawsuit was filed after it was alleged that MDLive repeatedly took screenshots of its app and passed them to the third-party Israeli firm Test Fairy, which had been contracted to perform quality control checks and debugging services. The plaintiff alleged that sending the screenshots, which contained sensitive information entered by users of MDLive, was a violation of patient privacy.

Following the filing of the lawsuit on April 18, 2017, MDLive published a fact sheet explaining its relationship with the Israeli firm, stating the allegations were false, that there had not been a data breach and no HIPAA Rules had been violated.

MDLive also said in the fact sheet that no data had been shared with unauthorized third parties. Some data had been disclosed to authorized third parties, although those firms were bound by contractual obligations and had agreed only to use data for the specific purposes for which the information was disclosed.

MDLive pointed out that the use of the Test Fairy tool was consistent with its disclosed privacy policy and said Test Fairy did not have access to patient data from patient-physician consultations. MDLive also said all members are advised in its privacy policy that personal information may be disclosed to its contracted third parties to support its business.

A recent press release issued by MDLive has confirmed the lawsuit has been dismissed “in response to arguments by MDLive that the suit lacked any legal or factual basis.” MDLive filed a motion to dismiss the lawsuit and the plaintiff responded with a notice of non-opposition, but requested additional time to file an amended complaint. However, as the deadline for filing the complaint approached, the plaintiff made the decision to dismiss the entire lawsuit.

In the press release, MDLive said all claims in the lawsuit have been voluntarily dismissed without prejudice by the plaintiff. There was no payment of any settlement or other consideration by MDLive or its management in connection with the lawsuit.

MDLive CEO Scott Decker said, “Privacy and patient confidentiality are at the heart of everything we do, and MDLIVE will continue to rigorously review and evolve our technology and processes to safeguard member information and build trust in the telehealth industry.” Decker welcomed the dismissal of the lawsuit, saying, “We are thrilled this lawsuit was appropriately dismissed as we continue pursuing MDLIVE’s goal of enabling 24/7/365 access to affordable virtual healthcare for consumers, employers, health plans and health systems across the US.”
