Healthcare Data Privacy

Protenus Publishes Healthcare Data Breach Report for March 2017

Posted by HIPAA Journal

Protenus has released its Breach Barometer report for March 2017, which shows a significant increase in healthcare data breaches and a major jump in the number of individuals who have had their sensitive data exposed or stolen.

In both January and February there were 31 reported healthcare data breaches, although March saw the figure jump to 39 incidents.  February saw relatively few individuals affected by healthcare data breaches. 206,151 patients and health plan members had some of their protected health information exposed last month. However, in March the figure jumped to 1,519,521 – more than 2.5 times the number of individuals impacted by healthcare data breaches in January and February combined. Almost half of those individuals had their ePHI exposed in the same incident – a 697,800-record theft incident reported by Commonwealth Health Corporation.

The Protenus report shows insiders were the biggest cause of the healthcare data breaches reported in March, accounting for 44% of the total. There were 10 insider incidents reported in March that involved insider error and seven were the result of insider wrongdoing.

Hacking incidents made up 28% of the total and resulted in the theft or exposure of 600,270 records. 21% of incidents involved the loss or theft of physical records and devices containing ePHI.  While loss and theft was responsible for the fewest data breaches, those incidents resulted in the exposure of the most records in March, with 737,131 individuals impacted by those incidents. The remaining 8% of breaches could not be categorized as the cause has not been disclosed.

Healthcare providers were the worst hit, registering 84.6% of the incidents. Four incidents were reported by health plans and there was one breach reported by a business associate.

Protenus reports that virtually all data breaches were reported within the 60-day window of the HIPAA Breach Notification Rule. There was a marked improvement in reporting times, taking an average of 45 days from the discovery of the breach to the submission of the breach report to the Department of Health and Human Services’ Office for Civil Rights. In February, the average time from the discovery of the breach to submitting a report to OCR was 478 days. In March, only two covered entities submitted late breach reports – one took 77 days and another took 89 days.

While California is usually the worst affected state, this month Texas gets that honor with 6 reported incidents. Tennessee, Pennsylvania, Kentucky, and Missouri each had three data breaches.

The post Protenus Publishes Healthcare Data Breach Report for March 2017 appeared first on HIPAA Journal.

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.

Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to (MCPN) personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients.

OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from being successful; however, OCR investigators uncovered multiple violations of HIPAA Rules.

Phishing attacks on healthcare organizations are to be expected and it would be unreasonable to expect healthcare organizations to be able to reduce the risk of a successful phishing attack to zero. However, HIPAA-covered entities must take steps to identify potential risks and to take action to reduce risks to an appropriate level.

One of the fundamental elements of the HIPAA Security Rule is the risk analysis. The purpose of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not conducted, HIPAA-covered entities will not be able to determine with any degree of certainty whether all risks have been identified. Appropriate measures to reduce those risks to acceptable levels would therefore be unlikely to be implemented.

While OCR confirmed that MCPN had conducted a risk analysis, it had not been performed until mid-February 2012, more than two months after the phishing attack had occurred. Further, that risk analysis and all subsequent risk analyses performed by MCPN did not meet the minimum requirements of the HIPAA Security Rule.

The lack of a risk analysis meant MCPN failed to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that the organization held. MCPN also failed to implement a risk management plan to address risks identified in the risk analysis.

OCR also determined that MCPN had failed to implement appropriate security measures to reduce risks to a reasonable and acceptable level and policies and procedures to prevent, detect, contain, and correct security violations had also not been implemented.

When deciding an appropriate settlement, OCR took into consideration MCPN’s status as a FQHC and its financial position to ensure MCPN could maintain sufficient financial standing to continue to provide ongoing patient care. The HIPAA settlement could have been considerably higher.

This is the first HIPAA settlement announced since the appointment of Roger Severino as Director of OCR. Severino issued a statement about the settlement explaining “Patients seeking health care trust that their providers will safeguard and protect their health information…Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

This is the fifth HIPAA settlement of 2017. OCR has previously agreed to settle potential violations of the Health Insurance Portability and Accountability with the following HIPAA-covered entities in 2017:

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post $400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures appeared first on HIPAA Journal.

AMIA Suggests it’s Time for a HIPAA Update

Posted by HIPAA Journal

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world.

The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology.

HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data; although many patients are confused about what data they are able to access and what their rights actually are.

The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access.

Healthcare providers often provide access to a limited range of patients’ health information via patient portals – information such as prescribed medications, allergies and lab test results; however, AMIA suggests the HIPAA Privacy Rule should be clarified so patients are aware they have the right to access all health data held by a covered entity in a designated record set or to obtain a digital copy of their legal health record. In the paper it is suggested this could be clarified in guidance from the Office for Civil Rights rather than a HIPAA legislation update.

However, an update to the legislation has been suggested to cover mHealth apps and related technologies. Currently, health data is collected, stored, and transmitted by a wide range of non-HIPAA-covered entities, yet non-covered entities are not required to provide users with access to their data.

If HIPAA is not extended to include these non-covered entities, AMIA suggests there should at least be HIPAA-like requirements for non-covered entities that would allow users of mHealth apps to gain access to their data. An alternative would be for industry stakeholders to develop codes of conduct that could be followed to ensure patients are able to access their data, if required.

Currently, non-covered entities are able to collect, use, and share ‘PHI’ in ways that may place patients’ data at risk of exposure or could result in data being shared improperly. The researchers suggest “HIPAA should be strengthened and extended, in particular to accommodate the broader set of data and stakeholders that are relevant to patient health, such as data from the use of Fitbit and Apple Watch.”

AMIA also suggests more needs to be done to make it easier not only for patients to access their data, but to pass on the information to other healthcare organizations. “EHR certification and health care system accreditation should be tied to making it easy for patients not only to obtain their data, but to obtain the data in a manner that preserves “computability” and standardization such that the data can be readily transferred to and consumed by other health IT systems with little or no need for further processing.”

AMIA also recommends federal officials and private sector stakeholders develop a process for vetting mHealth applications to ensure they have a minimum level of privacy, security, and safety protections.

Federal agencies should also collaborate to create a policy framework for research and innovation; “a framework that includes “common rule” updates to facilitate secondary use of data for research, common Data Use and Reciprocal Support Agreements, common enforced technical functionalities and specifications based on standard APIs, and data portability from HIPAA-covered entities.”

In total,  17 policy recommendations were made. The paper was recently published in JAMIA.

The post AMIA Suggests it’s Time for a HIPAA Update appeared first on HIPAA Journal.

918,000 Patients’ Sensitive Information Exposed Online

Posted by HIPAA Journal

The data of 918,000 patients who provided their sensitive information to HealthNow Networks, a Boca Raton, FL-based telemarketing organization that used to provide medical supplies to seniors, has been exposed online for many months.

The data were discovered by an individual with the Twitter handle Flash Gordon after he conducted a search for unprotected data on the search engine Shodan. The data had been stored in an unprotected root folder on an Amazon Web Service installation owned by a software developer who had previously worked on a database for HealthNow Networks. The project was abandoned long ago although the data provided to the developer were not secured and could be accessed online.

The database contained a range of highly sensitive data including individuals’ names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information and medical conditions. The data had been collected by the telemarketing firm and individuals had been offered discounted medical equipment in exchange for providing the firm with their data.

The data breach was investigated by ZDNet and Databreaches.net, who contacted AWS to report the exposure of sensitive data. Amazon made contact with the software developer who removed the data. ZDNet/Databreaches.net also managed to contact the owner of HealthNow Networks – which is no longer in business – and the software developer, both of whom confirmed the database has now been deleted.

While the data are no longer accessible online, the investigation revealed that many of the individuals whose data were exposed had their email addresses listed on the Have I Been Pwned website, suggesting the database may already have been accessed and downloaded and used for spamming and fraud. However, the logs detailing who accessed the data were not provided to ZDNet/Databreaches.net.

The data breach has now been reported to the FTC, FBI and other law enforcement agencies.  The report of the breach and investigation can be viewed on Databreaches.net and ZDNet.

Affected Individuals May Not be Notified

The database contained a number of data elements that are included in the HIPAA description of protected health information (PHI).

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires HIPAA covered entities to notify patients of any breach of their protected health information (PHI). However, HIPAA only applies to HIPAA-covered entities and their business associates. Individuals whose information has been exposed will not necessarily be notified of the breach of their information as telemarketing firms are not HIPAA-covered entities.

Non-HIPAA-covered entities are required to issue breach notifications, although only under state laws. Many states have now introduced data breach notification laws to protect residents in the event of a breach of their sensitive data by non-HIPAA-covered entities, although gaps exist.

Only 47 states have introduced data breach notification laws, and the definitions of ‘personal information’ that warrant notifications to be issued differ state by state. Residents in Alabama, New Mexico, and South Dakota have yet to introduce breach notification laws so residents may not be notified of data breaches.

Whether individuals affected by a data breach will be notified depends on which company has experienced a data breach and where affected individuals live in the United States. Even if health data is exposed or stolen, breach notifications may not be issued.

The post 918,000 Patients’ Sensitive Information Exposed Online appeared first on HIPAA Journal.

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches

Posted by HIPAA Journal

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches.

The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records.

33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches.

The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS cost reports. Unlinked hospitals included those run by the Department of Veteran Affairs and military hospitals and long term care hospitals.

The study revealed that larger hospitals were statistically more likely to experience a data breach. More than one third of hospitals (37%) that had experienced a data breach are classed as major teaching hospitals.

Linked hospitals had a median of 262 beds, while an analysis of 2852 acute care hospitals that had not reported a data breach had a median of 134 beds. 265 (9%) of those unbreached hospitals were major teaching hospitals.

The researchers found that both the size of hospitals and their teaching status were positively associated with the risk of experiencing data breaches.

The researchers used multivariable and regression analyses to compare the 141 linked acute care hospitals with other hospitals to determine why they faced a higher risk of experiencing data breaches.

The researchers suggest the reason why larger hospitals and teaching hospitals experience more data breaches is due to having broader access to sensitive patient data. The more individuals who require access to data, the greater the risk of data breaches occurring. The report suggests “There is a fundamental trade-off between data security and data access.” When data are made available to a greater number of individuals for research and education purposes it makes “zero breach” an extremely challenging objective.

While investment in information technology such as EHRs has certainly made hospitals more efficient and has improved the provision of care to patients, it has also made security and privacy breaches more likely.

While many hospitals have invested heavily in cybersecurity defenses to reduce the risk of data breaches, the breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights clearly show that healthcare data breaches are increasing in frequency.

The fast-evolving threat landscape requires hospitals to invest in cybersecurity defenses to mitigate data breach risk and hospitals must continuously evaluate data security risks and apply best data security practices to prevent breaches from occurring; however, it is difficult for hospitals to determine which technologies and best practices are the most effective at preventing data breaches.

Lead author of the study, Ge Bai, an assistant professor at John Hopkins Business School said, “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”

The post Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches appeared first on HIPAA Journal.

Dr. Donald Rucker Named New National Coordinator for Health IT

Posted by HIPAA Journal

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology.

Nether the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as National Coordinator.

Donald Rucker will replace acting National Coordinator, Jon White, M.D., who took over the position following the resignation of Dr. Vindell Washington in January 2016. White is expected to return to his former position as deputy national coordinator.

Prior to joining the ONC, Donald Rucker was an adjunct professor at the Department of Biomedical Informatics at Ohio State University’s College of Medicine. Prior to that appointment, Rucker was Chief Medical Officer at Premise Health for a year and CMO at Siemens Healthcare USA for 13 years.

While at Siemens Healthcare USA, Rucker led the team that designed the computerized physician order entry workflow that won the 2003 HIMSS Nicholas Davies Award for the best hospital computer system in the United States.

Donald Rucker has previously served as Clinical Assistant Professor of Emergency Medicine at the University of Pennsylvania Health System and as an Emergency Department Physician at Beth Deaconess Medical Center in Boston. Rucker has also practiced emergency medicine at Kaiser Permanente in California and at University of Pennsylvania’s Penn Presbyterian and Pennsylvania Hospitals. Rucker also worked at Datamedic in 1988 where he co-developed the first Windows-based electronic medical record system.

Donald Rucker graduated in Chemistry at Harvard University and medicine at the University of Pennsylvania School of Medicine, and also holds an MBA and a Masters in Medical Computer Science from Stanford University

This will be Dr. Rucker’s first government position.

The post Dr. Donald Rucker Named New National Coordinator for Health IT appeared first on HIPAA Journal.

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks

Posted by HIPAA Journal

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained.

Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password.

The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data

The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud.

Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name TheDarkOverlord conducted a number of attacks on healthcare organizations. The protected health information of patients was stolen and organizations were threatened with the publication of data if a sizable ransom payment was not made. In some cases, patient data were published online when payment was not received.

There are reasons why IT departments require FTP servers to accept anonymous requests; however, if that is the case, those servers should not be used to store any protected health information of patients. If PHI must be stored on the servers, they cannot be configured to run in anonymous mode.

In anonymous mode, any information stored on the server can potentially be accessed by the public. Hacking skills would not be required. Default usernames are freely available on the Internet.

Even if PHI is not stored on the servers, healthcare organizations may still be at risk. Any sensitive data could be accessed and used against the organization, ransomware could be installed or the servers could be used by hackers and other cybercriminals to store illegal content or malicious tools.

In the alert, the FBI said “In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft or financial fraud.”

Large healthcare organizations may already have ensured their servers are not configured to allow anonymous access or that all sensitive information has been removed from those servers; however, that may not be the case for smaller healthcare organizations. Smaller medical and dental organizations are more likely to be placing patient data and other sensitive information at risk.

The FBI suggests all healthcare organizations should instruct their IT departments to check the configuration of their FTP servers to ensure they are not running in anonymous mode and to take immediate action to secure those servers and reduce risk if they are.

The post FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks appeared first on HIPAA Journal.

Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County

Posted by HIPAA Journal

A spreadsheet containing the protected health information of more than 1,200 patients has been accidentally sent to two media outlets by a worker at Mecklenburg County, NC.

The spreadsheet was emailed to the media outlets in response to a freedom of information request. That request was made following the discovery that 185 female patients had not been notified of abnormal Pap smear results. The spreadsheet had been created for state officials who were conducting an audit.

County officials discovered the HIPAA breach on Monday and immediately launched an investigation to determine how such an error could have been made. County officials are furious about the privacy breach. Commissioner Vilma Leake said she wanted “to fire everybody on the health department.” County Manager Dena Diorio said “I am absolutely speechless with anger about how something like this could happen.”

This is the second HIPAA breach in a month to be discovered by Meklenburg County. WSOCTV said it had previously been sent information that contained the name of an individual that should not have been released. A request was received to return that information.

The latest mistake was allegedly made while a county worker was attempting to resolve the first privacy violation. County Commissioner Jim Puckett told WSOCTV Channel 9 “We had a relatively small problem that has escalated into a large one.”

The latest incident has prompted the County to implement new policies and procedures to prevent HIPAA breaches of this nature from occurring in the future.

Those policies will include prohibiting the inclusion of any protected health information in spreadsheets. ‘Gap measures’ have also been put in place to reduce the potential for a repeat HIPAA breach. Those measures include signing off any information coming out of the health department by two employees. A long-term solution is also being developed to ensure that public information requests are processed correctly without violating individuals’ privacy.

The Department of Health and Human Services’ Office for Civil Rights and affected patients will be notified of the privacy breach in the next 60 in accordance with HIPAA Rules.

Healthcare organizations should have policies in place to ensure responses to information requests are checked by multiple members of staff before they are released outside an organization.

All workers can make mistakes, but policies should be in place to prevent an error by a single employee resulting in a HIPAA violation and potentially, a significant HIPAA violation penalty. This incident shows how easy it is for a HIPAA breach to occur if adequate checks are not conducted.

The post Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County appeared first on HIPAA Journal.

Former Employee Accused of Stealing PHI of up to 160,000 Med Center Health Patients

Posted by HIPAA Journal

The Kentucky-based 6-hospital health system Med Center Health has reported a data breach affecting approximately 160,000 patients. Med Center Health believes a former employee may have stolen patients’ protected health information (PHI) prior to leaving employment.

The former employee has been accused of stealing PHI including names, addresses, health insurance information, Social Security numbers, procedure codes and billing information. Medical records were not compromised at any point.

The FBI has been notified and is also investigating along with other federal agencies. Med Center health is in the process of notifying patients of the breach, although the process is expected to take a couple of weeks due to the number of individuals that have been impacted.

While the breach has only recently been announced, the data theft incidents date back to 2014 and 2015. The former employee is understood to have taken an encrypted CD and encrypted portable storage device in August 2014 and February 2015. There was no legitimate work reason for ePHI to have been taken, although on both occasions the former employee claimed the data were needed for word-related duties.

The Bowling Green Daily News suggests Med Center Health discovered the breach several months ago, although notifications were delayed. A spokesperson for Med Center Health told Bowling Green Daily News “Med Center Health informed patients as expeditiously as possible. It is important to understand that the information leading Med Center Health to report the incident pursuant to HIPAA developed over time during an intensive internal investigation.”

Patients affected by the breach had received medical services at one of six Med Center Health facilities between 2011 and 2014: Cal Turner Rehab and Specialty Care, Medical Center EMS, the Commonwealth Regional Specialty Hospital, the Medical Center at Bowling Green, the Medical Center at Franklin and the Medical Center at Scottsville.

Patients impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services without charge. Med Center Health has not uncovered any evidence to suggest that any of the stolen information was used to commit fraud, although the possibility cannot be ruled out.

The post Former Employee Accused of Stealing PHI of up to 160,000 Med Center Health Patients appeared first on HIPAA Journal.