Healthcare Data Privacy

OIG Issues Warning About HHS Agency Phone Scams

This year has seen numerous email scams aimed at obtaining the tax information of employees, but phone scams have also spiked in recent weeks. One of the latest phone scams saw the Department of Health and Human Services’ Office of Inspector General (OIG) impersonated, prompting the HHS watchdog to issue a warning.

The scammers placed calls pretending to be from the OIG, claiming individuals were eligible to receive a government grant. While this would likely appear suspect, the caller ID displayed the number 1-800-447-8477 (1-800-HHS-TIPS). If the number was checked, it would appear the call was genuine: the number is the OIG hotline number for reporting potential incidents of fraud.

The scammers tell individuals they are eligible to receive government grant money as a result of paying their taxes on time. However, in order to qualify for the grant, it is first necessary to confirm an individual’s identity. The attackers ask the individual to confirm their name and Social Security number or bank account number and other personal information.

Individuals are also told they need to pay a fee to cover processing costs for issuing the grant. The scammers pocket the payments and use the data collected during the phone calls for a range of nefarious purposes, including gaining access to bank accounts to make fraudulent transfers.

One woman was asked to make a transfer of $250 to cover fees related to a grant of $9,000. The fees had to be wired via Western Union, or alternatively she could provide a confirmation code for an iTunes Gift Card for $250. In that case, suspicions were aroused and the woman ended the call. However, OIG says, not without first confirming her identity and providing information that could potentially allow her bank account to be accessed.

OIG says the criminals have already placed thousands of calls, which in some cases has resulted in individuals sending money to the scammers.

This scam came to light in February when OIG first started receiving calls questioning the validity of the offer. Since the OIG hotline number appeared to have been used, an investigation was launched to determine whether any OIG systems had been breached. The investigation confirmed that the phone number had been spoofed.

OIG is continuing to investigate the scams and is working with Verizon Communications to prevent its hotline number from being spoofed again. OIG says two individuals are being investigated in relation to the scam and one criminal case is proceeding.

While this scam used the OIG number, other scams have impersonated other HHS agencies and spoofed their official numbers. The callers claim to work for the Federal Grants Department or some variation along that theme. OIG says cybercriminals are able to spoof any legitimate number.

OIG notes that the hotline number is never used to make outgoing calls and that the federal government will never make unsolicited phone calls.

OIG says no one should give out or confirm their date of birth, Social Security number, credit or bank account information, mother’s maiden name or other sensitive information to unknown individuals over the telephone, even if callers sound authoritative.

The post OIG Issues Warning About HHS Agency Phone Scams appeared first on HIPAA Journal.

21 Employees Found to Have Accessed PHI Without Authorization

A routine audit at Virginia Mason Memorial has revealed that employees have been accessing the protected health information of patients without authorization.

Audits of PHI access logs occasionally reveal rogue employees have been improperly accessing the medical records of patients, but what makes this incident stand out is the number of employees that were discovered to have improperly viewed PHI. The audit revealed 21 employees had deliberately accessed PHI without authorization.

Virginia Mason Memorial conducted the audit in January and immediately terminated access to PHI to prevent further privacy breaches. The investigation revealed those 21 employees had accessed the PHI of 419 patients. All of the patients had visited the hospital’s emergency room.

The investigation was conducted internally, although the hospital also brought in a third-party cybersecurity firm to conduct a forensic analysis of its systems. That firm has also been searching the darknet to find out if any of the accessed records have made it onto darknet marketplaces. To date, no patient information appears to have been listed for sale.

A spokesperson for the hospital issued a statement saying, “We believe this to be a case of snooping, or individuals who were bored.” The hospital does not believe the records were accessed with malicious intent. As a precaution, all affected patients have been offered credit monitoring services without charge.

The employees concerned have been interviewed and disciplined, although for legal reasons, the hospital has not disclosed whether those employees have been terminated for their actions.

The types of information accessed includes demographic information and patients’ medical records. In some instances, it is possible that Social Security numbers were viewed, although financial information was not accessed by any of the employees.

Patients impacted by the breach were notified of the privacy violation last week by mail, according to a report in the Yakima Herald. While it is not clear exactly when in January the privacy violations were discovered, patient breach notifications appear to have been sent outside the 60-day breach notification window of the HIPAA Breach Notification Rule.

In response to the breach, Virginia Mason Memorial has re-educated employees on HIPAA and hospital rules concerning patient privacy and the hospital will now be monitoring access logs more proactively, with “audits going around the clock”.

The incident shows how important it is for healthcare organizations to conduct regular audits of PHI access logs to identify privacy issues before they become a major problem, and the importance of not only providing training on HIPAA Rules and patient privacy, but also regularly reminding employees of the requirements of HIPAA and the penalties for improper PHI access.
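The kind of access-log audit described above, written out as an added example (it is not code from the article or from Virginia Mason Memorial). The log format, the roster of who had a documented reason to open each chart, and the review threshold are all constructed assumptions; a real audit would draw the roster from encounter, scheduling and claims data.

```python
"""Audit EHR access logs for PHI views without a treatment relationship.

Added example (not from the HIPAA Journal article): the log format, the
authorization roster and the threshold are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: audit-log lines in the form
# timestamp,user_id,role,patient_id,action
ACCESS_LOG = """\
2017-01-09T08:02:11,u101,RN,p5001,view_chart
2017-01-09T08:05:40,u101,RN,p5002,view_chart
2017-01-09T08:07:03,u204,registrar,p5001,update_demographics
2017-01-09T12:31:55,u330,billing,p5001,view_chart
2017-01-09T12:32:10,u330,billing,p5002,view_chart
2017-01-09T12:32:31,u330,billing,p5003,view_chart
2017-01-09T12:33:02,u330,billing,p5004,view_chart
2017-01-09T21:14:09,u101,RN,p5003,view_chart
2017-01-10T03:45:20,u452,RN,p5004,view_chart
"""

# Constructed sample: users with a documented reason to touch each record
# (care team member, registration, or an open billing claim).
AUTHORIZED = {
    "p5001": {"u101", "u204", "u330"},
    "p5002": {"u101"},
    "p5003": {"u452"},
    "p5004": {"u452"},
}


def parse_log(text):
    """Turn the CSV-style log into a list of access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return records


def find_unauthorized(records, authorized):
    """Accesses where the user is not on the patient's authorized list."""
    return [r for r in records
            if r["user"] not in authorized.get(r["patient"], set())]


def summarize_by_user(hits):
    """Distinct patients improperly viewed, per user."""
    patients = defaultdict(set)
    for r in hits:
        patients[r["user"]].add(r["patient"])
    return {u: len(p) for u, p in patients.items()}


def flag_snooping(summary, threshold=2):
    """Users whose unauthorized distinct-patient count reaches the threshold.

    A single stray access is often a wrong-chart mistake; a run of them
    across unrelated patients is the snooping pattern worth a review.
    """
    return sorted(u for u, n in summary.items() if n >= threshold)


def run_audit(text=ACCESS_LOG, authorized=AUTHORIZED, threshold=2):
    """Run the whole audit and return hits, per-user counts and flagged users."""
    hits = find_unauthorized(parse_log(text), authorized)
    summary = summarize_by_user(hits)
    return {"hits": hits, "by_user": summary,
            "flagged": flag_snooping(summary, threshold)}


if __name__ == "__main__":
    result = run_audit()
    for r in result["hits"]:
        print(f"{r['ts'].isoformat()} {r['user']} ({r['role']}) "
              f"-> {r['patient']} {r['action']}")
    print("distinct unauthorized patients per user:", result["by_user"])
    print("flagged for review:", result["flagged"])
```

On the constructed sample, the billing user u330 opens three emergency-room charts with no claim attached within two minutes and is flagged; the nurse u101 has one off-list access, which a reviewer would check but not treat as a pattern. Running this on a schedule, rather than once a year, is the "audits going around the clock" approach the hospital moved to.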

Protenus Publishes Healthcare Data Breach Report for March 2017

Protenus has released its Breach Barometer report for March 2017, which shows a significant increase in healthcare data breaches and a major jump in the number of individuals who have had their sensitive data exposed or stolen.

In both January and February there were 31 reported healthcare data breaches, although March saw the figure jump to 39 incidents. February saw relatively few individuals affected by healthcare data breaches: 206,151 patients and health plan members had some of their protected health information exposed last month. However, in March the figure jumped to 1,519,521 – more than 2.5 times the number of individuals impacted by healthcare data breaches in January and February combined. Almost half of those individuals had their ePHI exposed in the same incident – a 697,800-record theft incident reported by Commonwealth Health Corporation.

The Protenus report shows insiders were the biggest cause of the healthcare data breaches reported in March, accounting for 44% of the total. There were 10 insider incidents reported in March that involved insider error and seven were the result of insider wrongdoing.

Hacking incidents made up 28% of the total and resulted in the theft or exposure of 600,270 records. 21% of incidents involved the loss or theft of physical records and devices containing ePHI. While loss and theft was responsible for the fewest data breaches, those incidents resulted in the exposure of the most records in March, with 737,131 individuals impacted by those incidents. The remaining 8% of breaches could not be categorized as the cause has not been disclosed.

Healthcare providers were the worst hit, registering 84.6% of the incidents. Four incidents were reported by health plans and there was one breach reported by a business associate.

Protenus reports that virtually all data breaches were reported within the 60-day window of the HIPAA Breach Notification Rule. There was a marked improvement in reporting times, taking an average of 45 days from the discovery of the breach to the submission of the breach report to the Department of Health and Human Services’ Office for Civil Rights. In February, the average time from the discovery of the breach to submitting a report to OCR was 478 days. In March, only two covered entities submitted late breach reports – one took 77 days and another took 89 days.

While California is usually the worst affected state, this month Texas gets that honor with 6 reported incidents. Tennessee, Pennsylvania, Kentucky, and Missouri each had three data breaches.

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.

Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to MCPN personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients.

OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from being successful; however, OCR investigators uncovered multiple violations of HIPAA Rules.

Phishing attacks on healthcare organizations are to be expected and it would be unreasonable to expect healthcare organizations to be able to reduce the risk of a successful phishing attack to zero. However, HIPAA-covered entities must take steps to identify potential risks and to take action to reduce risks to an appropriate level.

One of the fundamental elements of the HIPAA Security Rule is the risk analysis. The purpose of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not conducted, HIPAA-covered entities will not be able to determine with any degree of certainty whether all risks have been identified. Appropriate measures to reduce those risks to acceptable levels would therefore be unlikely to be implemented.

While OCR confirmed that MCPN had conducted a risk analysis, it had not been performed until mid-February 2012, more than two months after the phishing attack had occurred. Further, that risk analysis and all subsequent risk analyses performed by MCPN did not meet the minimum requirements of the HIPAA Security Rule.

The lack of a risk analysis meant MCPN failed to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that the organization held. MCPN also failed to implement a risk management plan to address risks identified in the risk analysis.

OCR also determined that MCPN had failed to implement appropriate security measures to reduce risks to a reasonable and acceptable level and policies and procedures to prevent, detect, contain, and correct security violations had also not been implemented.

When deciding an appropriate settlement, OCR took into consideration MCPN’s status as a FQHC and its financial position to ensure MCPN could maintain sufficient financial standing to continue to provide ongoing patient care. The HIPAA settlement could have been considerably higher.

This is the first HIPAA settlement announced since the appointment of Roger Severino as Director of OCR. Severino issued a statement about the settlement explaining “Patients seeking health care trust that their providers will safeguard and protect their health information…Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

This is the fifth HIPAA settlement of 2017. OCR has previously agreed to settle potential violations of the Health Insurance Portability and Accountability Act with the following HIPAA-covered entities in 2017:

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000

AMIA Suggests it’s Time for a HIPAA Update

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world.

The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology.

HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data; although many patients are confused about what data they are able to access and what their rights actually are.

The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access.

Healthcare providers often provide access to a limited range of patients’ health information via patient portals – information such as prescribed medications, allergies and lab test results; however, AMIA suggests the HIPAA Privacy Rule should be clarified so patients are aware they have the right to access all health data held by a covered entity in a designated record set or to obtain a digital copy of their legal health record. In the paper it is suggested this could be clarified in guidance from the Office for Civil Rights rather than a HIPAA legislation update.

However, an update to the legislation has been suggested to cover mHealth apps and related technologies. Currently, health data is collected, stored, and transmitted by a wide range of non-HIPAA-covered entities, yet non-covered entities are not required to provide users with access to their data.

If HIPAA is not extended to include these non-covered entities, AMIA suggests there should at least be HIPAA-like requirements for non-covered entities that would allow users of mHealth apps to gain access to their data. An alternative would be for industry stakeholders to develop codes of conduct that could be followed to ensure patients are able to access their data, if required.

Currently, non-covered entities are able to collect, use, and share ‘PHI’ in ways that may place patients’ data at risk of exposure or could result in data being shared improperly. The researchers suggest “HIPAA should be strengthened and extended, in particular to accommodate the broader set of data and stakeholders that are relevant to patient health, such as data from the use of Fitbit and Apple Watch.”

AMIA also suggests more needs to be done to make it easier not only for patients to access their data, but to pass on the information to other healthcare organizations. “EHR certification and health care system accreditation should be tied to making it easy for patients not only to obtain their data, but to obtain the data in a manner that preserves “computability” and standardization such that the data can be readily transferred to and consumed by other health IT systems with little or no need for further processing.”

AMIA also recommends federal officials and private sector stakeholders develop a process for vetting mHealth applications to ensure they have a minimum level of privacy, security, and safety protections.

Federal agencies should also collaborate to create a policy framework for research and innovation; “a framework that includes “common rule” updates to facilitate secondary use of data for research, common Data Use and Reciprocal Support Agreements, common enforced technical functionalities and specifications based on standard APIs, and data portability from HIPAA-covered entities.”

In total, 17 policy recommendations were made. The paper was recently published in JAMIA.

918,000 Patients’ Sensitive Information Exposed Online

The data of 918,000 patients who provided their sensitive information to HealthNow Networks, a Boca Raton, FL-based telemarketing organization that used to provide medical supplies to seniors, has been exposed online for many months.

The data were discovered by an individual with the Twitter handle Flash Gordon after he conducted a search for unprotected data on the search engine Shodan. The data had been stored in an unprotected root folder on an Amazon Web Services installation owned by a software developer who had previously worked on a database for HealthNow Networks. The project was abandoned long ago, although the data provided to the developer were never secured and could be accessed online.

The database contained a range of highly sensitive data including individuals’ names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information and medical conditions. The data had been collected by the telemarketing firm and individuals had been offered discounted medical equipment in exchange for providing the firm with their data.

The data breach was investigated by ZDNet and Databreaches.net, who contacted AWS to report the exposure of sensitive data. Amazon made contact with the software developer who removed the data. ZDNet/Databreaches.net also managed to contact the owner of HealthNow Networks – which is no longer in business – and the software developer, both of whom confirmed the database has now been deleted.

While the data are no longer accessible online, the investigation revealed that many of the individuals whose data were exposed had their email addresses listed on the Have I Been Pwned website, suggesting the database may already have been accessed and downloaded and used for spamming and fraud. However, the logs detailing who accessed the data were not provided to ZDNet/Databreaches.net.

The data breach has now been reported to the FTC, FBI and other law enforcement agencies. The report of the breach and investigation can be viewed on Databreaches.net and ZDNet.

Affected Individuals May Not be Notified

The database contained a number of data elements that are included in the HIPAA description of protected health information (PHI).

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires HIPAA covered entities to notify patients of any breach of their protected health information (PHI). However, HIPAA only applies to HIPAA-covered entities and their business associates. Individuals whose information has been exposed will not necessarily be notified of the breach of their information as telemarketing firms are not HIPAA-covered entities.

Non-HIPAA-covered entities are required to issue breach notifications, although only under state laws. Many states have now introduced data breach notification laws to protect residents in the event of a breach of their sensitive data by non-HIPAA-covered entities, although gaps exist.

Only 47 states have introduced data breach notification laws, and the definitions of ‘personal information’ that warrant notifications to be issued differ state by state. Alabama, New Mexico, and South Dakota have yet to introduce breach notification laws, so residents of those states may not be notified of data breaches.

Whether individuals affected by a data breach will be notified depends on which company has experienced a data breach and where affected individuals live in the United States. Even if health data is exposed or stolen, breach notifications may not be issued.

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches.

The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records.

33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches.

The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS cost reports. Unlinked hospitals included those run by the Department of Veterans Affairs, military hospitals and long-term care hospitals.

The study revealed that larger hospitals were statistically more likely to experience a data breach. More than one third of hospitals (37%) that had experienced a data breach are classed as major teaching hospitals.

Linked hospitals had a median of 262 beds, while an analysis of 2,852 acute care hospitals that had not reported a data breach had a median of 134 beds. 265 (9%) of those unbreached hospitals were major teaching hospitals.

The researchers found that both the size of hospitals and their teaching status were positively associated with the risk of experiencing data breaches.

The researchers used multivariable and regression analyses to compare the 141 linked acute care hospitals with other hospitals to determine why they faced a higher risk of experiencing data breaches.

The researchers suggest the reason why larger hospitals and teaching hospitals experience more data breaches is due to having broader access to sensitive patient data. The more individuals who require access to data, the greater the risk of data breaches occurring. The report suggests “There is a fundamental trade-off between data security and data access.” When data are made available to a greater number of individuals for research and education purposes it makes “zero breach” an extremely challenging objective.

While investment in information technology such as EHRs has certainly made hospitals more efficient and has improved the provision of care to patients, it has also made security and privacy breaches more likely.

While many hospitals have invested heavily in cybersecurity defenses to reduce the risk of data breaches, the breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights clearly show that healthcare data breaches are increasing in frequency.

The fast-evolving threat landscape requires hospitals to invest in cybersecurity defenses to mitigate data breach risk and hospitals must continuously evaluate data security risks and apply best data security practices to prevent breaches from occurring; however, it is difficult for hospitals to determine which technologies and best practices are the most effective at preventing data breaches.

Lead author of the study, Ge Bai, an assistant professor at Johns Hopkins Business School, said, “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”

Dr. Donald Rucker Named New National Coordinator for Health IT

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology.

Neither the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as National Coordinator.

Donald Rucker will replace acting National Coordinator, Jon White, M.D., who took over the position following the resignation of Dr. Vindell Washington in January 2016. White is expected to return to his former position as deputy national coordinator.

Prior to joining the ONC, Donald Rucker was an adjunct professor at the Department of Biomedical Informatics at Ohio State University’s College of Medicine. Prior to that appointment, Rucker was Chief Medical Officer at Premise Health for a year and CMO at Siemens Healthcare USA for 13 years.

While at Siemens Healthcare USA, Rucker led the team that designed the computerized physician order entry workflow that won the 2003 HIMSS Nicholas Davies Award for the best hospital computer system in the United States.

Donald Rucker has previously served as Clinical Assistant Professor of Emergency Medicine at the University of Pennsylvania Health System and as an Emergency Department Physician at Beth Deaconess Medical Center in Boston. Rucker has also practiced emergency medicine at Kaiser Permanente in California and at University of Pennsylvania’s Penn Presbyterian and Pennsylvania Hospitals. Rucker also worked at Datamedic in 1988 where he co-developed the first Windows-based electronic medical record system.

Donald Rucker graduated in Chemistry at Harvard University and in medicine at the University of Pennsylvania School of Medicine, and also holds an MBA and a Masters in Medical Computer Science from Stanford University.

This will be Dr. Rucker’s first government position.

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained.

Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password.

The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data.

The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud.

Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name TheDarkOverlord conducted a number of attacks on healthcare organizations. The protected health information of patients was stolen and organizations were threatened with the publication of data if a sizable ransom payment was not made. In some cases, patient data were published online when payment was not received.

There are reasons why IT departments require FTP servers to accept anonymous requests; however, if that is the case, those servers should not be used to store any protected health information of patients. If PHI must be stored on the servers, they cannot be configured to run in anonymous mode.

In anonymous mode, any information stored on the server can potentially be accessed by the public. Hacking skills would not be required. Default usernames are freely available on the Internet.

Even if PHI is not stored on the servers, healthcare organizations may still be at risk. Any sensitive data could be accessed and used against the organization, ransomware could be installed or the servers could be used by hackers and other cybercriminals to store illegal content or malicious tools.

In the alert, the FBI said “In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft or financial fraud.”

Large healthcare organizations may already have ensured their servers are not configured to allow anonymous access or that all sensitive information has been removed from those servers; however, that may not be the case for smaller healthcare organizations. Smaller medical and dental organizations are more likely to be placing patient data and other sensitive information at risk.

The FBI suggests all healthcare organizations should instruct their IT departments to check the configuration of their FTP servers to ensure they are not running in anonymous mode and to take immediate action to secure those servers and reduce risk if they are.
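The configuration check the FBI recommends, as an added example that is not part of the alert or the article. It assumes the server is vsftpd, whose vsftpd.conf directive anonymous_enable is documented as defaulting to YES when it is absent, which is why a silent config is treated as weak; the three sample configs are constructed. The live check at the end is for servers you operate yourself and is not exercised by the sample data.

```python
"""Check vsftpd configuration for anonymous FTP access.

Added example, not from the FBI alert or the HIPAA Journal article. Assumes
vsftpd; per vsftpd.conf(5), anonymous_enable defaults to YES when missing
and ssl_enable defaults to NO. Sample configs below are constructed.
"""
import ftplib

# Constructed sample: anonymous logins left on, writes allowed.
WEAK_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp
local_enable=YES
write_enable=YES
"""

# Constructed sample: same server with anonymous logins off and TLS on.
HARDENED_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
ssl_enable=YES
"""

# Constructed sample: directive missing, so the compiled-in default applies.
SILENT_CONF = """\
listen=YES
local_enable=YES
"""


def parse_vsftpd_conf(text):
    """Return directive -> value, skipping comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def anonymous_enabled(conf):
    """True if anonymous logins are permitted; a missing directive means YES."""
    return conf.get("anonymous_enable", "YES").upper() == "YES"


def audit_conf(text):
    """List the findings a reviewer should act on for one config file."""
    conf = parse_vsftpd_conf(text)
    findings = []
    if anonymous_enabled(conf):
        src = "explicit" if "anonymous_enable" in conf else "default"
        findings.append(
            f"anonymous logins permitted ({src}); set anonymous_enable=NO")
    if conf.get("ssl_enable", "NO").upper() != "YES":
        findings.append(
            "credentials and data travel in clear text; set ssl_enable=YES")
    return findings


def anonymous_login_accepted(host, port=21, timeout=5):
    """Live check against a server you operate: does 'anonymous' log in?

    ftplib sends the user name 'anonymous' when login() gets no credentials.
    """
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()
            return True
    except ftplib.all_errors:
        return False


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("silent", SILENT_CONF)):
        print(name, "->", audit_conf(text) or ["no findings"])
```

The parser treats an absent anonymous_enable as a finding on purpose: a config that never mentions the directive is the easiest way to end up running in anonymous mode without anyone having chosen it. Even with anonymous logins off, the alert's point stands that PHI should not sit on an FTP server reachable from the network at all.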