Healthcare Data Privacy

UNC Health Care Reports Exposure of 1300 Prenatal Patients’ PHI

Prenatal patients who visited certain obstetric clinics operated by UNC Health Care are being notified that some of their protected health information has been disclosed to local health departments by mistake.

Pregnancy Home Risk Screening Forms of Medicaid-eligible patients are sent to local health departments to ensure those individuals are connected with appropriate support services. However, UNC Health Care has discovered that in addition to Medicaid-eligible patients, forms relating to patients who were not eligible for Medicaid were also sent to local health departments. In total, around 1,300 patients have been affected.

The privacy breach affects women who had prenatal appointments at the UNC Maternal-Fetal Medicine at Rex Hospital or the Women’s Clinic at the North Carolina Women’s Hospital between April 2014 and February 2017.

Pregnancy Home Risk Screening Forms contain patients’ names and addresses, race and ethnicity, Social Security numbers, health and mental health histories, details of patients’ HIV status, any sexually transmitted diseases contracted, medical diagnoses related to the pregnancy or past pregnancies, details of drug and alcohol use and whether the patients were smokers.

Patients whose privacy has been violated were informed of the breach by mail on March 20, 2017. Patients have been advised that the health departments that have been sent the information are covered by state and federal laws put in place to protect patient privacy. Those health departments must have appropriate administrative, technical and physical safeguards in place to protect all protected health information that is received and stored.

Consequently, the risk of any sensitive information being used inappropriately is believed to be low, although as a precaution, all individuals affected by the breach have been offered fraud resolution services in case any experience identity theft or fraud as a result of the incident.

To prevent future breaches of this nature from occurring, UNC Health Care has updated its policies and procedures covering patients who complete the Pregnancy Home Risk Screening Form and all staff members have been trained on the new procedures. In future, only forms completed by Medicaid-eligible individuals will be sent to county health departments.

UNC Health Care has requested all county health departments purge any information relating to non-Medicaid-patients from their databases.

The post UNC Health Care Reports Exposure of 1300 Prenatal Patients’ PHI appeared first on HIPAA Journal.

Snapshot of Healthcare Data Breaches in February 2017

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported.

The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry.

IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous month.

Insider wrong-doing was behind eight of the 18 incidents caused by insiders and nine were the result of errors by employees. One of the incidents could not be classified due to a lack of information about the exact nature of the breach.

Preventing insider breaches can be a major challenge for healthcare organizations, as can detecting breaches when they occur. Small to mid-sized organizations often do not have the resources to continuously monitor for inappropriate accessing of healthcare records by employees. However, if continuous monitoring is not possible, covered entities must ensure that regular audits of access logs take place. Fast detection of improper access can greatly reduce the harm those incidents cause. Regular reviews of access logs will also reduce the risk of an OCR HIPAA fine or settlement.

HIPAA requires covered entities to maintain access logs and regularly check for inappropriate ePHI access, although the frequency of those checks and audits is left to the discretion of the covered entity. The frequency of audits should be dictated by the results of an organization’s risk analysis.

Last month showed that while some healthcare organizations are complying with 45 CFR § 164.308(a)(5)(ii)(C) – log-in monitoring – and 45 CFR § 164.312(b) – Audit controls – and are keeping logs, they are failing on Section 45 CFR § 164.308(a)(1)(ii)(D) by not regularly conducting information system activity reviews.

One incident reported in February involved an employee improperly accessing ePHI for more than five years (2,103 days) before the improper access was detected. HIPAA Rules may not stipulate how frequently access logs should be checked, but it would be difficult to argue that a check every five years constituted ‘regular’.

That was not the only long delay in detecting a breach. A second incident was also reported in February that took more than five years to detect (1,952 days). In that case the incident involved a system glitch that left ePHI exposed.

Overall, the breaches and security incidents reported in February took far longer to identify than those reported in January. It took an average of 478 days from the date the incident occurred to the date OCR was notified of the breach; that said, the average time was increased considerably by the two 5-year+ delays in detection. In January, the average time from the initial event to reporting was 174 days.

Breaches of electronic protected health information made up the bulk of incidents, although a third of incidents involved paper records, highlighting the importance of implementing physical controls to keep physical PHI secured.

While California usually tops the list for the number of incidents reported each month, this month Texas earned the title of the worst hit state with 4 reported breaches. California, Arizona, and New York shared second place with three incidents apiece.

Healthcare providers were the worst affected in February, accounting for 77% of the month’s incidents. Health plans reported 13% of breaches and business associates and vendors accounted for 3%. The remaining 3% were reported by other organizations.

The post Snapshot of Healthcare Data Breaches in February 2017 appeared first on HIPAA Journal.

Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule

A physician at the Dr. O Medical and Wellness Center in San Antonio, Texas allegedly retaliated against a patient by posting a video of the individual clad only in underwear on Facebook and YouTube. The doctor’s actions, which appear to be a clear violation of the HIPAA Privacy Rule, have resulted in her being sanctioned by the Texas Medical Board following a complaint by the patient.

The patient, Clara Aragon-Delk, underwent a series of cosmetic surgery procedures starting in 2015. Non-invasive laser treatments were performed by Dr. Tinuade Olusegun-Gbadehan, and while consent was provided by the patient to have photographs and videos taken, authorization was only given for ‘anonymous use for the purposes of medical audit, education, and promotion.’

The images and video contained full face shots of the patient. Rather than pixelating the patient’s face, the video was posted to Olusegun-Gbadehan’s Facebook page without any attempt to protect the patient’s privacy.

From the video, it would appear that the patient was happy with the treatment, although around a month later the patient had changed her mind. The patient replied to the Facebook post saying “OK, I’ll make my Comment! Beware! Send me a personal message, and I’ll share my experience with this crap!”

There were subsequent email exchanges between Dr. Olusegun-Gbadehan and the patient in which Aragon-Delk claims Dr. Olusegun-Gbadehan acted in an abusive and threatening manner.

Aragon-Delk claims Dr. Olusegun-Gbadehan said in one email, “I will damage your professional and you will be humiliated!” Olusegun-Gbadehan also said, others “will see your glowing testimonial and your body, enjoy your Hi-Def video. Enjoy as others will do the same.”

In the complaint filed with the Texas Medical Board, the patient claimed she suffered burns during the first procedure. She also claimed to have been overbilled. In response to the overbilling, the patient contacted a merchant processing company called Stripe regarding the disputed charges.

Two weeks ago, the Texas Medical Board ruled that Dr. Olusegun-Gbadehan had violated the patient’s privacy and acted in an unprofessional manner.

The Texas Medical Board said the posting of the video was a HIPAA violation and was unprofessional. The Board also ruled that an email containing the link to a posting of the video that was sent to the patient in an unsecured format was also a confidentiality breach and was unprofessional. Dr. Olusegun-Gbadehan also sent the video to the merchant processing company in response to the billing dispute as evidence that the patient initially appeared to be happy with the treatment, but this too was a violation of the patient’s privacy.

Dr. Olusegun-Gbadehan neither admits nor denies the allegations, but the Texas Medical Board’s order was agreed to by Dr. Olusegun-Gbadehan to avoid a contested hearing, according to the San Antonio Express News.

The order requires Dr. Olusegun-Gbadehan to retake the Texas Medical Jurisprudence Examination within the next 12 months.

While the matter would appear to have been settled, the patient has now sued Dr. Olusegun-Gbadehan for mental anguish, physical pain, and suffering. Patients are not permitted to sue physicians for HIPAA violations as there is no private cause of action. Consequently, a health care liability claim has been filed under state law, claiming the publication of the video and subsequent correspondence via email were intended to damage the patient’s personal and professional reputation.

The post Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule appeared first on HIPAA Journal.

New Mexico Data Breach Notification Bill Moves to Senate Judiciary Committee

A new data breach notification bill has been unanimously passed by the New Mexico House of Representatives bringing the legislation one step closer to being written into state law. The bill (House Bill 15) – also known as the Data Breach Notification Act – was sponsored by Republican Rep. William R. Rehm of Bernalillo. The bill will now move on to the Senate Judiciary Committee.

This is not the first time that a New Mexico data breach notification law has been sent to the Senate Judiciary Committee. Rehm previously sponsored a similar bill in 2015, yet on two occasions the Senate Judiciary Committee failed to pass the bill on to the Senate.

The new data breach notification bill covers a range of sensitive data, although medical and insurance information are not included in the definition of personal information. Entities covered by the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act will not be required to comply with the state law.

Should the legislation be passed by the Senate, all other entities doing business in the state of New Mexico will be required to comply with the breach notification legislation. In the event of a breach of personal information, breach notifications will need to be issued to affected individuals ‘in the most expedient time possible’ but no later than 30 days following the discovery of the breach. Notifications will also need to be sent to the state attorney general and major consumer reporting agencies.

In addition to security breaches that result in the exposure of personal information, the legislation covers improper disposal of sensitive information. The legislation calls for organizations to shred, erase or otherwise modify personal identifying information prior to disposal. As with HIPAA, the information must be rendered unreadable and undecipherable prior to disposal.

A breach of the Data Breach Notification Act could result in a $25,000 fine or, in the case of failed notifications, $10 per instance up to a maximum of $150,000.

The types of information included in the definition of personal information are:

An individual’s full name, or first name or initial and last name, along with any of the following data elements:

  • Social Security number
  • Driver’s license number
  • Government identification numbers
  • Bank account number or credit/debit card number along with a CVV code or other code or password that would enable access to be gained to a financial account
  • Unique biometric data

If passed, New Mexico will become the 48th state to introduce data breach notification legislation. The two remaining states that have yet to introduce data breach notification laws are Arkansas and South Dakota, both of which are currently working on new legislation to protect state residents.

The post New Mexico Data Breach Notification Bill Moves to Senate Judiciary Committee appeared first on HIPAA Journal.

68% of Healthcare Organizations Have Compromised Email Accounts

Evolve IP has published the results of a new study that has revealed the extent to which healthcare email credentials are being compromised and sold on the dark web.

Email credentials are highly valuable to cybercriminals. A compromised email account can be plundered to obtain highly sensitive data and an email account can be used to gain access to healthcare networks.

63% of data breaches in the United States occur as a result of compromised email credentials and healthcare email credentials are being sold freely on the dark web.

Evolve used its Dark Web ID analysis technology for the study and reviewed 1,000 HIPAA covered entities and business associates. Evolve discovered 68% of those organizations had employees with visibly compromised email accounts. 76% of those compromised accounts included actionable password information and that information was freely available on the dark web.

Depending on the industry segment, between 55.6% and 80.4% of organizations had compromised email accounts. Medical billing and collections organizations fared the best, with 55.6% of organizations having at least one compromised account, while regional healthcare plans were the worst affected, with 80.4% of organizations having compromised email accounts.

Evolve points out that in many cases the passwords associated with the email accounts were outdated, but explained that even outdated passwords are valuable to hackers.

Passwords are often recycled, so an old password could allow a hacker to gain access to other online accounts. Evolve also says “hackers can create a user profile and determine a person’s new password fairly accurately by using simple guessing or sophisticated automated algorithms.” Even when passwords are hashed, hackers can crack the hash, conduct brute force attacks and use lookup, reverse lookup, and rainbow tables to guess the passwords.

In the majority of cases, email accounts were compromised as a result of a data breach (55% of compromised accounts). While just 6% of compromised accounts were the result of a phishing attack, Evolve points out that equated to 450 separate email accounts that were compromised as a direct result of phishing attacks.

Preventing email compromise incidents is an essential part of any cybersecurity strategy. Evolve suggests three main methods that all healthcare organizations should embrace to reduce risk: Proactive threat intelligence, continuous security management, and rapid incident response and recovery.

By obtaining up to date threat intelligence, healthcare organizations can discover the latest vulnerabilities and threats before they are exploited by criminals. Continuous security management should involve real-time security analyses and infrastructure management, which will help healthcare organizations stay one step ahead of hackers.

Even if security best practices are adopted and the latest cybersecurity technologies are implemented, it will not be possible to prevent all security breaches. Organizations must therefore have the policies and procedures in place to ensure a quick recovery. Fast action following a security breach will limit the harm caused.

The EvolveIP Report can be found on this link.

The post 68% of Healthcare Organizations Have Compromised Email Accounts appeared first on HIPAA Journal.

Improper Disposal of PHI Discovered by Minneapolis Heart Institute

A member of a cleaning crew at the Minneapolis Heart Institute at Abbott Northwestern Hospital accidentally disposed of documents containing PHI with regular trash.

Minneapolis Heart Institute has policies and procedures in place that require all documents containing sensitive patient health information to be securely destroyed in accordance with HIPAA Rules. However, a member of the cleaning team was discovered to have emptied a trash container from a physician’s private office before documents could be securely shredded.

The incident was discovered on January 20, 2017, although not in time for the documents to be recovered and securely destroyed. The documents had been emptied into a bin bag which was placed in a regular recycling dumpster at the hospital.

It is unclear at this stage how many individuals have been impacted, although as a precaution, the Minneapolis Heart Institute is notifying all patients who were part of the physician’s service group between April 17, 2016 and January 17, 2017. Those individuals have been offered credit monitoring and identity theft protection services without charge for a period of 12 months, even though the risk of any PHI being accessed by unauthorized individuals is believed to be very low.

The documents contained PHI including names, addresses, birth dates, medical record numbers, clinical data, and health insurance information. Some health insurers use Social Security numbers as health plan identifiers; therefore, some Social Security numbers may also have been on the documents.

The incident shows that policies and procedures alone will not always prevent breaches of this nature from occurring. However, the action taken following the incident by Allina Health, which operates Abbott Northwestern Hospital, should prevent any further such incidents from occurring in the future.

Allina Health has removed all desk-side recycling bins and has replaced them with locked shredding bins. Now, all documents will be sent for shredding, irrespective of whether they contain sensitive data. An employee education program has also been conducted to advise employees of the need to shred all paperwork and Allina Health’s safeguards policy has also been reinforced, highlighting the importance of the correct disposal of documents.

The post Improper Disposal of PHI Discovered by Minneapolis Heart Institute appeared first on HIPAA Journal.

Healthcare Employee Accessed ePHI Without Authorization for 5 Years

Healthcare professionals must have access to the protected health information of patients in order to provide medical care and perform healthcare operations.

Since access to data can be abused by rogue employees, it is essential that controls are put in place to alert healthcare organizations rapidly when improper access occurs. Rapid identification of improper access can greatly reduce the harm caused.

In many cases, improper access is discovered during routine audits of access and application logs. When those audits are conducted on an annual basis, employees may be found to have been improperly accessing patient data for many months.

Last month, Chadron Community Hospital and Health Services in Nevada discovered that a rogue employee had been accessing ePHI without any legitimate work reason for doing so. What makes this incident stand out, is how long access had been allowed to continue before it was discovered.

An investigation conducted by the healthcare provider revealed that the improper access had gone unnoticed for more than 5 years. During that time, the records of more than 700 patients had been accessed by the employee. The report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 702 individuals had their privacy violated by the employee.

Chadron Community Hospital and Health Services first learned of the privacy breach on January 3, 2017. The investigation into the employee’s activities showed medical records were first improperly accessed in September 2011 and that HIPAA-violating activity had continued until November 2016. The types of information accessed included names, addresses, dates of birth, demographic information, clinical information such as medical diagnoses, orders and physicians’ notes, some financial data and insurance information. No Social Security numbers are believed to have been viewed.

It is not clear whether the employee accessed the information out of curiosity or whether the data were viewed with malicious intent. The individual is no longer employed by Chadron Community Hospital and Health Services. The dates of access suggest the employee had left the healthcare organization prior to the improper access being discovered.

Insider threats are a major concern for healthcare security staff. A recent Dimensional Research/Preempt survey showed that almost half of IT security professionals are more concerned about internal attacks than external threats. The network perimeter can be secured, although monitoring for improper access by employees can be a challenge.

HIPAA Rules require covered entities to maintain access logs and conduct periodic reviews of those logs to monitor for improper access. HIPAA does not state how often those logs must be checked, although it would be difficult to argue that regular, thorough checks were conducted if an employee was able to evade detection for more than 5 years. Such a long period of improper access is certain to attract the attention of Office for Civil Rights’ investigators.
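Both the February breach snapshot above (the 45 CFR § 164.308(a)(1)(ii)(D) information system activity review) and this Chadron incident turn on the same routine: compare each record access in the audit log against a documented reason for the user to be in that chart, and measure how long any unexplained access went unreviewed. The script below is an added illustration, not code from HIPAA Journal, Chadron Community Hospital or any EHR vendor. The log line format, the user and patient identifiers, the care-relationship table and the review date are all constructed for the example; a real system would derive the relationship table from scheduling, encounter or care-team assignments.

```python
"""Flag EHR record access that has no documented care relationship and
report how long it went unreviewed.

Constructed example: log format, field names, identifiers and the
care-relationship table are assumptions, not any real system's schema.
"""
from datetime import date, datetime

# Constructed audit-log lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2016-09-01T08:15:02 user=nurse01 patient=MRN1001 action=view_chart
2016-09-01T08:20:11 user=nurse01 patient=MRN1002 action=view_chart
2016-09-03T22:41:09 user=clerk07 patient=MRN1001 action=view_chart
2016-09-15T23:02:45 user=clerk07 patient=MRN1003 action=view_notes
2016-10-02T09:05:00 user=dr_lee patient=MRN1003 action=view_notes
2016-11-20T21:30:12 user=clerk07 patient=MRN1004 action=view_chart
"""

# Constructed treatment relationships: (user, patient) -> (start, end) of the
# encounter window during which that user is expected to open the chart.
CARE_RELATIONSHIPS = {
    ("nurse01", "MRN1001"): (date(2016, 8, 30), date(2016, 9, 5)),
    ("nurse01", "MRN1002"): (date(2016, 8, 30), date(2016, 9, 5)),
    ("dr_lee", "MRN1003"): (date(2016, 10, 1), date(2016, 10, 31)),
}

# Constructed date on which the periodic log review is run.
REVIEW_DATE = date(2017, 1, 3)


def parse_line(line):
    """Parse one log line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = datetime.fromisoformat(ts)
    return record


def is_authorized(record, relationships):
    """True if the user had a care relationship with the patient on that day."""
    window = relationships.get((record["user"], record["patient"]))
    if window is None:
        return False
    start, end = window
    return start <= record["ts"].date() <= end


def find_improper_access(log_text, relationships):
    """Return every access record lacking a documented care relationship."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if not is_authorized(r, relationships)]


def summarize_by_user(flagged):
    """Per user: distinct patients accessed plus first and last improper access."""
    summary = {}
    for r in flagged:
        s = summary.setdefault(
            r["user"], {"patients": set(), "first": r["ts"], "last": r["ts"]}
        )
        s["patients"].add(r["patient"])
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
    return summary


def days_undetected(summary, review_date):
    """Days from each user's first improper access to the review date: the
    figure that ends up in a breach report as time-to-detection."""
    return {u: (review_date - s["first"].date()).days for u, s in summary.items()}


if __name__ == "__main__":
    flagged = find_improper_access(SAMPLE_LOG, CARE_RELATIONSHIPS)
    summary = summarize_by_user(flagged)
    for user, delay in days_undetected(summary, REVIEW_DATE).items():
        print(f"{user}: {len(summary[user]['patients'])} patients, "
              f"first improper access {summary[user]['first'].date()}, "
              f"undetected for {delay} days")
```

On the constructed log, the nurse and physician accesses fall inside their encounter windows and pass, while the clerk's three late-evening chart views have no relationship on file and are flagged; the review date then gives the undetected interval directly. Running the same comparison monthly rather than annually is what bounds the 2,103-day and 1,952-day figures quoted above to something a regulator would recognise as a "regular" review.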

The post Healthcare Employee Accessed ePHI Without Authorization for 5 Years appeared first on HIPAA Journal.

Data Breach Lawsuit Against Excellus BCBS Survives Motion to Dismiss, in Part

A lawsuit filed by plaintiffs whose ePHI was exposed as a result of a cyberattack on Excellus BlueCross BlueShield has survived a motion to dismiss, in part. The United States District Court of the Western District of New York has both granted, in part, and denied, in part, the motions to dismiss.

The hacking of Excellus BlueCross BlueShield in 2013 resulted in the exposure of the protected health information of more than 10 million health insurance subscribers. The data breach was discovered in 2015, some 20 months after access to members’ data was first gained.

Following the discovery of the cyberattack, Excellus hired cybersecurity firm Mandiant to conduct a forensic analysis which revealed malware had been installed on the network. While the malware could potentially have resulted in the theft of PHI, no evidence of data exfiltration was discovered, although the possibility that data was stolen could not be ruled out.

Multiple lawsuits were filed against Excellus BCBS, which were consolidated into one case – Matthew Fero, et al., vs Excellus Health Plan Inc.

The plaintiffs allege Excellus was negligent for failing to implement sufficient measures to safeguard the confidentiality, integrity and availability of their electronic protected health information. The plaintiffs also allege breach of implied covenant of good faith and fair dealing, breach of contract, third-party beneficiary breach of contract for the Federal Employee class, negligent misrepresentation, unjust enrichment, violations of state consumer protection laws, violation of the California Customer Records Act, and violations of state insurance personal privacy statutes.

Many lawsuits are filed following healthcare data breaches even though actual losses have not been suffered. Plaintiffs claim that the theft of data places them at a future risk of harm. However, in this case, a number of plaintiffs claim they have suffered actual losses as a direct result of the breach.

Four plaintiffs allege fraudulent tax returns were filed in their names, three allege they suffered identity theft, while twelve allege they have been victims of credit/debit card fraud. All said they had to spend time mitigating risk and that they suffered anxiety and fear of identity theft as a direct result of the breach. All claim they face a future risk of harm as a result of the cyberattack.

Excellus filed two motions to dismiss the lawsuit: for lack of standing and for failure to state a claim. Excellus sought to dismiss the lawsuit for lack of standing with two separate arguments. First, four plaintiffs did not allege they suffered any misuse of their personally identifiable information due to the cyberattack. Second, the remaining sixteen plaintiffs failed to allege facts establishing that the harm suffered was traceable to the Excellus cyberattack.

United States District Judge Elizabeth A. Wolford ruled that the two motions to dismiss were both granted and denied, in part.

For the plaintiffs that did not allege they had suffered actual harm or losses as a result of the cyberattack, the claims were dismissed without prejudice, although in all other respects the motion to dismiss was denied.

The motion to dismiss for failure to state a claim was granted, in part, with respect to the claim for breach of the implied covenant of good faith and fair dealing, the negligent misrepresentation claim, the CCRA claim, and the NJIPPA and NCCIPA claims, which were dismissed with prejudice. The one exception is the plaintiffs’ claim of breach of the implied covenant of good faith and fair dealing, which may be pursued as part of the breach of contract claim. The plaintiffs will be allowed to replead the negligent misrepresentation claim. The claim for misrepresentation was dismissed because none of the plaintiffs alleged they had actually read the privacy and security notices prior to taking out insurance.

The ruling follows many similar cases, in that the claims for future losses were deemed too speculative. Due to the volume of healthcare data breaches that are now being discovered, it is increasingly common for defendants to argue that alleged losses are not traceable to a specific breach. In this case, Judge Elizabeth Wolford ruled that Excellus’s arguments that the alleged identity theft and other instances of data misuse could not be traced to the 2013 cyberattack had failed, and that the alleged losses were fairly traceable to the cyberattack.

The post Data Breach Lawsuit Against Excellus BCBS Survives Motion to Dismiss, in Part appeared first on HIPAA Journal.

AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data.

Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI.

AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many will issue designated record sets well within that timeframe. However, in some cases, provided there is a justifiable reason for doing so, a healthcare provider may request a 30-day extension. In such cases, it may take up to 60 days for patients to obtain copies of their health data.

AHIMA has explained to whom healthcare providers are allowed to disclose the information: Patients or a nominated personal representative. In the case of the latter, guidance has been issued on who that person may be.

There are various models that can be adopted by healthcare providers for charging patients for copies of PHI. While the actual cost for providing copies of medical records may not be provided at the time the request is made, healthcare providers must advise patients of the approximate cost at the time the request is made. AHIMA points out that if electronic health data is being provided via a patient portal, a charge will not apply.

Since HIPAA serves to protect patient privacy, healthcare providers are required to verify the identity of the person making the request or a personal representative if one is used. A healthcare provider will therefore require a photographic ID to be produced prior to any records being released. A waiver will also need to be signed verifying identity.

AHIMA explains that obtaining copies of medical records is important. Access to health data improves patient engagement and empowers them to make more informed choices about their healthcare.

While providers should be able to obtain health data from other providers, that process is not always straightforward due to data incompatibility issues. It is therefore important that patients have complete copies of their medical records so they can provide complete sets to new providers. Doing so improves the coordination of care.

Patients should also check their health records for any errors and omissions – known allergies for instance. If an error or omission is discovered, a request to change the records should be submitted to the appropriate healthcare provider.

The AHIMA slideshow can be viewed here. Further information for patients on medical record access can be found in an accompanying blog post.

Penalties for Failing to Provide Patients with Copies of their Medical Records

Healthcare providers should be aware that failure to provide patients with copies of their medical records can result in a financial penalty for non-compliance with HIPAA Rules.

41 patients of Cignet Health of Prince George’s County in Maryland were denied access to their medical records and complained to OCR. The investigation revealed that the HIPAA Privacy Rule had been violated. Cignet eventually settled with OCR for more than $4.3 million.

AHIMA recommends that healthcare providers regularly review their policies and procedures for providing patients with copies of their medical records. Many healthcare providers have unintended barriers in place that make it difficult for patients to exercise their right to access their health data. Only by understanding HIPAA Rules on patient PHI access rights – and ensuring HIPAA Rules are followed – will healthcare providers be able to ensure that their patients enjoy the benefits that come from them taking a more active role in their healthcare.

The post AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA appeared first on HIPAA Journal.