Healthcare Data Privacy

Xerox: Nearly Half of Americans Concerned About Theft of Their Health Information

Healthcare data breaches in 2016 reached record levels, while 2015 saw more healthcare records stolen than the combined total stolen over the previous six years. Those data breaches have naturally had an effect on how healthcare patients view the security of their medical data.

OCR figures show that since 2009, 166 million healthcare records have been stolen or exposed – that’s 52% of the population of the United States. It is therefore understandable that patients are worried about data security. A recent Xerox eHealth survey has revealed the extent to which patients are worried about the data held by their healthcare providers.

In January 2017, 3,000 U.S. adults over the age of 18 were surveyed by Harris Poll for the Xerox survey. The survey revealed that 44% of healthcare patients are worried about their healthcare data being stolen.

However, even with the high number of data breaches, patients are overwhelmingly in support of the transmission of electronic health data over more outdated communication methods such as faxing. 76% of survey respondents said secure electronic sharing of healthcare data was better than faxing health information. Patients also appreciate the benefits that come from the secure, electronic sharing of healthcare data. 87% of respondents said the ability of their healthcare providers to share data digitally could decrease waiting times for diagnoses and medical test results.

That said, patients are frustrated by the inability of healthcare providers to share healthcare data, as Xerox Healthcare Industry Senior Vice President Cees Van Doorn explains, “Patients are frustrated by the lack of care coordination and disjointed processes, so much so, that our Xerox survey shows 19 percent of Americans would rather wait in line at the DMV than coordinate between different doctors’ offices to ensure they have all of their records and health information.”

While the survey suggests that healthcare patients are open to secure, electronic sharing of healthcare data, not all patients are entirely comfortable with providing their details to physicians. In fact, a previous study published by Black Book suggests that patients are holding back healthcare data due to data security fears. 89% of patients said they held back medical information from their healthcare providers, with 93% of those respondents saying they held back information due to security concerns.

Another Black Book market research survey suggests that even if patients are comfortable with the secure sharing of health data, exchanging information is still problematic. A quarter of healthcare administrators said they are unable to access patient data from external sources and 70% of hospitals do not have external health data in their EHR systems’ workflow.

The post Xerox: Nearly Half of Americans Concerned About Theft of Their Health Information appeared first on HIPAA Journal.

New York Giants Star and ESPN Agree to Settle Privacy Breach Lawsuit

A privacy breach lawsuit filed against ESPN by New York Giants defensive end Jason Pierre-Paul has been amicably resolved. ESPN has agreed to settle the lawsuit, although the terms of the settlement have not been announced.

On July 4, 2015, Pierre-Paul was involved in a fireworks accident and sustained serious burns to his hand. He was rushed to Jackson Memorial Hospital in Miami to receive treatment for his injuries. News soon broke that the NFL star had been taken to hospital, although it was initially unclear what injuries had been sustained.

That was until details of the injuries were leaked to ESPN reporter Adam Schefter. Schefter sent a tweet containing a photograph of Pierre-Paul’s medical chart, which showed Pierre-Paul had sustained serious damage to his hand that required the amputation of his index finger.

The disclosure and dissemination of Pierre-Paul’s medical chart involved a violation of the Health Insurance Portability and Accountability Act (HIPAA), although not by Adam Schefter. While the HIPAA Privacy Rule prohibits the unauthorized disclosure of patients’ protected health information in any form, paper or electronic, reporters are not HIPAA-covered entities and are therefore not required to abide by HIPAA Rules.

However, the medical chart could only have come from the hospital where Pierre-Paul received treatment and was therefore likely supplied by a hospital employee. Neither Schefter nor ESPN disclosed the source of the chart; however, an investigation into the privacy breach was launched by Jackson Memorial Hospital.

That investigation revealed that two employees at the hospital had inappropriately accessed Pierre-Paul’s medical records. Both employees were terminated for the HIPAA violation.

While the lawsuit has now been settled amicably, ESPN maintains the disclosure of Pierre-Paul’s medical information was “both newsworthy and journalistically appropriate.”

Legal representatives of Pierre-Paul claim the reporter and ESPN blatantly disregarded the private and confidential nature of Pierre-Paul’s medical records by disseminating the information on social media, just to show supporting proof that a surgical procedure had been performed.

High Costs are Preventing Many Patients from Accessing their Medical Records

The HIPAA Privacy Rule permits patients to obtain a copy of their medical records from their healthcare providers on request. By obtaining copies of medical records, patients are able to take a more active role in their healthcare and treatment. Obtaining copies of medical records also makes it much easier for patients to share their medical records with other healthcare providers and make smarter choices about their healthcare.

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently explained patients’ right to obtain copies of their medical records and created a series of videos explaining how the HIPAA Privacy Rule applies to patients. In 2016, OCR also issued guidance for HIPAA-covered entities on the charges that may be passed on to patients for labor, printing, and postage.

OCR’s guidance permits a flat fee of up to $6.50 for electronic copies of records that are maintained electronically, should a HIPAA-covered entity opt for a single charge rather than calculating its actual or average costs. While not all covered entities choose this model, the cost of obtaining electronic copies of medical records is usually relatively low. However, not all patients have easy access to the technology needed to view those records.

In such cases, paper copies are the only option, yet the cost of obtaining printouts of medical records is often considerably higher. In many cases, paper copies can be prohibitively expensive, especially for patients whose medical histories span many pages. If the cost of obtaining medical records is too high, patients will be discouraged from accessing them, which makes it harder for patients to choose their healthcare providers and share their health information.

Many physicians are concerned that the amounts being charged by some healthcare providers prevent many patients from exercising their right under HIPAA to obtain copies of their medical records.

A recent article published in JAMA Internal Medicine highlights just how expensive it can be for patients to obtain their medical records if they choose paper over electronic copies.

The researchers indicate that the cost of obtaining paper copies of medical records in Texas, for example, can be as high as $3.57 per page, not including postage or the cost of providing images. For a medical file of 15 pages, the cost would be $53.60. A full copy of medical records spanning 100 or more pages would see the price jump to several hundred dollars. For many Americans, that cost would prevent them from obtaining a copy of their records.

The high cost not only prevents patients from sharing their data with healthcare providers, it also has potential to prevent patients from providing their medical data for use in research. Patients would also not have the opportunity to check their medical records for errors, which could have a major negative impact on future care.

Currently, only one state – Kentucky – has laws in place that require healthcare providers to provide copies of medical records free of charge in the first instance. Researchers for the article suggest that the laws in Kentucky should serve as a model that all states should follow.

eHealth Email Spoofing Attack Sees Employee W-2 Information Disclosed

In the past few days, two email spoofing attacks have been reported by healthcare organizations that have resulted in the W-2 information of employees being sent to cybercriminals.

Tax season phishing scams are to be expected at this time of year. Cybercriminals target HR and payroll employees and try to fool them into sending the W-2 information of employees via email. The scams are convincing: a casual glance at the sender’s address reveals nothing untoward, because the emails appear to have been sent by other employees who have a legitimate need for the information.

The latest healthcare organization to report being duped by one of these scams is eHealthInsurance. An eHealth employee responded to a phishing email on January 20, 2017, believing it had been sent by another eHealth employee.

While many of these scams involve emails sent from compromised company email accounts, in this case the request came from a spoofed address that merely appeared to be internal. The employee replied with a file containing employees’ W-2 tax forms. Data passed to the scammer included employees’ names, addresses, Social Security numbers and wage information.

While employee data were obtained in the attack, an investigation of the incident uncovered no evidence to suggest that eHealth’s systems had been breached or were otherwise compromised.

eHealth has now notified all affected employees of the disclosure of their W-2 forms and has offered each employee 24 months of credit and identity monitoring services without charge to mitigate risk. The IRS has also been notified of the attack. To prevent any recurrences of incidents of this nature, employees are being provided with additional training on safeguarding the privacy and security of data.

Last week, Campbell County Health also reported that one of its employees had fallen for such a scam.

Many businesses and educational establishments have already discovered that employees accidentally disclosed W-2 form data to criminals involved in tax refund fraud, and with two months of tax season still to go, they will certainly not be the last.

Healthcare organizations should be particularly vigilant during tax season. Any email request to send W-2 information should be treated as suspicious. To prevent accidental disclosure, any HR or payroll employee who receives a request to send W-2 forms or other tax-related information via email should verify the legitimacy of the request before sending any employee tax data. Because the scammer may have spoofed the sender’s address or may control a compromised corporate email account, the request should not be verified by replying to the email: confirm it by phone or in person, using contact details that were not taken from the email itself.
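As an added illustration of the spoofed-versus-compromised distinction made above (example code written for this page, not eHealth’s or any vendor’s tooling), the Python below inspects an inbound message that asks for W-2 or payroll data. It reads the receiving mail server’s Authentication-Results header to tell a spoofed internal address (DMARC did not pass) from a genuinely authenticated, and therefore possibly compromised, internal account, and it checks for a Reply-To header that would divert the reply elsewhere. The domain example.com, the sample messages and their headers are all constructed. In either case the verdict is the one recommended above: verify out of band, never by replying.

```python
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
# Subject/body terms that indicate a request for employee tax or payroll data
SENSITIVE = re.compile(r"\b(w-?2s?|1099|payroll|social security|ssn)\b", re.I)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the receiving MTA's
    Authentication-Results headers (RFC 8601) into {method: result}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", hdr, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def domain_of(header_value):
    """Domain part of the first address in a From/Reply-To header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def assess(raw_message):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")
    if not SENSITIVE.search(text):
        return "ok", []

    reasons = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    auth = auth_results(msg)

    if from_dom != INTERNAL_DOMAIN:
        reasons.append(f"external sender ({from_dom}) requesting payroll data")
    elif auth.get("dmarc") != "pass":
        # The From header claims an internal address that the sending server
        # could not prove it is entitled to use: the address is spoofed.
        reasons.append("internal From address but DMARC did not pass: likely spoofed")
    else:
        # Authentication passed, so the mail really came through the company's
        # mail system; the account itself may be compromised.
        reasons.append("authenticated internal sender: account may be compromised")
    if reply_dom != from_dom:
        reasons.append(f"Reply-To domain ({reply_dom}) differs from From domain ({from_dom})")
    # Either way the request is confirmed by phone or in person, never by replying.
    return "verify out of band", reasons


# Constructed sample messages (not real mail) covering the three cases.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=ceo@example.com; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe, CEO" <ceo@example.com>
Reply-To: ceo.example@example.net
To: payroll@example.com
Subject: Urgent: employee W-2s

Please send me the 2016 W-2 forms for all staff as a single PDF today.
"""

COMPROMISED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ceo@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe, CEO" <ceo@example.com>
To: payroll@example.com
Subject: Urgent: employee W-2s

Please send me the 2016 W-2 forms for all staff as a single PDF today.
"""

ROUTINE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ceo@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe, CEO" <ceo@example.com>
To: payroll@example.com
Subject: Town hall on Friday

Please book the large conference room for 3pm.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("routine", ROUTINE)):
        verdict, reasons = assess(sample)
        print(f"{name}: {verdict}", *reasons, sep="\n  ")
```

The Authentication-Results header is only trustworthy when it was written by your own inbound mail server, so a production version should also discard any copy of that header that arrived with the message from outside.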

OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs

An annual review of Medicare administrative contractors’ (MACs) information security programs has shown them to be ‘adequate in scope and sufficiency’, although a number of security gaps were found to exist.

The Social Security Act requires each MAC to have its information security program evaluated annually by an independent assessor. The evaluation covers the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA), together with the information security controls of a subset of systems.

The Department of Health and Human Services’ Office of Inspector General (OIG) is required to submit a report on the annual MAC evaluations to Congress. The Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) for this year’s evaluations.

The OIG report to Congress shows that a total of 149 security gaps were found in fiscal year 2015, a marked increase from the previous year. In fiscal year 2014, the same 9 MACs were evaluated and 16% fewer security gaps were found.

A security gap is defined as an incomplete implementation of FISMA or CMS core security requirements. The security gaps identified are ranked as high, medium, or low-risk, depending on their severity.

PwC identified 22 high-risk gaps, 46 medium-risk gaps, and 81 low-risk gaps. According to the OIG report, 9 percent of the high- and medium-risk gaps had been identified in the previous year’s evaluations and had not yet been addressed. Four of the six repeat gaps were rated high risk in both 2014 and 2015.

While the number of gaps increased by 16%, OIG points out that the scope of the evaluations was greater this year, with additional controls assessed in fiscal year 2015. The average number of gaps per MAC was 17; the highest number identified at any one MAC was 25 and the lowest was 14.

The biggest FISMA problem areas were ‘policies and procedures to reduce risk’ and ‘periodic testing of information security’, which had 45 and 41 security gaps identified respectively across the 9 MACs. 15 security gaps were identified with ‘system security plans’. Gaps were identified across all the FISMA control areas that were tested.

OIG reports that each MAC had four to seven gaps related to policies and procedures to reduce risk. The most common gaps in this area were policies and procedures for mobile device encryption, platform patch management, and external information systems that did not meet CMS requirements.

Each MAC had four to six gaps related to periodic testing of information security controls, including the failure to consistently enforce change management procedures and deficient system security configurations. There were one to three gaps in system security plans, including the failure to consistently enforce access control procedures, the failure to review policies and procedures within 365 days of the previous review date, and having a system security plan that did not reflect the current operating environment.

Each MAC is responsible for developing its own corrective action plan to address the high and medium risk security gaps identified by PwC. Each MAC must ensure that each of the identified gaps is remediated in a timely manner.

OIG has recommended that CMS continue with its oversight of MACs and should ensure that each MAC remediate all the identified high and medium-risk gaps in a timely manner.

Hospital Employee Discovered to Have Improperly Accessed 6,200 Patient Records

Covenant HealthCare has notified more than 6,000 patients that their electronic medical records were inappropriately accessed by one of its employees. Individuals affected by the privacy breach had previously received medical services at a Covenant HealthCare facility in Saginaw, Michigan.

The improper access was discovered during a November 2016 audit of EMR access logs, which revealed an unusual pattern of medical record access by a single employee. Covenant HealthCare immediately ordered a full review of that employee’s ePHI access to determine which medical records had been viewed and whether there was any legitimate reason for viewing them.

The review revealed that the Covenant HealthCare employee first started improperly accessing the electronic medical record system on February 1, 2016. The improper access continued for nine months, until November 21, 2016, and involved 6,197 patients. A range of data were potentially viewed, including patients’ names, dates of birth, home addresses, health insurance information, diagnostic and treatment information, medical record numbers, Social Security numbers and driver’s license numbers.

Covenant HealthCare spokesperson Kristin Knoll said in a statement that an investigation into the HIPAA breach was immediately launched and resulted in termination of the employee. Knoll also confirmed that the breach has been reported to all appropriate agencies.

Affected patients have now been notified of the breach by mail. Notifications were delayed because Covenant required two months to complete its investigation.

No reports of misuse of patients’ information have been received to date by Covenant HealthCare. Patients whose Social Security numbers were viewed will be offered free credit monitoring and protection services to mitigate risk.

To prevent future breaches of this nature, Covenant HealthCare has increased ongoing training on patient privacy. Audits of ePHI access logs will also be conducted more frequently to ensure that any future inappropriate access is identified promptly.
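An added example of the kind of access-log audit that surfaced this breach (written for this page, not Covenant HealthCare’s own tooling or any particular EHR’s audit feature): given one day of constructed EMR “record opened” events, the Python below counts the distinct patients each user opened and the share of those patients outside the user’s own unit, then compares each user with peers in the same role using the median and median absolute deviation. A billing clerk who legitimately touches many charts across units is therefore not flagged, while a nurse who opens several times as many records as other nurses, nearly all on other units, is. All users, units and patient identifiers are made up.

```python
from collections import defaultdict
from statistics import median

# Constructed one-day sample of EHR "record opened" events (not real data):
# user -> (role, home unit, ["patient_id:patient_unit", ...])
SAMPLE = {
    "n1": ("nurse", "ICU", ["P1:ICU", "P2:ICU", "P3:ICU"]),
    "n2": ("nurse", "ICU", ["P2:ICU", "P3:ICU", "P4:ICU", "P5:ICU"]),
    "n3": ("nurse", "WARD", ["P6:WARD", "P7:WARD", "P8:WARD"]),
    "n4": ("nurse", "WARD", ["P9:WARD", "P1:ICU", "P2:ICU", "P10:ED", "P11:ED",
                             "P12:ED", "P13:ONC", "P14:ONC", "P15:ONC", "P16:ICU",
                             "P17:ICU", "P18:ED"]),
    "b1": ("billing", "FIN", ["P1:ICU", "P6:WARD", "P10:ED", "P13:ONC", "P16:ICU",
                              "P17:ICU"]),
    "b2": ("billing", "FIN", ["P2:ICU", "P7:WARD", "P11:ED", "P14:ONC", "P12:ED",
                              "P15:ONC", "P18:ED"]),
}


def profile(events):
    """Per user: (role, distinct patients opened, fraction outside own unit)."""
    prof = {}
    for user, (role, unit, opened) in events.items():
        patients = {}
        for entry in opened:
            pid, punit = entry.split(":")
            patients[pid] = punit          # repeat opens of one chart count once
        off_unit = sum(1 for u in patients.values() if u != unit)
        prof[user] = (role, len(patients), off_unit / len(patients))
    return prof


def flag_outliers(prof, k=3.0, min_abs=2, off_unit_max=0.5):
    """Compare each user only with peers holding the same role.

    A user is flagged when the distinct-patient count exceeds the peer median
    by more than k median absolute deviations (and by at least min_abs, so a
    group whose members all opened the same number of charts, MAD 0, does not
    trigger on a difference of one), or when more than off_unit_max of the
    lookups are for patients outside the user's unit while the peer median
    is within that limit (billing staff are off-unit by nature and are left alone).
    """
    by_role = defaultdict(dict)
    for user, (role, n, off) in prof.items():
        by_role[role][user] = (n, off)

    findings = []
    for role, users in by_role.items():
        counts = [n for n, _ in users.values()]
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        limit = med + max(k * mad, min_abs)
        peer_off = median(off for _, off in users.values())
        for user, (n, off) in sorted(users.items()):
            if n > limit:
                findings.append((user, f"{n} distinct patients; {role} median {med:g}, limit {limit:g}"))
            if off > off_unit_max and peer_off <= off_unit_max:
                findings.append((user, f"{off:.0%} of lookups outside own unit; {role} median {peer_off:.0%}"))
    return findings


if __name__ == "__main__":
    for user, reason in flag_outliers(profile(SAMPLE)):
        print(f"REVIEW {user}: {reason}")
```

Run against real audit logs, the same two measures would be computed per user per day (or per shift) and a flagged user’s individual record opens handed to privacy staff for the manual review described above; the peer comparison is what keeps the volume of false positives down when the audit is run more often.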

Mailing Error Sees 1,126 Letters Sent to Patients’ Previous Addresses

A ‘software glitch’ has resulted in billing statements and other communications sent by TriHealth of Cincinnati being sent to patients’ former addresses. The privacy breach was discovered in November 2016, and impacts 1,126 TriHealth patients.

The glitch caused current addresses to be replaced with former addresses. In some cases the mail may have been forwarded to the correct address, although TriHealth was unable to determine whether this occurred. The letters have now been re-sent to the correct addresses and affected patients have been notified of the error by mail.

The error affected mailings of billing statements, appointment reminder letters, and other correspondence between November 15, 2015 and January 12, 2017 when the error was discovered. Individuals affected by the error had all mailings directed to wrong addresses between those dates.

The types of protected health information contained in the mailings varied from patient to patient. PHI that was potentially exposed was limited to patients’ names, visit dates, descriptions of medical service provided, places of service, financial charges, details of payments and adjustments, account balances, due payments, and details of appointments.

No insurance numbers, Social Security numbers, credit/debit card information or financial institution information was printed in any of the misdirected letters.

TriHealth has not received any reports suggesting that information contained in the letters has been misused in any way. Since the privacy breach involved only a limited amount of data, and the risk of misuse is believed to be low, affected individuals have not been offered credit monitoring or identity theft protection services. They have been advised that they are entitled to a free annual credit report from the credit reporting companies and can use it to check for suspicious credit activity.

The software error has now been fixed and affected patients have had their addresses corrected in TriHealth’s computer system.

New Report Reveals 2016 Data Breach Trends

2016 was a particularly bad year for healthcare data breaches. The healthcare industry was targeted by ransomware gangs, careless employees left healthcare records exposed, and hackers broke through defenses on numerous occasions. 2016 was nowhere near as bad as 2015 in terms of the number of healthcare records stolen or exposed, but more healthcare data breaches were reported in 2016 than in previous years. But how did 2016 compare to other industries?

A new data breach report from Risk Based Security has revealed the 2016 data breach trends across all industries and confirms just how bad a year 2016 was for cybersecurity incidents. The total number of data breaches reported in 2016 – 4,149 data breaches – was on a par with 2015. However, the severity of data breaches in 2016 was far worse.

Until 2016, the worst year in terms of the number of records exposed or stolen was 2013, when the milestone of 1 billion exposed or stolen records was exceeded for the first time. However, in 2016 there were 3.2 billion more records exposed or stolen than that landmark year. More than 4.2 billion records were exposed or stolen between January and December 2016.

The worst security breaches of 2016 were caused by hackers. Nine of the ten worst data breaches of 2016 were due to hacks, with one web breach also ranking in the top ten. 2016 saw six data breaches enter the top ten list of the worst data breaches ever reported, including the worst ever data breach, the 1 billion-record breach at Yahoo. The top ten breaches of the year resulted in the theft or exposure of more than 3 billion records. Seven of the top ten data breaches of 2016 had a severity score of 10/10, with an average score of 9.96/10.

94 data breaches involving more than 1 million exposed records were reported over the course of the year – a 63% increase year on year. 37 data breaches of more than 10 million records were reported – an increase of 105% over 2015.

Risk Based Security’s figures show the United States was the worst hit: 47.5% of data breaches affected U.S. companies and those breaches accounted for 68.2% of the total number of exposed or stolen records. California was the worst hit state, registering 234 breaches and 80.48% of exposed records. Florida was in second place with 113 breaches, followed by Texas with 105 and New York with 104.

While healthcare industry data breaches increased in 2016, they still only made up a small percentage of the total – 9.2% and just 0.3% of the total number of records exposed. The business sector was the worst hit, registering 51% of data breaches over the course of the year. Those breaches accounted for 80.9% of exposed or stolen records.

The 2016 data breach report indicates 7.6% of breaches were reported by medical institutions and 2.1% by hospitals. 11% of medical data breaches involved third parties.

Hacking was the main cause of breaches in 2016, accounting for 53.3% of the total. Those breaches were also the most severe, accounting for 91.9% of exposed or stolen records. One of the most common techniques used by hackers in 2016 was SQL injection, although in many cases there was no need to hack at all: more than 256 million records were exposed or stolen as a result of misconfigured databases and websites.

Insider breaches were a major cause of healthcare data breaches in 2016, although across all industries, insider incidents only accounted for 18.3% of the total. While malware attacks were frequent, they only accounted for 4.5% of the total number of breaches and 0.4% of exposed records.

The Data Breach QuickView Report is available from Risk Based Security.

Court of Appeal Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi.

The incident which led to the lawsuit occurred between November 1 and 3, 2013. Two unencrypted laptop computers containing the personal information of 839,000 plan members were stolen from Horizon BCBS’s headquarters in Newark, NJ. Stored on the laptops were names, addresses, birth dates, Social Security numbers, medical histories, demographic data, lab test results, insurance information, and other care-related data.

Four plaintiffs – Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell Rindner – are named on the lawsuit, which was filed on behalf of themselves and other customers whose personal information was exposed.

The complainants maintain that the laptop computers were targeted by thieves who realized the value of data contained on the devices, rather than the computers being stolen for resale for their hardware value.

The plaintiffs claim that the disclosure, although accidental, placed them at “imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.”

The plaintiffs allege Horizon BCBS willfully and negligently violated the Fair Credit Reporting Act (FCRA), in addition to a number of state laws, by failing to adequately protect their personal information. The plaintiffs claim that the unauthorized transfer of personal information was a violation of FCRA and that the transfer, in itself, constitutes a cognizable injury.

The District Court dismissed the lawsuit under Federal Rule of Civil Procedure 12(b)(1), citing a lack of Article III standing. However, the court of appeals judges ruled that even without evidence of misuse of the plaintiffs’ personal information, the case has standing.

According to U.S. Circuit Judge Kent Jordan, who wrote for the three-judge panel, “In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes.” Judge Jordan explained, “the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).”