Healthcare Data Privacy

Patients Holding Back Health Information Over Fears of Data Privacy

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers.

However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited.

Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider.

Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data.

Important Medical Information is Being Withheld by Patients

The extent to which patients are withholding information has recently been highlighted by a Black Book survey. Between September and December 2016, Black Book conducted a national poll of 12,090 adult consumers to assess patients’ confidence in health IT and the extent to which they have been willing to share their health information.

The results of the survey clearly show that patients are extremely concerned about the privacy of their data and believe that sensitive health information is being shared without their knowledge. There are also serious concerns about healthcare organizations’ abilities to protect health information and ensure that it remains private.

For the Black Book survey, consumers were asked about the contact they had had with technology used by their physician, hospital, and other healthcare organizations over the past 12 months, including mobile apps, patient portals, and electronic health records.

57% of respondents who had experience of these health technologies said they were concerned about the privacy protections put in place and whether their data could be kept private.

87% of Patients Unwilling to Share their Full Medical Histories

Consumer confidence in privacy and security measures put in place by healthcare providers appears to be at an all time low. In the last quarter of 2016, Black Book reports that 87% of patients were unwilling to comprehensively share all of their health information with their providers. 89% of consumers who had visited a healthcare provider in 2016 said they had withheld some information during their visits.

While certain types of information are openly shared, healthcare patients are particularly concerned about sharing highly sensitive data. Many feel that those data are being shared without their knowledge.

90% of respondents said they were concerned about details of their pharmacy prescriptions being shared beyond their chosen provider and payer, and that information was being shared with the government, retailers, and employers. 81% were concerned that information about chronic conditions was being shared without their knowledge, and 99% were concerned about the sharing of mental health notes. 93% of respondents said they were concerned about their personal financial information being shared.

According to Black Book Managing Partner Doug Brown, “Incomplete medical histories and undisclosed conditions, treatment or medications raises obvious concerns on the reliability and usefulness of patient health data in application of risk based analytics, care plans, modeling, payment reforms, and population health programming.” In a statement issued about the findings of the survey he said, “This revelation should force cybersecurity solutions to the top of the technology priorities in 2017 to achieve tangible trust in big data dependability.”

Providers’ Expertise with Technology Inspires Trust

Providers can do more to improve patients’ confidence in technology by demonstrating that they know how to use it. Patients do not appear to have an issue with the technology itself. Only 5% of respondents said they mistrusted the technology. However, 69% of respondents said their current primary care physician did not display enough technology prowess for them to be able to trust that individual with all of their data. 84% of respondents said their level of trust in their provider was influenced by how that provider used technology.

Patients are also having trouble using technology. 96% of consumers said they had left physicians’ offices “with poorly communicated or miscommunicated instructions on patient portal use,” and 83% reported having difficulty using the portal at home. Only 40% of patients said they had tried to use the portal in their physician’s office.

The survey also revealed that patients believe the data they are collecting via personal wearable devices is important. 91% of consumers said their physician practice’s medical record system should store any health-related data they request. However, most physicians do not want access to so much information. 94% of physicians that responded to this section of the survey said much of the personally collected health information is redundant and would be unlikely to make a clinical difference. Furthermore, so much information is now being collected that they are becoming overwhelmed by data.

The post Patients Holding Back Health Information Over Fears of Data Privacy appeared first on HIPAA Journal.

11GB of Sensitive Data Left Unprotected by Department of Defense Subcontractor

A security researcher has discovered that the sensitive data of psychologists, doctors and other health workers employed by the United States Special Operations Command (SOCOM) have been exposed on the Internet by Woodbridge, VA-based Potomac Healthcare, a subcontractor for the Department of Defense. Potomac Healthcare supplies health workers to government organizations through Booz Allen Hamilton.

Chris Vickery of MacKeeper discovered 11GB of internal Potomac data were left unprotected and could be accessed over the Internet without a username or a password. The data included names, Social Security numbers, locations, assigned units, and salaries of psychologists, doctors, and other healthcare professionals. The files also included lists of websites and programs with their associated usernames and passwords. Vickery said that the details of at least two Special Forces data analysts who had “Top Secret government clearance” were also present in the data.

It is unclear for how long the data had been exposed and whether any other individuals had gained access to the information. Vickery reports on his blog that after notifying Potomac Healthcare of the issue, the data were still available online an hour later. Only when the issue was escalated and reported to ‘Potomac’s boss’ was the information secured and access prevented. That happened within 30 minutes of the phone call.

According to Vickery, he discovered an “unprotected remote synchronization service was active at an IP address tied to Potomac.” The data were allegedly made available to the public via the Internet as a result of a misconfigured data backup.

Potomac Healthcare issued a statement to Threatpost saying that after being notified of the breach by Vickery, “we immediately initiated an internal review and brought in an external forensic IT firm for additional support.”

Potomac Healthcare also confirmed that the investigation into the security breach is ongoing and that aside from Vickery, “we have no indication that any sensitive government information was compromised.”

The post 11GB of Sensitive Data Left Unprotected by Department of Defense Subcontractor appeared first on HIPAA Journal.

Massachusetts Data Breach Notification Archive Now Available Online

The Office of Consumer Affairs and Business Regulation of the state of Massachusetts has taken a major step toward improving transparency by making its data breach notification archive available to the public. Previously, members of the public were permitted to view the breach reports, but only by submitting a public records request. Now all breach notifications made to the state’s Office of Consumer Affairs and Business Regulation can be viewed online.

The Massachusetts Data Breach Notification Archive can be viewed and downloaded in PDF form, with the identity theft report detailing the date the incident was reported, the organization affected, breach type, number of residents impacted, types of sensitive data exposed (SSNs, Driver’s license numbers, financial information, credit/debit card numbers), and whether credit monitoring services have been offered to breach victims. The reports include breaches of both physical records and electronic personal information from 2007. The report for 2016 currently includes 1,865 breach summaries.

State law (Chapter 93H) requires all entities that maintain a record of any personal information of residents of the state of Massachusetts to issue breach notifications to individuals if their personal information is “acquired or used by an unauthorized person or for an unauthorized purpose.” Breaches of encrypted data are not reportable unless a key to unlock the data is also compromised. Breaches must also be reported to the state attorney general and the Office of Consumer Affairs and Business Regulation.

State law covers accidental and deliberate breaches including, but not limited to, loss and theft of electronic data or papers, hacking incidents, insider errors, and unintentional data leakage.

In the state of Massachusetts, personal information is classed as a state resident’s first and last name or initial and last name in combination with any of the following data elements:

  • Social Security number
  • Driver’s license number
  • State-issued ID number
  • Financial account number
  • Credit or debit card number (with or without a CVV/CVC code)
  • Personal ID number and/or password that would allow a financial account to be accessed

Breach notifications are not required if data elements are lawfully obtained from publicly available information or federal, state, or local records that are available to the general public.

Breaches of medical information are not included in the state’s definition of personal information as is the case in a number of other states, although such information is covered under HIPAA Rules and breach notification letters would need to be issued to affected individuals by HIPAA-covered entities.

State public records law was updated in June last year, although the records have only just been made public. Consumer Affairs Undersecretary John Chapman issued a statement on January 3 explaining the move: “The Data Breach Notification Archive is a public record that the public and media have every right to view.” He went on to say, “Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”

The post Massachusetts Data Breach Notification Archive Now Available Online appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2016

2016 was a particularly bad year for healthcare data breaches. While the number of records exposed was nowhere near the level of 2015 – 15,936,849 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year.

As 2017 begins, there have been 313 reported breaches of more than 500 records that have been uploaded to the OCR breach portal.

2016 Healthcare Data Breaches of 500 or More Records

Year    Number of Breaches    Number of Records Exposed
2016    313                   15,936,849
2015    270                   113,267,174
2014    307                   12,737,973
2013    274                   6,950,118
2012    209                   2,808,042
2011    196                   13,150,298
2010    198                   5,534,276
2009    18                    134,773
Total   1785                  170,519,503

While the above figures appear to suggest a significant reduction in large healthcare data breaches year on year, the figures are somewhat misleading.

In 2015 there were three massive data breaches reported by covered entities: Anthem Inc., Premera Blue Cross, and Excellus Health Plan. Those three cyberattacks resulted in the theft of 78.8 million records, 11 million, and 10 million records respectively.

More records may have been exposed in 2015 as a result of those major cyberattacks, although in each size category, 2016 ranked worse than 2015. Many healthcare organizations will be happy to put 2016 behind them.

2016 Healthcare Data Breaches

Year    500 to 1,000 Records    1,000 to 10,000 Records    10,000 to 100,000 Records    100,001+ Records
2016    13                      62                         151                          86
2015    12                      37                         142                          76

Aside from one major breach at a business associate, all of the largest healthcare data breaches of 2016 – those that resulted in the exposure or theft of more than 100,000 healthcare records – affected healthcare providers. The largest data breach experienced by a health plan was the 91,187-record breach reported by Washington State Health Care Authority in September.

Largest Healthcare Data Breaches of 2016

Rank    Covered Entity                                                  Entity Type            Cause of Breach                  Records Exposed
1       Banner Health                                                   Healthcare Provider    Hacking/IT Incident              3,620,000
2       Newkirk Products, Inc.                                          Business Associate     Hacking/IT Incident              3,466,120
3       21st Century Oncology                                           Healthcare Provider    Hacking/IT Incident              2,213,597
4       Valley Anesthesiology Consultants                               Healthcare Provider    Hacking/IT Incident              882,590
5       County of Los Angeles Departments of Health and Mental Health   Healthcare Provider    Hacking/IT Incident              749,017
6       Bon Secours Health System Incorporated                          Healthcare Provider    Unauthorized Access/Disclosure   651,971
7       Peachtree Orthopaedic Clinic                                    Healthcare Provider    Hacking/IT Incident              531,000
8       Radiology Regional Center, PA                                   Healthcare Provider    Loss                             483,063
9       California Correctional Health Care Services                    Healthcare Provider    Theft                            400,000
10      Central Ohio Urology Group, Inc.                                Healthcare Provider    Hacking/IT Incident              300,000
11      Premier Healthcare, LLC                                         Healthcare Provider    Theft                            205,748
12      Athens Orthopedic Clinic, P.A.                                  Healthcare Provider    Unauthorized Access/Disclosure   201,000
13      Community Mercy Health Partners                                 Healthcare Provider    Improper Disposal                113,528

Main Causes of Healthcare Data Breaches in 2016

Insider breaches continue to plague the healthcare industry in the United States. As in 2015, the main cause of healthcare data breaches in 2016 was unauthorized access/disclosure. Hacking incidents on the scale of those at Anthem, Premera, and Excellus were not repeated in 2016, but 2016 saw a major increase in healthcare hacks.

The loss and theft of unencrypted devices used to store PHI fell considerably year on year, although the use of data encryption technology could have prevented all 76 of those data breaches and the exposure of 1,459,816 healthcare records.

Main Cause of Breach             2016    2015
Unauthorized Access/Disclosure   127     102
Hacking/IT Incident              102     57
Theft                            60      81
Loss                             16      23
Improper Disposal                7       6

2016 Healthcare Data Breaches by Covered Entity

Healthcare data breaches in 2016 followed a similar pattern to 2015, with healthcare providers the main entities breached, although the percentage of breaches affecting health plans was significantly lower in 2015. Data breaches at business associates remained at the same level year on year.

Breached Entity       2016    2015
Healthcare Provider   247     196
Health Plan           46      62
Business Associate    19      19

Data Source: Department of Health and Human Services’ Office for Civil Rights

The post Largest Healthcare Data Breaches of 2016 appeared first on HIPAA Journal.

TigerText Announces Record-Breaking Year for Growth

TigerText, the nation’s leading secure healthcare messaging platform provider, has announced it has recorded another record-breaking year for growth, signing up over 300 healthcare organizations in 2016.

The company now boasts more than 3,000 healthcare customers in the United States, including five of the top ten largest health systems in the country. More than 10 million secure messages are now being sent via the TigerText platform every day and the platform is used in over 5,000 healthcare facilities in the United States.

TigerText was originally developed as a standalone messaging platform, yet over the course of the past 6 years it has evolved into a comprehensive clinical communications platform. The platform has been tailored to meet the exacting needs of healthcare organizations, including the strict privacy and security controls required by the Health Insurance Portability and Accountability Act (HIPAA).

This year has seen two major new developments. Earlier this year, the TigerText platform achieved the prestigious HITRUST certification and in October the company launched a new healthcare workflow solution – TigerFlow.

TigerFlow incorporates a range of healthcare-specific features that allow healthcare organizations of all sizes to optimize and enhance communications workflows. As Brad Brooks, co-founder and CEO of TigerText, explained “TigerFlow is the first clinical communication platform built to be the central hub for care teams, thus truly enabling the last mile of care.” Brooks went on to explain that “Optimizing communication at the point of care frees physicians and nurses to do what they love – take care of patients.” The introduction of TigerFlow is seen as the biggest event in the company’s history since its 2010 launch.

The healthcare industry faces unique communications challenges and has historically struggled with integrating new technology. The pager has proved to be an invaluable and reliable tool for the healthcare industry for more than 60 years, yet many healthcare organizations have now accepted that the time has come for a modern replacement to be introduced. The launch of TigerFlow has spurred many healthcare organizations to finally make the transition to a new, and more efficient communication system.

The communications system incorporates a wide range of features to improve productivity, patient outcomes, provider satisfaction, and profitability. As Brooks explained, “The TigerFlow solution specifically improves collaboration and clinical communications by addressing and solving health systems’ concerns around integrating technology.” In addition to the messaging platform, healthcare providers benefit from enhanced data integration capabilities, end-to-end workflow consultation services, and on-demand data analytics.

The cost savings that can be generated are considerable. Brooks believes the potential savings could be in excess of $100 billion across the healthcare industry as a whole. One of the company’s large healthcare clients has generated over $6 million in cost savings in 2016 alone, while another reported savings of more than $200,000 in just 8 weeks after implementing the TigerText platform.

The past few months have also seen the company bring in new talent with a wealth of healthcare experience to further accelerate growth in the healthcare industry. Kirk Paul Kirkman has been recruited to serve as President of the TigerText Client Organization while Kelli Castellano has been appointed Chief Marketing Officer. Both new hires have extensive experience in the healthcare industry and are highly focused on improving physician and nurse satisfaction and helping providers improve patient outcomes.

The post TigerText Announces Record-Breaking Year for Growth appeared first on HIPAA Journal.

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation.

The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation response team. In many cases, cybercriminals are able to effectively mask their identities and it is relatively rare for the individuals responsible for phishing attacks to be identified. Bringing individuals to justice is harder still. All too often the perpetrators are based overseas.

In this case, the investigation has resulted in the identification of a suspect: Austin Kelvin Onaghinor, 37, of Nigeria. On December 15, 2016, a criminal arrest warrant for Onaghinor was issued. Onaghinor faces nine charges related to the phishing attack, including theft and misuse of L.A. County confidential information, unauthorized computer access, and identity theft.

At the time of writing, Onaghinor has yet to be arrested and his whereabouts are unknown. He is considered to be a fugitive from the law and Lacey said “My office will work aggressively to bring this criminal hacker and others to Los Angeles County where they will be prosecuted to the fullest extent of the law.”

The phishing attack occurred on May 13, 2016. A large number of expertly crafted phishing emails were sent to Los Angeles County employees. The emails appeared to be legitimate; however, responding to the emails resulted in employees disclosing their usernames and passwords to the attacker. In total, 108 L.A. County employees responded, and by doing so, compromised their email accounts.

The email accounts contained a wide range of sensitive data including financial and health information. Investigators were required to individually check each email in the 108 compromised accounts to determine which individuals had been impacted and what information had been exposed.

The extensive investigation determined that 756,000 individuals had been impacted by the breach. Those individuals had previously had contact via email with the following Los Angeles County departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.

According to the breach notice recently uploaded to the Department of Health and Human Services’ Office for Civil Rights breach portal, 749,017 patients of the County of Los Angeles Departments of Health and Mental Health were impacted.

The information contained in the email accounts included full names, home addresses, phone numbers, birth dates, Social Security numbers, state ID numbers, driver’s license numbers, Medi-Cal and insurance carrier IDs, medical record numbers, payment card numbers, bank account information, and medical information, including diagnoses and treatment information.

While the information was potentially accessed 7 months previously, Los Angeles County has uncovered no evidence to suggest that any information has been misused. As a precaution against identity theft and fraud, all individuals impacted by the breach have been offered a year of credit monitoring, identity consultation, and identity restoration services without charge.

Phishing emails are regularly sent to government employees and many make it past spam filters to employees’ inboxes. However, for the emails to result in the disclosure of 108 email account credentials is concerning.

Preventing employees from responding to phishing emails is a challenge, but a successful attack of this scale suggests a spectacular failure of systems and training, although the attack was detected the following day and L.A. County “immediately implemented strict security measures” to reduce the impact of the breach.

Phishing emails are a difficult threat to mitigate, although there are proven technologies and tactics that can be employed to reduce risk and at least limit the harm caused. Anti-phishing training has been demonstrated to greatly improve employees’ phishing email identification skills, in particular when anti-phishing exercises are conducted.

A study of 40 million phishing simulation emails by PhishMe (between January 2015 and July 2016) showed that susceptibility to phishing attacks falls to around 20% after just one failed phishing email simulation, while the implementation of a reporting tool can dramatically reduce the time to detect phishing threats. The sooner the threat is detected, the easier it is to alert employees and mitigate risk.

Solutions such as advanced spam filters can reduce the volume of phishing emails that are delivered to end users, while web filtering gateways can block users’ attempts to respond to phishing emails. Preventing end users from visiting websites based in foreign countries can reduce risk, although foreign-based phishers often host their phishing sites in the United States.

Along with next generation firewalls and intrusion detection systems it is possible to mount a reasonable defense against phishing attacks and reduce the damage caused when those attacks succeed.

The attack should serve as a reminder of how serious the threat of phishing is, and how important it is for organizations – government and private sector – to enhance the controls they have in place to mitigate the threat.

The post 108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted appeared first on HIPAA Journal.

Regular PHI Access Log Audits Can Prevent Major PHI Breaches

Infirmary Health has announced that an employee has been fired after being discovered to have accessed the health records of approximately 1,000 patients without authorization. The individual was required to access patients’ protected health information (PHI) for legitimate work reasons, yet data access rights were abused.

The employee worked in the Atmore Community Hospital, a 49-bed facility serving patients in Escambia and Monroe counties in Alabama. A routine audit of PHI access logs on November 18, 2016 revealed that the individual first started inappropriately accessing patient records from October 3, 2015. Records continued to be inappropriately accessed until November 11, 2016.

According to a press release issued by Infirmary Health, the information accessed was limited to patient names, admission dates and flowsheets. It is unclear why the information was accessed, although it is not believed that any data have been disclosed to any other individual nor copied and removed from the hospital. PHI appears to have been accessed purely out of curiosity.

In accordance with Health Insurance Portability and Accountability Act (HIPAA) Rules, the employee was authorized to view the minimum necessary information to conduct work duties and had received extensive training and specific instructions not to access the PHI of patients for non-work related reasons.

As a result of the discovery, the employee was placed on leave until the matter was investigated, and was later fired for breaching hospital policies and HIPAA Rules.

Infirmary Health has informed affected patients by mail and advised them to monitor their personal financial activity as a precaution, although the risk of any information being used inappropriately is believed to be very low.

Tackling the Problem of Unauthorized PHI Access by Employees

Training must be provided to healthcare employees on HIPAA Rules covering patient privacy, the circumstances under which PHI can be accessed, and the penalties for improper access.

Healthcare organizations should be aware that even with extensive training, unauthorized PHI access is likely to occur. In this case, patient privacy has been violated but no financial harm is believed to have been caused. However, as we have seen on numerous occasions this year, that is not always the case. All too often PHI is stolen and used for identity theft and fraud.

Hospitals and medical centers are required to conduct regular audits of PHI access logs, but all too often those audits occur far too infrequently. Annual checks could potentially allow rogue employees to view vast numbers of patient records before the privacy violations are discovered. During that time, hundreds of patients could suffer financial harm.

Only by regularly conducting audits of PHI access logs can healthcare organizations limit the harm caused to patients and nip the problem in the bud. Regular audits will also send a strong message to healthcare employees that inappropriate PHI access will be rapidly identified and swift action taken against the individuals concerned.
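As an added example (not code from Infirmary Health or any EHR vendor), the script below runs the kind of periodic access-log audit recommended above over a constructed log and shows how the audit interval bounds how many distinct patients a browsing employee can touch before being flagged; the log format, user names, access rates and threshold are assumptions.

```python
"""Periodic PHI access-log audit: flag users who open an unusual number of
distinct patient records, and compare detection under monthly vs annual audits.

Added example, not code from Infirmary Health or any EHR vendor. The log
format, user names, daily access rates and threshold are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta


def build_sample_log():
    """Constructed access log as (date, user, patient_id, action) tuples.

    'nurse01' views the same two patients on her unit every day (normal use).
    'clerk07' opens five new patients' records every day from 2015-10-03
    through 2016-11-11, mirroring the curiosity-browsing pattern above.
    """
    records = []
    start = date(2015, 10, 3)
    unit_patients = ["P1001", "P1002"]
    for day in range(406):  # 2015-10-03 .. 2016-11-11 inclusive
        d = start + timedelta(days=day)
        for pid in unit_patients:
            records.append((d, "nurse01", pid, "VIEW_FLOWSHEET"))
        for k in range(5):
            records.append((d, "clerk07", f"P{20000 + day * 5 + k}", "VIEW_ADMISSION"))
    return records


def distinct_patients(records, start, end):
    """Distinct patient ids per user in the half-open window [start, end)."""
    seen = defaultdict(set)
    for d, user, pid, _action in records:
        if start <= d < end:
            seen[user].add(pid)
    return {user: len(pids) for user, pids in seen.items()}


def flag_users(records, start, end, threshold):
    """Users whose distinct-patient count in the window exceeds the threshold.

    A fixed threshold is used here for simplicity; in practice it would be
    derived from a per-role baseline (e.g. a multiple of the unit's median).
    """
    counts = distinct_patients(records, start, end)
    return sorted(user for user, n in counts.items() if n > threshold)


def exposure_before_detection(records, interval_days, threshold):
    """Simulate audits every interval_days starting from the first log date.

    Returns (audit_date, flagged_users, distinct_patients_touched) for the
    first audit that flags anyone, counting every record the first flagged
    user touched from the start of the log up to that audit. Returns None
    if no audit window ever crosses the threshold.
    """
    first = min(d for d, *_ in records)
    last = max(d for d, *_ in records)
    window_start = first
    while window_start <= last:
        window_end = window_start + timedelta(days=interval_days)
        flagged = flag_users(records, window_start, window_end, threshold)
        if flagged:
            total = distinct_patients(records, first, window_end)
            return window_end, flagged, total[flagged[0]]
        window_start = window_end
    return None


if __name__ == "__main__":
    log = build_sample_log()
    for interval in (30, 365):
        result = exposure_before_detection(log, interval, threshold=100)
        print(f"audit every {interval:>3} days -> detected on {result[0]}, "
              f"{result[1]} had touched {result[2]} distinct patients")
```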

The post Regular PHI Access Log Audits Can Prevent Major PHI Breaches appeared first on HIPAA Journal.

New Report Published on Privacy Risks of Personal Health Wearable Devices

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics.

Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data.

The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure.

If a wearable device is provided to a patient by a HIPAA-covered entity, the data the device collects, records, and transmits must be secured at all times. If the same device is provided by a non-HIPAA-covered entity, personal data collected by the device will not necessarily be protected to the same standards. Consumers are afforded a certain level of privacy protection as the Federal Trade Commission (FTC) regulates wearable technology, although HIPAA Rules are far more stringent.

Consumers may not be aware that health data collected by wearable technology may not be protected to the standards demanded by HIPAA and that lack of knowledge may result in consumers unwittingly giving up certain privacy protections. The Department of Health and Human Services’ Office for Civil Rights has responded to the issue by issuing a report warning that wearable devices may not be covered by HIPAA Rules and consumers may be providing consent for their health data to be used by non-HIPAA covered entities without knowing exactly how their data will be collected, protected, and used.

However, more must be done to ensure consumers are informed about how their data will be collected and used and greater privacy controls must be put in place to ensure sensitive data are adequately protected regardless of which entity collects the data.

This month, researchers from the American University in Washington, D.C., and the Center for Digital Democracy published a report – Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer Protection – on the problem. The report raises awareness of the privacy and security gaps in current federal legislation and calls for further regulation of wearable devices to ensure consumer data are adequately protected and users of the devices are informed about how their data will be used.

In the 122-page report the researchers explain that while there are current privacy and security concerns surrounding wearable technology, those issues will become more serious as new and more sophisticated devices come to market. They explain that in the not-too-distant future, “Biosensors will routinely be able to capture not only an individual’s heart rate, body temperature, and movement, but also brain activity, moods, and emotions.”

It is not only the information collected by the devices that is a cause for concern. The researchers point out that data collected by the devices “can, in turn, be combined with personal information from other sources—including health-care providers and drug companies—raising such potential harms as discriminatory profiling, manipulative marketing, and security breaches.”

As the devices become more integrated into everyday life, the researchers warn that the ability of consumers to make informed decisions about privacy and the use of their data will depend, to a large extent, on the effectiveness of government and self-regulatory policies.

However, at present there are insufficient privacy controls in place and major gaps in coverage exist due to “limited and fragmented” government privacy laws. Unless new policies are put in place to ensure the privacy of consumers is protected, Americans could be exposed to serious privacy risks by using these devices.

The report makes a number of recommendations for protecting consumers’ privacy and suggests ways the government, academic institutions, and consumer and privacy groups can join forces to develop a new and more effective strategy for protecting the health data collected by wearable devices.

The recommendations include:

  • The creation of a Public Interest Connected-Health Task Force incorporating privacy experts from a broad range of consumer, privacy, and civil liberties organizations to enhance privacy protections in the big data era. The task force should be responsible for “analyzing new developments, developing public policy and self-regulatory proposals, conducting outreach to other key stakeholders, and engaging in constructive dialogue with industry and government officials.”
  • Classifying all data collected by wearable technology as sensitive, regardless of which organization or entity collects and uses those data. The researchers also call for an affirmative and effective consent process to be implemented before any consumer data can be collected and used.
  • Consumers should be allowed to place limits on the types of data that can be collected and used by wearable devices, while companies should clearly explain how, and under what circumstances, data will be collected, used, and shared.
  • Companies that collect data should make it clear how consumers can access those data, correct any errors, and arrange for their data to be deleted should they so wish. Any requests must be dealt with in a timely manner and at minimal cost to the consumer.
  • The use of usability testing to ensure consumer privacy policies can be easily understood by consumers, regardless of the size of screen used to access the information. Companies should also publish the results of their studies.
  • The creation of standards by self-regulatory organizations that are applied to all organizations, not only those covered by HIPAA Rules.
  • The use of fair marketing practices to ensure data collected from the users of wearable devices are not used to discriminate based on “ethnicity, gender, sexual orientation, age, community, or medical condition.”
  • The placing of limits on the sharing of health data, to prevent organizations from sharing data with third parties for advertising, marketing, or the promotion of other services, and from providing data to other entities without the knowledge or consent of consumers.

The post New Report Published on Privacy Risks of Personal Health Wearable Devices appeared first on HIPAA Journal.

Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online

The New Hampshire Department of Health and Human Services has alerted approximately 15,000 patients to a breach of some of their personal and highly sensitive information. Patient data were accessed by a former patient in October 2015 and were posted on a social media website.

The data accessed and posted online by the former patient included names and addresses along with Medicaid ID numbers and Social Security numbers. The patient gained access to the data on a laptop computer located in the hospital library. Patients are permitted to use the library and the computers, although access to patients’ protected health information should not have been possible.

At the time of the breach, a staff member observed the patient accessing ‘non-confidential’ hospital data. The incident was reported to a supervisor and steps were taken to restrict access to the library computers. At the time, it was not known that sensitive data had been accessed. While a supervisor was alerted to the incident, the matter was not escalated, and neither New Hampshire Hospital nor the New Hampshire Department of Health and Human Services (NH-DHHS) was informed.

However, ten months later in August 2016, a security official at the hospital alerted NH-DHHS that the former patient may have posted NH-DHHS data on a social media website. An investigation into the incident was launched and the Department of Information Technology was notified. The matter was also reported to State Police and state officials. However, according to the breach notice published by NH-DHHS on December 27, “An investigation at that time did not reveal any evidence that confidential personal or personal health information had been breached.”

Three months later, on November 4, 2016, hospital security notified NH-DHHS that the patient had posted some protected health information to a social media site that day. Within 24 hours of NH-DHHS being informed of the breach, the PHI was removed from the site and a criminal investigation was launched. NH-DHHS says patients impacted by the breach had received services at New Hampshire Hospital prior to November 2015, although no evidence has been uncovered to suggest any PHI has been misused.

NH-DHHS Commissioner Jeffrey A. Meyers issued a statement saying the breach was “an isolated incident stemming from unauthorized access in October 2015 as described above and is not the result of an external attack.”

He also confirmed that all state departments are investigating the incident and efforts are being made to strengthen state cybersecurity policies and procedures to better protect patient health data from attacks from hackers, as well as accidental disclosures as a result of human error.

The post Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online appeared first on HIPAA Journal.