Healthcare Data Privacy

Largest Healthcare Data Breaches of 2016

Posted by HIPAA Journal

 

2016 was a particularly bad year for healthcare data breaches. While the numbers of records exposed was nowhere near the level of 2015 – 15,936,849 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year.

As 2017 begins, there have been 313 reported breaches of more than 500 records that have been uploaded to the OCR breach portal.

2016 Healthcare Data Breaches of 500 or More Records

 

Year Number of Breaches Number of Records Exposed
2016 313 15,936,849
2015 270 113,267,174
2014 307 12,737,973
2013 274 6,950,118
2012 209 2,808,042
2011 196 13,150,298
2010 198 5,534,276
2009 18 134,773
Total 1785 170,519,503

 

While the above figures appear to suggest a significant reduction in large healthcare data breaches year on year, the figures are somewhat misleading.

In 2015 there were three massive data breaches reported by covered entities: Anthem Inc., Premera Blue Cross, and Excellus Health Plan. Those three cyberattacks resulted in the theft of 78.8 million records, 11 million, and 10 million records respectively.

More records may have been exposed in 2015 as a result of those major cyberattacks, although in each size category, 2016 ranked worse than 2015. Many healthcare organizations will be happy to put 2016 behind them.

 

Year 2016 Healthcare Data Breaches
500 to 1000 Records 1,000 to 10,000 Records 10,000 to 100,000 Records 100,001+ Records
2016 13 62 151 86
2015 12 37 142 76

 

Aside from one major breach at a business associate, all of the largest healthcare data breaches of 2016 – those that resulted in the exposure or theft of more than 100,000 healthcare records – affected healthcare providers. The largest data breach experienced by a health plan was the 91,187-record breach reported by Washington State Health Care Authority in September.

Largest Healthcare Data Breaches of 2016

 

Rank Covered Entity Entity Type Cause of Breach Records Exposed
1 Banner Health Healthcare Provider Hacking/IT Incident 3,62,0000
2 Newkirk Products, Inc. Business Associate Hacking/IT Incident 3,466,120
3 21st Century Oncology Healthcare Provider Hacking/IT Incident 2,213,597
4 Valley Anesthesiology Consultants Healthcare Provider Hacking/IT Incident 882,590
5 County of Los Angeles Departments of Health and Mental Health Healthcare Provider Hacking/IT Incident 749,017
6 Bon Secours Health System Incorporated Healthcare Provider Unauthorized Access/Disclosure 651,971
7 Peachtree Orthopaedic Clinic Healthcare Provider Hacking/IT Incident 531,000
8 Radiology Regional Center, PA Healthcare Provider Loss 483,063
9 California Correctional Health Care Services Healthcare Provider Theft 400,000
10 Central Ohio Urology Group, Inc. Healthcare Provider Hacking/IT Incident 300,000
11 Premier Healthcare, LLC Healthcare Provider Theft 205,748
12 Athens Orthopedic Clinic, P.A. Healthcare Provider Unauthorized Access/Disclosure 201,000
13 Community Mercy Health Partners Healthcare Provider Improper Disposal 113,528

 

Main Causes of Healthcare Data Breaches in 2016

Insider breaches continue to plague the healthcare industry in the United States. As in 2015, the main cause of healthcare data breaches in 2016 was unauthorized access/disclosure. Hacking incidents on the scale of those at Anthem, Premera, and Excellus were not repeated in 2016, but 2016 saw a major increase in healthcare hacks.

The loss and theft of unencrypted devices used to store PHI fell considerably year on year, although the use of data encryption technology could have prevented all 76 of those data breaches and the exposure of 1,459,816 healthcare records.

Main Cause of Breach 2016 2015
Unauthorized Access/Disclosure 127 102
Hacking/IT Incident 102 57
Theft 60 81
Loss 16 23
Improper Disposal 7 6

 

2016 Healthcare Data Breaches by Covered Entity

Healthcare data breaches in 2016 followed a similar pattern to 2015, with healthcare providers the main entities breached, although the percentage of breaches affecting health plans was significantly lower in 2015. Data breaches at business associates remained at the same level year on year.

 

Breached Entity 2016 2015
Healthcare Provider 247 196
Health Plan 46 62
Business Associate 19 19

Data Source: Department of Health and Human Services’ Office for Civil Rights

The post Largest Healthcare Data Breaches of 2016 appeared first on HIPAA Journal.

TigerText Announces Record-Breaking Year for Growth

Posted by HIPAA Journal

TigerText, the nation’s leading secure healthcare messaging platform provider, has announced it has recorded another record-breaking year for growth, signing up over 300 healthcare organizations in 2016.

The company now boasts more than 3,000 healthcare customers in the United States, including five of the top ten largest health systems in the country. More than 10 million secure messages are now being sent via the TigerText platform every day and the platform is used in over 5,000 healthcare facilities in the United States.

TigerText was originally developed as a standalone messaging platform, yet over the course of the past 6 years it has evolved into a comprehensive clinical communications platform. The platform has been tailored to meet the exacting needs of healthcare organizations, including the strict privacy and security controls required by the Health Insurance Portability and Accountability Act (HIPAA).

This year has seen two major new developments. Earlier this year, the TigerText platform achieved the prestigious HITRUST certification and in October the company launched a new healthcare workflow solution –TigerFlow.

TigerFlow incorporates a range of healthcare-specific features that allow healthcare organizations of all sizes to optimize and enhance communications workflows. As Brad Brooks, co-founder and CEO of TigerText, explained “TigerFlow is the first clinical communication platform built to be the central hub for care teams, thus truly enabling the last mile of care.” Brooks went on to explain that “Optimizing communication at the point of care frees physicians and nurses to do what they love – take care of patients.” The introduction of TigerFlow is seen as the biggest event in the company’s history since its 2010 launch.

The healthcare industry faces unique communications challenges and has historically struggled with integrating new technology. The pager has proved to be an invaluable and reliable tool for the healthcare industry for more than 60 years, yet many healthcare organizations have now accepted that the time has come for a modern replacement to be introduced. The launch of TigerFlow has spurred many healthcare organizations to finally make the transition to a new, and more efficient communication system.

The communications system incorporates a wide range of features to improve productivity, patient outcomes, provider satisfaction, and profitability. As Brooks explained, “The TigerFlow solution specifically improves collaboration and clinical communications by addressing and solving health systems’ concerns around integrating technology.” In addition to the messaging platform, healthcare providers benefit from enhanced data integration capabilities, end-to-end workflow consultation services, and on-demand data analytics.

The cost savings that can be generated are considerable. Brooks believes the potential savings could be excess of $100 billion across the healthcare industry as a whole. One of the company’s large healthcare clients has generated over $6 million in cost savings in 2016 alone, while another reported savings of more than $200,000 in just 8 weeks after implementing the TigerText platform.

The past few months have also seen the company bring in new talent with a wealth of healthcare experience to further accelerate growth in the healthcare industry. Kirk Paul Kirkman has been recruited to serve as President of the TigerText Client Organization while Kelli Castellano has been appointed Chief Marketing Officer. Both new hires have extensive experience in the healthcare industry and are highly focused on improving physician and nurse satisfaction and helping providers improve patient outcomes.

The post TigerText Announces Record-Breaking Year for Growth appeared first on HIPAA Journal.

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted

Posted by HIPAA Journal

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May, 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation.

The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation response team. In many cases, cybercriminals are able to effectively mask their identities and it is relatively rare for the individuals responsible for phishing attacks to be identified. Bringing individuals to justice is harder still. All too often the perpetrators are based overseas.

In this case, the investigation has resulted in the identification of a suspect: Austin Kelvin Onaghinor, 37, of Nigeria. On December 15, 2016, a criminal arrest warrant for Onaghinor was issued. Onaghinor faces nine charges related to the phishing attack, including theft and misuse of L.A. County confidential information, unauthorized computer access, and identity theft.

At the time of writing, Onaghinor has yet to be arrested and his whereabouts is unknown. He is considered to be a fugitive of the law and Lacey said “My office will work aggressively to bring this criminal hacker and others to Los Angeles County where they will be prosecuted to the fullest extent of the law.”

The phishing attack occurred on May 13, 2016. A large number of expertly crafted phishing emails were sent to Los Angeles County employees. The emails appeared to be legitimate; however, responding to the emails resulted in employees disclosing their usernames and passwords to the attacker. In total, 108 L.A. County employees responded, and by doing so, compromised their email accounts.

The email accounts contained a wide range of sensitive data including financial and health information. Investigators were required to individually check each email in the 108 compromised accounts to determine which individuals had been impacted and what information had been exposed.

The extensive investigation determined that 756,000 individuals had been impacted by the breach. Those individuals had previously had contact via email with the following Los Angeles County departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.”

According to the breach notice recently uploaded to the Department of Health and Human Services’ Office for Civil Rights breach portal, 749,017 patients of the County of Los Angeles Departments of Health and Mental Health were impacted.

The information contained in the email accounts included full names, home addresses, phone numbers, birth dates, Social Security numbers, state ID numbers, driver’s license numbers, Medi-Cal and insurance carrier IDs, medical record numbers, payment card numbers, bank account information, and medical information, including diagnoses and treatment information.

While the information was potentially accessed 7 months previously, Los Angeles County has uncovered no evidence to suggest that any information has been misused. As a precaution against identity theft and fraud, all individuals impacted by the breach have been offered a year of credit monitoring, identity consultation, and identity restoration services without charge.

Phishing emails are regularly sent to government employees and many make it past spam filters to employees’ inboxes. However, for the emails to result in the disclosure of 108 email account credentials is concerning.

Preventing employees from responding to phishing emails is a challenge, but a successful attack of this scale suggests a spectacular failure of systems and training, although the attack was detected the following day and L.A. County “immediately implemented strict security measures” to reduce the impact of the breach.

Phishing emails are a difficult threat to mitigate, although there are proven technologies and tactics that can be employed to reduce risk and at least limit the harm caused. Anti-phishing training has been demonstrated to greatly improve employees’ phishing email identification skills, in particular when anti-phishing exercises are conducted.

A study of 40 million phishing simulation emails by PhishMe (between January 2015 and July 2016) showed that susceptibility to phishing attacks falls to around 20% after just one failed phishing email simulation, while the implementation of a reporting tool can dramatically reduce the time to detect phishing threats. The sooner the threat is detected, the easier it is to alert employees and mitigate risk.

Solutions such as advanced spam filters can reduce the volume of phishing emails that are delivered to end users, while web filtering gateways can block users’ attempts to respond to phishing emails. Preventing end users from visiting websites based in foreign countries can reduce risk, although foreign-based phishers often host their phishing sites in the United States.

Along with next generation firewalls and intrusion detection systems it is possible to mount a reasonable defense against phishing attacks and reduce the damaged caused when those attacks succeed.

The attack should serve as a reminder of how serious the threat of phishing is, and how important it is for organizations – government and private sector – to enhance the controls they have in place to mitigate the threat.

The post 108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted appeared first on HIPAA Journal.

Regular PHI Access Log Audits Can Prevent Major PHI Breaches

Posted by HIPAA Journal

Infirmary Health has announced that an employee has been fired after being discovered to have accessed the health records of approximately 1,000 patients without authorization. The individual was required to access patients’ protected health information (PHI) for legitimate work reasons, yet data access rights were abused.

The employee worked in the Atmore Community Hospital: A 49-bed facility serving patients in Escambia and Monroe counties in Alabama. A routine audit of PHI access logs on November 18, 2016 revealed that the individual first started inappropriately accessing patient records from October 3, 2015.  Records continued to be inappropriately accessed until November 11, 2016.

According to a press release issued by Infirmary Health, the information accessed was limited to patient names, admission dates and flowsheets. It is unclear why the information was accessed, although it is not believed that any data have been disclosed to any other individual nor copied and removed from the hospital. PHI appears to have been accessed purely out of curiosity.

In accordance with Health Insurance Portability and Accountability Act (HIPAA) Rules, the employee was authorized to view the minimum necessary information to conduct work duties and had received extensive training and specific instructions not to access the PHI of patients for non-work related reasons.

As a result of the discovery, the employee was placed on leave until the matter was investigated, and was later fired for breaching hospital policies and HIPAA Rules.

Infirmary Health has informed affected patients by mail and advised them to monitor their personal financial activity as a precaution, although the risk of any information being used inappropriately is believed to be very low.

Tacking the Problem of Unauthorized PHI Access by Employees

Training must be provided to healthcare employees on HIPAA Rules covering patient privacy, the circumstances under which PHI can be accessed, and the penalties for improper access.

Healthcare organizations should be aware that even with extensive training, unauthorized PHI access is likely to occur. In this case, patient privacy has been violated but no financial harm is believed to have been caused. However, as we have seen on numerous occasions this year, that is not always the case. All too often PHI is stolen and used for identity theft and fraud.

Hospitals and medical centers are required to conduct regular audits of PHI access logs, but all too often those audits occur far too infrequently. Annual checks could potentially allow rogue employees to view vast numbers of patient records before the privacy violations are discovered. During that time, hundreds of patients could suffer financial harm.

Only by regularly conducting audits of PHI access logs can healthcare organizations limit the harm caused to patients and nip the problem in the bud. Regular audits will also send a strong message to healthcare employees that inappropriate PHI access will be rapidly identified and swift action taken against the individuals concerned.

The post Regular PHI Access Log Audits Can Prevent Major PHI Breaches appeared first on HIPAA Journal.

New Report Published on Privacy Risks of Personal Health Wearable Devices

Posted by HIPAA Journal

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics.

Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data.

The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure.

If a wearable device is provided to a patient by a HIPAA-covered entity, the data the device collects, records, and transmits must be secured at all times. If the same device is provided by a non-HIPAA-covered entity, personal data collected by the device will not necessarily be protected to the same standards. Consumers are afforded a certain level of privacy protection as the Federal Trade Commission (FTC) regulates wearable technology, although HIPAA Rules are far more stringent.

Consumers may not be aware that health data collected by wearable technology may not be protected to the standards demanded by HIPAA and that lack of knowledge may result in consumers unwittingly giving up certain privacy protections. The Department of Health and Human Services’ Office for Civil Rights has responded to the issue by issuing a report warning that wearable devices may not be covered by HIPAA Rules and consumers may be providing consent for their health data to be used by non-HIPAA covered entities without knowing exactly how their data will be collected, protected, and used.

However, more must be done to ensure consumers are informed about how their data will be collected and used and greater privacy controls must be put in place to ensure sensitive data are adequately protected regardless of which entity collects the data.

This month, researchers from the American University in Washington, D.C., and the Center for Digital Democracy published a report – Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer Protection – on the problem. The report raises awareness of the privacy and security gaps in current federal legislation and calls for further regulation of wearable devices to ensure consumer data are adequately protected and users of the devices are informed about how their data will be used.

In the 122-page report the researchers explain that while there are current privacy and security concerns surrounding wearable technology, those issues will become more serious as new and more sophisticated devices come to market. They explain that in the not-too-distant future, “Biosensors will routinely be able to capture not only an individual’s heart rate, body temperature, and movement, but also brain activity, moods, and emotions.”

It is not only the information collected by the devices that is a cause for concern. The researchers point out that data collected by the devices “can, in turn, be combined with personal information from other sources—including health-care providers and drug companies—raising such potential harms as discriminatory profiling, manipulative marketing, and security breaches.”

As the devices become more integrated into everyday life, the researchers warn that the ability of consumers to make informed decisions about privacy and the use of their data will depend, to a large extent, on the effectiveness of government and self-regulatory policies.

However, at present there are insufficient privacy controls in place and major gaps in coverage exist due to “limited and fragmented” government privacy laws. Unless new policies are put in place to ensure the privacy of consumers is protected, Americans could be exposed to serious privacy risks by using these devices.

The report makes a number of recommendations for protecting consumers’ privacy and suggests ways the government, academic institutions, and consumer and privacy groups can join forces to develop a new and more effective strategy for protecting the health data collected by wearable devices.

The recommendations include:

  • The creation of a Public Interest Connected-Health Task Force incorporating privacy experts from a broad range of consumer, privacy, and civil liberties organizations to enhance privacy protections in the big data-era. The task force should be responsible for “analyzing new developments, developing public policy and self-regulatory proposals, conducting outreach to other key stakeholders, and engaging in constructive dialogue with industry and government officials.”
  • Classifying all data collected by wearable technology as sensitive, regardless of which organization or entity collects and uses those data. The researchers also call for an affirmative and effective consent process to be implemented before any consumer data can be collected and used.
  • Consumers should be allowed to place limits on the types of data that can be collected and used by wearable devices, while companies should clearly explain how, and under what circumstances, data will be collected, used, and shared.
  • Companies that collect data should make it clear how consumers can access those data, correct any errors, and arrange for their data to be deleted should they so wish. Any requests must be dealt with in a timely manner and at minimal cost to the consumer.
  • The use of usability testing to ensure consumer privacy policies can be easily understood by consumers, regardless of the size of screen used to access the information. Companies should also publish the results of their studies.
  • The creation of standards by self-regulatory organizations that are applied to all organizations, not only those covered by HIPAA Rules.
  • The use of fair marketing practices to ensure data collected from the users of wearable devices are not used to discriminate based on “ethnicity, gender, sexual orientation, age, community, or medical condition.”
  • The placing of limits on the sharing of heath data to prevent organizations from sharing data with third parties where advertising, marketing, or the promotion of other services are involved and the provision of data to other entities without the knowledge or consent of consumers.

The post New Report Published on Privacy Risks of Personal Health Wearable Devices appeared first on HIPAA Journal.

Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online

Posted by HIPAA Journal

New Hampshire Department of Health and Human Services has alerted approximately 15,000 patients to a breach of some of their personal and highly sensitive information. Patient data were accessed by a former patient in October 2015 and were posted on a social media website.

The data accessed and posted online by the former patient included names and addresses along with Medicaid ID numbers and Social Security numbers. The patient gained access to the data on a laptop computer located in the hospital library. Patients are permitted to use the library and the computers, although access to patients’ protected health information should not have been possible.

At the time of the breach the patient was observed accessing ‘non-confidential’ hospital data by a staff member. The incident was reported to a supervisor and steps were taken to restrict access to the library computers. At the time, it was not known that sensitive data were accessed. While a supervisor was alerted to the incident, the matter was not escalated and neither the New Hampshire Hospital nor the New Hampshire Department of Health and Human Services (NH-DHHS) were informed.

However, ten months later in August 2016, a security official at the hospital alerted NH-DHHS that the former patient may have posted NH-DHHS data on a social media website. An investigation into the incident was launched and the Department of Information Technology was notified. The matter was also reported to State Police and state officials. However, according to the breach notice published by NH-DHHS on December 27, “An investigation at that time did not reveal any evidence that confidential personal or personal health information had been breached.”

Three months later on November 4, 2016, hospital security notified NH-DHHS that the patient had posted some protected health information to a social media site that day. Within 24 hours of DHHS being informed of the breach, the PHI was removed from the site and a criminal investigation was launched. NH-DHHS says patients impacted by the breach had received services New Hampshire Hospital prior to November 2015, although no evidence has been uncovered to suggest any PHI has been misused.

NH-DHHS Commissioner Jeffrey A. Meyers issued a statement saying the breach was “an isolated incident stemming from unauthorized access in October 2015 as described above and is not the result of an external attack.”

He also confirmed that all state departments are investigating the incident and efforts are being made to strengthen state cybersecurity policies and procedures to better protect patient health data from attacks from hackers, as well as accidental disclosures as a result of human error.

The post Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online appeared first on HIPAA Journal.

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data

Posted by HIPAA Journal

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60.

The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of Health and Human Services’ Office for Civil Rights. The vast majority of those records are in the hands of cybercriminals. Supply is now outstripping demand and just like any commodity, that results in a dramatic fall in prices.

Stealing medical records is now much less profitable which means cybercriminals have to recoup their losses from somewhere. That does not mean the healthcare industry is likely to be attacked less. Instead the fall in price is likely to lead to even more attacks. In order to make the same level of profit, more records need to be stolen and sold on.

The fall in the price of healthcare records has also prompted cybercriminals to change their tactics and look for new ways to make money. Many have opted for ransomware. Ransomware offers cybercriminals a quick and easy source of cash. Ransom payments are typically paid within 7 days of the malicious software being installed on healthcare networks. It is also relatively easy to bypass healthcare organizations’ defenses to install ransomware. Given the quick source of cash, the ease of attacks, and the high likelihood of payment, it is no surprise that ransomware has proven so popular.

It is difficult to calculate exactly how many healthcare organizations have been attacked with ransomware in 2016, as not all incidents are reported. However, hacking incidents affecting more than 500 individuals are.

TrapX calculated that major healthcare data breaches increased by 63% in 2016 (January 1 to December 12, 2016) compared to 2015. TrapX classed any breach of more than 500 records as ‘major’ and only included hacking incidents. In 2015, 57 major healthcare data breaches were reported to the Office for Civil Rights, whereas in 2016 there have been 90 reported breaches and the year is not over yet.

Since healthcare organizations have 60 days from the date of discovery of a breach to issue a report to OCR, the final figures for 2016 will not be known until March 1, 2017. The end of year total is certain to be considerably higher than 90 breaches.

The healthcare industry has responded to the rise in attacks by committing more funds to cybersecurity defenses. Employees are being trained on security best practices and overall awareness of security risks such as phishing has increased. Even so, many healthcare organizations are still falling victim to ransomware attacks and hacking incidents continue to rise.

TrapX, along with many security experts, predicts the use of ransomware will continue and attacks on healthcare organizations will increase in 2017. Hacking incidents are also likely to rise, with TrapX predicting attacks on medical devices will significantly increase in 2017.

2017, it would seem, is set to be yet another difficult year for the healthcare industry.

The post Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data appeared first on HIPAA Journal.

Fairbanks Hospital Alerts Patients to Potential 3-Year Internal HIPAA Breach

Posted by HIPAA Journal

Fairbanks Hospital in Indianapolis, IN., has discovered that the electronic health information of its patients could have been accessed by all of its employees for a period of at least three years.

Protections had been put in place to prevent unauthorized accessing of electronic health records by staff members, but on October 18, 2016, the hospital became aware that some files had been stored on an internal network that lacked those protections and could be accessed by all employees, even those who were unauthorized to view patients’ electronic information.

Following the discovery, an independent forensics expert was called in to determine the nature and scope of the problem. That individual was able to determine that the files were accessible since November 2013, and potentially longer. It was not possible to say whether the files were accessible before that date.

Attempts were made to determine whether the files had been accessed by employees during the time that they were unprotected, but access logs were not kept so it was not possible to determine whether any unauthorized individuals had viewed the information in the files.

The majority of patients impacted by the incident only had their name and a very limited amount of information exposed to unauthorized staff members. In such cases, the information that could have been accessed included admission dates and appointment scheduling information.

However, in some cases, Social Security numbers, dates of birth, addresses, telephone numbers, patient ID numbers, treatment information, medical diagnoses, and health insurance information could have been accessed.

Fairbanks hospital is in the process of informing patients of the potential privacy breach by mail and is providing them with further information on the steps that can be taken to protect against identity theft and fraud. Credit monitoring and identity theft protection services do not appear to have been offered.

Patients have been encouraged to “remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports and explanation of benefits forms for suspicious activity.” They have also been told “this also includes reviewing account statements, medical bills, and health insurance statements regularly to ensure that no one has submitted fraudulent medical claims using your name and address.” However, no reports of unauthorized use or misuse of the information have been reported to date.

The incident has been reported to appropriate state and federal bodies, including the Department of Health and Human Services’ Office for Civil Rights. It is unclear at this stage exactly how many patients have potentially been impacted.

The post Fairbanks Hospital Alerts Patients to Potential 3-Year Internal HIPAA Breach appeared first on HIPAA Journal.

Joint Commission Ban on Secure Messaging for Orders Remains in Place

Posted by HIPAA Journal

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter.

In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk.

The ban was originally put in place as SMS messages were not secure. It was also not possible to verify the sender of a message nor for original message to be retained for auditing purposes. Since the original ban was introduced, a number of companies developed secure text messaging platforms that incorporated all of the necessary security features to ensure messages could not be intercepted.

Those messaging platforms also allowed the identity of the sender to be verified, ensured that messages were retained for auditing purposes, and a slew of other privacy and security controls were incorporated to ensure compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.

The advances made in secure text messaging technology led to the decision to lift the ban, which was announced in the May perspectives newsletter. Then in July 2016, the Joint Commission reversed its decision and reinstated the ban, calling for further guidance for healthcare organizations due to concerns over patient privacy.

Guidance for healthcare organizations on the use of secure text messaging platforms would be developed in collaboration with the Centers for Medicare & Medicaid Services (CMS). Those guidelines were expected to be released by September this year.

However, the Joint Commission said in its December newsletter that its position has not changed and the ban is to remain in place, although it will continue to monitor the advances in secure texting technology and may update its position in the future.

In the meantime, CMS and the Joint Commission continue to ban the use of unsecure SMS messages and secure messaging platforms for sending patient care orders, although clinicians are permitted to use HIPAA-compliant secure messaging platforms to send messages to each other.

The decision to further delay the lifting of the ban on secure text messaging for orders is due to the Joint Commission still having a number of concerns over privacy and security.

The preferred method for sending orders is a computerized provider order entry (CPOE), as this method allows providers to directly enter orders into their electronic health record system.

The Joint Commission says, “CPOE helps ensure accuracy and allows the provider to view and respond to clinical decision support (CDS) recommendations and alerts. CPOE is increasingly available through secure, encrypted applications for smartphones and tablets, which will make following this recommendation less burdensome.”

If a CPOE is not possible, orders can be communicated verbally, but not by SMS message or even a secure messaging platform. The Joint Commission said, “After extensive discussion weighing the pros and cons of using secure text messaging systems to place orders, the Joint Commission and CMS have concluded that the impact of secure text orders on patient safety remains unclear.”

The Joint Commission also believes the use of an additional method of transmitting orders may increase the burden on nurses to manually enter the orders into the EHR. It was also pointed out that transmission of verbal orders allows synchronous clarification and confirmation of orders in real time, and if alerts or a CDS recommendation is triggered during the order process, an individual manually entering the order into an EHR may need to contact the ordering practitioner to request further information.

The post Joint Commission Ban on Secure Messaging for Orders Remains in Place appeared first on HIPAA Journal.