Healthcare Data Security

Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity

Posted February 23, 2021 by HIPAA Journal

Throughout the pandemic, cybercriminals have taken advantage of new opportunities and have been attacking hospitals, clinics and other businesses and organizations on the front line in the fight against COVID-19.

Ransomware attacks on the healthcare industry soared in 2020, especially in the fall when a coordinated campaign claimed many healthcare victims. Ransomware remains a major threat to the healthcare sector and the high numbers of attacks have continued into 2021.

A recent report from the CTIL League provides further information on these attacks and some of the other ways the healthcare industry was targeted in 2020. The report highlights the work conducted by the CTIL Dark team, which monitors the darknet and deep web for signs of data breaches and cybercriminal activity that has potential to impact the healthcare industry or general public health.

This is the first report to be released that highlights the discoveries and achievements of the CTIL Dark team, and delves into realm of healthcare ransomware attacks and the dark markets where access to healthcare networks are traded.

In 2020, the CTIL Dark team’s research determined the main ransomware gangs targeting the healthcare sector to be Maze, Conti, Netwalker, REvil, and Ryuk. Between these five operations more than 100 ransomware attacks were conducted on the healthcare sector, two thirds of which were in North America and Europe. The attacks by these groups accounted for 75% of all attacks on the sector in 2020.

The increase in ransomware attacks in 2020 was attributed to the ease at which the industry could be attacked and the increased prominence of the industry during the pandemic, and no healthcare organization was immune. In fact while attacks on large healthcare organizations with the means to pay large ransom demands were favored, in the fall there was a significant increase in attacks on small- to medium-sized hospitals and clinics.

Ransomware attacks tend to dominate the news reports due to the major impact these attacks have on healthcare providers and their patients. Hospitals are forced to switch to pen and paper, appointments often have to be cancelled, and patient information is frequently leaked online and made available to a wide range of cybercriminals. What is less well understood is the supply chain that makes many of these attacks possible.

During the pandemic, demand for backdoor access to healthcare networks increased considerably, as did the number of criminals providing access. The supply chains established to provide credentials for healthcare networks to ransomware gangs and other threat actors saw the barrier to entry into cyberattacks on the sector significantly lowered.

2020 saw an increase in the number of Initial Access Brokers. These are the hackers who target and breach vulnerable networks and sell on access to the highest bidder, including ransomware gangs and their affiliates. The CTIL Dark team reports a doubling of the number of Initial Access Brokers between Q2, 2020 and Q4, 2020. Skilled hackers that can breach healthcare networks often sign up to ransomware-as-a-service operations as affiliates themselves. In 2020, several RaaS operations started recruitment drives targeting individuals who already had access to healthcare networks and could conduct large numbers of attacks.

The CTIL Dark team notes that ransomware attacks are becoming more extensive, targeted, and coordinated, with threat groups often partnering and sharing resources and information. In 2020, the ransomware activity investigated by the team most commonly involved attacks on perimeter vulnerabilities such as unpatched systems and weak passwords in remote connectivity solutions, rather than phishing attacks.

The CTIL Dark team also identified an increase in the number of databases containing PHI being sold on darknet forums for use in targeted attacks on patients, and employee databases for targeting healthcare employees to gain access to healthcare networks.

Phishing attacks increased in 2020, with opportunistic threat actors abandoning their regular campaigns and switching to COVID-19 themed campaigns that closely mirrored equipment shortages and knowledge gaps. Scams were conducted in response to the shortage in COVID-19 tests and PPE, followed by fake offers of antibody blood. When hydroxyquinoline was touted as a game changer for COVID-19 treatment, darknet vendors switched from offering cocaine to offering doses of the drug. Now, as the vaccine rollout gathers pace, scammers have switched to offering fake vaccines.

CTIL has predicted attacks targeting the healthcare sector will most likely increase in 2021 rather than decline, so it is essential for healthcare organizations to remain on high alert and leverage data from cybersecurity vendors, health-ISACs, law enforcement, and organizations such as CTIL league and implement policies, procedures, and protections to combat these threats.

The post Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity appeared first on HIPAA Journal.

January 2021 Healthcare Data Breach Report

Posted February 19, 2021 by HIPAA Journal

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day.

There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records.

Largest Healthcare Data Breaches Reported in January 2021

The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application for applications for insurance coverage. The company failed to apply patches for 7 years, which allowed unauthorized individuals to exploit the flaws and gain access to sensitive data.

Hendrick Health had a major data breach due to a ransomware attack; one of many reported by healthcare providers since September 2020 when ransomware actors stepped up their attacks on the healthcare sector. The County of Ramsey breach was also due to a ransomware attack at one of its technology vendors.

Email-based attacks such as business email compromise (BEC) and phishing attacks were common in January, and were the cause of 4 of the top ten breaches.

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Location of Breached Information
Florida Healthy Kids Corporation	Health Plan*	3,500,000	Hacking/IT Incident: Website and Web Application Hack	Network Server
Hendrick Health	Healthcare Provider	640,436	Hacking/IT Incident: Ransomware	Network Server
Roper St. Francis Healthcare	Healthcare Provider	189,761	Hacking/IT Incident: Phishing attack	Email
Precision Spine Care	Healthcare Provider	20,787	Hacking/IT Incident: BEC attack	Email
Walgreen Co.	Healthcare Provider	16,089	Unauthorized Access/Disclosure: Unknown	Email
The Richards Group	Business Associate	15,429	Hacking/IT Incident: Phishing attack	Email
Florida Hospital Physician Group Inc.	Healthcare Provider	13,759	Hacking/IT Incident: EHR System	Electronic Medical Record
Managed Health Services	Health Plan*	11,988	Unauthorized Access/Disclosure: Unconfirmed	Paper/Films
Bethesda Hospital	Healthcare Provider	9,148	Unauthorized Access of EMR by employee	Electronic Medical Record
County of Ramsey	Healthcare Provider*	8,687	Hacking/IT Incident: Ransomware	Network Server

*Breach reported by covered entity but occurred at a business associate.

Causes of January 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to cause the majority of healthcare data breaches. January saw 20 hacking/IT incidents reported, which accounted for 62.5% of the month’s data breaches. The protected health information of 4,413,762 individuals was compromised or exposed in those breaches – 98.8% of all breached records in January. The average breach size was 220,688 records and the median breach size was 2,464 records.

There were 11 reported unauthorized access and disclosure incidents involving 50,996 records. The average breach size was 4,636 records and the median breach size was 1,680 records.

There was one reported incident involving the loss of an unencrypted laptop computer containing 2,340 records, but no theft or improper disposal incidents.

As the bar chart below shows, email is the most common location of breached PHI, mostly due to the high number of phishing attacks. This was closely followed by network server incidents, which mostly involve malware or ransomware.

January 2021 Healthcare Data Breaches by Entity Type

Healthcare providers were the worst affected covered entity type with 23 reported data breaches followed by health plans with 6 reported breaches. Three data breaches were reported by business associates of HIPAA covered entities, although a further 7 occurred at business associates but were reported by the covered entity, including the largest data breach of the month.

The number of breaches reported by business associates have been increasing in recent months. These incidents often involve multiple covered entities, such as the data breach at Blackbaud in 2020 which resulted involved the data of more than 10 million individuals across around four dozen healthcare organizations. A study by CI Security found 75% of all breached healthcare records in the second half of 2020 were due to data breaches at business associates.

Where Did the Data Breaches Occur?

January’s 32 data breaches were spread across 18 states, with Florida the worst affected with 6 reported breaches. There were 3 breaches reported by entities in Texas and Wyoming, and 2 reported in each of Louisiana, Massachusetts, and Minnesota.

Illinois, Indiana, Maryland, Missouri, Nevada, North Carolina, Ohio, Pennsylvania, South Carolina, Vermont, Virginia, and Washington each had 1 breach reported.

HIPAA Enforcement Activity in January 2021

2020 was a record year for HIPAA enforcement actions with 19 settlements reached to resolve HIPAA cases, and the enforcement actions continued in January with two settlements reached with HIPAA covered entities to resolve violations of the HIPAA Rules.

Excellus Health Plan settled a HIPAA compliance investigation that was initiated following a report of a breach of 9,358,891 records in 2015. OCR investigators identified multiple potential violations of the HIPAA Rules, including a risk analysis failure, risk management failure, lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. Excellus Health Plan settled the case with no admission of liability and paid a $5,100,000 financial penalty.

OCR continued with its crackdown of noncompliance with the HIPAA Right of Access with a $200,000 financial penalty for Banner Health. OCR found two Banner Health affiliated covered entities had failed to provide a patient with timely access to medical records, with both patients having to wait several months to receive their requested records.

The post January 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

100% of Tested mHealth Apps Vulnerable to API Attacks

Posted February 16, 2021 by HIPAA Journal

The personally identifiable health information of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by cybersecurity firm Approov.

Ethical hacker and researcher Allissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health data. One of the provisos of the study was she would not be permitted to name any of the apps if vulnerabilities were identified. She assessed 30 of the leading mHealth apps and discovered all were vulnerable to API attacks which could allow unauthorized individuals to gain access to full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating security issues are systemic.

mHealth apps have proven to be invaluable during the COVID-19 pandemic and are now increasingly relied on by hospitals and healthcare providers. According to Pew Research, mHealth apps are now generating more user activity than other mobile device apps such as online banking. There are currently an estimated 318,000 mHealth apps available for download from the major app stores.

The 30 mHealth apps analyzed for the study are used by an estimated 23 million people, with each app downloaded an average of 772,619 times from app stores. These apps contain a wealth of sensitive data, from vital signs data to pathology reports, test results, X-rays and other medical images and, in some cases, full medical records. The types of information stored in or accessible through the apps carries a high value on darknet marketplaces and is frequently targeted by cybercriminals. The vulnerabilities identified in mHealth apps makes it easy for cybercriminals to gain access to the information.

“Look, let’s point the pink elephant out in the room. There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible,” said Knight. “But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to broken object level authorization (BOLA) vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database.”

BOLA vulnerabilities allow a threat actor to substitute the ID of a resource with the ID of another. “When the object ID can be directly called in the URI, it opens the endpoint up to ID enumeration that allows an adversary the ability to read objects that don’t belong to them,” explained Knight. “These exposed references to internal implementation objects can point to anything, whether it’s a file, directory, database record or key.” In the case of mHealth apps, that could provide a threat actor with the ability to download entire medical records and personal information that could be used for identity theft.

APIs define how apps can communicate with other apps and systems and are used for sharing information. Out of the 30 mHealth apps tested, 77% had hard-coded API keys which made them vulnerable to attacks that would allow the attacker to intercept information as it is exchanged. In some cases, those keys never expired and 7% of the API keys belonged to third-party payment processors that strongly advise against hard coding these private keys in plain text, yet usernames and passwords had still been hard coded.

All of the apps lacked certificate pinning, which is used to prevent man-in-the-middle attacks. Exploiting this flaw would allow sensitive health and personal information to be intercepted and manipulated. Half of the tested apps did not authenticate requests with tokens, and 27% did not have code obfuscation protections, which made them vulnerable to reverse engineering.

Knight was able to access highly sensitive information during the study. 50% of records included names, addresses, dates of birth, Social Security numbers, allergies, medications, and other sensitive health data. Knight also found that if access is gained to one patient’s records, other patient records can also be accessed indiscriminately. Half of all APIs allowed medical professionals to view pathology, X-ray, and clinical results of other patients and all API endpoints were found to be vulnerable to BOLA attacks, which allowed Knight to view the PHI and PII of patients not assigned to her clinical account. Knight also found replay vulnerabilities that allowed her to replay FaceID unlock requests that were days old and take other users’ sessions.

Part of the problem is mHealth apps do not have security measures baked in. Rather than build security into the apps at the design stage, the apps are developed, and security measures are applied afterwards. That can easily result in vulnerabilities not being fully addressed.

“The fact is that leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm,” said David Stewart, founder and CEO of Approov. “Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients.”

The post 100% of Tested mHealth Apps Vulnerable to API Attacks appeared first on HIPAA Journal.

OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project

Posted February 2, 2021 by HIPAA Journal

Two members of the Department of Veteran Affairs’ (VA) information technology staff are alleged to have made false representations about the privacy and security risks of a big data AI project between the VA and a private company that would have seen the private and confidential health data of tens of millions of veterans fed into the AI system.

An administrative investigation was conducted by the VA Office of Inspector General (OIG) into a potential conflict of interest related to a cooperative research and development agreement (CRADA) between the VA and a private company in 2016.

The purpose of the collaboration was to improve the health and wellness of veterans using AI and deep learning technology developed by Flow Health. The project aimed to identify common elements that make people susceptible to disease, identify potential treatments and possible side effects to inform care decisions and to improve the accuracy of diagnoses.

The CRADA would have resulted in the private and confidential health data, including genomic data, of all veterans who had received medical treatment at the VA being provided to Flow Health. The deal was brought to the attention of senior VA IT leaders in November 2016 following media coverage of the deal after Flow Health issued a press release announcing the new initiative.

The CRADA had been approved but was unilaterally terminated in December 2016 before any veteran data was transferred. The VA’s IT leaders requested the OIG conduct an investigation into potential conflicts of interest between the two employees and Flow Health in December 2016.

The CRADA would have seen private and confidential health data provided to Flow Health for 5 years. According to Flow Health, the project would see the company build “the world’s largest knowledge graph of medicine and genomics from over 30 petabytes of longitudinal clinical data drawn from VA records on 22 million veterans spanning over 20 years,” and that the project with the VA was “a watershed moment for deep learning in healthcare.” To protect the privacy of veterans, Flow Health said it would de-identify all patient data during analysis.

One of the VA employees worked as an Office of IT program manager and the other as a Veterans Health Administration health system specialist at the VHA central office. OIG investigated whether either of the employees had any financial conflicts of interest related to the deal with Flow Health, and while no financial conflicts of interest were found, OIG did discover the employees concealed material information about the privacy and security risks of the project and made misrepresentations about the risks which led to the project being approved under false pretenses.

In the report, False Statements and Concealment of Material Information by VA Information Technology Staff, OIG said the VA official tasked with approving or rejecting the proposed project requested the employees provide an explanation of the cybersecurity implications of the Flow Health project.

OIG said the two employees concealed information from the VA official and did not divulge that subject matter experts had raised significant privacy and security concerns about the project. The two employees also made false statements to the VA official about the status of privacy and security reviews, indicating they have been conducted and all issues had been addressed. They also advocated the VA official execute the contract with Flow Health.

The OIG referred the matter to the Department of Justice, which declined to prosecute the two employees. The OIG recommended the VA determine whether administrative actions should be taken over the employees’ conduct, and the VA concurred with the recommendation.

The post OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project appeared first on HIPAA Journal.

At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Posted January 20, 2021 by HIPAA Journal

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft.

The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year.

In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities.

These attacks have caused significant financial harm and in some cases the disruption has had life threatening consequences. Healthcare services have had to be suspended, ambulances have been redirected to alternative facilities, 911 services have been interrupted, medical appointments have been postponed and test results have been delayed. “The fact that there were no ransomware-related deaths in the US last year was simply due to good luck. Security needs to bolstered across the public sector before that luck runs out and lives are lost,” said Fabian Wosar, CTO, Emsisoft.

One of the most damaging attacks was on Universal Health Services, a health system that operates more than 400 hospitals and healthcare facilities in the United States. The attack affected all its locations and caused considerable disruption. An attack on the University of Vermont Health Network forced systems offline, including its EHR system. Several hospital systems remained out of action for several weeks after the attack. The ransomware attack cost the health system around $1.5 million a day in additional expenses and lost revenue while it recovered. “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover,” said Gus Genter, CIO, Winnebago County, who was quoted in the report.

It has become increasingly common for ransomware threat actors to steal sensitive data prior to file encryption and for threats to be issued to publish or sell the stolen data if the ransom is not paid. This tactic was first adopted by the Maze ransomware gang, but many other threat groups have now adopted the same tactic. Emsisoft said only the Maze ransomware gang was exfiltrating data prior to file encryption at the start of 2020, but now at least 17 other threat groups are stealing data and publishing it on leak sites if the ransom is not paid.

In some cases, even payment of the ransom does not guarantee the stolen data will be deleted. Several ransomware gangs, including Sodinokibi (REvil), Netwalker, and Mespinoza are known to have leaked stolen data even after the ransom was paid.

Emsisoft notes that in the first half of 2020, only one of the 60 ransomware attacks on federal, state, county, and municipal governments and agencies resulted in stolen data being leaked; however, in the second half of the year, 23 out of the 53 attacks saw stolen data released on leak sites. At least 12 healthcare organizations that were attacked with ransomware had sensitive data stolen and leaked online.

2020 was clearly a bad year, but there is little to suggest 2021 will be any better. Ransomware attacks are likely to continue at pace and may even increase. “Unless significant action is taken, we anticipate 2021 being another banner year for cybercriminals,” explained Emsisoft in the report.

The post At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020 appeared first on HIPAA Journal.

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

Posted January 19, 2021 by HIPAA Journal

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website.

In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year.

More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010.

Key Takeaways

25% year-over-year increase in healthcare data breaches.
Healthcare data breaches have doubled since 2014.
642 healthcare data breaches of 500 or more records were reported in 2020.
76 data breaches of 500 or more healthcare records were reported each day in 2020.
2020 saw more than 29 million healthcare records breached.
One breach involved more than 10 million records and 63 saw more than 100K records breached.
Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records.
3,705 data breaches of 500 or more records have been reported since October 2009.
78 million healthcare records have been breached since October 2009.

2020 was the third worst year in terms of the number of breached healthcare records, with 29,298,012 records reported as having been exposed or impermissibly disclosed in 2020. While that is an alarming number of records, it is 29.71% fewer than in 2019. 266.78 million healthcare records have been breached since October 2009 across 3,705 reported data breaches of 500 or more records.

The Largest Healthcare Data Breaches in 2020

The largest healthcare data breach of 2020 was a ransomware attack on the cloud service provider Blackbaud Inc. The actual number of records exposed and obtained by the hackers has not been made public, but more than 100 of Blackbaud’s healthcare clients were affected and more than 10 million records are known to have been compromised. The breach does not appear on the OCR breach portal, as each entity affected has reported the breach separately.

Prior to deploying ransomware, the hackers stole the fundraising and donor databases of many of its clients which included information such as names, contact information, dates of birth, and some clinical information. Victims included Trinity Health (3.3 million records), Inova Health System (1 million records), and Northern Light Health Foundation (657,392 records).

The Florida-based business associate MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, experienced the largest phishing attack of the year. Hackers gained access to its Office 365 environment and potentially obtained the ePHI of 1,670 individuals, including Social Security numbers, driver’s license numbers, and health insurance and financial information.

Magellan Health’s million-record data breach also started with a phishing email but and ended with ransomware being deployed. The breach affected several of its affiliated entities and potentially saw patient information stolen.

Dental Care Alliance, a dental support organization with more than 320 affiliated dental practices across 20 states, had its systems hacked and the dental records of more than 1 million individuals were potentially stolen.

63 security incidents were reported in 2020 by HIPAA-covered entities and business associates that involved 100,000 or more healthcare records.

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
Trinity Health	Business Associate	3,320,726	Hacking/IT Incident
MEDNAX Services, Inc.	Business Associate	1,290,670	Hacking/IT Incident
Inova Health System	Healthcare Provider	1,045,270	Hacking/IT Incident
Magellan Health Inc.	Health Plan	1,013,956	Hacking/IT Incident
Dental Care Alliance, LLC	Business Associate	1,004,304	Hacking/IT Incident
Luxottica of America Inc.	Business Associate	829,454	Hacking/IT Incident
Northern Light Health	Business Associate	657,392	Hacking/IT Incident
Health Share of Oregon	Health Plan	654,362	Theft
Florida Orthopaedic Institute	Healthcare Provider	640,000	Hacking/IT Incident
Elkhart Emergency Physicians, Inc.	Healthcare Provider	550,000	Improper Disposal
Aetna ACE	Health Plan	484,157	Hacking/IT Incident
Saint Luke’s Foundation	Healthcare Provider	360,212	Hacking/IT Incident
NorthShore University HealthSystem	Healthcare Provider	348,746	Hacking/IT Incident
SCL Health – Colorado	Healthcare Provider	343,493	Hacking/IT Incident
AdventHealth	Healthcare Provider	315,811	Hacking/IT Incident
Nuvance Health	Healthcare Provider	314,829	Hacking/IT Incident
Magellan Rx Management	Business Associate	314,704	Hacking/IT Incident
The Baton Rouge Clinic	Healthcare Provider	308,169	Hacking/IT Incident
Allegheny Health Network	Healthcare Provider	299,507	Hacking/IT Incident
Northeast Radiology	Healthcare Provider	298,532	Hacking/IT Incident

Main Causes of 2020 Healthcare Data Breaches

Hacking and other IT incidents dominated the healthcare data breach reports in 2020. 429 hacking/IT-related data breaches were reported in 2020, which account for 66.82% of all reported breaches and 91.99% of all breached records. These incidents include exploitation of vulnerabilities and phishing, malware, and ransomware attacks, with the latter having increased considerably in recent months.

A recent report from Check Point revealed there was a 71% increase in ransomware attacks on healthcare providers in October, and a further 45% increase in healthcare cyberattacks in the last two months of 2020. Some of the year’s largest and most damaging breaches to affect the healthcare industry in 2020 involved ransomware. In many cases, systems were taken out of action for weeks and patient services were affected. Ryuk, Sodinokibi (REvil), Conti, and Egregor ransomware have been the main culprits, with the healthcare industry heavily targeted during the pandemic.

Unauthorized access/disclosure incidents accounted for 22.27% of the year’s breaches and 2.69% of breached records. These incidents include the accessing of healthcare records my malicious insiders, snooping on medical records by healthcare workers, accidental disclosures of PHI to unauthorised individuals, and human error that exposes patient data.

Breach Type	Number of breaches	Records breached	Mean Records Breached	Median Records Breached
Hacking/IT Incident	429	26,949,956	62,820	8,000
Unauthorized Access/Disclosure	143	787,015	5,504	1,713
Theft	39	806,552	20,681	1,319
Improper Disposal	16	584,980	36,561	1,038
Loss	15	169,509	11,301	2,298

Location of Breached Protected Health Information

The increased use of encryption and cloud services for storing data have helped to reduce the number of loss/theft incidents, which used to account for the majority of reported breaches. Phishing attacks are still a leading cause of data breaches in healthcare and are often the first step in a multi-stage attack that sees malware or ransomware deployed.

Email account breaches were reported at a rate of more than 1 every two days in 2020, but email-related breaches took second spot this year behind breaches of network servers. Network servers often store large amounts of patient data and are a prime target for hackers and ransomware gangs.

While the majority of healthcare data breaches have involved electronic protected health information, a significant percentage of breaches in 2020 involved paper/film copies of protected health information which were obtained by unauthorized individuals, lost, or disposed of in an insecure manner.

Which Entities Suffered the Most Data Breaches in 2020?

The pie chart below shows the breakdown of HIPAA covered entities affected by data breaches of 500 or more records in 2020. Healthcare providers suffered the most breaches with 497 reported incidents. Business associates reported 73 data breaches, but it should be noted that in many cases a breach was experienced at the business associate, but the incident was reported by the covered entities affected. In total, 258 of the year’s breaches had some business associate involvement, which is 40.19% of all breaches. There were 70 breaches reported by health plans, and 2 breaches reported by healthcare clearinghouses.

2020 Healthcare Data Breaches by State

South Dakota, Vermont, Wyoming residents survived 2020 without experiencing any healthcare data breaches, but there were breaches reported by entities based in all other states and the District of Columbia.

California was the worst affected state with 51 breaches, followed by Florida and Texas with 44, New York with 43, and Pennsylvania with 39.

State	No. Breaches	State	No. Breaches	State	No. Breaches	State	No. Breaches
California	51	Virginia	18	New Jersey	9	Kansas	3
Florida	44	Indiana	17	South Carolina	9	Nebraska	3
Texas	44	Massachusetts	17	Washington	9	West Virginia	3
New York	43	Maryland	16	Delaware	8	District of Columbia	2
Pennsylvania	39	North Carolina	16	Utah	8	Idaho	2
Ohio	27	Colorado	14	Louisiana	6	Nevada	2
Iowa	26	Missouri	14	Maine	6	Oklahoma	2
Michigan	21	Arizona	12	New Mexico	6	Mississippi	1
Georgia	20	Arkansas	12	Oregon	5	Montana	1
Illinois	20	Kentucky	12	Hawaii	4	New Hampshire	1
Minnesota	20	Wisconsin	12	Alabama	3	North Dakota	1
Connecticut	19	Tennessee	10	Alaska	3	Rhode Island	1

HHS HIPAA Enforcement in 2020

2020 was a busy year in terms of HIPAA enforcement. The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, conducted 19 HIPAA compliance investigations that resulted in financial penalties. More penalties were agreed with HIPAA covered entities and business associates in 2020 than in any other year since OCR started enforcing HIPAA compliance. $13,554,900 was paid in penalties across the 19 cases.

It can take several years from the start of an investigation before a financial penalty is levied. Some of the largest settlements of the year date back to breaches that were experienced in 2015 or earlier; however, the large increase in financial penalties in 2020 is largely due to a HIPAA enforcement drive launched by OCR in late 2019 to tackle noncompliance with the HIPAA Right of Access. There were 11 settlements reached with healthcare providers in 2020 to resolve cases where individuals were not provided with timely access to their medical records.

You can view a summary of OCR’s 2020 HIPAA enforcement actions in this post.

State AG HIPAA Enforcement in 2020

OCR is not the only enforcer of HIPAA compliance. State attorney generals also have the authority to take action against entities found not to be in compliance with the HIPAA Rules. There has been a trend for state attorneys general to work together and pool resources in their legal actions for noncompliance with the HIPAA Rules. In 2020, two multi-state actions were settled with HIPAA covered entities/business associates to resolve violations of the HIPAA Rules.

The health insurer Anthem Inc. settled a case that stemmed from its 78.8 million-record data breach in 2015 and paid financial penalties totalling $48.2 million to resolve multiple potential violations of HIPAA and state laws.

CHSPSC LLC, a Tennessee-based management company that provides services to subsidiary hospital operator companies and other affiliates of Community Health Systems, also settled a multi-state action and paid a financial penalty of $5 million to resolve alleged HIPAA violations. The case stemmed from a 2014 data breach that saw the ePHI of 6,121,158 individuals stolen by hackers.

About This Report

The Health Insurance Portability and Accountability Act (HIPAA) requires all healthcare data breaches to be reported to the HHS’ Office for Civil Rights. A summary of breaches of 500 or more records is published by the HHS Office for Civil Rights. This report was compiled using data on the HHS website on 01/19/21 and includes data breaches currently under investigation and archived cases.

The post 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020 appeared first on HIPAA Journal.

December 2020 Healthcare Data Breach Report

Posted January 18, 2021 by HIPAA Journal

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average.

There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 565 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.

December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached.

Largest Healthcare Data Breaches Reported in December 2020

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Type of Breach	Cause
MEDNAX Services, Inc.	FL	Business Associate	1,290,670	Hacking/IT Incident	Phishing attack
Dental Care Alliance, LLC	FL	Business Associate	1,004,304	Hacking/IT Incident	Unspecified hacking incident
Aetna ACE	CT	Health Plan	484,157	Hacking/IT Incident	Phishing attack (business associate)
Allegheny Health Network	PA	Healthcare Provider	299,507	Hacking/IT Incident	Ransomware attack (Blackbaud)
AMITA Health	IL	Healthcare Provider	261,054	Hacking/IT Incident	Ransomware attack (Blackbaud)
Community Eye Care, LLC	NC	Health Plan	149,804	Hacking/IT Incident	Email account breach
GenRx Pharmacy	AZ	Healthcare Provider	137,110	Hacking/IT Incident	Ransomware attack
Wilmington Surgical Associates, P.A.	NC	Healthcare Provider	114,834	Hacking/IT Incident	Ransomware attack
Agency for Community Treatment Services, Inc.	FL	Healthcare Provider	73,825	Hacking/IT Incident	Ransomware attack
Sonoma Valley Healthcare District	CA	Healthcare Provider	69000	Hacking/IT Incident	Ransomware attack

There were two healthcare data breaches reported in December that each impacted more than 1 million individuals. The largest breach was a phishing attack on the Florida-based business associate, MEDNAX Services, Inc. MEDNAX provides revenue cycle management and other administrative services to its affiliated physician practice groups. Hackers gained access to its Microsoft Office 365-hosted email system after employees responded to phishing emails. The compromised accounts contained the protected health information of 1,290,670 patients of its clients.

Dental Care Alliance is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices in 20 U.S. states. Little information has been released about the exact nature of the cyberattack, other than hackers gaining access to its systems and viewing files containing patient information.

Causes of December 2020 Healthcare Data Breaches

Ransomware gangs continue to target healthcare organizations and attacks have increased considerably in recent months. 5 of the worst data breaches reported in December involved ransomware, as did many of the smaller breaches. Several healthcare providers have only just reported being affected by the ransomware attack on Blackbaud Inc., which was discovered by the cloud service provide in May 2020.

Phishing continues to be a major cause of healthcare data breaches. There were 13 data breaches involving unauthorized accessing of email accounts, the majority of which used credentials stolen in phishing attacks. While most of the month’s breaches involved unauthorized accessing of electronic protected health information, 17.75% of the month’s breaches involved paper records and films, highlighting the importance of also protecting physical records.

33 hacking/IT incidents were reported to OCR in December 2020. Those incidents accounted for 98.39% of the month’s breached records (4,173,519 records). An average of 126,470 records were breached per incident with a median breach size of 8,000 records per incident.

There were 21 unauthorized access/disclosure incidents reported to OCR which involved a total of 57,837 records. The average breach size was 2,754 records and the median breach size was 1,020 records.

There were 7 theft and loss incidents reported (5 theft/2 loss). The average breach size was 1,392 records and the median breach size was 856 records. There was also one incident involving the improper disposal of 501 records.

Entities Reporting Data Breaches in December 2020

Healthcare providers were the worst affected covered entity in December 2020 with 39 breaches reported, but there was a major increase in data breaches reported by health plans. 17 health plans reported breaches of 500 or more records in December, which is a 183% increase from November.

There were 6 data breaches reported by business associates of HIPAA covered entities, but 40% of the month’s breaches (25) had some business associate involvement. In many cases, the breach was experienced by the business associate but was reported by the covered entity.

December 2020 Healthcare Data Breaches by State

HIPAA covered entities and business associates in 58% of U.S. states reported data breaches in December. Florida was the worst affected of the 29 states with 9 reported data breaches. Pennsylvania also had a particularly bad month with 7 reported breaches, followed by Missouri and Texas with 4, and Illinois, North Carolina, and Tennessee with 3.

There were two breaches reported in each of Arizona, Connecticut, Georgia, Massachusetts, Minnesota, Ohio, and Wisconsin, and one breach reported in each of Arkansas, California, Colorado, Delaware, Indiana, Iowa, Kentucky, Louisiana, Maine, Mississippi, Nebraska, Oregon, Utah, Virginia, and West Virginia.

HIPAA Enforcement in December 2020

2020 has been a busy year in terms of HIPAA enforcement. More financial penalties were imposed on HIPAA covered entities and their business associates to resolve potential HIPAA violations in 2020 than in any other year since the HHS was given the authority to enforce HIPAA compliance. 19 settlements were reached to resolve cases where HIPAA Rules appeared to have been violated.

OCR announced one further financial penalty in December – The 13^th financial penalty under its HIPAA Right of Access initiative. Peter Wrobel, M.D., P.C., dba Elite Primary Care, agreed to pay OCR a $36,000 to resolve a case involving the failure to provide two patients with timely access to their medical records.

You can read more about 2020 HIPAA enforcement in our end of year summary.

The post December 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

Posted January 17, 2021 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals.

The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties.

Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015.

The hackers installed malware on its systems, performed reconnaissance, and were found to have accessed the healthcare data of around 7 million Excellus Health Plan members and approximately 2.5 million members of Lifetime Healthcare, its non-BlueCross subsidiary. The information accessed by the hackers included names, contact information, dates of birth, Social Security numbers, health plan ID numbers, claims data, financial account information, and clinical treatment information.

OCR launched an investigation of the breach in June 2016 to determine whether Excellus Health Plan was in compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The investigation identified five standards of the HIPAA Rules where Excellus was potentially noncompliant.

OCR determined the health plan had failed to conduct an accurate and thorough organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) of its members. Sufficient measures had not been implemented to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and technical policies and procedures that only allow authorized persons and software programs to access systems containing ePHI were insufficient. As a result of these issues, unauthorized individuals gained access to the PHI of 9,358,891 of its members. It took Excellus more than 18 months to discover its systems had been breached. OCR found policies and procedures requiring regular reviews of information system activity to be lacking.

The financial penalty was agreed with OCR to avoid further investigation and formal proceedings, and the settlement was reached with no admission of liability or wrongdoing. In addition to paying the financial penalty, Excellus is required to adopt a corrective action plan that covers all areas of potential noncompliance identified by OCR during the investigation. Excellus will also be monitored closely by OCR for 2 years to ensure continued compliance with the HIPAA Rules.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

This is the second HIPAA enforcement action to be announced by OCR in 2021. Earlier this month, OCR said a $200,000 settlement had been reached with Banner Health to resolve potential HIPAA Right of Access violations. The Excellus settlement comes just a few hours after the 5^th Circuit Court of Appeals vacated a $4.3 million Civil Monetary Penalty imposed by OCR on University of Texas M.D. Anderson Cancer Center that stemmed from three incidents involving the loss/theft of portable devices containing ePHI between 2012 and 2013.

The two HIPAA settlements in January follow on from a record year of HIPAA enforcement that saw 19 financial penalties paid by HIPAA covered entities and business associates to resolve potential violations of HIPAA Rules.

The post Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty appeared first on HIPAA Journal.

2020-2021 HIPAA Violation Cases and Penalties

Posted January 13, 2021 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules.

While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for violations of multiple HIPAA Rules that impacted large numbers of individuals. The $5,100,000 penalty, imposed on Excellus Health Plan, was so large because there were multiple violations of the HIPAA Rules, over multiple years, that led to a breach of the ePHI of 9,358,891 individuals.

Penalties for Noncompliance with the HIPAA Right of Access

In late 2019, OCR announced a new HIPAA enforcement initiative to tackle non-compliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been rigorously enforcing compliance with the HIPAA Right of Access and as of December 2021, has imposed 25 penalties for HIPAA Right of Access violations totaling $1,564,650. The fines range from $3,500 to $200,000. There have been 24 settlements and one civil monetary penalty, with many of the fines imposed on small healthcare providers.

The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set. When a request is received from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of the requested records. A request for access to an individual’s health records may be denied, but only in very limited circumstances.

OCR investigates complaints from individuals who allege they have been denied access to their health records, have not received records within 30 days, or have been charged excessive amounts for copies of their records. The financial penalties imposed by OCR in 2020 for HIPAA Right of Access violations ranged from $15,000 to $160,000 and stemmed from refusals to provide copies of records or long delays. In many cases, records were only provided after OCR intervened.

2021 HIPAA Right of Access Enforcement Actions

Covered Entity	Penalty	Outcome
Banner Health	200,000	Settlement
Rainrock Treatment Center LLC (dba monte Nido Rainrock)	160,000	Settlement
Dr. Robert Glaser	100,000	Civil Monetary Penalty
Children’s Hospital & Medical Center	80,000	Settlement
Renown Health	75,000	Settlement
Sharpe Healthcare	70,000	Settlement
Arbour Hospital	65,000	Settlement
Advanced Spine & Pain Management	32,150	Settlement
Denver Retina Center	30,000	Settlement
Village Plastic Surgery	30,000	Settlement
Wake Health Medical Group	10,000	Settlement

Other 2021 HIPAA Violation Penalties

Covered Entity	Penalty	Outcome
Excellus Health Plan	$5,100,000	Settlement
AEON Clinical Laboratories (Peachstate)	$25,000	Settlement

Only two HIPAA enforcement actions in 2021 were not the result of HIPAA Right of Acess violations.

Excellus Health Plan

Rochester, New York-based Excellus Health Plan, a member of the Blue Cross Blue Shield Association, was investigated to identify potential HIPAA compliance issues following a report of a data breach of 9,358,891 records in 2015. It was one of three mega data breaches to be reported by health plans that year, Anthem Inc and Premera Blue Cross being the other two, both of which had settled their cases and paid sizeable penalties.

Excellus discovered the breach in August 2015, with its investigation revealing hackers had access to its systems between December 23, 2013, and May 11, 2015. The breach was reported to OCR on September 9, 2015. Malware had been installed which allowed the hackers to exfiltrate the data of around 7 million Excellus Health Plan members and approximately 2.5 million members of Lifetime Healthcare, its non-BlueCross subsidiary, which included names, contact information, dates of birth, Social Security numbers, health plan ID numbers, claims data, financial account information, and clinical treatment information.

OCR’s investigation uncovered multiple HIPAA violations, including the failure to conduct an accurate and thorough organization-wide risk analysis, the failure to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a lack of technical policies and procedures to limit data access to authorized persons and software programs. Excellus chose to settle the case and paid a $5,100,000 penalty and agreed to implement a comprehensive Corrective Action Plan to address all areas of non-compliance.

Peachstate Health Management LLC, dba AEON Clinical Laboratories

The enforcement action against Peachstate Health Management is notable because this was the first OCR investigation to result in a financial penalty for HIPAA violations identified in a company that was not the initial subject of the investigation.

OCR launched an investigation after receiving a report from the Department of Veteran Affairs in 2015 about a data breach involving its business associate, Authentidate Holding Corporation (AHC). AHC managed the VA’s Telehealth Services Program and suffered a data breach. While investigating, OCR learned that AHC had entered into a reverse merger with Peachstate Health Management on January 27, 2016, which saw Peachstate acquired by AHC. Peachstate is a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR then launched an investigation of Peachstate to assess HIPAA Privacy and Security Rule compliance and found multiple violations of the HIPAA Rules. OCR identified multiple HIPAA Security Rule failures, including risk assessment, risk management, audit controls failures, as well as the failure to maintain documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000, and a corrective action plan was agreed to resolve the HIPAA violations.

2020 HIPAA Right of Access Enforcement Actions

Covered Entity	Penalty	Outcome
Dignity Health, dba St. Joseph’s Hospital and Medical Center	$160,000	Settlement
NY Spine	$100,000	Settlement
Beth Israel Lahey Health Behavioral Services	$70,000	Settlement
University of Cincinnati Medical Center	$65,000	Settlement
Housing Works, Inc.	$38,000	Settlement
Peter Wrobel, M.D., P.C., dba Elite Primary Care	$36,000	Settlement
Riverside Psychiatric Medical Group	$25,000	Settlement
Dr. Rajendra Bhayani	$15,000	Settlement
All Inclusive Medical Services, Inc.	$15,000	Settlement
Wise Psychiatry, PC	$10,000	Settlement
King MD	$3,500	Settlement

Other 2020 HIPAA Violation Penalties

The remaining HIPAA violation penalties issued in 2020 were issued for non-compliance with several provisions of the HIPAA Rules. The penalty amounts reflect the seriousness of the violations, the harm caused, the number of individuals affected, the level of cooperation with OCR, the voluntary actions taken to address the violations, and the ability of the entity to pay. In each of the HIPAA violation cases below, OCR discovered multiple violations of the HIPAA Rules.

Covered Entity	Amount	Outcome
Premera Blue Cross	$6,850,000	Settlement
CHSPSC LLC	$2,300,000	Settlement
Athens Orthopedic Clinic	$1,500,000	Settlement
Lifespan Health System Affiliated Covered Entity	$1,040,000	Settlement
Aetna	$1,000,000	Settlement
City of New Haven, CT	$202,400	Settlement
Steven A. Porter, M.D	$100,000	Settlement
Metropolitan Community Health Services dba Agape Health Services	$25,000	Settlement

Second Largest HIPAA Violation Penalty for Premera Blue Cross

The largest HIPAA violation penalty of 2020 was imposed on the health insurer Premera Blue Cross. Premera Blue Cross was investigated over a data breach in which the protected health information of 10,466,692 individuals was obtained by hackers.

During the investigation, OCR discovered multiple potential violations of the HIPAA Security Rule. Premera Blue Cross had failed to conduct a comprehensive risk analysis, had not reduced risks to the confidentiality, integrity, and availability of ePHI to a reasonable and appropriate level, and had implemented insufficient hardware and software controls.

Premera Blue Cross agreed to pay a financial penalty of $6,850,000 to resolve the case and adopted a corrective action plan to address all areas of noncompliance.

In addition to the OCR penalty, Premera Blue Cross settled a multi-state action for $10 million and a class action lawsuit filed on behalf of victims of the breach for $74 million.

The financial penalty was the second-largest ever to be issued by OCR. The largest HIPAA violation penalty – $16 million – was paid by Anthem Inc. in 2018 and resolved an investigation into its 78.8 million record data breach that was discovered in 2015. Following on from that settlement, in 2020 Anthem Inc settled a multi-state action and paid $48.2 million in penalties. Anthem also settled a class action lawsuit filed on behalf of victims of the breach in 2018 for $115 million.

CHSPSC LLC

CHSPSC LLC, a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, suffered a cyberattack in April 2014 in which compromised admin credentials were used by hackers to gain access to its systems. The hackers stole the ePHI of 6,121,158 individuals.

OCR investigated and found systemic noncompliance with the HIPAA Security Rule. CHSPSC had failed to conduct a comprehensive risk analysis, was not conducting information system activity reviews, and had implemented insufficient access controls and security incident response procedures. When notified about the cyberattack by the FBI, it took CHSPSC two months to respond.

CHSPSC LLC settled the case, paid a $2,300,000 penalty, and adopted a corrective action plan to address all areas of noncompliance. Community Health Systems and CHSPSC LLC also settled a multi-state action with 28 state Attorneys General over the breach for $5,000,000.

Athens Orthopedic Clinic

The Athens, GA-based healthcare provider Athens Orthopedic Clinic suffered a cyberattack in 2016 in which a hacker stole a database containing the PHI of 208,557 patients and demanded payment not to release the stolen data. When payment was not received the database was published.

OCR’s investigation into the breach uncovered systemic noncompliance with the HIPAA Rules. Athens Orthopedic Clinic had failed to conduct a comprehensive risk analysis, had not implemented security procedures to reduce risks to ePHI to a reasonable and appropriate level, had failed to implement appropriate hardware, software, and procedures for recording and analyzing information system activity, and did not implement HIPAA policies until August 2016.

OCR also found the clinic had not entered into business associate agreements with three vendors and did not provide HIPAA Privacy Rule training to the entire workforce until January 15, 2018.

Athens Orthopedic Clinic agreed to settle the case, paid a $1.5 million penalty, and adopted a corrective action plan to address all areas of noncompliance.

Lifespan Health System Affiliated Covered Entity

Lifespan Health System Affiliated Covered Entity is a Rhode Island not-for-profit health system with many healthcare provider affiliates in the state. In February 2017, an unencrypted laptop computer was stolen from an employee’s vehicle. The laptop contained the ePHI of 20,431 patients.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan had conducted a risk analysis and determined encryption was required for its mobile devices due to the high risk of data exposure but failed to implement encryption on mobile devices. The movement of the devices in and out of its facilities was not tracked and there was no comprehensive inventory of mobile devices. OCR also found that there was no business associate agreement between Lifespan Corporation and Lifespan ACE.

Lifespan ACE agreed to settle the case, paid a $1,040,000 penalty, and adopted a corrective action plan to address all areas of noncompliance.

Aetna

Aetna Life Insurance Company and its affiliated covered entity (Aetna) were investigated by OCR after reporting three data breaches in 2017. The first breach involved the exposure of the protected health information of 5,002 plan members over the Internet, and the other two breaches involved mailings in which sensitive PHI could be viewed through the windows of the envelopes. In the first mailing to 11,887 individuals the words ‘HIV medication’ could be viewed through the windows of the envelopes. In the second mailing to 1,600 individuals, the name and logo of an atrial fibrillation study could be viewed.

OCR determined Aetna had not performed periodic technical and non-technical evaluations of operational changes affecting the security of their ePHI, procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosures, and there was a lack of appropriate administrative, technical, and physical safeguards to ensure the privacy of ePHI.

Aetna agreed to settle the case, paid a $1 million penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Other penalties related to be breach include a $1.15 million settlement with the New York Attorney General, a $935,000 settlement with the California Attorney General, and similar settlements with Connecticut ($99,959), the District of Columbia ($175,000), and New Jersey ($365,211.59). A class action lawsuit filed on behalf of victims of the breach was settled for $17.2 million.

City of New Haven, CT

In January 2017, the City of New Haven in Connecticut reported a data breach of the ePHI of 498 individuals to OCR. The city had terminated an employee in 2016 during her probationary period. The former employee returned to the New Haven Health Department with her union representative after she had been terminated, used her work key to access her old office, and locked herself inside. She used her login credentials to access a work computer and copied data onto a USB drive before leaving.

In addition to failing to terminate the former employee’s access rights, OCR discovered a comprehensive risk analysis had not been performed, the city had failed to implement HIPAA Privacy Rule policies, and had not issued unique IDs to allow system activity to be tracked.

The City of New Haven settled the case, paid a $202,400 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Steven A. Porter, M.D

The medical practice of Steven A. Porter, M.D in Ogden, UT provides gastroenterological services to more than 3,000 patients. On November 13, 2013, OCR received a breach notification alleging Dr. Porter’s electronic medical record company was impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until a $50,000 bill was paid.

OCR investigated and found serious violations of the HIPAA Security Rule at the practice. At the time of the investigation, a risk analysis had never been performed and risks to the confidentiality, integrity, and availability of ePHI had not been managed and reduced to a reasonable and acceptable level. The practice had also allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without entering into a business associate agreement.

Dr. Porter settled the case, paid a $100,00 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Metropolitan Community Health Services / Agape Health Services

Metropolitan Community Health Services is a Washington, NC-based Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina.

In June 2011, Metro notified OCR about a breach of the PHI of 1,263 patients. OCR conducted a compliance review and identified longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metro had not implemented HIPAA Security Rule policies and procedures, had failed to conduct an accurate risk analysis, and had not provided security awareness training to its workforce for more than 16 years.

Metro settled the case, paid a $25,000 penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Further information on HIPAA Penalties

You can view a summary of the HIPAA violation penalties in previous years on this link.

The post 2020-2021 HIPAA Violation Cases and Penalties appeared first on HIPAA Journal.