Healthcare Data Security

October 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches.

This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

Breached Entity Entity Type Individuals Affected Type of Breach
Betty Jean Kerr People’s Health Centers Healthcare Provider 152,000 Hacking/IT Incident
Kalispell Regional Healthcare Healthcare Provider 140,209 Hacking/IT Incident
The Methodist Hospitals, Inc. Healthcare Provider 68,039 Hacking/IT Incident
Children’s Minnesota Healthcare Provider 37,942 Unauthorized Access/Disclosure
Tots & Teens Pediatrics Healthcare Provider 31,787 Hacking/IT Incident
University of Alabama at Birmingham Healthcare Provider 19,557 Hacking/IT Incident
Prisma Health – Midlands Healthcare Provider 19,060 Hacking/IT Incident
South Texas Dermatopathology Laboratory Healthcare Provider 15,982 Hacking/IT Incident
Central Valley Regional Center Business Associate 15,975 Hacking/IT Incident
Texas Health Harris Methodist Hospital Fort Worth Healthcare Provider 14,881* Unauthorized Access/Disclosure

The largest healthcare data breach in October was reported by Betty Jean Kerr People’s Health Centers and was the result of a ransomware attack. At the time of issuing notifications, files that were encrypted in the attack remained locked. The decision was taken not to pay the ransom demand, but it was not possible to restore files from backups. Those files contained the health information of 152,000 patients.

The Kalispell Regional Healthcare data breach was due to a May 2019 phishing attack. An initial investigation did not uncover the extent of the breach. The forensic investigation revealed in August that the health information of up to 140,209 patients may have been accessed.

The Methodist Hospitals, Inc. data breach was also the result of a phishing attack. The incident was reported in October, but the initial email account compromise occurred in March 2019. Two accounts were breached for a total of four months.

South Texas Dermatopathology Laboratory is the last healthcare organization to report that its patients have been impacted by the data breach at the collection agency, AMCA. Its 15,982 records take the total number of individuals impacted by the AMCA breach to 26,059,725.

*Also of note is the data breach at Texas Health Resources. The breach makes the top 10 list of the most healthcare records exposed, but the breach was more far reaching than the table above shows. The Texas Health data breach involved a total of 82,577 records, but the breach was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single incident, the month’s total would stand at 38 breaches – two more than September.

Causes of October 2019 Healthcare Data Breaches

There were 18 hacking/IT incidents reported in October involving 501,847 healthcare records. The average breach size was 27,880 records and the median breach size was 9,413 records.

There were 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. The mean breach size was 4,813 records and the median breach size was 2,135 records. Those incidents include the 15 separate breach reports from Texas Health Resources.

There were 5 loss/theft incidents involving 13,454 records. The mean breach size was 2,350 records and the median breach size was 2,752 records. One improper disposal incident was reported involving 11,754 records.

Location of Breached Health Information

Phishing continues to cause problems for healthcare organizations. Not only are healthcare providers struggling to block phishing attacks, they are also not detected quickly when they do occur. Several phishing attacks have been reported that have taken weeks to discover.

Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred.

This high number of “other” breaches is due to the mailing error at Texas Health, which accounts for 15 of the 19 incidents in the other category.

The majority of the network server breaches were due to ransomware attacks, which include the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is possible, and that at least one backup copy is stored on a non-networked device that is not exposed to the internet.

October 2019 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in October with 45 reported incidents. Three breaches were reported by health plans, and four breaches were reported by business associates of HIPAA-covered entities. A further four breaches also had some business associate involvement but were reported by the covered entity.

October 2019 Healthcare Data Breaches by State

October saw healthcare organizations and business associates in 24 states report data breaches. With 15 breach reports coming from Texas Health, Texas was unsurprisingly the worst affected state with 17 incidents.

There were 4 breaches reported by entities based in Ohio, three breaches reported in California, and two breaches reported in each of Arkansas, Florida, Louisiana, Maryland, New Mexico, South Carolina, and Virginia. A single breach was reported in each of Alabama, Arizona, Georgia, Illinois, Indiana, Kentucky, Minnesota, Missouri, Mississippi, Montana, New York, Oregon, South Dakota, and Washington.

HIPAA Enforcement Actions in October 2019

A further two financial penalties for HIPAA violations were announced by the HHS’ Office for Civil Rights in October – One settlement and one civil monetary penalty.

OCR launched an investigation of Elite Dental Associates following a complaint from a patient who had some of her PHI publicly disclosed in response to a Yelp review. OCR found she was not the only patient to have had PHI disclosed in that manner. OCR also determined that the practice’s notice of privacy practices did not include sufficient information and was therefore not compliant with the HIPAA Privacy Rule. Elite Dental Associates agreed to settle its HIPAA violation case with OCR for $10,000.

OCR launched an investigation of Jackson Health System following the disclosure of PHI in the media. A photograph of an operating room display had been published which contained the health information of two individuals, including a well-known NFL star. The OCR investigation uncovered multiple Privacy Rule, Security Rule, and Breach Notification Rule violations spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

The post October 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records

Posted by HIPAA Journal

Virtual Care Provider Inc. (VCP), a Wisconsin-based provider of internet and email services, data storage, cybersecurity, and other IT services has experienced a ransomware attack that has resulted in the encryption of medical records and other data the firm hosts for its clients. Its clients include 110 nursing home operators and acute care facilities throughout the United States. Those entities have been prevented from accessing critical patient data, including medical records. The company provides support for 80,000 computers, in around 2,400 facilities in 45 states.

The attack involved Ryuk ransomware, a ransomware strain that has been used to attack many healthcare organizations and managed IT service providers in the United States in recent months. The ransomware is typically deployed as a secondary payload following an initial Trojan download. The attacks often involve extensive encryption and cause major disruption and huge ransom demands are often issued. This attack is no different. A ransom demand of $14 million has reportedly been issued, which the company has said it cannot afford to pay.

According to Brian Krebs of KrebsonSecurity, who spoke to VCP owner and CEO Karen Christianson, the attack has affected virtually all of the company’s core offerings, including internet access, email, stored patient records, clients’ phone systems, billing, as well as the VCP payroll system.

The attack has meant acute care facilities and nursing homes cannot view or update patient records and order essential drugs to ensure they are delivered in time. Several small facilities are unable to bill for Medicaid, which will force them to close their doors if systems are not restored before December 5th in time for claims to be submitted. VCP has prioritized restoring its Citrix-based virtual private networking platform to allow clients to access patients’ medical records.

The attack commenced on November 17, 2019 and VCP is still struggling to restore access to client data and cannot process payroll for almost 150 employees. Christianson is concerned that the attack could potentially result in the untimely demise of some patients and may force her to permanently close her business.

KrebsonSecurity reports that the initial attack may date back to September 2018 and likely started with a TrickBot or Emotet infection, with Ryuk deployed as a secondary payload.

The post IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records appeared first on HIPAA Journal.

GAO and VA OIG Identify Privacy and Security Failures at the Department of Veterans Affairs

Posted by HIPAA Journal

Privacy and security failures at the U.S. Department of Veteran Affairs (VA) have recently been identified by government watchdog agencies. Two reviews were conducted by the VA Office of Inspector General (VA OIG) and the Government Accountability Office (GAO).

GAO assessed the security controls at the VA to determine whether they met the requirements of the National Institute of Science and Technology (NIST) Cybersecurity Framework. GAO determined that the VA had failed to meet all requirements of NIST Cybersecurity Framework and was deficient in five areas: Security management, access control, configuration management, contingency planning, and segregation of duties. The VA had reported that it had only met 6 of the 10 cybersecurity performance targets set by the Trump administration and had not yet met the targets for software asset management, hardware asset management, authorization management, and automated access management. The security failures identified by GAO were similar to those at 18 other government agencies.

As with the other government agencies, modernizing and securing information systems has been a major challenge. Security practices have been implemented, but those practices have not been implemented consistently across the entire agency and many vulnerabilities remain unaddressed. The VA was found not to have consistently mitigated vulnerabilities, has not fully established a cybersecurity risk management program, was not identifying critical cybersecurity staffing needs, and was not effectively managing IT supply chain risks.

In 2016, GAO had recommended 74 actions that the VA needed to take to improve its cybersecurity program and address deficiencies. As of October 2019, only 42 of those recommendations had been addressed. The latest review also added a further 4 recommendations for its cybersecurity risk management program, along with one additional recommendation to accurately identify IT/cybersecurity workforce positions. The VA concurred with the GAO recommendations and will implement the additional recommendations as soon as possible.

Another report was recently published by VA OIG following a review of the Veterans Benefits Administration’s (VBA) Records Management Center (RMC). The review was conducted to determine whether staff were disclosing third-party, sensitive personally identifiable information (PII).

Many records held by VBA contain the PII of other individuals. Staff at RMC were previously required to redact third-party PII when processing Privacy Act requests, and only provide information on the person making the request. A change to the VA privacy policy in 2016 meant that third-party PII stopped being redacted, which resulted in the disclosure of a considerable amount of third-party PII when processing the Privacy Act requests.

The decision to stop redacting third-party PII has meant that requests can be processed much faster, but it has also placed many individuals at risk of identity theft. Since those individuals are unaware that their PII is being disclosed, they would not know to take steps to reduce risk.

A sample of 30 Privacy Act responses out of a total of 65,600 requests processed between April 1, 2018 and September 30, 2018 were reviewed. 18 of those 30 requests contained the names and Social Security numbers of unrelated third parties. In some cases, the requests included the PII of more than 100 third parties, including the PII of physicians and other people involved the care of a veteran.

From the data of the privacy policy change n 2016 to May 2019, approximately 379,000 requests had been processed. The 30-request sample was found to contain the names and Social Security numbers of 1,027 unrelated third parties. Assuming the 30 responses were representative of the total, the PII of millions of third parties may have been disclosed. Further, the discs on which the information was saved were not encrypted or protected with passwords. The policies covering the mailing of discs had not been updated following the privacy policy changes in 2016.

According to the VA OIG report, after privacy concerns were raised, VBA agreed that a further update to its privacy policy was required and from no later than October 1, 2019 the redaction of third-party PII will resume.

The post GAO and VA OIG Identify Privacy and Security Failures at the Department of Veterans Affairs appeared first on HIPAA Journal.

House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership

Posted by HIPAA Journal

Leaders of the House Committee on Energy and Commerce are seeking answers from Google and Ascension on Project Nightingale. The Department of Health and Human Services’ Office for Civil Rights has also confirmed that an investigation has been launched to determine if HIPAA Rules have been followed.

The collaboration between Google and Ascension was revealed to the public last week. The Wall Street Journal reported that Ascension was transferring millions of patient health records to Google as part of an initiative called Project Nightingale.

A whistleblower at Google had contacted the WSJ to raise concerns about patient privacy. A variety of internal documents were shared with reporters on the extent of the partnership and the number of Google employees who had access to Ascension patients’ data. Under the partnership, the records of approximately 50 million patients will be provided to Google, 10 million of which have already been transferred.

According to the WSJ report, 150 Google employees are involved with the project and have access to patient data. The whistleblower stated that those individuals are able to access and download sensitive patient information and that patients had not been informed about the transfer of their data in advance. Understandably, the partnership has raised concerns about patient privacy.

Both Google and Ascension released statements about the partnership after the WSJ story was published, confirming that Google was acting as a business associate of Ascension, had signed a business associate agreement, and that it was in full compliance with HIPAA regulations. Under the terms of the BAA, which has not been made public, Google is permitted access to patient data in order to perform services on behalf of Ascension for the purpose of treatment, payment, and healthcare operations.

Google will be analyzing patient data and using its artificial intelligence and machine learning systems to develop tools to assist with the development of patient treatment plans. Google will also be helping Ascension modernize its infrastructure, electronic health record system, and improve collaboration and communication. Google has confirmed in a blog post that it is only permitted to use patient data for purposes outlined in the BAA and has stated that it will not be combining patient data with any consumer data it holds and that patient data will not be used for advertising purposes.

Democratic leaders of the House Committee on Energy and Commerce wrote to Google and Ascension on November 18, 2019 requesting further information on the partnership. The inquiry is being led by House Energy Committee Chairman, Frank Pallone Jr. (D-New Jersey). The letters have also been signed by Chairwoman of the Subcommittee on Health, Anna Eshoo (D-California), Subcommittee on Consumer Protection and Commerce Chair, Jan Schakowsky (D-Illinois), and Subcommittee on Oversight and Investigations Chair, Diana DeGette (D-Colorado).

In the letters, the Committee leaders have requested information on the “disturbing initiative” known as Project Nightingale.

“While we appreciate your efforts to provide the public with further information about Project Nightingale, this initiative raises serious privacy concerns. For example, longstanding questions related to Google’s commitment to protecting the privacy of its own users’ data raise serious concerns about whether Google can be a good steward of patients’ protected health information.”

Ascension’s decision not to inform patients prior to the transfer of protected health information has also raised privacy concerns, as has the number of Google employees given access to the data. Further, employees of Google’s parent company Alphabet also have access to Ascension data.

The Committee leaders have requested a briefing by no later than December 6, 2019 about the types of data being used, including the data being fed into its artificial intelligence tools, and the extent to which Google and Alphabet employees have access to the data. The Committee leaders also want to know what steps have been taken to protect patient information and the extent to which patients have been informed.

The Department of Health and Human Services’ Office for Civil Rights has also confirmed that it has launched an investigation into the partnership. Its investigation is primarily focused on how data is being transferred, the protections put in place to safeguard the confidentiality, integrity, and availability of protected health information, and whether HIPAA Rules are being followed. Google has stated it will be cooperating fully with the OCR investigation.

The post House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership appeared first on HIPAA Journal.

Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion

Posted by HIPAA Journal

It has been 60 days since Greenbone Networks uncovered the extent to which medical images in Picture Archiving and Communication Systems (PACS) servers are being exposed online. In an updated report, the German vulnerability analysis and management platform provider has revealed the problem is getting worse, not better.

Picture Archiving and Communication Systems (PACS) servers are extensively used by healthcare providers for archiving medical images and sharing those images with physicians for review, yet many healthcare providers are not ensuring their PACS servers have appropriate security. Consequently, medical images (X-Ray, MRI, CT Scans), along with personally identifiable patient information, is being exposed over the Internet. Anyone who knows where to look and how to search for the files can find them, view them and, in many cases, download the images without any authentication required. The images are not accessible due to software vulnerabilities. Data access is possible because of the misconfiguration of infrastructure and PACS servers.

Between July and September 2019, Greenbone Networks conducted an analysis to identify unsecured PACS servers around the globe. The study shed light on the scale of the problem. In the United States, 13.7 million data sets were found on unsecured PACS servers, which included 303.1 million medical images of which 45.8 million were accessible. The discovery was widely reported in the media at the time, and now further information on the scale of the problem has been released.

On Monday, November 18, Greenbone Networks issued an updated report that shows globally, 1.19 billion medical images have now been identified, increasing the previous total of 737 million by 60%. The results of 35 million medical examinations are online, up from 24 million.

In the United States, the researchers found 21.8 million medical examinations and 786 million medical images. 114.5 of those images were accessible and there are 15 systems that allow unprotected Web/FTP access and directory listing. In one PACS alone, the researchers found 1.2 million examinations and 61 million medical images. The researchers had full access to the data, which included the images and associated personally identifiable information. Greenbone Networks has confirmed that in the 24 hours prior to publication of its latest report, data access was still possible. “For most of the systems we scrutinized, we had – and still have – continued access to the personal health information,” explained Greenbone Networks CMS, Dirk Schrader.

Exposed Medical Images on PACS Servers. Source: Greenbone Networks

Earlier in November, Sen. Mark. R. Warner wrote to HHS’ Office for Civil Rights Director, Roger Severino, expressing concern over the apparent lack of action from OCR over the exposed files. Far from the situation improving following the announcement about the exposed data, it appears that very little is being done to secure the PACS servers and stop further data exposure.

The types of information in the images, which is classed as Protected Health Information (PHI) under HIPAA, includes names, dates of birth, examination dates, scope of the investigations, imaging procedures performed, attending physicians’ names, location of scan, number of images and, for 75% of the images, Social Security numbers.

The exposure of this data places patients at risk of identity theft and fraud, although there are other risks. Previously, security researchers have shown that flaws in the DICOM image format allows the insertion of malicious code. Images could therefore be downloaded, have malicious code inserted, and be uploaded back to the PACS. This could all be down without the knowledge of the data owner. For the purpose of the study, Greenbone Networks only investigated reading access, not image manipulation and upload.

Images were accessed and viewed using the RadiAnt DICOM Viewer. Instructions on configuration to view images using the RadiAnt DICOM Viewer are freely available online, as is the viewer and the list of IPs where the images are stored.

Greenbone Networks estimates that the exposed medical images and PHI has a value in excess of $1 billion dollars. The data could be used for a variety of nefarious purposes including identity theft, social engineering and phishing, and blackmail.

The exposure of the data is in violation of the Health Insurance Portability and Accountability Act (HIPAA), the EU’ s General Data Protection Regulation (GDPR), and many other data privacy and security laws. The data relates to more individuals in more than 52 countries.

The post Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion appeared first on HIPAA Journal.

Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach

Posted by HIPAA Journal

U.S. Senator, Mark. R. Warner (D-VA) has written to the Director of the HHS’ Office for Civil Rights, Roger Severino, expressing concern over the HHS response to the mass exposure of medical images by U.S. healthcare organizations.

Sen. Warner is the Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus. This is the latest in a series of communications in which he has voiced concerns about cybersecurity failures that have compromised the personal and private information of Americans. In February, Sen. Warner demanded answers from HHS agencies, NIST, and healthcare associations about healthcare cybersecurity following the continued increase in healthcare data breaches.

His recent letter to OCR was in response to a September 17, 2019 report about the exposure of millions of Americans’ medical images that were stored in unsecured picture archiving and communications systems (PACS).

The report detailed the findings of an investigation by ProPublica, German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, which revealed almost 400 million medical images could be freely downloaded from the internet without authentication.  Sen. Warner pointed out that at the time of writing the letter, “for all U.S. territories there are 114.5 million images accessible, 22.1 million patient records, and 400,000 Social Security numbers, impacting an estimated 5 million patients in 22 states.”

Sen. Warner stated in the letter that the exposure of the medical images not only has potential to cause harm to individuals, it is also damaging to national security. The types of exposed information could potentially be used by cybercriminals in phishing campaigns and for other malicious attacks, such as those aimed at spreading malware. Flaws in the DICOM protocol could be exploited to incorporate malicious code into medical images. Nation state actors or cybercriminal groups could have downloaded the images, inserted malicious code, and then uploaded the images without being detected.

One of the U.S. firms implicated in the ProPublica report was TridentUSA Health Services and one of its affiliates, MobileX USA. In September 2019, following publication of the report, Sen. Warner wrote to TridentUSA Health Services demanding answers about its cybersecurity practices and how the data of millions of Americans, which the company was responsible for keeping private, came to be exposed online and required no password or other means of authentication to access.

In his letter to OCR, Sen. Warner explained that TridentUSA Health Services, a HIPAA-covered entity, responded to his letter and stated it had passed an HHS Security Rule audit in March 2019. That audit was passed even though at the time of the audit medical images under its control were exposed online and could be freely accessed over the internet.

“As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling,” wrote Warner.

The exposure of PACS data was reported to US-CERT by the German Federal Office for Information Security. US-CERT made contact with Greenbone Networks and confirmed the exposed data had been received and said that the matter would be reported to the HHS. Greenbone Networks had no contact from HHS and no further contact from US-CERT.

The researchers in Germany also demonstrated to Sen. Warner that even on October 15, 2019, several US-based PACS have open ports that support unencrypted communications protocols. Those unsecured PACS could be accessed without authentication and a wide range of medical images could be viewed and downloaded, including X-rays and mammograms that contain sensitive patient information such as names and Social Security numbers. Those images and personal information were still accessible freely online on the date of writing the letter (Nov 8, 2019).

“As of writing this letter, TridentUSA Health Services is not included on your breach portal website and I have seen no evidence that, once contacted by US-CERT, you acted on that information in a meaningful way,” wrote Sen. Warner.

Sen. Warner has demanded answers to 5 questions:

The post Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach appeared first on HIPAA Journal.

HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation

Posted by HIPAA Journal

The U.S Department of Health and Human Services’ has increased the civil monetary penalties for HIPAA violations to take inflation into account, in accordance with the Inflation Adjustment Act.

The final rule was issued and took effect on Tuesday November 5, 2019. This rule increases the civil monetary penalties for HIPAA violations that occurred on or after February 18, 2019. Under the new penalty structure, the increases from 2018 to 2019 are detailed in the table below:

Penalty Tier Level of Culpability Minimum Penalty per Violation

(2018 » 2019)

 Maximum Penalty per Violation

(2018 » 2019)

 New Maximum Annual Penalty

(2018 » 2019)*
1 No Knowledge $114.29 » $117 $57,051 » $58,490 $1,711,533 » $1,754,698
2 Reasonable Cause $1,141 » $1,170 $57,051 » $58,490 $1,711,533 » $1,754,698
3 Willful Neglect – Corrective Action Taken $11,410 » $11,698 $57,051 » $58,490 $1,711,533 » $1,754,698
4 Willful Neglect – No Corrective Action Taken $57,051 » $58,490 $1,711,533 » $1,754,698 $1,711,533 » $1,754,698

Penalties for HIPAA violations that occurred prior to February 18, 2019 have increased to $159 per violation, with an annual cap of $39,936 per violation category.

Earlier this year, the HHS’ Office for Civil Rights announced that it had reduced the penalties for HIPAA violations in certain tiers after a review of the wording of the HITECH Act. The maximum penalty for a HIPAA violation in the highest tier remained at $1.711 million, per violation category per year. Prior to the review, the maximum HIPAA violation penalty was $1.711 million in all four penalty tiers.

*The notice of enforcement discretion, announced on April 30, 2019, capped the maximum annual penalties at $10,000 (Tier 1), $100,000 (Tier 2), $250,000 (Tier 3), and $1,711,533 (Tier 4). The notice of enforcement discretion stated that the reviewed penalty tiers would also be adjusted in line with inflation. The multiplier used by OCR to calculate the cost-of-living increases was based on the Consumer Price Index for all Urban Consumers (CPI–U) for October 2019, which was 1.02522. That would make the new maximum penalties under the notice of enforcement discretion $10,252.20 (Tier 1), $102,522 (Tier 2), $256,305 (Tier 3), and $1,754,698 (Tier 4).

While OCR’s notice of enforcement discretion states that OCR will be adopting the new, revised penalties, this has yet to be made official and is pending further rulemaking. The notification of enforcement discretion creates no legal obligations and no legal rights, so OCR could therefore legally use the above maximum penalty amount of $1,754,698 per violation category, per year across all penalty tiers.

Full details of the new penalty structures have been published in the Federal Register for all agencies, including the FDA, ACF, HRSA, AHRQ, OIG, CMS, and OCR and can be viewed here (PDF).

The post HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation appeared first on HIPAA Journal.

Vulnerabilities Identified in Medtronic Valleylab Energy Platform and Electrosurgery Products

Posted by HIPAA Journal

6 vulnerabilities have been identified in the Medtronic Valleylab energy platform and electrosurgery products, including one critical flaw that could allow an attacker to gain access to the Valleylab Energy platform and view/ overwrite files and remotely execute arbitrary code.

The vulnerabilities were identified by Medtronic which reported the flaws to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency under its responsible vulnerability disclosure policy.

Four vulnerabilities have been identified in the following Medtronic Valleylab products

  • Valleylab Exchange Client, Version 3.4 and below
  • Valleylab FT10 Energy Platform (VLFT10GEN) software Version 4.0.0 and below
  • Valleylab FX8 Energy Platform (VLFX8GEN) software Version 1.1.0 and below

The critical vulnerability is an improper input validation flaw in the rssh utility, which facilitates file uploads. Exploitation of the vulnerability would allow an attacker to gain administrative access to files, allowing those files to be viewed, altered, or deleted. The flaw could also allow remote execution of arbitrary code.

The flaw has been assigned two CVE codes – CVE-2019-3464 and CVE-2019-3463. A CVSS v3 base score of 9.8 has been calculated for the flaws.

The products also use multiple sets of hard-coded credentials. If those credentials were discovered by an attacker, they could be used to read files on a vulnerable device. This flaw has been assigned the CVSS code – CVE-2019-13543 – and has a CVSS v3 base score of 5.4.

Vulnerable products use a descrypt algorithm for operating system password hashing. If interactive, network-based logons are disabled, combined with the other vulnerabilities, an attacker could obtain local shell access and view these hashes. The flaw – CVE-2019-13539 – has a CVSS v3 base score of 7.0.

Medtronic has released a patch for the FT10 platform, which should be applied as soon as possible. The FX8 platform will be patched in early 2020. Medtronic notes that the above products are supplied with network connections disabled by default and the Ethernet port is disabled on reboot; however, the company is aware that users often enable network connectivity.

Until the patches are applied to correct the flaws, Medtronic advises users to disconnect vulnerable products from IP networks or ensure those networks are segregated and are not accessible over the internet or via other untrusted networks.

Two further vulnerabilities have been identified in the following Medtronic Valleylab energy and electrosurgery products:

  • Valleylab FT10 Energy Platform (VLFT10GEN)
    • Version 2.1.0 and lower and Version 2.0.3 and lower
  • Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States)
    • Version 1.20.2 and lower

The FT10/LS10 Energy Platform incorporates an RFID security mechanism for authentication between the platform and instruments to prevent inauthentic instruments from being used. This security mechanism can be bypassed. The flaw has been assigned the CVE code, CVS-2019-13531, and has a CVSS v3 base score of 4.8.

The RFID security mechanism does not apply read protection, which could allow full read access to RFID security mechanism data. This flaw – CVE-2019-3535 – has a CVSS v3 base score of 4.6.

A patch has been issued to correct both of these flaws.

The post Vulnerabilities Identified in Medtronic Valleylab Energy Platform and Electrosurgery Products appeared first on HIPAA Journal.

Texas Health and Human Services Commission Pays $1.6 Million HIPAA Penalty

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $1.6 million civil monetary penalty (CMP) on Texas Health and Human Services Commission (TX HHSC) for multiple violations of Health Insurance Portability and Accountability Act (HIPAA) Rules.

TX HHSC is a state agency that operates supported living centers, regulates nursing and childcare facilities, provides mental health and substance abuse services, and administers hundreds of state programs for people in need of assistance, such as individuals with intellectual and physical disabilities.

OCR launched an investigation following receipt of a breach report from the Department of Aging and Disability Services (DADS), a state agency that was reorganized into TX HHSC in September 2017. On June 11, 2015, DADS reported a security incident to OCR which stated that the electronic protected health information (ePHI) of 6,617 individuals had been exposed over the internet. The exposed information included names, addresses, diagnoses, treatment information, Medicaid numbers, and Social Security numbers.

The information was exposed during the migration of an internal CLASS/DBMD application from a private server to a public server. A flaw in the software of the application allowed ePHI to be accessed over the internet without any authentication. As a result of the flaw, private and highly sensitive information could be found and accessed through a Google search.

TX HHSC was unable to provide documentation to demonstrate compliance with three important provisions of HIPAA Rules. OCR determined that TX HHSC had violated four HIPAA provisions.

  • 45 C.F.R. § 164.308(a)(1 )(ii)(A) – Failure to conduct a comprehensive organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI
  • 45 C.F.R. § 164.312(a)(1) – Failure to implement access controls. Credentials were not required to access ePHI contained in its CLASS/DBMD
  • 45 C.F.R. § 164.312(b) – Failure to implement audit controls that recorded user access on the public server, which prevented TX HHSC from determining who had accessed ePHI in the application during the time it was exposed.
  • 45 C.F.R. § 164.502(a) – The above failures resulted in an impermissible disclosure of the ePHI of 6,617 individuals.

Under HIPAA, financial penalties are determined based on the level of culpability. OCR determined that the violations fell short of willful neglect and constituted reasonable cause – the second penalty tier. For each of the above classes of HIPAA violation, the minimum penalty for a violation is $1,000 up to a maximum financial penalty of $100,000 per year. The risk analysis failures, access controls failures, and audit control failures spanned from 2013 to 2017, hence the $1.6 million penalty.

“Covered entities need to know who can access protected health information in their custody at all times,” said OCR Director Roger Severino. “No one should have to worry about their private health information being discoverable through a Google search.”

We initially reported on the HIPAA penalty in March 2019 when it appeared that a settlement had been reached between TX HHSC and OCR over the HIPAA violations. The 86th Legislature of the State of Texas had voted to approve the settlement; however, it would appear that the proposed settlement was rejected. OCR issued a Notice of Proposed Determination on July 29, 2019.

TX HHSC did not contest the findings of OCR’s Notice of Proposed Determination and waived the right to a hearing. OCR imposed the CMP on TX HHSC on October 25, 2019.

This is the second HIPAA penalty to be announced by OCR this week. A few days ago, OCR announced a $3 million settlement had been reached with the University of Rochester Medical Center to resolve HIPAA violations related to the loss of unencrypted devices containing ePHI.

The TX HHSC CMP is the seventh HIPAA penalty of 2019. The latest CMP brings the total HIPAA fines for 2019 up to $9,949,000.

The post Texas Health and Human Services Commission Pays $1.6 Million HIPAA Penalty appeared first on HIPAA Journal.