Healthcare Information Technology

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018.

The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients.

Q2 2018 Healthcare Data Breaches

Month    Data Breaches    Records Exposed
April    45               919,395
May      50               1,870,699
June     47               353,548

Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary.

It is unclear whether any healthcare records were stolen in the breach, although data theft could not be ruled out. Many physical records were damaged by a fire started by the burglars, which activated the sprinkler system and caused water damage. Electronic equipment was also taken, although it was encrypted.

The second largest data breach of 2018 was reported by MSK Group in May. The orthopedic group detected unauthorized access of parts of its network that contained the protected health information of 566,236 patients.

The third largest breach of 2018 involved the exposure and potential theft of 538,127 records from LifeBridge Health. Malware had been installed on a server on which billing information and medical records were stored.

The fifth and sixth largest breaches of the year to date were reported in June. Oklahoma State University Center for Health Sciences experienced a 279,865-record breach when its computer network was hacked and Med Associates, Inc., discovered a desktop computer had been hacked resulting in the exposure of 276,057 patients’ PHI.

The Threat from Within

Protenus has drawn attention to the threat from insider breaches and the importance of detecting privacy breaches promptly. When medical records are accessed by employees without authorization, there is a 30% chance of an employee violating patient privacy again within 3 months and a 66% chance they will do so again within 6 months. One of the main problems for hospitals is the time taken to investigate and respond to insider threats. On average, one investigator monitors the ePHI access attempts of 4,000 employees across an average of 2.5 hospitals – a significant burden.

Out of every 1,000 healthcare employees, Protenus determined that 9 will breach patient privacy, most commonly by snooping on the medical records of family members. In Q2, 2018, 71.4% of insider breaches involved employees snooping on family members’ medical records.

30.99% of breaches (44) reported to the Office for Civil Rights in Q2 were insider breaches, and out of the 27 incidents for which details have been disclosed, the records of 421,180 patients were known to have been compromised. There were 25 incidents involving insider error and 18 incidents involving insider wrongdoing.
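The two insider patterns the report singles out, family-member snooping and repeat offending within a 3-month window, can be surfaced from an EHR access log. The following is an added example written for this article; it is not Protenus code, and the employees, patients, care-team assignments and log entries are constructed sample data.

```python
"""Insider-snooping detection over an EHR access log (added example, not part of
the Protenus report or platform). Flags accesses with no treatment relationship,
with extra weight when the patient looks like a family member (shared surname
and home address), then finds employees who re-offend inside a time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: employees, patients and an access log.
EMPLOYEES = {
    "e100": {"surname": "Garcia", "address": "12 Elm St"},
    "e200": {"surname": "Lee", "address": "9 Oak Ave"},
}
PATIENTS = {
    "p1": {"surname": "Garcia", "address": "12 Elm St"},   # same household as e100
    "p2": {"surname": "Smith", "address": "4 Pine Rd"},
    "p3": {"surname": "Garcia", "address": "77 Birch Ln"}, # same surname, other household
}
# Patients each employee is assigned to, i.e. a legitimate treatment relationship.
CARE_TEAM = {"e100": {"p2"}, "e200": {"p1", "p2", "p3"}}

ACCESS_LOG = [
    # (timestamp, employee_id, patient_id, action)
    ("2018-04-03T09:12:00", "e100", "p2", "view"),  # assigned patient: fine
    ("2018-04-05T13:40:00", "e100", "p1", "view"),  # family member, not assigned
    ("2018-06-20T08:05:00", "e100", "p3", "view"),  # same surname, not assigned
    ("2018-05-01T10:00:00", "e200", "p1", "view"),  # assigned clinician: fine
]


def classify_access(emp_id, pat_id):
    """Return a reason string if the access looks like snooping, else None."""
    if pat_id in CARE_TEAM.get(emp_id, set()):
        return None
    emp, pat = EMPLOYEES[emp_id], PATIENTS[pat_id]
    if emp["surname"] == pat["surname"] and emp["address"] == pat["address"]:
        return "possible family member (shared surname and address), no treatment relationship"
    if emp["surname"] == pat["surname"]:
        return "shared surname, no treatment relationship"
    return "no treatment relationship"


def find_suspicious_accesses(log):
    """Every log entry that classify_access flags, in log order."""
    findings = []
    for ts, emp_id, pat_id, action in log:
        reason = classify_access(emp_id, pat_id)
        if reason:
            findings.append({
                "ts": datetime.fromisoformat(ts),
                "employee": emp_id,
                "patient": pat_id,
                "action": action,
                "reason": reason,
            })
    return findings


def repeat_offenders(findings, window_days=90):
    """Employees with a second flagged access within window_days of an earlier one."""
    by_emp = defaultdict(list)
    for f in findings:
        by_emp[f["employee"]].append(f["ts"])
    repeats = set()
    for emp, times in by_emp.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= timedelta(days=window_days):
                repeats.add(emp)
    return repeats


if __name__ == "__main__":
    found = find_suspicious_accesses(ACCESS_LOG)
    for f in found:
        print(f["ts"], f["employee"], f["patient"], f["reason"])
    print("repeat offenders within 90 days:", repeat_offenders(found, 90))
```

In the constructed log, e100 is flagged twice 76 days apart, so the 90-day check reports a repeat offender while a 60-day window does not.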

Healthcare Hacking Incidents Increased in Q2 2018

The biggest cause of healthcare data breaches in Q2, 2018 was hacking/IT incidents which accounted for 36.6% of all reported breaches in the quarter. There were 52 hacking/IT incidents reported in Q2, compared to 30 in Q1 – a 73% increase. Those breaches resulted in the exposure/theft of at least 2,065,813 healthcare records.

Details were available for 44 breaches, ten of which were phishing-related breaches, 7 involved ransomware or malware, and one involved another form of extortion.

There were 23 reported cases of theft of physical or electronic records and a further 23 breaches that did not include enough information for them to be categorized. Overall, 84% of breaches involved electronic records and 16% involved paper records.

Healthcare providers were the worst hit with 76.37% of reported breaches, followed by health plans on 10.91%, business associates on 5.45%, and other entities on 7.27%.

The average time to discover a breach was 204 days and the median time was 18 days. The detection times ranged from one day to 1,587 days. From the available data, the average time to disclose breaches to the Office for Civil Rights was 71 days and the median time was 59 days. The maximum time frame under HIPAA for disclosing breaches is 60 days. California was the worst hit state with 20 incidents followed by Texas on 13.

The Protenus Q2 2018 healthcare data breach report can be downloaded on this link (PDF).

The post At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018 appeared first on HIPAA Journal.

More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched

OpenEMR is an open-source electronic health record management system that is used by many thousands of healthcare providers around the world. It is the leading free-to-use electronic medical record platform and is extremely popular.

Around 5,000 physician offices and small healthcare providers in the United States are understood to be using OpenEMR and more than 15,000 healthcare facilities worldwide have installed the platform. Around 100 million patients have their health information stored in the database.

Recently, the London-based computer research organization Project Insecurity uncovered a slew of vulnerabilities in the source code which could potentially be exploited to gain access to highly sensitive patient information, and potentially lead to the theft of all patients’ health information.

The Project Insecurity team chose to investigate EMR and EHR systems due to the large number of healthcare data breaches that have been reported in recent years. OpenEMR was the natural place to start as it was the most widely used EMR system and with it being open-source, it was easy to test the code without running into legal problems. The findings of the investigation into OpenEMR v5.0.1.3 are detailed in Project Insecurity’s vulnerability report (PDF).

After identifying around 20 serious vulnerabilities, Project Insecurity contacted the vendor on July 7, 2018 and gave it a month before public disclosure, allowing time for developers to correct the flaws.

One of the most serious vulnerabilities discovered allowed an attacker to bypass authentication on the Patient Portal Login. The bypass was simple, requiring next to no skill to pull off: an individual only needed to navigate to the registration page and modify the requested URL to access the desired page. By exploiting this flaw, it would be possible to view and alter patient records and potentially compromise all records in the database.

Project Insecurity also discovered nine SQL injection flaws that could be used to view data in a targeted database and perform other database functions; four flaws that would allow remote code execution and privilege escalation on the server; several cross-site request forgery vulnerabilities; three unauthenticated information disclosure vulnerabilities; an unrestricted file upload flaw; and flaws that made unauthenticated administrative actions and arbitrary file actions possible.

The vulnerabilities were identified through a manual review of the code and by modifying requests. No source code analysis tools were used. If the flaws had been found by a hacker, huge numbers of medical records could have been accessed, altered, and stolen.

OpenEMR has now issued patches to correct all the flaws identified by the Project Insecurity team.

The post More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched appeared first on HIPAA Journal.

Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps

An advisory has been issued by ICS-CERT about vulnerabilities in MedTronic MyCareLink Patient Monitors and the MiniMed 508 Insulin Pump. This is the second advisory to be issued about MyCareLink Patient Monitors in the past six weeks. In June, ICS-CERT issued a warning about the use of a hard-coded password (CVE-2018-8870) and an exposed dangerous method or function vulnerability (CVE-2018-8868).

The latest vulnerabilities to be discovered are an insufficient verification of data authenticity flaw (CVE-2018-10626) and the storage of passwords in a recoverable format (CVE-2018-10622). The vulnerabilities are present in all versions of the Medtronic MyCareLink 24950 and 24952 Patient Monitors.

If an attacker were to obtain per-product credentials from the monitor and the paired implanted cardiac device, it would be possible for invalid data to be uploaded to the Medtronic Carelink network due to insufficient verification of the authenticity of uploaded data. The vulnerability has been assigned a CVSS v3 score of 4.4 (medium severity).

The way that passwords are stored could allow them to be recovered by an attacker and used for network authentication and encryption of local data at rest. This vulnerability has been assigned a CVSS v3 score of 4.9 (medium severity).

The vulnerabilities were identified by security researchers at Whitescope LLC, who reported them to the National Cybersecurity and Communications Integration Center (NCCIC).

Medtronic has already taken steps to address the vulnerabilities. Server-side updates have been made to correct the data authenticity verification issue and further mitigations will be implemented shortly to enhance data integrity and authenticity. To reduce the risk of exploitation, Medtronic recommends users maintain good physical control over their home monitors and only use monitors that have been obtained from healthcare providers.

Two vulnerabilities have also been identified in the Medtronic MiniMed 508 Insulin Pump by the Whitescope researchers. The first is the cleartext transmission of sensitive information (CVE-2018-40634) and the second is an authentication bypass flaw that could be exploited in a capture replay attack (CVE-2018-14781).

The researchers discovered that communications between the insulin pump and wireless accessories are sent in cleartext, which could allow sensitive information such as the device serial number to be captured by an attacker. The vulnerability has been assigned a CVSS v3 score of 4.8 (medium severity).

When the insulin pump is paired with a remote controller and the easy-bolus and remote bolus options are set, the device is vulnerable to a capture-replay attack which would allow the wireless transmissions to be captured and replayed resulting in an additional insulin (bolus) delivery. The vulnerability has been assigned a CVSS v3 score of 5.3 (medium severity).

The vulnerabilities affect the following MiniMed insulin pumps and associated products: MMT 508 MiniMed insulin pump, MMT – 522 / MMT – 722 Paradigm REAL-TIME, MMT – 523 / MMT – 723 Paradigm Revel, MMT – 523K / MMT – 723K Paradigm Revel, and MMT – 551 / MMT – 751 MiniMed 530G.

Medtronic will not be issuing a fix to correct the flaws as devices are only vulnerable if the remote option is enabled. Devices are not vulnerable in their default configuration. Users can disable the easy bolus and remote bolus options if they have been set. If users wish to continue to use the easy bolus option, they should be attentive to device alerts when it is enabled and should turn off the easy bolus option when they are not intending to use the remote bolus option.
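The capture-replay finding above comes down to a missing freshness check: a receiver that accepts any well-formed command cannot tell a captured message from a live one. The following added example (not Medtronic's protocol or code; the message format, the shared key and the "pump" and "remote" classes are constructed for illustration) contrasts that with a command carrying a monotonic counter under an HMAC, which the receiver rejects on replay or tampering.

```python
"""Replay resistance for a wireless command channel (added example; a generic
design pattern, not the Medtronic protocol). A cleartext receiver accepts a
captured command a second time; an authenticated receiver with a monotonic
counter does not."""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


class CleartextPump:
    """Accepts any well-formed command, so a captured message replays successfully."""

    def __init__(self):
        self.delivered = 0

    def receive(self, msg: bytes) -> bool:
        if msg.startswith(b"BOLUS:"):
            self.delivered += int(msg[len(b"BOLUS:"):])
            return True
        return False


class AuthenticatedPump:
    """Accepts a command only if its MAC verifies and its counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far
        self.delivered = 0

    def receive(self, msg: bytes) -> bool:
        if len(msg) < 8 + TAG_LEN:
            return False
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return False  # replayed (or reordered) message: reject
        self.last_counter = counter
        self.delivered += int(body[8:].split(b":")[1])
        return True


class Remote:
    """Constructed remote controller: counter + command, authenticated with the shared key."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def bolus(self, units: int) -> bytes:
        self.counter += 1
        body = struct.pack(">Q", self.counter) + b"BOLUS:%d" % units
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


def demo():
    """Returns (cleartext units delivered, authenticated units delivered,
    first authenticated delivery accepted?, replay accepted?)."""
    key = b"constructed-shared-key"  # assumption: provisioned at pairing time
    clear = CleartextPump()
    captured = b"BOLUS:2"
    clear.receive(captured)
    clear.receive(captured)  # the replay is indistinguishable and is accepted

    auth = AuthenticatedPump(key)
    remote = Remote(key)
    msg = remote.bolus(2)
    first = auth.receive(msg)
    replay = auth.receive(msg)  # same counter: rejected
    return clear.delivered, auth.delivered, first, replay


if __name__ == "__main__":
    print(demo())  # (4, 2, True, False)
```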

The post Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps appeared first on HIPAA Journal.

OCR Reminds Healthcare Organizations of HIPAA Rules for Disposing of Electronic Devices and Media

In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media.

Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner.

HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes.

Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI.

If electronic devices are not disposed of securely and a data breach occurs, the costs to a healthcare organization can be considerable. Patients must be notified, it may be appropriate to pay for credit monitoring and identity theft protection services, and third-party breach response consultants, forensic investigators, and public relations consultants may need to be hired. OCR and/or state attorneys general may conduct investigations and substantial financial penalties may be applied. Breach victims may also file lawsuits over the exposure of their financial information.

The costs all add up. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute/IBM Security highlighted the high cost of data breaches, in particular healthcare data breaches. The average cost of a breach of up to 100,000 records was determined to be $3.86 million. Healthcare data breaches cost an average of $408 per exposed record to mitigate, while the cost of data breaches of one million or more records was estimated to be between $40 million and $350 million.

It is not possible to ensure that all ePHI is disposed of securely if an organization does not know all systems and devices where PHI is stored. A full inventory of all equipment that stores ePHI must be created and maintained. When new equipment is purchased the list must be updated.

A full risk analysis should be conducted to determine the most appropriate ways to protect data stored on electronic devices and media when they reach the end of their lifespan.

Organizations must develop a data disposal plan that meets the requirements of 45 C.F.R. §164.310(d)(2)(i)-(ii). Paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. OCR notes that “Redaction is specifically excluded as a means of data destruction.”

Electronic devices should be “cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization,” to ensure that ePHI cannot be retrieved. If reusable media are in use, it is important to ensure that all data on the devices are securely erased prior to the devices being reused. Before electronic devices are scrapped or disposed of, asset tags and corporate identifying marks should be removed.

Third party contractors can be used to dispose of electronic devices, although they would be considered business associates and a business associate agreement would need to be in place. All individuals required to handle the devices must be aware of their responsibilities with respect to ePHI and its safe handling and should be subjected to workforce clearance processes.

Organizations should also consider the chain of custody of electronic equipment prior to destruction. Physical security controls should be put in place to ensure the devices cannot be stolen or accessed by unauthorized individuals and security controls should cover the transport of those devices until all data has been destroyed and is no longer considered ePHI.

The OCR newsletter, together with further information on secure disposal of ePHI and PHI, can be found on this link (PDF).

The post OCR Reminds Healthcare Organizations of HIPAA Rules for Disposing of Electronic Devices and Media appeared first on HIPAA Journal.

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform.

The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victim to phishing attacks that have resulted in cybercriminals gaining access to employees’ email accounts and the PHI contained therein.

Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats.

Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams.

However, security teams can struggle to identify real threats quickly. Employees will typically report a wide range of emails, not just malicious messages. Most organizations will see their abuse mailboxes fill up rapidly and security teams often waste valuable time sifting through messages to find the real threats.

Cofense has attempted to solve the problem with the release of a SOAR platform that helps incident response teams identify and mitigate phishing attacks in progress much more rapidly. Cofense Triage allows incident response teams to rapidly assess, analyze, and remediate phishing attacks in real-time by filtering out the noise.

Cofense Triage has recently been enhanced with new features that allow third-party security solutions to be integrated through its REST API to ensure an optimized, security orchestration response. Remediating phishing threats has been made easier through automation using playbooks and workflows – sets of criteria that will automatically execute a response to mitigate an attack if certain criteria are met.

Now the Leesburg, VA-based anti-phishing vendor has developed a new anti-phishing solution – Cofense Vision – which will soon be incorporated into its phishing-specific SOAR. Cofense Vision – due to be generally available in Q4 2018 – will make it easier and quicker to identify all phishing emails in a campaign and quarantine them rapidly to neutralize the threat.

When a phishing email is identified, it is unlikely to be the only copy of the message in an organization’s email system. Tens or even hundreds of copies may be hiding in other inboxes, including carbon copies of the message, variations along the same theme, and totally different messages containing the same malicious payload.

Cofense Vision helps incident response teams search, identify, and quarantine all phishing emails in a particular campaign, querying messages by sender, date, subject, attachment name, attachment hash, and many more criteria. When all messages have been identified, they can be quarantined with a single click, removing all malicious messages from an organization’s entire email system.

This is just one of a host of new anti-phishing solutions that can be deployed to help healthcare organizations deal with the threat of phishing. As news breaks of a million-record-plus healthcare phishing attack, advanced phishing solutions are clearly needed to tackle the threat to the confidentiality, integrity, and availability of PHI.
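The campaign-wide search the article describes (pivoting from one reported message on sender, subject and attachment hash, then quarantining every copy) can be sketched independently of any product. The following is an added example written for this article, not Cofense code; the mailbox contents, sender addresses and attachment bytes are constructed sample data.

```python
"""Campaign-wide phishing search and quarantine planning (added example, not
Cofense code). Starting from one reported message, pivots on sender, normalized
subject and attachment hash to find the other copies and variants."""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    msg_id: str
    mailbox: str
    sender: str
    subject: str
    attachments: dict = field(default_factory=dict)  # filename -> content bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_subject(subject: str) -> str:
    """Strip reply/forward prefixes and extra whitespace so 'RE: Invoice' matches 'Invoice'."""
    s = re.sub(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", s).strip().lower()


def attachment_hashes(msg: Message) -> set:
    return {sha256_hex(content) for content in msg.attachments.values()}


# Constructed mailbox contents; PAYLOAD stands in for the shared malicious attachment.
PAYLOAD = b"%PDF-1.4 constructed-malicious-payload"
MAILBOX = [
    Message("m1", "alice", "billing@invoice-portal.example", "Invoice overdue", {"invoice.pdf": PAYLOAD}),
    Message("m2", "bob", "billing@invoice-portal.example", "Invoice overdue", {"invoice.pdf": PAYLOAD}),
    Message("m3", "carol", "accounts@invoice-portal.example", "RE: Invoice  overdue", {"scan.pdf": PAYLOAD}),
    Message("m4", "dave", "billing@invoice-portal.example", "Your statement", {}),
    Message("m5", "erin", "hr@corp.example", "Team lunch Friday", {"menu.pdf": b"legit menu"}),
]


def find_campaign(seed_id: str, store: list) -> dict:
    """Return {msg_id: [criteria that matched]} for every message tied to the seed."""
    seed = next(m for m in store if m.msg_id == seed_id)
    seed_subject = normalize_subject(seed.subject)
    seed_hashes = attachment_hashes(seed)
    matches = {}
    for m in store:
        criteria = []
        if m.sender == seed.sender:
            criteria.append("sender")
        if normalize_subject(m.subject) == seed_subject:
            criteria.append("subject")
        if attachment_hashes(m) & seed_hashes:
            criteria.append("attachment_hash")
        if criteria:
            matches[m.msg_id] = criteria
    return matches


def quarantine_plan(matches: dict, store: list) -> dict:
    """Group matched message ids by mailbox so they can be pulled in one action."""
    plan = {}
    for m in store:
        if m.msg_id in matches:
            plan.setdefault(m.mailbox, []).append(m.msg_id)
    return plan


if __name__ == "__main__":
    hits = find_campaign("m1", MAILBOX)  # m1 is the message an employee reported
    for msg_id, why in hits.items():
        print(msg_id, "matched on", ", ".join(why))
    print(quarantine_plan(hits, MAILBOX))
```

Matching on the seed's pivots alone keeps the search conservative; widening it transitively (treating each hit's sender or subject as a new pivot) finds more variants but needs a review step before one-click quarantine.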

The post Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform appeared first on HIPAA Journal.

Warnings Issued Following Increase in ERP System Attacks

The United States Computer Emergency Readiness Team (US-CERT) has warned businesses about the increasing risk of cyberattacks on enterprise resource planning (ERP) systems such as the cloud-based ERPs developed by SAP and Oracle.

These web-based applications are used to manage a variety of business operations, including finances, payroll, billing, logistics, and human resources functions. Consequently, these systems contain a treasure trove of sensitive data – the exact types of data sought by cybercriminals for fraud and cyber espionage.

Further, many businesses rely on their ERP systems to function. A cyberattack that takes those systems out of action can have catastrophic consequences, making the systems an attractive target for sabotage by hacktivists and nation state backed hacking groups.

The US-CERT warning follows a joint report on the increasing risk of ERP system attacks by cybersecurity firms Digital Shadows and Onapsis. The report focused on two of the most widely used ERP systems: SAP HANA and Oracle E-Business.

The authors explained that the number of publicly available exploits for SAP and Oracle E-Business has increased by 100% over the past three years and that detailed information on how to attack these systems is being exchanged on darknet forums.

“ERP applications are being actively targeted by a variety of cyber-attackers across different geographies and industries,” wrote the authors. Some hackers have repurposed banking malware (Dridex) to obtain ERP system logins as demand for stolen credentials has increased significantly.

Access to ERP servers is often sought in order to mine cryptocurrencies. The researchers note that one cybercriminal group used a publicly available exploit for WebLogic to gain access to servers to install Monero mining software. Through that single attack the group managed to generate $226,000 in Monero coins. The researchers note that there is plenty of chat about using SAP servers to mine cryptocurrency on Internet Relay Chat (IRC) channels.

When ERP systems are connected to the Internet they are much more vulnerable to attack. The researchers note that internet-connected ERP systems are not difficult to find. More than 17,000 internet-connected ERPs were identified by the researchers that could potentially be accessed using dictionary or brute force tactics to guess logins. Many exploits are available for vulnerabilities that allow remote code execution, with more than 50 SAP exploits and 30 Oracle exploits being actively traded on darknet forums.

ERP system developers regularly release patches to address flaws in the software. As with any software solution, patches should be applied promptly. However, all too often patching is delayed due to the complexity of system architectures and customized functionality, which can make patching problematic. Those delays or the failure to apply patches plays into cybercriminals’ hands.

The researchers explain that prompt patching is critical. Additionally, strong, unique passwords should be used, and users should only have the privileges they need for their job role. ERP applications should be checked for uninstalled patches and insecure configurations, and unused APIs and unnecessary internet-facing logins should be disabled. Companies need to do as much as they can to reduce the attack surface.

The report is essential reading for IT security teams at all businesses that use ERP systems. The ERP Applications Under Fire report can be downloaded on this link.

The post Warnings Issued Following Increase in ERP System Attacks appeared first on HIPAA Journal.

FDA Issues New Guidance on Use of EHR Data in Clinical Investigations

The U.S. Food and Drug Administration has released new guidance on the use of EHR data in clinical investigations and the requirement to ensure that appropriate controls are in place to ensure the confidentiality, integrity, and availability of data.

While the guidance is non-binding, it provides healthcare organizations with valuable information on steps to take when deciding whether to use EHRs as a source of data for clinical investigations, how to use them and ensure the quality and integrity of EHR data, and how to make sure that any data collected and used as an electronic source of data meets the FDA’s inspection, recordkeeping and data retention requirements.

The aim of the guidance is to promote the interoperability of EHR and EDC systems and facilitate the use of EHR data in clinical investigations, such as long-term studies on the safety and effectiveness of drugs, medical devices, and combination products.

The guidance does not apply to data collected for registries and natural history studies, the use of EHR data to evaluate the feasibility of trial design or as a recruitment tool for clinical investigations, or the use of EHR data in postmarketing observational pharmacoepidemiologic studies that assess adverse events and risks associated with drug exposure or those that are designed to test prespecified hypotheses for such studies.

The FDA is aware that EHRs have the potential to provide researchers with access to real-time data for reviews and allow post-trial follow-ups on patients to determine the long-term effectiveness of specific treatments. They also provide access to the data of large numbers of patients, which can be particularly useful in clinical investigations, especially when certain outcomes are rarely observed. The use of EHR data in clinical investigations is broadly encouraged by the FDA.

However, it is important for best practices to be adopted to ensure patient privacy is protected, data integrity is maintained, and data are secured at all times.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 required the Office of the National Coordinator of Health IT (ONC) to establish a voluntary certification program for Health IT. Certified EHRs comply with 45 CFR part 170 of the HITECH Act which covers interoperability and data security and confirms EHRs meet minimum requirements for privacy and security.

The FDA recommends that only certified EHR systems are used in clinical investigations and that policies and procedures on their use should be developed. The FDA recommends that a list of EHR systems is maintained, detailing the manufacturer of the system, the model number, version number, and whether it is certified by ONC.

There may be times when EHRs are de-certified by ONC during the clinical investigation, as they may no longer meet appropriate standards. In such cases, sponsors should determine the reason for de-certification and its impact on the quality and integrity of data used in the clinical investigation.

At times, it may be necessary to incorporate data from EHR systems used in other countries, which are not certified by ONC. While the use of data from these systems is acceptable, and can be highly beneficial for clinical investigations, sponsors should evaluate whether the systems have appropriate privacy and security controls in place to ensure the confidentiality, integrity, and availability of data.

Sponsors should ensure that policies and procedures for these EHRs are in place at the investigation site and appropriate measures have been implemented to protect study data. They must also ensure that access to the electronic systems housing the EHRs is limited to authorized personnel. Authors of the records must be clearly identifiable, audit trails need to be maintained, and records need to be available and retained for FDA inspection.

If these controls are not in place, sponsors should consider the risks associated with using those systems, including the potential for harm to research subjects, the impact on data integrity of the clinical investigation, and the regulatory implications.

The guidelines also suggest EHRs not certified by ONC should meet various data standards, and the guidance offers advice about choosing between structured and unstructured data, and the validation of interoperability between EHRs and electronic data capture (EDC) systems.

The post FDA Issues New Guidance on Use of EHR Data in Clinical Investigations appeared first on HIPAA Journal.

Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data

The UK’s National Health Service (NHS) has announced that approximately 150,000 patients who had opted out of having their health data shared for the purposes of clinical research and planning have had their data shared against their wishes.

In the UK, there are two types of opt-outs patients can choose if they do not want their confidential health data shared. A type 1 opt-out allows patients to stop the health data held in their general practitioner (GP) medical record from being used for anything other than their individual care. A Type 2 opt-out is used to prevent health care data being shared by NHS Digital for purposes other than providing individual care.

150,000 patients who had registered a Type 2 opt-out have had their data shared. The impermissible sharing of health data occurred as a result of an error by one of the NHS’s EHR vendors, TPP. TPP provides the NHS with the SystmOne EHR system, which is used in many GP practices throughout the UK.

A coding error in the system meant that these Type 2 requests were not passed on to NHS Digital, and as a result, NHS Digital was unaware that opt-outs had been registered. Patients affected had opted out after March 31, 2015.

Action has now been taken to correct the error and all patients affected have been notified. NHS Digital has also contacted all organizations with whom the data were shared and they have been instructed to permanently delete the data received since the opt-outs were registered.

The NHS had implemented changes prior to the discovery of this breach that will prevent such an incident from occurring in the future. The Type 2 opt-outs have now been replaced with a national opt-out system, in which patients are able to control their data sharing preferences via a secure website, by phone, or by submitting a written request. This system ensures that NHS Digital receives the requests directly, rather than the previous system, which saw the requests recorded via GP practices on third-party systems.

While the issue has now been corrected and similar privacy breaches should be prevented, what is of particular concern is the length of the breach. This suggests the appropriate processes were not in place to continuously monitor the EHR system for errors.

Healthcare organizations in the U.S. should take note of the breach and take steps to ensure similar privacy breaches cannot occur at their own organization. It is important to ensure that current and future vendors have appropriate systems in place to monitor for errors and security flaws and that they meet all appropriate standards.

While EHR vendors, as business associates, can be fined directly for errors and mistakes that lead to the exposure of PHI, healthcare providers can similarly be fined if they have failed to obtain assurances that HIPAA Rules will be followed by their vendors, and breaches can also cause significant damage to reputation.

The post Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data appeared first on HIPAA Journal.