HIPAA Breach News

Electrostim Medical Services Data Breach Impacts 543,000 Patients

The Florida medical device company Electrostim Medical Services, Inc., which does business as EMSI, has recently confirmed that it suffered a cyberattack in May 2023 which involved access to parts of the network containing patient data. The Electrostim Medical Services data breach has recently been reported to the HHS’ Office for Civil Rights as affecting 542,990 patients.

Suspicious activity was detected within its network on May 13, 2023, and after securing its systems, third-party cybersecurity specialists were engaged to assess the nature and scope of the incident. The investigation confirmed that unauthorized individuals had access to its network for around two weeks between April 27, 2023, and May 13, 2023. While data theft was not confirmed, the unauthorized individuals had access to parts of the network containing patients’ protected health information and that information may have been copied. Electrostim Medical Services said it has not learned of any instances of attempted or actual misuse of patient data as a result of the security incident.

The breach notifications explained that the delay in notifications was due to an extensive review of its network to determine the individuals and data types involved, and a review of internal records to identify contact information to allow notification letters to be sent. The types of information involved varied from individual to individual and may have included the following: name, address, email address, phone number(s), diagnosis, insurance information, subscriber number, and product(s) prescribed and billed.

Electrostim Medical Services said notification letters were mailed in late December and steps have been taken to improve network security.

The post Electrostim Medical Services Data Breach Impacts 543,000 Patients appeared first on HIPAA Journal.

ConsensioHealth Ransomware Attack Affects 61,000 Patients

The Wisconsin-based medical billing service, ConsensioHealth, has recently notified 60,871 individuals about a July 2023 ransomware attack. The attack was discovered on July 3, 2023, when staff were prevented from accessing files on the network. Steps were immediately taken to prevent further unauthorized access and third-party cybersecurity experts were engaged to assist with the investigation and to help determine whether patient data was accessed or copied from its systems. The investigation confirmed that data had been stolen, and on November 7, 2023, it was confirmed that some of those files contained the data of patients of the following covered entities:

  • Emergency Medicine Specialists, S.C.
  • Ascension Wisconsin
  • Wisconsin Urgent Care
  • Kenosha Urgicare
  • Fox Valley Emergency Medicine
  • Dr. Linda Jingle
  • Woundcare Innovations of Golf Land

The impacted data varied from individual to individual and may have included the following data types: name, address, date of birth, driver’s license or other state identification number, Social Security number, account access credentials, health insurance information, medical treatment and diagnosis information, medical treatment cost information, patient account number, Medicare or Medicaid number, healthcare provider information, and prescription information.

ConsensioHealth said its information security practices have been reviewed and updated and additional security measures have been implemented.

Southeastern Orthopaedic Specialists Data Incident Affects 35,500 Patients

Southeastern Orthopaedic Specialists in Greensboro, NC, has identified unauthorized access to its network and the potential theft of the protected health information of 35,533 patients.

The Southeastern Orthopaedic Specialists substitute breach notice is devoid of any meaningful information about the data incident, which is described as “a cybersecurity incident that impacted its IT systems.” The breach notice does not state when the breach occurred, when it was detected, for how long hackers had access to the network, whether there was access to patient data, if data was stolen, what types of data were exposed or stolen, or the nature of the attack.

The December 19, 2023, notice only states that no evidence of fraud or identity theft was identified, which may lead the affected individuals to believe that there is little risk; however, there is insufficient information in the notice to allow the affected individuals to gauge the level of risk they face. The breach was sufficiently severe to warrant providing the affected individuals with complimentary credit monitoring and identity theft protection services, and it is strongly advisable to take advantage of those services.

Data of Healthcare Clients Exposed in Burr & Forman Cyberattack

The Birmingham, Alabama Am Law 200 firm, Burr & Forman, has recently confirmed that it fell victim to a cyberattack in October 2023 which resulted in unauthorized access to client data, including two clients that are covered by HIPAA. Suspicious activity was detected on one of its laptops in October and the laptop was immediately isolated to prevent further access.

According to the law firm Constangy, Brooks, Smith & Prophete, which is representing Burr & Forman, the cyberattack was detected promptly and was rapidly contained but it was not possible to prevent unauthorized access to documents on its systems. On November 10, 2023, it was confirmed that there had been access to the data of its client Oceans Healthcare, and one other unnamed HIPAA-covered entity. In total the personal and protected health information of 19,893 individuals was exposed.

Burr & Forman was provided with personal information in connection with the legal services provided to its healthcare clients and that information included names, Social Security numbers, medical coding information, dates of service, and insurance information. In its substitute breach notification, Burr & Forman confirmed it is notifying the individuals affected and has provided resources to assist them, and has enhanced network security to prevent similar breaches in the future.

Sharp Health Plan Notifies Members About MOVEit Hack and Mismailing Incident

8,200 Sharp Health Plan members have recently been notified that some of their protected health information was compromised in a hacking incident at one of its business associates, Delta Dental. Delta Dental used the MOVEit Transfer file transfer solution, which was hacked by the Clop hacking group and data were exfiltrated between May 27 and May 30, 2023. Delta Dental’s investigation indicated in July 2023 that Sharp Health Plan member information may have been involved, and that was confirmed on November 17, 2023; however, it took until late December to determine which members had been affected. The stolen data was limited to members’ first and last names, Social Security numbers, dental provider names, health insurance, and treatment cost information. The affected individuals are being notified directly by Delta Dental.

Sharp Health Plan has also notified certain members about a mismailing incident that occurred on December 26, 2023. A system error in the software of the health plan’s mailing vendor resulted in members’ names being omitted from the envelopes. Without a name on the envelopes, other household members may have opened the letters. The letters listed the intended recipient’s name, address, and behavioral health provider’s name, and confirmed that the member visited the provider in 2023.

Rebekah Children’s Services Reports September 2023 Cyberattack

Rebekah Children’s Services in Gilroy, CA, identified suspicious activity on its network on September 5, 2023, and engaged a third-party forensics firm to investigate to determine the nature of the attack. The forensic investigation confirmed that hackers had gained access to parts of the network where protected health information was stored, and the file review confirmed that names, addresses, Social Security numbers, dates of birth, health information, health insurance information, treatment information, medications, and driver’s license numbers had potentially been obtained. Steps have been taken to improve security and the 2,805 affected individuals have been notified and offered complimentary access to single bureau credit monitoring services.

Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit

Novant Health has agreed to settle a class action lawsuit that stemmed from its use of tracking pixels on its MyChart patient portal. The pixel code on the patient portal collected the personally identifiable information of users with the goals of “improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care”; however, the information collected was also transferred to third-party technology companies that were not authorized to receive the data.

The North Carolina health system was the first healthcare provider to report a pixel-related HIPAA violation to the HHS Office for Civil Rights (OCR). In the summer of 2022, Novant Health said the protected health information of up to 1,362,296 individuals had been disclosed to third parties such as Meta (Facebook) between May 1, 2020, and Aug. 12, 2022. The HIPAA breach was reported several months before OCR issued guidance on HIPAA and tracking pixels confirming that pixel-related disclosures of protected health information to third parties violated HIPAA. Novant Health was one of many health systems to use the code on its patient portal. According to one study, 99% of hospitals in the United States used pixels or other tracking technologies on their websites, apps, or patient portals that collected visitor information and transferred that data to third parties.

The lawsuit against Novant Health was filed on behalf of 10 Novant Health patients and similarly situated individuals who used the patient portal while the Meta Pixel code was present and alleged invasion of privacy, breach of contract, and violations of the Health Insurance Portability and Accountability Act. Novant Health maintains there was no wrongdoing and the decision to settle the lawsuit was taken to put an end to the litigation and avoid further legal costs and the uncertainty of trial.

“Novant Health takes privacy and the care of personal information very seriously and values patient trust to keep patients’ medical information private. Novant Health will continue to be as transparent as possible and provide information to patients,” said a spokesperson for Novant Health regarding the proposed settlement. “The proposed settlement is not an admission of wrongdoing, and the court did not find any wrongdoing on the part of Novant Health.”

Under the terms of the settlement, class members – individuals who used the MyChart portal between May 1, 2020, and Aug. 12, 2022 – will be eligible to submit claims for a share of the $6.6 million settlement fund. Claims will be paid pro rata once legal costs, expenses, and attorneys’ fees have been paid. Novant Health is one of several healthcare providers to have been sued over the use of pixels and other tracking technologies, including Advocate Aurora Health, which chose to settle its lawsuit for $12.225 million.

LockBit Ransomware Group Behind Capital Health Cyberattack

Capital Health Systems in New Jersey has recently announced that it fell victim to a cyberattack in late November that temporarily disrupted its IT systems. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell – and an outpatient facility in Hamilton Township. While the attack caused a network outage, care continued to be provided to patients at its hospitals and their emergency rooms continued to receive patients.

Capital Health has confirmed that all systems have now been restored and all services are available at Capital Health facilities; however, the investigation into the cyberattack is ongoing and it has yet to be determined to what extent patient and employee data was involved. Capital Health said law enforcement was immediately notified about the attack and third-party forensic and information technology experts were engaged to assist with the investigation and breach response.

Capital Health has yet to confirm the extent of any data breach but the hacking group behind the attack claims to have stolen more than 10 million files, including 7 TB of medical confidentiality data, and threatened to publish the stolen data if the ransom is not paid. The LockBit ransomware group usually engages in double extortion tactics, where sensitive data are stolen and files are encrypted using ransomware. A ransom demand is issued, and payment is required to obtain the keys to decrypt files and to prevent the publication of the stolen data. In this attack, the group said it deliberately did not encrypt files and only stole patient data as it was not its intention to cause any disruption to patient care. While ransomware was not used, these attacks can still cause network outages as part of incident response processes and therefore still have the potential to disrupt patient care.

Capital Health was given a deadline of January 9, 2024, to prevent the release of the stolen data. While Capital Health was added to the LockBit 3.0 data leak site, the listing has since been removed. Further information on the extent of the data breach will be released as the investigation progresses and notification letters will be issued if data theft is confirmed.

Lawsuit Filed Over Capital Health Cyberattack

The extent of the data breach has yet to be confirmed and notification letters have not yet been mailed by Capital Health but a lawsuit has already been filed against Capital Health over an alleged data breach. The lawsuit was filed on behalf of Capital Health patient Bruce Graycar and similarly situated individuals by attorney Ken Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert.

The lawsuit alleges the plaintiff has suffered injuries as a result of the attack and that the failure of Capital Health to issue prompt notifications to the affected individuals has exacerbated the injuries, as the plaintiff and class were unaware that it was necessary to take steps to protect themselves against misuse of their private healthcare information. The lawsuit alleges injuries have been suffered including damage to and the diminution in the value of private information, invasion of privacy, and a present, imminent, and impending injury due to an increased risk of identity theft and fraud.

ReproSource Fertility Diagnostics Proposes $1.25 Million Class Action Data Breach Settlement

ReproSource Fertility Diagnostics has proposed a settlement to resolve litigation stemming from a 2021 ransomware attack that potentially resulted in the theft of the sensitive health data of up to 350,000 patients. The Marlborough, MA-based fertility testing laboratory, which is owned by Quest Diagnostics, had its network breached on August 8, 2021. The intrusion was detected on August 10 when ransomware was deployed. The forensic investigation confirmed that the parts of the network that the threat actors could access included files that contained sensitive health information.

The data exposed included names, addresses, phone numbers, email addresses, dates of birth, billing, and health information, such as CPT codes, diagnosis codes, test requisitions, and results, test reports and/or medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians, and for a limited number of individuals, Social Security numbers, financial account numbers, driver’s license numbers, passport numbers, and/or credit card numbers.

While no evidence of data exfiltration was found, data theft could not be ruled out, so ReproSource notified approximately 350,000 individuals on October 21, 2023, and was promptly sued. Two class action lawsuits were consolidated into a single lawsuit as they made similar allegations – that ReproSource was negligent by failing to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to patient data. The lawsuits alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and data breach notification and consumer protection laws in Massachusetts.

The decision was taken to settle the litigation with no admission of wrongdoing. Under the terms of the settlement, class members may submit claims for up to $3,000 to cover out-of-pocket, unreimbursed losses that are reasonably traceable to the data breach, including up to 8 hours of lost time, three years of credit monitoring services, and a $1 million identity theft insurance policy. Alternatively, class members can claim a cash payment of $50. $1.25 million has been set aside to cover claims, which will be paid pro rata if that total is reached. Class members who were California residents at the time of the breach will be entitled to an additional $50 payment.

The consolidated lawsuit also sought injunctive relief, which included major upgrades to data security to prevent similar cyberattacks and data breaches in the future. The settlement also includes the requirement for ReproSource to make significant improvements to its information security program, including enhancing its monitoring and detection tools. The settlement will need to receive final approval from a Massachusetts judge.

HMG Healthcare Data Breach Affects 80,000 Individuals

HMG Healthcare, LLC, a Texas-based healthcare services provider, has recently confirmed that the protected health information of up to 80,000 individuals was exposed and potentially stolen in a cyberattack that was detected in November 2023.

A forensic investigation was launched after suspicious network activity was detected, which confirmed that unauthorized individuals first gained access to its network in August 2023. The investigation also confirmed that unencrypted files were copied, but it “was not feasible” to identify exactly what types of information were obtained by the hackers. It is unclear why that determination was made, such as whether there was insufficient logging or whether a comprehensive review would have proved too time-consuming and costly. HMG Healthcare said the files that were removed from its network likely contained information such as names, dates of birth, contact information, general health information, medical treatment information, Social Security numbers, and/or employment records.

The exact nature of the attack was not disclosed; however, HMG Healthcare did explain that it “worked diligently to ensure the stolen files were not further shared by the hackers,” which suggests that the hacking group behind the attack attempted to extort HMG Healthcare and payment was made to prevent the publication/sale of the stolen data. It is currently unclear which group was behind the attack.

The breach has affected employees and residents at 40 affiliated nursing facilities in Texas and Kansas:

  • Accel at College Station
  • Arbor Court Retirement Community at Alvamar (Independent Living)
  • Arbor Court Retirement Community at Salina (Independent Living)
  • Arbor Court Retirement Community at Topeka (Independent Living)
  • Arbrook Plaza
  • Cimarron Place Health & Rehabilitation Center
  • Crowley Nursing and Rehabilitation
  • Deerbrook Skilled Nursing & Rehab
  • Forum Parkway Health & Rehabilitation
  • Friendship Haven Healthcare & Rehab Center
  • Green Oaks Nursing and Rehabilitation
  • Gulf Pointe Plaza
  • Gulf Pointe Village (Assisted Living Only)
  • Harbor Lakes Nursing and Rehabilitation Center
  • Hewitt Nursing and Rehabilitation
  • Holland Lake Rehabilitation and Wellness Center
  • Lone Star Rehabilitation and Wellness Center
  • Methodist Transitional Care Center
  • Mission Nursing and Rehabilitation Center
  • Northgate Plaza (Legacy)
  • Park Manor of BeeCave (Legacy)
  • Park Manor of Conroe
  • Park Manor of CyFair
  • Park Manor of Cypress Station
  • Park Manor of Humble
  • Park Manor of Mckinney (Legacy)
  • Park Manor of Quail Valley
  • Park Manor of South Belt
  • Park Manor of The Woodlands
  • Park Manor of Tomball
  • Park Manor of Westchase
  • Pecan Bayou Nursing and Rehabilitation
  • Red Oak Health and Rehabilitation Center
  • Silver Spring Health & Rehabilitation Center
  • Smoky Hill Health and Rehabilitation
  • Stallings Court Nursing and Rehabilitation
  • Stonegate Nursing and Rehabilitation
  • Tanglewood Health and Rehabilitation
  • Treviso Transitional Care
  • Willowbrook Nursing Center

The substitute breach notice on the HMG Healthcare website advises the affected individuals to monitor their account statements and credit reports to identify any suspicious activity but makes no mention of credit monitoring and identity theft protection services being offered. HMG Healthcare said it has increased its data security protocols to prevent similar cyberattacks and data breaches in the future.

PHI Exposure Reported by Lone Peak Physical Therapy and First Choice Dental

Patient Records Potentially Viewed at Lone Peak Physical Therapy

Lone Peak Physical Therapy, the operator of 10 physical therapy centers in Montana, had a break-in at its Bozeman billing office and clinical space on October 21, 2023. The break-in was detected on Monday, October 23, 2023, when staff returned to work. It was reported to law enforcement and an inventory was conducted to determine which items had been stolen. They included a safe containing patient payments, billing information, and laptop computers. The laptop computers were encrypted, so data on those devices cannot be accessed, nor can they be used to access the network. If the intruder attempts to pawn any of the stolen items, the Gallatin County Sheriff’s Department will be notified.

There were locked filing cabinets in the office that contained hard copies of patient records. Lone Peak Physical Therapy said none of the hard copies appear to have been removed, but it is not possible to tell if any of those files were viewed. The files contained the records of 5,809 patients and out of an abundance of caution, those individuals have been offered complimentary credit monitoring services.

“Lone Peak apologizes for the stress and worry this situation may have caused its patients and is taking appropriate measures to avoid an incident of this nature from happening in the future.”

First Choice Dental Alerts Patients About the Potential Exposure of their PHI

First Choice Dental, the operator of 11 clinics in Madison and Dane County, WI, has recently reported a 1,000-record data breach to the Office for Civil Rights. Since this is an interim notification, that figure may be amended up or down pending the completion of its investigation.

According to its notification letters, unauthorized network activity was detected on October 22, 2023. A third-party cybersecurity firm was engaged to investigate the breach and determined that an unauthorized third party had accessed its network. The investigation into the incident is ongoing and the data exposed is still being analyzed. Formal data breach notifications will be mailed to the affected individuals when the investigation and file review is completed and it has been determined exactly what types of data have been exposed. In the interim, out of full transparency, patients have been informed about the cyberattack via a website notice.

First Choice Dental took prompt action to block any further access to its network and has implemented several additional safeguards to better protect patient data. They include an XDR/EDR solution on all PC and server endpoints, immutable off-site backups of critical servers and site servers, full password resets for admin accounts, removal of unnecessary admin accounts, patching of the vulnerability exploited by the ESXiArgs ransomware campaign in its VMware vSphere environment, and the implementation of a fine-grained AD password policy for all users. First Choice Dental is also replacing its multifactor authentication and firewall and has disabled remote access until the implementation is complete.

Credit should be given to First Choice Dental for the transparency about the data breach and for providing a detailed interim notification to patients.

Former Executive Sentenced to Probation for HIPAA Violation

Mark Kevin Robison, a former vice president of Commonwealth Health Corporation (now Med Center Health) in Kentucky, has been sentenced to 2 years’ probation and ordered to pay $140,000 in restitution after reaching a plea agreement with federal prosecutors over a HIPAA violation.

Robison pled guilty to knowingly disclosing the protected health information of patients of Commonwealth Health Corporation (CHC) under false pretenses to an unauthorized third party between 2014 and 2015. Robison did not have authorization from the patients concerned nor from CHC to disclose the records.

While Vice President of CHC, Robison hired Randy Dobson as a patient account collection vendor for CHC. In March 2011, Robison and Dobson set up a corporation – OPTA LLC – in Kentucky. The pair were the only registered members and Robison was the registered agent. Dobson was developing a software solution and together the pair hoped to market the software to healthcare companies.

OPTA Kentucky was dissolved in 2014, and Delaware OPTA was incorporated the same year with Dobson listed as the sole owner. Delaware OPTA continued to develop the same software, and Robison hoped to share in the profits from the sale of the software when he left CHC. In 2014, Robison instructed the CHC IT department to share patient data with Dobson to test the software. The disclosures occurred between 2014 and 2015 without authorization from CHC or the patients concerned.

CHC learned of the relationship between Robison and Dobson, Robison was fired by CHC in December 2016, and the HIPAA violation was reported to law enforcement. Dobson is not believed to have disclosed the patient data to any other individuals and only used the data to test the software. While patients appear not to have suffered any harm, the potential penalty for the violation was severe.

Robison faced a maximum penalty of five years imprisonment and a fine of up to $100,000 for the HIPAA violation. Robison pled guilty to one count of impermissibly disclosing protected health information in a plea deal that saw him avoid jail and instead be placed on probation for 2 years. Robison was also ordered to pay CHC $140,000 in restitution. Half of that amount has already been paid and Robison intends to pay the remainder by the end of January.

Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment

New York Attorney General Letitia James has announced that an agreement has been reached with Refuah Health Center Inc. to resolve allegations it failed to maintain reasonable and appropriate cybersecurity controls to protect and limit access to sensitive patient data stored on its network. Under the terms of the agreement, Refuah Health Center has agreed to invest $1.2 million in cybersecurity and will pay $450,000 in penalties and costs.

The NY AG launched an investigation of Refuah Health Center after being notified about a May 2021 ransomware attack that compromised the personal and protected health information of 260,740 individuals, including 175,077 New Yorkers. The Lorenz ransomware group gained access to internal systems in late May 2021, initially compromising a system that was used for viewing videos from internal cameras monitoring its facilities. That system was only protected with a four-digit code.

The attackers stole administrator credentials that were used by a former IT vendor to remotely access the network. The credentials had not been changed for 11 years and had not been deleted or disabled, even though they had not been used by the IT vendor in 7 years. The account did not have multifactor authentication enabled. The credentials allowed access to a large number of files containing patient information that had not been encrypted at the file level.
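The dormant vendor admin credential described above (and the “removal of unnecessary admin accounts” that First Choice Dental reported earlier on this page) is exactly what a periodic privileged-account audit is meant to catch. The PowerShell below is an added example, not code from the HIPAA Journal post or from either organization; it assumes the ActiveDirectory module is available, that Domain Admins, Enterprise Admins and Administrators are the privileged groups of interest, and the age thresholds shown.

```powershell
# Added example: find enabled privileged accounts whose password has not been
# rotated, or that have not logged on, within policy limits. Group names and
# thresholds are assumptions; adjust them to the organization's policy.
Import-Module ActiveDirectory

$PasswordAgeLimitDays = 365   # assumption: privileged passwords rotate at least yearly
$InactiveLimitDays    = 90    # assumption: a privileged account idle 90+ days is dormant
$PrivilegedGroups     = @('Domain Admins', 'Enterprise Admins', 'Administrators')

$now = Get-Date
$report = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so a vendor account tucked into a
    # sub-group still shows up under the privileged group that grants it rights.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordLastSet, LastLogonDate, Enabled, Description |
        ForEach-Object {
            # PasswordLastSet / LastLogonDate are $null when never set or never used
            $pwAge = if ($_.PasswordLastSet) { ($now - $_.PasswordLastSet).Days } else { $null }
            $idle  = if ($_.LastLogonDate)   { ($now - $_.LastLogonDate).Days }   else { $null }

            $needsReview = $_.Enabled -and (
                ($null -eq $pwAge) -or ($pwAge -gt $PasswordAgeLimitDays) -or
                ($null -eq $idle)  -or ($idle  -gt $InactiveLimitDays))

            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                PasswordAgeDays = $pwAge
                DaysSinceLogon  = $idle
                Description     = $_.Description
                Finding         = if ($needsReview) { 'REVIEW: disable or rotate' } else { 'ok' }
            }
        }
}

# Oldest passwords first: an 11-year-old, 7-years-idle account lands at the top.
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# Follow-up for each finding: Disable-ADAccount for accounts nobody can vouch for,
# rotate the rest, and bind a fine-grained password policy to the privileged group:
# New-ADFineGrainedPasswordPolicy -Name 'PrivilegedAccounts' -Precedence 10 `
#     -MinPasswordLength 20 -MaxPasswordAge '365.00:00:00' -ComplexityEnabled $true `
#     -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
# Add-ADFineGrainedPasswordPolicySubject -Identity 'PrivilegedAccounts' -Subjects 'Domain Admins'
```

Running this on a schedule and keeping the output is also the kind of “regular review of information system activity” the NY AG faulted Refuah for lacking.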

The Lorenz group exfiltrated data and encrypted files with ransomware. They contacted Refuah and issued a ransom demand and provided proof of data theft, including a list of files that were copied and a screenshot of patient data consistent with a database associated with Refuah’s dental practice. The third-party forensic investigation concentrated on the files that were stored on the shared network space but Refuah did not investigate to determine whether the database had been accessed, even though the attackers provided a screenshot of that database that displayed the records of 34 patients.

Refuah completed its analysis of the files on March 2, 2022, then mailed notification letters on April 29, 2022. The data compromised in the attack included patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account numbers, and health insurance policy numbers.

Multiple HIPAA Security Rule Failures Identified

The NY AG looked at the administrative and technical safeguards that had been implemented and identified widespread noncompliance with the HIPAA Security Rule. Refuah Health Center had not conducted a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information since March 2017, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) and (B), and had not addressed vulnerabilities that were identified in that risk analysis in the four years since it was conducted, in violation of § 164.306(a).

There were insufficient policies and procedures to prevent, detect, contain, and correct security violations, in violation of § 164.308(a)(1)(i), a lack of policies and procedures authorizing access to ePHI in violation of § 164.308(a)(4)(i), and no procedures for regularly reviewing logs of information system activity, in violation of § 164.308(a)(1)(ii)(D).

Policies and procedures for granting right of access based on access authorization policies were not present, in violation of § 164.308(a)(4)(ii)(B) and (C), there were no procedures for monitoring log-in attempts and reporting discrepancies nor procedures for creating, changing, and safeguarding passwords, in violation of § 164.308(a)(5)(ii)(C) and (D), and insufficient policies and procedures to address security incidents, and identifying and responding to suspected or known security incidents, in violation of § 164.308(a)(6)(i) and (ii).

Further, there were insufficient periodic technical and nontechnical evaluations of security policies and procedures (§ 164.308(a)(8)), insufficient technical policies and procedures for systems that maintain ePHI to allow access to persons granted access rights and no mechanism to encrypt ePHI (§ 164.312(a)(1) and (2)(iv)), insufficient controls for recording and examining activity in systems that contain or use ePHI (§ 164.312(b)), and insufficient verification of persons seeking access to ePHI to ensure they are who they claim to be (§ 164.312(d)).

The NY AG also determined there had been two violations of New York General Business Law, which requires the implementation and maintenance of reasonable safeguards to protect consumer information (§ 899-bb), and the disclosure of a data breach in the most expedient time possible and without unreasonable delay (§ 899-aa). The latter was also determined to be a violation of the HIPAA Breach Notification Rule (§ 164.404).

The agreement with the NY AG includes the requirement to invest $1.2 million in cybersecurity and make substantial improvements to its information security program, data retention policies, and incident response policies and procedures. Refuah is also required to issue notifications to all individuals whose data was compromised within 90 days.

“New Yorkers should receive medical care and trust that their personal and health information is safe,” said Attorney General James. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”
