HIPAA Breach News

4 More U.S. Healthcare Providers Discover Email Account Breaches

Alameda Health System (AHS), an Alameda, CA-based provider of emergency, inpatient, outpatient, and wellness services in the East Bay area, has discovered an unauthorized individual temporarily gained access to the email account of an employee.

AHS learned that the account was accessed for a brief period on April 8, 2020. The breach was discovered by AHS on June 17, 2020.

Assisted by a leading forensic security firm, AHS determined that the following types of information were potentially compromised: names, dates of birth, medical record numbers, appointment dates, limited medical information, health insurance information, Social Security numbers and driver’s license numbers.

AHS and the forensic investigators found no evidence to suggest any information was stolen or misused for the purpose of committing identity theft or fraud, but as a precaution, individuals whose Social Security number was potentially compromised have been offered complimentary membership to credit monitoring and identity theft protection services.

The breach report submitted to the HHS’ Office for Civil Rights shows 2,691 individuals were affected by the breach.

EyeMed Vision Care Suffers Email Account Breach

Ohio-based EyeMed Vision Care LLC, a vision benefits company, has discovered an unauthorized individual gained access to a corporate email mailbox and used it to send phishing emails to individuals in the address book. The breach was discovered on July 1, 2020 and the account was immediately secured.

An investigation into the breach confirmed access to the email account was gained on June 24, 2020. A review of the email account revealed it contained the electronic protected health information of individuals who currently or have previously received vision benefits through EyeMed. Information in the email account included names, addresses, dates of birth, phone numbers, email addresses, and vision insurance account/identification numbers and, for a limited number of individuals, diagnoses and eye conditions, treatment information, and full or partial Social Security numbers.

It was not possible to determine whether any of the information was viewed or obtained during the time the account was accessible, but no reports have been received to suggest any information has been misused. Affected individuals have been offered a 2-year complimentary membership to credit monitoring and identity protection services.

EyeMed has since provided additional security awareness training to the workforce and has implemented further security measures for authorized access to its network.

Century Specialty Script Alerts Customers about Email Security Breach

The New York specialty pharmacy, Century Specialty Script, LLC, has discovered the Office 365 account of one of its employees has been accessed by an unauthorized individual. The breach was detected on or around July 28, 2020 and the account was immediately secured.

A forensic investigation firm was retained to investigate the breach and confirmed that the attacker only gained access to a single Office 365 account, and the breach was limited to the Office 365 environment. As a precaution, the passwords for all Office 365 accounts were changed.

The email account was found to contain the following data elements: names, dates of birth, addresses, contact information, prescription information, and insurance information. The forensic investigation firm was unable to determine whether any information in the account was obtained by the attacker.

Century Specialty Script has since taken steps to strengthen email security to prevent similar breaches in the future.

Stark Summit Ambulance Suffers Multi-Email Account Breach

Stark Summit Ambulance, a provider of emergency and non-emergency medical transportation services in Northeast and Central Ohio, identified suspicious activity in an email account on May 28, 2020. While investigating the breach over the following two months it was discovered that several more email accounts had been compromised.

An analysis of the compromised accounts revealed 6 contained electronic protected health information which may have been viewed or obtained by the individual(s) behind the attack.

The information in the accounts varied from individual to individual and may have included patients names along with one or more of the following data types: Social Security number, driver’s license number, state ID number, passport number, medical diagnosis, medical treatment information, treatment type, treatment location, clinical information, mental or physical condition, health care provider/doctor name, date of service, medical history information, health insurance information, Medicare/Medicaid number, other health care payment/cost information, prescription information, checking or savings account, credit or debit card number, or personal identification code.

The post 4 More U.S. Healthcare Providers Discover Email Account Breaches appeared first on HIPAA Journal.

MU Health Care Phishing Attack Impacts 5,000 Patients

MU Health Care in Missouri has experienced a phishing attack that saw several employee email accounts compromised between May 4 and May 6, 2020. An investigation into the breach revealed the compromised email accounts contained patient information including names, account numbers, dates of birth, health insurance information, Social Security numbers, and driver’s license numbers.

MU Health Care has notified all patients affected by the attack and has offered them complimentary credit monitoring services. No reports have been received that suggest any patient information has been misused.

The compromised email accounts contained the protected health information of 5,074 patients.

Data Leaked Following University Hospital SunCrypt Ransomware Attack

University Hospital, a teaching hospital in Newark, NJ, has experienced a ransomware attack involving SunCrypt ransomware. The attack occurred in September 2020. Prior to the use of ransomware, the attackers exfiltrated around 48,000 documents, some of which were published on the ransomware operator’s data leak site.

It is unclear at this stage how many patients have been affected by the breach, but the leaked data did include some patient data, including names, dates of birth, Social Security numbers, driver’s license numbers, and other data.

The attack appears to have started with a phishing email that resulted in the TrickBot Trojan being downloaded. SunCrypt ransomware was delivered as a secondary payload.

PHI of 4,806 Patients Potentially Compromised in UCare Minnesota Phishing Attack

The non-profit health plan, UCare Minnesota, has experienced a phishing attack involving several employee email accounts. An investigation was launched into a suspected breach when suspicious network activity was detected in April 2020. On May 4, 2020, UCare Minnesota determined certain email accounts had been accessed by an unauthorized individual. The email accounts were immediately secured and were subjected to a review to determine whether member information had been accessed.

UCare Minnesota learned on September 1, 2020 that the email accounts contained the personal and protected health information of 4,806 individuals, including names, birth dates, healthcare provider names, diagnosis information, and health insurance ID numbers.

No evidence was found to suggest any information was exfiltrated or misused by the individuals responsible for the attack. UCare Minnesota has since re-educated employees on phishing attacks and has bolstered email security.

Nebraska Medicine Suffers Cyberattack

Nebraska Medicine has announced it has suffered a cyberattack that took its computer systems out of action. The attack occurred on Sunday, September 20, 2020, resulting in an outage that caused “significant information technology system downtime.”

Without access to critical IT systems, Nebraska Medicine was forced to postpone appointments for patients who were due to have elective procedures or had other non-emergent health concerns. Nebraska Medicine issued a statement on September 24 saying normal operations would resume “in days”. The emergency room remained open and no ER patients were diverted to alternate facilities.

It is unclear whether patient records were accessed or stolen in the attack, but Nebraska Medicine confirmed that no patient records were deleted or destroyed and that all patient data could be recovered from backups.


Universal Health Services Ransomware Attack Cripples IT Systems Across United States

Universal Health Services (UHS), a King of Prussia, PA-based health system with more than 400 healthcare facilities in the United States and UK, has suffered a major security breach that has seen its IT systems crippled.

The Fortune 500 healthcare provider has more than 90,000 employees and serves around 3.5 million patients each year. According to a statement published on its website, the company “experienced an information technology security incident in the early morning hours of September 27, 2020.” Upon discovery of the breach, UHS “suspended user access to its information technology applications related to operations located in the United States.”

UHS has implemented information security and emergency protocols and is working closely with its security partners to mitigate the attack and restore its IT operations as quickly as possible. The cyberattack crippled its IT systems, leaving affected hospitals without access to their computer and phone systems. UK facilities were unaffected by the attack.

The attack forced UHS to redirect ambulances to other healthcare providers and patients in need of surgery have been relocated to other nearby hospitals. The notice on the UHS website now says, “While this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”

UHS President Marc Miller issued a statement on Monday saying UHS took its systems offline on Sunday in an attempt to contain a malware attack. Those systems were used by approximately 250 U.S. healthcare facilities and included medical record systems and those used by laboratories and pharmacies across the country.

Marc Miller did not provide any details about the nature of the malware, but several individuals who claim to work for UHS have provided information about the attack that strongly suggests ransomware was involved. According to BleepingComputer, which was contacted by an employee of UHS, prior to systems being shut down, files were being renamed and had the .ryk extension added, which is used by Ryuk ransomware.

Several other employees have reported seeing a ransom note on their computers containing the text “Shadow of the Universe,” which is associated with Ryuk ransom notes.
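The .ryk extension and the “Shadow of the Universe” note text reported above are the kind of indicators a detection engineer turns into an alert before the whole share is encrypted. The following is an added example, not code from HIPAA Journal, UHS or BleepingComputer: it flags a burst of renames to .ryk on a single host in file-share audit events and checks file text for the note string. The pipe-separated log format (timestamp, host, event, path, new path), the 60-second window, the 20-file threshold, the hostnames and the events themselves are constructed assumptions.

```python
"""Ransomware encryption-burst detector over file-share audit events.

Added example, not HIPAA Journal's, UHS's or BleepingComputer's code. The
'.ryk' extension and the 'Shadow of the Universe' note text are the indicators
quoted in the article; the log format, window, threshold, hosts and events are
constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXT = ".ryk"                          # extension Ryuk appends (from the article)
RANSOM_NOTE_TEXT = "shadow of the universe"  # ransom-note string (from the article)
WINDOW = timedelta(seconds=60)               # assumed sliding window
THRESHOLD = 20                               # assumed: renames to .ryk per host per window


def parse_event(line):
    """Parse one assumed audit line: 'ISO-timestamp|host|event|path|new_path'."""
    ts, host, event, path, new_path = (line.rstrip("\n").split("|") + [""])[:5]
    return datetime.fromisoformat(ts), host, event, path, new_path


def detect_encryption_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {host: (first_ts, trigger_ts, count)} for every host on which at
    least `threshold` files were renamed to RANSOM_EXT inside one `window`.
    A host is reported once, at the event that crosses the threshold."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    recent = defaultdict(deque)  # host -> timestamps of recent .ryk renames
    alerts = {}
    for ts, host, event, _path, new_path in events:
        if event != "RENAME" or not new_path.lower().endswith(RANSOM_EXT):
            continue
        window_ts = recent[host]
        window_ts.append(ts)
        while ts - window_ts[0] > window:   # drop renames older than the window
            window_ts.popleft()
        if len(window_ts) >= threshold and host not in alerts:
            alerts[host] = (window_ts[0], ts, len(window_ts))
    return alerts


def is_ransom_note(text):
    """True if a file body contains the note string UHS staff reported seeing."""
    return RANSOM_NOTE_TEXT in text.lower()


def build_sample_events():
    """Constructed audit log: ws-014 renames 25 files in 48 s (encryption in
    progress); ws-022 does ordinary renames spread over ten minutes."""
    base = datetime(2020, 9, 27, 2, 14, 0)
    lines = []
    for i in range(25):
        ts = base + timedelta(seconds=2 * i)
        src = f"/shares/lab/result_{i:03d}.pdf"
        lines.append(f"{ts.isoformat()}|ws-014|RENAME|{src}|{src}{RANSOM_EXT}")
    for i in range(5):
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()}|ws-022|RENAME|/shares/hr/draft{i}.docx|/shares/hr/final{i}.docx")
    lines.append(f"{base.isoformat()}|ws-022|WRITE|/shares/hr/notes.txt")
    return lines


if __name__ == "__main__":
    for host, (first, last, n) in detect_encryption_bursts(build_sample_events()).items():
        print(f"ALERT {host}: {n} files renamed to {RANSOM_EXT} "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

In a real environment the events would come from file-server auditing or an EDR, and the response hook would isolate the host and disable the account doing the renaming; the threshold is deliberately low because a single workstation renaming twenty files to the same unfamiliar extension in a minute has almost no benign explanation.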

Ryuk ransomware is often deployed as a secondary payload by the TrickBot Trojan, with TrickBot delivered by the Emotet Trojan. Emotet infections commonly start with a phishing email. According to Vitali Kremez of Advanced Intel, their Andariel platform detected multiple Emotet and TrickBot infections at UHS throughout 2020, with the latest detection in September.

The Ryuk ransomware operators are known to exfiltrate data prior to the use of ransomware; however, UHS says on its website that “no patient or employee data appears to have been accessed, copied or otherwise compromised in the attack.”


OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during the investigation of a 2014 data breach involving the electronic protected health information of 10.4 million individuals.

Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest and serves more than 2 million individuals in Washington and Alaska. In May 2014, an advanced persistent threat group gained access to Premera’s computer system, where they remained undetected for almost 9 months. The hackers targeted the health plan with a spear phishing email that installed malware. The malware gave the APT group access to ePHI such as names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.

The breach was discovered by Premera Blue Cross in January 2015 and OCR was notified about the breach in March 2015. OCR launched an investigation into the breach and discovered “systemic noncompliance” with the HIPAA Rules.

OCR determined that Premera Blue Cross had failed to:

  • Conduct a comprehensive and accurate risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Implement sufficient hardware, software, and procedural mechanisms to record and analyze activity related to information systems containing ePHI, prior to March 8, 2015.
  • Prevent unauthorized access to the ePHI of 10,466,692 individuals.

Due to the nature of the HIPAA violations and scale of the breach, OCR determined a financial penalty was appropriate. Premera Blue Cross agreed to settle the HIPAA violation case with no admission of liability. In addition to the financial penalty, Premera Blue Cross has agreed to adopt a robust corrective action plan to address all areas of noncompliance discovered during the OCR investigation. Premera Blue Cross will also be closely monitored by OCR for two years to ensure compliance with the CAP.

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR Director.

“We are pleased to have reached an agreement with the federal Office for Civil Rights to resolve legal inquiries into the 2014 cyberattack on our data network,” said Premera Blue Cross in a statement. “The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information.”

Last year, Premera Blue Cross agreed to pay $10 million to settle a multistate action over the breach. The health plan had been investigated by 30 state attorneys general, who determined Premera Blue Cross had not met its obligations under HIPAA and Washington’s Consumer Protection Act. In 2019, Premera Blue Cross also agreed to a $74 million settlement of a lawsuit filed on behalf of individuals whose ePHI was exposed in the breach.

The latest penalty is the second largest HIPAA penalty imposed on a covered entity or business associate by OCR to resolve HIPAA violations, behind the $16 million financial penalty imposed on Anthem Inc. over its 2015 data breach involving the ePHI of 79 million individuals.

The fine is the 11th HIPAA violation penalty to be announced by OCR in 2020 and the 8th to be announced this month. So far in 2020, OCR has been paid $10,786,500 to resolve HIPAA violations discovered during investigations of data breaches and HIPAA complaints.


Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days.

The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals.

CHSPSC LLC is a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed CHSPSC’s information systems via its virtual private network (VPN) solution. CHSPSC failed to detect the intrusion and was notified by the Federal Bureau of Investigation on April 18, 2014 that its systems had been compromised.

During the time the hackers had access to CHSPSC systems, the ePHI of 6,121,158 individuals was exfiltrated. The data had been provided to CHSPSC through 237 covered entities that used CHSPSC’s services. The types of information stolen in the attack included the following data elements: name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.

OCR launched an investigation into the breach and uncovered systemic noncompliance with the HIPAA Security Rule. While it may not always be possible to prevent cyberattacks by sophisticated threat actors, when an intrusion is detected action must be taken quickly to limit the harm caused. Despite being notified by the FBI in April 2014 that its systems had been compromised, the hackers remained active in its systems for 4 months, finally being eradicated in August 2014. During that time, CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the hackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014 and mitigate harmful effects of the security breach, document the breach, and its outcome, was in violation of 45 C.F.R.§164.308(a)(6)(ii).

OCR investigators found CHSPSC had failed to conduct an accurate and thorough security risk analysis to identify the risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures permitting access to information systems containing ePHI maintained by CHSPSC only by authorized individuals and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures had not been implemented to ensure information system activity records such as logs and system security incident tracking reports were regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

“The health care industry is a known target for hackers and cyberthieves.  The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino. A sizeable financial penalty was therefore appropriate.

CHSPSC chose not to contest the case and agreed to pay the financial penalty and settled with OCR. The settlement also requires CHSPSC to adopt a robust and extensive corrective action plan to address all areas of noncompliance, and CHSPSC will be closely monitored by OCR for 2 years.


Montefiore Medical Center and Geisinger Fire Employees for Improper PHI Access

Montefiore Medical Center in Bronx, NY has fired an employee over the alleged theft of the protected health information of approximately 4,000 patients. Montefiore became aware of a potential internal data breach in July 2020 and launched an investigation into unauthorized medical record access.

Montefiore had implemented a technology solution that monitors EHRs for inappropriate access, which identified the employee. The investigation confirmed that the employee had accessed medical records without any legitimate work reason between January 2018 and July 2020.

Accessing the medical records of patients when there is no legitimate reason for doing so is a violation of HIPAA and hospital policies. Montefiore said criminal background checks are performed on all employees prior to being given a position at the medical center and Montefiore provides HIPAA training to all employees. The employee in question had received significant privacy and security training but had chosen to violate internal policies and HIPAA Rules.

The investigation into the breach is ongoing and the matter has been reported to NYPD, which has launched a criminal investigation.

“Montefiore deeply regrets this incident and will not tolerate any violation of patient privacy,” said a spokesperson for the medical center. “In support of all HIPAA guidance and laws, we view this activity to be criminal in nature and are fully cooperating with law enforcement as the case moves forward.”

The types of information accessed by the former employee included names, addresses, dates of birth, and Social Security numbers. Affected patients have been offered complimentary identity theft protection services for 12 months and are protected against financial loss by a $1,000,000 identity theft insurance policy.

Montefiore Medical Center is now expanding its monitoring capabilities and employee training programs.

Geisinger Fires Employee for Unauthorized Medical Record Access

Geisinger has fired an employee for improper medical record access. A member of the workforce alerted the Geisinger Privacy Office about an employee who was suspected of accessing the medical records of patients when there was no legitimate work reason for doing so.

The report was received on June 3, 2020 and an investigation into unauthorized access was immediately launched. The investigation was concluded on September 8, 2020. The employee in question worked at a Geisinger Clinic and was authorized to access patient records, but the investigation revealed the records of around 700 patients had been accessed without any work reason for doing so. The unauthorized access started in June 2019 and continued until June 2020.

The types of information that could be viewed included names, dates of birth, medical record numbers, dates of service, social security numbers, addresses, phone numbers, medical conditions, diagnoses, medications, treatment information and other clinical notes. A review of the employee’s network activity uncovered no evidence to suggest information had been stolen but, out of an abundance of caution, all affected patients have been offered complimentary credit monitoring and identity theft protection services.

“At Geisinger, protecting our patients’ and members’ privacy is of the utmost importance and we are constantly working on safeguards and protocols to identify incidents such as these so we can prevent such occurrences in the future,” said Geisinger Chief Privacy Officer, Jonathan Friesen.
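Both cases above were caught by reviewing who opened which record: Montefiore’s EHR monitoring flagged the employee, and Geisinger’s investigation reviewed the employee’s access history. The following is an added example, not Montefiore’s or Geisinger’s monitoring tool, of the core check such a review performs: every record access is joined against the documented care relationships (encounters, scheduling, care-team assignment) and a user whose unexplained accesses cover many patients over a sustained period is flagged for the privacy office. The pipe-separated audit-log format, the source of the relationship table, the thresholds, and the users and patients in the sample are constructed assumptions.

```python
"""EHR access-pattern review for insider snooping.

Added example, not Montefiore's or Geisinger's monitoring tool. It assumes an
audit log of 'ISO-timestamp|user|patient_id|action' lines and a set of
(user, patient_id) care relationships derived from encounters or scheduling;
the thresholds, users and patients below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_UNEXPLAINED_PATIENTS = 10  # assumed: distinct patients viewed with no care relationship
MIN_SPAN_DAYS = 30             # assumed: a one-off cover shift is not snooping; a year of it is


def parse_access(line):
    """Parse one assumed audit line: 'ISO-timestamp|user|patient_id|action'."""
    ts, user, patient, action = line.rstrip("\n").split("|")
    return datetime.fromisoformat(ts), user, patient, action


def find_snooping(access_lines, care_relationships,
                  min_patients=MIN_UNEXPLAINED_PATIENTS, min_span_days=MIN_SPAN_DAYS):
    """Return {user: summary} for users who repeatedly open records of patients
    they have no documented relationship with, over a sustained period.
    `care_relationships` is a set of (user, patient_id) pairs."""
    per_user = defaultdict(lambda: {"patients": set(), "accesses": 0,
                                    "first": None, "last": None})
    for ts, user, patient, _action in map(parse_access, access_lines):
        if (user, patient) in care_relationships:
            continue  # explained by an encounter or assignment
        s = per_user[user]
        s["patients"].add(patient)
        s["accesses"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    flagged = {}
    for user, s in per_user.items():
        span_days = (s["last"] - s["first"]).days
        if len(s["patients"]) >= min_patients and span_days >= min_span_days:
            flagged[user] = {"patients": len(s["patients"]), "accesses": s["accesses"],
                             "first": s["first"], "last": s["last"], "span_days": span_days}
    return flagged


def build_sample_data():
    """Constructed data: rn_12 views only assigned patients plus two cover-shift
    lookups; clerk07 opens 30 unrelated records over roughly three months."""
    base = datetime(2020, 1, 6, 8, 0)
    relationships = set()
    lines = []
    for i in range(20):
        pid = f"P{100 + i}"
        relationships.add(("rn_12", pid))
        for k in range(2):
            ts = base + timedelta(days=i, hours=k)
            lines.append(f"{ts.isoformat()}|rn_12|{pid}|VIEW")
    for i, pid in enumerate(["P300", "P301"]):
        ts = base + timedelta(days=3 + i)
        lines.append(f"{ts.isoformat()}|rn_12|{pid}|VIEW")
    for i in range(30):
        ts = base + timedelta(days=3 * i, minutes=i)
        lines.append(f"{ts.isoformat()}|clerk07|P{500 + i}|VIEW")
    return lines, relationships


if __name__ == "__main__":
    lines, relationships = build_sample_data()
    for user, s in find_snooping(lines, relationships).items():
        print(f"REVIEW {user}: {s['patients']} unrelated patients, {s['accesses']} accesses, "
              f"{s['first']:%Y-%m-%d} to {s['last']:%Y-%m-%d} ({s['span_days']} days)")
```

The relationship join is the part that does the work; the thresholds only keep legitimate cover shifts and front-desk lookups out of the review queue. A production version would also exclude accesses with a recorded break-the-glass reason and treat lookups of co-workers, family members or public figures as a separate, lower-threshold rule.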


August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average.

The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size was 58,572 records and the median breach size was 3,736 records.


Largest Healthcare Data Breaches Reported in August 2020


Name of Covered Entity            | Covered Entity Type | Individuals Affected | Type of Breach                 | Location of Breached PHI | Incident
----------------------------------|---------------------|----------------------|--------------------------------|--------------------------|----------------------------
Northern Light Health             | Business Associate  | 657,392              | Hacking/IT Incident            | Network Server, Other    | Blackbaud ransomware attack
Saint Luke’s Foundation           | Healthcare Provider | 360,212              | Hacking/IT Incident            | Network Server           | Blackbaud ransomware attack
Assured Imaging                   | Healthcare Provider | 244,813              | Hacking/IT Incident            | Network Server           | Ransomware attack
MultiCare Health System           | Healthcare Provider | 179,189              | Hacking/IT Incident            | Network Server           | Blackbaud ransomware attack
Imperium Health LLC               | Business Associate  | 139,114              | Hacking/IT Incident            | Email                    | Phishing attack
University of Florida Health      | Healthcare Provider | 135,959              | Hacking/IT Incident            | Network Server           | Blackbaud ransomware attack
Utah Pathology Services, Inc.     | Healthcare Provider | 112,124              | Hacking/IT Incident            | Email                    | Phishing attack
Dynasplint Systems, Inc.          | Healthcare Provider | 102,800              | Hacking/IT Incident            | Network Server           | Ransomware attack
Main Line Health                  | Healthcare Provider | 60,595               | Hacking/IT Incident            | Network Server           | Blackbaud ransomware attack
Northwestern Memorial HealthCare  | Healthcare Provider | 55,983               | Hacking/IT Incident            | Network Server           | Blackbaud ransomware attack
Richard J. Caron Foundation       | Healthcare Provider | 22,718               | Hacking/IT Incident            | Network Server           | Blackbaud ransomware attack
UT Southwestern Medical Center    | Healthcare Provider | 15,958               | Unauthorized Access/Disclosure | Other                    | Unconfirmed
City of Lafayette Fire Department | Healthcare Provider | 15,000               | Hacking/IT Incident            | Network Server           | Ransomware attack
Hamilton Health Center, Inc.      | Healthcare Provider | 10,393               | Unauthorized Access/Disclosure | Email                    | Misdirected Email


Causes of August 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, with the 24 reported incidents making up 64.9% of the month’s data breaches. 2,127,070 records were compromised in those breaches, which is 98.15% of all records breached in August. The average breach size was 88,628 records and the median breach size was 11,550 records.

There were 8 unauthorized access/disclosure incidents involving 32,205 records. The average breach size was 4,026 records and the median breach size was 992 records. There were 5 loss (2) and theft (3) incidents reported. The average breach size was 1,581 records and the median breach size was 1,768 records.

While phishing attacks usually dominate the healthcare data breach reports, in August, attacks on network servers were more common. The increase in network server attacks is largely due to ransomware attacks, notably, an attack on Blackbaud, a business associate of many healthcare organizations in the United States. Blackbaud offers a range of services to healthcare providers, including patient engagement and digital data storage related to donors and philanthropy.

Between February 7, 2020 and May 20, 2020, hackers had access to Blackbaud’s systems and obtained backups of several of its clients’ databases before deploying ransomware. Blackbaud paid the ransom to ensure data stolen in the attack were destroyed.

Only a small percentage of its clients were affected by the attack, but so far at least 52 healthcare organizations have confirmed that their donor data were compromised. Figures are available for 17 of those organizations and, so far, more than 3 million individuals are known to have been affected. That number is likely to grow significantly over the next few weeks as the deadline for reporting the breach approaches.

There were also two major phishing incidents reported in August. Imperium Health suffered an attack in which the records of 139,114 individuals were potentially compromised, and Utah Pathology Services suffered an attack involving the records of 112,124 individuals.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 24 data breaches reported in August. Three breaches were reported by health plans and five breaches were reported by business associates; however, a further 9 breaches had some business associate involvement.

States Affected by August 2020 Data Breaches

Data breaches were reported by entities in 24 states in August. Pennsylvania was the worst affected state with 6 breaches of 500 or more healthcare records, followed by Kentucky with 4, Texas with 3, and Arizona, Ohio, and Washington with 2.  One breach was reported in each of Arkansas, California, Colorado, Connecticut, Florida, Iowa, Idaho, Illinois, Indiana, Maryland, Maine, Michigan, Missouri, New York, Oklahoma, South Carolina, Utah, and Wisconsin.

HIPAA Enforcement Activity in August 2020

There were no HIPAA enforcement actions announced in August by either the HHS Office for Civil Rights or state attorneys general.


Systemic Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic

The HHS’ Office for Civil Rights has announced a settlement has been reached with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR conducted an investigation into a data breach reported by the Athens, GA-based healthcare provider on July 29, 2016. Athens Orthopedic Clinic had been notified by Dissent of Databreaches.net on June 26, 2016 that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients had been listed for sale online by a hacking group known as The Dark Overlord. The hackers are known for infiltrating systems, stealing data, and issuing ransom demands, payment of which is demanded to prevent the publication or sale of the data.

Athens Orthopedic Clinic investigated the breach and determined that the hackers gained access to its systems on June 14, 2016 using vendor credentials and exfiltrated data from its EHR system. The records of 208,557 patients were stolen in the attack, including names, dates of birth, Social Security numbers, procedures performed, test results, clinical information, billing information, and health insurance details.

OCR accepts that it is not possible to prevent all cyberattacks, but when data breaches occur as a result of the failure to comply with the HIPAA Rules, financial penalties are appropriate.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.

The OCR investigation into the breach revealed systemic noncompliance with the HIPAA Rules. Athens Orthopedic Clinic had not conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Security measures had not been implemented to reduce the potential risks to ePHI to a reasonable and appropriate level, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B).

From September 30, 2015 to December 15, 2016, Athens Orthopedic Clinic failed to implement appropriate hardware, software, and procedures for recording and analyzing information system activity, in violation of 45 C.F.R. § 164.312(b).

Athens Orthopedic Clinic did not maintain HIPAA policies and procedures until August 2016, in violation of 45 C.F.R. § 164.530(i) and (j), and prior to August 7, 2016, the clinic had not entered into business associate agreements with three of its vendors, in violation of 45 C.F.R. § 164.308(b)(3).

Prior to January 15, 2018, Athens Orthopedic Clinic had not provided HIPAA Privacy Rule training to the entire workforce, in violation of 45 C.F.R. § 164.530(b).

As a result of the compliance failures, Athens Orthopedic Clinic failed to prevent unauthorized access to the ePHI of 208,557 patients, in violation of 45 C.F.R. § 164.502(a).

In addition to the financial penalty, Athens Orthopedic Clinic has agreed to adopt a corrective action plan covering all aspects of noncompliance discovered during the OCR investigation. The clinic settled the case with no admission of liability.

This is the sixth HIPAA settlement to be announced by OCR in September and the ninth HIPAA penalty of 2020. Earlier this month, OCR announced five settlements had been reached with HIPAA-covered entities under its HIPAA Right of Access initiative for failing to provide patients with a copy of their health information.

The post Systemic Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic appeared first on HIPAA Journal.

HIPAA Right of Access Failures Result in Five OCR HIPAA Fines

The Department of Health and Human Services’ Office for Civil Rights has announced five settlements have been reached to resolve HIPAA violations discovered during the investigation of complaints from patients who had experienced problems obtaining a copy of their health records.

The HIPAA Privacy Rule gives individuals the right to have timely access to their health records at a reasonable cost. If an individual chooses to exercise their rights under HIPAA and submit a request for a copy of their health records, a healthcare provider must provide those records without reasonable delay and within 30 days of receiving the request.

After receiving multiple complaints from individuals who had been prevented from obtaining a copy of their health records, OCR launched its HIPAA right of access initiative in 2019 and made compliance with the HIPAA right of access one of its enforcement priorities.

Two settlements were reached with HIPAA covered entities in 2019 over HIPAA right of access failures. Bayfront Health St Petersburg and Korunda Medical, LLC were each ordered to pay a financial penalty of $85,000 to settle the case and adopt a corrective action plan to ensure that access requests were processed in a timely manner in the future.

The latest five settlements were agreed with Beth Israel Lahey Health Behavioral Services, Housing Works, Inc., All Inclusive Medical Services, Inc., King MD, and Wise Psychiatry, PC. The financial penalties ranged from $3,500 to $70,000, with OCR considering several factors when determining an appropriate penalty.

The settlements are intended to send a message to healthcare organizations that compliance with the HIPAA right of access is not optional. When complaints are received alleging non-compliance, they will be investigated, and a financial penalty may be deemed appropriate.

“Patients can’t take charge of their health care decisions, without timely access to their own medical information,” said OCR Director Roger Severino. “Today’s announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough.”

Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. In April 2019, OCR received a complaint alleging BILHBS had failed to respond to a request from a personal representative seeking a copy of her father’s medical records. The complainant requested the records in February 2019, but they had still not been provided two months later.

In response to the OCR investigation, the patient received her father’s medical records in October 2019. OCR determined there had potentially been a violation of the HIPAA Right of Access. BILHBS agreed to settle the case for $70,000 and has adopted a corrective action plan and will be monitored by OCR for one year.

Housing Works

Housing Works, Inc. is a New York City based non-profit healthcare organization that provides healthcare, homeless services, advocacy, job training, re-entry services, and legal aid support for people living with and affected by HIV/AIDS.

In June 2019, a patient requested a copy of his medical records from Housing Works, Inc. In July 2019, a complaint was filed with OCR alleging Housing Works had not provided those records. OCR investigated and provided technical assistance on the HIPAA right of access and closed the case. However, the complainant was still not provided with a copy of his medical records and filed a second complaint with OCR in August 2019.

OCR reopened the investigation and determined that the failure to provide those records was in violation of the HIPAA right of access and a financial penalty was warranted. Housing Works provided the complainant with his medical records in November 2019. The case was settled for $38,000 and Housing Works agreed to adopt a corrective action plan. OCR will monitor Housing Works for one year.

All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS) is a Carmichael, CA-based multi-specialty family medicine clinic that provides a range of services including internal medicine, pain management, and rehabilitation.

In January 2018, a patient requested a copy of her medical records, but AIMS allegedly refused to provide those records. The patient sent a complaint to OCR in April 2018 and an investigation was launched. OCR determined the failure to allow the patient to inspect and receive a copy of her medical records was in violation of the HIPAA right of access. The patient was sent a copy of her records in August 2020.

AIMS was ordered to pay OCR $15,000 to settle the case and adopt a corrective action plan. OCR will monitor AIMS for compliance for two years.

King MD

King MD is a small provider of psychiatric services in Virginia. OCR received a complaint in October 2018 from a patient who had not been provided with a copy of her medical records within two months of submitting the request. OCR contacted King MD and provided technical assistance on the HIPAA right of access; however, in February 2019, OCR received a second complaint as King MD had still not provided the patient with her medical records. Those records were finally provided in July 2020.

OCR agreed to settle the case for $3,500. King MD has adopted a corrective action plan and will be monitored by OCR for two years.

Wise Psychiatry, PC.

Wise Psychiatry is a small provider of psychiatric services in Colorado. In November 2017, a personal representative submitted a request for a copy of her minor son’s medical records. Those records had still not been provided by February 2018 and a complaint was filed with OCR. OCR investigated and provided technical assistance on the HIPAA right of access and closed the case.

A second complaint was received in October 2018 from the same individual who still had not been provided with her son’s records. Those records were finally provided in May 2019 as a result of the OCR investigation. The case was settled for $10,000 and Wise Psychiatry agreed to adopt a corrective action plan and will be monitored by OCR for one year.

The post HIPAA Right of Access Failures Result in Five OCR HIPAA Fines appeared first on HIPAA Journal.