HIPAA Breach News

Phishing Attacks Reported by University of Utah Health, Oregon DHS, and LifeSprk

The Minnesota-based senior care provider LifeSprk is notifying 9,000 of its clients that some of their protected health information was potentially compromised as a result of a November 2019 phishing attack.

On January 17, 2020, Lifesprk discovered an unauthorized individual had gained access to the email account of one of its employees. The account was immediately secured and a third-party cybersecurity firm was engaged to investigate the breach. The cybersecurity firm determined that a limited number of employee email accounts were compromised from November 5 through November 7, 2019.

For the majority of affected individuals, information in the compromised accounts was limited to names, medical record numbers, health insurance information, and some health information. Certain patients also had financial information and/or their Social Security number exposed.

The investigation into the breach is ongoing. To date, no evidence of data theft or misuse of protected health information has been found.

Affected patients started to be notified on March 17, 2020. The delay in sending notifications was due to “unprecedented actions taken in response to the Covid-19 (“Coronavirus”) pandemic.” Individuals whose Social Security number was exposed have been offered complimentary credit monitoring and identity theft protection services. Lifesprk is now enhancing email security and will reinforce education with its employees about phishing emails.

PHI of University of Utah Health Patients Has Potentially Been Compromised

University of Utah Health announced on Friday that unauthorized individuals gained access to the email accounts of a limited number of employees between January 7 and February 21, 2020 and potentially accessed patients’ protected health information.

University of Utah Health discovered on February 3, 2020 that malware had been installed on an employee’s workstation which potentially gave unauthorized individuals access to patients’ protected health information.

The information stored in the email accounts and on the affected computer was limited to names, birth dates, medical record numbers, and some clinical information related to the care provided by University of Utah Health.

Affected patients are now being notified, security procedures are being reviewed and updated, and education will be reinforced with members of the workforce.

It is currently unclear how many patients have been affected by the breach.

Oregon Department of Human Services Investigating Spear Phishing Attack

The Oregon Department of Human Services has discovered an unauthorized individual gained access to the email account of one of its employees as a result of a response to a spear phishing email.

Information technology security processes had been put in place to detect email account compromises rapidly, which has limited the potential for data theft. The email security breach was detected on March 6, 2020 and the account was immediately secured. The Oregon DHS will be seeking assistance from a third-party entity to review the incident and determine what information has been exposed and how many individuals have been affected. Those individuals will be notified in due course.

At this stage, there is no indication that any protected health information has been accessed, copied, or misused; however, out of an abundance of caution, identity theft protection services will be offered to all affected clients.

The post Phishing Attacks Reported by University of Utah Health, Oregon DHS, and LifeSprk appeared first on HIPAA Journal.

Roundup of Recent Healthcare Data Breaches

A roundup of healthcare data breaches and security incidents recently reported to the HHS’ Office for Civil Rights and by media.

Texas Network of Walk-in Clinics Attacked with Maze Ransomware

AffordaCare Urgent Care Clinic, a network of walk-in clinics in Texas, has been attacked by the Maze ransomware gang. According to a recent report on DataBreaches.net, the hackers stole 40GB of data prior to encrypting files. Some of the stolen data was published online when AffordaCare refused to pay the ransom.

The published data included patient contact details, medical histories, diagnoses, billing information, health insurance information, and employee payroll data. The information is still accessible on the Maze ransomware website.

It is currently unclear how many patients have been affected, as the breach has not yet appeared on the HHS’ Office for Civil Rights breach portal.

Tandem Diabetes Care Patients Notified About Phishing Attack

Tandem Diabetes Care, Inc. in San Diego, CA has been targeted by cybercriminals who gained access to the email accounts of a limited number of its employees between January 17, 2020 and January 20, 2020. The attack was discovered on January 17, 2020 and a cybersecurity firm was engaged to assist with the investigation.

An analysis of the compromised accounts revealed they contained patients’ names, contact information, clinical information related to diabetes care, and information about customers’ use of Tandem’s products and services. A limited number of Social Security numbers may also have been compromised.

Tandem is enhancing its email security controls, strengthening user authorization and authentication, and has changed its policies and procedures to limit the types of data that can be sent via email. Affected patients were notified about the breach on March 17, 2020.

Foundation Medicine Email Account Breach Detected

The Cambridge, MA-based provider of genomic profiling services, Foundation Medicine, has discovered the email account of an employee has been compromised as a result of a response to a phishing email.

The incident was discovered on January 14, 2020. A third-party forensics firm was engaged to conduct an investigation and determined the email account was accessible between December 17, 2019 and January 14, 2020. During that time, an unauthorized individual potentially accessed patient information in the email account which included patient names, dates of birth, ages, test names, ordering physicians’ names, and FMI ID numbers.

Foundation Medicine has notified all affected patients and additional security awareness training has been provided to the workforce.

Randleman Eye Center Suffers Ransomware Attack

Randleman Eye Center in North Carolina has experienced a ransomware attack that affected a server containing patients’ protected health information. The attack was detected on January 13, 2020 and a third-party computer forensics firm was retained to assist with the investigation.

The investigation is ongoing, but the investigators have determined patient information was encrypted in the attack and could potentially have been accessed by the attackers. The server contained names, dates of birth, genders, and digital retinal images.

Randleman Eye Center has notified affected patients and will be taking steps to improve security to prevent similar attacks in the future.

Torrance Memorial Medical Center Discovers Exposure of Patients’ Radiology Images

Torrance Memorial Medical Center (TMMC) in California has discovered a server used by a third-party radiology vendor had security protections removed that allowed certain patient information to be accessed by unauthorized individuals.

TMMC was notified about the potential data breach by its radiology vendor on January 6, 2020. The investigation revealed protections were accidentally removed on June 20, 2019 and the server could be accessed by unauthorized individuals up to December 13, 2020.

The risk to each patient is believed to be low, as radiology images were only stored on the server for a short period of time. Every 24 hours, images on the server are automatically deleted. However, over the course of 6 months, the server temporarily stored the medical images of 3,448 patients. Those radiology images included names, dates of birth, gender, accession number, medical record number, and referring physician names.

Even though the risk to patients is believed to be low, TMMC has offered complimentary identity theft protection services to all affected patients.

PHI of 2,190 Patients Stolen in Burglary at California Dental Practice

On January 16, 2020, Genuine Dental Care in Saratoga, CA discovered thieves had broken into its offices and had stolen a server that contained the protected health information of 2,190 patients. Data on the server required multiple passwords to be entered in order for patient information to be accessed; however, it is possible that the thieves accessed patient data.

Patient information stored on the server included names, addresses, telephone numbers, Social Security numbers, drivers’ license numbers, health insurance information, dental records, and some financial information including credit card numbers. Genuine Dental Care also reports that medical images of certain patients who received dental treatment between June 2019 and January 2020 have been permanently lost.

The incident was reported to the San Jose Police Department, which is conducting an investigation. Genuine Dental Care has taken steps to improve physical security and additional technical controls have been implemented to further protect patient data.


University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack

The University of Kentucky (UK) has been battling to remove malware that was downloaded on its network in February 2020. Cybercriminals gained access to the UK network and installed cryptocurrency mining malware that used the processing capabilities of UK computers to mine Bitcoin and other cryptocurrencies.

The malware caused a considerable slowdown of the network, with temporary failures of its computer system causing repeated daily interruptions to day-to-day functions, in particular at UK HealthCare.

UK believes the attack was resolved on Sunday morning after a month-long effort. On Sunday morning, UK performed a major reboot of its IT systems, a process that took around 3 hours. UK believes the attackers have now been removed from its systems, although it will be monitoring the network closely to ensure that external access has been blocked. The attack is believed to have originated from outside the United States.

UK HealthCare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, KY, serves more than 2 million patients. While computer systems were severely impacted at times, patient care was not affected and patient safety was not put at risk.

An internal investigation was launched and third-party computer forensics specialists were engaged to assist with the investigation. University spokesman Jay Blanton said it is hard to determine whether any sensitive data was viewed or downloaded. The belief is that the malware attack was solely conducted to hijack the “vast processing capabilities” of the UK network to mine cryptocurrency.

UK has taken steps to improve cybersecurity, including installing CrowdStrike security software. More than $1.5 million has been spent ejecting the hackers from the network and bolstering security.

Arkansas Children’s Hospital Reboots Systems to Deal with ‘Cybersecurity Threat’

Arkansas Children’s Hospital in Little Rock has experienced a cyberattack that has impacted Arkansas Children’s Hospital and Arkansas Children’s Northwest. Its IT systems have been rebooted in an attempt to deal with the cyberthreat and a third-party digital forensics firm has been engaged to assist with the investigation.

The exact nature of the threat has not yet been disclosed and it is currently unclear when the attack will be resolved. All facilities are continuing to provide medical services to patients, but some non-urgent appointments may have to be rescheduled.

The investigation into the attack is ongoing, but at this stage, no evidence has been found to suggest patient information has been affected.


53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months

The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses Report from Keeper Security shows approximately two thirds of healthcare organizations have experienced a data breach in the past and 53% have experienced a breach of protected health information in the past 12 months.

The survey was conducted by the Ponemon Institute on 2,391 IT and IT security professionals in the United States, United Kingdom, DACH, Benelux, and Scandinavia, including 219 respondents from the healthcare industry.

The Keeper Security report indicates the average healthcare data breach results in the exposure of more than 7,200 confidential records and the average cost of a healthcare data breach is $1.8 million, including the cost of disruption to normal operations. The most common causes of healthcare data breaches are phishing attacks (68%), malware infections (41%), and web-based attacks (40%).

Healthcare data breaches have increased considerably in the past few years. Even though there is a high risk of an attack, healthcare organizations do not feel that they are well prepared. Only one third of IT and IT security professionals in the healthcare industry said they had enough budget to mount a strong defense to prevent cyberattacks. 90% of healthcare organizations devote less than 20% of their IT budget to cybersecurity, with an average allocation of just 13%. 87% said they did not have the personnel to achieve a more efficient cybersecurity posture. Even though emergency planning is a requirement of HIPAA, less than one third of respondents said they had a plan for responding to cyberattacks.

When asked about the importance of passwords for preventing data breaches, 66% of healthcare organizations agreed that good password security was an important part of their security defenses, but fewer than half of surveyed organizations have visibility into the password practices of their employees.

A second study conducted by the Ponemon Institute, on behalf of Censinet, shows healthcare vendors are also being targeted and are struggling to defend against cyberattacks. That survey revealed 54% of healthcare vendors have experienced at least one data breach in the past, and 41% of those respondents have experienced six or more data breaches in the past 2 years. For healthcare vendors, the average size of a data breach is over 10,000 records and the average cost of a breach is $2.75 million.

When healthcare vendors experience a data breach it is common for customers to take their business elsewhere. 54% of healthcare vendors said a single data breach would result in a loss of business and 28% of healthcare vendors said they lost a customer when security gaps were discovered.

It is common for security gaps to go unnoticed, as 42% of respondents said healthcare providers do not require them to provide proof they are in compliance with privacy and data protection regulations. Even when security gaps are discovered, 41% of healthcare vendor respondents said they were not required to take any action.

Risk assessments are a requirement of HIPAA, but they are costly and time consuming to perform. Vendors spend an average of $2.5 million a year conducting risk assessments, but only 44% believe risk assessments improve their security posture, which Censinet believes could be due to 64% of vendors finding risk assessments confusing and ambiguous.

59% of healthcare vendors said risk assessments become out of date within 3 months of being conducted, yet only 18% of respondents said their healthcare clients require them to complete risk assessments more than once a year.

“According to the research, 55 percent of vendors say that these certifications do not provide enough value for the cost, while 77 percent indicate challenges with the certification process, including respondents who believe it is too time-consuming, too costly and too confusing.” The solution could be automation. 61% of vendors believe workflow automation would streamline the risk assessment process and 60% believe workflow automation would reduce the cost of risk assessments by up to 50%.


Relation Insurance and Rainbow Hospice Care Experience Email Security Breaches

Relational Insurance Inc., an insurance brokerage firm doing business as Relation Insurance Services of Georgia (RISG), experienced an email security breach in August 2019. An unauthorized individual was discovered to have gained access to the email account of an employee and potentially viewed or copied emails containing protected health information (PHI).

The breach was detected on August 15, 2019 when suspicious activity was detected in the email account. A third-party computer forensics firm assisted with the investigation and determined the account was accessed by an unauthorized individual between August 14 and August 15.

On August 16, 2019, RISG determined the account contained PHI; however, it took until December 13, 2019 for a full review of the account to be completed to determine which individuals had been affected and exactly what information was potentially compromised.

The account was found to contain a wide range of information, which differed from individual to individual. The breached PHI may have included: Name, address, telephone number, email address, date of birth, driver’s license number, Social Security number, passport number, state issued identification number, copies of marriage or birth certificates, account and routing number, financial institution name, credit/debit card number, PIN, expiration date, treatment information, prescription information, provider name, medical record number, patient ID, health insurance information, treatment cost, medical history, mental or physical condition, diagnosis code, procedure type, procedure code, treatment location, admission date, discharge date, medical device number, and date of death.

Steps have been taken to improve email security and prevent similar breaches in the future. The breach report submitted to the HHS’ Office for Civil Rights indicates the PHI of up to 4,335 individuals was potentially compromised.

Email Security Breach Discovered by Rainbow Hospice Care, Inc.

Jefferson, WI-based Rainbow Hospice Care, Inc. has discovered an employee’s email account has been accessed by an unauthorized individual and the protected health information of 2,029 current and former patients may have been viewed or downloaded.

Third-party forensic investigators were engaged to investigate the breach. While they confirmed that the account had been accessed by an unauthorized individual, they were unable to determine whether any patient information was accessed or exfiltrated. An analysis of the compromised account revealed it contained patient names, dates of birth, treatment information, medical record numbers, and Social Security numbers.

Patients have been notified about the breach and have been offered complimentary credit monitoring services through Experian. Rainbow Hospice Care is unaware of any cases of misuse of patient information and said in its substitute breach notice that it believes misuse of patient information is unlikely.


6 Healthcare Organizations Discover PHI Has Potentially Been Compromised

Six possible data breaches have been reported by healthcare organizations in the past few days that may have resulted in an impermissible disclosure of patient data. 8,701 patients are known to have been affected by the breaches.

Harris Health System Notifies Patients About Potential Privacy Breach

Houston, TX-based Harris Health System has notified 2,298 patients that some of their protected health information (PHI) has been exposed.

On December 30, 2019, two envelopes were sent to Ben Taub Hospital to be scanned and archived in the Harris Health electronic medical record system, but the envelopes were lost in transit.

The envelopes contained 143 sheets which are believed to include data from patients who visited Gulfgate Health Center for medical services between December 9, 2019 and December 27, 2019. The sheets contained information such as names, dates of birth, addresses, telephone numbers, test results, diagnoses, health insurance information, medical information, provider information, and Social Security numbers.

Since it was not possible to determine which patients were affected, the decision was taken to notify all patients who potentially had their PHI exposed. Harris Health System’s chief compliance and risk officer, Carolynn R. Jones, believes the envelopes contained the PHI of approximately 25 patients.

The employee tasked with transporting the information has been sanctioned and policies and procedures for transporting patient data have been reviewed and revised to prevent similar incidents in the future. All individuals potentially affected have been offered complimentary membership to credit monitoring services for one year.

Kaiser Permanente Alerts Patients About Mailing Error

Kaiser Permanente has discovered letters have accidentally been mailed to patients’ former addresses. Kaiser Permanente had embarked on a project to improve mailing addresses for correspondence with members in Southern California. An error was identified on November 1, 2019 that caused the letters to be sent to incorrect addresses. An investigation revealed the error was introduced on October 6, 2019. Addresses were corrected on December 20, 2019.

The mailings sent during that period included referral letters, surveys, care reminders, appointment reminders, and Explanation of Benefits statements. Those letters contained demographic information, details of medications, diagnoses, billing information, and health insurance information. No Social Security numbers or financial information was exposed.

Kaiser Permanente has provided additional training to the staff to prevent further errors in the future. Letters have now been resent to the correct addresses. The HHS’ Office for Civil Rights (OCR) breach portal indicates up to 500 patients may have been affected.

Backup Drive Containing ePHI Stolen from Elk Ridge Dentistry

The Estes Park, CO dental practice, Elk Ridge Dentistry, has discovered a portable hard drive used to store backups was stolen from the practice. The hard drive was among several items taken from the practice. The incident was reported to law enforcement, but the hard drive has not been recovered.

The dental practice learned on January 31, 2020 that the hard drive contained the records of 2,793 patients and included names, addresses, dates of birth, healthcare information, X-ray images, and a limited number of Social Security numbers. Treatment consent forms, referral letters, and emails were also backed up on the device. All affected patients have been offered complimentary membership to identity theft protection services through ID Experts.

PHI Potentially Compromised in Break-in at Armada Physical Therapy

Armada Physical Therapy experienced a break-in around December 19, 2019 at its Menaul Clinic on Menaul Boulevard in Albuquerque, NM and a server was stolen. The theft was reported to law enforcement and the investigation is ongoing, but the stolen server has not been recovered.

It was not possible to determine the exact information stored on the server, but it was known to contain intake forms for patients who received treatment prior to December 4, 2017. Patients who received treatment after that date had their information stored in a different location.

The intake forms contained names, addresses, telephone numbers, email addresses, insurance numbers, and Social Security numbers. Armada Physical Therapy does not believe financial information was stored on the stolen server. It was not possible to determine exactly how many patients were affected by the breach. The breach report submitted to the HHS’ Office for Civil Rights indicates up to 500 patients may have been affected.

Mailing Vendor Error Discovered by Riverview Health

An error at a printing and mailing vendor used by the Noblesville, IN-based healthcare provider, Riverview Health, has resulted in the exposure of the names of 2,610 patients.

The mailing vendor was instructed to send patient notification letters advising them about a potential change to two primary care providers, but an error resulted in letters being sent to incorrect addresses on January 6, 2020. Riverview learned of the error on January 14, 2020.

The letters identified individuals as patients of one of the two Riverview Health primary care providers. No other information was compromised.

Steps have now been taken to prevent similar errors from occurring in the future, including the addition of further review methods prior to the mailing of patient notification letters.

Mental Health Records Found Abandoned in Chicago Street

Physical medical records from the Community Mental Health Council have been found abandoned in an alley in West Englewood, Chicago. The Community Mental Health Council permanently closed its clinics after funding was lost in 2012.

Hundreds of former patients have had their sensitive data exposed. The documents included the names, addresses, Social Security numbers, diagnosis information, medical records, and other sensitive information. They were found strewn across an alley off Hermitage Avenue by a local resident when she took out her trash. City officials were contacted, and the records have now been collected and secured. City officials are now trying to determine who was responsible for dumping the records.


Flaw in Walgreens Mobile App Secure Messaging Feature Exposed PHI

Walgreens has started notifying customers that some of their protected health information may have been accessed by other individuals as a result of an error in the personal secure messaging feature of the Walgreens mobile app.

The secure messaging feature allows registered customers to receive SMS prescription refill notifications and deals and coupons. An undisclosed error in the app was identified that allowed certain information in its database to be viewed by other customers.

Affected customers have been advised that one or more personal messages may have been viewed by other individuals between January 9, 2020 and January 15, 2020. The personal messages included patients’ first and last names, drug name and prescription number, store number, and shipping address. Walgreens said health-related information was only exposed for a limited number of affected customers. The messages did not include any Social Security numbers or financial information.

According to a breach notice submitted to the California Attorney General on Friday, the error was detected by Walgreens on January 15, 2020. Walgreens immediately disabled message viewing to prevent any further unauthorized disclosures while the incident was investigated. Walgreens determined an internal application error was to blame and a technical correction was implemented to resolve the issue.

The Walgreens mobile app has been downloaded more than 10 million times from the Google Play store, but the error only impacted a small percentage of customers. According to the data breach summary on the Department of Health and Human Services’ Office for Civil Rights breach portal, 6,681 individuals were affected by the breach. It is unclear how many personal messages were accessed by other customers as a result of the error.

Walgreens will be conducting additional tests of the mobile app in the future before any updated versions are released to ensure updates do not impact the privacy of its customers.


Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval

A federal judge has given final approval of a settlement to resolve a class action lawsuit filed against the New Jersey-based medical laboratory company, Quest Diagnostics Inc., over its 2016 data breach. The $195,000 settlement provides up to $325 compensation for each breach victim.

On November 26, 2016 hackers gained access to the Care360 MyQuest mobile app that is used by patients to store and share their electronic test results and make appointments. The health app contained names, dates of birth, telephone numbers, and lab test results which, for some patients, included their HIV test results. 34,000 patients were affected by the breach.

A class action lawsuit was filed on behalf of patients affected by the breach in 2017. The lawsuit alleged Quest Diagnostics had been negligent and failed to protect the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that could have protected user’s information.” The plaintiffs also alleged Quest Diagnostics did not provide timely, accurate, and adequate notification about the breach.

In the fall of 2019, Quest Diagnostics proposed a settlement that provided compensation for the breach victims in order to avoid further legal costs and the risks of continuing litigation. A maximum of $325 per breach victim was proposed, which reflected the strengths and weaknesses of the claims and defenses in the case. Quest Diagnostics and the other defendants in the case have not admitted any wrongdoing.

The settlement received preliminary approval from a federal court judge in October 2019. Final approval was issued on February 25, 2020.

Each class member can claim up to $325, comprising up to $250 to cover provable out-of-pocket expenses incurred as a result of the breach. A further $75 can be claimed by each patient whose HIV test results were exposed, even if the patient did not incur any losses. Plaintiffs are required to submit a claim in order to receive a share of the settlement, and claims must be submitted by May 22, 2020.

Another class action lawsuit has been filed against Quest Diagnostics and Care360 over the theft of almost 12 million patient records from its business associate, American Medical Collection Agency (AMCA) in 2019. The plaintiffs in that case similarly allege the defendants were negligent for failing to protect their personal and protected health information and did not provide timely and accurate notifications.


HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D., has agreed to pay a financial penalty of $100,000 to resolve potential violations of the HIPAA Security Rule and will adopt a corrective action plan to address all areas of noncompliance discovered during the compliance investigation.

Dr. Porter’s practice in Ogden, UT provides gastroenterological services to more than 3,000 patients. OCR launched an investigation following a report of a data breach on November 13, 2013. The breach concerned a business associate of Dr. Porter’s electronic health record (EHR) company, which was allegedly impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until Dr. Porter paid the company $50,000.

The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the audit, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(i), the practice had not reduced risks to a reasonable and appropriate level, and had not implemented policies and procedures to prevent, detect, contain, and correct security violations.

Since at least 2013, the practice had allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without first receiving satisfactory assurances that the company would implement safeguards to ensure the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(b).

Throughout the course of the investigation, OCR provided significant technical assistance, yet a risk analysis was not conducted after the breach and appropriate security measures were not implemented to reduce risks to a reasonable and appropriate level.

The financial penalty shows that healthcare providers of all sizes must take their responsibilities under HIPAA seriously. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry,” said OCR Director, Roger Severino.
