HIPAA Breach News

Healthcare Data Breach Statistics

Posted by HIPAA Journal

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website.

The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR.

Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published.

There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches is now hacking/IT incidents, with unauthorized access/disclosures also commonplace.

Healthcare Data Breaches by Year

Between 2009 and 2017 there have been 2,181 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 176,709,305 healthcare records.  That equates to more than 50% of the population of the United States (54.25%). Healthcare data breaches are now being reported at a rate of more than one per day.

Healthcare data breaches 2019-2017

Healthcare Records Exposed by Year

While there has been a general upward trend in the number of records exposed each year, there was a massive improvement in 2017 – the best year since 2012 in terms of the number of records exposed. However, while breaches were smaller in 2017, it was a record breaking year in terms of the number of healthcare data breaches reported – 359 incidents.

Records Exposed in Healthcare data breaches

Average/Median Healthcare Data Breach Size by Year

Average Size of Healthcare Data Breaches

 

Median Size of Healthcare Data Breaches

 

Largest Healthcare Data Breaches (2009-2017)

Rank Year Entity Entity Type Records Exposed/Stolen Cause of Breach
1 2015 Anthem, Inc. Affiliated Covered Entity Health Plan 78800000 Hacking/IT Incident
2 2015 Premera Blue Cross Health Plan 11000000 Hacking/IT Incident
3 2015 Excellus Health Plan, Inc. Health Plan 10000000 Hacking/IT Incident
4 2011 Science Applications International Corporation Business Associate 4900000 Loss
5 2014 Community Health Systems Professional Services Corporation Business Associate 4500000 Theft
6 2015 University of California, Los Angeles Health Healthcare Provider 4500000 Hacking/IT Incident
7 2013 Advocate Medical Group Healthcare Provider 4029530 Theft
8 2015 Medical Informatics Engineering Business Associate 3900000 Hacking/IT Incident
9 2016 Banner Health Healthcare Provider 3620000 Hacking/IT Incident
10 2016 Newkirk Products, Inc. Business Associate 3466120 Hacking/IT Incident
11 2016 21st Century Oncology Healthcare Provider 2213597 Hacking/IT Incident
12 2014 Xerox State Healthcare, LLC Business Associate 2000000 Unauthorized Access/Disclosure
13 2011 IBM Business Associate 1900000 Unknown
14 2011 GRM Information Management Services Business Associate 1700000 Theft
15 2010 AvMed, Inc. Health Plan 1220000 Theft
16 2015 CareFirst BlueCross BlueShield Health Plan 1100000 Hacking/IT Incident
17 2014 Montana Department of Public Health & Human Services Health Plan 1062509 Hacking/IT Incident
18 2011 The Nemours Foundation Healthcare Provider 1055489 Loss
19 2010 BlueCross BlueShield of Tennessee, Inc. Health Plan 1023209 Theft
20 2011 Sutter Medical Foundation Healthcare Provider 943434 Theft

Healthcare Hacking Incidents by Year

Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although healthcare organizations are now much better at detecting breaches when they do occur. The low hacking/IT incidents in the earlier years is likely to be due, in part, to the failure to detected hacking incidents and malware infections quickly. Many of the hacking incidents in 2014-2017 occurred many months, and in come cases years, before they were detected.

Healthcare Data Breaches - Hacking

 

Records Exposed in Healthcare Data Breaches - Hacking

Unauthorized Access/Disclosures by Year

As with hacking, healthcare organizations are getting better at detecting internal breaches and also reporting those breaches to the Office for Civil Rights. While hacking is the main cause of breaches, unauthorized access/disclosure incidents are in close second.

Healthcare Data Breaches - unauthorized access/disclosures

 

records exposed in authorized access/disclosures

Loss/Theft of PHI and Unencrypted ePHI by Year

Our healthcare data breach statistics show HIPAA covered entities and business associates have got significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public.

healthcare theft/loss data breaches

 

records exposed by healthcare theft/loss data breaches

Improper Disposal of PHI/ePHI by Year

healthcare data breaches - improper disposal incidents

 

records exposed in healthcare improper disposal incidents

 

Breaches by Entity Type

Year Provider Health Plan Business Associate Other Total
2009 14 1 3 0 18
2010 134 21 44 0 199
2011 137 20 42 1 200
2012 155 22 36 4 217
2013 199 18 56 5 278
2014 202 71 41 0 314
2015 196 62 11 0 269
2016 257 51 19 0 327
2017 288 52 19 0 359
Total 1582 318 271 10 2181

OCR Settlements and Fines for HIPAA Violations

The penalties for HIPAA violations can be severe with multi-million-dollar fines possible when violations have been allowed to persist for several years or when multiple violations of HIPAA Rules have been allowed to occur.

The penalty structure for HIPAA violations is detailed in the infographic below:

Penalty Structure for HIPAA Violations

OCR Settlements and Fines Over the Years

The data for the healthcare data breach statistics on fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines issued by OCR between 2008 and 2018. As the graph below shows, there has been a steady increase in HIPAA enforcement over the past 9 years.

HIPAA Fines and Settlements 2008-2017

 

How Much Has OCR Fined HIPAA Covered Entities and Business Associates?

In addition to an increase in fines and settlements, the level of fines has increased substantially. Multi-million-dollar fines for HIPAA violations are now the norm.

HIPAA Fine and Settlement Amounts 2008-2017

 

average HIPAA Fines and Settlements 2008-2017

 

Median HIPAA Fines and Settlements 2008-2017

As the graphs above show, there has been a sizable increase in both the number of settlements and civil monetary penalties and the fine amounts in recent years. OCR’s budget has been cut so there are fewer resources to put into pursuing financial penalties in HIPAA violation cases. 2018 is likely to see fewer fines for HIPAA covered entities than the past two years, although settlement amounts are likely to remain high and even increase in 2018.OCR Director Roger Severino has indicated financial penalties are most likely to be pursued for particularly egregious HIPAA violations.

State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations

State attorneys general can issue fines ranging from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.

Even when action is taken by state attorneys general over potential HIPAA violations, healthcare organizations are typically fined for violations of state laws. Only a handful of U.S. states have issued fines solely for HIPAA violations

Some of the major fines issued by state attorneys general for HIPAA violations and violations of state laws are listed below.

 

Year State Covered Entity Amount Individuals affected Settlement/CMP Reason
2018 NY EmblemHealth $575,000 81,122 Settlement Mailing error
2018 NY Aetna $1,150,000 12,000 Settlement Mailing error
2017 CA Cottage Health System $2,000,000 More than 54,000 Settlement Failure to adequately protect medical records
2017 MA Multi-State Billing Services $100,000 2,600 Settlement Theft of unencrypted laptop containing PHI
2017 NJ Horizon Healthcare Services Inc., $1,100,000 3.7 million Settlement Loss of unencrypted laptop computers
2017 VT SAManage USA, Inc. $264,000 660 Settlement Spreadsheet indexed by search engines and PHI viewable
2017 NY CoPilot Provider Support Services, Inc $130,000 221,178 Settlement Delayed breach notification
2015 NY University of Rochester Medical Center $15,000 3,403 Settlement List of patients provided to nurse who took it to a new employer
2015 CT Hartford Hospital/ EMC Corporation $90,000 8,883 Settlement Theft of unencrypted laptop containing PHI
2014 MA Women & Infants Hospital of Rhode Island $150,000 12,000 Settlement Loss of backup tapes containing PHI
2014 MA Boston Children’s Hospital $40,000 2,159 Settlement Loss of laptop containing PHI
2014 MA Beth Israel Deaconess Medical Center $100,000 3,796 Settlement Loss of laptop containing PHI
2013 MA Goldthwait Associates $140,000 67,000 Settlement Improper disposal
2012 MN Accretive Health $2,500,000 24,000 Settlement Mishandling of PHI
2012 MA South Shore Hospital $750,000 800,000 Settlement Loss of backup tapes containing PHI
2011 VT Health Net Inc. $55,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications
2011 IN WellPoint Inc. $100,000 32,000 Settlement Failure to report breach in a reasonable timeframe
2010 CT Health Net Inc. $250,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications

The post Healthcare Data Breach Statistics appeared first on HIPAA Journal.

Analysis of February 2018 Healthcare Data Breaches

Posted by HIPAA Journal

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018.

Summary of February 2018 Healthcare Data Breaches

February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches.

Healthcare Data Breaches by Month

While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed.

Records exposed in Healthcare Data Breaches

Largest Healthcare Data Breaches of February 2018

The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below.

Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of PHI
St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134,512 Hacking/IT Incident Network Server
Tufts Associated Health Maintenance Organization, Inc. Health Plan 70,320 Unauthorized Access/Disclosure Paper/Films
Triple-S Advantage, Inc. Health Plan 36,305 Unauthorized Access/Disclosure Paper/Films
CarePlus Health Plan Health Plan 11,248 Unauthorized Access/Disclosure Paper/Films
Union Lake Supermarket, LLC Healthcare Provider 9,956 Improper Disposal Other Portable Electronic Device

The top five data breaches were responsible for 85% of all exposed healthcare records in February. The largest data breach – a malware-related incident at St. Peter’s Surgery & Endoscopy Center – accounted for 43.6% of the exposed healthcare records in February.

Main Causes of February 2018 Healthcare Data Breaches

Unauthorized access/disclosures topped the list of the main causes of healthcare data breaches in February 2018 with 12 incidents and included three of the most serious breaches. Hacking incidents were in close second with 9 breaches, followed by three loss/theft incidents and one case of improper disposal of ePHI.

Causes of February 2018 Healthcare Data Breaches

Records Exposed by Breach Type

Hacking/IT incidents were the second biggest cause of healthcare data breaches in February, but the incidents resulted in the exposure/theft of the largest amount of healthcare data.

Records Exposed by Breach Type

Location of Breached Records

Overall, there were more breaches involving electronic health data than physical records, although breaches involving paper/films were the most numerous with 6 incidents. The breach reports show that while technological controls are essential to prevent hacks and unauthorized access/disclosures of electronic records, physical security is important for paper records and administrative safeguards are necessary to prevent unauthorized access. All six of the breaches involving paper/films were unauthorized access/disclosures.

Location of breached healthcare records (February 2018)

Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in February with 15 incidents (reported by 14 healthcare providers). There were three breaches reported by pharmacies in February. 8 data breaches were reported by 7 health plans and two security incidents were reported by business associates.

Data Breaches by Covered Entity (February 2018)

Healthcare provider breaches exposed the most health records in February. 168,732 records were exposed by healthcare providers. The mean breach size was 11,248 records and the median breach size was 1,670 records.

Health plans experienced fewer breaches, but the incidents were more severe. 133,580 records were exposed by health plans. The mean breach size was 16,698 records and the median breach size was 6,075 records. The mean and median breach size for business associate data breaches was 3,234 records.

Records exposed by covered entity (February 2018)

February 2018 Healthcare Data Breaches by State

Healthcare organizations based in 18 states reported data breaches in February 2018. There were six states that experienced 2 data breaches– Alabama, California, Massachusetts, Mississippi, Rhode Island, and Wisconsin.

Arkansas, Connecticut, Illinois, Kentucky, Maine, Michigan, Missouri, North Carolina, New Jersey, New York, Tennessee, and Virginia each had one data breach reported.

Financial Penalties for HIPAA Covered Entities in February 2018

The Office for Civil Rights settled one HIPAA violation case in February. Filefax Inc, agreed to settle potential HIPAA violations with OCR for $100,000. The financial penalty sent a message to HIPAA-covered entities and their business associates that HIPAA responsibilities do not end when a business ceases trading. The fine relates to HIPAA violations that occurred after the business closed – the improper disposal of paperwork containing protected health information.

The post Analysis of February 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

Multiple Email Accounts Compromised at Primary Health Care

Posted by HIPAA Journal

Primary Health Care Inc., a non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA, has discovered malicious actors have gained access to the email accounts of four employees and have potentially viewed or obtained patients’ protected health information.

Primary Health Care issued a press release and uploaded a substitute breach notice to its website on March 16, 2018 explaining the breach occurred on February 28, 2017. The breach was detected the following day on March 1, 2017. Primary Health Care is in the process of notifying affected patients and will be reporting the incident to the Department of Health and Human Services’ Office for Civil Rights. No explanation is provided as to why the breach took a year to report, although the timing of the breach notice suggests the year stated in the breach notice may be a typo and that the breach occurred this year.

Primary Health Care responded quickly to the breach and terminated access to the compromised email accounts and hired a third-party computer forensics expert to conduct an investigation into the attack. The investigation revealed access to four email accounts and their associated Google Drives was gained by the attacker(s), although it was not possible to tell whether any emails were opened and if any protected health information was viewed.

An analysis of the email accounts revealed they contained information such as patients’ names along with driver’s license numbers, Social Security numbers, diagnoses, treatment information, medical histories, health insurance/payor information, facilities and providers visited, financial account numbers, credit/debit card numbers, dates of service, and in some cases, Medicaid numbers.

No evidence has been found to suggest any information has been misused, although out of an abundance of caution, affected individuals have been offered 12 months of identity theft protection services through AllClear without charge.

Primary Health Care is in the process of implementing additional security measures to enhance the privacy and security of its information systems to prevent further breaches of this nature.

The post Multiple Email Accounts Compromised at Primary Health Care appeared first on HIPAA Journal.

Almost 10,000 Individuals Notified of Improper PHI Disposal Incident by ShopRite

Posted by HIPAA Journal

A ShopRite pharmacy in Millville, New Jersey has discovered an electronic device used to capture the signatures of customers has been disposed of without first wiping the device of all stored protected health information.

A limited amount of protected health information was stored on the device, which included patients’ names, dates of birth, phone numbers, zip codes, prescription numbers, medication names, signatures, date and time of collection/delivery, and in some cases, details of over-the-counter medications containing pseudoephedrine (PSE).

The device was used by customers to acknowledge the store’s privacy policy and payment for prescriptions by insurance carriers. Information was also collected on sales of products containing PSE to meet legal requirements.

Individuals affected by the incident had collected prescriptions or purchased PSE products between 2007 and 2013. The device was disposed of in June 2016.

The improper disposal of the device is not understood to have resulted in PHI being compromised and no reports of PHI access or misuse have been received by ShopRite, Union Lake Supermarket, or Wakefern Food Corp.

Individuals whose PHI has been exposed have been notified by mail and advised of the steps they can take to reduce the risk of PHI misuse, such as checking their financial accounts closely and monitoring Explanation of Benefits statements for signs of misuse of their insurance information.

ShopRite has responded to the incident by updating and strengthening its policies and procedures regarding removal of PHI from computers and other electronic devices and the safe and secure disposal of electronic equipment. Pharmacy staff have also been retrained on privacy and security.

The breach report submitted to the HHS’ Office for Civil Rights indicates 9,956 individuals have been impacted by the incident.

HIPAA Rules require all electronic data to be permanently erased from electronic devices prior to disposal. All PHI must be rendered essentially unreadable and indecipherable, and a method should be used to erase data that prevents the information from being reconstructed.

In the case of ePHI this can be achieved through secure clearing and overwriting of data, purging by degaussing or exposing the device to strong magnetic fields, or destroying the device through burning, pulverization, melting, or incineration.

The post Almost 10,000 Individuals Notified of Improper PHI Disposal Incident by ShopRite appeared first on HIPAA Journal.

QuadMed Discovers PHI of More than 5,300 Patients Was Impermissibly Disclosed to Employees

Posted by HIPAA Journal

QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, has discovered the protected health information of 5,305 patients has potentially been impermissibly disclosed to certain employees.

In November 2013, QuadMed took over an onsite clinic at Hillenbrand Inc. Occupational health information of employees of the Batesville, IN-based manufacturer was maintained in an electronic medical record system and access to the system was shared with QuadMed.

Certain QuadMed employees required access to the data for the administration of occupational health matters. Take overs of clinics at WI-based Stoughton Trailers and Whirlpool Corporation’s Clyde, OH plant also saw occupational health-related information in EMRs shared with the firm and made accessible to some of its employees.

On December 26, 2017, QuadMed discovered a technical issue affected the PHI stored in the EMRs used at the Hillenbrand and Stoughton Trailers clinics which allowed its employees to access more than the minimum necessary amount of PHI than was permissible. Employees had access to more information than was necessary since May 9, 2016.

A similar breach affected the Whirlpool clinic, which QuadMed took over in January 2017. In that case, the EMR system should have had additional administrative and technical controls applied that would enable QuadMed to protect the privacy of health information; however, the controls had not been fully implemented. QuadMed discovered the potential issue in February 2017 prompting an investigation, although it took until October 2017 for QuadMed to be given the level of system access necessary to investigate this issue.

At all three locations, the types of protected health information that could potentially have been accessed included patients’ names, onsite clinic service dates, test and evaluation results, diagnoses, medical histories, information on examinations and physicals, vaccinations, travel medicine prescriptions, and workers’ compensation data.

QuadMed reports that the technical issue has now been corrected and new controls have been implemented to ensure protected health information remains confidential and can only be accessed by authorized individuals. Additional staff training has also been provided on the requirements of HIPAA with respect to protecting health information.

All individuals whose PHI was potentially accessed without authorization have now been notified of the privacy breach by mail. The unauthorized access/disclosures have been reported to the Department of Health and Human Services’ Office for Civil Rights as two separate breaches impacting 2,471 and 2,834 individuals.

The post QuadMed Discovers PHI of More than 5,300 Patients Was Impermissibly Disclosed to Employees appeared first on HIPAA Journal.

PHI of 33,420 BJC Healthcare Patients Exposed on Internet for 8 Months

Posted by HIPAA Journal

The protected health information of 33,420 patients of BJC Healthcare has been accessible on the Internet for eight months without any need for authentication to view the information.

BJC Healthcare is one of the largest not-for profit healthcare systems in the United States. The St. Louis-based healthcare organization runs two nationally recognized hospitals in Missouri – Barnes-Jewish Hospital and St. Louis Children’s Hospital along with 13 others. The health system employs more than 31,000 individuals, has over 154,000 hospital admissions and performs more than 175,000 home health visits a year.

On January 23, 2018, BJC Healthcare performed a security scan which revealed one of its servers had been misconfigured which allowed sensitive information to be accessed without authentication. Action was immediately taken to reconfigure and secure the server to prevent data from being accessed.

The investigation revealed an error had been made configuring the server on May 9, 2017, leaving documents and copies of identification documents accessible. Highly sensitive information such as Social Security numbers, insurance cards, and driver’s license numbers were exposed along with patients’ names, addresses, contact telephone numbers, dates of birth, and treatment related information.

The scanned documents stored on the server contained information collected from patients between 2003 and 2009. Patients who visited BJC Healthcare facilities after 2009 were not impacted by the breach.

The investigation did not uncover evidence to suggest any of the documents were accessed by unauthorized individuals, although data access could not be ruled out with a high degree of certainty. Therefore, out of an abundance of caution, all patients whose protected health information was exposed have been offered identity theft protection services without charge for 12 months.

The security incident has prompted BJC Healthcare to review its information system policies and processes, which have been updated to prevent any further incidents of this nature from occurring.

The post PHI of 33,420 BJC Healthcare Patients Exposed on Internet for 8 Months appeared first on HIPAA Journal.

HIMSS Survey Reveals Top Healthcare Security Threats

Posted by HIPAA Journal

HIMSS has published the results of its annual healthcare cybersecurity survey, which provides insights into the state of cybersecurity in healthcare and identified the top healthcare security threats.

The HIMSS 2018 cybersecurity survey was conducted on 239 respondents from the healthcare industry between December 2017 and January 2018. The results of the survey were announced at the HIMSS 2018 Conference & Exhibition in Las Vegas.

36.8% of respondents had positions in executive management and 37.2% were employed in non-executive management positions. The remaining 25.9% were in non-management positions such as cybersecurity specialists and analysts. 41.2% of respondents were primarily responsible for cybersecurity, 32.6% had some responsibility, and 11.8% sometimes had responsibility for cybersecurity.

Most Healthcare Organizations Have Experienced a Significant Security Incident in the Past 12 Months

The threat of healthcare cyberattacks is greater than ever and the past 12 months has been a torrid year. In the past 12 months, 75.7% of respondents said they had experienced a recent significant security incident. 96% of those respondents were able to characterize the threat actor responsible, with the top three being online scam artists such as phishers (37.6%), negligent insiders (20.8%), and hackers (20.1%).

61.4% of respondents said email was the main initial point of compromise. In second place was ‘other’ which included compromised customer networks, web application attacks, guessed passwords, misconfigured software/cloud services, and human error. In joint third – both with 3.2% of responses – was a compromised organizational website and hardware/software pre-loaded with malware.  11.6% said they did not know how the attackers gained access to their networks/data.

In the majority of cases (68.2%), incidents were discovered internally (40.7% by security teams / 27.5% by non-security personnel). 67.7% of breaches were detected within 7 days, with 47.1% detected within 24 hours.

Healthcare Cybersecurity Is Improving

The past 12 months have seen an increase in healthcare security incidents, although the severity of data breaches has reduced year over year. This indicates cybersecurity in healthcare is improving, which was backed up by the HIMSS survey results.

84.3% of respondents said more resources are now being used to address cybersecurity with only 3.3% saying resources have decreased year over year.  60% of respondents said their organization now employs a senior information security leader.

55.8% of respondents said a dedicated or defined amount of the current budget is allocated for cybersecurity. 26.5% of respondents said there was no specific carve out for cybersecurity but money was being spent as needed or could be requested. Only 2.8% said no money is spent on cybersecurity.

HIPAA requires healthcare organizations to conduct regular risk assessments to identify potential threats to the confidentiality, integrity, and availability of protected health information. The survey revealed healthcare organizations are being proactive and are conducting risk assessments and using the results to direct their cybersecurity efforts.

45.5% said they are performing security risk assessments annually, 5.6% were conducting risk assessments every 6 months, 9% performed risk assessments once a month, and 9.6% said they performed risk assessments daily. Alarmingly, 5.1% said they do not perform risk assessments and 4.5% conducted risk assessments less frequently than once a year.

Actions Directed by Risk Assessments

Source: HIMSS

Plenty of Room for Improvement

While cybersecurity is improving, there are still multiple areas where improvements can and should be made and too little is being done to deal with the main healthcare security threats. The recent HIPAA compliance audits and penalties for HIPAA violations have prompted many healthcare organizations to concentrate on HIPAA compliance, which has been a greater priority than security.

HIMSS says compared to other industry sectors, healthcare cybersecurity programs lack maturity and that typically cybersecurity programs have only been running for five or fewer years. HIMSS suggests that even with the healthcare industry being heavily targeted by cybercriminals, “many cybersecurity professionals are still getting used to the idea that there are bad actors out there that are directly or indirectly targeting healthcare organizations.”

The main barriers for remediating and mitigating cyberattacks were a lack of appropriate personnel (52.4%) and a lack of financial resources (46.6%). Other barriers were too many application vulnerabilities (28.6%), too many endpoints (27.5%), too many new and emerging threats (27%) not enough cyber security intelligence (23.3%) and a network infrastructure that was too complex to secure (20.6%).

13.3% said they had no cybersecurity staff and 43.2% said their ratio of cybersecurity staff to IT users was greater than 1:500.

The majority of organizations are spending 6% or less of their IT budgets on cybersecurity, 16.9% of organizations had not adopted a cybersecurity framework, and 37.1% of organizations only conducted penetration tests annually. Even though the threat from within is significant, 24.2% of healthcare organizations did not have an insider threat management program and 27% said they had such a program but it was informal.

Phishing and email attacks are major concerns and are behind the majority of healthcare security breaches and OCR has also made it clear that phishing and security awareness training should be an ongoing process, yet 51.8% of healthcare organizations are still only conducting security awareness training annually. Only 32.9% said they test their employees phishing awareness with phishing simulations.

Top Healthcare Security Threats

There are many healthcare security threats, although some are perceived to pose more of a threat than others. There was little to choose between the three main threats to network and data security. Data breaches and data leakage were ranked as top healthcare security threats by 11.8% of respondents, ransomware was in second place rated as a top cybersecurity threat by 11.3% of respondents, with credential stealing malware in third place on 11%. Malicious insiders were seen as a major threat by 10.1% of respondents and wiper malware was rated as a serious threat by 10% of respodents.

When asked about future cybersecurity priorities the top areas were incident response (11.9%), risk assessment and management (11.9%), business continuity and disaster recovery (11.8%), awareness training programs (11.6%), cloud security (11.2%), website security (10.8%), physical security (10.7%), and information sharing (10.4%).

The full results of the HIMSS 2018 Cybersecurity survey can be viewed here.

The post HIMSS Survey Reveals Top Healthcare Security Threats appeared first on HIPAA Journal.

Alabama Data Breach Notification Act Passed by State Senate

Posted by HIPAA Journal

The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week.

Alabama is one of two states that has yet to introduce legislation that requires companies to issue notifications to individuals whose personal information is exposed in data breaches. The other state – South Dakota – is also considering introducing similar legislation to protect state residents.

The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to issue notifications to state residents when their sensitive personal information has been exposed and it is reasonably likely to result in breach victims coming to substantial harm.

Entities that would be required to comply with the Alabama Data Breach Notification Act are persons,

sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive personally identifying information.

Sensitive personally identifying information is defined as a first name/first initial and last name combined with any of the following data elements, provided they are not truncated, encrypted, or hashed:

  • Social Security number
  • Tax ID number
  • Driver’s license number
  • State identification card number
  • Military identification number
  • Passport number
  • Other unique government identification number
  • Medical information such as health history, treatment or diagnosis or mental/physical condition
  • Health insurance number or unique identifiers used by health insurers for identification of an individual
  • Financial account number (bank account, credit card, or debit card) combined with an expiry date, security code, PIN, password, or other information that would allow a financial transaction to be conducted
  • Username or email address along with a password or security question answer that would allow an account to be accessed

The Alabama Data Breach Notification Act also calls for entities holding the above information to implement and maintain reasonable security measures to protect sensitive personally identifiable information. A risk analysis must be conducted to identity potential security risks and safeguards would need to be adopted reduce those risks to a reasonable level. Measures to protect data should be appropriate for the sensitivity of the data, the amount of data held, the size of the organization, and the cost of safeguards relative to the company’s resources.

If the Alabama Data Breach Notification Act is passed, state residents would have to be notified of data breaches within 45 days of discovery of a breach. Companies that fail to issue the notifications could potentially be fined up to $5,000 per day for any delay in issuing notifications up to a maximum of $500,000 per breach. Lawsuits could be filed by the attorney general’s office on behalf of breach victims, although private actions would not be possible.

Breach notices would be required to include the date or estimated date of the breach, a description of the information exposed, details of the steps that can be taken by breach victims to protect themselves against harm, details of the steps taken by the breached entity to restore security and confidentiality of data, and contact information for further information about the breach. A breach notice would also need to be submitted to the state attorney general’s office if the breach impacts more than 1,000 individuals.

In contrast to data breach notification laws in some US states that exempt HIPAA covered entities that are in compliance with HIPAA laws, the Alabama Data Breach Notification Act would apply to HIPAA covered entities.

The current maximum time frame for HIPAA covered entities is 60 days from the date of discovery of a breach. For Alabama residents at least, that time frame would be reduced by 15 days.

The post Alabama Data Breach Notification Act Passed by State Senate appeared first on HIPAA Journal.

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

Posted by HIPAA Journal

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General.

While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members.

Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information.

The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law § 399-ddd(2)(e).

In addition to the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The results of that risk analysis must be reported to the Attorney General’s office within 180 days. Policies and procedures related to mailings must also be reviewed and updated based on the findings of the risk analysis.

EmblemHealth must catalogue, review, and monitor mailings and ensure that all employees involved in mailings receive appropriate training. They must also be instructed to report any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow prompt action to be taken manage risks to plan members. EmblemHealth is also required to report all security incidents to the Attorney General’s office for a period of 3 years from the date of the settlement.

According to Attorney General Schneiderman, New York has “weak and outdated security laws” which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017. There will now be a further push to get the SHIELD Act passed. Schneiderman claims the SHIELD Act will improve protections for state residents. Businesses will also be held accountable for data breaches that result in customers’ personal data being exposed.

“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”

The post EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach appeared first on HIPAA Journal.