HIPAA Breach News

Patients Notified of White and Bright Family Dental Server Hack

Posted by HIPAA Journal

Fresno, CA-based White and Bright Family Dental has discovered one of its servers containing patients’ protected health information has been accessed by hackers. Access to the server was gained by the attackers on January 30, 2018.

The Fresno Police Department was immediately notified of the incident “so that identification and prosecution of those involved could begin.” That investigation, along with the internal White and Bright Family Dental investigations, are continuing. The dental practice is also in the process of augmenting its security protections to prevent further incidents of this nature from occurring.

While HIPAA covered entities have up to 60 days following the discovery of a breach to issue notifications to patients and the Department of Health and Human Services, White and Bright Family Dental acted quickly and sent notifications in the shortest possible time frame to allow victims to take steps to protect their identities. Letters were sent to patients on February 16 and the state attorney general’s office was notified of the breach on February 19.

White and Bright Family Dental believes the protected health information of patients was accessed by the attackers, although no evidence has been uncovered to suggest any information has been copied, stolen or misused.

An analysis of the server revealed the following types of information were potentially accessed: Names, addresses, telephone numbers, birth dates, Social Security numbers, insurance information, driver’s license numbers, and dental histories.

Patients have been advised to be alert to the risk of identity theft and fraud and should monitor their health and account statements for any sign of fraudulent activity.

The incident has yet to appear on the HHS’ Office for Civil Rights’ breach portal so it is currently unclear how many patients have been impacted by the incident.

The post Patients Notified of White and Bright Family Dental Server Hack appeared first on HIPAA Journal.

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Posted by HIPAA Journal

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection.

The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients.

The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician.

Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23, 2017, following an extensive investigation into the hacker’s activities. Patients impacted by the breach were notified by mail this month.

UVa has since implemented a number of additional security controls to prevent further incidents of this nature from occurring.

Thousands of Victims’ Sensitive Information Viewed

fruitfly malware

Phillip R. Durachinsky

UVa is only one victim of the hacker. Other businesses were also affected and had information compromised, although the extent of the hacker’s activities have not fully been determined. The FBI investigation is continuing, although the hacker has been arrested and charged in a 16-count indictment for numerous computer offenses including violations of the Computer Fraud and Abuse Act and Wiretap Act, in addition to aggregated identity theft and the production of child pornography.

The hacker has been identified as Phillip R. Durachinsky, 28, of North Royalton, Ohio. Durachinsky allegedly developed a Mac malware called FruitFly more than 13 years ago and used the malware to spy on thousands of individuals and companies. The malware provided Durachinsky with full access to an infected device, including access to the webcam. The malware took screenshots, allowed the uploading and downloading of files, and could log keystrokes. Durachinsky also developed the malware to give him a live feed from multiple infected computers simultaneously.

Victims include schools, businesses, healthcare organizations, a police department, and local, state, and federal government officials. Over 13 years, Durachinsky spied on thousands of individuals, mainly using the Mac form of the malware, although a Windows-based variant was also used.

In addition to gaining access to UVa patients records, Durachinsky used the malware to view highly sensitive information of other non-UVa victims. He was able to gain access to financial accounts, photographs, tax records, and internet search histories. Durachinsky also allegedly surreptitiously took photographs of his victims via webcams and kept notes on what he was able to view.

The FBI discovered that an IP address associated with the malware was also used to access Durachinsky’s alumni email account at Case Western Reserve University, which led to his arrest. More than 20 million images were discovered on Durachinsky’s devices by the FBI agents.

The post 1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware appeared first on HIPAA Journal.

Sutter Health Notifies Patients of Business Associate Phishing Incident

Posted by HIPAA Journal

Sutter Health is notifying certain patients that some of their protected health information has been exposed following a phishing attack on one of its business associates – the legal firm Salem and Green.

On or around October 11, 2017, a phishing email was received by a staff member at Salem and Green, the response to which gave the attackers access to that individual’s email account. Upon discovery of the attack, a forensics firm was contracted to perform an analysis of the affected computer and network to determine the extent of the attack and whether any sensitive information had been obtained.

The investigation revealed the security breach was limited to a single email account and that access to the account was only possible for two days. During the time that the email account was accessible, the attacker had access to all emails in the account, some of which contained the protected health information of certain Sutter Health patients.

The types of information potentially accessed by the attacker was limited to names, dates of birth, driver’s license numbers, Social Security numbers, and other professional ID numbers.

Data access and theft was not confirmed, although it was also not possible to rule out data access/theft with a high degree of confidence. Sutter Health believes the risk of data misuse is low.

Out of an abundance of caution, all individuals impacted by the incident have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Sutter Health reports that the legal firm has taken steps to enhance security to prevent further breaches of this nature and staff have been provided with security awareness training to help them identify email threats such as phishing. The legal firm has also now implemented 2-factor authentication controls on all email accounts which will prevent account access from unknown devices.

The post Sutter Health Notifies Patients of Business Associate Phishing Incident appeared first on HIPAA Journal.

AJMC Study Reveals Common Characteristics of Hospital Data Breaches

Posted by HIPAA Journal

The American Journal of Managed Care has published a study of hospital data breaches in the United States. The aim of the study was to identify common characteristics of hospital data breaches, what the biggest problem areas are, the main causes of security incidents and the types of information most at risk.

The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016.

Over that 7-year time period there were 215 breaches reported by 185 nonfederal acute care hospitals and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals experienced 2 breaches. In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the theft/exposure of the highest number of health records.

While hacks were commonly experienced, it was not electronic healthcare data that was the biggest problem area. Paper and film were the most common locations of breached protected health information. 65 hospitals reported paper/film data breaches over the time period that was studied; however, while those breaches were the most common, they typically affected a relatively small number of patients.

Recently, there has been an increase in hacks and malware and ransomware attacks on network servers, although between 2009 and 2016 – for hospitals at least – network servers were the least common location of breached PHI. While the least common, they were the most severe. Network server breaches resulted in the highest number of stolen records.

The second most common location of breaches was PHI stored in locations other than paper/film, laptops, email, desktops, EHRs, or network servers. Those breaches had been reported by 56 hospitals. In third place was laptop breaches, reported by 51 hospitals.

The types of data breaches most commonly experienced were theft incidents, which had been reported by 112 hospitals. Unauthorized access/disclosures were in second place with incidents reported by 54 hospitals. Hacking/IT incidents was third and was behind 27 hospital data breaches.

Multivariate logistic regression analyses were performed to explore factors associated with hospital data breaches. The researchers found significant differences between hospitals that had experienced a data breach and those that had not.

Teaching hospitals and pediatric hospitals were found to be the most susceptible to data breaches. 18% of teaching hospitals had experienced at least one data breach, compared to 3% without a breach. Six percent of pediatric hospitals had experienced a breach compared to 2% that had not.

Larger hospitals were also more prone to data breaches than smaller facilities. 26% of large hospitals had experienced a data breach, compared to 10% that had no breaches. Investor-owned hospitals had reported fewer breaches than not-for profit hospitals.

There were no significant differences based on the level of IT sophistication, health system membership, biometric security use, hospital region, or area characteristics.

The researchers suggest that while hospitals have invested in technology and have digitized health data to meet Meaningful Use requirements, security has not been a major focus and investment in data security has been lacking. Hospitals are typically only spending 5% of their IT budgets on security and that needs to improve if hospital data breaches are to be prevented. Security measures also need to be improved for paper/films to reduce the opportunity for unauthorized access and theft.

The researchers suggest hospitals should be conducting regular audits to determine who is accessing PHI, while audits of data security protections will help hospitals identify vulnerabilities before they are exploited.

The use of biometric identifiers can limit the potential for unauthorized access of ePHI and 2-Factor authentication should be implemented on all user accounts.

The researchers also suggest access to PHI should be limited to the minimum necessary amount to allow employees to complete their work duties. By restricting access, the severity of data breaches will be reduced.

The methodology, full results, and conclusions can be found on this link.

The post AJMC Study Reveals Common Characteristics of Hospital Data Breaches appeared first on HIPAA Journal.

Another Major Triple-S Advantage Data Breach Has Occurred: 36,000 Affected

Posted by HIPAA Journal

The Puerto Rico Health Plan Triple-S Advantage has experienced a privacy breach that has impacted 36,000 plan members. The breach was the result of a mailing error which saw sensitive information of plan members disclosed to incorrect individuals.

The protected health information exposed as a result of the mailing was limited and did not include Social Security numbers or financial information; however, plan members’ ID numbers were impermissibly disclosed along with names, dates of service, and treatment codes.

The mailing error occurred in November but was not discovered by Triple-S until December 5, 2017. An extensive investigation was launched to determine how the error occurred and action has now been taken to ensure that similar errors do not occur in future mailings to plan members and healthcare providers.

Triple-S said in its substitute breach notice that its mailing processes have been changed and that those processes have now been tested. Another mailing run has been conducted and copies of the original letters have now been sent to the correct addresses. Affected plan members have also been notified of the exposure of their PHI by first class mail.

Since plan member ID numbers have been exposed, affected individuals have been advised to check their Explanation of Benefits statements carefully to make sure only services that have been received are listed. Since there is potential for malicious actors to change addresses, plan members have been told to check to make sure regular correspondence from Triple S is still being received.

Triple S notes that it has not received any notifications to suggest that any PHI has been accessed or misused by unauthorized individuals.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 36,305 plan members were affected by the mailing error.

While all privacy breaches are bad news, this incident will be especially concerning for Triple-S. In 2015, following an investigation into data breaches by the HHS’ Office for Civil Rights, Triple S Management Corporation – the parent company of Triple-S Advantage – settled multiple HIPAA violations with OCR for $3.5 million. Triple S was also fined $1.5 million by the Puerto Rico Health Insurance Administration.

The multi-million dollar settlement with OCR resolved serial violations of HIPAA Rules and multiple compliance failures that contributed to eight data breaches by Triple S Management Corporation subsidiaries between 2010 and 2014.

The company will still be on OCR’s radar and the latest breach is certain to be very carefully scrutinized for any sign of noncompliance with HIPAA Rules.

The post Another Major Triple-S Advantage Data Breach Has Occurred: 36,000 Affected appeared first on HIPAA Journal.

January 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January which is a considerable improvement on the 39 incidents reported in December 2017.

Healthcare data breaches by Month (August 2017-January 2018)

Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month where the number of breached records increased month over month.

records exposed in January 2018 Healthcare Data Breaches

The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. In January, the healthcare data breaches reported were far less severe than in December. In January the median breach size was 1,500 records. In December it was 15,857 records.

Largest Healthcare Data Breaches in January 2018

In January there were only four breaches reported that impacted more than 10,000 individuals, compared to nine such incidents in December 2017. Hacking incidents continue to result in the largest data breaches with five of the top six breaches the result of hacking/IT incidents, which includes hacks, malware infections and ransomware attacks.

 

Covered Entity Entity Type Individuals Affected Type of Breach
Oklahoma State University Center for Health Sciences Healthcare Provider 279865 Hacking/IT Incident
Onco360 and CareMed Specialty Pharmacy Healthcare Provider 53173 Hacking/IT Incident
Agency for Health Care Administration Health Plan 30000 Hacking/IT Incident
Decatur County General Hospital Healthcare Provider 24000 Hacking/IT Incident
Charles River Medical Associates, pc Healthcare Provider 9387 Loss
Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc. Healthcare Provider 5228 Hacking/IT Incident
RGH Enterprises, Inc. Healthcare Provider 4586 Unauthorized Access/Disclosure
Gillette Medical Imaging Healthcare Provider 4476 Unauthorized Access/Disclosure
Zachary E. Adkins, DDS Healthcare Provider 3677 Theft
Steven Yang, D.D.S., INC. Healthcare Provider 3202 Theft

Main Causes of Healthcare Data Breaches in January 2018

While hacking/IT incidents and unauthorized access/disclosures shared top spot in January, the biggest cause of breaches was actually errors made by employees and insider wrongdoing. Insiders were behind at least 11 of the 21 breaches reported in January.  Four of the five loss/theft incidents involved portable electronic devices. Those incidents could have been avoided if encryption had been used.

Main Causes of January 2018 Data Breaches

  • Hacking/IT Incidents: 7 breaches
  • Unauthorized Access/Disclosure: 7 breaches
  • Loss/theft of physical records and portable devices: 5 breaches

January 2018 Healthcare Data Breaches by Incident Type

 

Records Exposed by Breach Type

The vast majority of individuals impacted by healthcare data breaches in January 2018 had their health data accessed or stolen in hacking/IT incidents. January saw a significant reduction in records exposed due to loss or theft – In December, incidents involving the loss or theft of devices and physical records impacted 122,921 individuals.

Main Causes of Exposed Healthcare Records in January 2018

  • Hacking/IT Incidents: 394,787 healthcare records exposed in 7 security incidents
  • Loss/theft of physical records and portable devices: 18,519 records exposed in 5 incidents
  • Unauthorized Access/Disclosure: 13,329 healthcare records exposed in 7 incidents

Main Causes of Healthcare Data Breaches in January 2018 - Records by breach type

Location of Data Breaches in January 2018

Overall, more incidents were reported involving electronic copies of health data in January, but covered entities must ensure that appropriate physical security and access controls are in place to prevent unauthorized accessing and theft of paper records. Training must also be provided to staff on disposing of physical records. Two improper disposal incidents were reported in January involving physical records.

Main Locations of Exposed Healthcare Records in January 2018

  • Paper/Films: 13,514 records exposed in 7 incidents: 4 unauthorized access/disclosures; 2 improper disposal incidents, and one incident involving the loss of records
  • Network Servers: 310,593 healthcare records exposed in 4 hacking/IT incidents involving network servers: 1 Hack, 2 malware incidents and one incident for which the cause is unknown
  • Laptop computers: 3 incidents involving laptop computers: 2 stolen devices and one hack/IT incident
  • Email: Three incidents involving unauthorized access/disclosure due to phishing and two hacking incidents
  • EMRs:  3 incidents involving EMRs: 2 unauthorized access incidents (Physician/nurse) and 1 hacking incident

January 2018 Healthcare Data Breaches - Location of breached PHI

January 2018 Healthcare Data Breaches by Covered Entity

In January, no business associates of HIPAA covered entities reported data breaches, and according to the OCR breach summaries, none of the 21 security breaches had any business associate involvement. Healthcare providers were the worst affected with 19 breaches reported.

Healthcare Records Breached

  • Healthcare providers: 398,009 healthcare records exposed in 19 incidents
  • Health plans: 30,634 healthcare records exposed in 2 incidents

January 2018 Healthcare Data Breaches by Entity Type

January Healthcare Data Breaches by State

In January, covered entities based in 15 states reported data breaches that impacted more than 500 individuals.

California was the worst hit state by some distance with 5 covered entities reporting breaches. Tennessee and Wyoming had two breaches apiece, with one incident reported by organizations based in Florida, Illinois, Kentucky, Massachusetts, Maryland, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, and Washington.

Financial Penalties for HIPAA Covered Entities in January

There were no OCR HIPAA fines or settlements announced in January to resolve violations of HIPAA Rules, although the New York Attorney General did settle a case with health insurer Aetna.

Aetna was required to pay the NY AG’s office $1.15 million to resolve violations of HIPAA Rules and state laws. The violations were discovered during an investigation into a serious privacy breach experienced in July 2017. A mailing was sent to approximately 12,000 members in which details of HIV medications were visible through the clear plastic windows of the envelopes – An unauthorized disclosure of PHI. The mailing was sent on behalf of Aetna by a settlement administrator.

Further, it was alleged that Aetna provided PHI to its outside counsel, who in turn provided that information to the settlement administrator – a subcontractor – yet no business associate agreement was in place prior to that disclosure.

Aetna also settled a class action lawsuit in January over the breach. The lawsuit was filed by HIV/AIDS organizations on behalf of the victims of the breach. Aetna settled the lawsuit for $17,161,200.

That is unlikely to be the end of the fines. OCR may decide to take action over the breach and alleged HIPAA violations, and other state attorneys general have opened investigations. Aetna is also embroiled in costly legal action with its settlement administrator.

Data source for breaches: Department of Health and Human Services’ Office for Civil Rights.

The post January 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Coastal Cape Fear Eye Associates Ransomware Attack Impacts 925 Patients

Posted by HIPAA Journal

A Coastal Cape Fear Eye Associates ransomware attack has seen the protected health information of 925 patients compromised.

North Carolina’s Coastal Cape Fear Eye Associates, P.A., discovered its systems had been breached on December 5. 2017. Upon discovery of the ransomware attack, Coastal Cape Fear Eye Associates brought in external IT professionals to contain the attack and remove the ransomware. The IT consultants were able to limit the harm caused and the malware was removed, although some files remained locked and inaccessible for some time.

According to a substitute breach notice uploaded to the healthcare provider’s website on February 1, 2018, the delay in issuing notifications to affected patients was because it was not possible to access certain files to determine what information was involved and which patients were affected. Coastal Cape Fear Eye Associates has only recently been able to access all encrypted files.

Under HIPAA Rules, healthcare organizations are required to report ransomware attacks unless the attacked entity establishes there was a low probability of PHI being compromised. Ransomware typically blindly encrypts files and file access is not normally involved, even so, the Department of Health and Human Services’ Office for Civil Rights has released guidance on ransomware attacks that indicate – in most cases – ransomware attacks should be reported and patients notified.

In this case, the investigation into the attack revealed that data access was likely to have occurred, although no evidence was uncovered to suggest any information had been stolen by the attacker.

The files contained a wide range of highly sensitive information including names, dates of birth, addresses, phone numbers, email addresses, Social Security numbers, insurance card numbers, driver’s license numbers, emergency contact details, ethnicities, medications, medical histories, diagnosis records, physician notes, billing and payment histories, legal documents, and scanned copies of driver’s licenses, insurance cards and Medicare cards.

Coastal Cape Fear Eye Associates and its IT consultants are continuing to investigate the attack and will be implementing additional security controls to prevent future security breaches of this nature.

The post Coastal Cape Fear Eye Associates Ransomware Attack Impacts 925 Patients appeared first on HIPAA Journal.

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

Posted by HIPAA Journal

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses closes the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading.

FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations.

An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork.

That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In total, the records of 2,150 patients were included in the paperwork.

OCR determined that between January 28, 2015 and February 14, 2015, FileFax had impermissibly disclosed the PHI of 2,150 patients as a result of either: A) Leaving the records in an unlocked truck where they could be accessed by individuals unauthorized to view the information or; B) By granting permission to an individual to remove the PHI and leaving the unsecured paperwork outside its facility for the woman to collect.

Since FileFax is no longer in business – the firm was involuntarily dissolved by the Illinois Secretary of State on August 11, 2017 – the HIPAA penalty will be covered by the court appointed receiver, who liquidated the assets of FileFax and is holding the proceeds of that liquidation.

A corrective action plan has also been issued that requires the receiver to catalogue all remaining medical records and ensure the records are stored securely for the remainder of the retention period. Once that time period has elapsed, the receiver must ensure the records are securely and permanently destroyed in accordance with HIPAA Rules.

The settlement has been agreed with no admission of liability.

HIPAA Retention Requirements and Disposal of PHI

There are no HIPAA retention requirements – Covered entities and their business associates are not required to keep medical records after their business has ceased trading. However, that does not mean medical records and PHI can be disposed of immediately. Businesses are bound by state laws, which do require documents to be retained for a set period of time. For instance, in Florida, physicians must maintain medical records for 5 years after the last patient contact and in North Carolina hospitals must maintain records for 11 years following the last date of discharge.

During that time, HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure those records are secure and remain confidential. After the retention period is over, all PHI must be disposed of in a compliant manner.

In the case of paper records, disposal typically means shredding, burning, pulping, or pulverization. Whatever method chosen must render the documents indecipherable and incapable of reconstruction.

This HIPAA breach is similar to several others that have occurred over the past few years. Businesses have ceased trading and paper records containing the protected health information of patients have been dumped, abandoned, or left unsecured. There have also been cases where businesses have moved location and left paperwork behind, only for contractors performing a cleanup or refurb of the property to find the paperwork and dispose of it with regular trash.

The failure to secure PHI during the retention period and the incorrect disposal of records after that retention period is over are violations of HIPAA Rules that can attract a significant financial penalty.

“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino in a press release about the latest HIPAA settlement. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

The post $100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes appeared first on HIPAA Journal.

How Many HIPAA Violations in 2017 Resulted in Financial Penalties?

Posted by HIPAA Journal

We are often asked about healthcare data breaches and HIPAA violations and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017.

How Many HIPAA Violations Occurred in 2017?

The problem with determining how many HIPAA violations occurred in 2017 is many violations are not reported, and out of those that are, it is only the HIPAA breaches that impact more than 500 individuals that are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”.

To call it a ‘Wall of Shame’ is not fair on healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes if for a patch not to be applied immediately or an employee to accidently click on a phishing link for a data breach to occur. The breach reports are therefore not an accurate guide to the number of HIPAA violations that have occurred.

Some attorneys general publish details of data breaches, and many of those breaches are the result of HIPAA violations; however, only a small number of states publish that data breach summaries and as with OCR’s breach portal, there are many breaches that have occurred at organizations that are fully compliant with HIPAA Rules. It is also not possible to say how many of those breaches were the result of HIPAA violations. That can only be determined with a detailed investigation.

Complaints about potential HIPAA violations are frequently submitted to OCR. These tend to be smaller incidents involving relatively few individuals, such as a patient who believes HIPAA Rules have been violated or employees who believe colleagues have violated HIPAA Rules. OCR occasionally releases figures on the number of complaints that it receives, but many of those complaints turn out to be unfounded and, in many cases, OCR cannot prove beyond reasonable doubt that a HIPAA violation has occurred.

It is also not possible to gauge the level of serious HIPAA violations that have occurred based on settlements and civil monetary penalties. Even when there is evidence to suggest HIPAA Rules have been violated, financial settlements are typically only pursued when a case against a HIPAA-covered entity is particularly strong and likely to be won.

It is therefore not possible to determine how many HIPAA violations in 2017 resulted in data breaches nor how many violations occurred last year.

How Many HIPAA Violations in 2017 Resulted in Financial Settlements?

It is also not possible to determine how many HIPAA violations in 2017 have resulted in financial penalties being issued, at least not yet. OCR and state attorneys general open investigations when data breaches are experienced or complaints are received about potential HIPAA violations. However, it takes time to conduct investigations and gather evidence. Even when there is evidence of HIPAA violations, cases can take years before settlements are reached or civil monetary penalties are issued.

The latest HIPAA settlement is a good example. Fresenius Medical Care North America settled its case with OCR for $3,500,000 in 2018, yet the data breaches that triggered the investigation occurred in 2012. The list below shows the settlements and civil monetary penalties issued in 2017 and the years in which the violations occurred.

So unfortunately, it is not possible to say how many HIPAA violations in 2017 resulted in financial penalties, as that will not be known for many years to come

HIPAA Settlements and Civil Monetary Penalties in 2017

 

Covered Entity Penalty Amount Penalty Type Reason for Penalty Date of Violation(s)
21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations 2015
Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI 2015
St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI 2014
The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement 2003-2015
Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI 2011
Metro Community Provider Network $400,000 Settlement Lack of Security Management Process 2011
Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls 2007-2012
Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI 2006-2013
MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI 2011
Presense Health $475,000 Settlement Delayed Breach Notifications 2013

 

What we can say is HIPAA violations have occurred at most healthcare organizations, although oftentimes the violations are minor and inconsequential. We can go further and say that a majority of healthcare organizations have failed to follow HIPAA Rules to the letter all of the time.

The evidence comes from the second round of HIPAA compliance audits conducted by OCR in late 2016 and 2017. A final report on the findings of the audits has yet to be published, but last September preliminary results were released. They showed that healthcare organizations are still not getting to grips with HIPAA Rules and noncompliance is commonplace.

Findings of the 2017 HIPAA Compliance Audits

Listed below are the preliminary findings of the second round of HIPAA compliance audits. The audits consisted of ‘Desk Audits’ conducted on 166 covered entities on the HIPAA Privacy, Security, and Breach Notification Rules and 41 business associates of HIPAA covered entities on the Security and Breach Notification Rules.

OCR gave each audited entity a rating from 1-5 based on the level of compliance. A rating of 1 means the organization was in compliance with the goals and objectives of the audited standards and implementation specifications. A rating of 5 was given to entities that did not provide OCR with evidence to show that a serious attempt had been made to comply with HIPAA Rules.

HIPAA Rule Aspect of HIPAA Rule 1 Rating 2 Rating 3 Rating 4 Rating 5 Rating N/A
Breach Notification Rule Timeliness of Notification 65% 6% 2% 9% 11% 7%
Breach Notification Rule Content of Notification 14% 14% 23% 37% 7% 5%
Privacy Rule Patient Right to Access 1% 10% 27% 54% 11% N/A
Privacy Rule Notice of Privacy Practices 2% 33% 39% 11% 15% 2%
Privacy Rule Provision of eNotice 57% 15% 4% 6% 15% 3%
Security Rule Risk Analysis 0% 2% 19% 23% 13% N/A
Security Rule Risk Management 1% 3% 13% 29% 17% N/A

The post How Many HIPAA Violations in 2017 Resulted in Financial Penalties? appeared first on HIPAA Journal.