HIPAA Breach News

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR

Posted by HIPAA Journal

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI.

The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases.

21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals.

As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That investigation uncovered multiple potential violations of HIPAA Rules.

OCR determined that 21st Century Oncology failed to conduct a comprehensive, organization-wide risk assessment to determine the potential risks to the confidentiality, integrity, and availability of electronic protected health information, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

21st Century Oncology was also determined to have failed to implement sufficient measures to reduce risks to an appropriate and acceptable level to comply with 45 C.F.R. § 164.306(A).

21st Century Oncology also failed to implement procedures to regularly review logs of system activity, including audit logs, access reports, and security incident tracking reports, as required by 45 C.F.R. §164.308(a)(1)(ii)(D).

The breach resulted in the impermissible disclosure of the protected health information of 2,213,597 patients.

Further, protected health information of patients was disclosed to business associates without first entering into a HIPAA-compliant business associate agreement and obtaining satisfactory assurances that HIPAA requirements would be followed.

To resolve those potential HIPAA violations, 21st Century Oncology agreed to pay OCR $2.3 million. In addition to the financial settlement, 21st Century Oncology has agreed to adopt a comprehensive corrective action plan (CAP) to bring its policies and procedures up to the standards demanded by HIPAA.

Under the CAP, 21st Century Oncology must appoint a compliance officer, revise its policies and procedures with respect to system activity reviews, access establishment, modification and termination, conduct an organization-wide risk assessment, develop internal policies and procedures for reporting violations of HIPAA Rules, and train staff on new policies.

21st Century Oncology is also required to engage a qualified, objective, and independent assessor to review compliance with the CAP.

Separate $26 Million Settlement Resolves Meaningful Use, Stark Law, and False Claims Act Violations

In addition to the OCR settlement to resolve potential HIPAA violations, 21st Century Oncology has also agreed to a $26 million settlement with the Department of Justice to resolve allegations that it submitted false or inflated Meaningful Use attestations in order to receive incentive payments. 21st Century Oncology self-reported that employees falsely submitted information relating to the use of EHRs to avoid downward payment adjustments. Fabricated reports were also submitted, and the logos of EHR vendors were superimposed on reports to make them appear genuine.

The settlement also resolves allegations that the False Claims Act was violated by submitting or enabling the submission of claims that involved kickbacks for physician referrals, and also violations of the Stark Law, which covers physician self-referrals.

According to the Department of Justice, “The Stark Law prohibits an entity from submitting claims to Medicare for designated health services performed pursuant to referrals from physicians with whom the entity has a financial relationship unless certain designated exceptions apply.”

“We appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures,” said Middle District of Florida Acting U.S. Attorney Stephen Muldrow.

In addition to paying the settlement amount, 21st Century Oncology has entered into a 5-year Corporate Integrity Agreement with the HHS’ Office of Inspector General (OIG).

The post $2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR appeared first on HIPAA Journal.

Texas and Pennsylvania Data Breaches Exposed More than 5,000 Patients’ PHI

Posted by HIPAA Journal

Midland Memorial Hospital in Midland, TX, and Washington Health System Greene in Waynesburg, PA, have announced they have discovered patients’ protected health information has been exposed.

Washington Health System Greene Discovers Hard Drive Missing

Washington Health System Greene is alerting 4,145 patients that some of their protected health information has been exposed after a hard drive was discovered to be missing.

A portable hard drive used with a bone densitometry machine in the Radiology department was discovered to be missing on October 11, 2017. While it is possible that the hard drive may have been misplaced, a search of the hospital did not uncover the device, and the missing device has been reported to the Pennsylvania State Police Department as a potential theft.

The device contained information on patients who visited the hospital for bone density scans between 2007 and October 11, 2017. The information stored on the device was limited to names, height, weight, race, and gender, while some patients also had details of health issues, the name of their prescribing physician, and medical record numbers stored on the device. No financial information, Social Security numbers, insurance details, or other highly sensitive information was exposed.

As required by HIPAA, patients have been notified of the breach. Due to the limited nature of data exposed, even if the device has been stolen, Washington Health Greene does not believe patients are at risk of identity theft or fraud.

Midland Memorial Hospital Discovers Email Account Compromise

Midland Memorial Hospital has experienced a breach of a limited amount of patients’ protected health information. More than 1,000 patients are understood to have been affected.

Midland Memorial Hospital discovered an unauthorized individual gained access to the email account of an employee at the hospital, in what appears to be an attempted Business Email Compromise (BEC) attack. The aim of the attacker appeared to be to fool employees into making bank account transfers to an inappropriate bank account.

The breach was discovered on October 13, 2017, with access to the email account believed to have been gained on or around October 10.  Upon discovery of the security breach, access the email account was terminated and a full investigation was conducted. The email account was determined to contain some protected health information including first and last names, medical record numbers, account numbers, and information relating to radiology procedures that had been performed at the hospital between August and September 2017. No financial information, driver’s license numbers, or Social Security numbers were exposed, and no evidence has been uncovered to suggest any patient information has been used inappropriately.

Midland Memorial Hospital has taken steps to prevent further incidents of this nature from occurring, including revising policies and procedures and retraining staff.

The post Texas and Pennsylvania Data Breaches Exposed More than 5,000 Patients’ PHI appeared first on HIPAA Journal.

Illinois Physicians Network Discovers Paper Records Missing from Storage Facility

Posted by HIPAA Journal

Over the past two months there have been several data breaches reported by HIPAA-covered entities involving the loss or theft of physical records. In November, 7 breaches involving paper records were reported to the HHS’ Office for Civil Rights, and a further 5 incidents were reported the previous month.

Now another incident has been reported in Illinois. Franciscan Physician Network of Illinois and Specialty Physicians of Illinois LLC have discovered payment records that were kept in a storage facility are missing. The storage facility in Chicago Heights was shared by both physician groups.

The loss/theft of the paperwork is one of the largest breaches of the past few months, potentially impacting as many as 22,000 patients. The payment records were from 2015-2017 and 2010.

The boxes of files were confirmed as missing on November 21, 2017, with notifications issued on December 13, 2017. The loss of files was discovered following a routine records request, but the records could not be located. An inventory of the storage facility was conducted, and 40 boxes of files were determined to be missing and potentially stolen.

The records only contained a limited amount of patient information related to payments received, and included names and addresses, payment methods, payment amounts, office location, and the last four digits of credit card numbers. For a limited number of patients who paid their bill by check, their routing number, bank account number and Social Security number were also present in the files.

Some of the records from 2010 may also have included insurance ID numbers, facility-assigned account numbers, dates of birth, type of visit, diagnoses, provider names and addresses, dates of service, descriptions of services provided, and procedure codes.

While it is a possibility that the files have been stolen, foul play is not suspected. Out of an abundance of caution, individuals impacted by the incident have been offered two years of identity theft protection services without charge.

The post Illinois Physicians Network Discovers Paper Records Missing from Storage Facility appeared first on HIPAA Journal.

November 2017 Healthcare Data Breach Report

Posted by HIPAA Journal

In November 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) received 21 reports of healthcare data breaches that impacted more than 500 individuals; the second consecutive month when reported breaches have fallen.

healthcare data breaches by month (November 2017)

While the number of breaches was down month on month, the number of individuals impacted by healthcare data breaches increased from 71,377 to 107,143.

breached healthcare records November 2017

Main Causes of November 2017 Healthcare Data Breaches

In November there was an even spread between hacking/IT incidents, unauthorized disclosures, and theft/loss of paper records or devices containing ePHI, with six breaches each. There were also three breaches reported involving the improper disposal of PHI and ePHI. Two of those incidents involved paper records and one involved a portable electronic device.

The two largest data breaches reported in November – the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center – were both hacking/IT incidents. The former involved an unauthorized individual potentially gaining access to electronic medical records, while the latter was a ransomware attack.

Seven of the 21 breaches reported in November impacted more than 5,000 individuals. The mean breach size was 5,102 records. The median breach size was 1,551 records.

 

causes of healthcare data breaches November 2017

records exposed by breach type

Location of Exposed and Stolen Protected Health Information

The OCR breach reports show the importance of implementing physical safeguards to ensure the confidentiality of paper records. In November, one third of reported data breaches (7 incidents) involved paper/films. Last month there were five reported incidents involving paper records.

A recent Accenture/HIMSS Analytics survey revealed email was the most common vector in cyberattacks on healthcare organizations. That was the case in October when email was the common location of breached data. In November, email was the second most common location of breached PHI behind paper films, with four email-related breaches reported.  There was an even spread between all other locations of breached PHI.

Location of PHI in November 2017 healthcare data breaches

 

November 2017 Healthcare Data Breaches by Covered Entity Type

November 2017 saw 19 data breaches reported by healthcare providers and two breaches affecting health plans. The breach reports indicate no business associates of covered entities were involved in any incidents reported in November.

 November 2017 Healthcare Data Breaches by Covered Entity Type

 

Largest Healthcare Data Breaches of November 2017

 

Breached Entity Entity Type Breach Type Individuals Affected
Pulmonary Specialists of Louisville, PSC Healthcare Provider Hacking/IT Incident 32,000
Hackensack Sleep and Pulmonary Center Healthcare Provider Hacking/IT Incident 16,474
Shop-Rite Supermarkets, Incorporated Healthcare Provider Improper Disposal 12,172
The Medical College of Wisconsin, Inc. Healthcare Provider Hacking/IT Incident 9,500
Valley Family Medicine Healthcare Provider Unauthorized Access/Disclosure 8,450
Sports Medicine & Rehabilitation Therapy, Inc. Healthcare Provider Hacking/IT Incident 7,000
Humana Inc Health Plan Unauthorized Access/Disclosure 5,764
Alere Toxicology Healthcare Provider Unauthorized Access/Disclosure 2,146
Family & Cosmetic Dentistry of the Rockies Healthcare Provider Improper Disposal 1,850
Aetna Inc. Health Plan Unauthorized Access/Disclosure 1,600

 

November 2017 Healthcare Data Breaches by State

The reported breaches in November were spread across 15 states. The states worst affected were Kentucky and Massachusetts with 3 breaches apiece, followed by Colorado and New Jersey each with 2 breaches. One breach was reported by healthcare organizations based in Alabama, California, Connecticut, Florida, Indiana, New York, Pennsylvania, Texas, Virginia, Washington, and Wisconsin.

The post November 2017 Healthcare Data Breach Report appeared first on HIPAA Journal.

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Posted by HIPAA Journal

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules.

The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities.

Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed.

The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations, little has changed since the first phase of compliance audits were conducted in 2011/2012. Noncompliance with HIPAA is still widespread.

A few years ago, the risk of the discovery of a HIPAA violation was relatively low. Even when HIPAA violations were discovered, OCR rarely issued financial penalties. Similarly, even though the HITECH Act permits state attorneys general to issue fines for HIPAA violations, relatively few have exercised that right.

Today, the risk of HIPAA violations being discovered is significantly higher. Patients are now much more knowledgeable about their rights under HIPAA, and OCR has made it easy for them to file complaints about suspected HIPAA violations. HIPAA complaints are investigated by OCR.

The rise in cyberattacks on healthcare organizations mean data breaches are now far more likely to occur. A recent study by HIMSS Analytics/Mimecast showed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, while an Accenture/AMA report showed 83% of physicians have experienced a cyberattack.

OCR investigates all breaches of more than 500 records to determine whether HIPAA Rules are being followed. When a breach occurs, organizations’ HIPAA compliance programs will be scrutinized.

OCR has also stepped up enforcement of HIPAA Rules and financial penalties are far more common. Since January 1, 2016, there have been 20 settlements reached between OCR and HIPAA covered entities and their business associates, and two civil monetary penalties issued.

OCR has yet to state whether financial penalties will be pursued as a result of the HIPAA audits, but OCR is not expected to turn a blind eye to major HIPAA failures. Multiple violations of HIPAA Rules could well see financial penalties pursued.

The higher likelihood of a data breach occurring or a complaint being filed means noncompliance with HIPAA is likely to be discovered. But what are the costs of noncompliance with HIPAA? What are the incentives for ensuring all HIPAA Rules are followed?

The Cost of Noncompliance with HIPAA

The high cost of HIPAA noncompliance has been summarized in the infographic below:

 

The Cost of Noncompliance with HIPAA

The post Noncompliance with HIPAA Costs Healthcare Organizations Dearly appeared first on HIPAA Journal.

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Posted by HIPAA Journal

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture.

The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently.

83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare.

48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium to large practices were twice as likely to experience those types of cyberattacks than those at small practices.

When cyberattacks occur, they can result in considerable downtime. 64% of physicians said they experienced up to 4 hours of downtime following an attack, while 29% of physicians at medium-sized practices experienced downtime of up to one day.

Given the frequency of cyberattacks and the difficulty physician practices have at preventing those attacks, it is not surprising that the threat of attack is a major cause of concern. 55% of physicians were very or extremely worried about further cyberattacks at their practice. 74% said they were most concerned that future attacks would disrupt clinical practices and the same percentage were concerned that cyberattacks would result in breaches of patients’ protected health information. 53% were concerned that cyberattacks would have an impact on patient safety.

Physicians are aware that HIPAA compliance is important for cybersecurity, but simply doing the minimum and ensuring HIPAA requirements are met is not sufficient to prevent attacks. 83% of physicians said a more holistic approach to prioritizing risks is required than simply complying with HIPAA.

Kaveh Safavi, head of Accenture’s global practice said “Physician practices should not rely on compliance alone to enhance their security profile. Keeping pace with the sophistication of cyberattacks demands that physicians strengthen their capabilities, build resilience and invest in new technologies to support a foundation of digital trust with patients.”

Interestingly, while 87% of physicians believed their practice was compliant with HIPAA Rules, two thirds of physicians still have basic questions about HIPAA, suggesting their compliance programs may not be quite as comprehensive as they believe.

While the sharing of ePHI can introduce new risks, 85% believed PHI sharing was important, and 2 in 3 physicians thought that more access to patient data could improve the care provided to patients.

“New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentially and integrity of health care data,” said AMA President David. O. Barbe.

The post AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack appeared first on HIPAA Journal.

Email Top Attack Vector in Healthcare Cyberattacks

Posted by HIPAA Journal

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months.

Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year.

While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector.

When asked to rank attack vectors, Email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations.

59% of organizations ranked email first, second, or third as the most likely attack vector. In second place was laptops, which were ranked 1, 2, or 3 by 44% of organizations.

Given the frequency of email based attacks this year, it is no surprise that healthcare organizations believe email-related security attacks will continue to cause problems, and that they are likely to increase or significantly increase in the future.

A recent study conducted by Malwarebytes showed ransomware attacks are already 62% more prevalent that 2016, and have occurred at almost 2,000 times the rate in 2015. The 2017 Verizon Data Breach Report suggests 72% of all malware used to target the healthcare industry is ransomware.

Those findings were backed up by the HIMSS Analytics survey. Ransomware was seen as the most serious threat by 83% of respondents. Malware was rated second, followed by spear phishing attacks and Business Email Compromise (BEC) attacks.

The importance of securing email is clear. Email is used to communicate protected health information by approximately 80% of healthcare organization. Email is also rated as an essential communication tool and is considered critical by 93% of respondents, while 43% said email was mission critical and that their organization could not tolerate email downtime.

It is understandable given the frequency of email-based attacks and the importance of email in healthcare that organizations have a high level of concern about cybersecurity and their ability to repel email-based attacks.

Resilience to ransomware and malware attacks was rated as the top initiative for building a cyber resilience strategy, while training employees to be more security aware is the second highest priority over the following 12 months. Securing email was third.

David Hood, Cyber Resilience Strategist for Healthcare at Mimecast said, “This survey clearly demonstrates that email is a mission-critical application for healthcare providers and that cyberthreats are real and growing – surprisingly, even more so than the threats to Electronic Medical Records (EMRs), laptops and other portable electronic devices. It’s encouraging that protecting the organization and training employees are top initiatives for next year, but the survey suggests the industry has work to do.”

Mimecast provided five suggestions on how healthcare organizations can reduce the risk of email-based threats:

  1. Train employees on the risks associated with email and provide real-time reminders rather than relying on an annual training session.
  2. Analyze all inbound email attachments and scan for malware and malware downloaders
  3. Implement a web filtering solution to check URLs when a user clicks, not just at the point emails enter the organization.
  4. Inspect outbound emails and check that protected health information is not being sent to individuals unauthorized to receive it, and also to check emails to determine whether email accounts may have been compromised.
  5. Finally, it is essential that data backups are regularly performed to ensure that in the event of a ransomware attack, healthcare organizations do not face data loss and are not forced to pay ransoms.

The post Email Top Attack Vector in Healthcare Cyberattacks appeared first on HIPAA Journal.

Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach

Posted by HIPAA Journal

In April 2016, the Oklahoma Department of Human Services experienced a data breach, and while notifications were sent to affected individuals and the DHS’ Office of Inspector General shortly after the breach was detected, a breach notice was not submitted to the HHS’ Office for Civil Rights – A breach of HIPAA Rules.

Now, more than 18 months after the 60-day reporting window stipulated in the HIPAA Breach Notification Rule has passed, OCR has been notified. OCR has instructed the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients that were impacted by the breach to meet the requirements of HIPAA.

The breach in question occurred in April 2016 when an unauthorized individual gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer contained records of current and former Temporary Assistance for Needy Families clients. The data on the server included names, addresses, dates of birth, and Social Security numbers.

Once the breach was identified, Carl Albert State College secured its systems to prevent further access and implemented new controls to monitor for potential breaches. In May 2016, the HHS Office of Inspector General was notified of the breach, and breach notification letters were sent to all individuals impacted by the attack in August 2016. However, no breach report was sent to the HHS’ Office for Civil Rights.

Now, not only must the Oklahoma Department of Human Services cover the cost of re-notifying 47,000 clients, overlooking the requirements of HIPAA to notify the HHS Secretary of the breach places the health department at risk of a considerable fine for non-compliance.

Earlier this year, OCR sent a message to all healthcare organizations that HIPAA Breach Notification Rule failures would not be tolerated when Presense Health was fined $475,000 for unnecessarily delaying the issuing of breach notification letters. Notifications were issued one month after the 60-day Breach Notification Rule deadline.

The post Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach appeared first on HIPAA Journal.

UNC Health Care Breach Potentially Impacts 24,000 Patients

Posted by HIPAA Journal

A computer used by UNC Dermatology & Skin Cancer Center in Chapel Hill, NC, has been stolen, exposing the protected health information of approximately 24,000 patients.

The computer was stolen by thieves during a burglary on October 8, 2017. UNC Health Care said a database on the stolen computer contained the protected health information of patients who had previously visited the Burlington Dermatology Center at 1522 Vaughn Road. UNC Healthcare took over the practice in September 2015, and details of patients who had visited the center for treatment prior to September 2015 were stored in the password-protected database.

Since the database requires a password to gain access to patient information, it is possible that no PHI has been disclosed. However, since passwords can be guessed, and the database was not encrypted, patients are being notified of the potential privacy breach to meet HIPAA and N.C. Identity Theft Act requirements.

The database contained information such as names, addresses, phone numbers, dates of birth, Social Security numbers, and the employment status of patients and the names of employers at the time of their visit. While it is possible that diagnosis codes were also present in the database, UNC Health Care does not believe details of diagnoses, treatments, and prescriptions have been exposed.

The burglary has been reported to law enforcement and an investigation is ongoing, but the stolen computer has not been recovered to date.

As a precaution against identity theft and fraud, all patients impacted by the breach have been offered credit monitoring services for 12 months without charge.

CCRM Minneapolis Alerts Patients of Ransomware Attack

CCRM Minneapolis, P.C., has experienced a ransomware attack that has potentially allowed the attackers to gain access to the protected health information of 3,280 patients.

The attack occurred on or around October 3, 2017. While data access and PHI theft are not suspected, and no evidence was uncovered to suggest this was anything other than an extortion attempt involving the encryption of data, CCRM Minneapolis reports that data stored on the compromised server may have been viewed.

Data potentially exposed includes names, phone numbers, addresses, dates of birth, email addresses, driver’s license numbers, Social Security numbers, medical records, and insurance identification numbers.

The post UNC Health Care Breach Potentially Impacts 24,000 Patients appeared first on HIPAA Journal.