HIPAA Breach News

Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen

This week, OCR announced a new settlement with a covered entity to resolve HIPAA violations discovered during the investigation of an impermissible disclosure of ePHI. The incident that sparked the investigation was the theft of an unencrypted laptop computer from the vehicle of a CardioNet employee.

This week has also seen two data breaches reported that similarly involved the theft of portable devices. Earlier this week, Lifespan announced that a MacBook had been left in an employee’s vehicle, from where it was stolen. The device was neither encrypted nor password protected, and ePHI was accessible via the employee’s email account. More than 20,000 patients’ ePHI was potentially compromised.

The second incident involved a flash drive rather than a laptop. Western Health Screening (WHS), a Billings, MT-based provider of on-site blood screening services, announced that patients’ names, phone numbers, addresses and some Social Security numbers have been exposed. The data on the drive related to individuals who had undergone blood screening tests between 2008 and 2012.

A WHS employee was en route to a health fair in a WHS-owned vehicle on February 7, 2017 when the vehicle was stolen. The flash drive had been left in the van. In this case, the flash drive was password protected, although WHS determined on February 15, 2017 that encryption had not been used on the device. The theft was reported to law enforcement, but the vehicle and flash drive have not been recovered.

WHS has not received any reports suggesting data on the device have been accessed or used inappropriately, although an impermissible disclosure could not be ruled out. In response to the incident, WHS has taken steps to enhance its procedures relating to the storage of sensitive data on mobile devices, and employees have been retrained on safeguarding sensitive information. Individuals affected by the breach have also been offered credit monitoring and identity theft protection services out of an abundance of caution.

The CardioNet, Lifespan, and WHS breaches could all have been prevented if encryption had been used. If an encrypted device is lost or stolen, the incident does not need to be reported to OCR, patients do not need to be notified, and, most importantly, patients’ ePHI is not exposed.

While HIPAA Rules do not require encryption to be used to protect ePHI on portable storage devices, if the decision is taken not to use encryption, an equivalent safeguard must be used.

While the use of a strong password may prevent opportunistic access to data by thieves, it would not be sufficient to prevent a determined individual from gaining access to a device. A strong password is therefore not a safeguard equivalent to encryption. OCR would determine the use of a password – rather than encryption – to be a violation of the HIPAA Security Rule.

The simple solution to ensure that ePHI is safeguarded is to use encryption (following NIST recommendations) on all portable devices used to store ePHI. While encryption carries a cost, it is likely to be much cheaper than an OCR fine. The decision not to encrypt data on portable storage devices ended up costing CardioNet $2.5 million.

The post Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen appeared first on HIPAA Journal.

Lifespan Laptop Theft Exposes ePHI of 20,000 Patients

Lifespan has announced a laptop computer has been stolen from the vehicle of one of its employees. A thief stole a number of items from the employee’s car on February 25, 2017, including a MacBook laptop that contained the electronic protected health information of certain Lifespan patients.

An investigation into the incident revealed the laptop was not encrypted, and no password was required to gain access to the device. Consequently, ePHI contained in the employee’s email account could potentially have been accessed and viewed.

An analysis of the email account confirmed that no financial information, Social Security numbers, medical records, or medical diagnoses were exposed, although emails did contain patients’ names, partial addresses, medical record numbers, demographic information and details of prescriptions.

Lifespan took prompt action to secure the email account by changing the employee’s login credentials. While the data stored on the device could have been accessed, the investigation into the incident has not uncovered any evidence to suggest that any information on the device was accessed and no reports have been received to suggest any patient data have been misused.

The incident has prompted Lifespan to conduct a review of the security protections used to safeguard ePHI stored on MacBooks. Policies and procedures will be enhanced to prevent future incidents of this nature from resulting in the exposure of patients’ ePHI, and Lifespan will also be re-educating its employees on device security.

All patients impacted by the incident were notified of the privacy incident by mail on April 21, 2017. The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 20,431 patients were impacted.

The incident underscores the importance of implementing safeguards to ensure that ePHI stored on, or accessible from, portable devices is protected with appropriate security controls.

The failure to implement appropriate safeguards can prove costly for healthcare organizations. This week, OCR announced it has agreed to settle potential HIPAA violations with CardioNet, which experienced a similar incident in 2011. In that case, an unencrypted laptop computer was stolen from the vehicle of an employee resulting in the exposure of 1,391 individuals’ ePHI. CardioNet must pay OCR $2.5 million and adopt a corrective action plan to address HIPAA failures that contributed to the breach.


Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine.

A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.

Settlements have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider.

While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures.

In this case, the settlement relates to a data breach reported to OCR in January 2012. In 2011, an employee of CardioNet left a laptop computer in a vehicle that was left outside that individual’s home. The laptop computer was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is customary following all breaches involving the theft or exposure of more than 500 individuals’ PHI, OCR conducted an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.

In this case, a risk analysis had been performed, but OCR investigators determined that the risk analysis was not comprehensive – a violation of 45 C.F.R. § 164.308(a)(1). Also, at the time of the breach, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to comply with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been implemented. OCR requested final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.

CardioNet was also determined to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI and for the failure to implement encryption – or another equivalent safeguard – to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that is used to store the ePHI of patients is vulnerable to theft or loss. When those devices are removed from the premises of a HIPAA-covered entity, the risk of theft or loss increases considerably. Covered entities must therefore implement appropriate safeguards to ensure that in the event of loss or theft of those devices, ePHI remains protected.

OCR Director, Roger Severino, said the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The latest HIPAA settlement should send a strong message to covered entities that the failure to comply with HIPAA Rules can prove very costly. It also shows that it is not only hospitals and health plans that run the risk of a significant financial penalty for failing to comply with HIPAA Rules.

2017 HIPAA Settlements

The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • The Center for Children’s Digestive Health – $31,000
  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000


OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information.

Yesterday, OCR announced it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH), a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois.

On August 13, 2015, OCR conducted a HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was contracted by CCDH to store inactive patient records. The FileFax investigation revealed the company had not signed a business associate agreement prior to being provided with patients’ PHI.

The subsequent compliance review of CCDH similarly revealed that no signed business associate agreement existed. CCDH had therefore impermissibly disclosed patients’ PHI to FileFax in violation of HIPAA Rules.

CCDH had provided paper records relating to 10,728 patients without officially advising FileFax, by means of a BAA, of the firm’s responsibilities to safeguard patients’ data. CCDH also received no HIPAA-compliant assurances that appropriate safeguards had been implemented to ensure the confidentiality, integrity, and availability of PHI prior to the disclosure.

FileFax had been storing documents containing the PHI of patients of CCDH since 2003, yet the earliest business associate agreement produced by CCDH and FileFax was dated October 12, 2015.

CCDH has agreed to pay OCR $31,000 to resolve the potential HIPAA violations and will adopt a corrective action plan that involves updating policies and procedures, conducting staff training on those policies and procedures and ensuring one or more employees are made responsible for ensuring HIPAA-compliant business associate agreements are obtained from all business associates.

HIPAA-covered entities are permitted to disclose the PHI of patients to their business associates; however, before any PHI is disclosed, the covered entity must enter into a contract with the business associate. The contract must explain the responsibilities the business associate has to ensure PHI is secured and safeguards are implemented to prevent unauthorized disclosures. The business associate must also be advised of the allowable uses and disclosures of PHI and must agree not to use or disclose any PHI unless required to do so under the terms of the contract or if required to do so by law.

The business associate must also be advised of the requirement to notify the covered entity in the event that any PHI is accidentally or deliberately accessed or disclosed along with the timescale for doing so. The business associate must also be advised that the failure to comply with HIPAA Rules can result in financial penalties being issued.


2017 HIPAA Settlements

Last year, OCR issued one civil monetary penalty and agreed to settle potential HIPAA violations with 12 covered entities – more than in any other year since the HIPAA Enforcement Rule was introduced.

This year looks set to see even more HIPAA enforcement actions. The Center for Children’s Digestive Health HIPAA settlement is the sixth financial penalty in less than four months, bringing the total amount of HIPAA fines in 2017 to $11,806,000. The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000


Cardiology Center of Acadiana Ransomware Attack Impacts 9,700 Patients

A recent Cardiology Center of Acadiana ransomware attack has resulted in the exposure of almost 9,700 patients’ protected health information. The ransomware attack occurred on February 7, 2017 and was discovered the following day.

The attackers targeted a server used by the Lafayette, LA-based cardiology practice and deployed ransomware, which encrypted a range of files containing patients’ names, dates of birth, addresses, billing information, clinical data, medical images and Social Security numbers.

Cardiology Center of Acadiana has not disclosed exactly how the attack occurred, nor the variant of ransomware used in the attack, although the breach report suggests the attackers utilized open external ports on the server. All external ports have now been closed to prevent future attacks and the cardiology center’s antivirus protections have been upgraded.

Cardiology Center of Acadiana has not received any reports suggesting patients’ PHI has been copied or misused, although all patients impacted by the incident have been advised to exercise caution in case the attackers were able to steal their PHI.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 9,681 patients were impacted.

A recent study published in JAMA Internal Medicine indicates larger healthcare organizations face a higher risk of experiencing data breaches, but when it comes to ransomware, healthcare organizations of all sizes are at risk.

So far in 2017, the following healthcare organizations have reported being attacked with ransomware:

  • Ashland Women’s Health
  • ABCD Pediatrics
  • Estill County Chiropractic
  • Urology Austin
  • Metropolitan Urology
  • Cosmetic Surgery Center

Steps to Take to Protect Against Ransomware Attacks

Unfortunately, there is no single cybersecurity solution that can be deployed to prevent ransomware attacks. The best strategy is a layered approach to cybersecurity, which should include an advanced firewall along with solutions to block the main attack vectors.

Anti-virus and anti-malware solutions should be implemented and malware definitions kept up to date. A spam filtering solution should be deployed that is capable of analyzing inbound emails and blocking email attachments that pose a threat. A web filter should also be considered to reduce the risk of attacks via exploit kits, and Word macros should be blocked.

Ransomware will typically run from the %AppData% and %LocalAppData% folders. Many cybersecurity solutions prevent downloaded executables from running in these folders. Ransomware also typically requires access to a command and control (C2) server before data can be encrypted; an intrusion detection and prevention system (IDS/IPS) can be used to block those communications and prevent file encryption.

In addition to technical solutions, all users should receive security awareness training highlighting the risk of opening email attachments from unknown senders, running macros, or installing unauthorized software.

Steps should also be taken to reduce the impact of a ransomware attack. Regular backups should be performed to ensure data can always be recovered. User privileges should also be restricted as ransomware will gain access to the same resources as the user. Access to mapped network drives should therefore be restricted.

Most ransomware attacks are not targeted. Cybercriminals take advantage of vulnerabilities that have not been addressed to gain access to end points and servers. It is therefore important to ensure security patches are applied promptly and vulnerability scans are regularly performed.
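The attachment-blocking and macro-blocking steps above can be checked at the mail gateway before a message reaches a user. The following is an added example, not code from HIPAA Journal or any vendor product: it scans a constructed sample message and quarantines attachments with script or executable extensions, macro-enabled Office formats, and Office documents that carry an embedded VBA project even when they have been renamed to a plain .docx. The extension lists and the sample message are assumptions for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed policy: script and executable types that should never be delivered inbound.
BLOCKED_EXTENSIONS = {".exe", ".js", ".jse", ".vbs", ".wsf", ".scr", ".hta", ".bat", ".cmd", ".ps1"}
# Macro-enabled Office formats.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# Inside an OOXML (zip) package a macro project lives at one of these member paths.
VBA_PROJECT_PATHS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def _extension(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _zip_members(data):
    """Return the member names of a ZIP payload, or None if the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, data):
    """Return a reason string if the attachment should be quarantined, else None."""
    ext = _extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    if ext in MACRO_EXTENSIONS:
        return f"macro-enabled document {ext}"
    members = _zip_members(data)
    if members is not None:
        # An OOXML document renamed to .docx still carries its VBA project.
        if any(m in VBA_PROJECT_PATHS for m in members):
            return "embedded VBA project (macro) in Office document"
        # A plain archive that wraps a script or executable.
        for m in members:
            if _extension(m) in BLOCKED_EXTENSIONS:
                return f"archive contains blocked file {m}"
    return None


def scan_message(raw):
    """Scan a raw RFC 822 message; return [(filename, reason)] for attachments to quarantine."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, payload)
        if reason:
            findings.append((name, reason))
    return findings


def _fake_ooxml(with_vba):
    """Constructed minimal OOXML-shaped zip, optionally with a VBA project member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message():
    """Constructed sample e-mail: one macro document disguised as .docx, one clean .docx, one PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "frontdesk@clinic.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see attached.")
    docx = "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg.add_attachment(_fake_ooxml(True), maintype="application", subtype=docx, filename="Invoice.docx")
    msg.add_attachment(_fake_ooxml(False), maintype="application", subtype=docx, filename="Letter.docx")
    msg.add_attachment(b"fake pdf bytes", maintype="application", subtype="pdf", filename="Statement.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"QUARANTINE {name}: {reason}")
```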


Employee Terminated for Improperly Dumping PHI

An employee of New Jersey-based BioReference Laboratories has been terminated for failing to follow company protocols – and HIPAA Rules – regarding the secure disposal of documents containing the protected health information of patients.

BioReference Laboratories is the third largest full service clinical diagnostic laboratory in the United States, with locations in New York, New Jersey, Maryland, Massachusetts, Rhode Island, Ohio, Florida, Texas and California. The incident occurred at its facilities in Florida.

Company policies require all sensitive paperwork to be securely shredded prior to disposal, in accordance with HIPAA Rules. However, on March 14, 2017, BioReference Laboratories discovered that documents provided to the employee had been disposed of in a dumpster in Davenport, Florida.

Upon discovery of the incident, BioReference Laboratories launched an investigation and identified the individual responsible. The decision was taken to terminate the employee for the HIPAA breach.

BioReference Laboratories promptly arranged for the documents to be collected and securely destroyed. While PHI was exposed for a short period of time, no evidence was uncovered to suggest any of the documents had been accessed or removed from the dumpster. However, out of an abundance of caution, BioReference Laboratories is providing credit monitoring services to all patients impacted by the incident for a period of 12 months without charge.

The documents contained a range of highly sensitive PHI including patients’ names, addresses, dates of birth, medical record numbers, insurance information, Social Security numbers, diagnosis codes, and details of medical tests that had been ordered.

The investigation revealed this was an isolated incident and steps have now been taken to ensure that future HIPAA breaches of this nature do not occur. BioReference Laboratories has taken the decision to update its safeguards and policies and staff will also be reeducated on the importance of securely destroying documents containing protected health information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 1,772 patients have been affected.


Amedisys Notifies Patients of Improper Disposal Incident

The medical information of certain patients of Amedisys Home Health of Fayetteville, NC has been disposed of improperly, although all information is believed to have been retrieved.

Amedisys ensures that all paper copies of patients’ protected health information are shredded and rendered unreadable, indecipherable, and otherwise unable to be reconstructed, in accordance with HIPAA Rules.

However, Baton Rouge, LA-based Amedisys was recently informed that two shredding bins had been found behind a Fayetteville business and had not been shredded in accordance with company policies. The bins should have been taken to a recycling center where the documents could be securely shredded.

After being notified of the HIPAA breach, Amedisys arranged for the bins to be retrieved. A full inventory of the documents was then performed to determine whether patients’ protected health information was present in the documents and which patients had PHI exposed. The documents were discovered to contain patients’ names, demographic information and some medical information related to the services provided by Amedisys.

Out of an abundance of caution, all patients impacted by this incident will be offered identity theft protection services, although Amedisys does not believe any of the information in the documents has been accessed by unauthorized individuals other than by the individuals who discovered and reported their find. It also did not appear as if any documents had been removed from the bins, although the possibility cannot be ruled out.

Since the bins were found behind a local business, out of eyesight of the public, it is not believed that anyone other than the individuals who found the documents knew they were there.

An internal investigation is now being conducted by Amedisys to determine how the documents failed to make it to the shredding facility. A review of policies and procedures covering the shredding of sensitive documents is also being conducted. Amedisys will extend that review to the vendor used to collect and shred documents and the subcontractor used to service Amedisys Home Health of Fayetteville.

All patients impacted by the incident are now being notified of the potential privacy violation by mail.


21 Employees Found to Have Accessed PHI Without Authorization

A routine audit at Virginia Mason Memorial has revealed that employees have been accessing the protected health information of patients without authorization.

Audits of PHI access logs occasionally reveal rogue employees have been improperly accessing the medical records of patients, but what makes this incident stand out is the number of employees that were discovered to have improperly viewed PHI. The audit revealed 21 employees had deliberately accessed PHI without authorization.

Virginia Mason Memorial conducted the audit in January and immediately terminated access to PHI to prevent further privacy breaches. The investigation revealed those 21 employees had accessed the PHI of 419 patients. All of the patients had visited the hospital’s emergency room.

The investigation was conducted internally, although the hospital also brought in a third-party cybersecurity firm to conduct a forensic analysis of its systems. That firm has also been searching the darknet to find out if any of the accessed records have made it onto darknet marketplaces. To date, no patient information appears to have been listed for sale.

A spokesperson for the hospital issued a statement saying, “We believe this to be a case of snooping, or individuals who were bored.” The hospital does not believe the records were accessed with malicious intent. As a precaution, all affected patients have been offered credit monitoring services without charge.

The employees concerned have been interviewed and disciplined, although for legal reasons, the hospital has not disclosed whether those employees have been terminated for their actions.

The types of information accessed included demographic information and patients’ medical records. In some instances, it is possible that Social Security numbers were viewed, although financial information was not accessed by any of the employees.

Patients impacted by the breach were notified of the privacy violation last week by mail, according to a report in the Yakima Herald. While it is not clear exactly when in January the privacy violations were discovered, patient breach notifications appear to have been sent outside the 60-day breach notification window of the HIPAA Breach Notification Rule.

In response to the breach, Virginia Mason Memorial has re-educated employees on HIPAA and hospital rules concerning patient privacy and the hospital will now be monitoring access logs more proactively, with “audits going around the clock”.

The incident shows how important it is for healthcare organizations to conduct regular audits of PHI access logs to identify privacy issues before they become a major problem, and the importance of not only providing training on HIPAA Rules and patient privacy, but also regularly reminding employees of the requirements of HIPAA and the penalties for improper PHI access.
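The kind of access-log audit described above, as an added example that is not part of the original post: each access is compared against the patient's documented encounter (care team and departments involved), accesses with no documented relationship are grouped per user, and users who viewed several unrelated patients' records are surfaced as likely snooping. A small helper also checks the 60-day notification window. The log format, encounter table and threshold are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample PHI access log (one 'timestamp key=value ...' line per access).
SAMPLE_LOG = """\
2017-01-09T08:15:22 user=anurse dept=ER patient=P1001 action=VIEW
2017-01-09T08:20:10 user=anurse dept=ER patient=P1002 action=VIEW
2017-01-09T12:02:41 user=bclerk dept=Billing patient=P1001 action=VIEW
2017-01-10T22:45:03 user=cbored dept=Radiology patient=P1001 action=VIEW
2017-01-10T22:46:30 user=cbored dept=Radiology patient=P1002 action=VIEW
2017-01-10T22:47:12 user=cbored dept=Radiology patient=P1003 action=VIEW
2017-01-11T09:10:00 user=dtech dept=Lab patient=P1002 action=VIEW
2017-01-11T09:30:00 user=eadmin dept=IT patient=P1003 action=VIEW
"""

# Constructed encounter records: departments involved in the ER visit and the named care team.
ENCOUNTERS = {
    "P1001": {"depts": {"ER", "Billing"}, "team": {"anurse"}},
    "P1002": {"depts": {"ER", "Lab"}, "team": {"anurse", "dtech"}},
    "P1003": {"depts": {"ER"}, "team": set()},
}

# Assumed tuning value: distinct unrelated patients one user must view before being flagged.
SNOOPING_THRESHOLD = 3


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        rec = {"ts": fields[0]}
        for field in fields[1:]:
            if "=" in field:
                key, value = field.split("=", 1)
                rec[key] = value
        if all(k in rec for k in ("user", "dept", "patient")):
            records.append(rec)
    return records


def is_justified(rec, encounters):
    """An access is justified if the user is on the care team or their department handled the encounter."""
    enc = encounters.get(rec["patient"])
    if enc is None:
        return False  # no encounter on file, so nothing documents a treatment relationship
    return rec["user"] in enc["team"] or rec["dept"] in enc["depts"]


def audit(text, encounters):
    """Return {user: sorted patients accessed without a documented relationship}."""
    flagged = defaultdict(set)
    for rec in parse_log(text):
        if not is_justified(rec, encounters):
            flagged[rec["user"]].add(rec["patient"])
    return {user: sorted(patients) for user, patients in flagged.items()}


def likely_snooping(flagged, threshold=SNOOPING_THRESHOLD):
    """Users whose unjustified accesses span at least `threshold` distinct patients."""
    return sorted(user for user, patients in flagged.items() if len(patients) >= threshold)


def notification_overdue(discovered_iso, notified_iso, window_days=60):
    """True if notification fell outside the Breach Notification Rule's 60-day window."""
    discovered = date.fromisoformat(discovered_iso)
    notified = date.fromisoformat(notified_iso)
    return (notified - discovered) > timedelta(days=window_days)


if __name__ == "__main__":
    flagged = audit(SAMPLE_LOG, ENCOUNTERS)
    for user, patients in flagged.items():
        print(f"{user}: {len(patients)} unrelated patient record(s) {patients}")
    print("likely snooping:", likely_snooping(flagged))
    print("notification overdue:", notification_overdue("2017-01-15", "2017-04-10"))
```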


Protenus Publishes Healthcare Data Breach Report for March 2017

Protenus has released its Breach Barometer report for March 2017, which shows a significant increase in healthcare data breaches and a major jump in the number of individuals who have had their sensitive data exposed or stolen.

In both January and February there were 31 reported healthcare data breaches, although March saw the figure jump to 39 incidents. February saw relatively few individuals affected by healthcare data breaches: 206,151 patients and health plan members had some of their protected health information exposed that month. However, in March the figure jumped to 1,519,521 – more than 2.5 times the number of individuals impacted by healthcare data breaches in January and February combined. Almost half of those individuals had their ePHI exposed in the same incident – a 697,800-record theft incident reported by Commonwealth Health Corporation.

The Protenus report shows insiders were the biggest cause of the healthcare data breaches reported in March, accounting for 44% of the total. There were 10 insider incidents reported in March that involved insider error and seven were the result of insider wrongdoing.

Hacking incidents made up 28% of the total and resulted in the theft or exposure of 600,270 records. 21% of incidents involved the loss or theft of physical records and devices containing ePHI. While loss and theft were responsible for the fewest data breaches, those incidents resulted in the exposure of the most records in March, with 737,131 individuals impacted. The remaining 8% of breaches could not be categorized as the cause has not been disclosed.

Healthcare providers were the worst hit, registering 84.6% of the incidents. Four incidents were reported by health plans and there was one breach reported by a business associate.

Protenus reports that virtually all data breaches were reported within the 60-day window of the HIPAA Breach Notification Rule. There was a marked improvement in reporting times, taking an average of 45 days from the discovery of the breach to the submission of the breach report to the Department of Health and Human Services’ Office for Civil Rights. In February, the average time from the discovery of the breach to submitting a report to OCR was 478 days. In March, only two covered entities submitted late breach reports – one took 77 days and another took 89 days.

While California is usually the worst affected state, this month Texas gets that honor with 6 reported incidents. Tennessee, Pennsylvania, Kentucky, and Missouri each had three data breaches.
