HIPAA Breach News

Covered Entities Flirting with Fines for Late Data Breach Reports

Last month, the Department of Health and Human Services’ Office for Civil Rights sent a message to covered entities regarding the late reporting of data breaches with the announcement of a settlement with Chicago-based healthcare network Presence Health.

The settlement was the first reached with a covered entity purely to resolve HIPAA Breach Notification Rule violations. Presence Health had delayed the issuing of breach notification letters to patients. Presence Health agreed to settle with OCR for $475,000 to resolve the potential HIPAA violations.

However, since the announcement was made, there have been a number of instances where covered entities have unnecessarily delayed the issuing of breach notification letters to patients and data breach reports to OCR.

The January Breach Barometer – released by Protenus yesterday – indicates 40% of data breaches reported in January 2017 had notifications sent outside of the timescale required by the Health Insurance Portability and Accountability Act’s Breach Notification Rule.

The loss, theft, or exposure of patients’ electronic protected health information potentially places them at an elevated risk of suffering identity theft and fraud. When data breaches are reported promptly, patients can take rapid action to protect their identities, secure their accounts, and mitigate risk. However, when breach notification letters are delayed unnecessarily, patients face a higher risk of suffering financial losses since mitigations will not be in place.

Summary of the HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule was introduced to ensure that patients are made aware of any ePHI breach promptly. Any breach of unsecured protected health information requires individual notices to be sent to all affected patients by first class mail (or email if patients have elected to receive electronic communications) “in no case later than 60 days following the discovery of a breach.” However, breach notification letters should be sent without unreasonable delay.

Notification letters should include a summary of the nature of the breach, details of the information that was exposed or stolen, information about the steps that are being taken by the covered entity/business associate to prevent future data breaches, and steps that can be taken by the individual to protect themselves from potential harm. A toll-free number should also be provided to allow affected individuals to make contact for further information. That toll-free number must remain active for 90 days from the date of the notification letters.

Additionally, a substitute breach notice must be placed on a prominent part of the covered entity’s website notifying individuals of the breach if contact information is not held for 10 or more individuals, or if that contact information is out of date and incorrect.

A media notice must be issued if a breach affects more than 500 residents of a state or jurisdiction. That breach notice must be issued to a prominent media outlet serving the state or jurisdiction. The media notice must also be issued within 60 days of the discovery of the breach.

The Secretary of the Department of Health and Human Services must be notified of a breach of more than 500 individuals’ ePHI via the Office for Civil Rights’ breach reporting tool. That notification should be provided without unreasonable delay and no later than 60 days following the discovery of the breach. Notifications about smaller breaches – those impacting fewer than 500 individuals – can be made up until 60 days following the end of the calendar year when the breach was discovered. However, notifications to affected individuals must still be issued within 60 days of the discovery of the breach.
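As an added illustration (not part of the HIPAA Journal article), the Python below turns the timescales summarised above into concrete deadlines and obligations for a given breach. The threshold for the 60-day OCR portal report is taken as 500 or more individuals, which is the Rule's cutoff; the breach dates and counts used for illustration are constructed.

```python
"""Deadline calculator for the HIPAA Breach Notification Rule obligations
summarised above (assumed logic written for this page, not any HIPAA Journal tool)."""
from dataclasses import dataclass
from datetime import date, timedelta

INDIVIDUAL_NOTICE_DAYS = 60        # letters to patients: no later than 60 days after discovery
MEDIA_NOTICE_DAYS = 60             # media notice: same 60-day outer limit
HHS_LARGE_BREACH_DAYS = 60         # OCR portal report for large breaches
HHS_SMALL_BREACH_GRACE_DAYS = 60   # small breaches: 60 days after the calendar year ends
LARGE_BREACH_THRESHOLD = 500       # assumption: 500 or more individuals (the Rule's cutoff)
MEDIA_STATE_THRESHOLD = 500        # more than 500 residents of one state/jurisdiction
SUBSTITUTE_NOTICE_THRESHOLD = 10   # 10 or more individuals with missing/bad contact details
TOLL_FREE_ACTIVE_DAYS = 90         # toll-free line stays open 90 days after the letters go out


@dataclass
class Breach:
    discovered: date
    affected_by_state: dict            # e.g. {"MI": 15000, "OH": 40}; constructed input
    unreachable_individuals: int = 0   # individuals with no usable postal/email contact

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


def individual_notice_deadline(discovered: date) -> date:
    """Outer limit for first-class mail / email letters to affected individuals."""
    return discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)


def hhs_notice_deadline(discovered: date, total_affected: int) -> date:
    """Large breaches go to the OCR portal within 60 days of discovery; smaller
    ones may wait until 60 days after the end of the calendar year of discovery."""
    if total_affected >= LARGE_BREACH_THRESHOLD:
        return discovered + timedelta(days=HHS_LARGE_BREACH_DAYS)
    year_end = date(discovered.year, 12, 31)
    return year_end + timedelta(days=HHS_SMALL_BREACH_GRACE_DAYS)


def media_notice_states(affected_by_state: dict) -> list:
    """States/jurisdictions where a prominent media outlet must be notified."""
    return sorted(s for s, n in affected_by_state.items() if n > MEDIA_STATE_THRESHOLD)


def substitute_notice_required(unreachable_individuals: int) -> bool:
    """A substitute notice on the entity's website is needed when contact
    information is missing or out of date for 10 or more individuals."""
    return unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD


def notification_plan(b: Breach) -> dict:
    """Every obligation the Rule summary attaches to this breach, with its date."""
    media = media_notice_states(b.affected_by_state)
    return {
        "individual_notice_by": individual_notice_deadline(b.discovered),
        "hhs_notice_by": hhs_notice_deadline(b.discovered, b.total_affected),
        "media_notice_states": media,
        "media_notice_by": b.discovered + timedelta(days=MEDIA_NOTICE_DAYS) if media else None,
        "substitute_web_notice": substitute_notice_required(b.unreachable_individuals),
    }


def days_late(deadline: date, sent_on: date) -> int:
    """0 when sent by the deadline, otherwise days past the outer limit. Meeting the
    60-day limit does not by itself satisfy 'without unreasonable delay'."""
    return max(0, (sent_on - deadline).days)


def toll_free_active_until(letters_sent_on: date) -> date:
    """Date until which the toll-free contact number must stay active."""
    return letters_sent_on + timedelta(days=TOLL_FREE_ACTIVE_DAYS)


if __name__ == "__main__":
    # Constructed example: discovered 2016-08-22, 1,200 Illinois and 40 Indiana residents,
    # 12 of them with no usable contact details; letters assumed mailed on 2017-01-20.
    b = Breach(date(2016, 8, 22), {"IL": 1200, "IN": 40}, unreachable_individuals=12)
    for key, value in notification_plan(b).items():
        print(f"{key}: {value}")
    letters = date(2017, 1, 20)
    print("days late:", days_late(individual_notice_deadline(b.discovered), letters))
    print("toll-free line active until:", toll_free_active_until(letters))
```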

The Breach Notification Rule and Business Associate Data Breaches

The 60-day window for issuing breach notification letters applies to both covered entities and business associates of covered entities. In the case of the latter, the covered entity may delegate responsibility for the issuing of breach notification letters to its business associate.

Covered entities should consider whether the business associate is in the best position to issue breach notification letters before the responsibility is delegated.

Recently, a breach at a business associate of a covered entity saw the business associate issue breach notification letters to affected individuals. However, since the affected individuals were unaware that the business associate was contracted to their insurance provider, the letters caused some confusion. The letters provided the necessary information to allow patients to take steps to protect their identities, but with no mention of the covered entity, some patients thought the letters were some sort of scam.

While not stated in the Breach Notification Rule, it would be of benefit in such situations to include the name of the covered entity in the letters or for the covered entity – and not the business associate – to issue notifications to patients.

Penalties for Late Breach Notifications

The Office for Civil Rights has shown that breach notification delays do warrant the issuing of financial penalties in certain situations, and the penalties can be severe. While Presence Health was only fined $475,000 for delaying the issuing of breach notification letters for one month, considerably higher fines are possible.

OCR is permitted to fine covered entities, or their business associates, a maximum of $1,500,000 for each violation of HIPAA Rules. The HIPAA violation penalties are determined based on four categories of violations, with the penalties ranging from $100 per violation up to a maximum of $50,000 per violation.

Given the willingness of OCR to penalize covered entities for HIPAA Breach Notification Rule violations, covered entities should make sure that their data breach policies and procedures include the timescales for issuing breach notifications to patients and OCR, and ensure that those notifications are issued within the allowed timeframe.

The post Covered Entities Flirting with Fines for Late Data Breach Reports appeared first on HIPAA Journal.

Summary of January 2017 Healthcare Data Breaches Released

Protenus, in conjunction with databreaches.net, has released a summary of January 2017 healthcare data breaches. The report shows that 2017 started where 2016 left off, with similarly high numbers of healthcare data breaches reported.

January 2016 saw the lowest number of data breaches of any month in 2016 (21) and also the lowest number of records exposed of any month in the year (104,056 records). 2017 did not start nearly as well. While lower than the average monthly breaches for 2016 (37.5), January saw 31 healthcare data breaches disclosed. Those breaches resulted in the exposure of 388,307 patient and health plan member records.

The largest healthcare data breach of January 2017 affected CoPilot Provider Support Services, Inc. The breach impacted 220,000 individuals. However, the breach actually occurred in October 2015, with CoPilot discovering the incident two months later in December 2015. The Department of Health and Human Services’ Office for Civil Rights was only notified of the incident last month, well outside the 60-day deadline for reporting breaches.

That was a recurrent theme in January. According to the Breach Barometer report, 40% of HIPAA-covered entities that disclosed breaches in January 2017 reported the incident outside of the 60-day reporting window of the HIPAA Breach Notification Rule. January also saw the first settlement with a covered entity based solely on delayed breach notifications. Presence Health paid OCR $475,000 after breach notifications were delayed by a month.

In January, 12 hacking and IT incidents were disclosed which resulted in the theft of 145,636 records. Those incidents also included phishing attacks on covered entities. However, the biggest cause of healthcare data breaches by far was insider incidents. 58.4% of breaches, where the cause was known, and 59.2% of breached records (230,044) were the result of insiders.

Protenus reports that four incidents were the result of insider wrongdoing and four incidents were the result of insider errors.

Healthcare providers were the worst affected with 25 incidents in January, four health plans disclosed data breaches, and two business associates of covered entities reported breaches.

The average number of days between the breach occurring and the incident being reported to OCR was 174 days. It took an average of 123.5 days for healthcare organizations to discover a breach had occurred.

Healthcare data breaches in January 2017 were spread across 21 states, with California accounting for the highest number (6) followed by Maryland (3).

Automatic Email Forwarding Rule Sent 1,700 Patients’ PHI to Employee’s Personal Email Account

Health Department officials in Multnomah County, OR, have discovered that an employee set up an automatic mail forwarder on an email account that sent all email correspondence to a personal Google email account for a period of around three months.

The emails were forwarded to an account outside the control of Multnomah County, in violation of the Health Insurance Portability and Accountability Act. Since the employee works in the Health Department, emails sent to that individual’s official email account contained a range of patients’ electronic protected health information (ePHI). The ePHI included first and last names, ages, medical record numbers, medical diagnoses, dates of service, medication names and prescription numbers.

The email forwarder was discovered during a random audit that was conducted on November 22, 2016. An internal investigation into the incident revealed that the ePHI of 1,700 patients was exposed. The investigation did not uncover any evidence to suggest that any of the forwarded emails had been opened or read, but the possibility that ePHI was inappropriately accessed could not be ruled out.

Multnomah County has now confirmed that the email account has been deleted and none of the forwarded emails can be accessed by the employee. Multnomah County believes the risk of ePHI being used inappropriately is low and no reports have been received to suggest any ePHI has been used inappropriately. Multnomah County has also confirmed that no Social Security numbers, home addresses, or phone numbers were present in the emails or email attachments forwarded to the personal account.

The incident has prompted Multnomah County to conduct a review of policies and procedures with the member of staff concerned. Policies, controls, business practices, and data protection solutions are also being reviewed in direct response to this incident.

It is unclear why the emails were being forwarded to the personal account and it would appear from the substitute breach notice issued by Multnomah County that the matter has been dealt with internally and the employee in question has not been terminated.

Singh and Arora Oncology Hematology Breach Notifications Sent After 5 Months

A Singh and Arora Oncology Hematology breach is finally being communicated to individuals who had their electronic protected health information exposed, although it has taken 5 months for the notification letters to be sent.

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to send breach notification letters to patients within 60 days of the discovery of an ePHI breach. The Department of Health and Human Services’ Office for Civil Rights (OCR) must also be notified of a breach in the same timeframe.

However, in the case of the Singh and Arora Oncology Hematology breach, the Flint, MI-based cancer treatment center discovered that its systems had been breached on August 22, 2016. While OCR was notified of the breach on October 21, 2016, patients have only just started receiving their letters.

The Singh and Arora Oncology Hematology breach actually occurred between February 27, 2016 and July 14, 2016. An unauthorized individual gained access to a server containing ePHI. It took around a year from when access to ePHI was first gained for patients to be informed that their sensitive data had potentially been accessed.

According to the OCR breach notice, the incident resulted in the exposure of 16,000 patients’ ePHI. ABC12, which was contacted by some of the affected patients, was told that the breach included patients’ names, addresses, phone numbers, dates of birth, Social Security numbers, current procedural terminology codes and health insurance details.

While the delay in the discovery of the breach is perhaps understandable – it is rarely a simple task to determine a cyberattack has occurred – the delay in the issuing of notification letters is not, especially when OCR was informed of the cyberattack and potential ePHI exposure within 2 months.

In some situations, patient breach notification letters are delayed so as not to interfere with a criminal investigation. There have been numerous instances where law enforcement has requested that HIPAA-covered entities delay the issuing of notifications to patients. However, in this case, no mention has been made of any law enforcement-requested delay.

The delay in issuing breach notification letters to patients was allegedly due to the healthcare provider being unable to determine whether data had actually been compromised. The letters explain to patients that the attacker was not believed to have been looking for ePHI and no indications that ePHI was accessed or used inappropriately have been discovered. However, it has not been possible to rule out the possibility that ePHI was accessed.

To protect patients, all affected individuals have been offered a year of credit monitoring services without charge. Given the delay in notification, patients should obtain credit reports and check back for any sign of suspicious activity over the past 12 months. Explanation of Benefits (EoB) statements should also be carefully checked.

As with all breaches of more than 500 records, OCR will conduct an investigation. Given that OCR has recently penalized a healthcare organization solely for delaying the issuing of breach notification letters to patients, it doesn’t bode well for Singh and Arora Oncology Hematology.

Hacker Gains Access to Records of 4,668 Princeton Pain Management Patients

Princeton Pain Management, a healthcare provider specializing in the management of chronic pain, has reported that a hacking incident impacted 4,668 of its patients.

The breach affects individuals who visited its medical centers in New Jersey, Pennsylvania, and New York for treatment.

It is not known for how long the hacker had access to Princeton Pain Management’s systems, although the breach was discovered on November 28, 2016. Upon discovery of the breach, a cybersecurity firm was retained to conduct a thorough forensic investigation to determine how access to its systems had been gained, the types of information that were potentially accessed, and which patients were impacted. An internal investigation into the breach was also launched.

The investigation revealed that a wide range of sensitive electronic protected health information (ePHI) had potentially been accessed, including names, telephone numbers, addresses, birth dates, Social Security numbers, driver’s license numbers, Medicare numbers, government identification numbers, diagnostic information, treatment information, and medical and health insurance identifiers.

Princeton Pain Management responded to the breach by conducting a review of its security processes and systems. The security review identified a number of areas where protections could be improved. System security has now been enhanced to prevent similar data breaches from occurring in the future.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights and affected patients have been notified of the breach.

So far in 2017, seven healthcare hacking/IT incidents have been reported to OCR. Hacking/IT incidents account for 29% of all healthcare breaches reported so far this year.

The main cause of healthcare data security incidents in 2017 is unauthorized access/disclosure. 10 incidents have been reported: 42% of the year-to-date total.

The year may be young, but 24 incidents have already been reported to OCR in 2017. Those incidents have impacted 151,970 healthcare patients and health plan members.

WellCare Health Reports Security Breach Affecting 24,800 Patients

In August 2016, Summit Reinsurance Services experienced a data breach affecting a number of its healthcare clients. Highmark Blue Cross Blue Shield of Delaware was informed in early January that 19,000 of its members were impacted by the breach. Now, WellCare Health Plans has announced that 24,809 of its members have also been impacted by that security incident.

Summit Reinsurance Services had previously been contracted by WellCare to provide reinsurance services. WellCare no longer uses SummitRe as its reinsurance service provider, although the breach dates back to before WellCare’s association with the company was terminated.

WellCare was informed on December 27, 2016 that a ransomware infection had occurred at SummitRe on August 8, 2016 and that its members’ electronic protected health information had potentially been accessed by the attacker.

The ransomware encrypted a range of sensitive data including names, member IDs, home addresses, dates of birth, Social Security numbers, medical diagnoses and provider names and locations.

While many ransomware infections occur randomly as a result of employees opening malicious email attachments or from visiting malware-infected websites, in this case the investigation into the breach revealed that access to SummitRe’s system was first gained on March 12, 2016, approximately 5 months prior to ransomware being installed. That suggests the attacker had time to view sensitive information stored on its system and installed ransomware when there was no further need for system access.

While data were potentially accessed and viewed, neither Summit Reinsurance Services nor WellCare has uncovered any evidence to suggest that PHI was stolen by the attackers, nor that any ePHI has been misused.

75,000-Record Breach Discovered at Texas Medical Clinic

The WellCare breach would have taken the title of the worst healthcare data breach of 2017 to date, having resulted in the exposure of more than twice the number of records as the Verity Health System breach; however, yesterday, a new report appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal.

Stephenville Medical & Surgical Clinic in Stephenville, Texas, reported that a security breach impacted 75,000 individuals. The incident involved the unauthorized accessing of a desktop computer, although at present few details of the incident have been released. An incident report will be posted on this site when further information becomes available.

Verity Health System Announces Details of 10K-Record Data Breach

Verity Health System – a Redwood City-based Californian health system comprising six hospitals, the Verity Medical Foundation, and the Verity Physician Network – has discovered that one of its websites was breached by a hacker who gained access to the electronic protected health information (ePHI) of thousands of its former patients.

The unauthorized individual accessed a Verity Medical Foundation (San Jose) Medical Group website that contained a wide range of protected health information on “more than 9,000 patients”.

Verity Health System discovered that its systems had been breached on January 6, 2017. An investigation into the breach was immediately launched and a third-party cybersecurity firm was brought in to conduct a full forensic analysis.

That analysis determined that access to the website was first gained in October 2015 and continued until early January 2017.

Verity Health System reports that Social Security numbers were not stored on the website and financial information was not viewed, apart from the last four digits of credit/debit card numbers. The website that was accessed was no longer in use and upon discovery of the breach, access to the website was immediately terminated and the site was secured.

No medical records were viewed and the breach was limited to ID numbers and patients’ personal information. That information included patients’ names, addresses, email addresses, phone numbers, dates of birth, and medical record numbers.

The incident was reported to the Department of Health and Human Services’ Office for Civil Rights on January 11. The OCR breach notification shows that 10,164 patients were impacted.

According to a statement from Verity Health System, “We are working with a leading cyber-security firm to further evaluate the integrity of our information systems.”

Given the length of time that the system remained accessible, it is fair to assume that patient information has been accessed. However, Verity Health System has not received any reports to suggest that ePHI has been used in an “unauthorized fashion.”

Patients affected by the incident had visited Verity Health System facilities for treatment between 2010 and 2014. All patients affected have been notified of the data breach by mail and have been offered 12 months of credit monitoring services without charge.

Family Medicine East, Chartered Alerts 6,800 Patients to ePHI Exposure

Family Medicine East, Chartered of Wichita, KS, has reported the theft of a computer from its Rock Road facilities. Thieves broke into the locked clinic on December 8, 2016 and stole a desktop computer and a printer. The computer, which was unencrypted, contained the protected health information of almost 7,000 patients.

Law enforcement was notified of the break-in and theft, although the individual(s) responsible have not been apprehended and the stolen computer has not been recovered.

The data on the computer were backed up, so the theft has not resulted in the loss of any ePHI, although an investigation of the data backups did reveal that a considerable number of images and office notes were stored on the device.

The medical notes were mostly transcriptions of dictated physicians’ notes and related to patients who had visited Family Medicine East, Chartered for medical services between 2003 and 2004. The notes contain details of what was discussed during patients’ appointments and included patients’ names, birth dates, appointment dates, physicians’ names, symptoms, details of examinations, diagnoses and orders. In addition to the physicians’ notes, some letters were stored on the stolen device which detailed patients’ names and medical conditions. The letters related to referrals of patients to other physicians.

Family Medicine East, Chartered has now notified all affected patients of the breach and has reassured them that no financial information, Social Security numbers, or addresses were stored on the computer. Only images and notes typed by transcriptionists were exposed as a result of the theft.

Family Medicine East, Chartered pointed out in its notification letters that files should not have been stored on the computer and therefore were not flagged during risk analyses conducted prior to the theft. The files had been stored on the stolen device “as a result of an employee’s oversight” according to the clinic’s substitute breach notification letter.

Due to the nature of data stored on the device, Family Medicine East, Chartered says “it is hoped that the risk of information being misused is low,” although the clinic has agreed to make credit reports available to affected patients free of charge.

Prior to the theft, Family Medicine East, Chartered had already started the process of encrypting all devices that contained patients’ protected health information and the clinic reports that that process has now been completed. Security at its facilities has also been augmented to reduce the risk of further burglaries.

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years.

It is relatively rare for a HIPAA civil monetary penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority of cases when serious violations of the Health Insurance Portability and Accountability Act are discovered by OCR investigators, the covered entity in question enters into a voluntary settlement with OCR.

Typically, this sees the covered entity pay a lower amount to OCR to resolve the HIPAA violations. OCR attempted to resolve the matter via informal means between November 6, 2015 and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR explained that Children’s Medical Center of Dallas could file a request for a hearing, although no request was received. Consequently, Children’s Medical Center of Dallas was required to pay the full civil monetary penalty of $3,217,000, making this the biggest HIPAA violation penalty of 2017, eclipsing the payments made by Presence Health ($475,000) and MAPFRE Life Insurance Company of Puerto Rico ($2.2 million).

Children’s Medical Center of Dallas is run by Children’s Health, a Dallas-based healthcare system comprising three hospitals and numerous clinics in North Texas. On January 18, 2010, OCR was notified by Children’s Medical Center that a breach of patients’ electronic protected health information (ePHI) had occurred. The breach involved the loss of a Blackberry device containing the ePHI of 3,800 patients. The device had not been encrypted and was not protected with a password, allowing any individual who found the device to access the ePHI of patients.

An investigation into the breach was launched on or around June 14, 2010. As part of the investigation, Children’s Medical Center provided OCR with a Security Gap Analysis conducted by Strategic Management Systems, Inc., (SMS) between December 2006 and February 2007. That analysis revealed a lack of risk management at Children’s Medical Center. In the report, SMS recommended that Children’s Medical Center implement encryption on portable devices such as laptop computers to prevent the exposure of ePHI in the event that a device was lost or stolen. Children’s Medical Center failed to act on that recommendation.

PricewaterhouseCoopers (PwC) conducted an analysis of threats and vulnerabilities to ePHI in August 2008. In the PwC report, it was also recommended that Children’s Medical Center implement encryption on laptop computers, workstations, mobile devices, and portable storage devices such as USB thumb drives. PwC determined that the use of encryption was “necessary and appropriate.” Children’s Medical Center failed to act on PwC’s recommendations, even though encryption was rated as a “high priority” item.

To OCR it was clear that Children’s Medical Center was aware of the risks to the confidentiality, integrity, and availability of ePHI and that there was a lack of appropriate safeguards for ePHI at rest. Children’s Medical Center was aware of the risks as early as March 2007, more than a year before the security incident occurred and ePHI was exposed. Had Children’s Medical Center acted on the recommendations of SMS or PwC, the breach could have been avoided.

In addition to the lost Blackberry in 2010, Children’s Medical Center reported the loss of an unencrypted iPod containing the ePHI of 22 patients. The loss occurred in December 2010. On July 5, 2013, Children’s Medical Center notified OCR of another breach involving an unencrypted device. In this case, the laptop theft resulted in the exposure of 2,462 individuals’ ePHI.

Even after the data breaches were experienced, Children’s Medical Center failed to act, only implementing encryption on portable devices in April 2013. From 2007 to April 9, 2013, nurses were using unprotected Blackberry devices that contained ePHI, while other workers were using unencrypted laptop computers and mobile devices until April 9, 2013.

Encryption of ePHI is not mandatory for HIPAA-covered entities. The use of encryption to safeguard the confidentiality, integrity, and availability of ePHI is an ‘addressable’ issue.

HIPAA-covered entities are required to conduct a comprehensive, organization-wide risk assessment to determine vulnerabilities that could potentially result in the exposure of ePHI. If, after performing the risk assessment, the covered entity determines that encryption is not ‘reasonable and appropriate’, the reasons why encryption is not deemed necessary must be documented and an equivalent measure must still be implemented to ensure ePHI is appropriately secured. Children’s Medical Center failed to document why encryption had not been used and also failed to implement an equivalent security measure.

Furthermore, OCR determined that prior to November 9, 2012, Children’s Medical Center did not have sufficient policies and procedures governing the removal of hardware and electronic equipment from its facilities or movement of the devices within its facilities. Until November 9, 2012, Children’s Medical Center could not tell how many devices those policies and procedures should apply to: a full inventory was only completed on November 9, 2012. While devices had been inventoried prior to November 9, 2012, devices managed by the Biomedical department were not included in that inventory, breaching the HIPAA Security Rule (45 C.F.R. § 164.310(d)(1)).

While efforts were made to resolve the HIPAA violations informally, Children’s Medical Center was unable to ‘provide written evidence of mitigating factors or affirmative defenses and/or its written evidence in support of a waiver of a CMP.’

OCR determined that the violations were due to reasonable cause and not willful neglect of HIPAA Rules. Had that not been the case, the penalty would have been considerably higher. OCR considered the fact that there had been no apparent harm caused to patients as a result of the lost devices, and chose the minimum penalty amount of $1,000 per day that the violations were allowed to persist.

OCR’s Final Notice of Determination can be viewed on this link.

According to OCR Acting Director Robinsue Frohboese, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential.” Frohboese also explained that the lack of risk management can be costly for covered entities, “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”