HIPAA Breach News

Ransomware Attack at Fitzgibbon Hospital Affects 112,000 Patients

Back in June 2022, HIPAA Journal reported on a cyberattack on Fitzgibbon Hospital in Marshall, MO, after being contacted directly by a spokesperson for a threat group called DAIXIN Team, who claimed responsibility for the attack. That individual said the hospital’s systems had been compromised and 40GB of data had been exfiltrated, which included files containing patient names, dates of birth, medical record numbers, patient account numbers, Social Security numbers, and medical and treatment information. Some of that information was released on the group’s dark web data leak site.

Six months after the attack, the hospital has now confirmed that a data breach occurred involving the protected health information of 112,072 patients. According to Fitzgibbon Hospital, the attack was detected on June 6, and an investigation was immediately launched to determine the nature and scope of the breach. Third-party cybersecurity professionals were engaged to investigate and, according to the December 2022 breach notice, that investigation is still ongoing. Fitzgibbon Hospital said it discovered on December 1, 2022, that some patient data had been compromised in the attack, including “full names, Social Security numbers, driver’s license numbers, financial account numbers, health insurance information, and/or medical information,” with the data involved varying from individual to individual.

Fitzgibbon Hospital said it is unaware of any misuse of the stolen data at the time of issuing notifications to patients, which were sent on December 30, 2022, and that, “out of an abundance of caution,” individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. Fitzgibbon Hospital confirmed that it had taken many steps to protect patient information prior to the cyberattack and continually evaluates and modifies its practices to enhance the security and privacy of its patients’ information. This includes the education and counseling of its workforce regarding patient privacy matters.

Howard Memorial Hospital Announces December 2022 Cyberattack

Howard Memorial Hospital in Nashville, AR, has recently announced that it detected suspicious activity within its computer network on December 4, 2022. Prompt action was taken to secure the network and investigate to determine the nature and scope of the incident, with third-party cybersecurity professionals engaged to assist with that process. On December 29, 2022, the hospital confirmed that unauthorized individuals had gained access to its network on November 14, 2022, and access remained possible until December 4, 2022, when its network was secured.

During that time the threat actor had access to and exfiltrated certain files, some of which contained patient information. It is unclear how many individuals have been affected as the review of the affected files is ongoing, but it has been confirmed that information such as names, contact information, dates of birth, and Social Security numbers have been affected, along with employee data that may also have included direct deposit bank account information. Notification letters will be sent to affected individuals when they have been identified and up-to-date contact information has been obtained.

The post Ransomware Attack at Fitzgibbon Hospital Affects 112,000 Patients appeared first on HIPAA Journal.

Diagnostic Lab Settles Medical Record Access Case for $16,500

The HHS’ Office for Civil Rights (OCR) has announced its first HIPAA enforcement action of 2023, which serves as a reminder that individuals and their personal representatives must be provided with timely access to their medical records. Life Hope Labs, LLC, has agreed to settle the case and will pay a $16,500 penalty.

43 Enforcement Actions for HIPAA Right of Access Failures

The HIPAA Right of Access requires covered entities to provide a copy of an individual’s protected health information that is maintained in a designated record set within 30 days of receipt of that request. In certain circumstances, a delay of up to 30 days is permitted, provided the individual is notified about the reason for the delay and the individual is informed in that response when the request will be satisfied.

OCR launched a new HIPAA compliance initiative in the fall of 2019 targeting organizations that were not providing individuals and their personal representatives with a copy of the requested medical records in a timely manner, and organizations that were charging unreasonable fees for providing those records. Including the latest settlement, OCR has imposed financial penalties on 43 healthcare organizations for potential HIPAA Right of Access violations.

Life Hope Labs Enforcement Action

Life Hope Labs is a Sandy Springs, GA-based full-service diagnostic laboratory. On August 24, 2021, OCR received a complaint from the personal representative of a patient’s estate for the medical records of the decedent. The complainant alleged a request had been made with Life Hope Labs on July 7, 2021, but the records were not provided. It took Life Hope Labs seven months (225 days) from the initial request to provide those records. The complainant – the daughter of the decedent – received the complete set of records on February 16, 2022. OCR confirmed that the delay in providing the requested records was a violation of the HIPAA Right of Access, as detailed in 45 C.F.R. § 164.524.

Life Hope Labs agreed to settle the case with OCR and paid a $16,500 penalty to settle the potential HIPAA Right of Access violation, with no admission of wrongdoing. Under the terms of the settlement, Life Hope Labs is required to adopt a corrective action plan that includes the requirement to develop, maintain, and revise, as necessary, written policies regarding the HIPAA Privacy Rule, including the right of patients to access and obtain a copy of their PHI and to distribute those policies to all members of the workforce. HIPAA training on those policies must also be provided to all new staff members within 30 days of commencing employment. The settlement also includes two years of monitoring.

“Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories,” said OCR Director Melanie Fontes Rainer. “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.”


Avalon Healthcare Settles HIPAA Case with Oregon and Utah State AGs and Pays $200,000 Penalty

Avalon Healthcare has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws with the Oregon and Utah Attorneys General that were uncovered during an investigation of a 2019 breach of the personal and protected health information of 14,500 of its employees and patients.

Avalon Healthcare is part of the Avalon Health Care Group and provides skilled nursing, therapy, senior living, assisted living, and other medical services throughout Oregon, Utah, California, Nevada, Washington, and Hawaii. In July 2019, an employee responded to a phishing email and disclosed credentials that allowed an email account to be accessed by unauthorized individuals. The account contained sensitive information such as names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, and some financial information. It took 10 months from the date of the breach for the incident to be reported to the HHS and state attorneys general, and for affected individuals to be notified.

Oregon Attorney General Ellen Rosenblum and Utah Attorney General Sean Reyes launched an investigation into the data breach that focused on the email security practices at Avalon Healthcare and compliance with the HIPAA Security and Breach Notification Rules and state data breach notification statutes. The HIPAA Breach Notification Rule requires notifications to be issued about breaches of protected health information without undue delay and no more than 60 days from the date of the breach. In Oregon, data breach notifications must be issued in the most expeditious manner, and no later than 45 days after the date of discovery of the breach. The investigation uncovered potential violations of the Oregon Unlawful Trade Practices Act and HIPAA with respect to breach notifications and data security. Avalon Healthcare agreed to settle the case to avoid further controversy and expense.

Under the terms of the settlement, Avalon Healthcare has agreed to comply with the requirements of state laws and HIPAA and will develop, implement, and maintain an information security program that includes reasonable data security practices to ensure all personal information and protected health information is adequately protected. An individual will be designated as having overall control of the information security program and a HIPAA compliance officer will be appointed. The information security program will include logging and monitoring of the network, multi-factor authentication, email filtering, and at least twice-yearly security awareness training for the workforce. Security awareness training must cover phishing and social engineering, and include phishing simulation exercises. Avalon Healthcare has also agreed to develop, implement, maintain, and test a data incident response plan and to implement and maintain a risk assessment and risk management program. Avalon Healthcare will also revise its email data retention policies to ensure that data is only kept in email accounts for as long as there is a legal basis to retain the information and all emails containing PHI will be encrypted.

In addition to the commitment to compliance with HIPAA and state laws, Avalon Healthcare will pay a $200,000 financial penalty, which will be split equally between the Oregon and Utah state attorneys general and will be used to pay for legal fees, investigation costs, and the future enforcement of compliance with HIPAA and state laws.

“Companies, like Avalon, that retain consumers’ protected health information, have a duty to keep this data safe from unauthorized access,” said Attorney General Rosenblum. “Avalon dealt with the personal health-related information of some of our most vulnerable residents. Close to 2,000 Oregonians assumed—incorrectly—their information was safe with Avalon. Data breaches continue to be a problem in Oregon, and we are committed to working with companies to make sure they have the highest data privacy safeguards in place.”


Fertility Centers of Illinois Proposes $450,000 Settlement to Resolve Data Breach Lawsuit

Fertility Centers of Illinois has proposed a $450,000 settlement to resolve a lawsuit filed on behalf of patients and employees who were affected by its February 2021 data breach.

On February 1, 2021, hackers gained access to the network where sensitive employee and patient information was stored, including names, employee ID numbers, Social Security numbers, passport numbers, financial account and payment information, diagnoses, treatment information, medical record numbers, billings and claims information, occupational health information, Medicare/Medicaid information, and usernames and passwords with PINs or account login information.

The investigation of the breach took six months, but it then took a further four months for affected individuals to be notified. Notification letters were finally sent in December 2021 and the data breach was reported to the HHS’ Office for Civil Rights on December 27, 2021, as affecting 79,943 patients. It should be noted that the HIPAA Breach Notification Rule requires the HHS and affected individuals to be notified about breaches of protected health information within 60 days of the discovery of a data breach.

The lawsuit – Monegato, et al. v. Fertility Centers of Illinois PLLC – was filed in the Circuit Court of Cook County, IL, and takes issue with the length of time it took to issue notifications, alleging Fertility Centers of Illinois unnecessarily delayed notifications, attempted to conceal the severity of the breach, and misrepresented the nature of the breach and the threat posed to affected individuals. The lawsuit also alleges Fertility Centers of Illinois failed to adequately protect patient data, with the alleged lack of safeguards and breach notification delay in violation of Illinois law.

The alleged security failures include storing protected health information (PHI) and personally identifiable information (PII) in multiple locations, each with different security safeguards; a failure to adequately train employees on security protocols; and inadequate security measures for protecting PHI/PII. The lawsuit also alleges an ineffective breach response that took 6 months to determine hackers accessed PHI/PII. Also, the breach notification letters stated, in bold and underlined text, that electronic medical records had not been accessed when the next paragraph made it clear that the information contained in medical records had in fact been accessed.

The lawsuit claims victims of the data breach now face a lifetime risk of identity theft and fraud, they will continue to suffer damages, including monetary losses, lost time, anxiety, and emotional distress, and have lost the opportunity to control how their PHI/PII is used, suffered a diminution in value of their PII and PHI, and will have to deal with the continuing publication of their PII and PHI. Despite these risks, only 12-24 months of identity theft protection services were provided.

Fertility Centers of Illinois has not admitted any wrongdoing and chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, individuals affected are entitled to submit a claim for up to $450 for ordinary losses such as out-of-pocket expenses incurred as a result of the data breach, and reimbursement for up to four hours of lost time at $20 per hour. Claims up to the value of $5,000 are permitted for documented extraordinary losses incurred between February 1, 2021, and June 5, 2023, that are not covered under ordinary losses. The settlement is capped at $450,000 and claims will be paid pro rata if that amount is reached. In addition, all affected individuals are entitled to claim an additional 24 months of credit monitoring services (via Pango) from the effective date of the settlement.


Scripps Health Proposes $3.5M Settlement to Resolve Class Action Ransomware Lawsuit

A settlement has been proposed by Scripps Health to resolve a consolidated class action lawsuit – In Re: Scripps Health Data Incident Litigation – to resolve all claims related to its 2021 ransomware attack.

In April 2021, Scripps Health suffered a ransomware attack that was reported to the Department of Health and Human Services as affecting 147,267 patients. The attack caused major disruption at Scripps Health hospitals. Scripps Health had to redirect ambulances and cancel scheduled appointments, and staff were forced to record patient information on paper while the San Diego-based health system restored its IT systems – a process that took around a month.

The investigation revealed the hackers stole files from its network on April 29, 2021, which contained protected health information such as names, Social Security numbers, driver’s license numbers, and healthcare information, including information stored in medical records. The ransomware attack has proven to be incredibly costly for Scripps Health. Its financial statements show the attack cost at least $113 million in lost revenue.

Multiple lawsuits were filed against Scripps Health in the San Diego County Superior Court in the wake of the data breach on behalf of individuals affected by the ransomware attack. The lawsuits allege Scripps Health failed to implement and maintain adequate security measures to protect patient information and had inadequate policies and procedures for detecting and remediating cyberattacks, despite being aware of the high risk of an attack.

The plaintiffs allege they have suffered lost time, annoyance, interference, and inconvenience as a result of the data breach, including being prevented from accessing the MyScripps patient portal, which is used by patients to access their healthcare information, request prescription refills, manage appointments, and communicate with doctors. The lawsuits sought damages, reimbursement of out-of-pocket expenses, and injunctive relief, requiring Scripps Health to implement adequate security measures to better protect patient data in the future.

Scripps Health has not admitted any wrongdoing and does not accept liability for the ransomware attack and data breach. The decision was taken to settle the lawsuit to prevent further legal costs, avoid the uncertainty of trial, and resolve all claims related to the data breach. Under the terms of the settlement, class members are entitled to submit a claim for a cash payment of up to $100 which is subject to a pro rata increase based on the number of claims received. In addition, class members are entitled to submit claims for documented ordinary and extraordinary losses. The settlement amount is expected to exceed $3.5 million.

Claims for reimbursement of ordinary out-of-pocket expenses are permitted up to a maximum of $1,000 per class member. Ordinary losses include unreimbursed bank fees, card re-issuance fees, overdraft fees, over-limit fees, telephone charges, costs of credit reports, and similar losses that can be reasonably traced to the ransomware attack.

Extraordinary losses are those related to identity theft that are fairly traceable to the ransomware attack and were suffered between April 29, 2021, and March 23, 2023. To qualify for reimbursement for extraordinary losses, class members must have made reasonable efforts to avoid suffering losses and to have exhausted available avenues for recovering losses related to identity theft.

Class members wishing to exclude themselves from or object to the settlement have until March 8, 2023, to do so. The deadline for submitting claims is March 23, 2023. The final approval hearing is scheduled for April 7, 2023.


Lake Charles Memorial Health System Cyberattack Affects Almost 270,000 Patients

Southwest Louisiana Health Care System, Inc. has confirmed that the protected health information of up to 269,752 patients of Lake Charles Memorial Health System has been compromised. The Louisiana healthcare system said suspicious activity was detected by its security team on October 21, 2022, and steps were taken to contain the activity and investigate a potential breach. On October 25, it was confirmed that an unauthorized third party had gained access to the network, with the forensic investigation confirming the attack started between October 20 and October 21, 2022, and involved the theft of patient data from the network.

The review of the exfiltrated files determined they contained information such as names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information, payment information, and limited clinical information. Some Social Security numbers were also compromised. Notification letters were sent to affected individuals on December 23, 2022, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were compromised.

Southwest Louisiana Health Care System did not disclose the exact nature of the cyberattack, but the Hive ransomware gang claimed responsibility. While Hive is known for using ransomware to encrypt files, the gang claims only to have exfiltrated patient data. Files were not encrypted. A ransom demand was issued, payment of which was required to ensure the stolen data was deleted. Payment does not appear to have been made as the Hive gang started dumping the stolen data last month.

FoundCare Email Account Breach Affects 14,000 Patients

The Palm Springs, FL-based federally qualified health center, FoundCare Inc., has announced that unauthorized individuals have gained access to its email environment and potentially viewed or obtained emails and files that contained the protected health information of 14,194 patients.

Suspicious activity was detected within its email environment on September 2, 2022, and a third-party digital forensics firm was engaged to conduct an investigation. FoundCare said it determined on October 18, 2022, that files in the email account contained patient data. The review of those files and verification of patient contact information has recently concluded, and notification letters are now being sent to the affected individuals. Data exposed in the attack included names, addresses, email addresses, credit card numbers, Social Security numbers, birth dates, passport numbers, other government ID numbers, medical conditions, diagnoses, treatment information, health insurance information, and internal patient identifiers. FoundCare said the vast majority of individuals only had limited medical information exposed.

FoundCare has implemented additional security measures in response to the breach, including turning on multifactor authentication for all users, blocking basic authentication measures, adding a warning to all emails from new email addresses, and providing continuous phishing awareness training to all employees.

Ransomware Attack Affects 6,800 Patients of Midwest Orthopaedic Consultants

Midwest Orthopaedic Consultants in Illinois has announced that unauthorized individuals gained access to its computer network and used ransomware to encrypt files. The cyberattack was detected on September 29, 2022, and steps were immediately taken to contain the attack. A third-party forensic security firm was engaged to investigate the breach and determined that the attackers gained access to the network on September 27, 2022, and exfiltrated certain documents before encrypting files. Midwest Orthopaedic Consultants discovered on November 4 that the files contained patient data, with a comprehensive review of those documents confirming on November 21, 2022, that individually identifiable health information had been exposed such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, diagnosis and treatment information, and health insurance information. Notification letters were sent to affected individuals on December 22, 2022. Midwest Orthopaedic Consultants said the encrypted files were recovered from backups.

Complimentary identity theft protection services have been offered to individuals whose Social Security numbers or driver’s license numbers were compromised and additional technical measures have been implemented to prevent similar incidents in the future. The breach has been reported to the HHS’ Office for Civil Rights as affecting 6,818 patients.

MultiCare Health System Affected by Ransomware Attack on Mailing Vendor

MultiCare Health System in Washington has recently confirmed that the protected health information of more than 23,000 patients has potentially been compromised in a data breach at its mailing vendor, Kaye-Smith. Kaye-Smith detected suspicious activity within its digital environment in June 2022. The forensic investigation revealed hackers had had undetected access to its systems since May 2022 and used ransomware to encrypt files. MultiCare Health System was one of several health systems to be affected by the incident.

MultiCare Health System said the attackers may have accessed or acquired files that contained patients’ names, addresses, and Social Security numbers. Kaye-Smith said it has enhanced security and monitoring in response to the incident.

Collections Vendor Data Breach Affects Prairie Lakes Healthcare Patients

Watertown, SD-based Prairie Lakes Healthcare System, which serves patients in South Dakota and Western Minnesota, has recently announced that the protected health information of 1,059 patients has been exposed in a data breach at one of its business associates. Prairie Lakes Healthcare uses AAA Collections, Inc., which does business as Advanced Asset Alliance (AAA), to collect unpaid medical bills.

Between September 5, 2022, and September 7, 2022, hackers gained access to AAA’s systems and potentially obtained files containing the protected health information of patients of Prairie Lakes Healthcare and former Glacial Lakes Orthopaedics patients. An analysis of the files confirmed they contained information such as names, addresses, dates of birth, medical record numbers, provider/facility names, conditions, diagnoses, treatment information, payment information, and dates of service. Notifications were mailed by AAA to affected individuals on December 15, 2022. Prairie Lakes Healthcare said it is working with its vendor to prevent similar events from occurring in the future.


Class Action Data Breach Lawsuit Settled by Morley Companies

Morley Companies has agreed to settle a class action lawsuit filed on behalf of individuals affected by a major data breach that occurred on or around August 1, 2022. A fund of $4.3 million has been created to cover claims from individuals affected by the data breach.

On or around August 1, 2021, Morley Companies, a Saginaw, MI-based provider of business services, suffered a cyberattack in which hackers gained access to parts of its network. Morley Companies said the attack prevented access to its information systems when files were encrypted, with the investigation confirming that the attackers exfiltrated files containing protected health information.

Approximately 628,000 breach notification letters were mailed, and the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 521,046 individuals. The breached information included names, addresses, Social Security numbers, birthdates, client identification numbers, medical diagnostic and treatment information, and health insurance information. Morley Companies accepts no liability for the incident and has admitted no wrongdoing but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, class members can submit a claim to receive reimbursement of up to $2,500 for documented out-of-pocket expenses that are reasonably traceable to the cyberattack and data breach. These can include unreimbursed losses relating to fraud or identity theft, professional fees including attorneys’ and accountants’ fees, and fees for credit repair services, costs associated with freezing or unfreezing credit with any credit reporting agency, credit monitoring costs incurred on or after August 1, 2021, and miscellaneous expenses such as notary, data charges, fax, postage, copying, mileage, cell phone charges, and long-distance telephone charges (conditions apply).

Class members can also claim up to four hours of lost time at a rate of $20 per hour, and residents of California at the time of the breach can claim a payment of $75. In addition, individuals who did not previously claim the credit and identity monitoring services provided by Morley Companies through IDX will be provided with a new offer and activation code valid for 90 days to claim 3-bureau credit monitoring for a three-year period from the effective date of the settlement. Class members will also be provided with a one-year membership to the Dashlane password management service.

Class members have until February 7, 2023, to object to or exclude themselves from the settlement. Claims must be submitted by March 20, 2023. The final approval hearing for the settlement has been scheduled for April 19, 2023.


Privacy Breaches Reported by Blue Shield of California and VA Medical Center

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state attorneys general.

Blue Shield of California

Blue Shield of California has started notifying certain health plan members about a privacy violation by one of its employees. A spreadsheet containing plan members’ names, phone numbers, email addresses, addresses, Social Security numbers, and/or Taxpayer ID numbers was emailed from the employee’s work account to a personal email address on June 17, 2022. Blue Shield of California’s Privacy Officer, David Keystone, said the privacy breach was discovered on October 30, 2022, and the employee was interviewed and instructed to delete the email and any copies of the spreadsheet.

The incident has prompted Blue Shield of California to strengthen its system detection tools to prevent further impermissible disclosures of PHI. As a precaution against identity theft, affected individuals have been offered complimentary access to a credit monitoring and identity theft protection service for 12 months.

HIPAA Journal has not been able to confirm how many individuals have been affected.

Medstar Mobile Healthcare

Medstar Mobile Healthcare, which operates an emergency and non-emergency ambulance service in Tarrant County, TX, has recently announced that it was the victim of a cyberattack in which patient information was potentially compromised. Suspicious network activity was detected on October 20, 2022, and it was later confirmed that an unauthorized third party had gained access to parts of the network where patient data was stored. It was not possible to determine if those files had been accessed or copied. The review of the files revealed they mostly included non-financial billing information only; however, some individuals also had their full name, date of birth, contact information, and limited medical information exposed. The investigation into the breach is ongoing.

HIPAA Journal has not been able to confirm how many individuals have been affected.

Pediatrics West & Allergy West

Pediatrics West & Allergy West in Massachusetts have notified 1,364 patients that some of their protected health information was stored on a system that was accessed by unauthorized individuals. The breach was detected on October 17, 2022, with the forensic investigation confirming the unauthorized access occurred between August 19, 2021, and August 15, 2022. The files on the system included names, contact information, demographic information, dates of birth, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and/or health insurance information. Pediatrics West said it has implemented additional safeguards and technical security measures to further protect and monitor its IT infrastructure.

The Louis A. Johnson VA Medical Center

The Louis A. Johnson Veterans’ Administration Medical Center in West Virginia has recently announced a privacy breach involving the protected health information of 736 individuals. An error was made in a mailing to veterans which resulted in their full Social Security numbers being visible on the letters. Affected veterans have been notified by mail and have been offered complimentary access to credit monitoring services. The VA has also formed a work group to investigate mailing processes to assess potential vulnerabilities, and additional controls will be put in place to prevent similar errors in the future.

The post Privacy Breaches Reported by Blue Shield of California and VA Medical Center appeared first on HIPAA Journal.

Editorial: Lessons from Biggest HIPAA Breaches of 2022

It has been another bad year for healthcare data breaches, with some of the biggest HIPAA breaches of 2022 resulting in the impermissible disclosure of well over a million records. While it does not currently look like last year’s record of 714 data breaches of 500+ records will be exceeded this year, with 674 data breaches reported up until December 22, 2022, any reduction is likely to be minimal. In addition to the high number of data breaches, 2022 stands out for the sheer number of healthcare records breached, which currently stands at 49.8 million records. That’s more than any other year to date apart from 2015 when Anthem Inc reported its 78.8 million-record data breach. In 2022, 12 data breaches were reported that exposed more than 1 million records, and a further 13 data breaches exposed between 500,000 and 1 million records.

The Biggest HIPAA Breaches of 2022

One notable observation from the biggest HIPAA breaches of 2022 is the number that occurred at business associates of HIPAA-covered entities. Many of these business associate data breaches affected dozens of healthcare clients, with one notable breach in the list below affecting 657 HIPAA-covered entities. Out of the 25 data breaches of 500,000 or more records, 52% occurred at business associates, including 60% of the 10 largest data breaches. The 12 biggest HIPAA breaches of 2022 affected almost 22.66 million patients and health plan members.

OneTouchPoint – Ransomware Attack Involving 4.11 Million Records

On July 27, the mailing and printing vendor, OneTouchPoint (OTP), reported a hacking incident to the HHS’ Office for Civil Rights that affected more than one million individuals; however, as the investigation progressed it was determined that the breach was much more extensive than first thought, and had involved the protected health information of 4,112,892 individuals. Hackers had gained access to its network and used ransomware to encrypt files, with that information also potentially stolen in the attack. The compromised data included names, contact IDs, and information provided during health assessments. More than 35 of the company’s clients were affected, many of which were health plans.

Eye Care Leaders – Hacking Incident Involving at least 3.65 Million Records

Eye Care Leaders is a North Carolina provider of an electronic health record solution (myCare Integrity) to ophthalmology practices across the country. Affected providers started to be notified in March that hackers had gained access to its databases in December 2021. The databases contained extensive patient information, such as contact information, health insurance information, medical record numbers, Social Security numbers, driver’s license numbers, and medical information. As is relatively common in business associate data breaches, each affected healthcare provider reported the breach separately. Texas Tech University Health Sciences Center was one of the worst affected healthcare providers, with 1,290,104 records exposed. HIPAA Journal has tracked the reported data breaches and at least 41 eye care providers and 3,649,470 patients were affected.

Advocate Aurora Health – Impermissible Disclosure of up to 3 Million Records

On October 14, Wisconsin-based Advocate Aurora Health notified OCR about an impermissible disclosure of the protected health information of up to 3,000,000 patients. The disclosure occurred due to the addition of third-party tracking code on its websites, patient portals, and applications. The tracking code was used to gain insights into the use of its patient-facing digital services to improve the patient experience; however, the tracking code transmitted patient information to the developers of that code, including Meta (Facebook) and Google. The information transmitted was based on each user’s interactions and may have included health information that could be tied to individuals. The transmitted information may have included names, appointment dates/times, provider names, procedure types, insurance information, and communications through the MyChart patient portal. Advocate Aurora Health was not alone. Several health systems had used the code on their websites and transferred patient data to third parties without consent or a business associate agreement in place.

Connexin Software – Hacking Incident Involving 2.2 Million Records

Connexin Software is a Wisconsin-based provider of an electronic health record solution to pediatric practices across the country, operating as Office Practicum. A breach of its network was detected in August 2022, with the investigation confirming the hackers accessed and exfiltrated an offline set of data used for data conversion and troubleshooting. That data set included names, Social Security numbers, health insurance information, billing and/or claims data, and clinical information such as treatment information, procedures, diagnoses, and prescriptions. The breach was reported to OCR on November 11, as affecting 2,216,365 individuals. 119 pediatric practices were affected by the data breach.

Shields Health Care Group – Hacking Incident Involving 2 Million Records

Shields Health Care Group is a Massachusetts-based vendor that provides MRI, PET/CT, radiation oncology, and surgical services. On May 27, Shields notified OCR about a breach that affected up to 2,000,000 patients from 60 healthcare practices. Hackers had gained access to its network, with the investigation confirming files containing patient data were exfiltrated over two weeks in March. The stolen data included names, contact information, Social Security numbers, insurance information, billing information, and clinical information such as diagnoses and treatment information.

Professional Finance Company – Ransomware Attack Involving 1.92 Million Records

Professional Finance Company is a Colorado-based vendor that provides debt recovery services. On February 26, the company detected and stopped what it described as a sophisticated ransomware attack, in which certain systems were accessed by the attackers and disabled. The forensic investigation revealed the attackers had access to files containing names, addresses, accounts receivable balances, information regarding payments made to accounts, Social Security numbers, health insurance information, and medical treatment information. The breach was reported to OCR on July 1 as affecting 1,918,941 patients at 657 of its healthcare provider clients.

Baptist Medical Center – Malware Infection Involving 1.6 Million Records

Baptist Medical Center and Resolute Health Hospital in Texas were affected by a security breach that was detected on April 20. Malicious code was detected on its network that allowed hackers to exfiltrate patient data. The investigation into the breach determined the hackers first gained access to its network in late March. The analysis of the affected files revealed they contained protected health information such as names, Social Security numbers, health insurance information, medical record numbers, diagnosis information, and billing and claims information. The breach was reported to OCR on June 15 as affecting 1,608,549 patients of Baptist Medical Center and 54,209 Resolute Health Hospital patients.

Community Health Network – Impermissible Disclosure of up to 1.5 Million Records

The Indiana-based healthcare provider, Community Health Network, notified OCR on November 18 about the impermissible disclosure of the protected health information of up to 1,500,000 individuals. Third-party tracking code from Meta and Google had been added to its websites to provide insights that would allow the improvement of access to information about critical care services and its patient-facing websites. Community Health Network was unaware that adding the code to its websites would result in identifiable health information being transmitted to Meta and Google. The data transferred included IP addresses, appointment information, patient portal communications, procedure types, and other information based on the interactions of users on its website.

Novant Health – Impermissible Disclosure of up to 1.36 Million records

The North Carolina-based healthcare provider, Novant Health, notified OCR on August 14 about an impermissible disclosure of the protected health information of 1,362,296 individuals. The notification was issued on behalf of Novant Health ACE, a contractor for NMG Services Inc. Novant Health was the first HIPAA-regulated entity to notify OCR about a HIPAA violation related to the use of third-party tracking technologies on its website. Novant Health said the tracking code had been misconfigured, which allowed patient information to be sent to Meta such as names, appointment types and dates, provider names, button/menu selection details that may have included information about health conditions, and information submitted by patients in free text boxes.

Broward Health – Hacking Incident Involving 1.35 Million Records

The Florida-based healthcare provider, Broward Health, reported a breach of the PHI of 1,351,431 patients to OCR on January 2, which was the result of hackers gaining access to its network in October 2021. The delay in reporting was at the request of the Department of Justice, so as not to interfere with the investigation. The network was breached via a connected third-party vendor and the hackers had access to the network for 4 days during which time employee and patient information was exfiltrated including names, Social Security numbers, driver’s license numbers, financial information, medical histories, and medical record numbers.

Doctors’ Center Hospital – Ransomware Attack Involving 1.2 Million Records

On November 9, Doctor’s Center Hospital in Puerto Rico reported a hacking incident to OCR involving the protected health information of 1,195,220 patients. Hackers gained access to its network and deployed ransomware on or around October 17. A ransomware group called Project Relic was behind the attack and claimed to have exfiltrated 211 GB of data prior to encrypting files, including employee data and patient information such as names, medical record numbers, and medical notes.

MCG Health – Hacking Incident Involving 1.1 Million Records

The Seattle, WA-based software company, MCG Health, which provides patient care guidelines to healthcare providers and health plans, notified OCR on June 10 about a cyberattack on its network. The investigation suggested the hackers gained access to its network as early as February 2020, but the security breach was not detected until March 2022. The hackers exfiltrated files that contained patient and plan member data such as names, addresses, phone numbers, dates of birth, medical codes, and Social Security numbers. The breach was reported to OCR by MCG Health as affecting 793,283 individuals, but some health plan and healthcare provider clients reported the breach separately. More than 10 U.S. healthcare providers and health plans were affected and 1.1 million individuals are understood to have been affected.

Lessons Learned from the Biggest HIPAA Breaches of 2022

All of these breaches are being investigated by the HHS’ Office for Civil Rights to determine if these organizations were fully compliant with HIPAA and if non-compliance with the requirements of HIPAA caused the data breach, and in some cases, state attorneys general have opened investigations. Class action lawsuits have also been filed against these entities seeking damages and reimbursement of out-of-pocket expenses and losses suffered as a result of misuse of patient and health plan member data. The investigations will uncover whether there have been any HIPAA violations or violations of state law and whether compliance with these regulations would have likely prevented these breaches. While specific information about HIPAA violations is not yet known, there are lessons to be learned by other healthcare providers, health plans, and business associates from these data breaches.

Business Associate Risks Must be Managed

What is clear from the largest HIPAA breaches of 2022 is that cyberattacks on business associates can be particularly damaging, often affecting many HIPAA-covered entities. Business associates provide important services to healthcare organizations that are difficult or too costly to perform in-house, but providing patient information to any third party increases the risk that the information will be exposed, and the more business associates that are used, the greater the risk to patient and plan member data.

Healthcare organizations cannot operate efficiently without third-party vendors, but prior to using any vendor their security measures and protocols should be assessed. HIPAA-covered entities must ensure that a signed business associate agreement (BAA) is obtained, but a BAA alone is not sufficient. The BAA should specify the responsibilities of the business associate with respect to cybersecurity, incident response, and breach reporting, and it may be necessary to enter into a service level agreement with the vendor. HIPAA-covered entities should review their relationships with vendors and their BAAs regularly, conduct annual audits of their vendors to check the cybersecurity measures they have in place, and they should stipulate that vendors must conduct annual risk assessments. It is also worth considering consolidating vendors, where possible.

Care Must be Taken with Tracking Technologies

The use of tracking technologies has come under the spotlight in 2022. These tracking technologies are usually provided by third parties such as big tech firms and are commonly used for website analytics. These tools can be incredibly useful but in healthcare, there is considerable potential for privacy violations. It should be noted that there is no problem with the tools themselves, the problem comes with how they are used and their potential to collect and transmit patient information based on the interactions of individuals.

Due to the potential for disclosures of PHI, HIPAA-compliant patient authorizations may be required and it may be necessary to enter into a business associate agreement with the developer of the code. So far, only a handful of healthcare organizations have reported data breaches associated with tracking technologies, but many hospitals and health systems have used these tracking technologies and may have violated HIPAA and patient privacy. A study by The Markup earlier this year indicated one-third of the top 100 hospitals in the United States had added tracking technologies such as Meta Pixel to their websites. These breaches have highlighted the risks associated with these tools and the importance of conducting a careful assessment of any third-party code prior to adding it to a website or application to verify that it is not transferring data to third parties. If it does, business associate agreements must be in place and patient authorizations may need to be obtained. OCR has recently issued guidance on the use of these tracking technologies and the requirements for HIPAA compliance.
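One practical form of the assessment described above is to record a browser session on the patient portal (a HAR export from the browser's developer tools) and review, offline, every request that leaves the organization's own hosts while carrying appointment-, provider- or condition-like fields. The following is an added example, not code from HIPAA Journal or from any of the organizations named; the first-party hostnames, the tracker hostname and the HAR content are constructed for illustration.

```javascript
// Added example: offline review of a HAR export from a patient-portal session.
// Flags requests to hosts outside the organization that carry parameters whose
// names or values look like the appointment/provider/procedure details that the
// tracking-pixel disclosures above involved. Run with Node.js.

// Hosts the organization controls (assumed values for this example).
const FIRST_PARTY_HOSTS = new Set(["portal.example-health.test", "www.example-health.test"]);

// Field names seen in the disclosures described in this editorial.
const SENSITIVE_KEYS = /appointment|provider|procedure|condition|diagnos|insurance|mrn|patient|dob/i;

// Flatten the parameters of one HAR request: query string plus a JSON or
// form-encoded POST body (one level deep is enough for a review pass).
function extractParams(request) {
  const params = [];
  for (const q of request.queryString || []) params.push([q.name, q.value]);
  const post = request.postData;
  if (post && post.text) {
    try {
      const obj = JSON.parse(post.text);
      if (obj && typeof obj === "object") {
        for (const [k, v] of Object.entries(obj)) params.push([k, String(v)]);
      }
    } catch {
      // Not JSON: treat as application/x-www-form-urlencoded.
      for (const [k, v] of new URLSearchParams(post.text)) params.push([k, v]);
    }
  }
  return params;
}

// One finding per request that leaves the first-party hosts while carrying a
// sensitive-looking parameter name or value.
function auditHar(har, firstPartyHosts = FIRST_PARTY_HOSTS) {
  const findings = [];
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (firstPartyHosts.has(url.hostname)) continue;
    const keys = extractParams(entry.request)
      .filter(([k, v]) => SENSITIVE_KEYS.test(k) || SENSITIVE_KEYS.test(v))
      .map(([k]) => k);
    if (keys.length) findings.push({ host: url.hostname, method: entry.request.method, keys });
  }
  return findings;
}

// Constructed HAR: a first-party API call, a third-party analytics beacon that
// carries appointment details, and a third-party CDN fetch that carries nothing.
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://portal.example-health.test/api/visits",
      queryString: [{ name: "appointment_id", value: "123" }] } },
  { request: { method: "POST", url: "https://tracker.example.test/tr",
      queryString: [{ name: "ev", value: "PageView" }],
      postData: { mimeType: "application/x-www-form-urlencoded",
                  text: "appointment_type=oncology+follow-up&provider_name=Dr+Doe" } } },
  { request: { method: "GET", url: "https://cdn.example.test/app.js", queryString: [] } },
] } };

console.log(JSON.stringify(auditHar(SAMPLE_HAR), null, 2));
```

Replace `SAMPLE_HAR` with `JSON.parse(fs.readFileSync("session.har"))` and `FIRST_PARTY_HOSTS` with the organization's own hostnames to review a real capture; each finding names the receiving host and the parameters that triggered it, which is what a business associate agreement or authorization decision has to cover.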

Develop and Test an Incident Response Plan for Ransomware Attacks

The healthcare industry continues to be targeted by ransomware gangs, who steal sensitive data and encrypt files for extortion. Stolen records are published or sold to other cybercriminal gangs, placing victims at a very real risk of identity theft and fraud, but these attacks also put patient safety at risk. Patients often have to be redirected to other facilities, the lack of access to EHRs requires appointments to be canceled, and the attacks delay diagnosis and essential medical care. In many attacks, electronic systems are taken out of action for several weeks and studies suggest mortality rates increase following a ransomware attack and patient outcomes are affected.

Protecting against ransomware attacks can be a challenge, as ransomware gangs use multiple attack vectors to gain initial access to healthcare networks. Healthcare organizations should keep up to date on the latest threat intelligence and adopt a defense-in-depth approach covering all potential attack vectors. Regaining access to patient data quickly can help to limit the harm caused, and in this regard, it is vital to follow best practices for backups and ensure multiple copies of backups are created with at least one copy stored securely off-site. The key to a fast recovery is contingency planning and implementing a comprehensive incident response plan. Those plans must also be regularly tested with tabletop exercises involving members of all teams involved in the breach response. Some of the most damaging ransomware attacks and hacking incidents were due to contingency and incident response planning failures.

Adopting Recognized Security Practices is Strongly Advisable

An update to the HITECH Act in January 2021 required OCR to consider the recognized security practices an organization has implemented continuously for the 12 months prior to a data breach when making determinations about penalties and sanctions. While HIPAA Security Rule compliance is mandatory, HIPAA-regulated entities are not required by law to implement recognized security practices, but it is strongly advisable. Not only will following recognized security practices reduce the risk of a cyberattack and limit the harm caused, but OCR will also reduce the length of audits and investigations and the financial penalties imposed.

Issue Breach Notifications Promptly

Several of the biggest HIPAA breaches of 2022 involved delays in issuing breach notifications to OCR and the individuals affected. HIPAA is clear about the maximum time frame for reporting breaches of protected health information, which is 60 days from the discovery of a data breach; however, breach notifications should be issued to OCR and affected individuals without unnecessary delay. Prompt notification is important as it allows the individuals affected by the breach to take steps to protect themselves against identity theft and fraud. OCR recently issued a reminder about the requirements for responding to security incidents, in which the breach notification requirements of HIPAA were confirmed. This could indicate OCR may be looking at enforcing this aspect of HIPAA compliance more rigorously in the future, as unnecessary delays in issuing breach notifications are common.

Steve Alder

Editor-in-Chief, HIPAA Journal

The post Editorial: Lessons from Biggest HIPAA Breaches of 2022 appeared first on HIPAA Journal.