HIPAA Breach News

November 2022 Healthcare Data Breach Report

November was a relatively quiet month for healthcare data breaches with 31% fewer breaches reported than the previous month. November’s total of 49 breaches of 500 or more records was also well below the 12-month average of 58 breaches a month. 643 healthcare data breaches have been reported to the HHS’ Office for Civil Rights so far in 2022, which makes this year the second worst year to date for healthcare data breaches.

Despite the fall in reported breaches, the number of breached records increased by 10% from October. November was the worst month of 2022 in terms of the number of breached healthcare records, with 6,904,441 records exposed or impermissibly disclosed – well above the 12-month average of 3.99 million records a month. So far in 2022, 44,852,648 healthcare records have been breached.

Largest Healthcare Data Breaches in November

17 breaches of 10,000 or more records were reported to OCR in November, five of which involved more than half a million records and three of which involved the impermissible disclosure of more than 1 million records. The largest data breach was a hacked network server at the Pennsylvania-based business associate Connexin Software – a provider of electronic medical records to pediatric practices. An unauthorized individual gained access to an offline set of patient data that was used for data conversion and troubleshooting. The records of 2,216,365 patients were exposed and potentially stolen.

The Indiana-based healthcare provider, Community Health Network, reported an impermissible disclosure of the protected health information of up to 1.5 million patients. Tracking code had been added to its website that resulted in patient information being transferred to third parties such as Meta and Google, without obtaining consent from patients or having a business associate agreement in place. Several healthcare providers have reported similar breaches this year, prompting OCR to issue a warning to HIPAA-regulated entities this month over the use of tracking technologies on websites and mobile applications.

Doctors’ Center Hospital in Puerto Rico suffered a ransomware attack that exposed the protected health information of up to 1,195,220 patients. Major ransomware attacks were also reported by the Michigan-based prosthetics and orthotics provider, Wright & Filippis, and Health Care Management Solutions in West Virginia.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Data Breach
Connexin Software, Inc. | PA | Business Associate | 2,216,365 | Hacking/IT Incident | Hacking of network server
Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Unauthorized Access/Disclosure | Website tracking code transmitted PHI to third parties
Doctors’ Center Hospital | PR | Healthcare Provider | 1,195,220 | Hacking/IT Incident | Ransomware attack
Wright & Filippis LLC | MI | Healthcare Provider | 877,584 | Hacking/IT Incident | Ransomware attack
Health Care Management Solutions, LLC | WV | Business Associate | 500,000 | Hacking/IT Incident | Ransomware attack on subcontractor of CMS business associate
Gateway Rehabilitation Center | PA | Healthcare Provider | 130,000 | Hacking/IT Incident | Hacking of network server
Mena Regional Health System | AR | Healthcare Provider | 84,814 | Hacking/IT Incident | Hacking of network server
Dallam Hartley Counties Hospital District | TX | Healthcare Provider | 69,835 | Hacking/IT Incident | Hacking of network server (data theft confirmed)
Consumer Directed Services in Texas, Inc. | TX | Healthcare Provider | 56,728 | Hacking/IT Incident | Hacking incident at a business associate
Stanley Street Treatment and Resources, Inc. | MA | Healthcare Provider | 45,785 | Hacking/IT Incident | Hacking of network server (data theft confirmed)
South Walton Fire District | FL | Healthcare Provider | 25,331 | Hacking/IT Incident | South Walton Fire District
Rosenfeld VanWirt, PC | PA | Business Associate | 18,719 | Hacking/IT Incident | Hacking incident affecting multiple affiliates of the Lehigh Valley Health Network
CCA Health Plans of California, Inc d/b/a CCA Health CA | CA | Health Plan | 14,631 | Hacking/IT Incident | Hacking of network server (data theft confirmed)
CareFirst Administrators | MD | Health Plan | 14,538 | Hacking/IT Incident | Phishing attack on business associate
Work Health Solutions | CA | Healthcare Provider | 13,157 | Hacking/IT Incident | Phishing attack
New York-Presbyterian Hospital | NY | Healthcare Provider | 12,000 | Hacking/IT Incident | Hacking of network server
Epic Management LLC | TN | Healthcare Provider | 10,862 | Hacking/IT Incident | Unauthorized email account access

Causes of November Data Breaches

All but one of the 17 data breaches of 10,000 or more records were due to hacking incidents, several of which were ransomware attacks. Many hacking incidents involve ransomware, although it is common for HIPAA-regulated entities not to disclose the exact nature of these attacks. It is therefore difficult to determine the extent to which ransomware is used in cyberattacks on the healthcare industry. 5,374,670 records were exposed or stolen in these hacking incidents – 77.8% of all records breached in November. The average breach size was 134,367 records and the median breach size was 7,158 records.

There were 8 unauthorized access/disclosure incidents reported that involved the records of 1,521,788 individuals. The majority of those records were impermissibly disclosed by one healthcare provider. The average breach size was 190,224 records and the median breach size was 2,275 records. There was also one theft incident reported involving the records of 7,983 individuals. In the majority of reported incidents, the breached protected health information was located on network servers. There were also 7 incidents involving breaches of email data, and four incidents involving electronic health records.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entities in November, with 26 reported breaches, one of which occurred at a business associate but was reported by the healthcare provider. 6 data breaches were reported by health plans, with one of those breaches occurring at a business associate. Business associates self-reported 17 breaches in November. The pie chart below shows the breakdown of data breaches based on where they occurred, rather than the entities reporting the data breaches.

Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities in 18 states and Puerto Rico. Pennsylvania was the worst affected state with 12 breaches, which involved 34.8% of the month’s breached records. 10 of those breaches were due to a hacking incident involving healthcare providers that are part of the Lehigh Valley Health Network. HIPAA-regulated entities in California reported 6 breaches, but these were relatively minor, only involving the protected health information of 41,382 patients.

State | Breaches
Pennsylvania | 12
California | 6
Florida & New York | 4
Texas | 3
Arkansas, Connecticut, Indiana, Maryland, Massachusetts & Tennessee | 2
Georgia, Michigan, New Jersey, Nevada, Oregon, Washington, West Virginia, and Puerto Rico | 1

HIPAA Enforcement Activity in November

No civil monetary penalties or settlements were announced by OCR in November. Even so, 2022 has seen more HIPAA enforcement actions than in any other year since OCR was given the authority to enforce HIPAA compliance. The majority of the financial penalties in 2022 have been imposed for violations of the HIPAA right of access, and 55% of the year’s enforcement actions over HIPAA violations were on small healthcare providers.

In November, the state of Massachusetts announced that Aveanna Healthcare had been fined $425,000 for a breach of the PHI of 166,000 individuals, 4,000 of whom were Massachusetts residents. Aveanna Healthcare had suffered a phishing attack, with the Massachusetts Attorney General discovering a lack of safeguards such as multi-factor authentication and security awareness training.

The post November 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Six Data Breaches Reported by Healthcare Providers and Business Associates

Work Health Solutions, a San Jose, CA-based occupational health services provider, has confirmed that the protected health information of 13,157 individuals has been exposed and potentially obtained by unauthorized individuals who had access to an employee email account between February 16, 2022 and March 24, 2022.

Following an investigation by third-party cybersecurity professionals, Work Health Solutions determined that the email account contained files that included the information of individuals who had received services from the company. The manual review of those files concluded on October 11, 2022. Work Health Solutions then verified contact information and sent notifications on November 9, 2022.

The exposed files contained names, Social Security numbers, driver’s license numbers, health insurance information, and/or medical information. Complimentary credit monitoring services have been offered to individuals whose Social Security numbers were potentially compromised. Work Health Solutions said it continuously evaluates and modifies its practices to improve privacy and security, which includes educating its workforce regarding privacy matters.

Epic Management Email Account Breach Affects More Than 10,500 Individuals

The healthcare management company, Epic Management LLC, has recently announced that unauthorized individuals gained access to its digital environment and accessed files and data stored in its email system. Epic Management did not disclose when the breach occurred but said the review of affected files was complex and time-consuming, and that process was completed on December 9, 2022.

The information in the email system included first and last names, dates of birth, Social Security numbers, health insurance information, medical information, driver’s licenses, passport numbers, financial account numbers and routing numbers, biometric data, usernames and passwords, and/or payment card numbers and expiration dates and/or security codes.

Credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were exposed and updates have been made to its cyber environment to prevent similar incidents in the future.

NYC Health + Hospitals Alerts Patients About Loss of Device Containing PHI

NYC Health + Hospitals says a defective hard drive that contained the protected health information of 2,174 patients was discovered to be missing from a visual field testing device located at its NYC Health + Hospitals/Woodhull facility in Brooklyn, NY. Because the drive could not be located it was not possible to tell if the data on the device could be accessed, but it was confirmed that the device contained patients’ names, dates of birth, medical record numbers, and visual field test results.

In response, NYC Health + Hospitals has re-educated staff on its policy for the proper chain of custody for devices containing protected health information when those devices are taken out of service. Further, a new policy has been implemented that requires PHI to be removed from visual testing devices on a regular basis. Training has also been enhanced to ensure all employees are aware of the need to promptly notify officials about potential breaches of PHI.

Missouri Law Firm Discovers Unauthorized System Access

Polsinelli PC, a Kansas City, MO-based law firm that provides corporate legal services to hospitals, says files that contained patient information were accessed on September 9, 2022, from two locations by unauthorized individuals. A third-party cybersecurity firm was engaged to investigate the breach and determined that its network and main document repository were not affected; however, the files that were accessed included limited patient information, including names, addresses, Social Security numbers, birth dates, medical record numbers, patient account numbers, health insurance information, and very limited clinical information. Patients of St. Luke’s Health Brazosport are known to have been affected.

Credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved, although the law firm does not believe that any of the compromised information will be used for identity theft or fraud. The breach has been reported to the HHS’ Office for Civil Rights as affecting 1,220 individuals.

Patient Data Exposed in Cyberattack on Hawaiian Eye Center

Hawaiian Eye Center in Wahiawa, HI, has recently started notifying certain patients that some of their protected health information was stored on a server that was accessed by unauthorized individuals. The server was discovered to be unresponsive on November 2, 2022, with the investigation confirming the server and the network had been accessed by an unauthorized individual. The investigation confirmed that files containing patient information had been exfiltrated from its system by the attackers.

Those files contained names, addresses, email addresses, dates of birth, Social Security Numbers, driver’s license numbers, medical record numbers, and health insurance information. Affected individuals have been notified and provided with single-bureau credit monitoring services. Third-party cybersecurity experts have been engaged to conduct a review of its security practices and systems, and appropriate upgrades will be implemented to prevent further incidents in the future.

It is currently unclear how many individuals have been affected.

The Elizabeth Hospice Identifies Insider Data Breach

The Elizabeth Hospice, a non-profit hospice with locations in Carlsbad, Escondido, San Diego, and Temecula, CA, has discovered that a former employee had been forwarding emails from her work email account to a personal account while she was employed by the hospice. A review of the emails was completed on November 14, 2022, and confirmed they contained first and last names, dates of admission, dates of discharge, patient account numbers, and basic health information. The Elizabeth Hospice said it is unaware of any actual or attempted misuse of patient data but has advised affected individuals to be vigilant and monitor their accounts and statements for unauthorized activity.

It is currently unclear how many individuals have been affected.

Avem Health Partners and Emory Healthcare Notify Patients About Data Breaches

Avem Health Partners, an Oklahoma City-based provider of administrative and technology services to healthcare organizations, has recently started notifying its healthcare clients about a data breach that occurred at one of its vendors, 365 Data Centers.

On September 9, 2022, 365 Data Centers notified Avem Health Partners that an unauthorized third party had gained access to its servers. The breach was detected on May 16, 2022, with the investigation confirming there may have been unauthorized access to data stored on those servers prior to May 14, 2022. Avem Health Partners did disclose in its website substitute breach notice when its vendor’s servers were first breached.

A review of the files on the compromised servers confirmed that protected health information such as patient names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and diagnosis and treatment information had been exposed. Avem Health Partners is issuing breach notification letters to affected individuals on behalf of its vendor and complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security numbers or driver’s license numbers exposed. Avem Health Partners said it is re-evaluating its vendor relationships and the security measures that its vendors have implemented.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, but the website of the Texas Attorney General indicates 73,134 individuals have been affected.

Emory Healthcare Reports Insider Data Breach

Atlanta, GA-based Emory Healthcare has recently announced that a former employee had accessed the records of approximately 1,600 patients without authorization. Emory Healthcare was notified about the privacy breach by the U.S. Department of Labor (DOL) on August 24, 2022. An investigation was immediately launched and access logs were checked, which confirmed that the records of patients had been accessed by the employee between December 2020 and December 2021 when there was no legitimate work reason for doing so. Over the space of one year, the records of at least 1,600 patients were accessed.

According to the DOL, the former Emory Healthcare employee is known to have disclosed the demographic information of several hundred Emory Healthcare patients to individuals who were involved in unemployment benefits fraud. The DOL and the U.S. Department of Justice (DOJ) have charged eight individuals in connection with the fraud, including the former Emory Healthcare employee. Emory Healthcare said it cooperated fully with law enforcement during the investigation, arrest, and prosecution of those individuals. Notification letters are now being sent to all affected individuals, who have been offered free credit monitoring and identity theft protection services.

The data stolen included names, dates of birth, and Social Security numbers. Health information, insurance details, and financial information did not appear to have been stolen. Emory Healthcare said it has reinforced privacy and security education with its patient care teams and is continuing to implement best practice technology protocols to protect patient data and detect unauthorized access.
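Emory's investigation turned on checking EHR access logs for chart views with no legitimate work reason. The following Python script is an added example, not Emory Healthcare's or the DOL's code, of that check run over constructed audit-log lines and a constructed care-team assignment table; the user IDs, MRNs, log format and the 30-day grace window are all assumptions.

```python
"""Flag EHR chart accesses that lack a documented treatment relationship.

Added example (not code from Emory Healthcare or the DOL). Two constructed
inputs: an access log (date,user,mrn,action) and a list of care-team
assignments. Any access to a chart by a user with no assignment covering
the access date (within a grace window) is reported as unexplained, and
users with many unexplained patients are surfaced for privacy review.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Assignment:
    """A documented reason for access: the user is on the patient's care
    team (or has a billing/scheduling task) between start and end."""
    user: str
    mrn: str
    start: date
    end: date


@dataclass(frozen=True)
class Access:
    when: date
    user: str
    mrn: str
    action: str


# Constructed sample data; user IDs and MRNs are hypothetical.
ASSIGNMENTS = [
    Assignment("nurse01", "MRN0001", date(2021, 1, 10), date(2021, 1, 12)),
    Assignment("nurse01", "MRN0002", date(2021, 3, 1), date(2021, 3, 3)),
    Assignment("clerk07", "MRN0003", date(2021, 2, 1), date(2021, 2, 1)),
]

# Constructed audit-log lines in the assumed form: date,user,mrn,action
LOG_LINES = """\
2021-01-11,nurse01,MRN0001,VIEW
2021-02-05,nurse01,MRN0002,VIEW
2021-02-01,clerk07,MRN0003,VIEW
2021-06-15,clerk07,MRN0001,VIEW
2021-06-15,clerk07,MRN0002,VIEW
2021-06-16,clerk07,MRN0004,VIEW
2021-06-16,clerk07,MRN0004,PRINT
2021-09-30,nurse01,MRN0005,VIEW
"""

# Accesses shortly before or after an assignment (pre-visit preparation,
# follow-up documentation) are treated as explained. Assumed window.
GRACE = timedelta(days=30)


def parse_log(text):
    """Parse the constructed CSV-style log into Access records."""
    accesses = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        when, user, mrn, action = line.split(",")
        accesses.append(Access(date.fromisoformat(when), user, mrn, action))
    return accesses


def has_relationship(assignments, access, grace=GRACE):
    """True if some assignment for this user/patient covers the access date."""
    for a in assignments:
        if a.user != access.user or a.mrn != access.mrn:
            continue
        if a.start - grace <= access.when <= a.end + grace:
            return True
    return False


def find_unexplained(assignments, accesses, grace=GRACE):
    """Return every access with no covering treatment relationship."""
    return [x for x in accesses if not has_relationship(assignments, x, grace)]


def patients_per_user(unexplained):
    """Count distinct patients each user accessed without a relationship."""
    per_user = defaultdict(set)
    for x in unexplained:
        per_user[x.user].add(x.mrn)
    return {user: len(mrns) for user, mrns in per_user.items()}


def users_to_investigate(summary, threshold):
    """Users whose unexplained-patient count reaches the review threshold."""
    return sorted(user for user, n in summary.items() if n >= threshold)


if __name__ == "__main__":
    unexplained = find_unexplained(ASSIGNMENTS, parse_log(LOG_LINES))
    for x in unexplained:
        print(f"{x.when} {x.user} {x.action} {x.mrn}: no treatment relationship")
    summary = patients_per_user(unexplained)
    print("distinct patients per user:", summary)
    print("review:", users_to_investigate(summary, threshold=3))
```

A single unexplained access is often benign (covering a colleague, a misfiled encounter), so the per-user count over a period is the signal a privacy office acts on, not the individual event.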

Florida Primary Care Provider Fined $20,000 for HIPAA Right of Access Violation

The Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc. (HSCF), has paid a $20,000 financial penalty to settle a HIPAA Right of Access case with the HHS’ Office for Civil Rights.

OCR launched an investigation in response to a November 22, 2019, complaint from a woman who had not been provided with a copy of her deceased father’s medical records. The initial request was made in writing on August 29, 2019, and an Authorization for Release of Medical Record Information form was provided to HSCF along with a copy of the original Letters of Administration. It took multiple requests and almost 5 months for all of the requested medical records to be provided. The complete set of records was received by the woman on January 27, 2020.

The HIPAA Right of Access requires healthcare providers to provide a copy of the requested medical records within 30 days of the request being submitted. In certain circumstances, a 30-day extension is applicable. OCR determined that the delay in providing the requested records was a violation of the HIPAA Right of Access. In addition to paying a $20,000 financial penalty, HSCF has agreed to undertake a corrective action plan, which involves developing, implementing, and maintaining HIPAA Privacy Rule policies and procedures concerning the HIPAA Right of Access, distributing those policies and procedures to staff members, and providing training on those policies and procedures. HSCF will also be monitored by OCR for a period of two years from the date of the settlement.

“The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. We will continue to ensure that health care providers and health plans take this right seriously and follow the law,” said OCR Director, Melanie Fontes Rainer, announcing the settlement. “Today’s announcement speaks to the importance of accessing information and regulated entities taking steps to implement procedures and workforce training to ensure that they are doing all they can to help patients access.”

The HIPAA Right of Access enforcement initiative was launched by OCR in the fall of 2019. Since then, $2,423,650 has been paid by healthcare providers to resolve HIPAA Right of Access violations in 42 enforcement actions. The fines range from $3,500 to $240,000.

Up to 254,000 Medicare Beneficiaries Affected by Ransomware Attack on CMS Subcontractor

On November 14, 2022, Fairmont, WV-based Health Care Management Solutions (HMS) reported a data breach to the HHS’ Office for Civil Rights that affected up to 500,000 individuals. At the time, few details about the breach were released. It has now been confirmed that HMS suffered a ransomware attack on October 8, 2022.

HMS is a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), which is a business associate of the HHS’ Centers for Medicare and Medicaid Services (CMS). The services provided include resolving system errors related to beneficiary entitlement and premium payment records, as well as supporting the collection of Medicare premiums from the direct-paying beneficiary population.

The CMS said HMS does not handle Medicare claims information, so no claims data was affected and CMS systems were not breached; however, the cybercriminals behind the attack may have accessed Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). The CMS says up to 254,000 Medicare beneficiaries have potentially been affected and had some of their PII and PHI exposed.

The information exposed and potentially stolen in the attack included names, addresses, birth dates, phone numbers, Social Security numbers, Medicare beneficiary identifiers, banking information, and Medicare entitlement, enrollment, and premium information. The CMS is issuing notification letters to affected Medicare beneficiaries and said they will be issued with updated Medicare cards with new beneficiary identifiers. Complimentary credit monitoring services are being provided.

HMS notified the CMS about the ransomware attack on October 9, 2022, and on October 18, 2022, the CMS determined with a high degree of confidence that Medicare beneficiary information was involved. Since that date, the CMS has been working with its contractor to determine which individuals were affected. The CMS investigation into the ransomware attack is ongoing, but the initial information indicates HMS acted in violation of its obligations to CMS. The CMS said it is unaware of any attempted or actual misuse of the PII and PHI of Medicare beneficiaries.

“The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”

OCR Fines California Dental Practice for PHI Disclosures on Yelp

The HHS’ Office for Civil Rights (OCR) has announced a settlement has been reached with a Californian dental practice to resolve multiple HIPAA violations that were identified during investigations of a complaint about impermissible disclosures of protected health information on the review platform Yelp.

New Vision Dental is a Californian general dental practice with offices in South Pasadena and Glendora. On November 29, 2017, OCR received a complaint alleging Dr. Brandon Au, owner and CEO of New Vision Dental, had posted responses to several reviews by patients on Yelp and frequently disclosed protected health information in the responses. In some of the posts, patients were identified and their full names were disclosed, when they had chosen to only use a moniker on the platform. Other information allegedly posted by Dr. Au included detailed information about the patients’ visits, treatment, and insurance, when that information had not been posted publicly by the patients.

The investigation into the impermissible disclosures also included an on-site visit to New Vision Dental. OCR’s investigators were able to confirm that Dr. Au had impermissibly disclosed the protected health information of patients on multiple occasions on Yelp, that the practice did not have the required content in its Notice of Privacy Practices, and had not implemented appropriate policies and procedures concerning protected health information, including the release of protected health information on social media platforms and in public places.

New Vision Dental chose to settle the case and paid a $23,000 financial penalty, has agreed to adopt a corrective action plan to address the aspects of non-compliance identified by OCR, and will be subject to monitoring by OCR for a period of two years.

“This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose [the] protected health information of their patients when responding to negative online reviews. This is a clear NO,” said OCR Director, Melanie Fontes Rainer. “OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”

This is the 21st financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations – more than in any other year since OCR was given the authority to enforce HIPAA compliance.

Data Breaches Reported by CareFirst Administrators, Legacy Health & Blakehurst

CareFirst Administrators (CFA) has notified 14,538 individuals about a phishing attack on its revenue cycle management vendor, Conifer. CFA was one of several healthcare organizations to be affected by the incident. A security breach was identified by Conifer in late March, with the investigation determining several Microsoft 365 accounts had been accessed by unauthorized individuals between March 17 and March 22, 2022. CFA was informed about the breach on June 23, 2022.

One of the compromised email accounts was determined to contain the protected health information of CFA members, including names, addresses, birth dates, Social Security numbers, health insurance information, medical information, and billing and claims information.

Conifer said it has implemented additional security measures to better protect its Microsoft 365 email environment to reduce the risk of further breaches.

Legacy Health Identifies Insider Breach

Legacy Health in Oregon has recently reported a breach of the protected health information of 7,983 patients. According to the substitute breach notice, the Privacy Office learned on July 25, 2022, that an employee had saved files containing patients’ protected health information to external devices without authorization. An internal investigation was launched, and it was determined that the employee had transferred files containing patient data to a personal storage device via external drives and email.

The employee had access to patient data suspended while the investigation was conducted. In multiple interviews, the employee was unable to provide a valid work reason for those actions. A review of the files revealed they contained patients’ names, birth dates, medical record numbers, dates of service, provider names, health insurance information, diagnosis and/or treatment information, and some Social Security numbers. Patients started to be notified on November 23, 2022.

Legacy Health does not believe patient information has been further disclosed or misused, although patients have been advised to monitor their credit reports and account statements for signs of misuse of their data. Free credit monitoring services are being offered to affected patients. Legacy Health has reinforced training with its workforce regarding appropriate uses and disclosures of patient data.

Maryland Senior Living Facility Announces Data Breach

Blakehurst, a senior living facility in Towson, MD, has recently announced that the personal and protected health information of current and former employees and patients has potentially been compromised in a cyberattack. Around February 7, 2022, unusual activity was detected in its email environment. The forensic investigation determined several employee email accounts had been subjected to unauthorized access, and on August 4, 2022, Blakehurst confirmed that the email accounts contained patient data.

The review of emails and attachments was completed on September 20, 2022, and revealed names, dates of birth, medical information, Social Security numbers, health insurance information, driver’s license numbers, and financial account numbers had potentially been compromised. Affected individuals were notified about the breach on December 6, 2022, and have been offered complimentary credit monitoring and identity theft protection services and will be covered by a $1,000,000 identity theft insurance policy. Blakehurst said it has taken steps to improve the security of its email environment to prevent similar breaches in the future.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Data Breaches Reported by CareFirst Administrators, Legacy Health & Blakehurst appeared first on HIPAA Journal.

Telehealth Websites are Transmitting Sensitive Health Information to Big Tech Firms

The private information of visitors to telehealth websites is being shared with big tech companies without user consent due to the use of tracking code snippets on the websites, according to a recent analysis by The Markup.

The websites of 50 direct-to-consumer telehealth companies were analyzed for the presence of third-party tracking code, 49 of which were found to have tracking code that transmitted the information of visitors to third parties, including Meta/Facebook and Google.

The study follows on from an analysis of the websites of the top 100 hospitals in the United States in the summer, which revealed one-third were using tracking code on their websites that was sending data to third parties without consent, valid HIPAA authorizations, or business associate agreements. In a handful of cases, the tracking code was added behind password-protected patient portals.

The latest study of telehealth websites included sites that collect highly sensitive information from visitors, such as the personal and health information of people with Substance Use Disorder (SUD) who are seeking treatment. In many cases, the answers to medical questionnaires were also sent to big tech firms, including answers to questions about health conditions, medical histories, and drug use.

The report, jointly published by The Markup and STAT, found that 49 of the 50 sites studied transmitted the URLs that an individual had visited, with 35 sites also transferring personal information such as email addresses, phone numbers, and full names. 19 sites recorded and transmitted when the user initiated checkout, 13 sites sent the answers to questionnaires to third parties, 11 sites sent data confirming when the user had added an item to their cart (such as a treatment plan), and 9 sites transferred the date the user created the account.

The 13 sites that sent questionnaire data were of particular concern, as the answers were to health questions. That information was sent to a variety of companies, including Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, and Pinterest. 25 sites told big tech firms when a user had added an item such as a prescription medication to their cart or checked out with a treatment plan.

All but one of the 50 websites transferred the URLs that a user had visited on the site. The websites provide health and treatment information, so the URL of a page can itself reveal the specific health complaint a visitor is researching. The recipient can then tie that page to an individual or a household via the IP address, together with any identifiers the tracking code collects, such as the email addresses and names noted above. Amazon Clinic was the only website that did not share website data with third parties.

Potential HIPAA Violations

Healthcare providers are HIPAA-covered entities and disclosures of protected health information are restricted by the HIPAA Privacy Rule. SUD treatment records are also subject to the 42 CFR Part 2 Confidentiality of Substance Use Disorder (SUD) Patient Records regulations. Recently, the HHS’ Office for Civil Rights published guidance for HIPAA-regulated entities that confirmed that the use of third-party tracking code on websites violates HIPAA if that tracking code collects and transfers protected health information (PHI) to a third party, unless the third party qualifies as a business associate under HIPAA and a HIPAA-compliant business associate agreement is in place before the code is used. If the third party is not a business associate, HIPAA-compliant patient authorizations are required before that code can be used.

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, but many of the telehealth sites studied operate in a gray area. The websites are not run by HIPAA-regulated entities or SUD treatment providers, so the HIPAA and Part 2 regulations do not apply to them, even though the data collected is the same data that would be classed as PHI or SUD records if collected by a covered entity.

The information collected through these websites is passed on to HIPAA-covered entities and entities covered by Part 2, but the websites themselves are intermediaries and are therefore not bound by HIPAA or the Part 2 regulations. For example, one website run by Cerebral Inc. collected the kind of data that HIPAA would protect, but Cerebral Inc. is not a HIPAA-covered entity. The website passes the information to Cerebral Medical Group, P.A., which is a HIPAA-covered entity. The transfer of data to the big tech firms occurred before the transfer to Cerebral Medical Group, P.A.

WorkIt Health provides healthcare services including SUD treatment. Its website states in its Notice of Privacy Practices (NPP) that, “You are receiving this NPP because you are or intend to receive health care services from a Workit Health Clinic… Each Workit Health Clinic together designates themselves as a single Affiliated Covered Entity (“ACE”) for purposes of compliance with HIPAA.” However, the WorkIt website had trackers from Google, Facebook, Bing, and Twitter, and transferred URLs, personal information, and answers to questionnaires. The Markup contacted WorkIt Health regarding the findings of the study and WorkIt Health removed the tracking technology from its website and initiated an investigation into the privacy breach.

Visitors to These Websites Expect Privacy

Many healthcare organizations add these tracking technologies to their websites with good intentions, as the technology can provide data that helps to improve the user experience on websites and gauge the effectiveness of marketing campaigns, but the operators often do not fully understand how much patient information those tags send to the vendors.

Individuals who visit these websites are unlikely to be aware that any information they provide directly through answers on web forms and medical questionnaires, and indirectly via the sites they visit, is not being kept private and confidential, and that is a big concern. Many of these sites mention HIPAA and Part 2 in their NPPs, yet the extent to which those regulations apply is unclear. The Markup notes that at least 12 of the studied companies state that they are HIPAA compliant, but that does not necessarily mean that the information provided on the site is kept private or is indeed covered by HIPAA at the point it is collected.

The study shows that there is a trade-off when using these websites. Patients get convenience, but it may come at the expense of their privacy. There is a massive gap in HIPAA, which has not been updated to account for changes in how healthcare is being provided, and there are also suggestions of deceptive privacy practices, albeit in many cases unwittingly deceiving visitors about privacy.

“Sensitive health information is being shared, inadvertently, online every day. Hospital websites, online pharmacies, and health information sites use a variety of applications (site analytics, links to social media, advertising) that collect and share site visitors’ data, including the healthcare terms and medical conditions that the user is searching,” Ian Cohen, CEO of LOKKER told HIPAA Journal. “For example, in LOKKER’s recent research of over 170,000 websites, we identified the Meta Pixel (Facebook) on over 40% of healthcare sites. Similar data was found about data being shared with TikTok, Snapchat, Pinterest, Microsoft, and Google, as well.” Cohen went on to say, “Not only are consumers and patients unaware that their information is being collected and shared, we believe that the website owners don’t fully understand the extent to which they are sharing data back to the social networks.”

The Markup explained that its researchers did not test all webpages on the sites of the telehealth providers, so the full extent to which tracking code has been used is not known. Tracking code can also be configured differently on different web pages.

It is also unclear what the big tech firms do with the transferred data. Several big tech firms state that they do not allow targeted advertising related to health conditions, although there are ways around that by using closely related terms. Meta, for instance, claims to strip out any data it should not receive and does not provide that information to third-party advertisers. The extent to which that occurs is also unclear. Meta is the subject of several lawsuits over this very matter, some of which allege health data has been used to serve targeted ads to patients whose information was collected through the Meta Pixel code snippet.

Steps Operators of Health Websites Should Take

The HHS’ Office for Civil Rights has made clear in its recent guidance that tracking technology on websites violates HIPAA when it sends PHI to a vendor without a business associate agreement or a valid authorization, and that this issue needs to be addressed immediately. An impermissible disclosure of PHI through third-party tracking technology is a reportable breach, so HIPAA-regulated entities are required to report such incidents. So far, only a few HIPAA-regulated entities have done so, despite huge numbers having added tracking code to their websites. Even if the websites are not run by HIPAA-regulated entities, the operators of those websites have a moral responsibility to protect the privacy of their visitors with respect to their sensitive health information. Ian Cohen suggests all healthcare organizations should take the following actions:

  1. Take inventory of what data your websites and apps are collecting and if you’re violating your own privacy policy, other privacy laws, or your customers’ trust
  2. Know your partners and ensure they aren’t exploiting your customers’ information
  3. Build customer privacy ‘muscle’ by forming teams that include Marketing, IT, and Legal and establish routines for better data hygiene
  4. Don’t just ask for customer consent for bad practices, re-evaluate how you want to better serve your customers and build trust with every interaction by communicating clearly
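The inventory step above is the one that can be automated. The following is an added example, not code from The Markup, HIPAA Journal, LOKKER or any of the vendors named in the article: a small Python script that statically scans a page's HTML for the tracker scripts, inline tag calls and image beacons of the vendors named in the study, reports which of the vendors found have no business associate agreement on file, and decodes a captured Meta Pixel request to show that it carries the visited URL (here a treatment page) and form-derived user data. The tracker host list and inline call names are an illustrative assumption, the sample page and beacon URL are constructed for the example, and the Pixel beacon parameter names used by the decoder (id, ev, dl, ud[...]) are taken from how the beacon is observed in practice rather than from any vendor documentation.

```python
# Added example: static tracker inventory + Meta Pixel beacon decoder.
# Not from The Markup, HIPAA Journal, LOKKER or any vendor. Host list,
# sample page and sample beacon are constructed/illustrative assumptions.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Script/beacon hosts of the vendors named in the study (illustrative, not exhaustive).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
    "bat.bing.com": "Microsoft UET (Bing)",
    "sc-static.net": "Snap Pixel",
    "static.ads-twitter.com": "Twitter Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "ct.pinterest.com": "Pinterest Tag",
}
# Inline JavaScript calls that initialise or fire those tags.
INLINE_CALLS = {
    "fbq(": "Meta Pixel", "gtag(": "Google Tag Manager", "ttq.": "TikTok Pixel",
    "uetq.": "Microsoft UET (Bing)", "snaptr(": "Snap Pixel",
    "twq(": "Twitter Pixel", "pintrk(": "Pinterest Tag",
}


class TrackerScanner(HTMLParser):
    """Records (vendor, where, evidence) for every tracker reference in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        src = a.get("src") if tag in ("script", "img", "iframe") else None
        if src:
            host = urlsplit(src).hostname or ""
            for known, vendor in TRACKER_HOSTS.items():
                if host == known or host.endswith("." + known):
                    self.findings.append((vendor, f"<{tag} src>", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as raw data, so inline
        # snippets such as fbq('track', 'PageView') are visible here.
        if self._in_script:
            for call, vendor in INLINE_CALLS.items():
                if call in data:
                    self.findings.append((vendor, "inline script", call))


def inventory(html):
    """Map each tracking vendor found in html to the evidence for it."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    found = {}
    for vendor, where, evidence in scanner.findings:
        found.setdefault(vendor, []).append(f"{where}: {evidence}")
    return found


def vendors_without_baa(html, baa_vendors):
    """Vendors that receive data from this page but have no BAA on file.
    Under the OCR guidance, PHI may only reach them with a valid
    authorization; otherwise the tag has to be removed."""
    return sorted(v for v in inventory(html) if v not in baa_vendors)


def decode_meta_beacon(url):
    """Read a captured Meta Pixel request to www.facebook.com/tr.
    Parameters used: id (pixel id), ev (event name), dl (page URL),
    ud[...] (advanced-matching user data). A reader for the beacon, not Meta's code."""
    parts = urlsplit(url)
    if parts.hostname != "www.facebook.com" or not parts.path.startswith("/tr"):
        return None
    q = parse_qs(parts.query)
    user_data = {k[3:-1]: v[0] for k, v in q.items()
                 if k.startswith("ud[") and k.endswith("]")}
    return {"pixel_id": q.get("id", [None])[0], "event": q.get("ev", [None])[0],
            "page_url": q.get("dl", [None])[0], "user_data": user_data}


# Constructed sample page: a treatment landing page carrying Google Tag
# Manager and the Meta Pixel (script, inline init, and noscript beacon).
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init','000000000000000');fbq('track','PageView');</script>
</head><body>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"/></noscript>
<form action="/intake"><input name="drug_use"><button>Continue</button></form>
</body></html>"""

# Constructed beacon as the Pixel would send it from that page: the visited
# treatment URL in dl, and a (dummy) hashed e-mail from the form in ud[em].
SAMPLE_BEACON = ("https://www.facebook.com/tr/?id=000000000000000&ev=PageView"
                 "&dl=https%3A%2F%2Fclinic.example%2Ftreatment%2Fopioid-use-disorder"
                 "&ud%5Bem%5D=" + "0" * 64)

if __name__ == "__main__":
    for vendor, evidence in inventory(SAMPLE_PAGE).items():
        print(vendor, "<-", "; ".join(evidence))
    print("vendors with no BAA:", vendors_without_baa(SAMPLE_PAGE, baa_vendors=set()))
    beacon = decode_meta_beacon(SAMPLE_BEACON)
    print("page URL sent to Meta:", beacon["page_url"])
    print("user data fields sent:", list(beacon["user_data"]))
```

Run it against saved HTML from each page of a site rather than just the home page, since, as The Markup notes, tags can be configured differently on different pages; the beacon decoder is the piece to apply to captured browser traffic, because the dl parameter is exactly where a condition-specific page URL leaves the site.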

The post Telehealth Websites are Transmitting Sensitive Health Information to Big Tech Firms appeared first on HIPAA Journal.