HIPAA Breach News

U.S. Vision Subsidiary and Florida Addiction Treatment Center Announce 2021 Data Breaches

USV Optical, a subsidiary of U.S. Vision, has recently confirmed that the information of patients at several entities within its network has been exposed. Suspicious activity was detected within its network on May 12, 2021, with the forensic investigation confirming unauthorized individuals had access to its network for a month between April 20, 2021, and May 17, 2021. During that time, the attackers may have viewed or acquired sensitive patient data.

The breach was reported to U.S. Vision shortly after it was detected; however, at the time it was unclear which entities and patients had been affected. Nationwide Optical Group acquired or became affiliated with several U.S. Vision entities in September 2019, including Nationwide Optometry and SightCare. USV Optical started to provide administrative services to those entities around that time. Nationwide Optical Group was informed about the breach and requested U.S. Vision investigate the incident further to find out more information and recommended monitoring the dark web to determine if any sensitive data had been released. No further information was subsequently provided about any dark web detections.

On September 22, 2022, Nationwide Optical Group was informed that the review of the files on the compromised parts of the network had been completed, and it was confirmed that the following types of information had potentially been stolen: full names, dates of birth, addresses, Social Security numbers, taxpayer identification numbers, driver’s license numbers, financial account information, medical and/or treatment information, prescription medications, health insurance information, and billing and claims information. The types of information exposed varied from patient to patient.

The information provided was validated and correct contact information was obtained, allowing individual notification letters to be sent. That process was completed on October 17, 2022. Affected individuals have now been notified and have been offered complimentary credit monitoring and identity theft protection services.

Phoenix House Florida Email Accounts Compromised

Phoenix House Florida, a non-profit residential addiction treatment program provider, has recently announced that the protected health information of 6,594 patients has been exposed and potentially obtained by unauthorized individuals who gained access to certain employee email accounts.

The email accounts contained the protected health information of patients of Phoenix Programs of Florida, including names, Social Security numbers, driver’s license numbers, birth dates, credit/debit card numbers, expiry dates, and CVV codes, digitized or electronic signatures, Client IDs, medical information such as condition, treatment, or diagnosis, and health insurance information.

Phoenix House Florida did not disclose when the security breach was detected but said the email accounts were compromised between July 13, 2021, and November 1, 2021. The forensic investigation confirmed on September 2, 2022, that protected health information had been exposed, and notification letters were sent to affected individuals on October 19, 2022. No evidence was uncovered that suggested information in the email accounts was viewed or acquired. Complimentary identity theft protection services have been offered to individuals whose Social Security numbers or driver’s license numbers were involved.

The post U.S. Vision Subsidiary and Florida Addiction Treatment Center Announce 2021 Data Breaches appeared first on HIPAA Journal.

St. Luke’s Health Reports Third Party Data Breach

St. Luke’s Health has recently notified 16,906 patients that some of their protected health information has been exposed in a security incident at a vendor that provides consulting services. On November 5, 2021, the email accounts of two employees of Adelanto Healthcare Ventures (AHCV) were accessed by an unauthorized individual.

An investigation was launched into the incident, which initially determined no patient information had been exposed; however, a subsequent review determined the information of certain St. Luke’s Health patients was present in the email accounts and could potentially have been accessed or acquired by the attackers. The exposed information included names, addresses, dates of birth, Social Security numbers, dates of service, medical record numbers, Medicaid numbers, and some limited clinical information, such as treatment and diagnosis codes. St. Luke’s Health was notified about the breach on September 1, 2022.

St. Luke’s Health explained in its breach notification letters that no reports have been received that suggest there has been any misuse of patient data; however, as a precaution, AHCV is offering affected individuals complimentary identity theft and credit monitoring services.

St. Luke’s Health is currently recovering from a ransomware attack on its parent company, CommonSpirit Health, that occurred more than a month ago. CommonSpirit Health is still facing disruption to business operations as a result of the attack but has now restored the MyChart patient portal and providers can now access their patients’ electronic medical records.

Tift Regional Health System Investigating Cyberattack and Data Breach

Tift Regional Health System (TRHS) in Tifton, GA, has recently announced that its systems have been compromised and that the attackers potentially accessed and obtained the protected health information of some of its patients. The unauthorized system access occurred on or around August 16, 2022. Prompt action was taken to secure its systems and an investigation was launched to determine the nature and scope of the attack.

TRHS said files on its systems were not encrypted, and its electronic medical record system was not accessed; however, the forensic investigation was unable to rule out unauthorized access and theft of files that contained patient information. The files on the compromised part of the network contained Social Security numbers, patient identification numbers, driver’s license numbers, medical information, treatment information, diagnosis information, health insurance information, and dates of birth.

TRHS said it is reviewing its existing policies and procedures regarding cybersecurity and additional safeguards are being evaluated to protect against this type of incident in the future. The breach has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals. That number is often used as a placeholder until the full extent of the breach is known.

Wenco Management Reports Breach of Health and Welfare Benefit Plan Member Data

The protected health information of 20,526 employees of Wenco Management, LLC, has been exposed and potentially obtained by unauthorized individuals. Wenco Management operates the Wendy’s fast-food chain. Affected employees were members of its Health and Welfare Benefit Plan.

Wenco Management identified the breach on August 21, 2022. After its systems were secured, a forensic investigation was launched to determine the nature and scope of the breach, which confirmed an unauthorized individual had accessed its network and potentially viewed and obtained employee records that included names, Social Security numbers, and plan selection information. The breach occurred on the same day it was identified and blocked. Affected individuals have been offered complimentary credit monitoring services. Wenco Management said it has taken steps to improve the security of its systems to prevent further data breaches in the future.


Lawsuits Filed Against OakBend Medical Center and Keystone Health Over Data Breaches

OakBend Medical Center in Richmond, TX, and Keystone Health in Chambersburg, PA, are facing class action lawsuits over recent hacking incidents that resulted in the exposure and theft of the protected health information of hundreds of thousands of patients.

OakBend Medical Center

On September 1, 2022, OakBend Medical Center discovered its systems had been compromised and files had been encrypted. The breach was contained and access to its network was terminated, and a forensic investigation was conducted to determine the nature and scope of the attack. The forensic investigation confirmed that the attackers had exfiltrated files containing patient data. OakBend Medical Center said entire medical records do not appear to have been stolen. The stolen data included names, contact information, dates of birth, and Social Security numbers. The threat actors behind the attack – Daixin Team – claim the data they stole included 1 million patient records, although that has yet to be confirmed by OakBend Medical Center.

On October 28, 2022, two patients affected by the data breach – Ryan Higgs and Alissa Wojnar – took legal action over the theft of their protected health information. The lawsuit was filed by Dallas, TX-based attorney Joe Kendall in the District Court for the Southern District of Texas and alleges OakBend Medical Center maintained the private information of patients “in a reckless manner,” and failed to properly monitor its IT network. The lawsuit alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, intrusion upon seclusion, invasion of privacy, and unjust enrichment.

The plaintiffs claim they have suffered the loss of the benefit of their bargain, out-of-pocket expenses, the value of their time that was incurred to remedy and mitigate the effects of the attack, emotional distress, and the imminent risk of future harm caused by the compromise of their sensitive personal information. The lawsuit seeks class action status, compensatory damages, reimbursement of out-of-pocket expenses, and injunctive relief that requires OakBend Medical Center to implement additional security measures to better protect patient data and to also provide adequate credit monitoring services to affected patients.

Keystone Health

On August 19, 2022, Keystone Health discovered its network had been compromised. After systems were secured, a forensic investigation was launched to determine the scope of the attack, and it was confirmed that hackers had access to its network between July 28, 2022, and August 19, 2022. During that time, they had access to sensitive patient data including names, Social Security numbers, and clinical information. The breach affected 235,237 patients, who were notified on October 14, 2022.

A lawsuit was filed in the District Court for the Middle District of Pennsylvania by the law firm Milberg Coleman Bryson Phillips Grossman, PLLC that named Jacob Whitehead as plaintiff, on behalf of his minor son. The lawsuit alleges Keystone Health failed to properly secure and safeguard personally identifiable information, and that the private information of patients was maintained in a reckless and negligent manner that made it vulnerable to cyberattacks.

The lawsuit alleges negligence for failing to implement minimum industry standards for protecting patient data and claims Keystone Health failed to meet its obligations under the HIPAA Security Rule as appropriate safeguards had not been implemented to protect patients’ electronic protected health information. The lawsuit also alleges a violation of the HIPAA Breach Notification Rule for failing to properly notify patients about the data breach.

The lawsuit claims the plaintiff and others affected by the data breach are now at significant risk of identity theft and various other forms of personal, social, and financial harm. They allege an injury has been sustained in the form of the lost or diminished value of their private information, out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their private information, lost time and opportunity, and a continued and substantially increased risk of cyberattacks and fraud.

The lawsuit seeks class action status, a jury trial, damages, and equitable and injunctive relief, including a requirement for Keystone Health to ensure it has an effective and comprehensive security program, to undergo independent security audits and penetration tests, to engage internal personnel to run automated security monitoring, and to provide security awareness training to all employees, at least annually.


Advocate Aurora Health and WakeMed Sued Over Meta Pixel Privacy Breaches

Two class action lawsuits have been filed on behalf of patients whose protected health information (PHI) was impermissibly disclosed to Meta/Facebook as a result of the use of the Meta Pixel JavaScript code snippet on the websites and web applications of Advocate Aurora Health and WakeMed Health and Hospitals. Advocate Aurora Health said the PHI of up to 3 million patients had potentially been disclosed to Meta/Facebook, and WakeMed said around 495,000 patients were affected due to the inclusion of the code on the MyChart patient portal and its appointment scheduling page. Both healthcare providers have admitted to an impermissible disclosure of PHI but said at the time of issuing notifications that they were unaware of any cases of misuse of patient information and that there are no indications that employees of Meta or Facebook viewed the transmitted data.

The lawsuit against Advocate Aurora Health, which also names Meta as a defendant, was filed in the U.S. District Court for the Northern District of Illinois and names Alistair Stewart, of Illinois, as the lead plaintiff. The lawsuit seeks class action status, damages, and injunctive and other equitable relief. According to the lawsuit, “Whenever a patient uses Advocate’s websites and applications, including its LiveWell portal, Advocate and Facebook intercept, contemporaneously cause transmission of, and use personally identifiable patient information and PHI without patients’ knowledge, consent, or authorization.” The lawsuit alleges Advocate Aurora Health and Meta were aware that protected health information was being transmitted, and that this was in violation of the HIPAA Rules. “This was evidenced from, among other things, the functionality of the Pixel, including that it enabled Advocate’s LiveWell portal to show targeted advertising to its digital subscribers based on the products those digital subscribers had previously viewed on the website, including certain medical tests or procedures, for which Advocate received financial remuneration.”

Advocate Aurora Health maintains that the tracking code was only used to improve the consumer experience across its websites, and to encourage individuals to schedule necessary preventive care, and said it has stopped using the code and has implemented additional safeguards and third-party code-checking procedures to prevent similar breaches in the future.

The lawsuit against WakeMed was filed in the Wake County Superior Court in North Carolina by attorneys Gary Jackson and Tom Wilmoth and similarly seeks class action status, damages, and injunctive relief. The lawsuit makes similar claims and also alleges that the code was added to the website in the knowledge that sensitive patient data would be shared with Meta, and that WakeMed received financial benefits from sharing that information with Meta. The lawsuit alleges violations of FTC Rules and HIPAA, as sensitive healthcare data, including PHI, was shared with Meta without the knowledge or consent of the plaintiff and class members.

The lawsuit states the plaintiff reasonably expected her online communications with WakeMed to be confidential and would not be shared with or intercepted by a third party, and that consent to share her data had not been requested or obtained. The lawsuit alleges negligence for failing to implement reasonable safeguards to prevent improper disclosures of PHI, failing to adequately train employees, and failing to follow industry-standard data security practices.

In order for healthcare data breach lawsuits to succeed, an actual injury must have been sustained. Unlike in data breach lawsuits filed against healthcare organizations that have been hacked, here the plaintiffs’ PHI is not in the hands of cybercriminals and there has been no injury through fraud or identity theft. The lawsuits instead allege an injury in the form of the diminution in the value of the plaintiffs’ and class members’ private information. The plaintiff in the WakeMed lawsuit alleges she has lost time and experienced annoyance, interference, and inconvenience, which has led to her suffering anxiety, emotional distress, and increased concerns about her loss of privacy.

Many healthcare providers added Meta Pixel code to their websites. A study conducted by The Markup revealed 33 of the top 100 hospitals in the United States used the code, several of which added Meta Pixel to their patient portals. In August 2022, Novant Health announced that the PHI of up to 1.36 million patients had potentially been disclosed to Meta/Facebook, and many other healthcare providers are expected to make similar announcements in the coming weeks. Lawsuits have already been filed against Medstar Health System in Maryland, UCSF Medical Center and Dignity Health Medical Foundation, and Northwestern Memorial Hospital in Chicago, due to the use of the tracking code on their websites.


Georgia Home Health Company Settles Phishing Investigation and Pays $425,000 Penalty

Aveanna Healthcare has agreed to pay a $425,000 financial penalty to the Office of the Attorney General of Massachusetts for failing to implement appropriate safeguards to prevent phishing attacks, in violation of state and federal laws.

Aveanna Healthcare operates in 33 states and is the nation’s largest provider of pediatric home care. In the summer of 2019, Aveanna Healthcare was targeted in a phishing campaign that saw more than 600 phishing emails sent to its employees. The phishing emails attempted to trick the recipients into providing credentials, money, or other sensitive information. The first email account was breached in July 2019, with the attacks continuing throughout the summer. Aveanna Healthcare discovered the breach on August 24, 2019.

The forensic investigation revealed multiple employees had been tricked into disclosing their account credentials, which provided the attackers with access to parts of the network that contained the protected health information (PHI) of 166,000 patients, including the PHI of approximately 4,000 Massachusetts residents. The patient information exposed and potentially copied included names, Social Security numbers, driver’s license numbers, financial account numbers, and health information such as diagnoses, medications, and treatment information. The threat actors also logged into the human resources system and attempted to change the direct deposit information of employees to divert payments.

The Massachusetts AG’s Office launched an investigation into the phishing attacks and determined that Aveanna Healthcare had failed to implement appropriate safeguards to protect against phishing attacks. The AG’s Office alleged Aveanna was aware that its cybersecurity program was insufficient at the time of the phishing attacks and that it did not have sufficient tools in place to adequately defend against phishing attacks, such as multifactor authentication and sufficient security awareness training for its workforce. The Massachusetts AG’s Office determined that Aveanna’s security program had not met the minimum level of security required by the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts nor the minimum standards for security demanded by the HIPAA Security Rule.

The consent judgment requires Aveanna to pay a financial penalty of $425,000 to the Massachusetts AG’s office to resolve the violations, and adopt a corrective action plan that requires Aveanna to develop, implement, and maintain a security program that includes phishing protection technology, multi-factor authentication, and other systems designed to detect and address intrusions. Aveanna must also provide additional security awareness training to the workforce, including providing regular updates on the latest security threats. Aveanna is required to undergo annual independent assessments of its compliance with the consent order and will be monitored by the Massachusetts AG’s Office for a period of four years.

“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” said Massachusetts Attorney General Maura Healey. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”

Aveanna Healthcare is also facing a class action lawsuit over the exposure of patient data. The lawsuit alleges a failure to implement appropriate security measures and also takes issue with the length of time it took Aveanna to announce the data breach – 5 months after the breach was detected.


Update: CorrectCare Integrated Health Data Breach Affects Hundreds of Thousands of Inmates

The medical claims processor, CorrectCare Integrated Health, has recently notified its clients that the protected health information of some of their patients was accidentally exposed over the Internet and may have been accessed by unauthorized individuals. On July 6, 2022, CorrectCare discovered two file directories on its web server had been misconfigured and could be accessed over the Internet without authentication.

The breach has affected patients treated by Mediko, Inc. – the largest provider of health care services to individuals in correctional facilities in Virginia. Mediko has reported the breach to the HHS’ Office for Civil Rights (OCR) as affecting 2,809 individuals. Sacramento County Adult Correctional Health says 5,372 individuals have been affected, and the Louisiana Department of Public Safety and Corrections says 85,466 individuals incarcerated in facilities in the state have been affected. Health Net Federal Services (HNFS) in California, a business associate of the California Correctional Health Care Services (CCHCS)/California Department of Corrections and Rehabilitation (CDCR), has had data exposed, although at this stage it is unclear how many individuals have been affected.

CorrectCare said the web server was secured within 9 hours of the discovery of the misconfiguration. The forensic investigation confirmed the files were exposed from January 22, 2022, to July 7, 2022. The exposed data related to individuals treated between January 1, 2012, and July 7, 2022. The files in the exposed directories included names, dates of birth, inmate numbers, and limited health information, including diagnosis codes, CPT codes, treatment providers, dates of treatment, and, for some individuals, Social Security numbers.

On October 31, 2022, CorrectCare submitted three breach reports to OCR confirming the protected health information of 496,589 individuals had been exposed. The final breach total is not yet known, but more than 590,236 individuals are now known to have been affected.

Regions Hospital Reports Hacking Incident

Regions Hospital in St. Paul, MN, has recently confirmed that unauthorized individuals gained access to the protected health information of 978 patients. The attacker is believed to have accessed its secure network to steal payments from a health insurer, rather than to obtain patient information.

However, as part of that activity, a document on the network was opened that contained patient information, including first and last names and Social Security numbers. Affected individuals have been notified by mail and offered a 12-month membership to an identity theft protection service.


Anesthesia, Eye Care, and Telehealth Providers Announce Third-Party Data Breaches

Several more providers of anesthesia services have confirmed they have been affected by a data breach at their management services organization (MSO). Last month, HIPAA Journal reported that 13 providers of anesthesia services to hospitals had been affected by the breach. At least five more healthcare providers are now known to have been affected. The latest announcements bring the breach total up to 410,842 records.

  • Somnia Pain Mgt of Kentucky – 10,849 individuals
  • Resource Anesthesiology Associates of KY PSC – 8,995 individuals
  • Saddlebrook Anesthesia Services PC – 8,861 individuals
  • Somnia, Inc. – 1,326 individuals
  • Mid-Westchester Anesthesia Services – 707 individuals

The breach was detected by the MSO on July 11, 2022, with the forensic investigation determining information stored on its systems had been compromised. The affected companies were notified about the breach on September 22, 2022.

The breach involved names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, medical record numbers, Medicaid/Medicare IDs, and health information, including diagnosis and treatment information.

Massengale Eye Care Affected by Eye Care Leaders’ Data Breach

Massengale Eye Care in Moore, OK, has recently announced that the protected health information of up to 15,000 patients has been compromised in a data breach at its EHR vendor, Eye Care Leaders. Massengale Eye Care said it has used the myCare Integrity electronic health records platform since 2017. On or around December 4, 2021, unauthorized individuals gained access to the platform and potentially obtained patient information.

Eye Care Leaders said it is unaware of any misuse of patient data, and no specific evidence was found to indicate the records of Massengale Eye Care patients were viewed or obtained. Since unauthorized access to protected health information could not be ruled out, notifications have been sent to affected individuals. The information potentially accessed includes names, addresses, dates of birth, Social Security numbers, diagnostic information, and health insurance information. Massengale Eye Care confirmed that the breach was confined to the Eye Care Leaders platform.

A total of 41 eye care providers are now known to have been affected by the Eye Care Leaders breach, and the records of at least 3,649,470 patients have been exposed.

Telehealth Vendor Announces 3-Year Data Breach

Miramar, FL-based telehealth provider, MDLIVE Medical Group, has recently announced that the protected health information of 7,439 individuals has been impermissibly disclosed as a result of a third-party analytics tool on its website. MDLIVE Medical Group did not confirm which analytics tool was involved, but similar breaches have been reported by other healthcare providers recently that involved the Meta Pixel tool, which is used for a similar purpose.

MDLIVE Medical Group said the tool was used to better understand how patients interacted on its website and patient portal, in order to make improvements to the portal to improve the quality of care provided to patients. The tool was first added to the website in June 2019 but was accidentally configured to monitor activity on the patient login page of its portal. The tool was removed in August 2022. The data disclosed to the provider of the tool included usernames, passwords, and dates of birth only. There is no indication that the information has been viewed or misused.
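A defender-side check in the spirit of the “third-party code-checking procedures” Advocate Aurora Health describes in the Meta Pixel story above, and of the MDLIVE misconfiguration here (an analytics tool that should never have run on the login page): this is an added example, not code from HIPAA Journal or from any provider or vendor named in these articles. It parses rendered portal pages, lists every script loaded from a host the organisation does not control, and rates any such script on a page with a password field or form inputs as high, since a script on that page can read whatever the patient types. All hostnames, URLs and sample HTML are constructed.

```python
# Third-party script audit for patient-portal pages. Constructed example, not
# code from HIPAA Journal or any provider or vendor named in the article; the
# hostnames, URLs and sample HTML are made up.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the (hypothetical) organisation serves its own scripts from.
FIRST_PARTY_HOSTS = {"portal.example-health.test", "static.example-health.test"}
# Hosts serving well-known advertising pixels; connect.facebook.net serves the
# Meta Pixel loader (fbevents.js).
KNOWN_TRACKER_HOSTS = {"connect.facebook.net", "www.facebook.com"}
# Fragments found in the inline Meta Pixel bootstrap snippet.
TRACKER_INLINE_MARKERS = ("fbq(", "fbevents.js")


class _PortalPageParser(HTMLParser):
    """Collects external script sources, inline script bodies and form fields."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts, self.form_fields = [], [], []
        self.has_password_field = False
        self._in_inline_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_inline_script, self._buf = True, []
        elif tag in ("input", "select", "textarea"):
            if (a.get("type") or "").lower() == "password":
                self.has_password_field = True
            if a.get("name"):
                self.form_fields.append(a["name"])

    def handle_data(self, data):
        if self._in_inline_script:  # <script> bodies arrive here as raw text
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            self.inline_scripts.append("".join(self._buf))


def audit_page(url, html):
    """Findings for one page. A page with a password field or any named form
    field (login, scheduling, intake) is 'sensitive': a third-party script there
    can read whatever the patient types, so it is rated high. Elsewhere a known
    tracker host is medium and an unrecognised third-party host is low."""
    p = _PortalPageParser()
    p.feed(html)
    p.close()
    page_host = urlparse(url).hostname
    sensitive = p.has_password_field or bool(p.form_fields)
    findings = []
    for src in p.script_srcs:
        host = urlparse(src).hostname  # relative src -> None, i.e. first party
        if host is None or host == page_host or host in FIRST_PARTY_HOSTS:
            continue
        known = host in KNOWN_TRACKER_HOSTS
        findings.append({"url": url, "kind": "external_script", "host": host,
                         "sensitive_page": sensitive,
                         "severity": "high" if sensitive else ("medium" if known else "low")})
    for body in p.inline_scripts:
        hits = [m for m in TRACKER_INLINE_MARKERS if m in body]
        if hits:
            findings.append({"url": url, "kind": "inline_tracker", "markers": hits,
                             "sensitive_page": sensitive,
                             "severity": "high" if sensitive else "medium"})
    return findings


def audit_site(pages):
    """pages maps URL -> rendered HTML; returns findings, highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    out = [f for url, html in pages.items() for f in audit_page(url, html)]
    return sorted(out, key=lambda f: (rank[f["severity"]], f["url"]))


# Constructed sample pages (not real portal markup).
SAMPLE_PAGES = {
    "https://portal.example-health.test/login": """<html><head>
<script>!function(f,b,e,v,n,t,s){/* loader trimmed */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');fbq('init','0000000000');
fbq('track','PageView');</script>
<script src="/static/app.js"></script></head><body>
<form method="post"><input name="username"><input type="password" name="password">
</form></body></html>""",
    "https://portal.example-health.test/appointments/schedule": """<html><head>
<script src="//analytics.example-vendor.test/collect.js"></script></head>
<body><form><select name="visit_reason"></select><input name="phone"></form></body></html>""",
    "https://portal.example-health.test/about": """<html><head>
<script src="https://static.example-health.test/site.js"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script></head>
<body><p>About us</p></body></html>""",
}

if __name__ == "__main__":
    for f in audit_site(SAMPLE_PAGES):
        print(f["severity"].upper(), f["url"], f["kind"], f.get("host") or f.get("markers"))
```

Run against saved copies of a portal’s rendered pages (the markup after any tag manager has executed), the high findings are the ones to remove first; the medium ones are where the Advocate Aurora and WakeMed disclosures started.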


OCR Explains HITECH Recognized Security Practices and How to Demonstrate They are in Place

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has released a video presentation on its YouTube channel that explains in detail how the 2021 HITECH Act amendment regarding “Recognized Security Practices” applies to HIPAA-regulated entities, and how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place for the 12 months prior to a security breach.

Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, part of the American Recovery and Reinvestment Act (ARRA), was introduced by the Obama administration to encourage the adoption of health information technology to improve quality, safety, and efficiency; engage patients in their care; increase coordination of care; improve the health status of the population; and ensure the privacy and security of healthcare data.

On January 5, 2022, H.R. 7898 was signed into law, amending Section 13412 of the HITECH Act to require the HHS to take the Recognized Security Practices of HIPAA-regulated entities into account in certain HIPAA Security Rule enforcement and audit activities, when a HIPAA-regulated entity is able to demonstrate Recognized Security Practices have been in place continuously for the 12 months prior to a security incident.

The HITECH Act update does not create a safe harbor for organizations that have implemented Recognized Security Practices granting them immunity from liability for HIPAA Security Rule violations, and it will not prevent OCR from imposing financial penalties when HIPAA Security Rule violations are discovered. Organizations that can demonstrate they have implemented Recognized Security Practices can mitigate fines under section 1176 of the Social Security Act, mitigate the remedies that would otherwise be agreed in agreements to resolve violations of the HIPAA Security Rule, and reduce the length and extent of audits and investigations. The HITECH Act amendment acts as an incentive for HIPAA-regulated entities to implement Recognized Security Practices and do everything in their power to safeguard patient data. OCR has confirmed that implementing Recognized Security Practices is voluntary.

On April 6, 2022, OCR issued a Request for Information (RFI) seeking input from the public on the HITECH Act amendment, specifically on how HIPAA-regulated entities were implementing Recognized Security Practices, and how they anticipated demonstrating that they are in place and have been for 12 months. The RFI also included a request for comment on the long-awaited implementation of the HITECH Act requirement for OCR to share a proportion of the civil monetary penalties and settlements collected through its HIPAA enforcement activities with individuals who have been harmed due to HIPAA violations.

What Are Recognized Security Practices?

In the video, Nick Heesters, senior advisor for cybersecurity at OCR, explains how the HITECH Act was amended, what constitutes Recognized Security Practices, and how they can be implemented to reduce liability. Recognized Security Practices are standards, guidelines, best practices, methodologies, procedures, and processes developed under:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • Section 405(d) of the Cybersecurity Act of 2015, or
  • Other programs that address cybersecurity that are explicitly recognized by statute or regulation

HIPAA-regulated entities are free to choose the Recognized Security Practices that are best suited to their organization.

OCR Security Rule Audits and HIPAA Security Rule Investigations of Potential Violations

Heesters confirmed that in the event of an audit or investigation into potential HIPAA Security Rule violations, OCR will send a data request to the regulated entity to inform them they can voluntarily provide evidence that Recognized Security Practices have been in place. This will increase awareness of the HITECH Act amendment and also allow the regulated entity to submit evidence as a mitigating factor. The request will also include guidance on how that evidence can be provided and the types of evidence that a HIPAA-regulated entity can consider submitting.

How to Demonstrate Recognized Security Practices Have Been in Place

Heesters explained how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place and the types of evidence that they can consider submitting. OCR will not limit the evidence that can be provided and the request is not a one-time opportunity to provide evidence. Evidence can be provided to OCR continuously.

The regulated entity must demonstrate that Recognized Security Practices have been fully implemented and have been and continue to be actively and consistently in use. Simply providing documentation that only establishes the initial adoption of Recognized Security Practices is insufficient and OCR will not consider documentation stating the organization plans to implement Recognized Security Practices in the future. Documentation must demonstrate the implementation of Recognized Security Practices throughout the enterprise.

In the response, HIPAA-regulated entities should state which Recognized Security Practices have been implemented. If a HIPAA-regulated entity has chosen “other programs,” OCR will need to be provided with statutory or regulatory citations showing they were developed, recognized, or promulgated by statute or regulation.

OCR suggests the following can be provided as evidence, although the list is not exhaustive:

  • Policies and procedures regarding the implementation and use of RSPs
  • RSP implementation project plans and meeting minutes
  • Diagrams and narrative detail of RSP implementation and use
  • Training materials regarding RSP implementation and use
  • Application screenshots and reports showing RSP implementation and use
  • Vendor contracts and statements of work regarding RSP implementation
  • Dates that support the implementation and use of RSPs for the previous 12 months, which OCR also requires

Heesters confirmed that organizations that have implemented Recognized Security Practices, and are able to demonstrate that sufficiently, will not avoid financial penalties, but OCR will consider the Recognized Security Practices as a mitigating factor. These practices are a mitigating factor only in HIPAA Security Rule investigations and audits, not in other investigations and audits, such as investigations into potential HIPAA Privacy Rule violations. Heesters also confirmed that the lack of Recognized Security Practices will not be considered an aggravating factor and will not result in increased penalties.

The post OCR Explains HITECH Recognized Security Practices and How to Demonstrate They are in Place appeared first on HIPAA Journal.

PHI of Almost 34,000 Patients Potentially Compromised in Michigan Medicine Phishing Attack

University of Michigan Health (Michigan Medicine) has recently announced that the protected health information of approximately 33,850 patients has potentially been compromised in a phishing attack. Suspicious activity was detected within its email environment and steps were immediately taken to secure the accounts to prevent further unauthorized access.

Michigan Medicine said it was targeted in a phishing campaign between August 15 and August 23, 2022, and four email accounts were compromised. Michigan Medicine said in its breach notice that employee email accounts were protected with multi-factor authentication at the time of the attack. Four employees responded to the phishing emails, visited a malicious website, disclosed their Michigan Medicine login information, and responded to the multi-factor authentication prompts, which allowed their accounts to be accessed.

The forensic investigation found no evidence of data theft and it appeared that the accounts were not compromised in order to obtain patient information; however, Michigan Medicine has assumed that all information in the accounts has been compromised. The review of the email accounts was completed on October 17, 2022, and notification letters have now been mailed.

The compromised accounts contained job-related communications for the coordination and care of patients. The information in the emails varied from patient to patient and may have included names, along with one or more of the following types of information: address, date of birth, diagnostic and treatment information, and health insurance information. Michigan Medicine said it has implemented additional technical safeguards to its email system and the infrastructure that supports it to prevent further incidents of this nature.

This is the second email account breach to be reported by Michigan Medicine this year. In late February, Michigan Medicine announced that a single email account containing the PHI of 2,920 patients had been compromised. Michigan Medicine was also targeted in a phishing campaign in 2019, which saw 3,200 of its employees receive phishing emails. In that attack, three employees responded, resulting in the exposure of the PHI of 5,466 patients.

Ascension St. Vincent’s Coastal Cardiology Brunswick Suffers Ransomware Attack

Ascension St. Vincent’s Coastal Cardiology Brunswick in Georgia has started notifying 71,227 patients about a security breach that affected its legacy systems, including its legacy electronic medical record system. The incident was detected on August 15, 2022, and all systems were immediately secured to prevent further unauthorized access; however, it was not possible to prevent the encryption of certain files on those systems. The investigation confirmed the attack was confined to its legacy systems. No Ascension networks or systems were affected, nor was the electronic medical record system that is currently in use. The legacy Coastal Cardiology network was primarily used to retain patient data to meet regulatory requirements and was not used for current business operations.

Ransomware attacks often involve data theft prior to the encryption of files; however, the forensic investigation found no evidence to suggest any information was removed from those systems. The breach notice suggests the ransom was not paid, as the data could not be decrypted. As such, it was not possible to determine the exact types of information that had been encrypted. Ascension said the systems would have contained demographic and health information related to visits at Coastal Cardiology prior to October 5, 2021. That information would have included names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, clinical information, and billing and insurance information.

Complimentary credit and identity theft protection services have been offered to affected individuals. Ascension said it has conducted a security risk assessment, realigned staff responsibilities, removed access rights to the legacy system, and is providing further training to its associates.

Delta Dental of Washington Members Affected by Mailing Vendor Hacking Incident

Delta Dental of Washington has announced that the protected health information of 6,361 members of its dental benefits plans has potentially been compromised in a cyberattack on its mail and printing vendor, Kaye-Smith. The attack occurred in June 2022 and resulted in the exposure of information such as names, addresses, group numbers, and Delta Dental Member ID numbers. Delta Dental of Washington was one of several organizations affected by the data breach.

Kaye-Smith is notifying affected individuals on behalf of Delta Dental of Washington and has offered complimentary credit monitoring services for 12 months.

The post PHI of Almost 34,000 Patients Potentially Compromised in Michigan Medicine Phishing Attack appeared first on HIPAA Journal.