HIPAA Breach News

Evergreen Treatment Services Hacking Incident Affects 21K Patients

Evergreen Treatment Services, a Washington-based provider of addiction treatment services, announced on February 13, 2023, that unauthorized individuals gained access to its IT systems and potentially accessed patient information, including names, addresses, birth dates, Social Security numbers, and treatment information.

A third-party cybersecurity firm assisted with the investigation but found no instances of fraud or identity theft; however, as a precaution, the 21,325 affected patients have been offered complimentary credit monitoring and identity theft protection services. Evergreen Treatment Services did not state in its breach notice when the incident was detected, for how long the hackers had access to its network, or any information about the nature of the attack. Data security policies have been enhanced in response to the breach to prevent similar incidents in the future.

Data Stolen in Cyberattack on Texas Orthopaedics and Sports Medicine

Tomball, TX-based Texas Orthopaedics and Sports Medicine (TOSM) has confirmed that an unauthorized third party gained access to its network and removed files from its systems which included names, driver’s license numbers, and medical information. The attack was detected on November 28, 2022, when suspicious activity was identified within its network. The forensic investigation revealed the hackers had access to the network between November 22 and November 29. TOSM said it learned that patient information was compromised on February 10, 2023, and notifications were sent to the 1,023 affected individuals on February 23. TOSM said steps are being taken to improve security and further training has been provided to employees. Affected individuals have been offered one year of credit monitoring services.

Sentara Healthcare Patient Data Exposed Online

Norfolk, VA-based Sentara Healthcare, a not-for-profit healthcare provider serving patients in Virginia and northeastern North Carolina, has recently notified 741 patients that some of their protected health information has been exposed online. Sentara Healthcare was tipped off about the exposed data by an anonymous individual who stumbled across a PDF file online while searching for information on how to convert PDF files to a different format. An individual had uploaded a Medicare remittance document to an Adobe Acrobat website that contained the data of Sentara Healthcare patients.

Sentara Healthcare confirmed that the PDF file was still online and had been uploaded on October 17, 2022. The name of the individual who uploaded the file was found, and Sentara Healthcare confirmed it was an employee of Coronis Health, a business associate that provides billing-related services for lab services. Coronis Health was notified about the exposed data on December 19, 2022, and removed the file on December 20. Coronis Health provided further training to its entire team in response to the error. The file contained patient names, Medicare ID numbers, dates of service, CPT codes, location of service, the last 4 digits of account numbers, and outstanding balances. Credit monitoring services have been offered to affected individuals.

Email Account Compromised at Compass Behavioral Health

On February 28, 2023, Garden City, KS-based Compass Behavioral Health notified 537 patients about a security breach that exposed a limited amount of their personal and health information. On or around December 13, 2022, Compass learned that an employee email account and associated OneDrive account had been compromised. The forensic investigation determined the account contained a spreadsheet that included a list of incident reports maintained by Compass for recording breaches of procedure, injuries, accidents, and unusual occurrences. The spreadsheet included information such as names, addresses, dates of birth, dates of death, location of treatment, medical record numbers, information related to medical incidents, limited medical information, and medication information. Credentials were changed in response to the breach and multi-factor authentication was implemented. There have been no reports of actual or attempted misuse of the exposed information.

The post Evergreen Treatment Services Hacking Incident Affects 21K Patients appeared first on HIPAA Journal.

Data Breaches Reported by The Hutchinson Clinic & 90 Degree Benefits

The Hutchinson Clinic Reports December 2022 Hacking Incident

The Hutchinson, KS-based healthcare provider, The Hutchinson Clinic, has recently announced that hackers accessed its network between December 19, 2022, and December 22, 2022, and during that time, files containing patient data may have been accessed and stolen. According to the clinic’s website data breach notice, the impacted information included names, contact information, birth dates, Social Security numbers, driver’s license numbers, health insurance information, medical record numbers (MRN), medical histories, diagnoses, treatment information, and physician names.

The exposed files are currently being reviewed and notifications will be mailed to affected individuals when that process is completed. The Hutchinson Clinic said it has conducted a review of its policies and procedures and will be implementing additional administrative and technical safeguards to better secure its systems and prevent further incidents of this nature.

The incident has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many patients have been affected.

90 Degree Benefits Reports Hacking Incident Affecting 175,000 Individuals

On February 8, 2023, the Wisconsin-based employee benefits company, 90 Degree Benefits Inc., reported a data breach to the HHS’ Office for Civil Rights that involved the protected health information of 175,000 individuals. There is currently no notice on the 90 Degree Benefits website about the data breach, and currently, all that is known is that this was a hacking/IT incident involving a network server.

This is the second large-scale data breach to be reported by the firm. On June 6, 2022, 90 Degree Benefits reported a breach to the HHS’ Office for Civil Rights that affected 172,450 individuals. The breach was discovered on February 27, 2022, with the forensic investigation determining hackers had access to its network between February 24 and February 27, 2022. The hackers potentially stole information such as names, addresses, and Social Security numbers.

Bridgewater-Raritan Regional School District Announced Breach of Health Plan Data

Bridgewater-Raritan Regional School District has recently confirmed that hackers gained access to its computer network in December 2022 and potentially viewed or obtained the information of employees who were enrolled in its Health Benefit Plan. Suspicious activity was detected within its network on December 12, 2022, and a third-party cybersecurity firm was engaged to investigate. The investigation confirmed its systems were accessed by unauthorized individuals between December 10 and December 12. During that time, files containing names, Social Security numbers, and enrollment selection information may have been accessed. Affected employees were notified on January 27, 2023, and were offered complimentary memberships to an identity theft monitoring service.

The breach was reported to the HHS’ Office for Civil Rights as affecting up to 3,909 individuals.


January 2023 Healthcare Data Breach Report

January is usually one of the quietest months of the year for healthcare data breaches and last month was no exception. In January, 40 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights, the same number as in December 2022. January’s total is well below the 53 data breaches reported in January 2022 and the 12-month average of 58 data breaches a month.

For the second successive month, the number of breached records has fallen, with January seeing just 1,064,195 healthcare records exposed or impermissibly disclosed – the lowest monthly total since June 2020, and well below the 12-month average of 4,209,121 breached records a month.

Largest Healthcare Data Breaches in January 2023

In January there were 13 data breaches involving 10,000 or more records, 8 of which involved hacked network servers and email accounts. The largest data breach of the month affected Mindpath Health, where multiple employee email accounts were compromised. 5 unauthorized access/disclosure incidents were reported that impacted more than 10,000 individuals, three of which were due to the use of tracking technologies on websites, including the month’s second-largest breach at BayCare Clinic. The tracking code collected individually identifiable information – including health information – of website users and transmitted that information to third parties such as Google and Meta. Another notable unauthorized access incident occurred at the mobile pharmacy solution provider, mscripts. Its cloud storage environment had been misconfigured, exposing the data of customers of its pharmacy clients on the Internet for 6 years.

| HIPAA-Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Community Psychiatry Management, LLC (Mindpath Health) | NC | Healthcare Provider | 193,947 | Compromised email accounts |
| BayCare Clinic, LLP | WI | Healthcare Provider | 134,000 | Impermissible disclosure of PHI due to website tracking technology |
| DPP II, LLC (Home Care Providers of Texas) | TX | Healthcare Provider | 125,981 | Ransomware attack (data theft confirmed) |
| Jefferson County Health Center (Jefferson County Health Department) | MO | Healthcare Provider | 115,940 | Hacked network server |
| UCLA Health | CA | Healthcare Provider | 94,000 | Impermissible disclosure of PHI due to website tracking technology |
| mscripts®, LLC | CA | Business Associate | 66,372 | PHI exposed due to misconfigured cloud storage |
| Circles of Care, Inc. | FL | Healthcare Provider | 61,170 | Hacked network server |
| Howard Memorial Hospital | AR | Healthcare Provider | 53,668 | Hacked network server |
| Stroke Scan Inc | TX | Healthcare Provider | 50,000 | Hacking incident – No public breach announcement |
| University of Colorado Hospital Authority | CO | Healthcare Provider | 48,879 | Hacking incident at business associate (Diligent) |
| Insulet Corporation | MA | Healthcare Provider | 29,000 | Impermissible disclosure of PHI due to website tracking technology |
| City of Cleveland | OH | Health Plan | 15,206 | Unauthorized access/disclosure incident – No public breach announcement |
| DotHouse Health Incorporated | MA | Healthcare Provider | 10,000 | Hacked network server |

Causes of January 2023 Healthcare Data Breaches

Just over half of the 40 data breaches reported in January were hacking/IT incidents, the majority of which involved hacked network servers. Ransomware attacks continue to be conducted, although the extent to which ransomware is used is unclear, as many HIPAA-regulated entities do not disclose the exact nature of their hacking incidents, and some entities have not made public announcements at all. Across the 23 hacking incidents, the records of 698,295 individuals were exposed or stolen. The average breach size was 30,361 records and the median breach size was 5,264 records.

There was an increase in unauthorized access/disclosure incidents in January, with 15 incidents reported. The nature of 7 of the unauthorized access/disclosure incidents is unknown at this stage, as announcements have not been made by the affected entities. 5 of the 15 incidents were due to the use of tracking technologies on websites and web apps. Across the 15 unauthorized access/disclosure incidents, 362,629 records were impermissibly accessed or disclosed. The average breach size was 24,175 records and the median breach size was 3,780 records. There were two theft incidents reported, one involving stolen paper records and one involving a stolen portable electronic device. Across those two incidents, 3,271 records were stolen. No loss or improper disposal incidents were reported.

Where Did the Data Breaches Occur?

Healthcare providers were the worst affected type of HIPAA-covered entity, with 31 reported data breaches; a further 5 data breaches were reported by health plans. While only 4 data breaches were reported by business associates of HIPAA-covered entities, 14 data breaches had business associate involvement, and 10 of those breaches were reported by the covered entity rather than the business associate. The chart below shows the breakdown of data breaches based on where they occurred, rather than which entity reported the breach.

The chart below highlights the impact of data breaches at business associates. 23 data breaches occurred at health plans, involving almost 275,000 records. The 14 data breaches at business associates affected almost three times as many people.

Geographical Spread of January Data Breaches

California was the worst affected state with 7 breaches reported by HIPAA-regulated entities based in the state, followed by Texas with 6 reported breaches. January’s 40 data breaches were spread across 40 U.S. states.

| State | Breaches |
|---|---|
| California | 7 |
| Texas | 6 |
| Georgia, Massachusetts, Missouri & Pennsylvania | 3 |
| Florida, New York & North Carolina | 2 |
| Alabama, Arkansas, Colorado, Illinois, Indiana, Minnesota, New Jersey, Ohio & Wisconsin | 1 |

HIPAA Enforcement Activity in January 2023

The Office for Civil Rights announced one settlement in January to resolve potential violations of the HIPAA Right of Access. OCR investigated a complaint from a personal representative who had not been provided with a copy of her deceased father’s medical records within the allowed 30 days. It took 7 months for those records to be provided. Life Hope Labs agreed to pay a $16,500 financial penalty and adopt a corrective action plan that will ensure patients are provided with timely access to their medical records in the future. This was the 43rd penalty to be imposed under OCR’s HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. No HIPAA enforcement actions were announced by state attorneys general in January.


Hacking and Data Theft Incident Reported by CentraState Healthcare System

Freehold Township, NJ-based CentraState Healthcare System has recently confirmed that its network was compromised by unauthorized individuals in December 2022. Unusual activity was detected within its computer systems on December 29, and immediate action was taken to isolate the network and block unauthorized access. CentraState has been working with the Federal Bureau of Investigation and independent cybersecurity experts to investigate the breach and has determined that the unauthorized party exfiltrated a copy of an archived database that contained the protected health information of patients.

The database included the following information: names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and patient account numbers. Additionally, the database contained some information related to care received at CentraState, such as date(s) of service, physician names and departments, treatment plans, diagnoses, visit notes, and prescription information. CentraState said it continually enhances the security of its electronic systems and will continue to do so, and will also implement additional safeguards to prevent future attacks. Notification letters started to be sent to affected individuals on February 10, 2023, and complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security number exposed.

The incident has been reported to the HHS’ Office for Civil Rights but is not yet showing on the HHS Web Breach Portal, so it is currently unclear how many individuals have been affected.

Skin MD Reports Temporary Exposure of Paper Records

Skin MD, a Massachusetts-based provider of cosmetic and laser skin care treatments, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 7,558 patients. The breach involved paper records that were stored in a secured, off-site storage facility, which Skin MD learned had been disposed of in a non-secure manner on November 12, 2022.

Skin MD said a good Samaritan notified authorities about the improper disposal on November 14, 2022, and a law enforcement agent collected the records. Those records have been collected by Skin MD and are now secured. The records were unsecured for 2 days, during which time it is possible they were viewed by unauthorized individuals, although no evidence of theft, unauthorized access, or tampering has been discovered.

The records contained demographic information, medical information, Social Security numbers, and financial information. Affected individuals are now being notified and have been offered 24 months of complimentary credit monitoring and identity theft protection services.

Phishing Attack on Vitra Health Affects 1,600 Patients

The Braintree, MA-based home health service provider, Vitra Health, has notified 1,618 patients that some of their protected health information has been exposed and potentially stolen. On December 8, 2022, Vitra Health discovered an employee email account had been accessed by an unauthorized individual. The investigation revealed access was gained following a response to a phishing email on December 6. The account was immediately secured, and the forensic investigation confirmed only one email account was compromised.

A third-party review of the account confirmed it contained information such as names, addresses, dates of birth, phone numbers, referral information, diagnoses, and Health Plan ID numbers. Vitra Health has implemented additional email security measures, provided further workforce training, and engaged a third-party firm to conduct a HIPAA risk assessment.

California Department of Social Services Discovers Insider Breach

The California Department of Social Services (CDSS) has recently notified certain individuals about an insider wrongdoing incident involving their Social Security numbers. On January 6, 2023, the CDSS discovered an employee had emailed a document to a personal email account that contained individuals’ first and last names, Social Security numbers, and bargaining unit numbers. The employee in question was immediately contacted and told to delete the email and the employee complied with that request.

The CDSS said it is in the process of implementing additional security controls to prevent similar incidents in the future. No reason was provided as to why the document was emailed, nor details of the sanctions in relation to the incident. It is currently unclear how many individuals have been affected.


Lehigh Valley Health Network and MKS Instruments Recovering from Ransomware Attacks

Lehigh Valley Health Network (LVHN) in Pennsylvania has confirmed that it is dealing with a ransomware attack that was detected on February 6, 2023. An announcement was made on Monday confirming the Russian-speaking ransomware gang, BlackCat, was behind the attack and demanded a ransom, but no payment was made.

Brian A. Nester, LVHN President and CEO, said the attack has not affected its operations and care continues to be provided to patients. While the attack is still being investigated, Nester has confirmed that the attack was conducted on a network supporting an unnamed physician practice in Lackawanna County and that the network housed a system that was used to store “clinically appropriate patient images for radiation oncology treatment,” and other sensitive information. That practice appears to be Delta Medix in Scranton, PA. It is currently unclear if other physician practices have been affected.

The LVHN technology team launched an investigation when suspicious network activity was detected, its network was immediately secured, and third-party cybersecurity experts were engaged to conduct a forensic analysis to determine the nature and scope of the attack. “We are continuing to work closely with our cybersecurity experts to evaluate the information involved and will provide notices to individuals as required as soon as possible. Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident,” said Nester in a media statement.

This post will be updated when more information is released.

MKS Instruments Affected by Ransomware Attack

MKS Instruments, an Andover, MA-based manufacturer of measuring and control devices, has confirmed that it has been attacked with ransomware. According to the breach notification letters – dated February 16, 2023 – the parent company of MKS and the Atotech group of companies discovered the attack on February 13, 2023 – three days before notifications were sent.

The notice sent to the Attorneys General in California and Montana explains that immediate action was taken in response to the attack and that the investigation into the breach is ongoing. MKS confirmed that the attack affected certain business systems, such as production-related systems, which forced a temporary suspension of certain operations. Systems are being restored as quickly as possible, as it is determined that it is safe to do so.

MKS confirmed that it is currently unaware of any concrete risks or threats to individual data subjects, but says data theft cannot be ruled out. The types of information potentially stolen include names, contact information, addresses, government ID numbers (including SSNs), work login credentials/passwords, marital status, veteran status, nationality, immigration status, race, gender, sexual orientation, bank account information, payment card information, information about compensation status and equity, job positions, time/hours worked, information about disabilities, health and medical conditions, employer union information, health insurance information, and basic information about partners, children, and emergency contact information. Affected individuals have been offered complimentary identity theft monitoring and protection services for 2 years.

It is currently unclear how many individuals have been affected.


Lack of Funding Hampering OCR’s Ability to Enforce HIPAA

The HHS’ Office for Civil Rights (OCR) has published a report it sent to Congress that details its HIPAA enforcement activities in 2021, which provides insights into the state of compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The report makes it clear that OCR’s resources are under considerable strain, and without an increase in funding from Congress, OCR will struggle to fulfill its mission to enforce HIPAA compliance, especially considering the large increase in reported data breaches and HIPAA complaints.

OCR reports significant increases in reported data breaches and HIPAA complaints, with large data breaches – 500 or more records – increasing by more than 58% between 2017 and 2021, and HIPAA complaints increasing by 25% between 2020 and 2021, yet between 2017 and 2021, OCR has not had any increases in appropriations, with Congress only increasing funding in line with inflation.

If Congress is unable to increase funding for OCR, the financial strain could be eased through enforcement actions; however, OCR has seen funding through enforcement decline after reassessing the language of the HITECH Act and determining it had been misinterpreted in 2009, resulting in the maximum penalty amounts in three of the four penalty tiers being significantly reduced. To address this and increase funding, OCR sent a request to Congress in September 2021 (HHS FY 2023 Discretionary A-19 Legislative Supplement) calling for an increase in HITECH civil monetary penalty caps, as without such an increase, OCR’s staff and resources will continue to be severely strained, especially during a time of substantial growth in cyberattacks on the healthcare sector.

25% Annual Increase in HIPAA Violation Complaints

There was a sizeable rise in complaints about potential HIPAA and HITECH Act violations in 2021, which increased by 25% year-over-year to 34,077 complaints, 77.5% of which (26,420) were resolved in 2021, 78% of which (20,611 complaints) were resolved without having to initiate an investigation. OCR explained that action can only be taken in response to complaints where the HIPAA violation occurred after the compliance deadline, where the complaint is against a HIPAA-regulated entity, where a HIPAA violation appears to have occurred, and when the complaint is submitted within 180 days of the complainant becoming aware of the violation (unless the complainant shows good cause why the violation was not reported within 180 days).

The most common reasons for closing complaints without an investigation were that the complaint was made against a non-HIPAA-regulated entity or that the allegations concerned conduct that did not violate HIPAA (3%), and that the complaint was untimely (1%). OCR said 4,139 complaints were resolved by providing technical assistance in lieu of an investigation, 714 complaints were resolved by the HIPAA-regulated entity taking corrective action, and 789 complaints were resolved through technical assistance provided after an investigation was initiated. There was a 10% year-over-year reduction in initiated compliance investigations, with 1,620 compliance investigations initiated in response to complaints. 50% were resolved as no violation was discovered, 44% were resolved through corrective action, and 6% were resolved through technical assistance after investigation. 13 complaints were resolved through settlements and corrective action plans with penalties totaling $815,150, and 2 were resolved through civil monetary penalties totaling $150,000.

674 compliance reviews were initiated for reasons other than complaints: 609 were initiated in response to large data breaches, 22 due to small data breaches, and a further 43 in response to incidents brought to OCR’s attention by other means, such as reports in the media. In 2021, OCR closed 573 compliance reviews, resulting in corrective actions or civil monetary penalties in 83% of the investigations. Two compliance reviews resulted in resolution agreements that included $5,125,000 in financial penalties and corrective action plans. The remaining 17% of compliance reviews were resolved through technical assistance (3%), insufficient evidence of HIPAA violations (11%), or a lack of jurisdiction to investigate (3%). OCR said its HIPAA compliance audit program has stalled due to a lack of financial resources.

See OCR’s Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance.

See also the summary of OCR’s Report on Breaches of Unsecured PHI in 2021.


OCR: HIPAA-Regulated Entities Need to Continue to Improve HIPAA Security Rule Compliance

The Department of Health and Human Services’ Office for Civil Rights (OCR) has publicly released two reports that were submitted to Congress that provide insights into data breaches, HIPAA enforcement activity, and the state of HIPAA Privacy and Security Rule compliance for calendar year 2021.

According to OCR, in calendar year 2021, OCR received 609 reports of large data breaches – data breaches affecting 500 or more individuals – with those incidents affecting 37,182,558 individuals. OCR also received 63,571 reports of data breaches affecting fewer than 500 individuals – which are not publicly reported. 319,215 individuals were affected by those smaller data breaches. That’s 64,180 data breaches in total in 2021 affecting 37,501,772 individuals.

If you follow the breach reports and healthcare data breach statistics reported in the HIPAA Journal, you will notice a discrepancy with OCR’s official figures. That is because the statistics are based on the data breaches reported to OCR via the OCR HIPAA Breach Web Portal, which lists 714 data breaches for calendar year 2021. OCR investigates all of those breaches, but the report to Congress only includes data breaches that occurred in 2021 or continued into 2021. 105 of the data breaches reported to OCR in calendar year 2021 occurred and ended prior to 2021, but were reported in 2021.

OCR investigates all data breaches of 500 or more records and initiates HIPAA compliance reviews in all of those breaches to determine whether noncompliance with the HIPAA Rules was a contributory factor. In 2021, OCR launched investigations into all 609 data breaches plus 22 data breaches involving fewer than 500 individuals. 554 data breach investigations were completed in 2021 due to the investigations being closed with no further action as HIPAA violations were not determined to have occurred, or when HIPAA violations were discovered and were resolved through voluntary compliance, technical assistance, or resolution agreements and corrective action plans.

The adjusted data show there was a 7% annual reduction in data breaches of 500 or more records compared to 2020, and a 4% reduction in smaller data breaches. By comparison, there was a 61% increase in large data breaches in 2020 and a 6% increase in small data breaches. From 2017 to 2021, small data breaches increased by 5.4% and large data breaches increased by 58.2%.

In 2021, hacking/IT incidents accounted for 75% of large data breaches and 95% of the affected individuals, with the breached information most commonly stored on network servers. 19% of breaches and 4% of impacted individuals were affected by unauthorized access/disclosure incidents, 3% of reported breaches involved theft (<1% of affected individuals), 1% involved loss of PHI (<1% of affected individuals), and 1% involved improper disposal of PHI (1% of affected individuals). Unauthorized access/disclosure incidents accounted for the majority of small breaches, with those breaches typically involving paper records.

Healthcare providers reported 72% of the data breaches in 2021 (437 reports and 24,389,630 affected individuals), 15% of the breaches were reported by health plans (93 reports and 3,236,443 affected individuals), 13% by business associates (977 reports and 9,554,023 affected individuals), and <1% by healthcare clearinghouses (2 reports affecting 2,462 individuals).

Largest Data Breaches in 2021 in Each Breach Category

| Breach Type | Individuals Affected | Cause |
|---|---|---|
| Hacking/IT Incident | 3,253,822 | Hacked network server |
| Unauthorized Access/Disclosure | 326,417 | Software configuration error exposed ePHI |
| Improper Disposal | 122,340 | Improper disposal of hard drives containing ePHI |
| Theft | 21,601 | Theft of laptops and paper records in burglary |
| Loss of PHI | 14,532 | Loss of medical records |

Lessons Learned from 2022 Data Breaches

OCR reports that the most common vulnerabilities identified during its investigations were failures to follow HIPAA Security Rule standards and implementation specifications. “There is a continued need for regulated entities to improve compliance with the HIPAA Rules,” explained OCR in the report. “In particular, the Security Rule standards and implementation specifications of risk analysis, risk management, information system activity review, audit controls, and access control were areas identified as needing improvement in 2021 OCR breach investigations.”

The most common remedial actions to breaches of 500 or more records were:

  • Implementing multi-factor authentication for remote access
  • Revising policies and procedures
  • Training or retraining workforce members who handle PHI
  • Providing free credit monitoring and identity theft protection services to customers
  • Adopting encryption technologies
  • Imposing sanctions on workforce members who violated policies and procedures for removing PHI from facilities or who improperly accessed PHI
  • Changing passwords
  • Performing a new risk assessment
  • Revising business associate contracts to include more detailed provisions for the protection of health information

When serious violations of HIPAA are identified and/or corrective action has not been proactively taken in response to data breaches, OCR will impose corrective action plans and financial penalties. In 2021, OCR resolved two investigations of data breaches with resolution agreements and corrective action plans, resulting in settlements totaling $5.1 million. One settlement was reached with Excellus Health Plan, which agreed to pay a financial penalty of $5,100,000 to resolve the HIPAA violations that contributed to its 2015 data breach affecting 9.3 million individuals, and a $25,000 penalty was paid by Peachstate Health Management (dba AEON Clinical Laboratories) to resolve HIPAA Security Rule violations.

“The health care industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA Rules to support greater privacy and security of individuals’ protected health information,” said OCR Director Melanie Fontes Rainer. “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”

Source documents: OCR's Annual Report to Congress on Breaches of Unsecured Protected Health Information (PDF), and a summary of OCR's enforcement activity in 2021.

The post OCR: HIPAA-Regulated Entities Need to Continue to Improve HIPAA Security Rule Compliance appeared first on HIPAA Journal.

ACLU Expands Class Action Lawsuit Against RIPTA and UnitedHealthcare New England

The American Civil Liberties Union of Rhode Island (ACLU of RI) has amended its complaint against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) in their pending class action lawsuit over an August 2021 data breach. RIPTA is a state agency that operates the public bus service in Rhode Island. In August 2021, an unauthorized third party gained access to its computer systems and stole files that contained sensitive employee information, including names, Social Security numbers, and other personal and health data.

RIPTA issued notifications to all affected individuals – approximately 22,000 – 4 months after the data breach; however, many individuals received notification letters who had no connection to RIPTA. It was later explained that the information of approximately 5,000 RIPTA employees was compromised, along with the data of 17,000 non-RIPTA employees. RIPTA held the data of 17,000 employees of other state agencies after the information was mistakenly sent to RIPTA by UHC.

ACLU of RI filed a lawsuit against RIPTA and UHC over the data breach, which initially named two plaintiffs: a University of Rhode Island employee and a retired RIPTA employee, both of whom had been affected by the breach. The plaintiffs represented a class of more than 20,000 individuals. The lawsuit alleges RIPTA and UHC were negligent in failing to properly maintain, protect, purge, and safely destroy data, in violation of two Rhode Island laws. Further, the notification letters did not contain sufficient information about the breach, RIPTA falsely stated on its website that only beneficiaries of its health plan had been affected, and it took 138 days after the discovery of the breach to issue notifications, in violation of state law which requires data breach notifications to be issued within 45 days.

The lawsuit alleges the plaintiffs and class members face an ongoing risk of fraud and identity theft, which requires them to continually monitor their financial accounts, future financial footprints, credit profiles, and identities. After the data breach, one of the plaintiffs experienced fraudulent use of her credit cards and unauthorized bank account withdrawals. The amended complaint adds a further eleven plaintiffs to the lawsuit as class representatives and details the harm that has been caused by the breach, which for some individuals includes losses of thousands of dollars. Some of the stolen data has also been discovered on the dark web. The amended complaint also includes details of the testimonies of RIPTA employees from a January 2022 hearing – which UHC representatives failed to attend – confirming encryption was not employed until after the data breach, and that the data breach also included Medicare ID numbers, providers’ names and dates of service. Despite the data breach occurring more than 18 months ago, it is still unclear why UHC provided RIPTA with the data of non-RIPTA employees or why it took so long for notification letters to be issued.

The lawsuit seeks compensatory and punitive damages, attorneys’ fees, 10 years of credit monitoring services, and the courts to order the defendants to implement a comprehensive information security program.


CommonSpirit Health Reports $150 Million Loss Due to Ransomware Attack

The October 2022 ransomware attack on CommonSpirit Health has cost the health system more than $150 million to date according to its recent quarterly filing, and the costs are continuing to increase because the investigation into the attack and data breach is ongoing. Healthcare data breaches are the costliest data breaches to resolve. The IBM Security Annual Cost of a Data Breach Report for 2022 puts the average cost of a healthcare data breach at $10.1 million and the average cost across all industries at $164 per record.

The ransomware attack on CommonSpirit Health exposed a considerable amount of patient information – 623,700 individuals were affected by the breach – but it could have been far worse. More than 20 million patients are served across CommonSpirit Health, Catholic Health Initiatives, and Dignity Health. The cost of the CommonSpirit Health ransomware attack and data breach is far higher than IBM Security’s figures suggest because of the continued disruption caused by the attack. CommonSpirit Health suffered a month-long outage due to the attack, and that extended disruption to operations is why the costs have spiraled. The average data breach costs do not account for extended disruption to business operations, which is the costliest element of a cyberattack. Large health systems can incur losses of between $1 million and $2 million per day due to business disruption.

The Catholic health system suffered operating losses of $1.3 billion in the full fiscal year ending June 30, 2022, and $1.85 billion in net losses, with $474 million of reported operating losses for Q4, 2022, which is almost six times the operating losses for the corresponding quarter in 2021 ($81 million). The health system says its cash reserves have fallen $741 million from the previous fiscal year to $1.85 billion as of December 31, 2022, giving it 160 days of cash left to fund its operations.

While the health system is operating at a loss, CommonSpirit Health enjoyed volume growth in the final quarter of the year, although the quarterly report stated operating revenues were down from $8.88 billion in 2021 to $8.30 billion this year. The health system says it is continuing to be affected by the pandemic, labor shortages, and inflation, as well as having to cover the cost of the ransomware attack and data breach.

CommonSpirit said it is taking a number of steps to bolster its financial sustainability, including focusing on reducing costs, operating more efficiently, and scaling programs across the organization to create a better experience for patients and consumers. The health system has also implemented initiatives to help promote staff and clinician wellness and improve employee retention.
