HIPAA Breach News

Tallahassee Memorial HealthCare Diverts Ambulances Due to Cyberattack

Last Thursday, Tallahassee Memorial HealthCare (TMH) in Florida was forced to take its IT systems offline, divert ambulances, and suspend all non-emergency medical procedures due to a cyberattack. The hospital issued a statement confirming that it would only be accepting patients with Level 1 traumas from its immediate service area while the cyberattack is investigated and systems are restored.

The hospital said the attack only affected specific systems, but other, unaffected systems were taken offline to contain the attack. Systems are being prioritized and will be brought back online one by one when it is safe to do so. On Thursday, the hospital could not provide any information on the likely timeframe for recovery but said updates will continue to be provided on its website. On Sunday, a statement was issued confirming progress is being made restoring systems, that TMH Physician Partners are still operational, and they will start seeing patients as scheduled from Monday, February 6, 2023; however, all non-emergency surgeries and outpatient procedures scheduled for Monday had been canceled and rescheduled. TMH also confirmed in the Sunday update that downtime procedures are still in place and patient information is being recorded on paper. The ambulance diversion remains in place for certain patients.

“Our teams are working around the clock in collaboration with outside consultants to investigate the cause of the event and safely restore all computer systems as quickly as possible. IT security events take time to investigate and resolve,” explained TMH in its Sunday statement. “Our investigation is ongoing and, as is typical in such situations, we expect it will take some time to determine exactly what happened.” A TMH spokesperson said, “Patient safety remains our number one priority, and protocols for system downtime are being followed to minimize disruption.” The nature of the cyberattack was not disclosed.

The announcement comes just a few days after Atlantic General Hospital in Maryland confirmed that it had suffered a ransomware attack, which similarly forced a shutdown of its IT systems. While some ransomware groups have policies that prohibit their affiliates from conducting attacks on the healthcare sector, several groups actively target health systems, hospitals, and other healthcare organizations. In December, an affiliate of the LockBit ransomware group conducted an attack on the Hospital for Sick Children (SickKids). The group later issued a statement that the affiliate responsible had violated its terms and conditions and provided the keys to SickKids to allow data to be decrypted for free. However, LockBit recently published data on its data leak site allegedly stolen in cyberattacks on Juva Skin & Laser Center in New York and Arizona Liver Health. Those healthcare providers have yet to issue public statements about any cyberattacks.

The health sector is also coming under attack from Russian hacktivists in response to the U.S. policy of providing military hardware to assist Ukraine. The pro-Russian hacktivist group Killnet is conducting a campaign of distributed denial of service (DDoS) attacks on hospitals, although these attacks appear to be aimed at causing disruption and are not believed to involve data theft. The group has also called on the wider cybercrime community to support its efforts, which could potentially see even more healthcare providers in the U.S. come under attack.

The post Tallahassee Memorial HealthCare Diverts Ambulances Due to Cyberattack appeared first on HIPAA Journal.

Banner Health Settles Alleged HIPAA Security Rule Violations for $1.25 Million

The HHS’ Office for Civil Rights has announced its second financial penalty of 2023 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Banner Health has agreed to pay a financial penalty of $1,250,000 and adopt a corrective action plan to resolve the alleged HIPAA Security Rule violations.

Phoenix, AZ-based Banner Health is one of the largest non-profit health systems in the United States. The health system includes 30 hospitals and more than 69 affiliated healthcare facilities in 6 U.S. states and employs more than 50,000 individuals. On July 13, 2016, Banner Health detected a security breach, with the subsequent investigation confirming hackers gained access to its systems on June 17, 2016. The hackers were able to access systems containing the protected health information (PHI) of 2.81 million individuals, including names, addresses, dates of birth, Social Security numbers, claims information, lab results, medications, diagnoses, and health insurance information. After being informed about the impermissible disclosure of PHI, OCR initiated a review of HIPAA Security Rule compliance to determine if noncompliance was a contributory factor to the data breach.

OCR’s investigators determined that Banner Health had failed to conduct an accurate and thorough analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI. The administrative safeguards of the HIPAA Security Rule include a requirement to conduct regular reviews of information system activity to identify unauthorized access to PHI. OCR determined that Banner Health had not implemented sufficient procedures to conduct regular reviews.

The HIPAA Security Rule requires covered entities to implement technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Banner Health failed to implement sufficient procedures to verify the identity of persons seeking access to ePHI to ensure they are who they claim to be, and insufficient technical security measures had been implemented to protect against unauthorized access to ePHI transmitted over an electronic communications network.

OCR said its investigators found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across the Banner Health organization, which was a serious concern given the size of the covered entity, and the HIPAA violations were sufficiently severe to warrant a financial penalty. In addition to paying a financial penalty, Banner Health has agreed to adopt a corrective action plan (CAP) that includes the requirement to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization and develop a risk management plan to address any vulnerabilities identified by the risk analysis. Policies and procedures must be developed, implemented, and distributed to the workforce covering risk analyses, risk management, system activity reviews, authentication processes, and security measures to protect against unauthorized PHI access. OCR will monitor Banner Health for compliance with the CAP for 2 years.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”


Organizations Increasingly Opaque About Cause of Data Breaches

When a data breach occurs and sensitive information is disclosed, the HIPAA Breach Notification Rule requires affected individuals to be notified. The FTC Health Breach Notification Rule also has breach reporting requirements, and all 50 states have enacted data breach notification laws. What is lacking in many of these regulations – at both the federal and state level – is any specification of what these notification letters must include.

Just a few years ago, the majority of breach notification letters contained reasonably detailed information about the breach, but it is now much more common for victims of data breaches to be provided with the bare minimum information to comply with federal and state regulations, which makes it difficult for the individuals affected to accurately gauge the level of risk they face.

While it was once common for ransomware attacks to be reported as such, these are increasingly reported as hacking incidents with no mention of file encryption or data theft. Even when attacks involved the theft of sensitive data and the publication of that information on data leak sites, victims are often told only that the attackers may have accessed or obtained their data.

The 2022 Data Breach Report from the Identity Theft Resource Center (ITRC) has confirmed this trend. In 2022, two-thirds of data breach notices lacked the necessary information to allow individuals and businesses affected by those data breaches to accurately assess potential risk. In 2022, only 34% of breach notices included victim and attack details, the lowest percentage in the past 5 years. To put that figure into perspective, in 2019, almost 100% of notices included attack details, and 72% of notices included both attack and victim details. This is a worrying trend.

According to the ITRC, for most of the past 20 years, data breach notices have included sufficient detail to allow breach victims to accurately gauge risk, but since Q4 2021, the information included in data breach notices has been reducing, and that trend accelerated throughout 2022. In 2022, 747 of the 1,802 data breaches for which ITRC had information did not specify the root cause of the event, even though 1,595 compromises were linked to cyberattacks.

“A sudden lack of transparency in the content of data breach notices created risk for victims and fueled uncertainty about the true scale and impact of data compromises,” said Eva Velasquez, CEO, ITRC. “The result is individuals are largely unable to protect themselves from the harmful effects of data compromises which are fueling an epidemic – a ‘scamdemic’ – of identity fraud committed with stolen or compromised information.”

The reason for the sudden decline in transparency is unclear, although there are several theories. It is now far more common for lawsuits to be filed following data breaches, especially healthcare data breaches. While legal action was typically reserved for the largest data breaches, now it is common for multiple lawsuits to be filed in response to a data breach within days of the notification letters being sent, oftentimes even when there has been no misuse of stolen data.

There have been many rulings by federal courts dismissing lawsuits due to the failure to provide evidence of actual harm. In many states, it is not possible to sue for an increased risk of future harm due to the exposure of personal data. This could be one of the main reasons why breached entities are now reluctant to disclose detailed information about data breaches, as it could reveal information that could be used in a lawsuit against the company, even though the lack of information for breach victims increases the risk of actual harm being caused.

The ITRC draws attention to several data breaches at companies that made a conscious decision to withhold information about their data breaches, including Samsung, DoorDash, and LastPass. The information disclosed in the data breach notifications was sufficient to meet state requirements yet provided little in the way of information to help victims of the breaches assess risk. The LastPass data breach is a good case in point. Notifications were issued in August 2022 about a data breach involving source code and internal documentation. It took until December for it to be confirmed that the only customer information that had not been breached was the master password for password vaults, and for it also to be confirmed that its parent company, GoTo, had also been breached. It is still unknown how many of its customers were affected.

ITRC also suggested that the large number of security incidents now occurring, and the sophistication of these attacks, can make it difficult to quickly determine the cause, the individuals affected, and the potential consequences of those breaches. The economic downturn has resulted in restructuring and reprioritization of budgets, so when forensic analyses of data breaches are undertaken, fewer resources can be devoted to the task, which can increase the time taken to determine what has happened. If data breach reporting requirements demand prompt notifications, those notifications could be issued before detailed information is available about the breach.

In 2022, 1,802 data breaches were tracked by ITRC, the second-highest total of any year since the ITRC started tracking and reporting on data breaches, and the records of at least 422 million individuals were compromised, which means millions of individuals have been left in the dark about the nature of the exposure of their sensitive data and are consequently unable to accurately assess the level of risk they face.

As well as helping consumers determine what actions they need to take to protect themselves against fraud, more accurate reporting would make it far easier to obtain accurate data breach statistics to determine trends. That information would help policymakers make better decisions about where to allocate resources to combat the root cause of these data breaches.

At the federal and state level, laws place the burden of assessing risk on the individuals affected by data breaches, yet compromised organizations are generally not required to provide the information that allows accurate risk assessments to be made. Updating state laws to require certain information about data breaches to be made public could help consumers make better choices about precautions to take to protect against fraud; however, it may not prove to be enough of an incentive to improve reporting unless compliance were aggressively enforced.

There are federal laws requiring notifications about data breaches, but even these are not being actively enforced in their current form. The FTC has not enforced the Health Breach Notification Rule for years, and it is rare for the HHS’ Office for Civil Rights (OCR) to impose financial penalties for Breach Notification Rule failures, even when notifications have been issued many months after a data breach was detected. It is difficult to imagine OCR imposing penalties due to the lack of information in breach notices.


Ransomware Attacks, Hacks, and Pixel-Related Data Breaches Reported

UCLA Health Announces Pixel-Related Data Breach

UCLA Health has recently started notifying approximately 94,000 patients about an impermissible disclosure of their protected health information to certain unnamed service providers due to the use of analytics tools on its website and mobile app.

UCLA Health said analytics tools were used to better understand how patients interacted with the website and app. The data collected by UCLA Health was aggregated and used to develop more efficient and effective communication to improve its services to patients. UCLA Health said it was made aware of the potential for these analytics tools to transmit sensitive patient information to service providers in June 2022, and immediately disabled these tools on the website and app. A third-party forensics firm was then engaged to review the data collected and potentially transmitted by these tools to establish the extent of any privacy violation.

The privacy violation occurred due to the use of these tools on the appointment scheduling forms on the website and app, which may have captured and transmitted the URL/website address (which could include provider name, specialty, or ad campaign name), page view, IP address, third-party cookies, and hashed values of certain fields on the appointment request form. The hashed value form fields potentially included first and last name, email address, mailing address, phone number, and gender. UCLA Health confirmed that the tracking tools were not added to the myUCLAhealth online patient portal.

UCLA Health said notification letters were sent on January 13, 2022. The delay was due to the time taken to conduct the forensic investigation. UCLA Health said it has since enhanced its technology evaluation procedures.

Livingston Memorial VNA Health Corporation Announces Ransomware Attack

Livingston Memorial VNA Health Corporation, which provides hospice services in Ventura, CA, has confirmed that hackers gained access to its IT systems and used ransomware to encrypt files on or around February 19, 2022. The forensic investigation confirmed the attackers had access to patient data prior to encrypting files, but Livingston says no reports of misuse of data have been received to date. The breach also affected patients of its affiliates Livingston Memorial Visiting Nurse Association and Livingston Caregivers.

In the notice to the California attorney general, Livingston explained that the delay in issuing notifications was due to the length of time it took to verify which individuals had been affected. The complete list of affected individuals was finalized on November 3, 2022, and in accordance with HIPAA, a substitute breach notice was placed on its website from May 6, 2022, to August 9, 2022, confirming a security breach had occurred. Affected individuals have been offered complimentary single-bureau credit monitoring services.

Livingston said it has greatly improved its cybersecurity posture, including increasing logging and alerts, adding further internal controls and safeguards, increasing the frequency of third-party penetration tests, and reviewing all security policies and firewall rules.

Benefit Administrative Systems, LLC Confirms Security Breach Involved Data Theft

Benefit Administrative Systems, LLC, a Homewood, IL-based administrator of the Connected Care Health Plan, has notified certain individuals about the exposure of an electronic file that contained sensitive personally identifiable information. An alert was generated when the file was accessed by unauthorized individuals, and steps were immediately taken to protect its systems. The forensic investigation confirmed on November 1, 2022, that the file had been exfiltrated and contained first/last names, email addresses, health insurance member numbers, and health insurance group numbers of certain members.

Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months and steps have been taken to improve security to prevent similar breaches in the future.

Atlantic General Hospital Recovering from Suspected Ransomware Attack

Atlantic General Hospital in Maryland is currently investigating a security incident that resulted in a limited network outage. A spokesperson for the hospital confirmed that the ER is continuing to receive and treat patients, and elective surgeries and other outpatient procedures are being performed, although the hospital website says the walk-in outpatient lab is temporarily closed until further notice and the RediScripts pharmacy, pulmonary function testing, and outpatient imaging have been disrupted. At this stage of the investigation, it is too early to tell if, and to what extent, patient data has been exposed.


Up to 184,000 Clients of Lutheran Social Services of Illinois Impacted by Ransomware Attack

Des Plaines, IL-based Lutheran Social Services of Illinois, one of the largest providers of social services in the state, has announced that its systems were compromised and ransomware was used to encrypt files. The cyberattack was detected on January 27, 2022, and systems were taken offline to contain the attack, and third-party cybersecurity professionals were engaged to investigate the breach and determine the scope of the attack.

The forensic investigation and document review concluded on December 28, 2022, and confirmed that the attackers had access to its network between December 31, 2021, and January 27, 2022, and may have viewed or obtained files that contained protected health information. Data theft could not be ruled out, but at the time of issuing notifications, no reports had been received to suggest that sensitive information has been used for identity theft or fraud. The data potentially accessed included names, birth dates, Social Security numbers, financial information, driver’s license numbers, biometric information, diagnosis and treatment information, and health insurance information.

The HHS’ Office for Civil Rights data breach portal shows a breach reported by Lutheran Social Services of Illinois on March 25, 2022, indicating 1,000 individuals were affected. This coincides with the 60-day reporting deadline of the HIPAA Breach Notification Rule. This appears to have been a placeholder until the total number of individuals was determined. The breach notification sent to the Maine Attorney General indicates up to 184,183 individuals were affected, including 9 Maine residents. No reason was provided as to why it took 12 months from the date of discovery of the breach to issue breach notification letters to affected individuals.

Affected individuals have been offered complimentary single-bureau credit monitoring services, and Lutheran Social Services of Illinois said it has taken steps to further protect individual records against unauthorized access.

University of Colorado Hospital Authority Announces Third-Party Data Breach

University of Colorado Hospital Authority (UCHealth) has recently announced that one of its vendors has suffered a data breach that has affected 48,879 patients. UCHealth works with a software vendor called Diligent, which provides business operation tools and hosted services. Diligent recently notified UCHealth that it experienced a software incident that involved patient, provider, and employee data. The company’s software was accessed in the attack and attachments were downloaded from the hosted service that included UCHealth files. UCHealth’s email, electronic health records, and internal files were not impacted.

UCHealth said the stolen files included names, addresses, dates of birth, treatment-related information, and for a very limited number of individuals, Social Security numbers and/or financial information. UCHealth has confirmed that Diligent has implemented additional safeguards to prevent further data breaches.

PHI of PharmaCare Services and NextGen Healthcare Patients Posted on Dark Web

Cybercriminals have been attempting to extort money from the EHR and practice management solution provider, NextGen Healthcare, and Blanco, TX-based PharmaCare Services. Both healthcare organizations were recently added to the data leak site of the BlackCat ransomware group. The listing for NextGen Healthcare has since been removed but the PharmaCare Services listing is still live.

At the time of publication, no breach had been reported to the HHS’ Office for Civil Rights by either company. NextGen Healthcare has confirmed that an investigation has been launched into a security incident and that normal operations have resumed. A spokesperson for the company said client data does not appear to have been compromised and no evidence of data theft has been detected.

The BlackCat ransomware group operates under the ransomware-as-a-service model, with affiliates used to conduct attacks on behalf of the group for a percentage of any ransoms they generate. BlackCat claims that its affiliates are not permitted to attack medical institutions, hospitals, and ambulance services, although pharmaceutical firms and private clinics are not off-limits. The HHS has previously issued a warning about BlackCat ransomware, stating that while there appears to be a ban on attacks on the sector, ransomware gangs have previously violated their own bans on attacking healthcare organizations.


Logan Health Proposes $4.3 Million Settlement to Resolve Class Action Data Breach Lawsuit

Logan Health has agreed to settle a class action lawsuit related to a 2021 hacking incident that exposed the protected health information of 213,543 individuals. Under the terms of the settlement, Logan Health has agreed to create a fund of $4.3 million to cover claims from individuals affected by the breach.

Logan Health, formerly Kalispell Regional Medical Center, is a 622-bed health system based in Kalispell, MT, which operates six hospitals and more than 68 provider clinics in the state. On February 18, 2022, Logan Health announced that it was the victim of a sophisticated cyberattack in which hackers gained access to a file server containing patient data. The breach was detected on November 22, 2021, and the investigation confirmed that access to its systems was gained on November 18, 2021. On January 5, 2022, Logan Health learned that the attackers accessed files containing patient information such as names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, insurance claim information, date(s) of service, treating/referring physician, medical bill account number, and/or health insurance information. Affected individuals were offered complimentary credit monitoring services.

A lawsuit – Tafelski, et al. v. Logan Health Medical Center – was filed against Logan Health in the Montana Eighth Judicial District Court shortly after notification letters were mailed. The lawsuit alleged Logan Health had failed to implement reasonable and appropriate cybersecurity measures and had not provided sufficient security awareness training to its workforce, and that had those measures been implemented, the data breach would have been prevented. In addition to this breach, Logan Health had experienced others while operating as Kalispell Regional Medical Center, which had affected 2,081 state residents in 2021 and 126,805 individuals in 2019. The lawsuit alleged the plaintiffs and class members have suffered damages including the compromise, publication, theft and/or unauthorized use of their PII/PHI, out-of-pocket costs from the prevention, detection, recovery, and remediation of identity theft or fraud, and lost opportunity costs and lost wages, and that they face a continued risk to their PII/PHI.

Logan Health chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, affected individuals can submit claims up to a maximum of $25,000 for reimbursement of out-of-pocket expenses that are reasonably traceable to the data breach and were not reimbursable by a third party. Claims can also include lost time up to a maximum of $125 per class member. In addition to claims for reimbursement of losses, class members can choose to claim three years of credit monitoring services or a cash payment in lieu of the credit monitoring services.

The deadline for exclusion from or objections to the settlement is February 13, 2023. Claims must be submitted by April 3, 2023, and the final approval hearing for the settlement has been scheduled for March 9, 2023.


Second Class Action Lawsuit Filed Against CommonSpirit Health Over Ransomware Attack

Another lawsuit has been filed against CommonSpirit Health over its 2022 ransomware attack and data breach, alleging that the nation’s largest Catholic health system failed to implement reasonable and appropriate safeguards to prevent unauthorized access to sensitive patient data.

CommonSpirit Health announced in early October that it was dealing with a cyberattack that took down its IT systems, then in December confirmed that the individuals behind the ransomware attack had access to certain parts of its network from September 16 through October 3, 2022, during which time they may have accessed or obtained the protected health information of 623,774 patients including names, contact information, birth dates, and internal patient identifiers.

The latest lawsuit was filed on January 13, 2022, in the U.S. District Court for the Northern District of Illinois on behalf of plaintiff Jose Antonio Koch, his two minor children (John/James Doe), and other similarly affected individuals. Koch and his children received medical care at St. Michael Medical Center in Silverdale, WA, a CommonSpirit Health member hospital operated by Virginia Mason Franciscan Health, that was affected by the attack.

CommonSpirit Health provided regular updates on its website about the cyberattack and data breach and notified patients in December when the extent of the breach had been determined, approximately two and a half months after the breach occurred and two months after the breach was detected. The lawsuit alleges CommonSpirit Health “intentionally, willfully, recklessly or negligently” failed to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions, and that “CommonSpirit has not been forthcoming about the data breach.” The lawsuit also suggests the actual number of individuals affected may be much higher, potentially as high as 20 million, and takes issue with the time it took CommonSpirit Health to detect the data breach, which started on September 16, 2022, but was not detected until October 2, 2022.

The lawsuit alleges the plaintiffs and class members have been exposed to a heightened and imminent risk of fraud, financial identity theft, and medical identity theft, and must now cover the cost of credit monitoring services, credit freezes, credit reports, and other protective measures, and that they have had to spend time monitoring their accounts, changing passwords, and taking other measures to protect their identities.

The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and negligence per se, and seeks class action status, at least 7 years of complimentary credit monitoring services, and an award of actual damages, compensatory damages, statutory damages, and statutory penalties, as determined and allowable by law, and an award of punitive damages and attorneys’ fees.

An earlier lawsuit was filed in the U.S. District Court for the Northern District of Illinois on December 29, 2022, by Washington resident, Leeroy Perkins, which makes similar claims that industry-standard cybersecurity measures had not been implemented. That lawsuit seeks damages exceeding $5 million and injunctive relief, which includes the requirement for CommonSpirit Health to implement stronger data security measures to prevent further data breaches.


2022 Healthcare Data Breach Report

For the first time since 2015, there was a year-over-year decline in the number of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), albeit only by 1.13%, with 707 data breaches of 500 or more records reported. Even with that reduction, 2022 still ranked as the second-worst-ever year in terms of the number of reported breaches.

As the year drew to an end, data breach numbers started to decline from a high of 75 data breaches in October. Time will tell whether this trend will continue in 2023, although the lull in data breaches appears to have continued so far this year with an atypically low number of breaches currently showing on the OCR data breach portal this month.

In addition to the slight reduction in reported data breaches, there was also a drop in the number of breached records, which fell by 13.15% from 54.09 million records in 2021 to 51.9 million records in 2022.

The theft of protected health information places patients and health plan members at risk of identity theft and fraud, but by far the biggest concern is the threat to patient safety. Cyberattacks on healthcare providers often cause IT system outages, which in many cases have lasted several weeks causing considerable disruption to patient care. While there have not been any known cases of cyberattacks directly causing fatalities, the lack of access to patient data causes diagnosis and treatment delays that affect patient outcomes. Multiple studies have identified an increase in mortality rates at hospitals following ransomware attacks and other major cyber incidents.


These cyberattacks and data breaches result in huge financial losses for healthcare organizations. The 2022 IBM Cost of a Data Breach Report indicates the average cost of a healthcare data breach increased to an all-time high of $10.1 million in 2022, although individual data breaches can be significantly more expensive. In addition to the considerable breach remediation costs, security must be improved, cyber insurance premiums increase, and it is now common for multiple class action lawsuits to be filed following data breaches. There is also a risk of financial penalties from regulators.

The largest ever healthcare data breach, suffered by Anthem Inc in 2015, affected 78.8 million members and cost the health insurer around $230 million in clean-up costs, $115 million to settle the lawsuits, $39.5 million to settle the state attorneys general investigation, and $16 million to resolve the OCR investigation. Even much smaller data breaches can prove incredibly costly. Scripps Health suffered a data breach of 1.2 million records in 2021 due to a ransomware attack. The attack caused losses in excess of $113 million due to lost business ($92 million) and the clean-up costs ($21 million). There are also several lawsuits outstanding and there could be regulatory fines.

Largest Healthcare Data Breaches in 2022

There were 11 reported healthcare data breaches of more than 1 million records in 2022 and a further 14 data breaches of over 500,000 records. The majority of those breaches were hacking incidents, many of which involved ransomware or attempted extortion. Notable exceptions were several impermissible disclosure incidents that resulted from the use of pixels on websites. These third-party tracking technologies were added to websites to improve services and website functionality, but the data collected was inadvertently transmitted to third parties such as Meta and Google when users visited the websites while logged into their Google or Facebook accounts. The extent to which these tracking technologies have been used by healthcare organizations prompted OCR to issue guidance on these technologies, highlighting the considerable potential for HIPAA violations.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| OneTouchPoint, Inc. | WI | Business Associate | 4,112,892 | Ransomware attack |
| Advocate Aurora Health | WI | Healthcare Provider | 3,000,000 | Pixel-related impermissible disclosure via websites |
| Connexin Software, Inc. | PA | Business Associate | 2,216,365 | Hacking incident and data theft |
| Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking incident and data theft |
| Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Ransomware attack |
| Baptist Medical Center | TX | Healthcare Provider | 1,608,549 | Malware infection |
| Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Pixel-related impermissible disclosure via websites |
| Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. | NC | Business Associate | 1,362,296 | Pixel-related impermissible disclosure via websites |
| North Broward Hospital District d/b/a Broward Health ("Broward Health") | FL | Healthcare Provider | 1,351,431 | Hacking incident and data theft |
| Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Hacking incident and data theft |
| Doctors' Center Hospital | PR | Healthcare Provider | 1,195,220 | Ransomware attack |
| Practice Resources, LLC | NY | Business Associate | 942,138 | Hacking incident and data theft |
| Wright & Filippis LLC | MI | Healthcare Provider | 877,584 | Ransomware attack |
| Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking incident and data theft |
| MCG Health, LLC | WA | Business Associate | 793,283 | Hacking incident and data theft |
| Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Ransomware attack |
| SightCare, Inc. | AZ | Health Plan | 637,999 | Hacking incident and data theft |
| CommonSpirit Health | IL | Business Associate | 623,774 | Ransomware attack |
| Metropolitan Area EMS Authority dba MedStar Mobile Healthcare | TX | Healthcare Provider | 612,000 | Ransomware attack |
| Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Ransomware attack |
| Morley Companies, Inc. | MI | Business Associate | 521,046 | Ransomware attack |
| Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | Hacking incident |
| Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacking incident and data theft |
| Health Care Management Solutions, LLC | WV | Business Associate | 500,000 | Hacking incident and data theft |
| OakBend Medical Center / OakBend Medical Group | TX | Healthcare Provider | 500,000 | Ransomware attack |

While 2022 saw some very large data breaches reported, the majority of reported data breaches were relatively small. 81% of the year's data breaches involved fewer than 50,000 records, and 58% involved between 500 and 9,999 records.

Hacking incidents dominated the breach reports, with 555 of the 707 reported breaches (78.5%) classified as hacking/IT incidents; these accounted for 84.6% of all breached records in 2022. The average breach size was 79,075 records and the median breach size was 8,871 records. There were 113 unauthorized access/disclosure breaches reported in 2022, accounting for 14.5% of the breached records. The average breach size was 66,610 records, inflated by some large pixel-related data breaches, and the median breach size was 1,652 records.

Theft (23 breaches) and loss (12 breaches) incidents were reported in relatively low numbers, continuing a downward trend from these once incredibly common data breaches. The downward trend is due to better control of devices and the use of encryption. The average breach size was 13,805 records and the median breach size was 1,704 records. There were four incidents involving the improper disposal of devices containing PHI and physical records. The average breach size was 1,772 records and the median was 1,021 records.

The high number of hacking incidents is reflected in the chart below, which shows the location of breached protected health information. Compromised email accounts remain a major source of data breaches, highlighting the importance of multi-factor authentication and training employees on how to recognize the signs of phishing.

Which Entities Suffered the Most Data Breaches?

The raw data on the OCR breach portal does not accurately reflect the extent to which business associate data breaches are occurring, because a breach at a business associate is often reported by each affected covered entity rather than by the vendor itself. Factoring in business associate involvement gives a more accurate gauge. In 2022, 127 data breaches were self-reported by business associates, but there were 394 reported data breaches in which business associates were involved; that is a 337% increase since 2018. Last year, data breaches at business associates outnumbered data breaches at healthcare providers for the first time.

Several major business associate data breaches were reported to OCR in 2022, with some of the data breaches affecting several hundred healthcare organizations. A data breach at the debt collections company, Professional Finance Company, affected 657 of its healthcare clients and involved more than 1.91 million healthcare records. Eye Care Leaders, a provider of electronic health records to eye care providers, suffered a cyberattack that affected at least 41 eye care providers and exposed the data of almost 3.65 million patients.

The graph below shows the sharp increase in data breaches at business associates in recent years. There are several reasons for the increase. Hackers have realized the value of conducting attacks on business associates. One successful attack can provide access to the data, and sometimes networks, of all of the vendor’s clients. Healthcare organizations are now using more vendors to manage administrative functions and risk increases in line with the number of vendors. As more vendors are used, it becomes harder to monitor cybersecurity at the vendors. Managing third-party risk is one of the biggest challenges for healthcare organizations in 2023.

Data breaches by HIPAA-regulated entity type, 2009 to 2022


Where Did the Data Breaches Occur?

Healthcare data breaches were reported by HIPAA-regulated entities in 49 states, Washington D.C., and Puerto Rico in 2022. Alaska was the only state to survive the year with no reported data breaches. In general, the most populated states suffer the most data breaches. In 2022, the 10 most populated U.S. states all ranked in the top 15 worst affected states, although it was New York rather than California that topped the list with 68 reported breaches.

| State | Breaches |
|---|---|
| New York | 68 |
| California & Texas | 52 |
| Florida & Pennsylvania | 38 |
| New Jersey | 27 |
| Georgia | 26 |
| Michigan, Virginia & Washington | 24 |
| Ohio | 23 |
| Illinois & North Carolina | 22 |
| Tennessee | 17 |
| Arizona & Maryland | 16 |
| Massachusetts & Wisconsin | 15 |
| Colorado | 14 |
| Connecticut, Indiana & Missouri | 13 |
| Alabama | 11 |
| Kansas, Oklahoma & South Carolina | 9 |
| Arkansas, New Hampshire & West Virginia | 8 |
| Nebraska & Oregon | 7 |
| Minnesota | 6 |
| Utah | 5 |
| Delaware, Nevada & Rhode Island | 4 |
| Hawaii, Kentucky, Louisiana, Mississippi, Montana, South Dakota & Vermont | 3 |
| Iowa, Idaho, Maine, New Mexico & Washington D.C. | 2 |
| North Dakota & Wyoming | 1 |
| Alaska | 0 |

HIPAA Enforcement in 2022

HIPAA is primarily enforced by OCR, with state attorneys general also assisting with HIPAA enforcement. OCR imposed more financial penalties for HIPAA violations in 2022 than in any other year to date, with 22 investigations resulting in settlements or civil monetary penalties.

OCR has limited resources for investigations but does investigate all breaches of 500 or more records. That task has become increasingly difficult due to the increase in data breaches, which have tripled since 2010. Despite the increase in data breaches, OCR’s budget for HIPAA enforcement has hardly increased at all, aside from adjustments for inflation. As of January 17, 2022, OCR had 882 data breaches listed as still under investigation. 97% of all complaints and data breach investigations have been successfully resolved.

Some investigations warrant financial penalties, and while the number of penalties has increased, the penalty amounts for HIPAA violations have been decreasing. Most of the financial penalties in 2022 were under $100,000.

HIPAA Settlements and Civil Monetary Penalties 2008-2022

Since 2019, the majority of financial penalties imposed by OCR have been for HIPAA right of access violations, all of which stemmed from complaints from individual patients who had not been provided with their medical records within the allowed time frame. OCR continues to pursue financial penalties for other HIPAA violations, but these penalties are rare.

2022 HIPAA Settlements and Civil Monetary Penalties

| Regulated Entity | Penalty Amount | Type of Penalty | Reason |
|---|---|---|---|
| Health Specialists of Central Florida Inc | $20,000 | Settlement | HIPAA Right of Access failure |
| New Vision Dental | $23,000 | Settlement | Impermissible PHI disclosure, Notice of Privacy Practices, releasing PHI on social media |
| Great Expressions Dental Center of Georgia, P.C. | $80,000 | Settlement | HIPAA Right of Access failure (time/fee) |
| Family Dental Care, P.C. | $30,000 | Settlement | HIPAA Right of Access failure |
| B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental | $25,000 | Settlement | HIPAA Right of Access failure |
| New England Dermatology and Laser Center | $300,640 | Settlement | Improper disposal of PHI, failure to maintain appropriate safeguards |
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, and the impermissible disclosure of the PHI of 279,865 individuals |
| Dr. Brockley | $30,000 | Settlement | HIPAA Right of Access failure |
| Jacob & Associates | $28,000 | Settlement | HIPAA Right of Access failure, Notice of Privacy Practices, HIPAA Privacy Officer |
| Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. | $50,000 | Civil Monetary Penalty | Impermissible disclosure on social media |
| Northcutt Dental-Fairhope | $62,500 | Settlement | Impermissible disclosure for marketing, Notice of Privacy Practices, HIPAA Privacy Officer |

HIPAA enforcement by state attorneys general is relatively rare. Only three financial penalties were imposed in 2022 by state attorneys general. In these cases, penalties were imposed for violations of the HIPAA Rules and state laws.

| State | Regulated Entity | Penalty | Penalty Type | Reason |
|---|---|---|---|---|
| Oregon/Utah | Avalon Healthcare | $200,000 | Settlement | Lack of safeguards and late breach notifications |
| Massachusetts | Aveanna Healthcare | $425,000 | Settlement | Lack of safeguards against phishing |
| New York | EyeMed Vision Care | $600,000 | Settlement | Multiple security failures |


PHI of More Than 240K Patients Compromised in 5 Healthcare Data Breaches

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state Attorneys General.

BayCare Clinic Announced Pixel-Related Data Breach

Wisconsin-based healthcare provider BayCare Clinic, LLP, has recently announced that the protected health information of up to 134,000 of its patients was impermissibly disclosed to unauthorized third parties as a result of the use of tracking pixels by its partner, Advocate Aurora Health. Advocate Aurora Health previously disclosed a pixel-related data breach in which the personal and protected health information of up to 3 million of its patients was disclosed to third parties such as Google and Meta. The impermissible disclosures occurred when users visited its website and patient portal while logged into their Google or Facebook accounts, which allowed the tracking vendors to tie the transmitted page data to identified accounts.

The types of information involved depended on users’ interactions on the MyChart and LiveWell websites and applications, which may have included the following types of data: IP address, dates, times, and/or locations of scheduled appointments, proximity to a practice location, provider information, type of appointment or procedure, whether the individual had insurance cover, communications between the patient and others through MyChart, which may have included first and last names and medical record numbers, and whether the user had a proxy MyChart account, in which case the first and last name of the proxy may have been disclosed.

Advocate Aurora Health has removed the pixels and will subject all tracking technologies to more stringent checks in the future. Further information on the nature of the breach can be found in this post.
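The pixel breaches above (both the Advocate Aurora Health incident and the 2022 breach table) share one root cause: third-party tracking code loaded on authenticated pages, where the beacon carries at least the page URL and often appointment or provider details. The check below is an added example, not code from HIPAA Journal, Advocate Aurora Health or any tracking vendor: it scans a page's HTML for third-party script, image and iframe sources and for inline pixel calls, and shows what a plain PageView beacon would leak from the page URL. The sample portal page, the pixel ID, the first-party host and the tracker host list are constructed for illustration; extend the host list for your own environment.

```python
"""
Audit an HTML page for third-party tracking code before it reaches a patient portal.
Added example; the sample page, pixel ID, hostnames and tracker list are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts known to receive tracking-pixel traffic (assumed list; extend as needed).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel beacon (/tr)",
    "www.googletagmanager.com": "Google Tag Manager / gtag loader",
    "www.google-analytics.com": "Google Analytics beacon",
}

# Inline calls that initialise or fire a pixel even if the loader is served elsewhere.
INLINE_PATTERNS = re.compile(r"\b(fbq|gtag|ga|dataLayer\.push)\s*\(")


class TrackerScanner(HTMLParser):
    """Collect external script/img/iframe sources and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.sources = []          # (tag, url) for elements with a src attribute
        self.inline_scripts = []   # bodies of <script> tags without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.sources.append((tag, attrs["src"]))
        elif tag == "script":
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline_scripts.append(data)


def find_trackers(html: str, first_party_host: str) -> list[dict]:
    """Return one finding per third-party resource or inline pixel call on the page."""
    scanner = TrackerScanner()
    scanner.feed(html)
    findings = []
    for tag, url in scanner.sources:
        host = urlparse(url).netloc.lower()
        if not host or host == first_party_host:
            continue  # relative path or same-origin resource: not a third party
        findings.append({"tag": tag, "host": host,
                         "what": TRACKER_HOSTS.get(host, "unknown third party")})
    for body in scanner.inline_scripts:
        match = INLINE_PATTERNS.search(body)
        if match:
            findings.append({"tag": "inline", "host": None,
                             "what": f"inline {match.group(1)}() call"})
    return findings


def leaked_page_fields(page_url: str) -> dict:
    """A default PageView beacon sends the full page URL as its 'dl' parameter, so the
    path and every query parameter name shown here reach the tracking vendor even
    with no custom events configured."""
    parsed = urlparse(page_url)
    return {"path": parsed.path, "query_params": sorted(parse_qs(parsed.query))}


# Constructed sample: a scheduling page in a patient portal with GTM and a Meta Pixel.
SAMPLE_PAGE = """<html><head>
<script src="/static/portal.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  !function(f,b,e,v,n,t,s){/* loader omitted */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<img src="/static/logo.png">
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</body></html>"""

if __name__ == "__main__":
    for f in find_trackers(SAMPLE_PAGE, "portal.example.org"):
        print(f)
    print(leaked_page_fields(
        "https://portal.example.org/appointments/schedule?visit_type=oncology&provider=1234"))
```

Run this against every template that renders behind login, not just the public marketing pages; the Advocate Aurora Health breach involved the MyChart and LiveWell portal pages, where the URL itself encodes appointment and provider context.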

Rhode Island Department of Health Reports Internal Data Breach

The Rhode Island Department of Health (RIDOH) has announced there has been an internal impermissible disclosure of patient information. The breach was discovered on October 21, 2022, with the investigation confirming patient information was impermissibly disclosed between July and October 2022. A hyperlink to a spreadsheet was included in emails sent to employees and the spreadsheet contained information about the individuals who were receiving food deliveries while in isolation or quarantine during the COVID-19 pandemic. The spreadsheet contained information such as names, addresses, phone numbers, household information, delivery information, and information about the specific food needs of those individuals.

Access to the file was immediately restricted when the issue was detected, and a scan was conducted on email accounts to determine whether the emails had been shared. RIDOH said it is not aware of any misuse of the exposed information. Steps have since been taken to prevent further disclosures of this nature, including providing additional training to employees on the handling of sensitive information. Approximately 8,800 individuals were affected.

DCH Health System Discovers Insider Data Breach

Tuscaloosa, AL-based DCH Health System has recently announced that a former employee accessed the medical records of patients without authorization. The unauthorized access was discovered by DCH Health on December 9, 2022, during a routine privacy audit. The audit revealed the employee had viewed the medical records of a patient on December 5, 2022, when there was no legitimate work reason for doing so. During the subsequent investigation, DCH Health discovered this was not the first time that medical records had been accessed by the employee, as the privacy violations had been occurring since September 2021. During that time, the records of approximately 2,530 patients were impermissibly accessed. The types of information viewed included names, addresses, birth dates, Social Security numbers, dates of encounters, diagnoses, vital signs, medications, test results, and clinical/provider notes.

DCH Health said the employee was immediately suspended when the first unauthorized access was discovered and was subsequently terminated over the privacy violations. Complimentary identity theft protection services have been offered to affected patients, although DCH Health said there are no indications that any patient information has been or will be misused. DCH Health said employees will continue to be provided with HIPAA and privacy training on appropriate access, and the incident will be used to improve privacy monitoring tools and processes.
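The DCH Health incident was caught by a routine privacy audit that compared who viewed a chart against who had a work reason to, and the look-back then turned one hit into a 15-month pattern. The script below is an added example, not DCH Health System's monitoring tooling: it runs that comparison over an access-log extract, flags views by users with no recorded treatment or billing relationship to the patient, and summarizes each flagged user by patient count and first/last access so a single hit can be widened into a retrospective review. The log format, user names, patient IDs, care-team table and allowlist are all constructed for illustration.

```python
"""
Minimal EHR access-review check: flag chart views with no care relationship.
Added example, not DCH Health System's code; all data below is constructed.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed audit-log extract: ISO timestamp, user, patient ID, action.
ACCESS_LOG = """\
timestamp,user,patient_id,action
2021-09-14T08:12:00,nurse_a,P1001,view_chart
2021-09-14T08:15:00,clerk_b,P2002,view_chart
2021-10-03T13:40:00,clerk_b,P2003,view_chart
2022-12-05T11:02:00,clerk_b,P3003,view_chart
2022-12-05T11:05:00,dr_c,P3003,view_chart
2022-12-06T09:00:00,clerk_b,P3003,view_chart
"""

# Constructed relationships: patient -> users with a legitimate reason to open the chart
# (care-team membership on an encounter, or assignment to the patient's account).
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_c"},
    "P2002": {"dr_c"},
    "P2003": {"nurse_a"},
    "P3003": {"dr_c", "nurse_a"},
}

# Roles whose job legitimately spans many charts (e.g., health information management).
# Assumed allowlist; keep it short and review it, since it is where abuse hides.
BROAD_ACCESS_USERS = set()


def parse_log(text):
    """Parse the CSV extract and convert timestamps to datetime objects."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def flag_unrelated_access(rows, care_team, allowlist=BROAD_ACCESS_USERS):
    """Return every access where the user is neither allowlisted nor on the
    patient's care team. Unknown patients have no relationships, so they flag."""
    return [
        row for row in rows
        if row["user"] not in allowlist
        and row["user"] not in care_team.get(row["patient_id"], set())
    ]


def summarize_by_user(flagged):
    """Per user: distinct patients touched and the first/last unrelated access.
    One hit is a triage item; many patients over a long span is the pattern
    DCH Health found when it looked back from the first detected view."""
    acc = defaultdict(lambda: {"patients": set(), "first": None, "last": None})
    for row in flagged:
        entry = acc[row["user"]]
        entry["patients"].add(row["patient_id"])
        ts = row["timestamp"]
        entry["first"] = ts if entry["first"] is None or ts < entry["first"] else entry["first"]
        entry["last"] = ts if entry["last"] is None or ts > entry["last"] else entry["last"]
    return {
        user: {"patient_count": len(e["patients"]), "first": e["first"], "last": e["last"]}
        for user, e in acc.items()
    }


if __name__ == "__main__":
    hits = flag_unrelated_access(parse_log(ACCESS_LOG), CARE_TEAM)
    for user, summary in summarize_by_user(hits).items():
        print(user, summary)
```

In practice the relationship table comes from encounter, scheduling and billing data, and the access log from the EHR's audit trail; the value of the check is running it on a schedule rather than only after a complaint, which is what turned DCH Health's December finding into a full accounting back to September 2021.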

Patient Data Compromised in Rundle Eye Care Hacking Incident

Drs. Keith and Herman Rundle have recently confirmed that the protected health information of certain Rundle Eye Care patients has been accessed and potentially obtained by unauthorized individuals. According to the breach notification letters, the attack occurred “recently” and involved patient names, birth dates, and treatment information.

While data theft may have occurred, there are no indications that patient data have been or will be misused. As a precaution against the misuse of patient data, affected patients have been offered complimentary single bureau credit monitoring services for 12 months. Measures have also been taken to strengthen system security.

While ransomware was not mentioned in the breach notice, the Everest Ransomware Group claimed responsibility for the attack and says 30 GB of data was stolen, including tax records, medical records, and prescription forms.

Satellite Healthcare Reports Breach Affecting 95,000 Patients

San Jose, CA-based Satellite Healthcare has recently reported a breach of the PHI of 95,128 patients to the Texas Attorney General, including 22 Texas residents. Few details are available on the breach at this stage as the incident has yet to appear on the website of the California attorney general and there is no notice on the healthcare provider’s website.

What is known is the breach involved protected health information such as names, medical information, health insurance information, and financial information. Notifications have been issued to affected individuals by mail. Satellite Healthcare was contacted for further information on the breach, but no immediate response was received. This post will be updated when further information becomes available.
