HIPAA Breach News

Scripps Health Proposes $3.5M Settlement to Resolve Class Action Ransomware Lawsuit

Scripps Health has proposed a settlement to resolve a consolidated class action lawsuit – In Re: Scripps Health Data Incident Litigation – covering all claims related to its 2021 ransomware attack.

In April 2021, Scripps Health suffered a ransomware attack that was reported to the Department of Health and Human Services as affecting 147,267 patients. The attack caused major disruption at Scripps Health hospitals. Scripps Health had to redirect ambulances and cancel scheduled appointments, and staff were forced to record patient information on paper while the San Diego-based health system restored its IT systems – a process that took around a month.

The investigation revealed the hackers stole files from its network on April 29, 2021, which contained protected health information such as names, Social Security numbers, driver’s license numbers, and healthcare information, including information stored in medical records. The ransomware attack has proven to be incredibly costly for Scripps Health. Its financial statements show the attack cost at least $113 million in lost revenue.

Multiple lawsuits were filed against Scripps Health in the San Diego County Superior Court in the wake of the data breach on behalf of individuals affected by the ransomware attack. The lawsuits allege Scripps Health failed to implement and maintain adequate security measures to protect patient information and had inadequate policies and procedures for detecting and remediating cyberattacks, despite being aware of the high risk of an attack.

The plaintiffs allege they have suffered lost time, annoyance, interference, and inconvenience as a result of the data breach, including being prevented from accessing the MyScripps patient portal, which is used by patients to access their healthcare information, request prescription refills, manage appointments, and communicate with doctors. The lawsuits sought damages, reimbursement of out-of-pocket expenses, and injunctive relief, requiring Scripps Health to implement adequate security measures to better protect patient data in the future.

Scripps Health has not admitted any wrongdoing and does not accept liability for the ransomware attack and data breach. The decision was taken to settle the lawsuit to prevent further legal costs, avoid the uncertainty of trial, and resolve all claims related to the data breach. Under the terms of the settlement, class members are entitled to submit a claim for a cash payment of up to $100 which is subject to a pro rata increase based on the number of claims received. In addition, class members are entitled to submit claims for documented ordinary and extraordinary losses. The settlement amount is expected to exceed $3.5 million.

Claims for reimbursement of ordinary out-of-pocket losses are permitted up to a maximum of $1,000 per class member. Ordinary losses include unreimbursed bank fees, card re-issuance fees, overdraft fees, over-limit fees, telephone charges, costs of credit reports, and similar losses that can be reasonably traced to the ransomware attack.

Extraordinary losses are those related to identity theft that are fairly traceable to the ransomware attack and were suffered between April 29, 2021, and March 23, 2023. To qualify for reimbursement of extraordinary losses, class members must have made reasonable efforts to avoid suffering losses and must have exhausted available avenues for recovering losses related to identity theft.

Class members wishing to exclude themselves from or object to the settlement have until March 8, 2023, to do so. The deadline for submitting claims is March 23, 2023. The final approval hearing is scheduled for April 7, 2023.

The post Scripps Health Proposes $3.5M Settlement to Resolve Class Action Ransomware Lawsuit appeared first on HIPAA Journal.

Lake Charles Memorial Health System Cyberattack Affects Almost 270,000 Patients

Southwest Louisiana Health Care System, Inc. has confirmed that the protected health information of up to 269,752 patients of Lake Charles Memorial Health System has been compromised. The Louisiana healthcare system said suspicious activity was detected by its security team on October 21, 2022, and steps were taken to contain the activity and investigate a potential breach. On October 25, it was confirmed that an unauthorized third party had gained access to the network, with the forensic investigation confirming the attack started between October 20 and October 21, 2022, and involved the theft of patient data from the network.

The review of the exfiltrated files determined they contained information such as names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information, payment information, and limited clinical information. Some Social Security numbers were also compromised. Notification letters were sent to affected individuals on December 23, 2022, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were compromised.

Southwest Louisiana Health Care System did not disclose the exact nature of the cyberattack, but the Hive ransomware gang claimed responsibility. While Hive is known for using ransomware to encrypt files, the gang claims only to have exfiltrated patient data. Files were not encrypted. A ransom demand was issued, payment of which was required to ensure the stolen data was deleted. Payment does not appear to have been made as the Hive gang started dumping the stolen data last month.

FoundCare Email Account Breach Affects 14,000 Patients

The Palm Springs, FL-based federally qualified health center, FoundCare Inc., has announced that unauthorized individuals have gained access to its email environment and potentially viewed or obtained emails and files that contained the protected health information of 14,194 patients.

Suspicious activity was detected within its email environment on September 2, 2022, and a third-party digital forensics firm was engaged to conduct an investigation. FoundCare said it determined on October 18, 2022, that files in the email account contained patient data. The review of those files and verification of patient contact information has recently concluded, and notification letters are now being sent to the affected individuals. Data exposed in the attack included names, addresses, email addresses, credit card numbers, Social Security numbers, birth dates, passport numbers, other government ID numbers, medical conditions, diagnoses, treatment information, health insurance information, and internal patient identifiers. FoundCare said the vast majority of individuals only had limited medical information exposed.

FoundCare has implemented additional security measures in response to the breach, including turning on multifactor authentication for all users, blocking basic authentication, adding a warning banner to all emails from new email addresses, and providing continuous phishing awareness training to all employees.

Ransomware Attack Affects 6,800 Patients of Midwest Orthopaedic Consultants

Midwest Orthopaedic Consultants in Illinois has announced that unauthorized individuals gained access to its computer network and used ransomware to encrypt files. The cyberattack was detected on September 29, 2022, and steps were immediately taken to contain the attack. A third-party forensic security firm was engaged to investigate the breach and determined that the attackers gained access to the network on September 27, 2022, and exfiltrated certain documents before encrypting files. Midwest Orthopaedic Consultants discovered on November 4 that the files contained patient data, with a comprehensive review of those documents confirming on November 21, 2022, that individually identifiable health information had been exposed such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, diagnosis and treatment information, and health insurance information. Notification letters were sent to affected individuals on December 22, 2022. Midwest Orthopaedic Consultants said the encrypted files were recovered from backups.

Complimentary identity theft protection services have been offered to individuals whose Social Security numbers or driver’s license numbers were compromised and additional technical measures have been implemented to prevent similar incidents in the future. The breach has been reported to the HHS’ Office for Civil Rights as affecting 6,818 patients.

MultiCare Health System Affected by Ransomware Attack on Mailing Vendor

MultiCare Health System in Washington has recently confirmed that the protected health information of more than 23,000 patients has potentially been compromised in a data breach at its mailing vendor, Kaye-Smith. Kaye-Smith detected suspicious activity within its digital environment in June 2022. The forensic investigation revealed hackers had gained access to its systems and had been using ransomware to encrypt files, undetected, since May 2022. MultiCare Health System was one of several health systems to be affected by the incident.

MultiCare Health System said the attackers may have accessed or acquired files that contained patients’ names, addresses, and Social Security numbers. Kaye-Smith said it has enhanced security and monitoring in response to the incident.

Collections Vendor Data Breach Affects Prairie Lakes Healthcare Patients

Watertown, SD-based Prairie Lakes Healthcare System, which serves patients in South Dakota and Western Minnesota, has recently announced that the protected health information of 1,059 patients has been exposed in a data breach at one of its business associates. Prairie Lakes Healthcare uses AAA Collections, Inc., which does business as Advanced Asset Alliance (AAA), to collect unpaid medical bills.

Between September 5, 2022, and September 7, 2022, hackers gained access to AAA’s systems and potentially obtained files containing the protected health information of patients of Prairie Lakes Healthcare and former Glacial Lakes Orthopaedics patients. An analysis of the files confirmed they contained information such as names, addresses, dates of birth, medical record numbers, provider/facility names, conditions, diagnoses, treatment information, payment information, and dates of service. Notifications were mailed by AAA to affected individuals on December 15, 2022. Prairie Lakes Healthcare said it is working with its vendor to prevent similar events from occurring in the future.


Class Action Data Breach Lawsuit Settled by Morley Companies

Morley Companies has agreed to settle a class action lawsuit filed on behalf of individuals affected by a major data breach that occurred on or around August 1, 2021. A fund of $4.3 million has been created to cover claims from individuals affected by the data breach.

On or around August 1, 2021, Morley Companies, a Saginaw, MI-based provider of business services, suffered a cyberattack in which hackers gained access to parts of its network. Morley Companies said the attack prevented access to its information systems when files were encrypted, with the investigation confirming that the attackers exfiltrated files containing protected health information.

Approximately 628,000 breach notification letters were mailed, and the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 521,046 individuals. The breached information included names, addresses, Social Security numbers, birthdates, client identification numbers, medical diagnostic and treatment information, and health insurance information. Morley Companies accepts no liability for the incident and has admitted no wrongdoing but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, class members can submit a claim to receive reimbursement of up to $2,500 for documented out-of-pocket expenses that are reasonably traceable to the cyberattack and data breach. These can include unreimbursed losses relating to fraud or identity theft; professional fees, including attorneys’ and accountants’ fees; fees for credit repair services; costs associated with freezing or unfreezing credit with any credit reporting agency; credit monitoring costs incurred on or after August 1, 2021; and miscellaneous expenses such as notary, data charges, fax, postage, copying, mileage, cell phone charges, and long-distance telephone charges (conditions apply).

Class members can also claim up to four hours of lost time at a rate of $20 per hour, and residents of California at the time of the breach can claim a payment of $75. In addition, individuals who did not previously claim the credit and identity monitoring services provided by Morley Companies through IDX will be provided with a new offer and activation code valid for 90 days to claim 3-bureau credit monitoring for a three-year period from the effective date of the settlement. Class members will also be provided with a one-year membership to the Dashlane password management service.

Class members have until February 7, 2023, to object to or exclude themselves from the settlement. Claims must be submitted by March 20, 2023. The final approval hearing for the settlement has been scheduled for April 19, 2023.


Privacy Breaches Reported by Blue Shield of California and VA Medical Center

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state attorneys general.

Blue Shield of California

Blue Shield of California has started notifying certain health plan members about a privacy violation by one of its employees. A spreadsheet containing plan members’ names, phone numbers, email addresses, addresses, Social Security numbers, and/or Taxpayer ID numbers was emailed from the employee’s work account to a personal email address on June 17, 2022. Blue Shield of California’s Privacy Officer, David Keystone, said the privacy breach was discovered on October 30, 2022, and the employee was interviewed and instructed to delete the email and any copies of the spreadsheet.

The incident has prompted Blue Shield of California to strengthen its system detection tools to prevent further impermissible disclosures of PHI. As a precaution against identity theft, affected individuals have been offered complimentary access to a credit monitoring and identity theft protection service for 12 months.

HIPAA Journal has not been able to confirm how many individuals have been affected.

Medstar Mobile Healthcare

Medstar Mobile Healthcare, which operates an emergency and non-emergency ambulance service in Tarrant County, TX, has recently announced that it was the victim of a cyberattack in which patient information was potentially compromised. Suspicious network activity was detected on October 20, 2022, and it was later confirmed that an unauthorized third party had gained access to parts of the network where patient data was stored. It was not possible to determine if those files had been accessed or copied. The review of the files revealed they mostly included non-financial billing information only; however, some individuals also had their full name, date of birth, contact information, and limited medical information exposed. The investigation into the breach is ongoing.

HIPAA Journal has not been able to confirm how many individuals have been affected.

Pediatrics West & Allergy West

Pediatrics West & Allergy West in Massachusetts have notified 1,364 patients that some of their protected health information was stored on a system that was accessed by unauthorized individuals. The breach was detected on October 17, 2022, with the forensic investigation confirming the unauthorized access occurred between August 19, 2021, and August 15, 2022. The files on the system included names, contact information, demographic information, dates of birth, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and/or health insurance information. Pediatrics West said it has implemented additional safeguards and technical security measures to further protect and monitor its IT infrastructure.

The Louis A. Johnson VA Medical Center

The Louis A. Johnson Veterans’ Administration Medical Center in West Virginia has recently announced a privacy breach involving the protected health information of 736 individuals. An error was made in a mailing to veterans which resulted in their full Social Security numbers being visible on the letters. Affected veterans have been notified by mail and have been offered complimentary access to credit monitoring services. The VA has also formed a work group to investigate mailing processes to assess potential vulnerabilities, and additional controls will be put in place to prevent similar errors in the future.


Editorial: Lessons from Biggest HIPAA Breaches of 2022

It has been another bad year for healthcare data breaches, with some of the biggest HIPAA breaches of 2022 resulting in the impermissible disclosure of well over a million records. While it does not currently look like last year’s record of 714 data breaches of 500+ records will be exceeded this year, with 674 data breaches reported up until December 22, 2022, any reduction is likely to be minimal. In addition to the high number of data breaches, 2022 stands out for the sheer number of healthcare records breached, which currently stands at 49.8 million records. That’s more than any other year to date apart from 2015 when Anthem Inc reported its 78.8 million-record data breach. In 2022, 12 data breaches were reported that exposed more than 1 million records, and a further 13 data breaches exposed between 500,000 and 1 million records.

The Biggest HIPAA Breaches of 2022

One notable observation from the biggest HIPAA breaches of 2022 is the number that occurred at business associates of HIPAA-covered entities. Many of these business associate data breaches affected dozens of healthcare clients, with one notable breach in the list below affecting 657 HIPAA-covered entities. Out of the 25 data breaches of 500,000 or more records, 52% occurred at business associates, including 60% of the 10 largest data breaches. The 12 biggest HIPAA breaches of 2022 affected almost 22.66 million patients and health plan members.

OneTouchPoint – Ransomware Attack Involving 4.11 Million Records

On July 27, the mailing and printing vendor, OneTouchPoint (OTP), reported a hacking incident to the HHS’ Office for Civil Rights that affected more than one million individuals; however, as the investigation progressed it was determined that the breach was much more extensive than first thought, and had involved the protected health information of 4,112,892 individuals. Hackers had gained access to its network and used ransomware to encrypt files, with the data in those files also potentially stolen in the attack. The compromised data included names, contact IDs, and information provided during health assessments. More than 35 of the company’s clients were affected, many of which were health plans.

Eye Care Leaders – Hacking Incident Involving at least 3.65 Million Records

Eye Care Leaders is a North Carolina provider of an electronic health record solution (myCare Integrity) to ophthalmology practices across the country. Affected providers started to be notified in March that hackers had gained access to its databases in December 2021. The databases contained extensive patient information, such as contact information, health insurance information, medical record numbers, Social Security numbers, driver’s license numbers, and medical information. As is relatively common in business associate data breaches, each affected healthcare provider reported the breach separately. Texas Tech University Health Sciences Center was one of the worst affected healthcare providers, with 1,290,104 records exposed. HIPAA Journal has tracked the reported data breaches and at least 41 eye care providers and 3,649,470 patients were affected.

Advocate Aurora Health – Impermissible Disclosure of up to 3 Million Records

On October 14, Wisconsin-based Advocate Aurora Health notified OCR about an impermissible disclosure of the protected health information of up to 3,000,000 patients. The disclosure occurred due to the addition of third-party tracking code on its websites, patient portals, and applications. The tracking code was used to gain insights into the use of its patient-facing digital services to improve the patient experience; however, the tracking code transmitted patient information to the developers of that code, including Meta (Facebook) and Google. The information transmitted was based on each user’s interactions and may have included health information that could be tied to individuals. The transmitted information may have included names, appointment dates/times, provider names, procedure types, insurance information, and communications through the MyChart patient portal. Advocate Aurora Health was not alone. Several health systems had used the code on their websites and transferred patient data to third parties without consent or a business associate agreement in place.

Connexin Software – Hacking Incident Involving 2.2 Million Records

Connexin Software is a Wisconsin-based provider of an electronic health record solution to pediatric practices across the country, operating as Office Practicum. A breach of its network was detected in August 2022, with the investigation confirming the hackers accessed and exfiltrated an offline set of data used for data conversion and troubleshooting. That data set included names, Social Security numbers, health insurance information, billing and/or claims data, and clinical information such as treatment information, procedures, diagnoses, and prescriptions. The breach was reported to OCR on November 11 as affecting 2,216,365 individuals. 119 pediatric practices were affected by the data breach.

Shields Health Care Group – Hacking Incident Involving 2 Million Records

Shields Healthcare Group is a Massachusetts-based vendor that provides MRI, PET/CT, radiation oncology, and surgical services. On May 27, Shields notified OCR about a breach that affected up to 2,000,000 patients from 60 healthcare practices. Hackers had gained access to its network, with the investigation confirming files containing patient data were exfiltrated over two weeks in March. The stolen data included names, contact information, Social Security numbers, insurance information, billing information, and clinical information such as diagnoses and treatment information.

Professional Finance Company – Ransomware Attack Involving 1.92 Million Records

Professional Finance Company is a Colorado-based vendor that provides debt recovery services. On February 26, the company detected and stopped what it described as a sophisticated ransomware attack, in which certain systems were accessed by the attackers and disabled. The forensic investigation revealed the attackers had access to files containing names, addresses, accounts receivable balances, information regarding payments made to accounts, Social Security numbers, health insurance information, and medical treatment information. The breach was reported to OCR on July 1 as affecting 1,918,941 patients at 657 of its healthcare provider clients.

Baptist Medical Center – Malware Infection Involving 1.6 Million Records

Baptist Medical Center and Resolute Health Hospital in Texas were affected by a security breach that was detected on April 20. Malicious code was detected on its network that allowed hackers to exfiltrate patient data. The investigation into the breach determined the hackers first gained access to its network in late March. The analysis of the affected files revealed they contained protected health information such as names, Social Security numbers, health insurance information, medical record numbers, diagnosis information, and billing and claims information. The breach was reported to OCR on June 15 as affecting 1,608,549 patients of Baptist Medical Center and 54,209 Resolute Health Hospital patients.

Community Health Network – Impermissible Disclosure of up to 1.5 Million Records

The Indiana-based healthcare provider, Community Health Network, notified OCR on November 18 about the impermissible disclosure of the protected health information of up to 1,500,000 individuals. Third-party tracking code from Meta and Google had been added to its websites to provide insights that would allow the improvement of access to information about critical care services and its patient-facing websites. Community Health Network was unaware that adding the code to its websites would result in identifiable health information being transmitted to Meta and Google. The data transferred included IP addresses, appointment information, patient portal communications, procedure types, and other information based on the interactions of users on its website.

Novant Health – Impermissible Disclosure of up to 1.36 Million records

The North Carolina-based healthcare provider, Novant Health, notified OCR on August 14 about an impermissible disclosure of the protected health information of 1,362,296 individuals. The notification was issued on behalf of Novant Health ACE, a contractor for NMG Services Inc. Novant Health was the first HIPAA-regulated entity to notify OCR about a HIPAA violation related to the use of third-party tracking technologies on its website. Novant Health said the tracking code had been misconfigured, which allowed patient information to be sent to Meta such as names, appointment types and dates, provider names, button/menu selection details that may have included information about health conditions, and information submitted by patients in free text boxes.

Broward Health – Hacking Incident Involving 1.35 Million Records

The Florida-based healthcare provider, Broward Health, reported a breach of the PHI of 1,351,431 patients to OCR on January 2, which was the result of hackers gaining access to its network in October 2021. The delay in reporting was at the request of the Department of Justice, so as not to interfere with the investigation. The network was breached via a connected third-party vendor and the hackers had access to the network for 4 days during which time employee and patient information was exfiltrated including names, Social Security numbers, driver’s license numbers, financial information, medical histories, and medical record numbers.

Doctors’ Center Hospital – Ransomware Attack Involving 1.2 Million Records

On November 9, Doctor’s Center Hospital in Puerto Rico reported a hacking incident to OCR involving the protected health information of 1,195,220 patients. Hackers gained access to its network and deployed ransomware on or around October 17. A ransomware group called Project Relic was behind the attack and claimed to have exfiltrated 211 GB of data prior to encrypting files, including employee data and patient information such as names, medical record numbers, and medical notes.

MCG Health – Hacking Incident Involving 1.1 Million Records

The Seattle, WA-based software company, MCG Health, which provides patient care guidelines to healthcare providers and health plans, notified OCR on June 10 about a cyberattack on its network. The investigation suggested the hackers gained access to its network as early as February 2020, but the security breach was not detected until March 2022. The hackers exfiltrated files that contained patient and plan member data such as names, addresses, phone numbers, dates of birth, medical codes, and Social Security numbers. The breach was reported to OCR by MCG Health as affecting 793,283 individuals, but some health plan and healthcare provider clients reported the breach separately. More than 10 U.S. healthcare providers and health plans were affected, and 1.1 million individuals are understood to have been affected.

Lessons Learned from the Biggest HIPAA Breaches of 2022

All of these breaches are being investigated by the HHS’ Office for Civil Rights to determine if these organizations were fully compliant with HIPAA and if non-compliance with the requirements of HIPAA caused the data breach, and in some cases, state attorneys general have opened investigations. Class action lawsuits have also been filed against these entities seeking damages and reimbursement of out-of-pocket expenses and losses suffered as a result of misuse of patient and health plan member data. The investigations will uncover whether there have been any HIPAA violations or violations of state law and whether compliance with these regulations would likely have prevented these breaches. While specific information about HIPAA violations is not yet known, there are lessons to be learned by other healthcare providers, health plans, and business associates from these data breaches.

Business Associate Risks Must be Managed

What is clear from the largest HIPAA breaches of 2022 is that cyberattacks on business associates can be particularly damaging, often affecting many HIPAA-covered entities. Business associates provide important services to healthcare organizations that are difficult or too costly to perform in-house, but providing patient information to any third party increases the risk that the information will be exposed, and the more business associates that are used, the greater the risk to patient and plan member data.

Healthcare organizations cannot operate efficiently without third-party vendors, but prior to using any vendor their security measures and protocols should be assessed. HIPAA-covered entities must ensure that a signed business associate agreement (BAA) is obtained, but a BAA alone is not sufficient. The BAA should specify the responsibilities of the business associate with respect to cybersecurity, incident response, and breach reporting, and it may be necessary to enter into a service level agreement with the vendor. HIPAA-covered entities should review their relationships with vendors and their BAAs regularly, conduct annual audits of their vendors to check the cybersecurity measures they have in place, and they should stipulate that vendors must conduct annual risk assessments. It is also worth considering consolidating vendors, where possible.

Care Must be Taken with Tracking Technologies

The use of tracking technologies has come under the spotlight in 2022. These tracking technologies are usually provided by third parties such as big tech firms and are commonly used for website analytics. These tools can be incredibly useful, but in healthcare there is considerable potential for privacy violations. It should be noted that there is no problem with the tools themselves; the problem comes with how they are used and their potential to collect and transmit patient information based on the interactions of individuals.

Due to the potential for disclosures of PHI, HIPAA-compliant patient authorizations may be required and it may be necessary to enter into a business associate agreement with the developer of the code. So far, only a handful of healthcare organizations have reported data breaches associated with tracking technologies, but many hospitals and health systems have used these tracking technologies and may have violated HIPAA and patient privacy. A study by The Markup earlier this year indicated one-third of the top 100 hospitals in the United States had added tracking technologies such as Meta Pixel to their websites. These breaches have highlighted the risks associated with these tools and the importance of conducting a careful assessment of any third-party code prior to adding it to a website or application to verify that it is not transferring data to third parties. If it does, business associate agreements must be in place and patient authorizations may need to be obtained. OCR has recently issued guidance on the use of these tracking technologies and the requirements for HIPAA compliance.
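As an added illustration of the assessment described above (example code written for this page, not from HIPAA Journal or any organization named here), the following Node.js script reviews a constructed capture of outbound browser requests and flags third-party destinations that receive appointment, provider or other patient-identifying fields, including ones hidden in the page URL a pixel reports. The tracker host list, the field-name pattern and the sample capture are all assumptions chosen for illustration.

```javascript
// Added example: audit a capture of outbound browser requests for patient data
// leaving a healthcare site towards third-party analytics endpoints. The
// capture, the tracker host list and the field-name pattern are constructed
// assumptions for illustration, not data from any organization named above.

// Hosts known to collect analytics/advertising events (assumed starter list).
const KNOWN_TRACKER_HOSTS = new Set([
  "www.facebook.com",
  "connect.facebook.net",
  "www.google-analytics.com",
  "analytics.google.com",
  "stats.g.doubleclick.net",
]);

// Parameter names suggesting identifying or health content, mirroring the
// kinds of fields the breach notices above describe (appointments, providers,
// procedures, MRNs, dates of birth, free-text messages) plus the pixel's
// "cd[...]" custom-data fields.
const PHI_KEY_PATTERN =
  /appointment|provider|procedure|diagnos|condition|mrn|medical[_-]?record|dob|birth|ssn|insurance|patient|email|phone|message|free[_-]?text|^cd\[/i;

// Naive eTLD+1 comparison (assumption: two-label registrable domains only).
function isThirdParty(host, firstPartyHost) {
  const root = (h) => h.split(".").slice(-2).join(".");
  return root(host) !== root(firstPartyHost);
}

// Collect query-string and body parameters into one flat key/value map.
function extractFields(entry) {
  const fields = {};
  for (const [k, v] of new URL(entry.url).searchParams) fields[k] = v;
  if (entry.body) {
    try {
      for (const [k, v] of Object.entries(JSON.parse(entry.body))) fields[k] = String(v);
    } catch {
      // Not JSON: treat the body as application/x-www-form-urlencoded.
      for (const [k, v] of new URLSearchParams(entry.body)) fields[k] = v;
    }
  }
  return fields;
}

// Pixels commonly send the current page URL as a parameter; the query string
// of that embedded URL can itself carry scheduling details, so nested
// parameters are surfaced under a "param.inner" key.
function flattenEmbeddedUrls(fields) {
  const out = {};
  for (const [k, v] of Object.entries(fields)) {
    out[k] = v;
    if (/^https?:\/\//i.test(v)) {
      try {
        for (const [ik, iv] of new URL(v).searchParams) out[`${k}.${ik}`] = iv;
      } catch {
        // Value looked like a URL but did not parse; keep it as a plain value.
      }
    }
  }
  return out;
}

// Returns one finding per third-party request, rated by what it carries.
function auditRequests(entries, firstPartyOrigin) {
  const firstPartyHost = new URL(firstPartyOrigin).host;
  const findings = [];
  for (const entry of entries) {
    const host = new URL(entry.url).host;
    if (!isThirdParty(host, firstPartyHost)) continue; // first-party traffic is expected
    const fields = flattenEmbeddedUrls(extractFields(entry));
    const suspectFields = Object.keys(fields).filter((k) => PHI_KEY_PATTERN.test(k));
    const knownTracker = KNOWN_TRACKER_HOSTS.has(host);
    findings.push({
      url: entry.url,
      host,
      knownTracker,
      suspectFields,
      severity: suspectFields.length ? "high" : knownTracker ? "medium" : "low",
    });
  }
  return findings;
}

// Constructed capture resembling what a browser emits on a scheduling page.
const SAMPLE_CAPTURE = [
  { url: "https://portal.example-health.org/api/appointments", body: '{"providerId":"123"}' },
  { url: "https://www.facebook.com/tr/?id=000000&ev=PageView&dl=" +
         encodeURIComponent("https://portal.example-health.org/schedule?provider=dr-smith&procedure=mri") },
  { url: "https://www.facebook.com/tr/?id=000000&ev=Schedule&cd[appointment_date]=2022-11-01&cd[provider]=Dr+Smith" },
  { url: "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fhome" },
  { url: "https://cdn.example-static.net/app.js" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditRequests(SAMPLE_CAPTURE, "https://portal.example-health.org")) {
    console.log(`${f.severity.toUpperCase()} ${f.host} fields=[${f.suspectFields.join(", ")}]`);
  }
}
```

Requests rated "high" are the ones a business associate agreement or patient authorization would need to cover before the code ships; "medium" findings are tracker destinations worth reviewing on pages where free-text or scheduling forms exist.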

Develop and Test an Incident Response Plan for Ransomware Attacks

The healthcare industry continues to be targeted by ransomware gangs, who steal sensitive data and encrypt files for extortion. Stolen records are published or sold to other cybercriminal gangs, placing victims at a very real risk of identity theft and fraud, but these attacks also put patient safety at risk. Patients often have to be redirected to other facilities, the lack of access to EHRs requires appointments to be canceled, and the attacks delay diagnosis and essential medical care. In many attacks, electronic systems are taken out of action for several weeks and studies suggest mortality rates increase following a ransomware attack and patient outcomes are affected.

Protecting against ransomware attacks can be a challenge, as ransomware gangs use multiple attack vectors to gain initial access to healthcare networks. Healthcare organizations should keep up to date on the latest threat intelligence and adopt a defense-in-depth approach covering all potential attack vectors. Regaining access to patient data quickly can help to limit the harm caused, and in this regard, it is vital to follow best practices for backups and ensure multiple copies of backups are created with at least one copy stored securely off-site. The key to a fast recovery is contingency planning and implementing a comprehensive incident response plan. Those plans must also be regularly tested with tabletop exercises involving members of all teams involved in the breach response. Some of the most damaging ransomware attacks and hacking incidents were due to contingency and incident response planning failures.

Adopting Recognized Security Practices is Strongly Advisable

An amendment to the HITECH Act signed in January 2021 requires OCR to consider the recognized security practices an organization has had in place continuously for the 12 months prior to a data breach when making determinations about penalties and sanctions. While HIPAA Security Rule compliance is mandatory, HIPAA-regulated entities are not required by law to implement recognized security practices, but it is strongly advisable. Following recognized security practices reduces the risk of a cyberattack and limits the harm caused, and it can also lead OCR to shorten audits and investigations and reduce the financial penalties it imposes.

Issue Breach Notifications Promptly

Several of the biggest HIPAA breaches of 2022 involved delays in issuing breach notifications to OCR and the individuals affected. HIPAA is clear about the maximum time frame for reporting breaches of protected health information, which is 60 days from the discovery of a data breach; however, breach notifications should be issued to OCR and affected individuals without unnecessary delay, and 60 days is a deadline, not a target. Prompt notification is important as it allows the individuals affected by the breach to take steps to protect themselves against identity theft and fraud. OCR recently issued a reminder about the requirements for responding to security incidents, in which the breach notification requirements of HIPAA were confirmed. This could indicate that OCR may enforce this aspect of HIPAA compliance more rigorously in the future, as unnecessary delays in issuing breach notifications are common.

Steve Alder 

Editor-in-Chief, HIPAA Journal

The post Editorial: Lessons from Biggest HIPAA Breaches of 2022 appeared first on HIPAA Journal.

November 2022 Healthcare Data Breach Report

November was a relatively quiet month for healthcare data breaches, with 31% fewer breaches reported than the previous month. November's total of 49 breaches of 500 or more records was also well below the 12-month average of 58 breaches a month. 643 healthcare data breaches have been reported to the HHS' Office for Civil Rights so far in 2022, which makes this year the second worst year to date for healthcare data breaches.

Despite the fall in reported breaches, the number of breached records increased by 10% from October. November was the worst month of 2022 in terms of the number of breached healthcare records, with 6,904,441 records exposed or impermissibly disclosed, well above the 12-month average of 3.99 million records a month. So far in 2022, 44,852,648 healthcare records have been breached.

Largest Healthcare Data Breaches in November

17 breaches of 10,000 or more records were reported to OCR in November, five of which involved more than half a million records, and three incidents involved the impermissible disclosure of more than 1 million records. The largest data breach was a hacked network server at the Pennsylvania-based business associate Connexin Software, a provider of electronic medical records to pediatric practices. An unauthorized individual gained access to an offline set of patient data that was used for data conversion and troubleshooting. The records of 2,216,365 patients were exposed and potentially stolen.

The Indiana-based healthcare provider, Community Health Network, reported an impermissible disclosure of the protected health information of up to 1.5 million patients. Tracking code had been added to its website that resulted in patient information being transferred to third parties such as Meta and Google, without obtaining consent from patients or having a business associate agreement in place. Several healthcare providers have reported similar breaches this year, prompting OCR to issue a warning to HIPAA-regulated entities this month over the use of tracking technologies on websites and mobile applications.

Doctors’ Center Hospital in Puerto Rico suffered a ransomware attack that exposed the protected health information of up to 1,195,220 patients. Major ransomware attacks were also reported by the Michigan-based prosthetics and orthotics provider, Wright & Filippis, and Health Care Management Solutions in West Virginia.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Data Breach |
|---|---|---|---|---|---|
| Connexin Software, Inc. | PA | Business Associate | 2,216,365 | Hacking/IT Incident | Hacking of network server |
| Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Unauthorized Access/Disclosure | Website tracking code transmitted PHI to third parties |
| Doctors' Center Hospital | PR | Healthcare Provider | 1,195,220 | Hacking/IT Incident | Ransomware attack |
| Wright & Filippis LLC | MI | Healthcare Provider | 877,584 | Hacking/IT Incident | Ransomware attack |
| Health Care Management Solutions, LLC | WV | Business Associate | 500,000 | Hacking/IT Incident | Ransomware attack on subcontractor of CMS business associate |
| Gateway Rehabilitation Center | PA | Healthcare Provider | 130,000 | Hacking/IT Incident | Hacking of network server |
| Mena Regional Health System | AR | Healthcare Provider | 84,814 | Hacking/IT Incident | Hacking of network server |
| Dallam Hartley Counties Hospital District | TX | Healthcare Provider | 69,835 | Hacking/IT Incident | Hacking of network server (data theft confirmed) |
| Consumer Directed Services in Texas, Inc. | TX | Healthcare Provider | 56,728 | Hacking/IT Incident | Hacking incident at a business associate |
| Stanley Street Treatment and Resources, Inc. | MA | Healthcare Provider | 45,785 | Hacking/IT Incident | Hacking of network server (data theft confirmed) |
| South Walton Fire District | FL | Healthcare Provider | 25,331 | Hacking/IT Incident | Hacking/IT incident (cause not specified) |
| Rosenfeld VanWirt, PC | PA | Business Associate | 18,719 | Hacking/IT Incident | Hacking incident affecting multiple affiliates of the Lehigh Valley Health Network |
| CCA Health Plans of California, Inc d/b/a CCA Health CA | CA | Health Plan | 14,631 | Hacking/IT Incident | Hacking of network server (data theft confirmed) |
| CareFirst Administrators | MD | Health Plan | 14,538 | Hacking/IT Incident | Phishing attack on business associate |
| Work Health Solutions | CA | Healthcare Provider | 13,157 | Hacking/IT Incident | Phishing attack |
| New York-Presbyterian Hospital | NY | Healthcare Provider | 12,000 | Hacking/IT Incident | Hacking of network server |
| Epic Management LLC | TN | Healthcare Provider | 10,862 | Hacking/IT Incident | Unauthorized email account access |

Causes of November Data Breaches

All but one of the 17 data breaches of 10,000 or more records were due to hacking incidents, several of which were ransomware attacks. Many hacking incidents involve ransomware, but it is common for HIPAA-regulated entities not to disclose the exact nature of these attacks, so it is difficult to determine the extent to which ransomware is used in cyberattacks on the healthcare industry. 5,374,670 records were exposed or stolen in these hacking incidents, 77.8% of all records breached in November. The average breach size was 134,367 records and the median breach size was 7,158 records.

There were 8 unauthorized access/disclosure incidents reported that involved the records of 1,521,788 individuals. The majority of those records were impermissibly disclosed by one healthcare provider. The average breach size was 190,224 records and the median breach size was 2,275 records. There was also one theft incident reported involving the records of 7,983 individuals. In the majority of reported incidents, the breached protected health information was located on network servers. There were also 7 incidents involving breaches of email data, and four incidents involving electronic health records.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entities in November, with 26 reported breaches, one of which occurred at a business associate but was reported by the healthcare provider. 6 data breaches were reported by health plans, with one of those breaches occurring at a business associate. Business associates self-reported 17 breaches in November. The pie chart below shows the breakdown of data breaches based on where they occurred, rather than the entities reporting the data breaches.

Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities in 18 states and Puerto Rico. Pennsylvania was the worst affected state with 12 breaches, which involved 34.8% of the month’s breached records. 10 of those breaches were due to a hacking incident involving healthcare providers that are part of the Lehigh Valley Health Network. HIPAA-regulated entities in California reported 6 breaches, but these were relatively minor, only involving the protected health information of 41,382 patients.

| State | Breaches |
|---|---|
| Pennsylvania | 12 |
| California | 6 |
| Florida & New York | 4 |
| Texas | 3 |
| Arkansas, Connecticut, Indiana, Maryland, Massachusetts & Tennessee | 2 |
| Georgia, Michigan, New Jersey, Nevada, Oregon, Washington, West Virginia, and Puerto Rico | 1 |

HIPAA Enforcement Activity in November

No civil monetary penalties or settlements were announced by OCR in November. Even so, 2022 has seen more HIPAA enforcement actions than in any other year since OCR was given the authority to enforce HIPAA compliance. The majority of the financial penalties in 2022 have been imposed for violations of the HIPAA right of access, and 55% of the year’s enforcement actions over HIPAA violations were on small healthcare providers.

In November, the state of Massachusetts announced that Aveanna Healthcare had been fined $425,000 for a breach of the PHI of 166,000 individuals, 4,000 of whom were Massachusetts residents. Aveanna Healthcare had suffered a phishing attack, with the Massachusetts Attorney General discovering a lack of safeguards such as multi-factor authentication and security awareness training.

The post November 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Six Data Breaches Reported by Healthcare Providers and Business Associates

Work Health Solutions, a San Jose, CA-based occupational health services provider, has confirmed that the protected health information of 13,157 individuals has been exposed and potentially obtained by unauthorized individuals who had access to an employee email account between February 16, 2022, and March 24, 2022.

Following an investigation by third-party cybersecurity professionals, Work Health Solutions determined that the email account contained files that included the information of individuals who had received services from the company. The manual review of those files concluded on October 11, 2022. Work Health Solutions then verified contact information and sent notifications on November 9, 2022.

The exposed files contained names, Social Security numbers, driver’s license numbers, health insurance information, and/or medical information. Complimentary credit monitoring services have been offered to individuals whose Social Security numbers were potentially compromised. Work Health Solutions said it continuously evaluates and modifies its practices to improve privacy and security, which includes educating its workforce regarding privacy matters.

Epic Management Email Account Breach Affects More Than 10,500 Individuals

The healthcare management company, Epic Management LLC, has recently announced that unauthorized individuals gained access to its digital environment and accessed files and data stored in its email system. Epic Management did not disclose when the breach occurred but said the review of affected files was complex and time-consuming, and that process was completed on December 9, 2022.

The information in the email system included first and last names, dates of birth, Social Security numbers, health insurance information, medical information, driver’s licenses, passport numbers, financial account numbers and routing numbers, biometric data, usernames and passwords, and/or payment card numbers and expiration dates and/or security codes.

Credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were exposed and updates have been made to its cyber environment to prevent similar incidents in the future.

NYC Health + Hospitals Alerts Patients About Loss of Device Containing PHI

NYC Health + Hospitals says a defective hard drive that contained the protected health information of 2,174 patients was discovered to be missing from a visual field testing device located at its NYC Health + Hospitals/Woodhull facility in Brooklyn, NY. Because the drive could not be located it was not possible to tell if the data on the device could be accessed, but it was confirmed that the device contained patients’ names, dates of birth, medical record numbers, and visual field test results.

In response, NYC Health + Hospitals has re-educated staff on its policy for the proper chain of custody for devices containing protected health information when those devices are taken out of service. Further, a new policy has been implemented that requires PHI to be removed from visual testing devices on a regular basis. Training has also been enhanced to ensure all employees are aware of the need to promptly notify officials about potential breaches of PHI.

Missouri Law Firm Discovers Unauthorized System Access

Polsinelli PC, a Kansas City, MO-based law firm that provides corporate legal services to hospitals, says files that contained patient information were accessed on September 9, 2022, from two locations by unauthorized individuals. A third-party cybersecurity firm was engaged to investigate the breach and determined that its network and main document repository were not affected; however, the files that were accessed included limited patient information, including names, addresses, Social Security numbers, birth dates, medical record numbers, patient account numbers, health insurance information, and very limited clinical information. Patients of St. Luke’s Health Brazosport are known to have been affected.

Credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved, although the law firm does not believe that any of the compromised information will be used for identity theft or fraud. The breach has been reported to the HHS’ Office for Civil Rights as affecting 1,220 individuals.

Patient Data Exposed in Cyberattack on Hawaiian Eye Center

Hawaiian Eye Center in Wahiawa, HI, has recently started notifying certain patients that some of their protected health information was stored on a server that was accessed by unauthorized individuals. The server was discovered to be unresponsive on November 2, 2022, with the investigation confirming the server and the network had been accessed by an unauthorized individual. The investigation confirmed that files containing patient information had been exfiltrated from its system by the attackers.

Those files contained names, addresses, email addresses, dates of birth, Social Security Numbers, driver’s license numbers, medical record numbers, and health insurance information. Affected individuals have been notified and provided with single-bureau credit monitoring services. Third-party cybersecurity experts have been engaged to conduct a review of its security practices and systems, and appropriate upgrades will be implemented to prevent further incidents in the future.

It is currently unclear how many individuals have been affected.

The Elizabeth Hospice Identifies Insider Data Breach

The Elizabeth Hospice, a non-profit hospice with locations in Carlsbad, Escondido, San Diego, and Temecula, CA, has discovered that a former employee had been forwarding emails from her work email account to a personal account while she was employed by the hospice. A review of the emails was completed on November 14, 2022, and confirmed they contained first and last names, dates of admission, dates of discharge, patient account numbers, and basic health information. The Elizabeth Hospice said it is unaware of any actual or attempted misuse of patient data but has advised affected individuals to be vigilant and monitor their accounts and statements for unauthorized activity.

It is currently unclear how many individuals have been affected.

The post Six Data Breaches Reported by Healthcare Providers and Business Associates appeared first on HIPAA Journal.

Avem Health Partners and Emory Healthcare Notify Patients About Data Breaches

Avem Health Partners, an Oklahoma City-based provider of administrative and technology services to healthcare organizations, has recently started notifying its healthcare clients about a data breach that occurred at one of its vendors, 365 Data Centers.

On September 9, 2022, 365 Data Centers notified Avem Health Partners that an unauthorized third party had gained access to its servers. The breach was detected on May 16, 2022, with the investigation confirming there may have been unauthorized access to data stored on those servers prior to May 14, 2022. Avem Health Partners did not disclose in its website substitute breach notice when its vendor's servers were first breached.

A review of the files on the compromised servers confirmed that protected health information such as patient names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and diagnosis and treatment information had been exposed. Avem Health Partners is issuing breach notification letters to affected individuals on behalf of its vendor and complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security numbers or driver’s license numbers exposed. Avem Health Partners said it is re-evaluating its vendor relationships and the security measures that its vendors have implemented.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, but the website of the Texas Attorney General indicates 73,134 individuals have been affected.

Emory Healthcare Reports Insider Data Breach

Atlanta, GA-based Emory Healthcare has recently announced that a former employee accessed the records of approximately 1,600 patients without authorization. Emory Healthcare was notified about the privacy breach by the U.S. Department of Labor (DOL) on August 24, 2022. An investigation was immediately launched and access logs were checked, which confirmed that the employee had accessed patient records between December 2020 and December 2021 when there was no legitimate work reason for doing so. Over the space of one year, the records of at least 1,600 patients were accessed.

According to the DOL, the former Emory Healthcare employee is known to have disclosed the demographic information of several hundred Emory Healthcare patients to individuals who were involved in unemployment benefits fraud. The DOL and the U.S. Department of Justice (DOJ) have charged eight individuals in connection with the fraud, including the former Emory Healthcare employee. Emory Healthcare said it cooperated fully with law enforcement during the investigation, arrest, and prosecution of those individuals. Notification letters are now being sent to all affected individuals, who have been offered free credit monitoring and identity theft protection services.

The data stolen included names, dates of birth, and Social Security numbers. Health information, insurance details, and financial information did not appear to have been stolen. Emory Healthcare said it has reinforced privacy and security education with its patient care teams and is continuing to implement best practice technology protocols to protect patient data and detect unauthorized access.
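The access-log review described above, in which each record access is compared against whether the user had a legitimate work reason, is the core of routine EHR access monitoring, and it is far cheaper to run continuously than to reconstruct a year after an outside agency calls. The following script is an added example of that check, not Emory Healthcare's or any EHR vendor's code. The audit-log format, the treatment-relationship table, the burst threshold and the off-hours window are constructed assumptions; in practice the relationship table comes from scheduling, encounter or care-team data, and a flagged access is a lead for the privacy officer to review, not proof of snooping.

```python
"""Flag EHR record accesses with no treatment relationship.

Added example of the access-log review described in the article; not code
from Emory Healthcare or any EHR vendor. The log format, the assignment
table and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit-log export: timestamp, user, patient MRN, action.
# nurse_a only touches assigned patients; clerk_b walks through a run of
# unassigned patients in minutes and then returns late at night.
AUDIT_LOG = """\
2021-03-02T09:14:00,nurse_a,MRN1001,view_demographics
2021-03-02T09:20:00,nurse_a,MRN1002,view_chart
2021-03-02T11:02:00,clerk_b,MRN2001,view_demographics
2021-03-02T11:03:00,clerk_b,MRN2002,view_demographics
2021-03-02T11:03:30,clerk_b,MRN2003,view_demographics
2021-03-02T11:04:00,clerk_b,MRN2004,view_demographics
2021-03-02T11:04:20,clerk_b,MRN2005,view_demographics
2021-03-02T23:40:00,clerk_b,MRN2006,view_demographics
"""

# Constructed treatment-relationship table: patients each user is assigned
# to (in practice derived from scheduling, encounter or care-team data).
ASSIGNMENTS = {
    "nurse_a": {"MRN1001", "MRN1002"},
    "clerk_b": {"MRN2001"},
}


def parse_log(text):
    """Parse the comma-separated export into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, mrn, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "mrn": mrn, "action": action})
    return events


def find_suspicious_access(events, assignments,
                           burst_threshold=3, burst_window_s=300,
                           off_hours=(22, 6)):
    """Return, per user, the accesses to patients they are not assigned to,
    whether those accesses came in a burst (>= burst_threshold distinct
    unassigned patients inside burst_window_s seconds) and how many fell
    outside working hours (off_hours is the start/end hour of the night)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        allowed = assignments.get(user, set())
        unassigned = [e for e in evs if e["mrn"] not in allowed]
        if not unassigned:
            continue

        burst = False
        for i, start in enumerate(unassigned):
            window = [e for e in unassigned[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= burst_window_s]
            if len({e["mrn"] for e in window}) >= burst_threshold:
                burst = True
                break

        night_start, night_end = off_hours
        off = [e for e in unassigned
               if e["ts"].hour >= night_start or e["ts"].hour < night_end]

        findings[user] = {
            "unassigned_accesses": len(unassigned),
            "distinct_unassigned_patients": len({e["mrn"] for e in unassigned}),
            "burst": burst,
            "off_hours_accesses": len(off),
        }
    return findings


if __name__ == "__main__":
    for user, f in find_suspicious_access(parse_log(AUDIT_LOG), ASSIGNMENTS).items():
        print(user, f)
```

On the constructed log the check ignores nurse_a entirely and reports clerk_b with five accesses to five unassigned patients, a burst of four distinct patients inside five minutes, and one access at 23:40. A burst of demographic-only lookups across unrelated patients is exactly the pattern that precedes the kind of identity data misuse described above, and the same routine, run daily over the real audit trail, surfaces it in a day rather than a year.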

The post Avem Health Partners and Emory Healthcare Notify Patients About Data Breaches appeared first on HIPAA Journal.

Florida Primary Care Provider Fined $20,000 for HIPAA Right of Access Violation

The Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc. (HSCF), has paid a $20,000 financial penalty to settle a HIPAA Right of Access case with the HHS’ Office for Civil Rights.

OCR launched an investigation in response to a November 22, 2019, complaint from a woman who had not been provided with a copy of her deceased father’s medical records. The initial request was made in writing on August 29, 2019, and an Authorization for Release of Medical Record Information form was provided to HSCF along with a copy of the original Letters of Administration. It took multiple requests and almost 5 months for all of the requested medical records to be provided. The complete set of records was received by the woman on January 27, 2020.

The HIPAA Right of Access requires healthcare providers to provide a copy of the requested medical records within 30 days of the request being submitted. In certain circumstances, a 30-day extension is applicable. OCR determined that the delay in providing the requested records was a violation of the HIPAA Right of Access. In addition to paying a $20,000 financial penalty, HSCF has agreed to undertake a corrective action plan, which involves developing, implementing, and maintaining HIPAA Privacy Rule policies and procedures concerning the HIPAA Right of Access, distributing those policies and procedures to staff members, and providing training on those policies and procedures. HSCF will also be monitored by OCR for a period of two years from the date of the settlement.

“The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. We will continue to ensure that health care providers and health plans take this right seriously and follow the law,” said OCR Director, Melanie Fontes Rainer, announcing the settlement. “Today’s announcement speaks to the importance of accessing information and regulated entities taking steps to implement procedures and workforce training to ensure that they are doing all they can to help patients access.”

The HIPAA Right of Access enforcement initiative was launched by OCR in the fall of 2019. Since then, $2,423,650 has been paid by healthcare providers to resolve HIPAA Right of Access violations in 42 enforcement actions. The fines range from $3,500 to $240,000.

The post Florida Primary Care Provider Fined $20,000 for HIPAA Right of Access Violation appeared first on HIPAA Journal.