HIPAA Breach News

Anesthesia, Eye Care, and Telehealth Providers Announce Third-Party Data Breaches

Several more providers of anesthesia services have confirmed they have been affected by a data breach at their management services organization (MSO). Last month, HIPAA Journal reported that 13 providers of anesthesia services to hospitals had been affected by the breach. At least five more healthcare providers are now known to have been affected. The latest announcements bring the breach total up to 410,842 records.

  • Somnia Pain Mgt of Kentucky – 10,849 individuals
  • Resource Anesthesiology Associates of KY PSC – 8,995 individuals
  • Saddlebrook Anesthesia Services PC – 8,861 individuals
  • Somnia, Inc. – 1,326 individuals
  • Mid-Westchester Anesthesia Services – 707 individuals

The breach was detected by the MSO on July 11, 2022, with the forensic investigation determining information stored on its systems had been compromised. The affected companies were notified about the breach on September 22, 2022.

The breach involved names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, medical record numbers, Medicaid/Medicare IDs, and health information, including diagnosis and treatment information.

Massengale Eye Care Affected by Eye Care Leaders’ Data Breach

Massengale Eye Care in Moore, OK, has recently announced that the protected health information of up to 15,000 patients has been compromised in a data breach at its EHR vendor, Eye Care Leaders. Massengale Eye Care said it has used the myCare Integrity electronic health records platform since 2017. On or around December 4, 2021, unauthorized individuals gained access to the platform and potentially obtained patient information.

Eye Care Leaders said it is unaware of any misuse of patient data, and no specific evidence was found to indicate the records of Massengale Eye Care patients were viewed or obtained. Since unauthorized access to protected health information could not be ruled out, notifications have been sent to affected individuals. The information potentially accessed includes names, addresses, dates of birth, Social Security numbers, diagnostic information, and health insurance information. Massengale Eye Care confirmed that the breach was confined to the Eye Care Leaders platform.

Forty-one eye care providers are now known to have been affected by the Eye Care Leaders breach, and the records of at least 3,649,470 patients have been exposed.

Telehealth Vendor Announces 3-Year Data Breach

MDLIVE Medical Group, a Miramar, FL-based telehealth provider, has recently announced that the protected health information of 7,439 individuals was impermissibly disclosed as a result of a third-party analytics tool on its website. MDLIVE Medical Group did not confirm which analytics tool was involved, but similar breaches reported recently by other healthcare providers have involved the Meta Pixel tool, which is used for the same purpose.

MDLIVE Medical Group said the tool was used to better understand how patients interacted with its website and patient portal, so that the portal could be improved and, in turn, the quality of care provided to patients. The tool was first added to the website in June 2019 but was accidentally configured to monitor activity on the patient login page of its portal. The tool was removed in August 2022. The data disclosed to the provider of the tool was limited to usernames, passwords, and dates of birth. There is no indication that the information has been viewed or misused.

The post Anesthesia, Eye Care, and Telehealth Providers Announce Third-Party Data Breaches appeared first on HIPAA Journal.

OCR Explains HITECH Recognized Security Practices and How to Demonstrate They are in Place

The Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR) has released a video presentation on its YouTube channel that explains in detail how the 2021 HITECH Act amendment regarding “Recognized Security Practices” applies to HIPAA-regulated entities, and how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place for the 12 months prior to a security breach.

Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, part of the American Recovery and Reinvestment Act (ARRA), was introduced by the Obama administration to encourage the adoption of health information technology to improve quality, safety, and efficiency; engage patients in their care; increase coordination of care; improve the health status of the population; and ensure the privacy and security of healthcare data.

On January 5, 2022, H.R. 7898 was signed into law, amending Section 13412 of the HITECH Act to require the HHS to take the Recognized Security Practices of HIPAA-regulated entities into account in certain HIPAA Security Rule enforcement and audit activities, when a HIPAA-regulated entity is able to demonstrate that Recognized Security Practices have been in place continuously for the 12 months prior to a security incident.

The HITECH Act update does not create a safe harbor for organizations that have implemented Recognized Security Practices granting them immunity from liability for HIPAA Security Rule violations, and it will not prevent OCR from imposing financial penalties when HIPAA Security Rule violations are discovered. Organizations that can demonstrate they have implemented Recognized Security Practices can mitigate fines under section 1176 of the Social Security Act, mitigate the remedies that would otherwise be agreed in agreements to resolve violations of the HIPAA Security Rule, and reduce the length and extent of audits and investigations. The HITECH Act amendment acts as an incentive for HIPAA-regulated entities to implement Recognized Security Practices and do everything in their power to safeguard patient data. OCR has confirmed that implementing Recognized Security Practices is voluntary.

On April 6, 2022, OCR issued a Request for Information (RFI) seeking input from the public on the HITECH Act amendment, specifically on how HIPAA-regulated entities were implementing Recognized Security Practices, and how they anticipated demonstrating that they are in place and have been for 12 months. The RFI also included a request for comment on the long-awaited implementation of the HITECH Act requirement for OCR to share a proportion of the civil monetary penalties and settlements collected through its HIPAA enforcement activities with individuals who have been harmed due to HIPAA violations.

What Are Recognized Security Practices?

In the video, Nick Heesters, senior advisor for cybersecurity at OCR, explains how the HITECH Act was amended, what constitutes Recognized Security Practices, and how they can be implemented to reduce liability. Recognized Security Practices are standards, guidelines, best practices, methodologies, procedures, and processes developed under:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • Section 405(d) of the Cybersecurity Act of 2015, or
  • Other programs that address cybersecurity that are explicitly recognized by statute or regulation

HIPAA-regulated entities are free to choose the Recognized Security Practices that are best suited to their organization.

OCR Security Rule Audits and HIPAA Security Rule Investigations of Potential Violations

Heesters confirmed that in the event of an audit or investigation into potential HIPAA Security Rule violations, OCR will send a data request to the regulated entity to inform them they can voluntarily provide evidence that Recognized Security Practices have been in place. This will increase awareness of the HITECH Act amendment and also allow the regulated entity to submit evidence as a mitigating factor. The request will also include guidance on how that evidence can be provided and the types of evidence that a HIPAA-regulated entity can consider submitting.

How to Demonstrate Recognized Security Practices Have Been in Place

Heesters explained how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place and the types of evidence that they can consider submitting. OCR will not limit the evidence that can be provided and the request is not a one-time opportunity to provide evidence. Evidence can be provided to OCR continuously.

The regulated entity must demonstrate that Recognized Security Practices have been fully implemented and have been and continue to be actively and consistently in use. Simply providing documentation that only establishes the initial adoption of Recognized Security Practices is insufficient and OCR will not consider documentation stating the organization plans to implement Recognized Security Practices in the future. Documentation must demonstrate the implementation of Recognized Security Practices throughout the enterprise.

In the response, HIPAA-regulated entities should state which Recognized Security Practices have been implemented. If a HIPAA-regulated entity has chosen “other programs,” OCR will need to be provided with statutory or regulatory citations showing they were developed, recognized, or promulgated by statute or regulation.

OCR suggests the following can be provided as evidence, although the list is not exhaustive:

  • Policies and procedures regarding the implementation and use of RSPs
  • RSP implementation project plans and meeting minutes
  • Diagrams and narrative detail of RSP implementation and use
  • Training materials regarding RSP implementation and use
  • Application screenshots and reports showing RSP implementation and use
  • Vendor contracts and statements of work regarding RSP implementation

OCR also requires dates that support the implementation and use of RSPs for the previous 12 months.

Heesters confirmed that organizations that have implemented Recognized Security Practices, and are able to demonstrate that sufficiently, will not avoid financial penalties, but OCR will consider the Recognized Security Practices as a mitigating factor. These practices only mitigate against HIPAA Security Rule investigations and audits, not other investigations and audits, such as investigations into potential HIPAA Privacy Rule violations. Heesters also confirmed that the lack of Recognized Security Practices will not be considered an aggravating factor and will not result in increased penalties.

The post OCR Explains HITECH Recognized Security Practices and How to Demonstrate They are in Place appeared first on HIPAA Journal.

PHI of Almost 34,000 Patients Potentially Compromised in Michigan Medicine Phishing Attack

University of Michigan Health (Michigan Medicine) has recently announced that the protected health information of approximately 33,850 patients has potentially been compromised in a phishing attack. Suspicious activity was detected within its email environment and steps were immediately taken to secure the accounts to prevent further unauthorized access.

Michigan Medicine said it was targeted in a phishing campaign between August 15 and August 23, 2022, and four email accounts were compromised. Michigan Medicine said in its breach notice that employee email accounts were protected with multi-factor authentication at the time of the attack. Four employees responded to the phishing emails, visited a malicious website, disclosed their Michigan Medicine login information, and responded to the multi-factor authentication prompts, which allowed their accounts to be accessed.

The forensic investigation found no evidence of data theft and it appeared that the accounts were not compromised in order to obtain patient information; however, Michigan Medicine has assumed that all information in the accounts has been compromised. The review of the email accounts was completed on October 17, 2022, and notification letters have now been mailed.

The compromised accounts contained job-related communications for the coordination and care of patients. The information in the emails varied from patient to patient and may have included names, along with one or more of the following types of information: address, date of birth, diagnostic and treatment information, and health insurance information. Michigan Medicine said it has implemented additional technical safeguards to its email system and the infrastructure that supports it to prevent further incidents of this nature.

This is the second email account breach to be reported by Michigan Medicine this year. In late February, Michigan Medicine announced that a single email account containing the PHI of 2,920 patients had been compromised. Michigan Medicine was also targeted in a phishing campaign in 2019, which saw 3,200 of its employees receive phishing emails. In that attack, three employees responded, resulting in the exposure of the PHI of 5,466 patients.

Ascension St. Vincent’s Coastal Cardiology Brunswick Suffers Ransomware Attack

Ascension St. Vincent’s Coastal Cardiology Brunswick in Georgia has started notifying 71,227 patients about a security breach that affected its legacy systems, including its legacy electronic medical record system. The incident was detected on August 15, 2022, and all systems were immediately secured to prevent further unauthorized access; however, it was not possible to prevent the encryption of certain files on those systems. The investigation confirmed the attack was confined to its legacy systems. No Ascension networks or systems were affected, nor was the electronic medical record system that is currently in use. The legacy Coastal Cardiology network was primarily used to retain patient data to meet regulatory requirements and was not used for current business operations.

Ransomware attacks often involve data theft prior to the encryption of files; however, the forensic investigation found no evidence to suggest any information was removed from those systems. The breach notice suggests the ransom was not paid, as the data could not be decrypted. As such, it was not possible to determine the exact types of information that had been encrypted. Ascension said the systems would have contained demographic and health information related to visits at Coastal Cardiology prior to October 5, 2021. That information would have included names, addresses, email addresses, phone numbers, Social Security numbers, clinical information, and billing and insurance information.

Complimentary credit and identity theft protection services have been offered to affected individuals. Ascension said it has conducted a security risk assessment, realigned staff responsibilities, removed access rights to the legacy system, and is providing further training to its associates.

Delta Dental of Washington Members Affected by Mailing Vendor Hacking Incident

Delta Dental of Washington has announced that the protected health information of 6,361 members of its dental benefits plans has potentially been compromised in a cyberattack on its mail and printing vendor, Kaye-Smith. The attack occurred in June 2022 and resulted in the exposure of information such as names, addresses, group numbers, and Delta Dental Member ID numbers. Delta Dental of Washington was one of several organizations affected by the data breach.

Kaye-Smith is notifying affected individuals on behalf of Delta Dental of Washington and has offered complimentary credit monitoring services for 12 months.

The post PHI of Almost 34,000 Patients Potentially Compromised in Michigan Medicine Phishing Attack appeared first on HIPAA Journal.

California Appellate Court Confirms Trial Court’s Decision to Toss Class Action Insider Breach Lawsuit

A Californian appellate court has recently confirmed the decision of the lower court to deny class action status for a lawsuit filed against a Californian healthcare provider over an insider data breach that affected 5,485 patients.

In May 2018, the healthcare provider – Muir Medical Group IPA – discovered a former employee had accessed and copied the records of patients before leaving employment and took patient information to her new employer. The investigation determined the breach occurred in December 2017 and affected patients who received treatment between November 2013 and February 2017. The information copied by the employee included names, contact information, treatment information, and other sensitive data.

A lawsuit was filed in the wake of the breach – Vigil v. Muir Medical Group IPA, Inc. – that alleged negligence and violations of the Confidentiality of Medical Information Act (CMIA), the Customer Records Act, and unlawful business practices under the Unfair Competition Law. The lawsuit also alleged violations of the Security Management Process standard of HIPAA, as the employee should not have been able to access the records of many of the patients.

Class action status for the lawsuit was rejected by the trial court, as the claims made by the plaintiff were deemed to be deficient. The court determined the plaintiff’s claims hinged on the alleged CMIA violation. The trial court found that the predominance-of-common-questions requirement was not met: under CMIA, individualized inquiries would be required to prove the defendant’s liability and damages to each of the affected patients, because liability is predicated on whether each class member’s records were actually viewed, and that question, based on the facts, was not capable of resolution in the aggregate.

The decision was appealed, but the appellate court sided with the defendant, confirming that class action status could not be granted because the plaintiff was unable to show that an unauthorized third party had viewed the records of each class member; the question was therefore an individualized one, and class certification was not appropriate. The appellate court also ruled the plaintiff had no viable claim under CMIA, due to a failure to demonstrate that the healthcare provider had negligently maintained or stored patient information and then lost that information as a result of its negligence.

The post California Appellate Court Confirms Trial Court’s Decision to Toss Class Action Insider Breach Lawsuit appeared first on HIPAA Journal.

RIPTA, UnitedHealthcare of New England Sued Over 2021 Data Breach

The American Civil Liberties Union of Rhode Island (ACLU of RI) is taking legal action against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) over an August 2021 data breach that affected more than 22,000 individuals.

According to RIPTA, a cyberattack on its systems was detected and blocked on August 5, 2021. The breach was investigated, and it was determined that hackers gained access to its network two days previously, on August 3. The review of the files on the accessible parts of its system revealed they contained the data of 5,015 members of its group health plan, including names, dates of birth, Social Security numbers, and health plan ID numbers.

The breach was reported to the HHS’ Office for Civil Rights as affecting 5,015 individuals; however, the information of a further 17,378 individuals who were not RIPTA employees was also compromised. Notification letters were sent to all affected individuals four months after the discovery of the data breach, which saw multiple complaints filed with the Rhode Island Attorney General by non-RIPTA employees demanding to know how and why RIPTA had access to their data. According to RIPTA, those individuals were insured by UnitedHealthcare, RIPTA’s previous health insurance provider. RIPTA said UnitedHealthcare had provided RIPTA with files containing the data of non-RIPTA employees.

Steven Brown, ACLU of RI Executive Director, told HIPAA Journal, “To this day, it remains unclear how and why UHC provided RIPTA with the personal and healthcare information of non-RIPTA state employees, and why it took over four months for RIPTA to notify both their employees and other affected individuals that their information had been hacked.”

The lawsuit was filed on behalf of plaintiffs Alexandra Morelli, a URI employee, and Diane Cappalli, a retired RIPTA employee. The plaintiffs represent a class of more than 20,000 individuals. The lawsuit alleges the plaintiffs and class members have been exposed to an ongoing risk of fraud and identity theft, which requires them to constantly monitor their financial accounts and credit reports as their personal information is in the hands of cybercriminals. Morelli alleges she has been a victim of fraud and has had unauthorized charges on her credit cards and withdrawals from her bank account.

The lawsuit alleges the defendants were negligent for failing to implement appropriate safeguards to protect sensitive employee and health plan member information, such as failing to encrypt data and to properly maintain, protect, purge, and safely destroy data. These failures are alleged to have violated two Rhode Island state laws – the Identity Theft Protection Act of 2015 and the Confidentiality of Healthcare Communications and Information Act.

The lawsuit also takes issue with the length of time it took to issue notifications about the breach, which were sent 138 days after the data breach was discovered. HIPAA requires notifications to be issued within 60 days of discovery of a data breach, and state law requires notifications to be issued within 45 days. Further, the notifications did not contain sufficient information, such as whether Social Security numbers had been breached, and RIPTA’s website notification – published in December 2021 – failed to state that the data of non-RIPTA employees had also been breached.

The lawsuit seeks compensatory and punitive damages, attorneys’ fees, and an order for the defendants to cover the cost of “adequate” credit monitoring and identity theft protection services, which has been specified as 10 years. The lawsuit also calls for the defendants to implement and maintain a comprehensive information security program.

“Every Rhode Islander should be concerned not just about the flimsy safeguards that were in place to protect against a breach, but also that a state agency had access to the personal medical information of people not even in their employ,” said Brown. “As we pursue a legal remedy for this tremendous breach of personal and medical privacy, we believe this incident should also serve as a wake-up call to the General Assembly to strengthen the remedies available to victims of these breaches.”

The post RIPTA, UnitedHealthcare of New England Sued Over 2021 Data Breach appeared first on HIPAA Journal.

Hacking, Database Misconfigurations, and Improper Disposal Incidents Reported

A round-up of healthcare data breaches that have recently been reported to the HHS’ Office for Civil Rights and State Attorneys General.

Delaware Department of Health and Social Services – Database Misconfiguration

The Delaware Department of Health and Social Services, Division of Developmental Disabilities Services (DDDS) has recently discovered that a misconfiguration occurred when new user accounts were created for the division’s client database. As a result of the misconfiguration, those accounts were granted access to the records of 7,074 individuals.

The misconfiguration was discovered on August 23, 2022, with the investigation confirming that 159 new user accounts had been created that provided access to service recipients’ personally identifiable information and protected health information, as well as some more detailed information. Twelve cases were identified where records were actively accessed by the users, but many more records may have been passively accessed. It was not possible to determine how many records were passively accessed. As such, the decision was taken to notify all 7,074 individuals, who have been offered complimentary credit monitoring services for 12 months.

Steps have since been taken to improve security to prevent similar misconfigurations in the future. The lessons learned from the incident will be applied to the new client data management system that is currently being developed and is due to be implemented in 2023.

Country Doctor Community Clinic, WA – Hacking Incident

Country Doctor Community Clinic in Seattle, WA, announced on October 19, 2022, that hackers had gained access to its digital environment and viewed and potentially obtained files containing the protected health information of 38,751 patients.

Unusual activity was detected in its computer systems on October 6, 2022. Immediate action was taken to secure its IT systems and prevent further unauthorized access, and third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the attack. A review was conducted to determine the types of information that had been compromised, after which up-to-date contact information had to be obtained for affected individuals. That process concluded on October 14, 2022.

Country Doctor Community Clinic said names, addresses, Social Security numbers, dates of birth, and other protected health information were potentially compromised. Credit monitoring and identity theft protection services are being offered to individuals whose Social Security numbers were exposed. Steps have also been taken to improve security to prevent similar breaches in the future.

Riverside Medical Group, NJ – Hacking Incident

Riverside Medical Group, an adult medical practice serving patients in Northern New Jersey, has discovered hackers gained access to a legacy server at its clinic in West Orange and may have viewed or obtained files containing patient data. The compromised server belonged to a provider who used it to store immunization records. No other systems were affected.

Riverside Medical Group said the breach was detected on August 3, 2022. The review of files on the server determined they contained the protected health information of 12,499 patients, including name, date of birth, address, gender, phone number, email address, immunization records, dates of immunizations, provider information, health plan information, and in limited instances, Social Security number. Riverside Medical Group said it is unaware of any actual or attempted misuse of patient information.

The Valley Hospital, NJ – Improper Disposal of Documents Containing PHI

The Valley Hospital in Ridgewood, NJ, has recently announced that the records of individuals who visited an outpatient COVID-19 testing facility have been disposed of in an improper manner, and could potentially have been accessed or obtained by unauthorized individuals.

The improper disposal incident was detected by the Valley Hospital on August 29, 2022. In its substitute breach notice, the hospital said post-COVID-19 testing instructions were discarded in a recycling bin at the testing facility, rather than being sent for shredding. The documents included the names of the providers administering COVID-19 tests and labels that included patient names, medical record numbers, location codes, and service dates.

The hospital attempted to recover the documents but was unable to retrieve them. The breach affected patients who received COVID-19 tests at the site between June 1 and September 1, 2022. Notifications have now been sent to affected individuals. It is currently unclear how many patients have been affected.

The post Hacking, Database Misconfigurations, and Improper Disposal Incidents Reported appeared first on HIPAA Journal.

WakeMed Announces Meta Pixel-Related Breach Affecting 495,000 Patients

WakeMed Health and Hospitals, a health system with multiple healthcare facilities in metropolitan Raleigh, NC, has recently notified around 495,000 patients that some of their protected health information may have been impermissibly disclosed to Meta/Facebook due to the use of Meta Pixel tracking code on its website.

The privacy violation was announced by the health system on October 14, 2022, with WakeMed stating that the code was first added to its website and MyChart patient portal in March 2018. The code gathers information on user activity on websites, which is achieved through the use of cookies. WakeMed said the code was added for website optimization and to “better connect members of our community with WakeMed’s MyChart patient portal, thereby improving access to their health care, and to help improve the WakeMed website.”

The problem, as many healthcare systems have discovered, is that in addition to tracking user activity, the snippet of JavaScript code also transmits data to Meta/Facebook, potentially including sensitive patient information and information that allows patients to be identified. According to WakeMed, this included information entered by patients in the MyChart patient portal and on the appointment scheduling page.

The types of information transmitted depended on patients’ interactions on the website, their use of forms, and the data selected or entered when scheduling appointments. WakeMed said the information transmitted to Meta/Facebook may have included one or more of the following: email address, phone number, other contact information, IP address, emergency contact information, information provided during online check-in (e.g., allergy or medication information), COVID vaccine status, information about an upcoming appointment (e.g., appointment type and date, physician selected, and button/menu selections), and any information added to free text boxes.

WakeMed said its investigation was unable to determine whether Meta or Facebook collected or used any of the information transmitted by the Meta Pixel code. Meta has previously stated that if it identifies any information it is not authorized to receive, the information will not be used or provided to third parties for uses such as serving targeted advertisements. Multiple lawsuits have been filed against other healthcare organizations that claim targeted advertisements have been served using Meta Pixel-collected data.

WakeMed said that after becoming aware of the issue, the Meta Pixel code was stripped from its website in May 2022 and that there are no further plans to use the code unless it can be confirmed that there is no potential for it to transmit sensitive data. Policies and procedures have also been implemented that involve comprehensive reviews of code before it is added to its website to prevent similar situations in the future. The North Carolina Attorney General has launched an investigation into the incident.
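As an added illustration (not WakeMed's, HIPAA Journal's or Meta's code), here is the kind of pre-deployment check the code-review policy above implies: a script that scans a page's HTML for the Meta Pixel loader, fbq() calls and the /tr image beacon, and rates the page as higher risk when it also carries data-entry fields, since that is the combination through which form content reaches the tracker. The host list and both sample pages are constructed for the example, and the pixel ID is a placeholder.

```javascript
"use strict";

// Hosts the Meta Pixel snippet loads from (fbevents.js) and sends events to (/tr).
// Constructed allow-list for this example; extend it for other trackers.
const TRACKER_HOSTS = ["connect.facebook.net", "www.facebook.com"];

function hostOf(url) {
  // Resolve relative and protocol-relative URLs against a dummy base so only
  // absolute third-party references resolve to a tracker host.
  try { return new URL(url, "https://example.invalid/").hostname; } catch { return ""; }
}

// Return one finding per piece of tracking code found in the raw HTML.
function findTrackingCode(html) {
  const findings = [];
  let m;
  // 1. External <script src> and <img src> (incl. the <noscript> beacon) on tracker hosts.
  const srcRe = /<(script|img)\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  while ((m = srcRe.exec(html)) !== null) {
    if (TRACKER_HOSTS.includes(hostOf(m[2]))) findings.push({ kind: `${m[1].toLowerCase()}-src`, url: m[2] });
  }
  // 2. Inline scripts that initialise the pixel or fire events via fbq().
  const inlineRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    const call = m[1].match(/\bfbq\s*\(\s*['"](init|track)['"]\s*,\s*['"]([^'"]*)['"]/);
    if (call) findings.push({ kind: "inline-fbq", call: call[1], arg: call[2] });
    else if (/fbevents\.js/.test(m[1])) findings.push({ kind: "inline-loader", arg: "fbevents.js" });
  }
  return findings;
}

// Tracking code on a page with forms is the risky case: entered values can be sent as events.
function assessPage(html) {
  const findings = findTrackingCode(html);
  const hasForms = /<(form|input|textarea|select)\b/i.test(html);
  return { findings, hasForms, risk: findings.length === 0 ? "none" : hasForms ? "high" : "medium" };
}

// Constructed sample: a scheduling page carrying a pixel loader, fbq() calls and the beacon.
const SAMPLE_SCHEDULING_PAGE = `<html><head><script>
  !function(f,b,e,v){/* loader elided */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'PIXEL_ID_PLACEHOLDER');
  fbq('track', 'PageView');
</script><noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
</head><body><form action="/schedule"><input name="appointment_type"><textarea name="notes"></textarea></form></body></html>`;

// Constructed sample: the same form with only a first-party script.
const SAMPLE_CLEAN_PAGE = `<html><head><script src="/static/app.js"></script></head>
<body><form action="/schedule"><input name="appointment_type"></form></body></html>`;

console.log(JSON.stringify(assessPage(SAMPLE_SCHEDULING_PAGE), null, 2));
```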

WakeMed joins Novant Health and Aurora Advocate Health in issuing notifications to patients about impermissible disclosures of PHI due to the use of Meta Pixel and other tracking code, and this is unlikely to be the last such announcement by a healthcare provider. A study conducted by The Markup/STAT on the top 100 hospitals in the United States found one-third had used Meta Pixel code on their websites.

The post WakeMed Announces Meta Pixel-Related Breach Affecting 495,000 Patients appeared first on HIPAA Journal.

September 2022 Healthcare Data Breach Report

63 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in September, bringing an end to the downward trend in data breaches seen over the previous three months. September’s total was above the 12-month average of 59 breaches a month, with data breaches being reported at a rate of more than 2 per day. In 2017, data breaches were being reported at a rate of one per day.

[Figure: Healthcare data breaches in the past 12 months, September 2022]

While the number of reported data breaches increased by 28.6% month-over-month, for the third consecutive month the number of breached records decreased, with 2,440,434 records breached across the 63 reported incidents. September’s total was well below the 12-month average of 3,481,033 breached records a month.

[Figure: Breached healthcare records in the past 12 months]

So far in 2022, 31,705,618 patient records have been exposed or impermissibly disclosed.

The Largest Healthcare Data Breaches Reported in September

30 data breaches of 10,000 or more patient records were reported to the HHS’ Office for Civil Rights in September 2022, all but one of which were hacking/IT incidents. The largest data breach involved the records of more than 542,000 patients of the Wolfe Clinic in Iowa and occurred at its electronic health record provider, Eye Care Leaders. The attack saw database and system configuration files deleted. More than 3.6 million individuals in total were affected by the Eye Care Leaders data breach.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Hacking incident at its EHR provider (Eye Care Leaders) |
| Empress Ambulance Service LLC | NY | Healthcare Provider | 318,558 | Ransomware attack |
| Cytometry Specialists, Inc. d/b/a CSI Laboratories | GA | Healthcare Provider | 244,850 | Business email compromise (BEC) attack |
| FMC Services, LLC | TX | Healthcare Provider | 233,948 | Hacked network server |
| Physician’s Business Office, Inc. | WV | Business Associate | 196,673 | Hacked network server |
| Providence WA Anesthesia Services PC | NY | Healthcare Provider | 98,643 | Hacked network server at management company |
| Medical Associates of the Lehigh Valley | PA | Healthcare Provider | 75,628 | Ransomware attack |
| Dyersburg Family Walk-In Clinic, LLC (Reelfoot Family Walk-In Clinic) | TN | Healthcare Provider | 58,562 | Hacked network server (data theft confirmed) |
| Palm Springs Anesthesia Services PC | NY | Healthcare Provider | 58,513 | Hacked network server at management company |
| Reiter Affiliated Companies, LLC | CA | Business Associate | 48,000 | Ransomware attack at a business associate |
| Reiter Affiliated Health and Welfare Plan | CA | Health Plan | 45,000 | Ransomware attack |
| Anesthesia Services of San Joaquin PC | NY | Healthcare Provider | 44,015 | Hacked network server at management company |
| Anesthesia Associates of El Paso PA | NY | Healthcare Provider | 43,168 | Hacked network server at management company |
| The Physicians’ Spine and Rehabilitation Specialists of Georgia, P.C. | GA | Healthcare Provider | 38,765 | Hacked network server |
| Country Doctor Community Clinic | WA | Healthcare Provider | 38,751 | Hacked network server |
| Resource Anesthesiology Associates PC | NY | Healthcare Provider | 37,697 | Hacked network server at management company |
| Lubbock Heart & Surgical Hospital | TX | Healthcare Provider | 23,379 | Hacked network server |
| Genesis Health Care, Inc. | SC | Healthcare Provider | 21,226 | Hacked network server |
| Resource Anesthesiology Associates of IL PC | NY | Healthcare Provider | 18,321 | Hacked network server at management company |
| Bronx Anesthesia Services PC | NY | Healthcare Provider | 17,802 | Hacked network server at management company |
| Resource Anesthesiology Associates of CA A Medical Corporation | CA | Healthcare Provider | 16,001 | Hacked network server at management company |
| Monroe Ear Nose and Throat Associates, PC | MI | Healthcare Provider | 14,500 | Hacked network server hosting EHRs |
| Magellan Rx Management | MD | Business Associate | 13,663 | Hacked network server |
| Hazleton Anesthesia Services PC | NY | Healthcare Provider | 13,607 | Hacked network server at management company |
| Riverside Medical Group | NJ | Healthcare Provider | 12,499 | Hacked legacy server containing EHRs |
| Anesthesia Associates of Maryland LLC | MD | Healthcare Provider | 12,403 | Hacked network server at management company |
| Northern California Fertility Medical Center | CA | Healthcare Provider | 12,145 | Ransomware attack |
| Neurology Center of Nevada | NV | Healthcare Provider | 11,700 | Hacking incident involving EHRs |
| Dr. Alexander J. Richardson, DPM | OH | Healthcare Provider | 11,300 | Hacking incident involving EHRs |
| WellMed Medical Management | TX | Healthcare Provider | 10,506 | A physician took records to his new practice |

Causes of September 2022 Data Breaches

As is now the norm, the majority of the month’s data breaches were categorized as hacking/IT incidents, which include hacking, ransomware and malware attacks, phishing attacks, and misconfigured databases and cloud resources.

[Figure: Causes of September 2022 healthcare data breaches]

52 breaches – 82% of the month’s total – were hacking/IT incidents, which resulted in the exposure and/or theft of the records of 2,410,654 individuals. The average breach size was 46,359 records and the median breach size was 12,274 records. These incidents accounted for 98.78% of all records breached in September.

Ransomware is commonly used in attacks on hospitals to prevent access to business-critical files and patient records. These attacks typically involve data theft prior to file encryption with the attackers threatening to sell or publish the stolen data if the ransom is not paid. Several threat actors have now dispensed with the file encryption and are just stealing data and demanding payment to prevent its sale or release. That makes the attacks quicker and easier for the attackers and ransoms are still often paid. These extortion-only attacks have been increasing in recent months.

There were 7 unauthorized access/disclosure incidents reported, a category that includes unauthorized access by employees, misdirected emails, and mailing errors. Across the 7 breaches, the records of 24,639 individuals were impermissibly disclosed. The average breach size was 3,250 records and the median breach size was 1,359 records.

There were 4 data breaches reported that involved the loss or theft of electronic devices that contained individually identifiable protected health information. Those devices contained 5,141 records. The average breach size was 1,285 records and the median breach size was 1,207 records. These incidents could have been avoided had data on the devices been encrypted.

The number of email-related data breaches is below the levels normally seen, with just 7 email data breaches reported. However, data from the ransomware remediation firm Coveware suggests email is still the most common way that threat actors gain access to networks in ransomware attacks. One of the largest data breaches reported this month – at CSI Laboratories – saw threat actors gain access to email accounts containing the records of almost 245,000 individuals. The email account was then used in a business email compromise attack to try to reroute CSI customer healthcare provider payments.

[Figure: Location of PHI in September 2022 healthcare data breaches]

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected type of entity in September, with 46 data breaches reported, compared with 10 breaches reported by business associates and 7 breaches reported by health plans. Healthcare providers and health plans often choose to report breaches at business associates themselves, as was the case for 7 data breaches at business associates in September. The pie chart below reflects this and shows where the data breaches actually occurred.

[Figure: September 2022 healthcare data breaches by reporting entity]

Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states reported data breaches in September. New York was the worst affected state with 15 breaches reported; 13 of those breaches were reported by providers of anesthesia services, although the breach actually occurred at their management company.

| State | Breaches |
|---|---|
| New York | 15 |
| California | 8 |
| Tennessee & Washington | 5 |
| Florida & Texas | 4 |
| Georgia | 3 |
| Indiana, Maryland, New Jersey, & Pennsylvania | 2 |
| Colorado, Connecticut, Iowa, Michigan, Montana, Nebraska, Nevada, Ohio, Rhode Island, South Carolina, & Wisconsin | 1 |

HIPAA Enforcement Activity in September

The HHS’ Office for Civil Rights agreed to settle HIPAA violations with three healthcare providers in September. All three of the settlements resolved violations of the HIPAA Right of Access, where patients were not provided with timely access to their medical records. All three cases were investigated by OCR after patients filed complaints that they had not been provided with their requested medical records. Great Expressions Dental Center of Georgia was also discovered to have overcharged a patient for providing a copy of her medical records.

Great Expressions Dental Center of Georgia, P.C. settled its case for $80,000, Family Dental Care, P.C. settled its case for $30,000, and B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental, settled its case for $25,000. All three settlements involved a corrective action plan to address the areas of non-compliance.

OCR has now imposed 20 financial penalties on HIPAA-regulated entities to resolve HIPAA violations so far this year – the most in any year to date.

The post September 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.