HIPAA Compliance News

CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General

In late September 2023, Indiana Attorney General Todd Rokita filed a lawsuit against CarePointe ENT over a ransomware attack and data breach that affected 48,742 individuals. A settlement has been reached that will see CarePointe pay $125,000 to resolve alleged violations of the Health Insurance Portability and Accountability (HIPAA) Act and state data privacy and security laws.

CarePointe ENT operates three ear, nose, throat, sinus, and hearing centers in Merrillville, Munster & Hobart in Northwest Indiana. On June 25, 2021, CarePointe ENT experienced a ransomware attack which resulted in files being encrypted and data being exfiltrated. The stolen data included names, addresses, dates of birth, Social Security numbers, medical insurance information, and health information. Affected individuals were notified about the data breach in August 2021.

AG Rokita launched an investigation into the attack to determine if CarePointe ENT had complied with its obligations under HIPAA and state laws. Despite claiming that it was committed to safeguarding patient information, CarePointe ENT was determined to have failed to implement appropriate security policies, conduct appropriate risk analyses, and address known security risks in a reasonable amount of time.

CarePointe ENT hired a third-party IT vendor that conducted a HIPAA risk analysis and identified security concerns in January 2021. The vendor was hired in March to address the identified vulnerabilities, but they were not fixed in a reasonable time frame. In June 2021, some of the unaddressed vulnerabilities were exploited in a ransomware attack. In addition to the failure to address known security issues, CarePointe ENT failed to enter into a business associate agreement with the vendor, even though the vendor was provided with access to systems containing protected health information.

AG Rokita’s lawsuit alleged one count of a failure to comply with the HIPAA Privacy Rule, one count of failing to comply with the HIPAA Security Rule, one count of failing to comply with the Indiana Disclosure of Security Breach Act (DSBA), and one count of failing to comply with the Indiana Deceptive Consumer Sales Act (DCSA). CarePointe ENT chose to settle the alleged violations of HIPAA and state laws with no admission of wrongdoing. Under the terms of the settlement, a financial penalty of $125,000 will be paid to the state and CarePointe ENT has agreed to ensure full compliance with the HIPAA Privacy and Security Rules and the DCSA and DSBA with respect to the safeguarding of personal information (PI), protected health information (PHI), and electronic protected health information (ePHI). CarePointe ENT has also agreed not to make misrepresentations about the extent to which it ensures the privacy, security, confidentiality, and integrity of PI, PHI, and ePHI.

The settlement agreement includes a comprehensive list of privacy and security measures. These include implementing a comprehensive information security program, appointing a HIPAA Security Officer to oversee that program, implementing technical safeguards and controls to ensure the privacy and security of patient data, developing an incident response plan and testing that plan through table-top exercises, developing policies and procedures regarding business associate agreements, and providing privacy and security training to all members of the workforce with access to PI, PHI, or ePHI,

The post CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General appeared first on HIPAA Journal.

St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 11th HIPAA penalty of 2023. St. Joseph’s Medical Center, a non-profit academic medical center in New York, was investigated over the disclosure of patients’ protected health information (PHI) to a reporter and has paid a $80,000 financial penalty to resolve the alleged HIPAA violations.

The Privacy Rule of the Health Insurance Portability and Accountability Act permits disclosures of PHI for the purpose of treatment, payment, and healthcare operations but other disclosures of PHI are generally prohibited unless authorization is obtained from a patient. OCR launched an investigation of St. Joseph’s Medical Center on April 20, 2020, pursuant to the publication of an article in the media by a reporter from the Associated Press (AP). Based on the information in the article it appeared that the reporter had been allowed to observe three patients who were being treated for COVID-19.

The article included information about the medical center’s response to the COVID-19 public health emergency and photographs and information about the facility’s patients. The images were distributed nationally, exposing PHI such as patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans. OCR’s investigation found evidence to suggest that St. Joseph’s Medical Center had allowed the reporter access to the patients and their clinical information. St. Joseph’s Medical Center had not obtained consent and valid HIPAA authorizations from the patients and the disclosure of PHI was not permitted by the HIPAA Privacy Rule.

St. Joseph’s Medical Center chose to settle the alleged HIPAA violation with OCR with no admission of liability and agreed to adopt a corrective action plan (CAP). The CAP requires St. Joseph’s Medical Center to review and, to the extent necessary, develop, maintain, and revise its written privacy policies and procedures to ensure they are compliant with the HIPAA Privacy Rule, provide those policies and procedures to OCR for review, distribute the updated policies and procedures to members of the workforce, and obtain a signed written or electronic compliance certification from all members of the workforce confirming they have read and understood the new policies and procedures. St. Joseph’s Medical Center will also be monitored by OCR for compliance for 2 years.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that puts patient privacy first.”

Disclosures of PHI in Response to Media Enquires

When it comes to disclosures of PHI in response to media inquiries, 45 CFR § 164.510(a) of the HIPAA Privacy Rule permits notifications to individuals who inquire about a patient or the patient’s general condition and location in the facility.

In such cases, disclosure of PHI is permitted if it is consistent with the patient’s wishes and the patient is asked for by name. All that can be disclosed is “facility directory information.” The patient’s name may be disclosed along with the individual’s location within the facility, provided the location does not disclose information about the patient’s treatment, e.g., labor & delivery, and their condition in general terms. i.e., stable, fair, or critical. All other disclosures of PHI can only be made if a HIPAA-compliant authorization is obtained from the patient in advance.

The post St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter appeared first on HIPAA Journal.

October 2023 Healthcare Data Breach Report

For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median:52 breaches).

October 2023 healthcare data breach report - 12 month breaches

For the third consecutive month, the number of breached healthcare records has fallen, from more than 18 million records in July 2023 to 3,569,881 records in October – a month-over-month percentage decrease of 52.76%. October’s total is well below the 12-month average of 7,644,509 breached records a month (median: 5,951,455 records). While this is certainly good news, it should noted that 2023 has been a particularly bad year for healthcare data breaches. Between January 1, 2023, to October 31, 2023, more than 82.6 million healthcare records have been exposed or impermissibly disclosed, compared to 45 million records in 2021 and 51.9 million records in 2023. As of November 17, 2023, more than 100 million records have been breached.

October 2023 healthcare data breach report - 12 month breached records

Largest Healthcare Data Breaches Reported in October 2023

14 breaches of 10,000 or more records were reported in October, the largest of which occurred at Postmeds Inc., the parent company of Truepill, a provider of a business-to-business pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer brands. While victims of the breach do not face an immediate risk of identity theft since no Social Security numbers were compromised, they do face an increased risk of phishing and social engineering attacks. As is now common in breach notifications, little information about the incident has been disclosed, other than it being a hacking incident involving unauthorized access to its network between August 30 and September 1, 2023.  The Postmeds data breach was the 21st data breach of 1 million or more records to be reported this year.

Even though the Clop hacking group’s mass exploitation of the zero-day vulnerability in Progress Software’s MOVEIt Transfer solution occurred in late May, healthcare organizations are still reporting MOVEit data breaches. More than 2,300 organizations are now known to have been affected and more than 60 million records were stolen in the attacks.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of breach
Postmeds, Inc. (TruePill) CA Healthcare Provider 2,364,359 Hacking incident (details not disclosed)
Western Washington Medical Group MS Healthcare Provider 350,863 Hacking incident (details not disclosed)
Greater Rochester Independent Practice Association, Inc. NY Healthcare Provider 279,156 Hacking incident (details not disclosed)
Radius Global Solutions PA Business Associate 135,742 Hacking incident – MoveIT Transfer vulnerability exploited
Dakota Eye Institute ND Healthcare Provider 107,143 Hacking incident (details not disclosed)
Walmart, Inc. Associates Health and Welfare Plan AR Health Plan 85,952 Hacking incident (details not disclosed)
Westat, Inc. MD Business Associate 50,065 Hacking incident – MoveIT Transfer vulnerability exploited
Brooklyn Premier Orthopedics NY Healthcare Provider 48,459 Hacking incident (details not disclosed)
PeakMed CO Healthcare Provider 27,800 Hacking incident (Compromised credentials)
Hospital & Medical Foundation of Paris, Inc IL Healthcare Provider 16,598 Hacking incident (details not disclosed)
Fredericksburg Foot & Ankle Center, PLC VA Healthcare Provider 14,912 Hacking incident (details not disclosed)
Cadence Bank MS Business Associate 13,862 Hacking incident – MoveIT Transfer vulnerability exploited
Peerstar LLC PA Healthcare Provider 11,438 Hacking incident (details not disclosed)
Atlas Healthcare CT CT Healthcare Provider 10,831 Hacking incident (details not disclosed)

October 2023 Data Breach Causes and Data Locations

As has been the case throughout 2023, hacking was the most common cause of data breaches in October, accounting for 77.5% of the month’s data breaches (31 incidents) and 99.13% of the breached records (3,538,726 records). The average data breach size in hacking incidents was 114,152 records and the median data breach size was 4,049 records.

The exact nature of these incidents has not been publicly disclosed in many cases, so it is not possible to determine the extent to which ransomware attacks, phishing attacks, and vulnerability exploits are occurring. The exception being the mass hacking of a zero-day vulnerability in the MOVEit Transfer solution, a fairly safe disclosure legally as organizations cannot be expected to patch a vulnerability that is unknown even to the company that developed the software. While the lack of information is undoubtedly intended to reduce legal risk, if victims of the breach are given insufficient information it is difficult for them to accurately gauge the level of risk they face.

There were 8 data breaches classified as unauthorized access/disclosure incidents, across which 30,555 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 3,819 records and the median breach size was 2,111 records. There was one reported incident involving the theft of a desktop computer, which contained the unencrypted protected health information of 600 individuals, and no incidents involving the loss or improper disposal of PHI.

October 2023 healthcare data breach report - causes of breaches

The most common location of breached PHI was network servers, which is unsurprising given the large number of hacking incidents. 8 data breaches involved compromised email accounts.

October 2023 healthcare data breach report - location of breached data

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in October, with 25 reported data breaches. There were 11 data breaches reported by business associates and 4 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

October 2023 healthcare data breach report - affected entities

October 2023 healthcare data breach report - breached records at HIPAA-regulated entities

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 23 states reported data breaches of 500 or more records in October. Texas was the worst affected state with 5 large data breaches followed by Mississippi with 4.

State Breaches
Texas 5
Mississippi 4
Illinois, New York & Pennsylvania 3
California, Colorado, Florida & Georgia 2
Arkansas, Connecticut, Delaware, Iowa, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, North Dakota, Oklahoma, Oregon & Virginia 1

HIPAA Enforcement Activity in October 2023

In October, the HHS’ Office for Civil Rights (OCR) announced its 10th HIPAA compliance enforcement action of the year. Doctors’ Management Services, a Massachusetts-based medical management company that offers services such as medical billing and payor credentialing, opted to settle an OCR investigation of a data breach. In April 2017, a threat actor accessed its network via Remote Desktop Protocol and gained access to the protected health information of 206,695 individuals.

OCR determined there had been a risk analysis failure, a failure to review records of system activity, and a failure to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule. Those failures resulted in an impermissible disclosure of the PHI of 206,695 individuals. Doctors’ Management Services paid a financial penalty of $100,000 and agreed to a corrective action plan to address the HIPAA compliance issues discovered by OCR.

State Attorneys General also have the authority to investigate HIPAA-regulated entities and impose financial penalties for HIPAA violations, although they often choose to impose penalties for equivalent violations of state laws. Three settlements were agreed in October with HIPAA-regulated entities to resolve allegations of data security and breach notification failures.

Blackbaud, a Delaware corporation headquartered in Charleston, South Carolina that provides donor relationship management software, chose to settle alleged violations of the HIPAA Security Rule, HIPAA Breach Notification Rule, and state consumer protection laws with 49 states and the District of Columbia and paid a $49.5 million penalty and agreed to make substantial data security improvements. Blackbaud suffered a ransomware attack in May 2020, which exposed the protected health information of 5,500,000 individuals. The multi-state investigation identified a lack of appropriate safeguards to ensure data security and breach response failures.

Inmediata, a Puerto Rico-based healthcare clearinghouse settled a multi-state data breach investigation involving more than 35 state attorneys general. A server has been left unsecured, which allowed sensitive data to be indexed by search engines, allowing it to be found by anyone with Internet access. The protected health information of 1,565,338 individuals was exposed. The multi-state investigation identified a failure to implement reasonable and appropriate security measures, as required by the HIPAA Security Rule, a failure to conduct a secure code review, and violations of the HIPAA Breach Notification Rule and state breach notification rules for failing to provide timely and complete information to victims of the breach. The investigation was settled for $1.4 million and Inmediata agreed to make improvements to its information security program and strengthen its data breach notification practices.

Personal Touch Holding Corp, a home health company that does business as Personal Touch Home Care, opted to settle an investigation by the Office of the New York Attorney General into a breach of the protected health information of 753,107 individuals, including 316,845 New York residents. An employee responded to a phishing email which resulted in malware being installed. The threat actor exfiltrated data and then used ransomware to encrypt files. The New York Attorney General alleged Personal Touch only had an informal information security program, insufficient access controls, no continuous monitoring system, a lack of encryption, and inadequate staff training. Personal Touch paid a $350,000 financial penalty and agreed to make improvements to its information security and training programs.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on November 11, 2023.

The post October 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Stricter Cybersecurity Regulations Proposed for New York Hospitals

New York has proposed tighter cybersecurity regulations for hospitals throughout New York State in response to a series of crippling attacks that have caused disruption to healthcare services, delays to patient care, and have put patient safety at risk.

Governor Kathy Hochul announced the proposed measures on Monday, which are expected to be published in the State Register on December 6, 2023, provided they are adopted by the Public Health and Health Planning Council this week. The new cybersecurity requirements will then undergo a 60-day public comment period, which will end on February 5, 2033. When the new regulations are finalized, hospitals will be given a 1-year grace period to ensure full compliance.

The proposed regulations include the requirement for New York hospitals to appoint a Chief Information Security Officer if they have not done so already, implement defensive infrastructure and cybersecurity tools including multifactor authentication, and conduct regular risk analyses to identify cyber risks. Any in-house applications must be developed using secure software design principles, and processes must be developed and implemented for testing the security of third-party software. Hospitals in the state will also be required to develop and test incident response plans to ensure that care can continue to be provided to patients in the event of a cyberattack.

New York hospitals already have cybersecurity responsibilities under the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for cybersecurity. The proposed regulations are intended to complement the HIPAA Security Rule and include similar requirements, but while the HIPAA Security Rule is largely technology agnostic, the proposed regulations in New York include specific measures that hospitals must implement. “Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” said Governor Hochul. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

There has been a massive increase in healthcare cyberattacks in recent years. The HHS’ Office for Civil Rights recently announced there has been a 77% in hacking incidents in 2023 and a 278% increase in ransomware attacks over the past 4 years. While reported data breaches of 500 or more records are down slightly from 2022, more than 79 million healthcare records have been exposed in those attacks – almost twice the number of compromised records in 2022.

These attacks clearly show that hospitals and health systems are struggling to prevent unauthorized access to their systems and that more needs to be done to improve cybersecurity than complying with the HIPAA Security Rule. There are often competing priorities in healthcare, and while investment in cybersecurity has increased, some hospitals have struggled to find the necessary funding to improve cybersecurity. To help ease the financial burden, Governor Hochul’s FY24 budget includes $500 million in funding for healthcare facilities to enable them to upgrade their technology systems to comply with the proposed regulations and pay for necessary cybersecurity tools, electronic health records, advanced clinical technologies, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.

“When it comes to protecting New Yorkers from cyberattacks that have become more numerous and more sophisticated, safeguarding our hospitals is an essential part of New York’s aggressive and comprehensive whole-of-state approach,” said New York State Chief Information Officer Dru Rai. “We thank the Governor and our agency partners for their ongoing commitment and are pleased that the state’s hospitals will be getting the uniform guidance and resources necessary to further enhance their own cybersecurity, thereby protecting patients and the critical systems that provide quality care all across New York.”

The post Stricter Cybersecurity Regulations Proposed for New York Hospitals appeared first on HIPAA Journal.

New York AG Settles Data Breach Investigation of U.S. Radiology Specialists for $450,000

New York Attorney General, Letitia James, has announced a $450,000 settlement with U.S. Radiology Specialists Inc. to resolve allegations it failed to protect patients’ personal and health information. U.S. Radiology Specialists is one of the largest private radiology groups in the country and acts as a service provider for healthcare facilities throughout the United States. It also partners with other radiology groups, including the Windsong Radiology Group, which operates 6 facilities in Western New York. Windsong, like other partner companies, relies on U.S. Radiology Specialists for numerous services, including network management and protection. The Office of the Attorney General of the State of New York opened an investigation of U.S. Radiology Specialists into a large data breach that was reported in 2021 to determine whether it was caused by a failure to comply with the Health Insurance Portability and Accountability Act (HIPAA) and state laws.

U.S. Radiology Specialists protected the networks of its partners with a SonicWall firewall. On January 22, 2021, SonicWall alerted its customers about a coordinated cyberattack on its internal systems. Highly capable threat actors were thought to have exploited a zero-day vulnerability in SonicWall products that are used for remote access. A few days later on January 31, 2021, researchers at NCC Group identified the likely vulnerability and SonicWall issued a patch three days later.

U.S. Radiology Specialists used SonicWall hardware that was approaching end-of-life and, as a result, SonicWall did not provide a patch that could be applied to its hardware. The hardware needed to be upgraded before the patch could be applied to fix the vulnerability. Even though the vulnerability was known to have been exploited in attacks on SonicWall customers, U.S. Radiology Specialists scheduled the hardware upgrade for July 2021, and the hardware replacement project was then delayed due to competing priorities and resource restraints.

On December 8, 2021, an unauthorized individual gained access to US Radiology’s SonicWall device with valid credentials, accessed the VPN, and then leveraged 101 additional credentials to access various network data folders over the following week. While the investigation into the breach did not confirm how the credentials were stolen, the SQL injection vulnerability identified by NCC Group and patched by SonicWall could have been exploited to obtain the necessary credentials to access the SonicWall VPN.

The third-party investigation of the attack was complicated and required extensive analysis and took until August 2022 to complete. The investigation confirmed that the threat actor gained access to the protected health information (PHI) of 198,260 patients, including 92,540 Windsong patients who were New York residents, and it was confirmed that sensitive data had been exfiltrated by the attackers. The PHI that was exposed in the attack included names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and health insurance ID numbers, as well as the private information of 82,478 New Yorkers, which included names, driver’s license numbers, passport numbers, and Social Security numbers.

The New York Attorney General’s Office determined that U.S. Radiology Specialists had failed to adopt reasonable and appropriate data security practices to protect patient information when it failed to address a known vulnerability in a reasonable time frame. The investigation was settled with no admission of liability and U.S. Radiology Specialists agreed to pay a $450,000 financial penalty, update its IT infrastructure, ensure its networks are secured, update its data security policies, and implement and maintain a comprehensive information security program.

“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” said Attorney General James. “US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems. My office will continue to ensure companies do not neglect their legal responsibilities to protect New Yorkers’ private information.”

The New York Attorney General has imposed financial penalties on several organizations over the past few months for data security failures. Personal Touch recently settled alleged HIPAA and state law violations for $350,000, the New York Attorney General participated in a multi-state investigation of Blackbaud and received a share of the $49.5 million settlement, and PracticeFirst Medical Management Solutions settled its investigation with the New York AG and paid a $550,000 penalty.

The post New York AG Settles Data Breach Investigation of U.S. Radiology Specialists for $450,000 appeared first on HIPAA Journal.

AHA Files Lawsuit Challenging HHS Guidance on Tracking Technologies

The American Hospital Association (AHA), Texas Hospital Association, United Regional Health Care System, and Texas Health Resources have filed a lawsuit against Department of Health and Human Services (HHS) Secretary, Xavier Becerra, and HHS’ Office for Civil Rights (OCR) Director, Melanie Fontes Rainer, over the December 2022 guidance issued by OCR on website tracking technologies.

OCR issued guidance for HIPAA-regulated entities on the use of third-party tracking technologies on public-facing websites and applications following revelations that these tools were disclosing the individually identifiable information of website visitors to third-party companies such as Meta (Facebook), Google, social media platforms, and other third parties. The information disclosed by these tools, which include Meta Pixel and Google Analytics code, could potentially include health information, depending on the interactions of users on the websites and apps where the code is used.

A study of the websites of the 100 top hospitals by The Markup found one-third had used these tracking tools on their websites without obtaining consent from website visitors. A more comprehensive study of hospitals that was published in Health Affairs, found that 99% of the 3,747 U.S. hospitals studied were using these tools on their websites. Several of the hospitals reported the use of these tools as data breaches, including Advocate Aurora Health, Novant Health, WakeMed Health, and Cerebral, Inc., some of which involved the data of millions of patients. Many lawsuits have since been filed against healthcare providers in response to the use of these tools. Advocate Aurora Health recently settled Pixel-related litigation for $12.225 million.

In July 2023, OCR and the Federal Trade Commission (FTC) jointly issued warning letters to 130 healthcare organizations over the use of tracking tools and then published those letters – which name the organizations involved – in September 2023, signaling both OCR and the FTC are actively enforcing the guidance.  The AHA has publicly criticized OCR for its position on tracking technologies. In the AHA’s response to Senator Bill Cassidy’s request for information on healthcare data privacy and HIPAA, the AHA called for the HHS to drop its new website tracking technology rule, which it claimed harmed hospitals and negatively affected patients.

The AHA has now taken the issue a step further with legal action. The AHA claims that it had no alternative other than to take legal action due to several months of unsuccessful attempts to communicate its concerns to the HHS. The lawsuit was filed in the U.S. District Court for The Northern District of Texas Fort Worth Division and alleges the new rule is unlawful, and claims that the HHS is actively enforcing its new rule against hospitals but the federal government’s own healthcare providers are continuing to use the prohibited tracking technologies on their websites.

Lawsuit Seeks Court Order Preventing OCR from Enforcing Tracking Technology Guidance

The lawsuit alleges the decision to class the metadata collected and transmitted by tracking technologies as individually identifiable health information subject to HIPAA is, “a gross overreach by the federal bureaucracy, imposed without any input from the public or the healthcare providers most impacted by it.” The AHA explains that “the HHS rule exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect.” While the lawsuit does not go as far as seeking the rescindment of the guidance, an order is requested from the court that prohibits OCR from enforcing its rule to prevent members from being unlawfully penalized.

The AHA’s position is that website tracking technologies that collect information such as IP addresses are critical to the function of websites and apps, and many web tools are rendered ineffective without that information, including analytics software, video technologies that offer the public education and information on health conditions, translation and accessibility services, and digital maps, to name only a few. By prohibiting tracking technologies, these vital website tools will no longer feature on hospital websites, and that ultimately harms the patients that OCR’s rule seeks to protect.

“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites,” said Rick Pollack, AHA President and CEO. “We cannot understand why HHS created this ‘rule for thee but not for me.’”

The post AHA Files Lawsuit Challenging HHS Guidance on Tracking Technologies appeared first on HIPAA Journal.

Doctors’ Management Services Settles OCR HIPAA Probe for $100,000

The HHS’ Office for Civil (OCR) has agreed to a $100,000 settlement with Doctors’ Management Services to resolve an investigation of a ransomware attack and data breach that uncovered multiple potential violations of the HIPAA Security Rule.

Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS identified an intrusion on December 24, 2018, when GandCrab ransomware was used to encrypt files on its network. The forensic investigation confirmed the attackers first gained access to its network on April 1, 2017.

According to DMS, the threat actor gained access to its network via Remote Desktop Protocol (RDP) on one of its workstations and potentially obtained names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and diagnostic information. The breach was reported to OCR on April 22, 2019, as affecting up to 206,695 individuals.

OCR opened an investigation of the breach to determine whether DMS had complied with the HIPAA Rules and uncovered multiple potential violations of the HIPAA Rules. In addition to the impermissible disclosure of the protected health information of 206,695 individuals, OCR determined that DMS had failed to conduct an accurate and thorough risk analysis to assess technical, physical, and environmental risks and vulnerabilities associated with the handling of ePHI.

DMS was also found to have failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. OCR also determined that DMS had not implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.

DMS agreed to settle the investigation with no admission of liability. Under the terms of the settlement, DMS has agreed to pay a $100,000 financial penalty and implement a corrective action plan (CAP) to resolve the potential HIPAA violations identified by OCR. The CAP includes requirements to update its risk analysis, risk management program, HIPAA Privacy and Security Rule policies and procedures, and workforce HIPAA training. In its settlement announcement, OCR also recommended several cybersecurity best practices that all HIPAA-regulated entities should implement to prevent and mitigate cyber threats.

OCR said this is the first HIPAA settlement agreement it has reached in response to a ransomware attack. Given the number of ransomware attacks in the past five years, which have increased by 278% since 2018, it is likely to be the first of many. “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

October is Cybersecurity Awareness Month, and in recognition, OCR released a cybersecurity video that explains how HIPAA Security Rule compliance can help healthcare organizations improve their defenses against cyberattacks and block the most common attack vectors. CISA and the HHS have also recently released a cybersecurity toolkit, which includes key cybersecurity tools, training material, and other resources for strengthening security posture and keeping up to date on the latest threats. This month, CISA released a log management tool to help under-resourced organizations reduce their log management burden and search for signs of compromise, and CISA, the NSA, FBI, and MS-ISAC have issued joint guidance on blocking phishing.

It has never been more important to ensure appropriate cybersecurity measures are in place, given the 239% increase in data breaches due to hacking in the past 4 years and the extent to which healthcare records are now being breached. Breached records are up 60% on last year and, at the time of writing, 88 million healthcare records are known to have been breached so far in 2023.

The post Doctors’ Management Services Settles OCR HIPAA Probe for $100,000 appeared first on HIPAA Journal.

OCR Video Explains How to Improve Cybersecurity Defenses Through HIPAA Security Rule Compliance

The HHS’ Office for Civil Rights has released a video in recognition of National Cybersecurity Awareness Month that explains how compliance with the HIPAA Security Rule can help HIPAA-regulated entities defend against cyberattacks. The video features Nick Heesters, Senior Advisor for Cybersecurity for the Health Information Privacy, Data, and Cybersecurity Division of the HHS’ Office for Civil Rights, who discusses some of the real-world cyberattack trends identified by OCR from breach reports.

There has been a massive increase in healthcare data breaches since the HIPAA Breach Notification Rule was enacted. In 2010, the first full year of breach report data, OCR received 199 reports of healthcare data breaches of 500 or more records. More than 700 data breaches were reported in both 2021 and 2022, and 2023 looks set to become the third successive year with more than 700 reported data breaches.

In the year to September 30, 2023, hacking and other IT incidents accounted for 77% of all large data breaches, compared to just 49% of incidents in 2009, and as of September 30, 2023, more than 79 million healthcare records have been exposed or impermissibly disclosed. There has been a 239% increase in hacking-related data breaches since 2018 and a 278% increase in ransomware incidents over the same period.

OCR investigates all breaches of 500 or more healthcare records to identify any HIPAA compliance issues that caused or contributed to breaches. Heesters explains some of the most common HIPAA compliance issues and security weaknesses that have been exploited by malicious actors to gain access to internal networks, focusing on the most common attack vectors such as phishing, compromised accounts, and unpatched vulnerabilities.

Heesters explains how specific provisions of the HIPAA Security Rule can help HIPAA-regulated entities protect against cyberattacks, detect attacks in progress, and mitigate the most common types of cyberattack, such as security awareness and training, authentication, access control, and risk analysis/risk management.

The video can be viewed on OCR’s YouTube Channel and is available in English and Spanish.

The post OCR Video Explains How to Improve Cybersecurity Defenses Through HIPAA Security Rule Compliance appeared first on HIPAA Journal.

HHS Publishes Proposed Rule Establishing Information Blocking Disincentives for Healthcare Providers

The Centers for Medicare and Medicaid Services (CMS) at the Department of Health and Human Services (HHS) has published a long-awaited proposed rule that establishes disincentives for healthcare providers that have committed information blocking, as called for by the 21st Century Cures Act. Information blocking is classed as knowingly or unreasonably interfering with the access, exchange, or use of electronic health information, except as required by law or covered by a regulatory exception.

The Cures Act requires the Office of Inspector General (OIG) to refer healthcare providers determined by OIG to have committed information blocking to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking. On June 27, 2023, the HHS OIG published its final rule that implemented information blocking penalties of $1 million per violation for health information technology (IT) developers of certified health IT and other entities offering certified health IT, health information exchanges, and health information networks. The penalties took effect on August 2, 2023.

The latest HHS proposed rule establishes penalties for healthcare providers found to have committed information blocking. The proposed disincentives are as follows:

  • Medicare Promoting Interoperability Program: An eligible hospital or critical access hospital (CAH) would not be a meaningful electronic health record (EHR) user in an applicable EHR reporting period. The impact on eligible hospitals would be the loss of 75 percent of the annual market basket increase; for CAHs, payment would be reduced to 100 percent of reasonable costs instead of 101 percent.
  • Promoting Interoperability performance category of the Merit-based Incentive Payment System (MIPS): An eligible clinician or group would not be a meaningful user of certified EHR technology in a performance period and would therefore receive a zero score in the Promoting Interoperability performance category of MIPS, if required to report on that category. The Promoting Interoperability performance category score typically can be a quarter of a clinician or group’s total MIPS score in a year.
  • Medicare Shared Savings Program: A health care provider that is an Accountable Care Organization (ACO), ACO participant, or ACO provider or supplier would be deemed ineligible to participate in the program for a period of at least one year. This may result in a healthcare provider being removed from an ACO or prevented from joining an ACO.

The proposed rule will be published in the Federal Register on November 1, 2023. A 60-day comment period will follow, with the comments made accessible for public inspection. Comments must be submitted by no later than January 2, 2024, at 11:59 p.m. The HHS will consider all comments before publishing the final rule, which is expected to be issued later in 2024. The Office of the National Coordinator for Health Information Technology (ONC) and the CMS will host an information session about the proposed rule in the coming weeks.

“HHS is committed to developing and implementing policies that discourage information blocking to help people and the health providers they allow to have access to their electronic health information,” said HHS Secretary Xavier Becerra. “We are confident the disincentives included in the proposed rule, if finalized, will further increase the appropriate sharing of electronic health information and establish a framework for potential additional disincentives in the future.”

The post HHS Publishes Proposed Rule Establishing Information Blocking Disincentives for Healthcare Providers appeared first on HIPAA Journal.