HIPAA Compliance News

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing the HCINs, which resulted in the HCINs being printed on the mailing labels: a violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been a highly active enforcer of HIPAA Rules and has agreed to four settlements in 2018 to resolve HIPAA violations. In addition to the EmblemHealth HIPAA fine, New Jersey settled HIPAA violations in 2018 with Best Medical Transcription ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816).

The post EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach appeared first on HIPAA Journal.

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals.

Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.

A Failure to Implement Adequate Security Controls

The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”

The breach in question occurred between May 7 and May 26, 2015. Hackers gained access to its WebChart electronic health record system and to highly sensitive patient information – the exact types of data sought by identity thieves: names, addresses, dates of birth, Social Security numbers, and health information.

Known Vulnerabilities Were Not Corrected

Medical Informatics Engineering had set up two ‘tester’ accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing.’ Both accounts could be accessed remotely without any further identification. The lawsuit alleges Medical Informatics Engineering was aware of the security issue, as the accounts had been identified as high risk by a third-party penetration testing firm, Digital Defense, in January 2015. Even though the accounts were high risk, Medical Informatics Engineering continued to use them. The accounts had been set up so that one of its healthcare provider clients could log in without using unique usernames and passwords.

While those accounts did not have privileged access, they did allow the hackers to gain a foothold in the network. Through those accounts the attackers conducted an SQL injection attack, which allowed them to gain access to other accounts with administrative privileges that were used to exfiltrate data.

Post-Breach Response Failures

While the initial attack and data exfiltration went unnoticed, a further attempt to exfiltrate data using malware slowed network performance to such an extent that an alarm was generated, alerting Medical Informatics Engineering that its systems had been compromised. While the company was investigating the malware attack, the attackers were still able to exfiltrate further data through SQL queries, demonstrating that the company’s post-breach response was “inadequate and ineffective.”

No Encryption or Employee Security Awareness Training

No encryption had been used to protect stored data, and no security system had been implemented to alert Medical Informatics Engineering to possible hacking attempts. Had such a system been in place, the unauthorized access would have been easy to identify, as two of the IP addresses used by the attackers originated in Germany.
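The kind of alerting the lawsuit says was missing can be built from ordinary authentication logs. The following Go program is an added example, not code from Medical Informatics Engineering or from the lawsuit: it parses constructed log lines in an assumed key=value format, geolocates source IPs through a constructed lookup table standing in for a GeoIP database, and raises an alert for any successful login from outside the countries the service expects, for any IP it cannot geolocate, and for any use of accounts that a penetration test has flagged as high risk (here the two ‘tester’ accounts described above). The log format, the IP addresses (RFC 5737 documentation ranges) and the country table are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthEvent is one parsed line from an application's authentication log.
type AuthEvent struct {
	Timestamp string
	User      string
	SourceIP  string
	Outcome   string // "success" or "failure"
}

// Alert records which event was flagged and why.
type Alert struct {
	Event  AuthEvent
	Reason string
}

// Constructed sample log lines (not real WebChart logs; the format is an
// assumption for this example).
const sampleLog = `2015-05-07T02:14:09Z user=tester src=203.0.113.45 outcome=success
2015-05-07T02:14:31Z user=jsmith src=198.51.100.12 outcome=success
2015-05-07T02:15:02Z user=testing src=203.0.113.46 outcome=success
2015-05-07T09:30:11Z user=mrivera src=198.51.100.77 outcome=failure
2015-05-08T11:02:45Z user=dbadmin src=203.0.113.45 outcome=success`

// Constructed IP-to-country table standing in for a GeoIP database.
// 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
var geoTable = map[string]string{
	"203.0.113.45":  "DE",
	"203.0.113.46":  "DE",
	"198.51.100.12": "US",
	"198.51.100.77": "US",
}

// expectedCountries lists where this hypothetical US-only service expects logins from.
var expectedCountries = map[string]bool{"US": true}

// watchlist holds accounts a penetration test flagged as high risk; any use of
// them should alert until they are removed.
var watchlist = map[string]bool{"tester": true, "testing": true}

// parseLine parses one "timestamp user=.. src=.. outcome=.." line; ok is false on malformed input.
func parseLine(line string) (AuthEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return AuthEvent{}, false
	}
	ev := AuthEvent{Timestamp: fields[0]}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			return AuthEvent{}, false
		}
		switch kv[0] {
		case "user":
			ev.User = kv[1]
		case "src":
			ev.SourceIP = kv[1]
		case "outcome":
			ev.Outcome = kv[1]
		default:
			return AuthEvent{}, false
		}
	}
	if ev.User == "" || ev.SourceIP == "" || ev.Outcome == "" {
		return AuthEvent{}, false
	}
	return ev, true
}

// Analyze returns alerts for any use of watchlisted accounts and for successful
// logins from unexpected countries or from IPs with no geolocation.
func Analyze(logText string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(logText, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		ev, ok := parseLine(line)
		if !ok {
			// Unparseable lines are surfaced rather than dropped silently.
			alerts = append(alerts, Alert{Reason: "unparseable log line: " + line})
			continue
		}
		if watchlist[ev.User] {
			alerts = append(alerts, Alert{ev, "use of high-risk account flagged by penetration test"})
		}
		if ev.Outcome != "success" {
			continue
		}
		country, known := geoTable[ev.SourceIP]
		switch {
		case !known:
			alerts = append(alerts, Alert{ev, "successful login from IP with no geolocation"})
		case !expectedCountries[country]:
			alerts = append(alerts, Alert{ev, "successful login from unexpected country " + country})
		}
	}
	return alerts
}

func main() {
	for _, a := range Analyze(sampleLog) {
		fmt.Printf("%s user=%s src=%s: %s\n", a.Event.Timestamp, a.Event.User, a.Event.SourceIP, a.Reason)
	}
}
```

Run on the constructed sample, the program raises five alerts: two for each ‘tester’ login (the account itself and the German source) and one for the later privileged login from the same German address, while the ordinary US logins and the failed attempt pass silently.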

The lawsuit also alleges Medical Informatics Engineering had no documentation to confirm security awareness training had been provided to its employees prior to the data breach.

In addition to violations of HIPAA Rules, the lawsuit alleges Medical Informatics Engineering violated several state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notifications.

OCR Fines Florida Contractor Physicians’ Group $500,000 for Multiple HIPAA Compliance Failures

An HHS Office for Civil Rights (OCR) investigation into an impermissible disclosure of PHI by a business associate of a HIPAA-covered entity revealed serious HIPAA compliance failures.

Advanced Care Hospitalists (ACH) is a Lakeland, FL-based contractor physicians’ group that provides internal medicine physicians to nursing homes and hospitals in West Florida. ACH falls under the definition of a HIPAA-covered entity and is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. ACH serves approximately 20,000 patients a year and employed between 39 and 46 staff members per year during the time frame under investigation.

Between November 2011 and June 2012, ACH engaged the services of an individual who claimed to be a representative of Doctor’s First Choice Billings Inc., a Florida-based provider of medical billing services. That individual used First Choice’s company name and website, but according to the owner of First Choice, those services were provided without the knowledge or permission of First Choice.

A local hospital notified ACH on February 11, 2014 that some patient information – including names, birth dates, Social Security numbers, and some clinical information – was viewable on the First Choice website. The website was shut down the following day.

In April 2014, ACH submitted a breach report to OCR about the impermissible disclosure of patients’ protected health information (PHI). The report stated that the PHI of 400 patients had been impermissibly disclosed; ACH later amended it after discovering that the PHI of a further 8,855 patients had also been impermissibly disclosed.

OCR investigated the breach and discovered that despite having been in operation since 2005, ACH did not implement any HIPAA Privacy, Security, and Breach Notification Rule policies and procedures before April 1, 2014, and had failed to implement appropriate security measures. ACH also failed to conduct a risk analysis until March 4, 2014.

Even though PHI had been disclosed to the individual providing medical billing services, ACH failed to enter into a business associate agreement with that individual. As a result of the lack of a BAA, ACH impermissibly disclosed the PHI of 9,255 patients to a third party for billing processing services – PHI that was subsequently exposed online.

In addition to paying the $500,000 fine, ACH has agreed to implement a robust corrective action plan to correct all HIPAA compliance failures.

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA,” said OCR Director Roger Severino.

The latest settlement is the ninth OCR HIPAA compliance penalty of 2018. In total, $25,572,000 has been paid to OCR in 2018 to resolve compliance failures.

OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Hartford allergy practice $125,000 to resolve potential violations of the HIPAA Privacy Rule.

On October 6, 2015, OCR received a copy of a civil rights complaint that had been filed with the Department of Justice (DOJ). The complainant alleged Allergy Associates of Hartford – a Connecticut healthcare provider that specializes in treating patients with allergies – had impermissibly disclosed her protected health information to a TV reporter.

The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information.

OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a).

The physician in question had already been advised by the practice’s Privacy Officer to ignore the reporter’s request for comment or to respond with ‘no comment.’ However, the physician chose to speak with the reporter and disclosed some of the patient’s PHI. OCR viewed the disclosure as ‘a reckless disregard for the patient’s privacy rights.’

After Allergy Associates was contacted by OCR about the privacy breach, Allergy Associates failed to apply appropriate sanctions against the physician concerned for a violation of the practice’s privacy policies and procedures, as is required by the HIPAA Privacy Rule – 45 C.F.R. § 164.530(e)(1).

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” explained OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

Allergy Associates agreed to settle the case with no admission of liability. In addition to paying a financial penalty of $125,000, Allergy Associates has agreed to adopt a robust corrective action plan which includes two years of OCR monitoring the practice’s compliance with HIPAA Rules.

October 2018 Healthcare Data Breach Report

Our October 2018 healthcare data breach report shows a month-over-month increase in healthcare data breaches, with October seeing more than one healthcare data breach reported per day.

31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches.

Healthcare Data Breaches (by Month)

The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records.

Healthcare Data Breaches (records exposed by month)

Largest Healthcare Data Breaches in October 2018

There were 11 healthcare data breaches of more than 10,000 records reported in October – a 120% increase from the five 10,000+ record breaches in September. The largest healthcare data breach in October resulted in the exposure of 1.24 million records: an unauthorized access/disclosure incident at the Employees Retirement System of Texas. A flaw in its ERS Online portal allowed members to view the PHI of other members.

566,217 records were exposed in a breach at Banker’s Life, a division of CNO Financial Group Inc., also an unauthorized access/disclosure incident. Employee credentials were stolen and used to gain access to company websites, resulting in the exposure and potential theft of policyholder and applicant information.

Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
1 | Employees Retirement System of Texas | Health Plan | 1,248,263 | Unauthorized Access/Disclosure
2 | CNO Financial Group, Inc. | Health Plan | 566,217 | Unauthorized Access/Disclosure
3 | Health First, Inc | Healthcare Provider | 42,000 | Hacking/IT Incident
4 | Jones Eye Center, P.C. | Healthcare Provider | 39,605 | Hacking/IT Incident
5 | Gold Coast Health Plan | Business Associate | 37,005 | Hacking/IT Incident
6 | The May Eye Care Center | Healthcare Provider | 30,000 | Hacking/IT Incident
7 | CJ Elmwood Partners, L.P. | Healthcare Provider | 22,416 | Hacking/IT Incident
8 | Minnesota Department of Human Services | Health Plan | 20,800 | Hacking/IT Incident
9 | Catawba Valley Medical Center | Healthcare Provider | 20,000 | Hacking/IT Incident
10 | National Ambulatory Hernia Institute | Healthcare Provider | 15,974 | Hacking/IT Incident

Causes of October 2018 Healthcare Data Breaches

Unauthorized access/disclosure breaches resulted in the highest number of compromised records, but hacking/IT incidents were more common in October. October saw 16 hacking/IT incidents reported, 11 unauthorized access/disclosure incidents, and four theft incidents. There were no reports of lost PHI/ePHI and no improper disposal incidents.

Healthcare Records Exposed by Breach Cause

Healthcare Records Exposed by Breach Cause (October 2018)

Location of Breached Protected Health Information

Phishing is arguably the biggest cyber threat faced by healthcare organizations and October saw many phishing attacks reported by healthcare providers. In October, there were 9 incidents involving PHI exposure via email. There were also 9 network server-related breaches, which included hacks, malware, and ransomware attacks.

October 2018 Healthcare Data Breach Report - Location of Breached PHI

Data Breaches by Covered-Entity Type

In terms of the number of incidents, healthcare providers were the worst hit by data breaches in October with 20 reported breaches, followed by health plans/health insurers with 7. Four HIPAA business associate breaches were reported, three of which were by the same business associate – HealthFitness. One further breach had some business associate involvement.

In terms of the number of exposed records, health plans/insurers fared worse than other HIPAA-covered entities. 1,848,235 healthcare records were exposed at health plans/insurers, 221,994 healthcare records were exposed in healthcare provider breaches, and 39,501 records were exposed by business associates.

October 2018 Healthcare Data Breaches by Entity Type

Healthcare Data Breaches by State

Texas was worst affected by healthcare data breaches in October. 5 breaches were reported by covered entities/business associates based in Texas. California, Connecticut, Illinois, and Washington each had 3 breaches reported. There were two breaches reported in each of Florida, Iowa, Indiana, and Pennsylvania. Minnesota, Missouri, North Carolina, New Mexico, Oklahoma, and Oregon had one breach apiece.

Penalties for HIPAA Violations in October

After a period of quiet on the HIPAA penalty front, the Department of Health and Human Services’ Office for Civil Rights announced three settlements in September related to filming patients without consent. These were followed up in October with a massive fine for Anthem Inc.

The Anthem Inc. HIPAA violation penalty was expected, and given the scale of the breach (78.8 million records), the penalty was likely to be large. After assessing the extent of the HIPAA violations, the scale of the breach, and its impact, OCR fined Anthem $16,000,000. The previous largest HIPAA penalty was $5,550,000 (Advocate Health Care Network, 2016).

In October, a multi-state action against the health insurer Aetna was concluded and settlements were reached to resolve the HIPAA violations. The penalties related to the impermissible disclosure of 13,160 plan members’ HIV/AIDS diagnoses via a mailing. Settlements were reached with Connecticut, New Jersey, and the District of Columbia totaling $640,170. Washington was also part of the multi-state action, but the settlement amount has not yet been decided.

AMIA Calls for Greater Alignment of Federal Data Privacy Rules

The American Medical Informatics Association (AMIA) is calling for the Trump Administration to tighten data privacy rules through greater alignment of HIPAA and the Common Rule and adoption of a more integrated approach to privacy that includes both the healthcare sector and consumer sector.

The call follows a request for comment by the NTIA to initiate a conversation about consumer privacy. In a letter to the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, AMIA explained that its comments are informed by extensive experience of dealing with both the Health Insurance Portability and Accountability Act and the Federal Protections for Human Subjects Research (Common Rule).

Currently, a patchwork of federal and state regulations complicates compliance and creates information sharing challenges, resulting in ‘perverse outcomes’ due to differing interpretations of existing privacy policies.

AMIA illustrated the problem of the current patchwork of privacy policies using Pennsylvania and New Jersey as an example. Pennsylvania and New Jersey are neighboring states, but they have different policies covering HIV/AIDS data. If an HIV/AIDS patient from Pennsylvania were to visit a hospital in New Jersey, information on their HIV/AIDS diagnosis would not be accessible to clinicians in New Jersey, even though the information has high importance in treatment decisions. The patient would also be unlikely to receive their data from the New Jersey hospital to take back to their healthcare provider in Pennsylvania.

“AMIA encourages the administration to ensure that federal rules lay a common foundation across jurisdictional and geographic boundaries while also providing a process for jurisdictions to address local needs and norms.”

In recent years there has been a significant increase in consumer devices and information systems that record similar information to medical devices and healthcare information systems. The line between the two has been blurred. Action is therefore required to develop concordant privacy policies across health and consumer data ecosystems.

HIPAA was introduced 22 years ago in 1996 at a time when healthcare organizations were predominantly using paper records. While HIPAA has been updated to account for the shift to electronic records, AMIA points out that the adoption of health-related technologies that were unavailable in 1996 has resulted in the formation of gaps that now endanger patient privacy.

The changes made to HIPAA through the introduction of the Privacy Rule have ensured that patients have access to their health data and greater control over what is done with that information. What is now required are similar rights and protections for consumers.

While AMIA does not suggest that either HIPAA or the Common Rule should be applied to the consumer data ecosystem, both “should serve as important and informative inputs to [the] conversation on consumer data privacy.”

AMIA has called for the Federal Trade Commission (FTC) to develop a consumer data strategy that “supports trust, safety, efficacy, and transparency across the proliferation of commercial and non-proprietary information resources,” and suggests that the time is right to develop an “ethical framework around the collection, use, storage, and disclosure of the personal information consumers may provide to organizations.”

Do HIPAA Rules Create Barriers That Prevent Information Sharing?

The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care.

HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors.

The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that prevent healthcare organizations from sharing patient information while retaining the protections for patient and data privacy.

The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care.

The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued.

Certain provisions of HIPAA Rules are perceived to be barriers to information sharing. The American Hospital Association has spoken out about some of these issues and has urged the HHS to take action.

While there are certainly elements of HIPAA Rules that would benefit from an update to improve the sharing of patient health information, in some cases, healthcare organizations are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other entities without the need to obtain prior authorization from patients.

The feedback HHS is seeking will be used to assess what aspects of HIPAA are causing problems, whether there is scope to remove certain restrictions to facilitate information sharing, and areas of misunderstanding that call for further guidance to be issued on HIPAA Rules.

HIPAA does permit healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without authorization from patients. However, there is some confusion about what constitutes treatment/healthcare operations in some cases, how best to share PHI, and when it is permissible to share PHI with entities other than healthcare providers. Simplification of HIPAA Rules could help in this regard, as could the creation of a safe harbor for good faith disclosures of PHI for the purposes of case management and care coordination.

While the HHS is keen to create an environment where patients’ health information can be shared more freely, the HHS has made it clear that there will not be any changes made to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered entities will still be required to implement controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.

In addition to a general request for information, the HHS will specifically be seeking information on:

  • The methods of accounting of all disclosures of a patient’s protected health information
  • Patients’ acknowledgment of receipt of a provider’s notice of privacy practices
  • Creation of a safe harbor for good faith disclosures of PHI for purposes of care coordination or case management
  • Disclosures of protected health information without a patient’s authorization for treatment, payment, and health care operations
  • The minimum necessary standard/requirement

While the RFI is likely to be issued, there are no guarantees that any of the comments submitted will result in HIPAA rule changes.

$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach

New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement has been agreed with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act that were discovered during an investigation of a 2016 breach of 1,650 individuals’ protected health information.

Protected Health Information of 1,654 Patients Was Accessible Through Search Engines

Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians.

In January 2016, it was discovered that transcribed documents had been uploaded to a File Transfer Protocol (FTP) site that was accessible over the Internet without any authentication. The files had been indexed by Google and could be found using search terms that included information contained in the files. Password protection had been removed when software on the site was updated.

In total, 1,654 patients had their protected health information exposed. Affected patients were notified of the breach and Virtua Medical Group terminated its relationship with Best Medical Transcription. In 2017 Best Medical Transcription was dissolved.

The New Jersey attorney general and the New Jersey Division of Consumer Affairs investigated the breach, and Virtua Medical Group was held accountable for failing to protect patients’ data. Virtua Medical Group settled with New Jersey for $417,816 in April 2018 to resolve the HIPAA violations and agreed to improve its data protection protocol.

While covered entities can be held accountable for data breaches experienced by their business associates, vendors can also be fined directly for HIPAA violations. New Jersey also filed charges against ATA Consulting LLC, dba Best Medical Transcription, and the owner of the business, Tushar Mathur.

New Jersey alleged Best Medical Transcription had violated the HIPAA Privacy Rule, HIPAA Security Rule and HIPAA Breach Notification Rule. Specifically, it was alleged that Best Medical Transcription failed to conduct an accurate and thorough risk assessment of potential risks to the confidentiality, integrity, and availability of ePHI. There was also an alleged failure to implement appropriate safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level, and policies and procedures had not been implemented to prevent the improper alteration or destruction of ePHI. Best Medical Transcription also failed to notify Virtua Medical Group about the breach, and the improper disclosure of ePHI was a violation of its business associate agreement with Virtua Medical Group.

Tushar Mathur agreed to pay New Jersey a civil monetary penalty of $191,492 to resolve the HIPAA violations and $8,508 to cover attorneys’ fees and costs. Mathur has also been barred from managing or owning a business in New Jersey.

“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” said Attorney General Grewal. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable… Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”

HIPAA-Related Fines and Settlements with Attorneys General in 2018

While the number of HHS’ Office for Civil Rights HIPAA violation settlements and civil monetary penalties has fallen in 2018, state attorneys general have increased their enforcement actions to resolve HIPAA violations. The latest settlement brings the total number of HIPAA-related fines in 2018 to 10.

State | Covered Entity | Amount | Individuals Affected | Settlement/CMP
New Jersey | Best Medical Transcription | $200,000 | 1,650 | Settlement
Washington | Aetna | TBA | 13,160 | Settlement (Multi-state action)
Connecticut | Aetna | $99,959 | 13,160 | Settlement (Multi-state action)
New Jersey | Aetna | $365,211.59 | 13,160 | Settlement (Multi-state action)
District of Columbia | Aetna | $175,000 | 13,160 | Settlement (Multi-state action)
Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Settlement
New York | Arc of Erie County | $200,000 | 3,751 | Settlement
New Jersey | Virtua Medical Group | $417,816 | 1,654 | Settlement
New York | EmblemHealth | $575,000 | 81,122 | Settlement
New York | Aetna | $1,150,000 | 12,000 | Settlement

Important Cybersecurity Best Practices for Healthcare Organizations

The Department of Health and Human Services’ Office for Civil Rights has drawn attention to basic cybersecurity safeguards that can be adopted by healthcare organizations to improve cyber resilience and reduce the impact of attempted cyberattacks.

The advice comes at the end of cybersecurity awareness month – a four-week coordinated effort between government and industry organizations to raise awareness of the importance of cybersecurity.

While all organizations need to implement policies, procedures, and technical solutions to make it harder for hackers to gain access to their systems and data, this is especially important in the healthcare industry. Hackers are actively targeting healthcare organizations as they store large quantities of highly sensitive and valuable data.

Healthcare organizations need to ensure that their systems are well protected against cyberattacks, which means investing in technologies to secure the network perimeter, detect intrusions, and block malware and phishing threats. Large healthcare organizations have the resources to invest heavily in cybersecurity solutions, but many smaller HIPAA-covered entities and business associates struggle to find the necessary funds.

OCR has reminded HIPAA-covered entities that there are several basic cybersecurity safeguards that can be implemented to improve cyber resilience which only require a relatively small financial investment, yet they can have a major impact on an organization’s cybersecurity posture.

Recommended Cybersecurity Best Practices for Healthcare Organizations

OCR has drawn attention to four cybersecurity safeguards that can significantly reduce the impact of attempted cyberattacks and are also important for HIPAA Security Rule compliance.

Data Encryption

Encryption may only be an addressable implementation specification of the HIPAA Security Rule, but it is one of the most effective safeguards for protecting the confidentiality of ePHI and, when an authenticated mode is used, its integrity. Encryption transforms readable data (plaintext) into ciphertext that is unintelligible to anyone who does not hold the corresponding decryption key. If it is correctly applied, with a strong algorithm, a properly generated key, and key material stored apart from the data it protects, stolen files or devices yield nothing usable. Any healthcare organization that has experienced a ransomware attack will be aware of how effective encryption is at preventing data access.

HIPAA-covered entities should assess whether encryption is an appropriate safeguard for data at rest and in transit based on the results of a risk analysis. Addressable does not mean optional: an entity that decides not to encrypt must document why and implement an equivalent alternative measure. Data encrypted in line with HHS guidance is also not considered unsecured PHI, so its loss or theft does not trigger breach notification obligations.
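As an added illustration, not code from OCR or from the original article, the following Go program shows what "correctly applied" means for a record stored at rest: AES-256-GCM with a fresh random nonce per record, the record identifier bound as associated data so a ciphertext cannot be transplanted onto another record, and decryption that refuses to return any plaintext if the nonce, ciphertext, tag or identifier has been altered. The record contents, the identifier and the key handling are constructed for the example; in a deployment the key would be generated and held in a key management service or HSM rather than next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Layout of a sealed record: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).

// NewKey returns a fresh random 32-byte AES-256 key. Here it is generated in
// process for the example; in production it comes from a KMS or HSM and is
// never stored beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM. The record identifier is bound as
// associated data: it is not encrypted, but the tag covers it, so a ciphertext
// moved under a different record ID will not decrypt. A fresh random nonce is
// drawn on every call; reusing a nonce under the same key breaks GCM.
func Encrypt(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, giving nonce||ciphertext||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Decrypt reverses Encrypt. Any modification of the nonce, ciphertext, tag or
// record ID makes Open fail, and no plaintext is returned in that case.
func Decrypt(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	const recordID = "MRN-000123"
	plaintext := []byte("Patient: Jane Doe; DOB: 1961-04-02; Dx: hypertension")

	blob, err := Encrypt(key, recordID, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; first bytes %x...\n", len(blob), blob[:8])

	pt, err := Decrypt(key, recordID, blob)
	fmt.Printf("decrypt with key and correct ID: %q err=%v\n", pt, err)

	_, err = Decrypt(key, "MRN-000999", blob)
	fmt.Println("decrypt under another record ID:", err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, recordID, tampered)
	fmt.Println("decrypt after tampering:", err)
}
```

Encrypting twice produces two different blobs for the same record because of the random nonce; that is expected, and comparing ciphertexts is not a way to detect duplicate records. The failure cases in main are the ones a reviewer should see exercised before trusting an "encrypted at rest" claim.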

Social Engineering Awareness

As the OCR breach portal shows, compromised email accounts are a common cause of healthcare data breaches. Attackers frequently use phishing to trick healthcare employees into disclosing their email credentials; it is one of the most common and most effective social engineering tactics used to gain access to ePHI.

Spam filters and other email gateway solutions reduce the volume of phishing emails that reach mailboxes, but no filter stops them all. All healthcare employees therefore need to be trained to recognize social engineering attacks and to know how to report them; regular security awareness training can greatly reduce susceptibility to phishing. A security awareness and training program for all workforce members is also a required administrative safeguard under the HIPAA Security Rule. Because some phishing messages will always get through, limiting what a stolen password is worth, for example by requiring multi-factor authentication for email access, complements the training.

Audit Logs

The HIPAA Security Rule requires covered entities to implement audit controls, meaning mechanisms that record and examine activity in systems that contain or use ePHI, and to review information system activity regularly. Audit logs record events on specific systems, devices and applications: logins and failed logins, record views, configuration changes and the like. Reviewing them regularly lets security teams spot attempts by unauthorized individuals to gain access to ePHI before they turn into a data breach, and reconstruct past events to identify historic breaches that would otherwise go undetected. Logs are only useful if they are complete, synchronized to a reliable clock, retained long enough, and protected from alteration by the very accounts whose activity they record.
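As an added example, not code from OCR or from the original article, here is a small Go review of audit log lines of the kind described above. It implements the "spot the attempt before it becomes a breach" point with two rules: a burst of failed logins for one user from one source, and a successful login from that same source while the burst is active. The log format, user names, addresses and thresholds are all constructed for the example; a real review would run over the EHR's own audit format with thresholds tuned to the environment.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample audit log (not any real product's format): RFC 3339
// timestamp, then key=value fields. Lines are assumed to be in time order.
const SampleLog = `
2018-10-29T02:14:07Z user=jsmith src=198.51.100.23 action=login result=FAIL
2018-10-29T02:14:12Z user=jsmith src=198.51.100.23 action=login result=FAIL
2018-10-29T02:14:19Z user=jsmith src=198.51.100.23 action=login result=FAIL
2018-10-29T02:14:25Z user=jsmith src=198.51.100.23 action=login result=OK
2018-10-29T08:00:00Z user=mlee src=10.0.4.20 action=login result=FAIL
2018-10-29T08:00:30Z user=mlee src=10.0.4.20 action=login result=OK
2018-10-29T09:00:00Z user=dpatel src=10.0.4.31 action=login result=FAIL
2018-10-29T09:06:00Z user=dpatel src=10.0.4.31 action=login result=FAIL
2018-10-29T09:12:00Z user=dpatel src=10.0.4.31 action=login result=FAIL
`

// Threshold is set low so the sample trips it; tune per system in production.
const (
	window        = 10 * time.Minute
	failThreshold = 3 // failed logins for one user from one source inside window
)

type Event struct {
	When time.Time
	F    map[string]string // user, src, action, result
}
type Alert struct {
	Rule, User, Src string
	At              time.Time
}

// ParseLine parses one line of the format above; fields without '=' are ignored.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	ev := Event{When: when, F: map[string]string{}}
	for _, kv := range fields[1:] {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			ev.F[p[0]] = p[1]
		}
	}
	return ev, nil
}

// Review applies two rules, each firing once per burst: repeated-login-failures
// (failThreshold failures for one user+source within window) and
// success-after-failures (a successful login for that user+source while the
// burst is active, i.e. the guessing may have worked). Failures older than
// window are forgotten, so slow, spaced-out failures do not alert.
func Review(lines []string) ([]Alert, error) {
	var alerts []Alert
	fails := map[string][]time.Time{} // user@src -> failure times inside window
	bursting := map[string]bool{}
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		user, src := ev.F["user"], ev.F["src"]
		key := user + "@" + src
		switch {
		case ev.F["action"] == "login" && ev.F["result"] == "FAIL":
			f := append(fails[key], ev.When)
			for len(f) > 0 && ev.When.Sub(f[0]) > window {
				f = f[1:]
			}
			fails[key] = f
			if len(f) >= failThreshold && !bursting[key] {
				bursting[key] = true
				alerts = append(alerts, Alert{"repeated-login-failures", user, src, ev.When})
			}
		case ev.F["action"] == "login" && ev.F["result"] == "OK":
			if bursting[key] {
				alerts = append(alerts, Alert{"success-after-failures", user, src, ev.When})
			}
			delete(fails, key) // a genuine login resets the counter
			delete(bursting, key)
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Review(strings.Split(SampleLog, "\n"))
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %-24s user=%s src=%s\n", a.At.Format(time.RFC3339), a.Rule, a.User, a.Src)
	}
}
```

On the sample, jsmith triggers both rules (three failures in twelve seconds, then a success from the same address), mlee's single failure followed by a success is ordinary user behaviour, and dpatel's three failures spread over twelve minutes fall outside the window and stay quiet. The second rule is the one worth paging on: a success after a burst is the point at which a guessed password becomes an account compromise.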

Correct Configuration of Software and Network Devices

Network devices, software, and cloud-based solutions may incorporate all the necessary security controls to prevent unauthorized access, but if the security controls are not correctly configured hackers have an easy entry point into a healthcare network.

Misconfigured S3 buckets, disabled firewalls, out-of-date software and missed patches are frequent causes of healthcare data breaches, and misconfigured audit logging may fail to record the information needed to detect suspicious activity. All systems, software and devices should be configured against a documented, secure baseline, and regular security audits and configuration reviews should be conducted to identify vulnerabilities and drift from that baseline.
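As an added example rather than anything from the original article, the following Go program applies the "correct configuration" point to the S3 case: it reads a bucket policy written in the real AWS policy grammar together with the bucket's four PublicAccessBlock settings, and reports Allow statements open to any caller and public-access protections left off. The bucket names, account ID and both policies are constructed for the example; the weak configuration is shown beside a hardened one that grants a single export role access only over TLS and denies unencrypted access to everyone.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed inputs: the policy grammar and the four PublicAccessBlock field
// names are AWS's own; the account ID and bucket names are made up.
const WeakPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-phi-exports/*"}]}`
var WeakPAB = map[string]bool{"BlockPublicAcls": true} // other three left unset

const HardenedPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-export"},
   "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-phi-exports/*",
   "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
  {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-phi-exports", "arn:aws:s3:::example-phi-exports/*"],
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}`
var HardenedPAB = map[string]bool{
	"BlockPublicAcls": true, "IgnorePublicAcls": true,
	"BlockPublicPolicy": true, "RestrictPublicBuckets": true,
}

type statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Condition json.RawMessage `json:"Condition"` // nil when the key is absent
}
type policy struct {
	Statement []statement `json:"Statement"` // assumed to be an array here
}
type Finding struct{ Severity, Detail string }

// stringList decodes a JSON value that may be a string or an array of strings.
func stringList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many) // anything else yields nil
	return many
}

// isAnyone reports whether Principal is "*" or {"AWS": "*"} (or an AWS list
// containing "*"), the spellings that grant access to every caller.
func isAnyone(raw json.RawMessage) bool {
	principals := stringList(raw)
	var m map[string]json.RawMessage
	if json.Unmarshal(raw, &m) == nil {
		principals = append(principals, stringList(m["AWS"])...)
	}
	for _, p := range principals {
		if p == "*" {
			return true
		}
	}
	return false
}

// AuditBucket flags Allow statements open to anyone (HIGH when unconditional,
// MEDIUM when a Condition narrows them) and any PublicAccessBlock flag not set.
func AuditBucket(policyJSON []byte, pab map[string]bool) ([]Finding, error) {
	var pol policy
	if err := json.Unmarshal(policyJSON, &pol); err != nil {
		return nil, fmt.Errorf("policy is not valid JSON: %v", err)
	}
	var findings []Finding
	for i, st := range pol.Statement {
		if st.Effect != "Allow" || !isAnyone(st.Principal) {
			continue // a Deny to everyone is how the hardened policy forces TLS
		}
		sev, note := "HIGH", "with no Condition"
		if len(st.Condition) > 0 {
			sev, note = "MEDIUM", "subject to a Condition that should be reviewed"
		}
		actions := strings.Join(stringList(st.Action), ",")
		findings = append(findings, Finding{sev, fmt.Sprintf("statement %d grants %s to anyone %s", i, actions, note)})
	}
	for _, flag := range []string{"BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"} {
		if !pab[flag] {
			findings = append(findings, Finding{"HIGH", "PublicAccessBlock." + flag + " is not enabled"})
		}
	}
	return findings, nil
}

func main() {
	weak, _ := AuditBucket([]byte(WeakPolicy), WeakPAB)
	good, _ := AuditBucket([]byte(HardenedPolicy), HardenedPAB)
	fmt.Printf("weak bucket: %d findings\n", len(weak))
	for _, f := range weak {
		fmt.Printf("  [%s] %s\n", f.Severity, f.Detail)
	}
	fmt.Printf("hardened bucket: %d findings\n", len(good))
}
```

The same shape of check, parse the configuration the service actually enforces and compare it with a written baseline, carries over to firewall rule sets and audit logging settings; the point is that the control exists in the product but is only effective once its configuration has been verified.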

The post Important Cybersecurity Best Practices for Healthcare Organizations appeared first on HIPAA Journal.