HIPAA Compliance News

January 2023 Healthcare Data Breach Report

Posted by HIPAA Journal

January is usually one of the quietest months of the year for healthcare data breaches and last month was no exception. In January, 40 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights, the same number as in December 2022. January’s total is well below the 53 data breaches reported in January 2022 and the 12-month average of 58 data breaches a month.

For the second successive month, the number of breached records has fallen, with January seeing just 1,064,195 healthcare records exposed or impermissibly disclosed – The lowest monthly total since June 2020, and well below the 12-month average of 4,209,121 breached records a month.

Largest Healthcare Data Breaches in January 2023

In January there were 13 data breaches involving 10,000 or more records, 8 of which involved hacked network servers and email accounts. The largest data breach of the month affected Mindpath Health, where multiple employee email accounts were compromised. 5 unauthorized access/disclosure incidents were reported that impacted more than 10,000 individuals, three of which were due to the use of tracking technologies on websites. The tracking code collected individually identifiable information – including health information – of website users and transmitted that information to third parties such as Google and Meta, including the month’s second-largest breach at BayCare Clinic. Another notable unauthorized access incident occurred at the mobile pharmacy solution provider, mscripts. Its cloud storage environment had been misconfigured, exposing the data of customers of its pharmacy clients on the Internet for 6 years.

HIPAA-Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
Community Psychiatry Management, LLC (Mindpath Health) NC Healthcare Provider 193,947 Compromised email accounts
BayCare Clinic, LLP WI Healthcare Provider 134,000 Impermissible disclosure of PHI due to website tracking technology
DPP II, LLC (Home Care Providers of Texas) TX Healthcare Provider 125,981 Ransomware attack (data theft confirmed)
Jefferson County Health Center (Jefferson County Health Department) MO Healthcare Provider 115,940 Hacked network server
UCLA Health CA Healthcare Provider 94,000 Impermissible disclosure of PHI due to website tracking technology
mscripts®, LLC CA Business Associate 66,372 PHI exposed due to misconfigured cloud storage
Circles of Care, Inc. FL Healthcare Provider 61,170 Hacked network server
Howard Memorial Hospital AR Healthcare Provider 53,668 Hacked network server
Stroke Scan Inc TX Healthcare Provider 50,000 Hacking Incident – No public breach announcement
University of Colorado Hospital Authority CO Healthcare Provider 48,879 Hacking incident at business associate (Diligent)
Insulet Corporation MA Healthcare Provider 29,000 Impermissible disclosure of PHI due to website tracking technology
City of Cleveland OH Health Plan 15,206 Unauthorized access/disclosure incident – No public breach announcement
DotHouse Health Incorporated MA Healthcare Provider 10,000 Hacked network server

Causes of January 2023 Healthcare Data Breaches

Just over half of the 40 data breaches reported in January were hacking/IT incidents, the majority of which involved hacked network servers. Ransomware attacks continue to be conducted, although the extent to which ransomware is used is unclear, as many HIPAA-regulated entities do not disclose the exact nature of their hacking incidents, and some entities have not made public announcements at all. Across the 23 hacking incidents, the records of 698,295 individuals were exposed or stolen. The average breach size was 30,61 records and the median breach size was 5,264 records.

There was an increase in unauthorized access/disclosure incidents in January, with 15 incidents reported. The nature of 7 of the unauthorized access/disclosure incidents is unknown at this stage, as announcements have not been made by the affected entities. 5 of the 15 incidents were due to the use of tracking technologies on websites and web apps. Across the 15 unauthorized access/disclosure incidents, 362,629 records were impermissibly accessed or disclosed. The average breach size was 24,175 records and the median breach size was 3,780 records. There were two theft incidents reported, one involving stolen paper records and one involving a stolen portable electronic device. Across those two incidents, 3,271 records were stolen. No loss or improper disposal incidents were reported.

Where Did the Data Breaches Occur?

Healthcare providers were the worst affected HIPAA-covered entity with 31 reported data breaches and 5 data breaches were reported by health plans. While there were only 4 data breaches reported by business associates of HIPAA-covered entities, 14 data breaches had business associate involvement. 10 of those breaches were reported by the covered entity rather than the business associate. The chart below shows the breakdown of data breaches based on where they occurred, rather than which entity reported the breach.

The chart below highlights the impact of data breaches at business associates. 23 data breaches occurred at health plans, involving almost 275,000 records. The 14 data breaches at business associates affected almost three times as many people.

Geographical Spread of January Data Breaches

California was the worst affected state with 7 breaches reported by HIPAA-regulated entities based in the state, followed by Texas with 6 reported breaches. January’s 40 data breaches were spread across 40 U.S. states.

State Breaches
California 7
Texas 6
Georgia, Massachusetts, Missouri & Pennsylvania 3
Florida, New York & North Carolina 2
Alabama, Arkansas, Colorado, Illinois, Indiana, Minnesota, New Jersey, Ohio & Wisconsin 1

HIPAA Enforcement Activity in January 2023

The Office for Civil Rights announced one settlement in January to resolve potential violations of the HIPAA Right of Access. OCR investigated a complaint from a personal representative who had not been provided with a copy of her deceased father’s medical records within the allowed 30 days. It took 7 months for those records to be provided. Life Hope Labs agreed to pay a $16,500 financial penalty and adopt a corrective action plan that will ensure patients are provided with timely access to their medical records in the future. This was the 43rd penalty to be imposed under OCR’s HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. No HIPAA enforcement actions were announced by state attorneys general in January.

The post January 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Biden Administration Considers HIPAA Update to Better Protect Reproductive Health Information

Posted by HIPAA Journal

The Biden Administration is considering new rulemaking to update HIPAA to better protect reproductive health information, following the Supreme Court Decision in Dobbs v. Jackson Women’s Health Organization, which removed the federal right to abortion and left it to individual states to decide on the legality of abortions for state residents. Currently, at least 24 U.S. states have implemented bans on abortions or are likely to do so, with 12 states already having a near-total ban.

The Health Insurance Portability and Accountability Act classes reproductive health information as protected health information (PHI), so uses and disclosures are restricted by the HIPAA Privacy Rule. Following the Supreme Court decision, the HHS issued guidance to HIPAA-regulated entities on how the HIPAA Privacy Rule applies to reproductive healthcare data, confirming uses and disclosures of reproductive health information are restricted, and that the information can only be used or disclosed without a valid patient authorization for purposes related to treatment, payment, or healthcare operations.

The HHS also confirmed that while the HIPAA Privacy Rule permits disclosures of PHI “as required by law,” the HIPAA Privacy Rule does not require such disclosures, and that ‘required by law’ is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law,” an that when such a disclosure is required, it is limited to the relevant requirements of such a law. There is concern, however, that disclosures of reproductive health information may be made by HIPAA-regulated entities to law enforcement in states that have imposed bans or severe restrictions on abortions to support enforcement of the bans and allow individuals seeking abortion care to be prosecuted.

There have been calls for HIPAA to be updated to improve privacy protections with respect to reproductive health information. Currently, there are restrictions on disclosures of certain subclasses of PHI such as psychotherapy notes and information related to substance use disorder (SUD) treatment records, and similar restrictions could potentially be applied to reproductive health information. It has now been confirmed that the Department of Health and Human Services has drafted Proposed Modifications to the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (RIN 0945-AA20), and that proposal is currently under White House review. The HHS has also proposed a change to a rule introduced by the Trump Administration that made it easier for healthcare providers to decline to provide abortions due to religious objections.

The HHS has not released details of the proposed HIPAA update at this stage but has confirmed that prior to drafting the rule, the HHS participated in listening sessions and roundtable discussions with patients, healthcare providers, advocates, and state health officials and that the proposed rule was drafted under its statutory mandate to ensure non-discriminatory access to healthcare for all Americans.

The draft is not necessarily an attempt to impose restrictions on states that have introduced near-total bans on abortions and could be an attempt to ensure any actions by states are compliant with Federal law. It is worth noting that even if the HIPAA Privacy Rule is updated to better protect reproductive health data, HIPAA only applies to HIPAA-regulated entities, and no HIPAA update would be able to guarantee privacy for individuals seeking abortion care. For instance, geolocation data from mobile phones would allow individuals to be tracked when they visit reproductive health clinics.  Geolocation data is not protected by HIPAA and disclosure of such information are not restricted by the HIPAA Privacy Rule.

The post Biden Administration Considers HIPAA Update to Better Protect Reproductive Health Information appeared first on HIPAA Journal.

Lack of Funding Hampering OCR’s Ability to Enforce HIPAA

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has published a report it sent to Congress that details its HIPAA enforcement activities in 2021, which provides insights into the state of compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The report makes it clear that OCR’s resources are under considerable strain, and without an increase in funding from Congress, OCR will struggle to fulfill its mission to enforce HIPAA compliance, especially considering the large increase in reported data breaches and HIPAA complaints.

OCR reports significant increases in reported data breaches and HIPAA complaints, with large data breaches – 500 or more records – increasing by more than 58% between 2017 and 2021, and HIPAA complaints increasing by 25% between 2020 and 2021, yet between 2017 and 2021, OCR has not had any increases in appropriations, with Congress only increasing funding in line with inflation.

If Congress is unable to increase funding for OCR, the financial strain could be eased through enforcement actions; however, OCR has seen funding through enforcement decline after reassessing the language of the HITECH Act and determining it had been misinterpreted in 2009, resulting in the maximum penalty amounts in three of the four penalty tiers being significantly reduced. To address this and increase funding, OCR sent a request to Congress in September 2021 (HHS FY 2023 Discretionary A-19 Legislative Supplement) calling for an increase in HITECH civil monetary penalty caps), as without such an increase, OCR’s staff and resources will continue to be severely strained, especially during a time of substantial growth in cyberattacks on the healthcare sector.

25% Annual Increase in HIPAA Violation Complaints

There was a sizeable rise in complaints about potential HIPAA and HITECH Act violations in 2021, which increased by 25% year-over-year to 34,077 complaints, 77.5% of which (26,420) were resolved in 2021, 78% of which (20,611 complaints) were resolved without having to initiate an investigation. OCR explained that action can only be taken in response to complaints where the HIPAA violation occurred after the compliance deadline, where the complaint is against a HIPAA-regulated entity, where a HIPAA violation appears to have occurred, and when the complaint is submitted within 180 days of the complainant becoming aware of the violation (unless the complainant shows good cause why the violation was not reported within 180 days).

The most common reasons for closing complaints without an investigation were the complaint was made against a non-HIPAA-regulated entity or allegations were made about conduct that did not violate HIPAA (3%), and due to untimely complaints (1%). OCR said 4,139 complaints were resolved by providing technical assistance in lieu of an investigation, 714 complaints were resolved by the HIPAA-regulated entity taking corrective action, and 789 complaints were resolved through technical assistance taken after an investigation was initiated. There was a 10% year-over-year reduction in initiated compliance investigations, with 1,620 compliance investigations initiated in response to complaints. 50% were resolved as no violation was discovered, 44% were resolved through corrective action, and 6% were resolved through technical assistance after investigation. 13 complaints were resolved through settlements and corrective action plans with penalties totaling $815,150, and 2 were resolved through civil monetary penalties totaling $150,000.

674 compliance reviews were initiated for reasons other than complaints, 609 were initiated in response to large data breaches, 22 due to small data breaches, and a further 43 were initiated in response to incidents brought to OCR’s attention by other means, such as reports in the media. In 2021, OCR closed 573 compliance reviews, resulting in corrective actions or civil monetary penalties in 83% of the investigations. Two compliance reviews resulted in resolution agreements that included $5,125,000 in financial penalties and corrective action plans. The remaining 17% of compliance reviews were resolved through technical assistance (3%), insufficient evidence of HIPAA violations (11%), or where there was a lack of jurisdiction to investigate (3%). OCR said its HIPAA compliance audit program has stalled due to a lack of financial resources.

Click here to view OCR’s Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance

Click here to view a summary of OCR’s Report on Breaches of Unsecured PHI in 2021

The post Lack of Funding Hampering OCR’s Ability to Enforce HIPAA appeared first on HIPAA Journal.

OCR: HIPAA-Regulated Entities Need Continue to Improve HIPAA Security Rule Compliance

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has publicly released two reports that were submitted to Congress that provide insights into data breaches, HIPAA enforcement activity, and the state of HIPAA Privacy and Security Rule compliance for calendar year 2021.

According to OCR, in calendar year 2021, OCR received 609 reports of large data breaches – data breaches affecting 500 or more individuals – with those incidents affecting 37,182,558 individuals. OCR also received 63,571 reports of data breaches affecting fewer than 500 individuals – which are not publicly reported. 319,215 individuals were affected by those smaller data breaches. That’s 64,180 data breaches in total in 2021 affecting 37,501,772 individuals.

If you follow the breach reports and healthcare data breach statistics reported in the HIPAA Journal, you will notice a discrepancy with OCR’s official figures. That is because the statistics are based on the data breaches reported to OCR via the OCR HIPAA Breach Web Portal, which lists 714 data breaches for calendar year 2021. OCR investigates all of those breaches, but the report to Congress only includes data breaches that occurred in 2021 or continued into 2021. 105 of the data breaches reported to OCR in calendar year 2021 occurred and ended prior to 2021, but were reported in 2021.

OCR investigates all data breaches of 500 or more records and initiates HIPAA compliance reviews in all of those breaches to determine whether noncompliance with the HIPAA Rules was a contributory factor. In 2021, OCR launched investigations into all 609 data breaches plus 22 data breaches involving fewer than 500 individuals. 554 data breach investigations were completed in 2021 due to the investigations being closed with no further action as HIPAA violations were not determined to have occurred, or when HIPAA violations were discovered and were resolved through voluntary compliance, technical assistance, or resolution agreements and corrective action plans.

The adjusted data show there was a 7% annual reduction in data breaches of 500 or more records compared to 2020, and a 4% reduction in smaller data breaches. By comparison, there was a 61% increase in large data breaches in 2020 and a 6% increase in small data breaches. From 2017 to 2021, small data breaches increased by 5.4% and large data breaches increased by 58.2%.

In 2021, hacking/IT incidents accounted for 75% of large data breaches and 95% of the affected individuals, with the breached information most commonly stored on network servers. 19% of breaches and 4% of impacted individuals were affected by unauthorized access/disclosure incidents, 3% of reported breaches involved theft (<1% of affected individuals), 1% involved loss of PHI (<1% of affected individuals), and 1% involved improper disposal of PHI (1% of affected individuals). Unauthorized access/disclosure incidents accounted for the majority of small breaches, with those breaches typically involving paper records.

Healthcare providers reported 72% of the data breaches in 2021 (437 reports and 24,389,630 affected individuals), 15% of the breaches were reported by health plans (93 reports and 3,236,443 affected individuals), 13% by business associates (977 reports and 9,554,023 affected individuals), and <1% by healthcare clearinghouses (2 reports affecting 2,462 individuals).

Largest Data Breaches in 2021 in Each Breach Category

Breach Type Individuals Affected Cause
Hacking/IT Incident 3,253,822 Hacked Network Server
Unauthorized Access/Disclosure 326,417 Software Configuration Error Exposed ePHI
Improper Disposal 122,340 Improper disposal of hard drives containing ePHI
Theft 21,601 Theft of laptops and paper records in burglary
Loss of PHI 14,532 Loss of medical records

Lessons Learned from 2022 Data Breaches

OCR reports that the most common vulnerabilities identified during its investigations were failures to follow HIPAA Security Rule standards and implementation specifications. “There is a continued need for regulated entities to improve compliance with the HIPAA Rules,” explained OCR in the report. “In particular, the Security Rule standards and implementation specifications of risk analysis, risk management, information system activity review, audit controls, and access control were areas identified as needing improvement in 2021 OCR breach investigations.”

The most common remedial actions to breaches of 500 or more records were:

  • Implementing multi-factor authentication for remote access
  • Revising policies and procedures
  • Training or retraining workforce members who handle PHI
  • Providing free credit monitoring and identity theft protection services to customers
  • Adopting encryption technologies
  • Imposing sanctions on workforce members who violated policies and procedures for removing PHI from facilities or who improperly accessed PHI
  • Changing passwords
  • Performing a new risk assessment
  • Revising business associate contracts to include more detailed provisions for the protection of health information

When serious violations of HIPAA are identified and/or corrective action has not been proactively taken in response to data breaches, OCR will impose corrective action plans and financial penalties. In 2021, OCR resolved two investigations of data breaches with resolution agreements and corrective action plans, resulting in settlements totaling $5.1 million. One settlement was reached with Excellus Health Plan, which agreed to pay a financial penalty of $5,100,000 to resolve the HIPAA violations that contributed to its 2015 data breach affecting 9.3 million individuals, and a $25,000 penalty was paid by Peachstate Health Management (dba AEON Clinical Laboratories) to resolve HIPAA Security Rule violations.

“The health care industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA Rules to support greater privacy and security of individuals’ protected health information,” said OCR Director Melanie Fontes Rainer. “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”

Click here to view OCR’s Annual Report to Congress on Breaches of Unsecured Protected Health Information (PDF)

Click here to view a summary of OCR’s enforcement activity in 2021

The post OCR: HIPAA-Regulated Entities Need Continue to Improve HIPAA Security Rule Compliance appeared first on HIPAA Journal.

What is a HIPAA Security Incident?

Posted by HIPAA Journal

Misunderstandings can sometimes exist with the distinction between a HIPAA security incident and the definition of a HIPAA breach. Although the two events are quite often linked, not all security incidents result in breaches, and not all breaches are attributable to security incidents.

One of the reasons why misunderstandings can exist about the two terms is that their definitions appear in separate areas of the Administrative Simplification Regulations. With regards to a HIPAA security incident, the definition appears in §164.304 of the Security Rule:

“Security incident means the attempted (emphasis added) or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

The definition of a HIPAA breach does not appear until §164.402 of the Breach Notification Rule. This is because breaches are events that can compromise protected health information regardless of the media on which PHI is maintained:

“Breach means the acquisition, access use, or disclosure of protected health information in a manner not permitted under subpart E of this part (the Privacy Rule) which compromises the security or privacy of the protected health information.”

Therefore, the attempted infiltration of an information system does not necessarily have to be successful before the event qualifies as a HIPAA security incident. Similarly, an impermissible verbal disclosure qualifies as a HIPAA breach even though no security incident has occurred.

Is a HIPAA Security Incident a Reportable Event?

Whether or not a HIPAA security incident is a reportable event depends on who experiences the incident and what its outcome is. Both Covered Entities and Business Associates are required to document all security incidents and their outcomes – even if the incident results in no harmful effects (i.e., a pattern of pings from an external source).

Covered Entities are not required to report security incidents unless they result in a breach of unsecured protected health information – in which case it is necessary to notify affected individuals and HHS´ Office for Civil Rights unless there is a low probability protected health information has been compromised. The method for determining probability is explained in this article.

However, under §164.314 of the Security Rule, Business Associates are required to report all security incidents to the Covered Entity they are providing a service for. This requirement must be included in Business Associate Agreements between Covered Entities and Business Associates. Therefore, if a Business Associate fails to report a HIPAA security incident, they are in violation of HIPAA.

Additionally, Covered Entities are required to monitor a Business Associate´s compliance with the Business Associate Agreement. Therefore, if a Covered Entity receives no reports of a HIPAA security incident, and does not ask why, the Covered Entity is in breach of §164.504 of the Privacy Rule for failing to exercise reasonable diligence with regard to who PHI is being disclosed to.

Incident or Breach? Be Sure You Know Which is Which

It is important to know the difference between a HIPAA security incident and a HIPAA breach because these events are clearly defined in the Administrative Simplification Regulations. Therefore, there are no mitigating circumstances for Covered Entities that fail to document security incidents or for Business Associates that fail to report security incidents to their Covered Entities.

While the requirements of the respective Rules can create extra administrative work, the documents produced as a result of the extra work can be used to simplify risk analyses and more easily identify threats. Consequently, complying with the documentation and reporting requirements not only avoids unnecessary violations, but can also help improve an organization´s security posture.

If you are still unsure about the distinction between a HIPAA security incident and a HIPAA breach, you are advised to seek professional compliance advice.

The post What is a HIPAA Security Incident? appeared first on HIPAA Journal.

March 1, 2023: HIPAA Breach Notification Rule Deadline for Reporting Small Data Breaches

Posted by HIPAA Journal

The deadline for reporting healthcare data breaches of fewer than 500 records is fast approaching. HIPAA-regulated entities must ensure these data breaches are reported to the HHS’ Office for Civil Rights (OCR) no later than March 1, 2023. Late reporting of data breaches is a HIPAA violation and can result in a financial penalty.

The HIPAA Breach Notification Rule requires HIPAA-regulated entities to issue notifications to all individuals whose protected health information has been exposed or impermissibly disclosed without unnecessary delay, and no later than 60 days from the discovery of a data breach. HIPAA-regulated entities are also required to report data breaches to the Secretary of the HHS via the OCR breach reporting portal.

The HIPAA Breach Notification Rule requires large data breaches – affecting 500 or more individuals – to be reported to OCR within the same time frame – No later than 60 days from the discovery of the data breach. There is greater flexibility for reporting data breaches affecting fewer than 500 individuals. HIPAA-regulated entities must also report these breaches via the OCR breach reporting portal, but they have 60 calendar days from the end of the year when the breach was discovered to report the data breaches. That means the deadline for reporting these small data breaches is March 1, 2023. It should be stressed that if a HIPAA-regulated entity chooses to take advantage of this Breach Notification Rule flexibility, the extended time frame ONLY applies to breach reporting to OCR. The individuals who had their PHI exposed or impermissibly disclosed must still be notified about the breach within 60 days of when the breach was discovered.

All data breaches must be reported individually through the OCR breach reporting portal. The breach reports must include details of the breach and the efforts made to remediate those incidents. If a HIPAA-regulated entity has experienced multiple small data breaches over the course of a year, that process may take some time. It is therefore best not to wait until the last minute to report the data breaches.

The post March 1, 2023: HIPAA Breach Notification Rule Deadline for Reporting Small Data Breaches appeared first on HIPAA Journal.

Banner Health Settles Alleged HIPAA Security Rule Violations for $1.25 Million

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has announced its second financial penalty of 2023 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Banner Health has agreed to pay a financial penalty of $1,250,000 and adopt a corrective action plan to resolve the alleged HIPAA Security Rule violations.

Phoenix, AZ-based Banner Health is one of the largest non-profit health systems in the United States. The health system includes 30 hospitals and more than 69 affiliated healthcare facilities in 6 U.S. states and employs more than 50,000 individuals.  On July 13, 2016, Banner Health detected a security breach, with the subsequent investigation confirming hackers gained access to its systems on June 17, 2016. The hackers were able to access systems containing the protected health information (PHI) of 2.81 million individuals, including names, addresses, dates of birth, Social Security numbers, claims information, lab results, medications, diagnoses, and health insurance information. After being informed about the impermissible disclosure of PHI, OCR initiated a review of HIPAA Security Rule compliance to determine if noncompliance was a contributory factor to the data breach.

OCR’s investigators determined that Banner Health had failed to conduct an accurate and thorough analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI. The administrative safeguards of the HIPAA Security Rule include a requirement to conduct regular reviews of information system activity to identify unauthorized access to PHI. OCR determined that Banner Health had not implemented sufficient procedures to conduct regular reviews.

The HIPAA Security Rule requires covered entities to implement technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Banner Health failed to implement sufficient procedures to verify the identity of persons seeking access to ePHI to ensure they are who they claim to be, and insufficient technical security measures had been implemented to protect against unauthorized access to ePHI transmitted over an electronic communications network.

OCR said its investigators found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across the Banner Health organization, which was a serious concern given the size of the covered entity, and the HIPAA violations were sufficiently severe to warrant a financial penalty. In addition to paying a financial penalty, Banner Health has agreed to adopt a corrective action plan (CAP) that includes the requirement to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization and develop a risk management plan to address any vulnerabilities identified by the risk analysis. Policies and procedures must be developed, implemented, and distributed to the workforce covering risk analyses, risk management, system activity reviews, authentication processes, and security measures to protect against unauthorized PHI access. OCR will monitor Banner Health for compliance with the CAP for 2 years.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

The post Banner Health Settles Alleged HIPAA Security Rule Violations for $1.25 Million appeared first on HIPAA Journal.

Early Bird Registration For National HIPAA Summit 2024 Ends 22nd December

Posted by HIPAA Journal

The National HIPAA Summit is a leading forum on healthcare EDI, privacy, cybersecurity, and HIPAA compliance.

The 22nd December deadline for early bird registration for the Virtual 41st National HIPAA Summit is fast approaching. You can register as a HIPAA Journal reader also receive $100 off the registration fee by entering “HIPAAJournal” on the registration page.  (This is not a sponsored post or paid sponsorship or affiliate link)

HIPAA Summit

The event provides a tremendous opportunity for learning through HIPAA workforce training sessions and keynote speeches from top government officials and leading industry professionals. You can download a PDF of the HIPAA Summit Agenda here.

Attendees will gain valuable insights into health information privacy, healthcare cybersecurity, HIPAA enforcement, and a wealth of information to help them maintain HIPAA compliance and take healthcare data privacy and security to the next level.

This year, the HIPAA Summit is being co-chaired by:

  • Adam Greene, JD, MPH – Partner and Co-chair, Health Information & HIPAA Practice, Davis Wright Tremaine LLP, HIPAA Summit Distinguished Service Award Winner, Former Senior Health Information Technology and Privacy Specialist, Office for Civil Rights, HHS, Washington, DC
  • Kirk J. Nahra, JD – Partner and Co-chair of the Privacy and Cybersecurity Practice, Wilmer Hale, Adjunct Professor, American University Washington College of Law, Washington, DC
  • Iliana Peters, JD, LLM – Shareholder, Polsinelli, Former Acting Deputy Director, Health Information Privacy, Office for Civil Rights, US Department of Health and Human Services, Washington, DC
  • Robert M. Tennant, MA – Vice President, Federal Affairs, Workgroup for Electronic Data Interchange (WEDI); Former Director, HIT Policy, Medical Group Management Association; Washington, DC

Government Keynote Speakers

  • Nicholas Heesters, MEng, JD, CIPP – Senior Advisor for Cybersecurity, Office for Civil Rights, US Department of Health and Human Services, Philadelphia, PA
  • Melanie Fontes Rainer, MSME, JD – Director, Office for Civil Rights, HHS; Former Senior Advisor, Healthcare to Attorney General, CA DOJ; Former Chief of Staff, Medicare-Medicaid Coordination Office, Centers for Medicare & Medicaid Services, Washington, DC
  • J. Ronnie Solomon, JD – Attorney, Division of Privacy and Identity Protection, Federal Trade Commission, Washington, DC.
  • Micky Tripathi, MPP, PhD – National Coordinator for Health Information Technology, US Department of Health and Human Services; Affiliate, Berkman Klein Center for Internet & Society, Harvard University, Washington, DC

 

The post Early Bird Registration For National HIPAA Summit 2024 Ends 22nd December appeared first on HIPAA Journal.

2022 Healthcare Data Breach Report

Posted by HIPAA Journal

For the first time since 2015, there was a year-over-year decline in the number of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), albeit only by 1.13% with 707 data breaches of 500 or more records reported. Even with that reduction, 2022 still ranked as the second-worst-ever year in terms of the number of reported breaches.

As the year drew to an end, data breach numbers started to decline from a high of 75 data breaches in October. Time will tell whether this trend will continue in 2023, although the lull in data breaches appears to have continued so far this year with an atypically low number of breaches currently showing on the OCR data breach portal this month.

In addition to the slight reduction in reported data breaches, there was also a drop in the number of breached records, which fell by 13.15% from 54.09 million records in 2021 to 51.9 million records in 2022.

The theft of protected health information places patients and health plan members at risk of identity theft and fraud, but by far the biggest concern is the threat to patient safety. Cyberattacks on healthcare providers often cause IT system outages, which in many cases have lasted several weeks causing considerable disruption to patient care. While there have not been any known cases of cyberattacks directly causing fatalities, the lack of access to patient data causes diagnosis and treatment delays that affect patient outcomes. Multiple studies have identified an increase in mortality rates at hospitals following ransomware attacks and other major cyber incidents.

 

These cyberattacks and data breaches result in huge financial losses for healthcare organizations. The 2022 IBM cost of a data breach report indicates the average cost of a healthcare data breach increased to an all-time high of $10.1 million in 2023, although data breaches can be significantly more expensive. In addition to the considerable breach remediation costs, security must be improved, cyber insurance premiums increase, and it is now common for multiple class action lawsuits to be filed following data breaches. There is also a risk of financial penalties from regulators.

The largest ever healthcare data breach, suffered by Anthem Inc in 2015, affected 78.8 million members and cost the health insurer around $230 million in clean-up costs, $115 million to settle the lawsuits, $39.5 million to settle the state attorneys general investigation, and $16 million to resolve the OCR investigation. Even much smaller data breaches can prove incredibly costly. Scripps Health suffered a data breach of 1.2 million records in 2021 due to a ransomware attack. The attack caused losses in excess of $113 million due to lost business ($92 million) and the clean-up costs ($21 million). There are also several lawsuits outstanding and there could be regulatory fines.

Largest Healthcare Data Breaches in 2022

There were 11 reported healthcare data breaches of more than 1 million records in 2022 and a further 14 data breaches of over 500,000 records. The majority of those breaches were hacking incidents, many of which involved ransomware or attempted extortion. Notable exceptions were several impermissible disclosure incidents that resulted from the use of pixels on websites. These third-party tracking technologies were added to websites to improve services and website functionality, but the data collected was inadvertently transmitted to third parties such as Meta and Google when users visited the websites while logged into their Google or Facebook accounts. The extent to which these tracking technologies have been used by healthcare organizations prompted OCR to issue guidance on these technologies, highlighting the considerable potential for HIPAA violations.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach
OneTouchPoint, Inc. WI Business Associate 4,112,892 Ransomware attack
Advocate Aurora Health WI Healthcare Provider 3,000,000 Pixel-related impermissible disclosure via websites
Connexin Software, Inc. PA Business Associate 2,216,365 Hacking incident and data theft
Shields Health Care Group, Inc. MA Business Associate 2,000,000 Hacking incident and data theft
Professional Finance Company, Inc. CO Business Associate 1,918,941 Ransomware attack
Baptist Medical Center TX Healthcare Provider 1,608,549 Malware infection
Community Health Network, Inc. as an Affiliated Covered Entity IN Healthcare Provider 1,500,000 Pixel-related impermissible disclosure via websites
Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. NC Business Associate 1,362,296 Pixel-related impermissible disclosure via websites
North Broward Hospital District d/b/a Broward Health (“Broward Health”) FL Healthcare Provider 1,351,431 Hacking incident and data theft
Texas Tech University Health Sciences Center TX Healthcare Provider 1,290,104 Hacking incident and data theft
Doctors’ Center Hospital PR Healthcare Provider 1,195,220 Ransomware attack
Practice Resources, LLC NY Business Associate 942,138 Hacking incident and data theft
Wright & Filippis LLC MI Healthcare Provider 877,584 Ransomware attack
Partnership HealthPlan of California CA Health Plan 854,913 Hacking incident and data theft
MCG Health, LLC WA Business Associate 793,283 Hacking incident and data theft
Yuma Regional Medical Center AZ Healthcare Provider 737,448 Ransomware attack
SightCare, Inc. AZ Health Plan 637,999 Hacking incident and data theft
CommonSpirit Health IL Business Associate 623,774 Ransomware attack
Metropolitan Area EMS Authority dba MedStar Mobile Healthcare TX Healthcare Provider 612,000 Ransomware attack
Wolfe Clinic, P.C. IA Healthcare Provider 542,776 Ransomware attack
Morley Companies, Inc. MI Business Associate 521,046 Ransomware attack
Adaptive Health Integrations ND Healthcare Provider 510,574 Adaptive Health Integrations
Christie Business Holdings Company, P.C. IL Healthcare Provider 502,869 Hacking incident and data theft
Health Care Management Solutions, LLC WV Business Associate 500,000 Hacking incident and data theft
OakBend Medical Center / OakBend Medical Group TX Healthcare Provider 500,000 Ransomware attack

While 2022 saw some very large data breaches reported, the majority of reported data breaches were relatively small. 81% of the year’s data breaches involved fewer than 50,000 records, and 58% involved between 500 and 999 records.

Hacking incidents dominated the breach reports with 555 of the 707 reported breaches (71.4%) classified as hacking/IT incidents, which accounted for 84.6% of all breached records in 2022. The average breach size was 79,075 records and the median breach size was 8,871 records. There were 113 reported unauthorized access/disclosure breaches reported in 2022, accounting for 14.5% of the breached records. The average breach size was 66,610 records due to some large pixel-related data breaches, and the median breach size was 1,652 records.

Theft (23 breaches) and loss (12 breaches) incidents were reported in relatively low numbers, continuing a downward trend from these once incredibly common data breaches. The downward trend is due to better control of devices and the use of encryption. The average breach size was 13,805 records and the median breach size was 1,704 records. There were four incidents involving the improper disposal of devices containing PHI and physical records. The average breach size was 1,772 records and the median was 1,021 records.

The high number of hacking incidents is reflected in the chart below, which shows the location of breached protected health information. Compromised email accounts remain a major source of data breaches, highlighting the importance of multi-factor authentication and training employees on how to recognize the signs of phishing.

Which Entities Suffered the Most Data Breaches?

The raw data on the OCR breach portal does not accurately reflect the extent to which business associate data breaches are occurring. When you factor in business associate involvement it is possible to gain a more accurate gauge of the extent to which data breaches are occurring at business associates. In 2022, 127 data breaches were self-reported by business associates, but there were 394 reported data breaches where business associates were involved – That’s a 337% increase since 2018. Last year, data breaches at business associates outnumbered data breaches at healthcare providers for the first time.

Several major business associate data breaches were reported to OCR in 2022, with some of the data breaches affecting several hundred healthcare organizations. A data breach at the debt collections company, Professional Finance Company, affected 657 of its healthcare clients and involved more than 1.91 million healthcare records. Eye Care Leaders, a provider of electronic health records to eye care providers, suffered a cyberattack that affected at least 41 eye care providers and exposed the data of almost 3.65 million patients.

The graph below shows the sharp increase in data breaches at business associates in recent years. There are several reasons for the increase. Hackers have realized the value of conducting attacks on business associates. One successful attack can provide access to the data, and sometimes networks, of all of the vendor’s clients. Healthcare organizations are now using more vendors to manage administrative functions and risk increases in line with the number of vendors. As more vendors are used, it becomes harder to monitor cybersecurity at the vendors. Managing third-party risk is one of the biggest challenges for healthcare organizations in 2023.

Data breaches by HIPAA-regulated entity type, 2009 to 2022

 

Where Did the Data Breaches Occur?

Healthcare data breaches were reported by HIPAA-regulated entities in 49 states, Washington D.C., and Puerto Rico in 2022. Alaska was the only state to survive the year with no reported data breaches. In general, the most populated states suffer the most data breaches. In 2022, the 10 most populated U.S. states all ranked in the top 15 worst affected states, although it was New York rather than California that topped the list with 68 reported breaches.

State Breaches
New York 68
California & Texas 52
Florida & Pennsylvania 38
New Jersey 27
Georgia 26
Michigan, Virginia & Washington 24
Ohio 23
Illinois & North Carolina 22
Tennessee 17
Arizona & Maryland 16
Massachusetts & Wisconsin 15
Colorado 14
Connecticut, Indiana & Missouri 13
Alabama 11
Kansas, Oklahoma & South Carolina 9
Arkansas, New Hampshire & West Virginia 8
Nebraska & Oregon 7
Minnesota 6
Utah 5
Delaware, Nevada & Rhode Island 4
Hawaii, Kentucky, Louisiana, Mississippi, Montana, South Dakota, % Vermont 3
Iowa, Idaho, Maine, New Mexico, and Washington D.C. 2
North Dakota & Wyoming 1
Alaska 0

HIPAA Enforcement in 2022

HIPAA is primarily enforced by OCR, with state attorneys general also assisting with HIPAA enforcement. OCR imposed more financial penalties for HIPAA violations in 2022 than in any other year to date, with 22 investigations resulting in settlements or civil monetary penalties.

OCR has limited resources for investigations but does investigate all breaches of 500 or more records. That task has become increasingly difficult due to the increase in data breaches, which have tripled since 2010. Despite the increase in data breaches, OCR’s budget for HIPAA enforcement has hardly increased at all, aside from adjustments for inflation. As of January 17, 2022, OCR had 882 data breaches listed as still under investigation. 97% of all complaints and data breach investigations have been successfully resolved.

Some investigations warrant financial penalties, and while the number of penalties has increased, the penalty amounts for HIPAA violations have been decreasing. Most of the financial penalties in 2022 were under $100,000.

HIPAA Settlements and Civil Monetary Penalties 2008-2022

Since 2019, the majority of financial penalties imposed by OCR have been for HIPAA right of access violations, all of which stemmed from complaints from individual patients who had not been provided with their medical records within the allowed time frame. OCR continues to pursue financial penalties for other HIPAA violations, but these penalties are rare.

2022 HIPAA Settlements and Civil Monetary Penalties

Regulated Entity Penalty Amount Type of Penalty Reason
Health Specialists of Central Florida Inc $20,000 Settlement HIPAA Right of Access failure
New Vision Dental $23,000 Settlement Impermissible PHI disclosure, Notice of Privacy Practices, releasing PHI on social media.
Great Expressions Dental Center of Georgia, P.C. $80,000 Settlement HIPAA Right of Access failure (time/fee)
Family Dental Care, P.C. $30,000 Settlement HIPAA Right of Access failure
B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental $25,000 Settlement HIPAA Right of Access failure
New England Dermatology and Laser Center $300,640 Settlement Improper disposal of PHI, failure to maintain appropriate safeguards
ACPM Podiatry $100,000 Civil Monetary Penalty HIPAA Right of Access failure
Memorial Hermann Health System $240,000 Settlement HIPAA Right of Access failure
Southwest Surgical Associates $65,000 Settlement HIPAA Right of Access failure
Hillcrest Nursing and Rehabilitation $55,000 Settlement HIPAA Right of Access failure
MelroseWakefield Healthcare $55,000 Settlement HIPAA Right of Access failure
Erie County Medical Center Corporation $50,000 Settlement HIPAA Right of Access failure
Fallbrook Family Health Center $30,000 Settlement HIPAA Right of Access failure
Associated Retina Specialists $22,500 Settlement HIPAA Right of Access failure
Coastal Ear, Nose, and Throat $20,000 Settlement HIPAA Right of Access failure
Lawrence Bell, Jr. D.D.S $5,000 Settlement HIPAA Right of Access failure
Danbury Psychiatric Consultants $3,500 Settlement HIPAA Right of Access failure
Oklahoma State University – Center for Health Sciences (OSU-CHS) $875,000 Settlement Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals
Dr. Brockley $30,000 Settlement HIPAA Right of Access
Jacob & Associates $28,000 Settlement HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer
Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., $50,000 Civil Monetary Penalty Impermissible disclosure on social media
Northcutt Dental-Fairhope $62,500 Settlement Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer

HIPAA enforcement by state attorneys general is relatively rare. Only three financial penalties were imposed in 2022 by state attorneys general. In these cases, penalties were imposed for violations of the HIPAA Rules and state laws.

State Regulated Entity Penalty Penalty Type Reason
Oregon/Utah Avalon Healthcare $200,000 Settlement Lack of safeguards and late breach notifications
Massachusetts Aveanna Healthcare $425,000 Settlement Lack of safeguards against phishing
New York EyeMed Vision Care $600,000 Settlement Multiple security failures

The post 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.