HIPAA Compliance News

June 2022 Healthcare Data Breach Report

Posted by HIPAA Journal

June 2022 saw 70 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – two fewer than May and one fewer than June 2021. Over the past 12 months, from July 2021 to June 2022, 692 large healthcare data breaches have been reported and the records of 42,431,699 individuals have been exposed or impermissibly disclosed. The past two months have seen data breaches reported at well over the 12-month average of 57.67 breaches a month.

The past 6 months have seen data breaches reported at similar levels to the second half of 2021 (345 in 1H 2022 v 347 in 2H 2021), but data breaches are down 6.25% from the first half of 2021 (368 in 1H 2021 v 345 in 2H 2022).

Healthcare data breaches in the past 12 months

For the third successive month, the number of exposed or compromised records has increased. In June, 5,857,143 healthcare records were reported as breached. That is the highest monthly total so far in 2022. June saw 32.48% more records breached than the previous month and 65.64% more than the monthly average over the past 12 months.

While huge numbers of healthcare records are being breached, fewer records were breached in the first half of 2022 than were breached in either the first half or the second half of 2021. In 1H 2022, 20,191,930 records were breached – 26.84% fewer than the 27,600,651 records breached in 1H 2021 and 9.2% fewer than the 22,239,769 records breached in 2H 2021.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches Reported in June 2022

There were 31 reported breaches of 10,000 or more healthcare records in June – the same number as May 2022  – two of which affected more than 1.2 million individuals. Several healthcare providers submitted breach reports in June 2022 due to the ransomware attack on the HIPAA business associate, Eye Care Leaders. At least 37 healthcare providers are now known to have been affected by that ransomware attack and more than 3 million records are known to have been exposed in the attack.

Name of Covered Entity State Covered Entity Type Individuals Affected Location of Breached Information Cause of Breach
Texas Tech University Health Sciences Center TX Healthcare Provider 1,290,104 Other Eye Care Leaders ransomware attack
Baptist Medical Center TX Healthcare Provider 1,243,031 Network Server Ransomware attack
MCG Health, LLC WA Business Associate 793,283 Network Server Unspecified hacking and data theft incident
Yuma Regional Medical Center AZ Healthcare Provider 737,448 Network Server Ransomware attack
Stokes Regional Eye Centers SC Healthcare Provider 266,170 Network Server Eye Care Leaders ransomware attack
Spectrum Eye Physicians CA Healthcare Provider 175,000 Network Server Eye Care Leaders ransomware attack
90 Degree Benefits, Inc. WI Business Associate 172,450 Network Server Unspecified hacking incident
Michigan Avenue Immediate Care IL Healthcare Provider 144,104 Network Server Unspecified hacking and data theft incident
Mattax Neu Prater Eye Center, Inc. MO Healthcare Provider 92,361 Electronic Medical Record Eye Care Leaders ransomware attack
Sight Partners Physicians, P.C. WA Healthcare Provider 86,101 Electronic Medical Record Eye Care Leaders ransomware attack
Clinivate LLC CA Business Associate 77,652 Network Server Unspecified hacking incident – No information publicly released
Kaiser Foundation Health Plan of Washington WA Healthcare Provider 69,589 Email Compromised email account
Carolina Eyecare Physicians, LLC SC Healthcare Provider 68,739 Electronic Medical Record Eye Care Leaders ransomware attack
Precision Eye Care, Ltd. MO Healthcare Provider 58,462 Electronic Medical Record Eye Care Leaders ransomware attack
Resolute Health Hospital TX Healthcare Provider 54,239 Network Server Ransomware attack
Aloha Laser Vision HI Healthcare Provider 43,263 Electronic Medical Record Eye Care Leaders ransomware attack
Center for Sight, Inc. MA Healthcare Provider 41,041 Electronic Medical Record Eye Care Leaders ransomware attack
McCoy Vision Center AL Healthcare Provider 33,930 Electronic Medical Record Eye Care Leaders ransomware attack
Chesapeake Eye Center PA MD Healthcare Provider 32,770 Network Server Eye Care Leaders ransomware attack
Kevin Wolf, DPM d/b/a Goldsboro Podiatry NC Healthcare Provider 30,669 Network Server Unspecified hacking incident
Long Vision Center TX Healthcare Provider 29,237 Electronic Medical Record Eye Care Leaders ransomware attack
Foxhall Ob Gyn Associates DC Healthcare Provider 27,000 Other No information
Alabama Eye &Cataract, P.C. AL Healthcare Provider 26,000 Network Server Eye Care Leaders ransomware attack
Lori A. Harkins MD, P.C. dba Harkins Eye Clinic NE Healthcare Provider 23,993 Electronic Medical Record Eye Care Leaders ransomware attack
DialAmerica Marketing, Inc. NJ Business Associate 19,796 Network Server Unspecified hacking incident
Central Florida Inpatient Medicine FL Healthcare Provider 19,625 Email Compromised email account
Yale New Haven Hospital CT Healthcare Provider 19,496 Other Data exposed on a public-facing website
Cherry Creek Eye Physicians and Surgeons, P.C. CO Healthcare Provider 17,732 Electronic Medical Record Eye Care Leaders ransomware attack
Bayhealth Medical Center, Inc. DE Healthcare Provider 17,481 Network Server Ransomware attack on business associate (Professional Finance Company)
Kernersville Eye Surgeons, P.C. NC Healthcare Provider 13,412 Electronic Medical Record Eye Care Leaders ransomware attack
Phelps County Regional Medical Center d/b/a Phelps Health MO Healthcare Provider 12,602 Network Server Data breach at business associate (MCG Health)

Causes of June 2022 Healthcare Data Breaches

As the above table shows, ransomware attacks on healthcare organizations continue to be reported in high numbers. 20 of the 31 affecting 10,000 or more individuals have been confirmed as involving ransomware. When these attacks occur at business associates they can affect many different HIPAA-covered entities. As mentioned, the Eye Care Leaders ransomware attack has affected at least 37 eye care providers, and a ransomware attack on Professional Finance Company affected 657 of its healthcare provider clients.

There is no sign that ransomware attacks on healthcare providers will slow. This month, CISA has warned the health and public health sector that North Korean state-sponsored hackers are known to be targeting the sector and are using ransomware for extortion.

Hacking incidents continue to dominate the breach reports, with all but two of the top 31 breaches involving hacking. 81% of the month’s breaches were reported as hacking/IT incidents, and across those 57 incidents, the records of 5,784,009 were breached – 98.75% of all the breached records in June. The average breach size was 101,474 records and the median breach size was 12,602 records.

There were 6 unauthorized access/disclosure data breaches reported involving 59,224 records. The average breach size was 9,871 records and the median breach size was 5,672 records. 5 loss theft incidents were reported (4 x theft, 1 x loss) involving 12,184 records. The average breach size was 2,437 records and the median breach size was 1,126 records. Finally, there were two improper disposal incidents reported, both of which involving paper/films. In total 1,726 records were exposed as a result of those incidents.

Causes of June 2022 healthcare data breaches

Location of Breached Protected Health Information

The bar graph below shows where the breached information was stored. The high number of network server breaches indicates the extent to which hackers are attacking healthcare organizations. Many of these attacks involved ransomware. Most data breaches reported by healthcare providers do not involve electronic health records, which are separate from other systems. The high number of breaches involving EHRs is due to the ransomware attack on Eye Care Leaders, which provides electronic medical record systems to eye care providers.

Location of breached PHI (June 2022)

Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected HIPAA-covered entity in June, accounting for 55 data breaches of 500 or more records, with 4 data breaches reported by health plans. Business associates of HIPAA-covered entities self-reported 11 data breaches; however, 29 data breaches occurred at business associates but were reported by the affected covered entity rather than the business associate.

Taking this into account, the breakdown of the month’s data breaches by HIPAA-regulated entity type is shown in the chart below.

June 2022 Healthcare Data Breaches - HIPAA-regulated entity type

Geographic Distribution of Breached Entities

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 29 states and the District of Columbia.

State Number of Data Breaches
Washington 5
California, New Jersey, North Carolina, Ohio, South Carolina, Texas, & Virginia 4
Alabama, Missouri, Nebraska, & New York 3
Delaware, Illinois, Kansas, Maryland, Michigan, Pennsylvania, Tennessee, & the District of Columbia. 2
Arizona, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Massachusetts, Mississippi, & Wisconsin 1

HIPAA Enforcement Activity in June 2022

There were no HIPAA enforcement actions announced by the OCR or state attorneys general in June; however, OCR announced this month (July) that a further 12 HIPAA penalties have been imposed, 11 of which were for violations of the HIPAA Right of Access.

The post June 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Announces 11 Further Financial Penalties for HIPAA Right of Access Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has sent a warning to healthcare providers about the importance of compliance with the HIPAA Right of Access with the announcement that a further 11 financial penalties for HIPAA-covered entities that have failed to provide patients with timely access to their medical records. The latest batch of enforcement actions brings the total number of financial penalties imposed under the HIPAA Right of Access enforcement initiative up to 38.

The HIPAA Right of Access gives people the right to inspect their protected health information that is held by a HIPAA-covered entity, check the information for errors, and request that any errors are corrected. People can also request a copy of their protected health information from healthcare providers and health plans. When such a request is made, the requested information must be provided in full within 30 days of the request being received. In very limited circumstances, an extension of 30 days is allowed. Requests can be submitted by patients or their nominated representatives, and parents and legal guardians of minors are permitted to obtain a copy of their minor’s records. Any individual requesting a copy of their records can only be charged a reasonable, cost-based fee for obtaining a copy of their records. The records should be provided in the format requested by the patient, provided the HIPAA-covered entity has the technical capability to provide records in that format.

OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019 in response to reports of widespread noncompliance with this important HIPAA right. “It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino.  “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”

HIPAA Right of Access Penalties

The latest penalties were all imposed for the failure to provide timely access to an individual’s medical records, rather than for charging unreasonable fees for exercising the Right of Access. All but one of these cases was settled with OCR, with the covered entities also agreeing to a corrective action plan to address the non-compliance and prevent further violations.

One HIPAA-covered entity refused to cooperate with OCR’s requests, resulting in a civil monetary penalty. ACPM Podiatry had received a request from a former patient for a copy of his medical records. OCR was notified on April 8, 2019, that ACPM had refused to provide those records. OCR provided technical assistance to ACPM on April 18, 2019, confirming that the records must be provided under HIPAA. The investigation was closed. A second complaint was then filed with OCR a month later when the records had still not been provided.

OCR’s investigation revealed the records had been withheld as the complainant’s insurance company had not paid the bill, but the complainant said the records were required in order to appeal the unfavorable decision, and that the records were necessary to file that appeal. While there was contact between OCR and ACPM Podiatry, ACPM failed to respond to OCR’s data access requests, OCR’s notice of proposed determination of a financial penalty, nor the Letter of Opportunity to provide evidence of mitigating factors, resulting in a civil monetary penalty being imposed.

Three of the enforcement actions stemmed from a HIPAA-covered entity failing to provide a patient’s nominated representative with a copy of the requested records when HIPAA allows the release of records to a personal representative. Two cases involved the withholding of a patient’s medical records due to outstanding medical bills. A patient’s right to obtain a copy of their medical records is not conditional on whether payment for medical services has been made in full.

A summary of each financial penalty has been provided in the table below.

HIPAA Covered Entity State Penalty Type Penalty Amount Individuals Affected Alleged Violation Reason
ACPM Podiatry IL Civil Monetary Penalty $100,000 1 Untimely Access Records not provided
Memorial Hermann Health System TX Settlement $240,000 1 Untimely Access Records not provided in full for 564 days from the initial request
Southwest Surgical Associates TX Settlement $65,000 1 Untimely Access Records not provided for 13 months
Hillcrest Nursing and Rehabilitation MA Settlement $55,000 1 Untimely Access Records not provided to a personal representative for 7 months
MelroseWakefield Healthcare MA Settlement $55,000 1 Untimely Access Failure to provide records to a patient’s nominated representative for 4 months
Erie County Medical Center Corporation NY Settlement $50,000 1 Untimely Access Failure to provide the requested records to a patient’s nominated representative
Fallbrook Family Health Center NE Settlement $30,000 1 Untimely Access Unspecified delay in providing requested records
Associated Retina Specialists NY Settlement $22,500 1 Untimely Access Failure to provide patient with access to records for 5 months
Coastal Ear, Nose, and Throat FL Settlement $20,000 1 Untimely Access Failure to provide patient with access to records for 5 months
Lawrence Bell, Jr. D.D.S MD Settlement $5,000 1 Untimely Access Failure to provide records for more than 3 months
Danbury Psychiatric Consultants MA Settlement $3,500 1 Untimely Access Withheld records for 6 months as the patient had an outstanding medical bill

OCR has now imposed 122 financial penalties on HIPAA-regulated entities to resolve HIPAA violations since 2008. The latest batch of HIPAA penalties brings the total enforcement actions in 2022 involving a financial penalty up to 16, exceeding the financial penalties imposed in all of 2021 by 2.

The post OCR Announces 11 Further Financial Penalties for HIPAA Right of Access Failures appeared first on HIPAA Journal.

Oklahoma State University Settles HIPAA Case with OCR for $875,000

Posted by HIPAA Journal

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has announced that Oklahoma State University – Center for Health Sciences (OSU-CHS) has agreed to settle a HIPAA investigation stemming from a web server hacking incident and has agreed to pay a financial penalty of $875,000 to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.

OSU-CHS is a public land-grant research university that provides preventive, rehabilitative, and diagnostic care in Oklahoma. OCR launched a HIPAA investigation after receiving a breach report on January 5, 2018, in response to the hacking of an OSU-CHS web server. OSU-CHS determined that malware had been installed on the server which allowed the hacker(s) to access the electronic protected health information of 279,865 individuals.

The information exposed and potentially obtained by an unauthorized third party included names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially declared that the data breach occurred on November 7, 2017; however, it was later reported that the hackers first had access to the ePHI of patients 20 months earlier on March 9, 2016,

OCR investigators determined OSU-CHS had potentially violated the following provisions of the HIPAA Rules:

  • Impermissible disclosure of the ePHI of 279,865 individuals – 45 C.F.R. § 164.502(a)
  • Failure to conduct a comprehensive and accurate organization-wide risk analysis –45 C.F.R. § 164.308(a)(l)(ii)(A)
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. 164.308(a)(8)
  • Failure to implement audit controls – 45 C.F.R. § 164.312(b)
  • A security incident response and reporting failure – 45 C.F.R. § 164.308(a)(6)(ii)
  • Failure to provide timely breach notification to affected individuals – 45 C.F.R. § 164.404
  • Failure to provide timely breach notification to the Secretary of the HHS – 45 C.F.R. § 164.408

In addition to the financial penalty, OSU-CHS has agreed to implement a corrective action plan to resolve all areas of non-compliance identified by OCR and will be closely monitored for compliance with the corrective action plan and the HIPAA Rules for two years. The case was settled with no admission of liability or wrongdoing.

“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

This is the fifth financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, and the 111th penalty to be imposed since OCR was given the authority to fine HIPAA-regulated entities for HIPAA violations.

The post Oklahoma State University Settles HIPAA Case with OCR for $875,000 appeared first on HIPAA Journal.

Senators Call for HIPAA Privacy Rule Change to Prohibit Disclosures of Reproductive Health Care Information to Law Enforcement

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has recently issued guidance to healthcare organizations following the overturning of Roe v. Wade following the SCOTUS Dobbs v. Jackson Women’s Health Organization ruling, which removed the right to abortion at the federal level and allowed states to set their own laws. The guidance explained how the HIPAA Privacy Rule permits disclosures of protected health information – including reproductive health care information – to law enforcement but does not require such disclosures. OCR explained in the guidance when such disclosures of reproductive health care information would be considered HIPAA violations under the HIPAA Privacy Rule.

Two U.S. senators – Michael F. Bennet (D-Co) and Catherine Cortez Masto (D-NV) – recently wrote to the Secretary of the Department of Health and Human Services, Xavier Becerra, calling for the HHS to go further and make an update to the HIPAA Privacy Rule to ensure that the private and confidential health information of patients seeking reproductive healthcare is better protected.

“The [SCOTUS} decision has created profound uncertainty for patients concerning their right to privacy when making the deeply personal decision to have an abortion,” explained the senators in the letter. “We write to urge the Department of Health and Human Services (HHS) to take immediate steps to protect the privacy of Americans receiving reproductive health care services by updating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.”

The senators pointed out that at the time HIPAA was signed into law in 1996, Roe v. Wade had already upheld the right to abortion for more than two decades, and when the Privacy Rule was added to HIPAA in 2000, it was unthinkable that Roe v. Wade would be overturned two decades later. The senators praised the efforts of the HHS in issuing prompt guidance on the privacy of medical information relating to abortion and other sexual and reproductive health care and also for issuing guidance to consumers on protecting health information on mobile devices but believe that the HHS needs to go further.

“We urge HHS to immediately begin the process to update the Privacy Rule, following all requirements under the Administrative Procedure Act, to clarify who is a covered entity and to limit when that entity can share information on abortion or other reproductive health services,” explained the senators. The senators specifically requested the HHS clarify that reproductive health care information cannot be shared with law enforcement agencies who target individuals who have an abortion, and have requested the HHS rule that Pregnancy Care Centers (aka Crisis Pregnancy Centers) are required to comply with the HIPAA Privacy Rule.

“Following the Supreme Court’s decision in Dobbs, millions of Americans have lost a fundamental constitutional right to make their own health and reproductive decisions. We must do all that we can to protect their fundamental right to privacy,” concluded the senators.

The post Senators Call for HIPAA Privacy Rule Change to Prohibit Disclosures of Reproductive Health Care Information to Law Enforcement appeared first on HIPAA Journal.

OCR Issues Guidance for Providers and Individuals Following Supreme Court Decision on Roe v. Wade

Posted by HIPAA Journal

President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra recently called on HHS agencies to take action to protect access to sexual and reproductive health care, which includes abortion, pregnancy complications, and other related care, following the decision of the Supreme Court in Dobbs vs. Jackson Women’s Health Organization. The Supreme Court overruled Roe v. Wade and Planned Parenthood v. Casey and took away the right of women to have a safe and legal abortion.

Yesterday, the HHS Office for Civil Rights (OCR) issued new guidance for healthcare providers and patients seeking access to reproductive health care services to ensure patient privacy is protected. The guidance explains that the federal Health Insurance Portability and Accountability Act (HIPAA) requires individuals’ private medical information, which includes information about abortion and other sexual and reproductive health care, is required to be kept private and confidential. That information is classed as protected health information (PHI) under HIPAA and healthcare providers are not required to disclose PHI to third parties.

The guidance also explains the extent to which private medical information is protected on personal cell phones and tablets and includes advice for protecting individuals’ privacy when using period trackers and other health information apps. Concern has been raised by women that health apps on smartphones, such as period trackers, threaten privacy as they disclose geolocation data. That information could potentially be abused by individuals seeking to deny them access to medical care.

“How you access health care should not make you a target for discrimination,” explained HHS Secretary Xavier Becerra. “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information.” Becerra is encouraging anyone who believes their privacy rights have been violated to file a complaint with OCR and explained that protecting access to health care, which includes abortion care and other forms of sexual and reproductive health care, is now an enforcement priority for OCR.

The guidance for healthcare providers explains that the HIPAA Privacy Rule allows HIPAA-covered entities, which includes healthcare providers, to disclose an individual’s PHI without obtaining authorization from that individual for the purposes of healthcare, payment, and healthcare operations, but other disclosures – to law enforcement officials for example – are only permitted in narrow circumstances, tailored to protect the individual’s privacy and support their access to health care, which includes abortion care. HIPAA-covered entities and their business associates are reminded that they can use and disclose PHI without an individual’s signed authorization, but only for reasons expressly permitted or required by the Privacy Rule. The guidance also explains the restrictions on disclosures of PHI under the HIPAA Privacy Rule when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.

Separate guidance has been issued for individuals about protecting the privacy and security of their health information when using their personal cell phones or tablets. It is important for individuals to understand that most health apps, including period trackers, are not covered by the HIPAA Privacy or Security Rules. That means any personal healthcare data entered, collected, or transmitted by those apps or is stored on smartphones or tablets, is not protected and there are no restrictions on disclosures of that information.

The guidance explains best practices to adopt when using these health apps that will decrease the personal information collected by the apps and limit the potential for disclosures of personal information – including geolocation data – without the individual’s knowledge. The guidance explains how to turn off the location services on Apple and Android devices, and offers advice on selecting apps, browsers, and search engines that prioritize privacy and security.

Information on individuals’ rights to reproductive healthcare is available here.

The post OCR Issues Guidance for Providers and Individuals Following Supreme Court Decision on Roe v. Wade appeared first on HIPAA Journal.

GAO: HHS Should Establish Mechanism for Obtaining Feedback on HIPAA Data Breach Reporting Process

Posted by HIPAA Journal

The Government Accountability Office (GAO) has recommended that the Department of Health and Human Services (HHS) establish a feedback mechanism to improve the effectiveness of its data breach reporting process.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, called for the Secretary of the HHS to create and maintain a list of data breaches involving the unsecured protected health information of 500 or more individuals on its website.

The HHS’ Office for Civil Rights (OCR) Breach Portal includes breaches of the personally identifiable protected health information (PHI), such as unauthorized access and disclosures, exposures, and the loss and theft of PHI. The number of reported data breaches has been increasing each year, with 2021 seeing 714 data breaches of 500 or more records reported to OCR.

GAO explained in its report that between 2015 and 2021, the number of individuals affected by healthcare data breaches at healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities has ranged from 5 million to 113 million each year.

OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR investigates data breaches and complaints about potential HIPAA violations and seeks to establish whether the HIPAA Rules have been violated. To date, OCR has imposed 110 financial penalties on HIPAA-regulated entities that have been determined to have violated the HIPAA Rules.

In January 2021, the HITECH Act was amended to require OCR to consider the ‘recognized security practices’ that were continuously in place for the 12 months previously when making determinations about actions to take against HIPAA-regulated entities that have experienced breaches of PHI. OCR sought feedback from the public on the implementation of recognized security practices and is due to finalize that process this summer.

GAO said it was asked to conduct a review of the breach reporting process, determine the extent to which the HHS had established a review process to assess whether covered entities had implemented recognized security practices, and determine the extent to which improvements can be made related to the breach reporting requirements of the HHS.

As part of that process, GAO reviewed privacy and information security laws; analyzed HHS documentation, policies, and procedures; interviewed cognizant OCR officials; and surveyed HIPAA-regulated entities.

GAO said in its report that OCR has been charged with the development and management of the breach reporting process but has not established a method to allow HIPAA-regulated entities to provide feedback on the breach reporting process. Without such a mechanism, HIPAA-regulated entities could face challenges during the breach reporting process and have no clear way of reporting those issues to OCR. GAO has recommended such a process be established, as this would help OCR to improve aspects of the breach reporting process.

The HHS concurred with the single GAO recommendation and explained that OCR would establish a mechanism for regulated entities to provide feedback on the breach reporting and investigative process. This would be achieved by adding language and contact information to the confirmation emails that HIPAA-regulated entities receive when they report data breaches through the HHS Breach Portal. The HHS said it will also be issuing procedures to OCR’s regional offices that require them to regularly review and address emails received about the breach reporting process.

The post GAO: HHS Should Establish Mechanism for Obtaining Feedback on HIPAA Data Breach Reporting Process appeared first on HIPAA Journal.

May 2022 Healthcare Data Breach Report

Posted by HIPAA Journal

May 2022 saw a 25% increase in healthcare data breaches of 500 or more records. 70 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in May 2022, which is the highest monthly total this year and well above the 12-month average of 56.75 data breaches per month. This level of reported data breaches has not been seen since June 2021.

May 2022 Healthcare Data Breaches

Across those data breaches, the records of 4,410,538 individuals were exposed, stolen, or impermissibly disclosed, which is more than twice the number of records that were breached in April, and almost 40% higher than the average number of records breached each month over the past 12 months.

Breached healthcare records in the past 12 months (May 2022)

Largest Healthcare Data Breaches Reported in May 2022

In May 2022, there were 31 reports of healthcare data breaches that involved the records of more than 10,000 individuals. The largest breach to be reported affected the HIPAA business associate, Shields Health Care Group, which provides MRI and other imaging services in New England. The exact nature of the attack was not disclosed, but Shields said hackers accessed its network and exfiltrated files containing patient data. The breach affected 2 million patients who received medical services at 52 facilities in New England.

Partnership HealthPlan of California also reported a major data breach, in this case, a ransomware attack. Hackers gained access to systems containing the records of 854,913 current and former health plan members. The Hive ransomware gang claimed responsibility for the attack and allegedly stole 400GB of data.

The number of eye care providers affected by a hacking incident at the electronic health record vendor Eye Care Leaders continued to grow throughout May (and June). While they are not all reflected in the May data, as of June 21, at least 23 eye care providers are known to have been affected, and the data breach has affected at least 2,187,383 patients.

Data Breaches of over 10,000 Records Reported in May 2022

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Business Associate Breach Cause of Data Breach
Shields Health Care Group, Inc. MA Business Associate 2,000,000 Hacking/IT Incident Yes Hacking and data theft incident
Partnership HealthPlan of California CA Health Plan 854,913 Hacking/IT Incident No Ransomware attack
SAC Health System CA Healthcare Provider 149,940 Theft No Theft of documents in break-in at storage facility
Aon PLC IL Business Associate 119,636 Hacking/IT Incident Yes Hacking and data theft incident
Parker-Hannifin Corporation Group Health Plans OH Health Plan 119,513 Hacking/IT Incident No Hacking and data theft incident
Heidell, Pittoni, Murphy & Bach, LLP NY Business Associate 114,979 Hacking/IT Incident Yes Ransomware attack
Schneck Medical Center IN Healthcare Provider 92,311 Hacking/IT Incident No Hacking and data theft incident
Alameda Health System CA Healthcare Provider 90,000 Hacking/IT Incident No Unauthorized access to email accounts
Val Verde Regional Medical Center TX Healthcare Provider 86,562 Hacking/IT Incident No Ransomware attack
NuLife Med, LLC NH Healthcare Provider 81,244 Hacking/IT Incident No Hacking and data theft incident
Comstar, LLC MA Business Associate 68,957 Hacking/IT Incident Yes Unspecified hacking incident
Shoreline Eye Group CT Healthcare Provider 57,047 Hacking/IT Incident Yes Eye Care Leaders hacking incident
AU Health GA Healthcare Provider 50,631 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Finkelstein Eye Associates IL Healthcare Provider 48,587 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Oklahoma City Indian Clinic OK Healthcare Provider 38,239 Hacking/IT Incident No Ransomware attack
Moyes Eye Center, PC MO Healthcare Provider 38,000 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Family Health Care, Inc KS Healthcare Provider 33,619 Hacking/IT Incident No Unspecified hacking incident
Allwell Behavioral Health Services OH Healthcare Provider 29,972 Hacking/IT Incident No Hacking and data theft incident
Creative Hospice Care, Inc. dba Homestead Hospice & Palliative Care GA Healthcare Provider 28,332 Hacking/IT Incident No Unauthorized access to email accounts
FPS Medical Center AZ Healthcare Provider 28,024 Hacking/IT Incident No Ransomware attack
Capsule NY Healthcare Provider 27,486 Hacking/IT Incident No Unauthorized access to user accounts
McKenzie Health System MI Healthcare Provider 25,318 Hacking/IT Incident No Hacking and data theft incident
Sylvester Eye Care OK Healthcare Provider 19,377 Hacking/IT Incident Yes Eye Care Leaders hacking incident
Aesto, LLC d/b/a Aesto Health AL Business Associate 17,400 Hacking/IT Incident Yes Hacking and data theft incident
Vail Health Services CO Healthcare Provider 17,039 Hacking/IT Incident No Ransomware attack
Motion Picture Industry Health Plan CA Health Plan 16,838 Unauthorized Access/Disclosure No Mismailing incident
Bryan County Ambulance Authority OK Healthcare Provider 14,273 Hacking/IT Incident No Ransomware attack
Associated Ophthalmologists of Kansas City, P.C. MO Healthcare Provider 13,461 Hacking/IT Incident No Eye Care Leaders hacking incident
Allaire Healthcare Group NJ Healthcare Provider 13,148 Hacking/IT Incident No Unauthorized access to user accounts
EmblemHealth Plan, Inc. NY Health Plan 11,399 Unauthorized Access/Disclosure No Unconfirmed
Behavioral Health Partners of Metrowest, LLC MA Business Associate 11,288 Hacking/IT Incident Yes Hacking and data theft incident

Causes of May 2022 Healthcare Data Breaches

Hacking incidents continue to be reported in high numbers in May, with 53 (75.7%) of the month’s data breaches classed as hacking or other IT incidents. That represents a 77% increase in incidents compared to April. Those incidents accounted for 95.5% of the records breached in May (4,212,721 records), which is more than twice the number of records exposed in hacking incidents in April. The average breach size was 79,485 records and the median breach size was 13,148 records.

There were 13 unauthorized access/disclosure incidents reported in May – a slight increase from April. Across those incidents, 43,807 records were impermissibly disclosed. The average breach size was 3,370 records and the median breach size was 1,196 records.

There were three theft incidents reported and one incident involving the loss of paper/films. These breaches involved a total of 154,010 records, with an average breach size of 35,503 records and a median breach size of 1,771 records.

Causes of May 2022 Healthcare Data Breaches

With so many hacking incidents, it is unsurprising that 31 of the month’s data breaches involved protected health information stored on network servers. The high number of breaches of electronic health records was due to the cyberattack on Eye Care Leaders. As the chart below shows, email account breaches were reported in high numbers in May, 70% more incidents than in April. While security awareness training for the workforce and multi-factor authentication will not prevent all email data breaches, they can significantly improve protection.

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the hardest hit HIPAA-covered entity type in May, with 49 reported breaches. There were 11 data breaches reported by health plans, and business associates of HIPAA-covered entities reported 10 breaches; however, 8 data breaches occurred at business associates but were reported by the covered entity. The data breaches detailed in the chart below reflect where the data breach occurred.

May 2022 Healthcare data breaches by HIPAA regulated entity

Healthcare providers suffered the highest number of data breaches, but business associates topped the list in terms of the number of exposed healthcare records.

HIPAA-Regulated Entity

 Number of Reported Data Breaches Total Records Exposed

Business Associate

18

2,554,789

Health Plan

 10

1,014,150
Healthcare Provider 42

841,599

May 2022 Healthcare Data Breaches by State

Data breaches of 500 or more healthcare records were reported by HIPAA-regulated entities in 29 states. California was the worst affected state with 8 large healthcare data breaches reported, followed by New York with 6 reported breaches.

State No. Reported Data Breaches
California 8
New York 6
Georgia, Missouri & Ohio 4
Alabama, Illinois, Massachusetts, North Carolina, Oklahoma & Texas 3
Arizona, Connecticut, Florida, Maryland, Michigan, New Hampshire, Virginia & Washington 2
Colorado, Indiana, Kansas, Minnesota, Mississippi, Montana, New Jersey, Nevada, Tennessee & Wisconsin 1

HIPAA Enforcement Activity in May 2022

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights or state Attorneys General in May. So far this year, 4 financial penalties totaling $170,000 have been imposed by OCR to resolve HIPAA violations.

The post May 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Webinar Today: July 20, 2022: Compliance vs. Security: Why you Need Both to be HIPAA Compliant

Posted by HIPAA Journal

Healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities that come into contact with protected health information (PHI) are required to ensure policies, processes, and people are compliant with the Rules of the Health Insurance Portability and Accountability Act (HIPAA).

Ensuring you have a good security posture is an important part of HIPAA compliance. The HIPAA Security Rule requires HIPAA-regulated entities to have appropriate safeguards in place to ensure the confidentiality, integrity, and availability of ePHI, and to manage risks to protected health information and reduce them to a low and acceptable level.

Ensuring you have a good security posture has never been more important. Cyber threat actors have stepped up their attacks on the healthcare industry and data breaches are occurring at record levels. Further, following the ‘Safe Harbor’ update to the HITECH Act, if you are able to demonstrate you have implemented recognized security practices, you will be protected against fines, sanctions, and extensive audits and investigations by the HHS’ Office for Civil Rights.

To help you on your compliance journey and with your security efforts, Compliancy Group is hosting a webinar that will explain the ins and outs of compliance and cybersecurity, and why both are necessary for patient privacy and your practice’s security.

During the webinar, Compliancy Group will explain how HIPAA compliance can be simplified, you will be walked through the regulation, and will be provided with actionable tips that you can implement within your practice today.

 3 learning objectives of the webinar:

  1. Why compliance and security are BOTH required for HIPAA compliance.
  2. How HIPAA and security help protect your patients.
  3. What you can implement in your practice now to avoid breaches and fines.

Webinar Details:

Compliance vs. Security: Why you Need Both to be HIPAA Compliant

Wednesday, July 20, 2022

11:00 a.m. PT ¦ 2:00 p.m. ET

Host: Compliancy Group

[contact-form-7]

The post Webinar Today: July 20, 2022: Compliance vs. Security: Why you Need Both to be HIPAA Compliant appeared first on HIPAA Journal.

Study Reveals One Third of Top 100 U.S. Hospitals are Sending Patient Data to Facebook

Posted by HIPAA Journal

An analysis of hospitals’ websites has revealed one-third of the top 100 hospitals in the United States are sending patient data to Facebook via a tracker called Meta Pixel, without apparently obtaining consent from patients.

Meta Pixel is a snippet of JavaScript code that is used to track visitor activity on a website. According to Meta, “It works by loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to analyze [the] effectiveness of your website’s conversion funnels.”

Meta Pixel can collect a variety of data, including information about the buttons clicked and the pages visited by clicking those buttons, and the data collected is linked to the individual by their IP address, which identifies the device that the visitor is using. That information is then automatically sent to Facebook. On a hospital website, the tracker could collect a user’s IP address and link it to sensitive information, such as if that individual had clicked to make an appointment.

The analysis was conducted by The Markup and the report was co-published by STAT. The Markup found that Meta Pixel tracking was present on a third of hospitals’ appointment scheduling pages. In one example – University Hospitals Cleveland Medical Center – the researchers found that when a visitor clicks on the ‘Schedule Online’ button on a doctor’s page, Meta Pixel sent the text of the button to Meta, along with the doctor’s name and the search term, which for that patient was pregnancy termination. It was a similar story with several other websites, which sent information taken from the selection made from dropdown menus, which provided information about the patient’s condition – Alzheimer’s disease for example.

Even more concerning is that for 7 hospital systems, Meta Pixel was installed inside password-protected patient portals. The researchers found that five of those hospital systems were sending data to Meta about real patients who volunteered to participate in the Pixel Hunt project, which was jointly run by the Markup and Mozilla Rally. Participation in that project involved allowing data to be sent to The Markup about the sites they visited, which revealed the data being sent to Meta included patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.

The Markup said there did not appear to be any business associate agreements between the hospitals and Meta that would allow the data sharing under the HIPAA Rules, and express consent from patients authorizing the sharing of data with Meta did not appear to have been obtained, suggesting potential HIPAA violations.

The 7 health systems were Community Health Network, Edward-Elmhurst Health, FastMed, Novant Health, Piedmont, Renown Health, and WakeMed. All but FastMed and Renown Health had removed the Meta Pixel after being informed about the data transfer by The Markup at the time of publication of the report, along with 6 hospitals out of the 33 that were identified as having the Meta Pixel on their appointment booking pages.

The Markup said in its report that the 33 hospitals that had Meta Pixel on their appointment pages have collectively reported more than 26 million patient admissions and outpatient visits in 2020, and this study was only limited to the top 100 hospitals. Many others may also be passing data to Facebook through Meta Pixel.

The Markup said it was unable to determine how Meta/Facebook used the data transferred through Meta Pixel, such as for providing targeted adverts. Meta spokesperson, Dale Hogan, issued a statement in response to the findings of the study. “If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems.”

The post Study Reveals One Third of Top 100 U.S. Hospitals are Sending Patient Data to Facebook appeared first on HIPAA Journal.