For the fourth successive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is a 6.52% fall from February and well below the 12-month average of 57.75 data breaches a month.

However, there was a 36.94% increase in the number of breached records compared to February. Across the 43 reported breaches, 3,083,988 healthcare records were exposed, stolen, or impermissibly disclosed, which is slightly below the average of 3,424,818 breached records a month over the past 12 months.

Largest Healthcare Data Breaches in March 2022

In March 2022, there were 25 data breaches reported to OCR that affected 10,000 or more individuals, all but one of which were hacking incidents. The largest data breach of the month affected over half a million patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered an employee email account had been accessed by unauthorized individuals and was used in a business email compromise (BEC) attack to try to divert payment to a third-party vendor. BEC attacks may account for a relatively small percentage of healthcare data breaches, but according to figures from the FBI, they are the biggest cause of losses to cybercrime.

SuperCare Health reported a major breach from July 2021 where hackers accessed its network and potentially stole patient data. Around two weeks after announcing the data breach the first lawsuit against SuperCare Health was filed. There is often a rush to file lawsuits following healthcare data breaches, and it is now common for multiple lawsuits to be filed.

CSI Laboratories reported a cyberattack that was discovered in February. While the nature of the attack was not disclosed, the Conti ransomware gang claimed responsibility for the attack and published a sample of the stolen data on its data leak site to pressure the lab into paying the ransom. Double extortion tactics, where payment is required for the keys to decrypt files and to prevent the publication of stolen data, are now the norm in ransomware attacks.

Causes of March 2022 Healthcare Data Breaches

The healthcare data breaches reported in March were dominated by hacking/IT incidents, which accounted for 90.7% of all data breaches reported and 98.3% of the breached healthcare records. 3,083,988 individuals were affected by those hacking incidents. The average breach size was 77,766 records and the median breach size was 17,758 records.

While the category “hacking/IT incidents” covers a broad range of causes, 31 of the incidents involved hackers gaining access to network servers where patient data was stored. 10 incidents involved unauthorized individuals gaining access to employee email accounts.

There were just three breaches reported as unauthorized access/disclosure incidents which involved a total of 4,447 records. The average breach size was 1,482 records and the median was 1,682 records. There was only one theft incident reported – a hard drive containing the records of 46,673 individuals was stolen.

March 2022 Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states and Puerto Rico reported data breaches in March 2022. New Jersey, Pennsylvania & Texas were the worst affected states with 4 breaches reported in each state.

HIPAA Enforcement Activity in March 2022

There were no HIPAA enforcement actions announced by the HHS’ Office for Civil Rights or state attorneys general in March 2022.

The post March 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Immediate intervention following an instance of unauthorized access to protected health information (PHI) by a healthcare employee is 95% effective at preventing repeat offenses, according to a new study published in JAMA Open Network.

Healthcare data breaches are occurring at record levels, and while large data breaches are often the result of hacking and other IT incidents, insider breaches such as snooping on medical records are common. According to HHS data, in 2019, 92% of combined small and large breaches were tied to unauthorized access.

While many cases of employees snooping on the medical records of VIP patients have been covered in the media, these types of snooping incidents are relatively uncommon. It is much more common for healthcare employees to access the medical records of family members, friends, and colleagues, and those privacy violations can be just as damaging for patients.

All cases of unauthorized access start with an employee accessing a single patient record, but they can easily turn into major data breaches if left unchecked. There have been several cases of healthcare employees accessing the medical records of thousands of patients without authorization over several years when the unauthorized access is not promptly identified and addressed.

A study conducted by Bai, Jiang, and Flasher in 2017 found the risk of data breaches was higher at large academic medical centers than at other hospitals. Around one-quarter of the data breaches were cases of employees accessing patient information without authorization.

The recent study, Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information: A Nonrandomized Controlled Trial, conducted by researchers at Michigan State University, Johns Hopkins, and Nick Culbertson, CEO and Co-founder of the healthcare compliance analytics firm Protenus, investigated the effectiveness of email warnings at preventing repeat offenses by employees.

Between January 1 and July 31, 2018, a system that monitored unauthorized accessing of PHI at a large academic medical center flagged unauthorized accessing of electronic medical records by 444 employees, all of whom were professional medical staff who were not part of the patient’s intervention team and did not have access permission.

A group of 219 employees was randomly selected and received an email warning on the night of their access. The email explained that the individual had been identified as having accessed a patient’s electronic medical record when there was no work-related reason for doing so, and that it was a privacy violation. The remaining 225 employees formed a control group and received no email warning.

In the group that received an email intervention, 4 employees out 219 went on to access patient information without authorization on a second occasion between 20 and 70 days after the initial unauthorized access. In the control group, 90 out of the 225 employees accessed the protected health information of patients again without authorization between 20 and 70 days after the initial unauthorized access.

While there were limitations of the study and the findings may not translate to other hospitals, it demonstrates that on-the-spot intervention can be highly effective at preventing further privacy breaches and that if no action is taken, employees are likely to continue to access patient data in violation of the HIPAA Rules.

“What an email warning can do to deter employees’ unauthorized access is stunning. A simple email can lead to big changes,” said Dr. Ge Bai, a professor at Johns Hopkins Carey Business School and Bloomberg School of Public Health, and corresponding author of the study.

For the duration of the trial, no disciplinary action was taken against any of the employees. Disciplinary action was taken after the trial was concluded against all employees involved for violating the PHI access policy of the medical center, which prohibits employees from accessing the records of family members, coworkers, friends, or other acquaintances without prior written authorization.

The post On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95% appeared first on HIPAA Journal.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first financial penalties of 2022 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Three of the cases were settled with OCR, and one resulted in a civil monetary penalty being imposed.

OCR is continuing to enforce compliance with the HIPAA Right of Access, with two of the enforcement actions resolving violations of this important HIPAA provision. One of the fines was been imposed, in part, for overcharging a patient who requested a copy of their medical records – The first financial penalty under the 2019 enforcement initiative to allege overcharging for copies of medical records. To date, OCR has imposed 27 financial penalties on healthcare providers that have failed to provide patients with timely access to their medical records. The other two cases involved impermissible disclosures of the protected health information of patients.

“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said OCR Director Lisa J. Pino. “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”

Dental Practitioner Fined $30,000 for Noncompliance with the HIPAA Right of Access

Dr. Donald Brockley D.D.M, a solo dental practitioner in Butler, PA, was investigated by OCR over a complaint from a patient who had not been provided with a copy of the requested medical records within the time allowed by the HIPAA Privacy Rule. OCR determined that there had been a HIPAA Right of Access violation and provided Dr. Brockley with the opportunity to provide written evidence of any mitigating factors in an August 27, 2019, letter. No response was received.

OCR then notified Dr. Brockley of its intention to impose a financial penalty of $104,000, and Dr. Brockley requested a hearing with an Administrative Law Judge to contest the financial penalty. On October 8, 2021, the parties filed a joint motion to stay proceedings for 60 days, during which time an agreement was reached with both parties and the case was settled.

Dr. Brockley agreed to pay a $30,000 financial penalty and adopt a corrective action plan which included updating policies and procedures to ensure compliance with the HIPAA Right of Access.

$28,000 Financial Penalty for California Psychiatric Medical Services in HIPAA Right of Access Case

Jacob & Associates, a California provider of psychiatric medical services, was investigated by OCR over a complaint from a patient who claimed that medical records had been requested from Jacob & Associates on July 1, 2018, but had not been provided. The complainant claimed to have sent similar requests every July 1 since 2013 but had never been provided with the requested records.

After submitting the complaint to OCR, the complainant resent their record request was provided with a complete copy of the requested records on May 16, 2019, by electronic mail. However, in order for the patient to be provided with those records, she was required to travel to the practice to complete a record access form in person. She was also charged $25 for the copy of her records, and initially was only provided with an incomplete, single-page copy and had to submit another request to obtain her full records.

OCR determined that Jacob & Associates had violated the HIPAA Right of Access by not providing timely access to the patient’s medical records, had charged the patient an unreasonable non-cost-based fee, and did not have policies and procedures in place concerning the right of patients to access their protected health information.

During the investigation, OCR also determined that Jacob & Associates had not designated a HIPAA Privacy Officer and its notice of privacy practices lacked the required content. The case was settled for $28,000 and Jacob & Associates agreed to a corrective action plan to address all areas of alleged non-compliance.

$50,000 Civil Monetary Penalty Imposed on Dental Practice for Social Media HIPAA Violation

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., (UPI), a dental practice with offices in Charlotte and Monroe, NC, was investigated by OCR after a patient submitted a complaint in November 2015 alleging an unauthorized disclosure of his protected health information in response to a negative online review of the practice.

On or around September 28, 2015, the complainant, using a pseudonym to protect his privacy, posted a negative review on UPI’s Google page.  UPI responded to the review and claimed the accusations made by the patient were unsubstantiated; however, UPI identified the patient and mentioned the patient’s full name on three occasions in the response, the symptoms the patient was experiencing, and the treatment that was recommended but not provided.

OCR reviewed the complaint and requested documentation from UPI in July 2016 on its policies and procedures covering responses to online reviews and social media, uses and disclosures of PHI, safeguarding PHI, and details of HIPAA training that was provided prior to, and in response to, the incident. UPI confirmed that a response had been posted to the Google page, but only provided OCR with its notice of privacy practices.

In August 2016, OCR informed UPI that the response to the review violated the HIPAA Privacy Rule and was an impermissible disclosure of PHI and told UI to remove its response to the review and implement policies and procedures, if they had not already been implemented, covering online reviews and social media. In 2017, OCR requested a copy of the policies and procedures and again told UPI to remove the response to the review.

Only an acknowledgment of training was provided to OCR, and it did not include any of the training content. The response to the review was not removed. OCR then requested financial statements to be used to determine an appropriate financial penalty, but UPI refused to provide them claiming they were not related to HIPAA. After OCR explained why they were required, UPI responded in September 2017 and refused to provide the records, and included the statement “I will see you in court”.

After receiving and failing to respond to an administrative subpoena requesting the provision of policies and procedures, training, income statements, balance sheets, statements of cash flow, and federal tax returns, and the failure to respond to further communications, OCR obtained the authorization of the Attorney General of the United States and imposed a civil monetary penalty of $50,000 under the penalty tier of wilful neglect with no correction.

Dental Practice Fined $62,500 for Impermissible Disclosure of PHI for Marketing Purposes

Northcutt Dental-Fairhope, LLC (Northcutt Dental), a Fairhope, AL dental practice, was investigated by OCR over an impermissible disclosure of PHI. Dr. David Northcutt, the operator and owner of Northcutt Dental, ran for state senator for Alabama District 32 in 2017. Dr. Northcutt engaged a campaign manager and a third-party marketing company to provide assistance with the state senate election campaign. The campaign manager was provided with an Excel spreadsheet that included the names and addresses of 3,657 patients, and letters were sent to those individuals to notify them that Dr. Northcutt was running for state senate.  The email addresses of those individuals, along with the email addresses of a further 1,727 patients, were provided to the marketing company Solutionreach to send a campaign email.

OCR determined that the disclosures of PHI to the campaign manager and third-party marketing company were impermissible disclosures of PHI. OCR also determined that Northcutt Dental had not appointed a HIPAA Privacy Officer until November 14, 2017, and policies and procedures related to the HIPAA Privacy and Breach Notification Rules were not implemented until January 1, 2018. The case was settled and Northcutt Dental agreed to a $62,500 penalty and a corrective action plan to address the alleged areas of non-compliance.

The post OCR Announces 4 Financial Penalties to Resolve HIPAA Violations appeared first on HIPAA Journal.