HIPAA Compliance News

January 2022 Healthcare Data Breach Report

Posted by HIPAA Journal

50 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR) in January 2022. January was the second successive month where the number of reported data breaches fell, although 38.9% more breaches were reported last month than in January 2020.

Healthcare data breaches over the past 12 months to January 2022

The protected health information of 2,304,607 individuals was exposed or impermissibly disclosed across those 50 breaches – 22% fewer records than December 2021, and well below the 12-month average of 3.51 million records a month. 726 data breaches of 500 or more records were reported to OCR in the 12 months from February 2021 to January 2022, and 42,175,121 records were breached across those 726 incidents.

Healthcare records breached in the past 12 months to January 2022

 

Largest Healthcare Data Breaches in January 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in January 2022, including one major data breach that affected more than 1.35 million Broward Health patients.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Breach Cause
North Broward Hospital District d/b/a Broward Health FL Healthcare Provider 1,351,431 Hacking/IT Incident Network Server Unspecified hacking and data theft incident
Medical Review Institute of America UT Business Associate 134,571 Hacking/IT Incident Network Server Ransomware attack
Medical Healthcare Solutions, Inc. MA Business Associate 133,997 Hacking/IT Incident Network Server Ransomware attack
Ravkoo FL Healthcare Provider 105,000 Hacking/IT Incident Other Cyberattack on cloud prescription portal
TTEC Healthcare Solutions CO Business Associate 86,305 Hacking/IT Incident Network Server Ransomware attack
Advocates, Inc. MA Healthcare Provider 68,236 Hacking/IT Incident Network Server Unspecified hacking and data theft incident
iRise Florida Spine and Joint Institute, LLC FL Healthcare Provider 61,595 Hacking/IT Incident Email Email accounts accessed by unauthorized individuals
Suncoast Skin Solutions FL Healthcare Provider 57,730 Hacking/IT Incident Network Server Ransomware attack
Hospital Authority of Valdosta and Lowndes County Georgia GA Healthcare Provider 41,692 Unauthorized Access/Disclosure Desktop Computer Unauthorized access and PHI theft by former employee
Family Christian Health Center IL Healthcare Provider 31,000 Hacking/IT Incident Network Server Ransomware attack
Lakeshore Bone & Joint Institute, PC IN Healthcare Provider 23,627 Hacking/IT Incident Email Email account accessed by unauthorized individual
South City Hospital MO Healthcare Provider 21,601 Theft Network Server, Other Burglary
Pace Center for Girls FL Healthcare Provider 18,300 Unauthorized Access/Disclosure Network Server Unspecified hacking and data theft incident
County of Kings, a political subdivision of the State of California CA Healthcare Provider 16,590 Hacking/IT Incident Network Server Misconfigured web server
Philadelphia FIGHT Community Health Centers PA Healthcare Provider 15,000 Hacking/IT Incident Network Server Unspecified hacking incident
Catholic Hospice, Inc. FL Healthcare Provider 14,986 Hacking/IT Incident Email Email accounts accessed by unauthorized individuals
Houston Area Community Services, Inc. d/b/a Avenue 360 Health and Wellness TX Healthcare Provider 12,186 Hacking/IT Incident Email Email accounts accessed by unauthorized individuals
Spencer Gifts LLC Health and Welfare Benefit Plan NJ Health Plan 10,023 Hacking/IT Incident Network Server Unspecified hacking and data theft incident

Causes of January 2022 Healthcare Data Breaches

Hacking incidents continue to dominate the breach reports and accounted for 76% of the month’s data breaches and 95.57% of the month’s breached records. The average breach size was 57,962 records and the median breach size was 6,174 records. The largest healthcare data breach of the month resulted in the theft of the protected health information of more than 1.35 million patients of Broward Health in Florida. A hacker gained access to the Broward Health network via a third-party medical provider that had been given access rights to Broward Health’s systems.

Causes of January 2022 Healthcare Data Breaches

Ransomware is still being extensively used in cyberattacks on healthcare organizations. 5 of the month’s top 10 data breaches were reported as ransomware attacks, with several others likely to have involved ransomware. Ransomware attacks have become highly sophisticated, with the attackers using a variety of methods to gain access to healthcare networks. CISA, the FBI, and the NSA recently issued a joint threat brief warning about the increased risk of ransomware attacks on critical infrastructure firms and provided mitigations that can be implemented to improve resilience to ransomware attacks.

Phishing attacks are also common. 12 of the month’s data breaches involved compromised email accounts. Combatting phishing attacks requires a combination of email security solutions and end user training. While HIPAA does not specify anti-phishing training for employees, HIPAA-regulated entities should go beyond the requirements of HIPAA and ensure the workforce receives regular security awareness training, including instruction on how to identify phishing emails. When combined with phishing simulation exercises, susceptibility to phishing attacks can be significantly reduced.

There were 11 unauthorized access/disclosure incidents reported to OCR in January, across which the protected health information of 80,456 individuals was impermissibly accessed or disclosed. One of the incidents reported in January involved the theft of the protected health information of 41,692 patients by a former employee. That individual was arrested and charged in connection to the incident. The average size of these breaches was 7,314 records, and the median breach size was 1,125 records. There was also one theft incident reported – a burglary – involving the theft of a network server that contained the protected health information of 21,601 patients.

January 2022 healthcare data breaches - location of breached PHI

Data Breaches by HIPAA-Regulated Entity Type

Data breaches were reported by 31 healthcare providers, 6 health plans, and 13 business associates in January; however, a further 5 breaches occurred at business associates but were reported by the HIPAA-covered entity. The pie chart below shows the adjusted figures for where the data breach occurred.

January 2022 healthcare data breaches by HIPAA-regulated entity type

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states, with Florida the worst affected with 7 data breaches.

State Number of Reported Data Breaches
Florida 7
Pennsylvania 6
California 4
Illinois, Massachusetts, New Jersey & New York 3
Colorado, Georgia, Ohio, Tennessee, Texas, & Utah 2
Arkansas, Connecticut, Idaho, Indiana, Minnesota, Missouri, Oklahoma, South Carolina, & Wisconsin 1

HIPAA Enforcement in January 2022

There were no HIPAA enforcement actions announced by the HHS’ Office for Civil Rights or state attorneys general in January 2022.

The post January 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws

Posted by HIPAA Journal

Healthcare privacy laws in the United States are due an update to bring them into the modern age to ensure individually identifiable health information is protected no matter how it is collected and shared. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now more than 2 decades old, and while the Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are due to be finalized this year, even if the proposed HIPAA Privacy Rule changes are signed into law, there will still be regulatory gaps that place health data at risk.

The use of technology for healthcare and health information has grown in a way that could not be envisaged when the Privacy Rule was signed into law. Health information is now being collected by health apps and other technologies, and individuals’ sensitive health information is being shared with and sold by technology companies. The HIPAA Privacy and Security Rules introduced requirements to ensure the privacy and security of health data, but HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates. Some of the emerging technologies now being used to record, store, and transmit health data are not covered by HIPAA and its protections and safeguards do not apply. Further, the proposed updates to the HIPAA Privacy Rule will make it easier for individuals to access their health data and direct covered entities to send that information to unregulated personal health applications.

New bipartisan legislation has now been introduced that aims to start the process of identifying and closing the current privacy gaps associated with emerging technologies to ensure health data are better protected, including health data that are not currently protected by HIPAA. The Health Data Use and Privacy Commission Act was introduced by Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) and aims to set up a new commission that will be tasked with analyzing current federal and state laws covering health data privacy and make recommendations for improvements to cover the current technology landscape.

“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”

The Comptroller General is tasked with appointing committee members who will be required to submit their report, conclusions, and recommendations to Congress and the President within 6 months. The commission will be required to assess current privacy laws and determine their effectiveness and limitations, any potential threats to individual health privacy and legitimate business and policy interests, and the purposes for which the sharing of health data is appropriate and beneficial to consumers.

The commission is required to report on whether further federal legislation is necessary and, if current privacy laws need to be updated, provide suggestions on the best ways to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy. Those recommendations could involve updates to HIPAA to cover a broader range of entities or new state or federal legislation covering health data. If updates are recommended, the commission will be required to provide details of the likely costs, burdens, and potential unintended consequences, and whether there is a threat to health outcomes if privacy rules are too stringent.

“I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”

The Health Data Use and Privacy Commission Act has attracted support from a dozen medical associations and technology vendors, including the Federation of American Hospitals, College of Cardiology, National Multiple Sclerosis Society, Association of Clinical Research Organizations, Epic Systems, and IBM.

The post Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws appeared first on HIPAA Journal.

RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach

Posted by HIPAA Journal

The Rhode Island Attorney General is investigating UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) over a cyberattack and data breach that resulted in hackers gaining access to RIPTA’s network that contained the sensitive personal and protected health information of up to 22,000 individuals.

The Office of the Rhode Island Attorney General was notified about the security breach on December 23, 2021. RIPTA said it discovered and blocked a cyberattack on August 5, 2021, with its investigation confirming the hackers gained access to its network on August 3, 2021. Files stored on the compromised part of its network included extensive information on its employees, including names, dates of birth, Social Security numbers, and health plan ID numbers, along with the sensitive information of thousands of state employees who had never worked at RIPTA.

RIPTA reported the breach to the HHS’ Office for Civil Rights as affecting 5,015 individuals but said in its breach notice that the incident had resulted in the exposure of the personal data of 17,378 individuals. The difference in the numbers was due to UnitedHealthcare, RIPTA’s previous health insurance provider, providing RIPTA with files containing the data of non-RIPTA employees.  In total, up to 22,000 individuals had their sensitive data stolen in the attack. The files were stored on RIPTA’s servers and were not encrypted and the hackers exfiltrated approximately 40,000 files from RIPTA’s systems.

RIPTA sent notification letters to affected individuals, including those that had no association with RIPTA, triggering a barrage of complaints to the Office for the Attorney General questioning why their personal data had been compromised in a breach at RIPTA when they had never had any association with the quasi-public agency. The delay in issuing notification letters was due to each of those 40,000 files having to be manually searched, which was a labor-intensive and time-consuming process. RIPTA said only a small number of people were involved in the document review to prevent sensitive data from being further exposed.

On Monday this week, RIPTA administrators testified under oath at a Senate oversight committee hearing about the incident. RIPTA Chief Legal Counsel Steven Colantuono said at the hearing, “We don’t believe that anyone did anything wrong on our end, but we are still investigating it.”

RIPTA Director Scott Avedisian confirmed that reports downloaded by RIPTA from a UnitedHealthcare portal between 2015 and 2020 were ‘filtered files’, and the data unrelated to RIPTA was supposed to remain hidden. While not confirmed, the description suggests the downloaded files were Excel spreadsheets with certain rows hidden. The secure links to access the files on the portal were emailed to RIPTA by UnitedHealthcare.

At the hearing, officials at the state Department of Information Technology confirmed there is a statewide policy requiring the encryption of sensitive data such as personally identifiable information, personal health information, and federal tax information; however, RIPTA is not one of the agencies or quasi-state agencies assisted or supported by the Department of Information Technology, so RIPTA is not required to comply with the state’s encryption policy.

UnitedHealthcare’s VP of external affairs was scheduled to appear at the hearing but backed out after initially agreeing to appear. UnitedHealthcare said it is investigating the breach to determine what went wrong. At this stage, there is no listing of a breach at UnitedHealthcare on the HHS’ Office for Civil Rights breach portal.

In addition to the investigation by the Rhode Island Attorney General, Colantuono said there will also be a federal investigation and discussions are currently being had between the Department of Justice and the HHS’ Office for Civil Rights to determine which of the two agencies will be conducting the investigation. There is also the possibility of legal action being taken against UnitedHealthcare and RIPTA by state employees affected by the data breach.

The post RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach appeared first on HIPAA Journal.

Concerning Healthcare Data Breach Reporting Trend

Posted by HIPAA Journal

The HIPAA Breach Notification Rule calls for data breach notifications to be issued to the Secretary of the HHS “without unnecessary delay” and no later than 60 days after the date of discovery of a data breach. The same time frame applies to issuing notification letters to affected individuals.

There has been a trend in recent years for HIPAA-regulated entities to wait the full 60 days from the date of discovery of the breach to issue notifications to affected individuals and the HHS, but recently growing numbers have taken the date of discovery as the date when the breach investigation has been completed, or even the date when the full review of impacted documents is finished. In some cases, notifications have been issued many months after the initial system breach was detected. There may be valid reasons for a delay in reporting, such as a request from law enforcement to delay making a cyberattack or data theft incident public to avoid interfering with the law enforcement investigation; however, it is rare for individual notifications to mention these law enforcement requests.

Delays to individual notifications oftentimes mean individuals’ PHI has been in the hands of cybercriminals for many months before they are told about the data theft and are given the opportunity to take steps to protect against any misuse of their personal data. Notification letters cannot be sent to affected individuals until those individuals have been identified, but any delay in issuing notifications is a compliance risk. There have been several cases where ransomware gangs have stolen patient data, posted the data on their data leak sites, and for that information to be available for months before notification letters are issued. In some cases, the notification letters have not made any mention of data theft.

Promptly sending individual notification letters and being transparent about the risk individuals face will allow them to take appropriate action to protect their identities and could reduce the risk of a data breach lawsuit. Several recent lawsuits have cited unnecessary delays in issuing notifications, which has placed breach victims at a much higher risk of harm.

Risk of Penalties for Delayed Breach Notifications

The HHS has made it clear in guidance on its website that the deadline for reporting breaches to the Secretary of the HHS is 60 days from the date of discovery of the breach. If the number of affected individuals is not known at the time of reporting, an estimate should be provided. The breach report can then be appended at a later date when further information about the breach is known. Some covered entities report the breach within 60 days of the detection of a cyberattack and use a total of 500 or 501 affected individuals as a place marker until the document review is completed.

While there have been few enforcement actions to date over the late reporting of data breaches, a missed deadline does place a HIPAA-regulated entity at risk of a substantial fine. Given the number of data breaches now being reported to the HHS well after the 60-day deadline, non-compliance with the HIPAA Breach Notification Rule reporting requirements could well be an area where the OCR decides to take enforcement actions in the future.

The post Concerning Healthcare Data Breach Reporting Trend appeared first on HIPAA Journal.

February 11, 2022: Deadline for Providing GAO With Feedback on HHS Data Breach Reporting Requirements

Posted by HIPAA Journal

The Government Accountability Office (GAO) has launched a rapid response survey of healthcare organizations and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) seeking feedback on their experiences reporting data breaches to the Secretary of the Department of Health and Human Services (HHS). The questionnaire was initially due to remain open until 4 p.m. EST on Friday, February 4, 2022., but the deadline has now been extended by a week to February 11, 2022. The survey is being conducted through Survey Monkey and can be accessed here.

Congress requested the GAO review the number of data breaches reported to the HHS since 2015, and the survey seeks to identify some of the challenges, if any, faced by covered entities and business associates in meeting the data breach reporting requirements of the HHS. The GAO will also determine what efforts the HHS has made to address any breach reporting issues and improve the data breach reporting process.

The survey is being distributed by the Health-ISAC, Health Sector Coordinating Council (HSCC) and the American Hospital Association (AHA) on behalf of the GAO, and responses will be provided in aggregate to GAO.

GAO has requested only one survey be completed by each covered entity and business associate. GAO said it will not attribute specific comments to specific individuals and/or organizations when it produces the report, and the only individually identifiable information passed to GAO will be the email address provided in the survey along with any individually identifiable information provided voluntarily in any of the open-ended questions.

“This is an important opportunity to inform the work of the GAO and help identify the benefits of, along with the many issues of concern expressed over the years by hospitals and health system victims of cyberattacks, regarding the ensuing HHS Office for Civil Rights audit and investigation process,” said John Riggi, AHA national advisor for cybersecurity and risk.

The post February 11, 2022: Deadline for Providing GAO With Feedback on HHS Data Breach Reporting Requirements appeared first on HIPAA Journal.

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

Posted by HIPAA Journal

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents.

The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers, birth/marriage certificates, diagnoses, and medical treatment information.

Between June 24, 2020, and July 1, 2020, the attackers accessed the account from multiple IP addresses, including some from outside the United States and on July 1, 2020, the account was used to send around 2,000 phishing emails to EyeMed clients. The EyeMed IT department detected the phishing emails and received multiple inquiries from clients querying the legitimacy of the emails. The compromised account was then immediately secured.

The subsequent forensic investigation confirmed the attacker could have exfiltrated data from the email account while access was possible but could not determine if any personal information was stolen. Affected individuals were notified in September 2020 and were offered complimentary credit monitoring, fraud consultation, identity theft restoration services.

The Office of the New York Attorney General investigated the security incident and data breach and determined that, at the time of the attack, EyeMed had failed to implement appropriate security measures to prevent unauthorized individuals from accessing the personal information of New York residents.

The email account was accessible via a web browser and contained large quantities of consumers’ sensitive information spanning several years, yet EyeMed had failed to implement multifactor authentication on the account. EyeMed also failed to implement adequate password management requirements for the email account. The password requirements for the account were not sufficiently complex, only requiring a password of 8 characters, when it was aware of the importance of password complexity as the password requirements for admin-level accounts required passwords of at least 12 characters. EyeMed also allowed 6 failed password attempts before locking out the user ID. EyeMed had also failed to maintain adequate logging of email accounts and was not monitoring email accounts, which made it difficult to identify and investigate security incidents. It was also unreasonable to retain consumer data in the email account for such a long period of time. Older emails should have been transferred to more secure systems and be deleted from the email account.

State attorneys general have the authority to impose financial penalties for HIPAA violations and it would have been possible to cite violations of HIPAA; however, New York only cited violations of New York General Business Law.

Under the terms of the settlement, EyeMed is required to pay a financial penalty of $600,000 and must implement several measures to improve security and prevent further data breaches. Those measures include:

  • Maintaining a comprehensive information security program that is regularly updated to keep pace with changes in technology and security threats
  • Maintaining reasonable account management and authentication, including the use of multi-factor authentication for all administrative or remote access accounts
  • Encrypting sensitive consumer information
  • Conducting a reasonable penetration testing program to identify, assess, and remediate security vulnerabilities
  • Implementing and maintaining appropriate logging and monitoring of network activity
  • Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.

“New Yorkers should have every assurance that their personal health information will remain private and protected. EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” said Attorney General James. “Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”

The post New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach appeared first on HIPAA Journal.

December 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – An 10.9% increase from 2020.

2021 healthcare data breaches

Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – The second-highest total since OCR started publishing summaries of healthcare data breaches in 2009.

2021 healthcare data breaches - records breached

Largest Healthcare Data Breaches in December 2021

Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause
Oregon Anesthesiology Group, P.C. OR Healthcare Provider 750,500 Ransomware
Texas ENT Specialists TX Healthcare Provider 535,489 Ransomware
Monongalia Health System, Inc. WV Healthcare Provider 398,164 Business Email Compromise/Phishing
BioPlus Specialty Pharmacy Services, LLC FL Healthcare Provider 350,000 Hacked network server
Florida Digestive Health Specialists, LLP FL Healthcare Provider 212,509 Business Email Compromise/Phishing
Daniel J. Edelman Holdings, Inc. IL Health Plan 184,500 Business associate hacking/IT incident
Southern Orthopaedic Associates d/b/a Orthopaedic Institute of Western Kentucky KY Healthcare Provider 106,910 Compromised email account
Fertility Centers of Illinois, PLLC IL Healthcare Provider 79,943 Hacked network server
Bansley and Kiener, LLP IL Business Associate 50,119 Ransomware
Oregon Eye Specialists OR Healthcare Provider 42,612 Compromised email accounts
MedQuest Pharmacy, Inc. UT Healthcare Provider 39,447 Hacked network server
Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E. NY Health Plan 20,579 Phishing
Loyola University Medical Center IL Healthcare Provider 16,934 Compromised email account
Bansley and Kiener, LLP IL Business Associate 15,814 Ransomware
HOYA Optical Labs of America, Inc. TX Business Associate 14,099 Hacked network server
Wind River Family and Community Health Care WY Healthcare Provider 12,938 Compromised email account
Ciox Health GA Business Associate 12,493 Compromised email account
A New Leaf, Inc. AZ Healthcare Provider 10,438 Ransomware

Causes of December 2021 Healthcare Data Breaches

18 data breaches of 10,000 or more records were reported in December, with the largest two breaches – two ransomware attacks – resulting in the exposure and potential theft of a total of 1,285,989 records. Ransomware continues to pose a major threat to healthcare organizations. There have been several successful law enforcement takedowns of ransomware gangs in recent months, the most recent of which saw authorities in Russia arrest 14 members of the notorious REvil ransomware operation, but there are still several ransomware gangs targeting the healthcare sector including Mespinoza, which the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about this month due to the high risk of attacks.

Phishing attacks continue to result in the exposure of large amounts of healthcare data. In December, email accounts were breached that contained the ePHI of 807,984 individuals. The phishing attack on Monongalia Health System gave unauthorized individuals access to email accounts containing 398,164 records.

8 of the largest breaches of the month involved compromised email accounts, two of which were business email compromise attacks where accounts were accessed through a phishing campaign and then used to send requests for changes to bank account information for upcoming payments.

Causes of December 2021 healthcare data breaches

Throughout 2021, hacking and other IT incidents have dominated the breach reports and December was no different. 82.14% of the breaches reported in December were hacking/IT incidents, and those breaches accounted for 91.84% of the records breached in December – 2,711,080 records. The average breach size was 58,937 records and the median breach size was 4,563 records. The largest hacking incident resulted in the exposure of the protected health information of 750,050 individuals.

The number of unauthorized access and disclosure incidents has been much lower in 2021 than in previous years. In December there were only 5 reported unauthorized access/disclosure incidents involving 234,476 records. The average breach size was 46,895 records and the median breach size was 4,109 records.

There were two reported cases of the loss of paper/films containing the PHI of 3,081 individuals and two cases of theft of paper/films containing the PHI of 2,129 individuals. There was also one breach involving the improper disposal of a portable electronic device containing the ePHI of 934 patients.

As the chart below shows, the most common location of breached PHI was network servers, followed by email accounts.

Location of breached PHUI in December 2021 healthcare data breaches

HIPAA Regulated Entities Reporting Data Breaches in December 2021

Healthcare providers suffered the most data breaches in December, with 36 breaches reported. There were 11 breaches reported by health plans, and 9 breaches reported by business associates. Six breaches were reported by healthcare providers (3) and health plans (3) that occurred at business associates. The adjusted figures are shown in the pie chart below.

December 2021 healthcare data breaches by HIPAA-regulated entity type

December 2021 Healthcare Data Breaches by U.S. State

Illinois was the worst affected state with 11 data breaches, four of which were reported by the accountancy firm Bansley and Kiener and related to the same incident – A ransomware attack that occurred in December 2020. the firm is now facing a lawsuit over the incident and the late notification to affected individuals – 12 months after the attack was discovered.

State Number of Breaches
Illinois 11
Indiana 5
Florida, Oklahoma, and Texas 4
Arizona 3
California, Georgia, Kansas, Michigan, New York, Oregon, Utah, and Virginia 2
Alabama, Colorado, Kentucky, Maryland, North Carolina, Rhode Island, Wisconsin, West Virginia, and Wyoming 1

HIPAA Enforcement Activity in December 2021

There were no further HIPAA penalties imposed by the HHS’ Office for Civil Rights in December. The year closed with a total of 14 financial penalties paid to OCR to resolve violations of the HIPAA Rules. 13 of the cases were settled with OCR, and one civil monetary penalty was imposed. 12 of the OCR enforcement actions were for violations of the HIPAA Right of Access.

The New Jersey Attorney General imposed a $425,000 financial penalty on Regional Cancer Care Associates, which covered three separate Hackensack healthcare providers – Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC – that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland.

The New Jersey Attorney General and the New Jersey Division of Consumer Affairs investigated a breach of the email accounts of several employees between April and June 2019 involving the protected health information of 105,000 individuals and a subsequent breach when the breach notification letters were sent to affected individuals’ next of kin in error.

The companies were alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, failing to protect against reasonably anticipated threats to the security/integrity of patient data, a failure to implement security measures to reduce risks and vulnerabilities to an acceptable level, the failure to conduct an accurate and comprehensive risk assessment, and the lack of a security awareness and training program for all members of its workforce. The case was settled with no admission of liability. There were 4 HIPAA enforcement actions by state attorneys general in 2021. New Jersey was involved in 3 of those enforcement actions.

The post December 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

November 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches.

The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month.

Largest Healthcare Data Breaches Reported in November 2021

In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The average breach size in November was 34,862 records and the median breach size was 5,403 records.

The worst breach of the month saw the protected health information of 582,170 individuals exposed when hackers gained access to the network of Utah Imaging Associates. Planned Parenthood also suffered a major data breach, with hackers gaining access to its network and exfiltrating data before using ransomware to encrypt files.

Sound Generations, a non-profit that helps older adults and adults with disabilities obtain low-cost healthcare services, notified patients about two ransomware attacks that had occurred in 2021, which together resulted in the exposure and potential theft of the PHI of 103,576 individuals.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Cause of Breach
Utah Imaging Associates, Inc. Healthcare Provider 582,170 Hacking/IT Incident Network Server Unspecified hacking incident
Planned Parenthood Los Angeles Healthcare Provider 409,759 Hacking/IT Incident Network Server Ransomware attack
The Urology Center of Colorado Healthcare Provider 137,820 Hacking/IT Incident Network Server Unspecified hacking incident
Sound Generations Business Associate 103,576 Hacking/IT Incident Network Server Two ransomware attacks
Mowery Clinic LLC Healthcare Provider 96,000 Hacking/IT Incident Network Server Malware infection
Howard University College of Dentistry Healthcare Provider 80,915 Hacking/IT Incident Electronic Medical Record, Network Server Ransomware attack
Sentara Healthcare Healthcare Provider 72,121 Hacking/IT Incident Network Server Unspecified hacking incident at a business associate
Ophthalmology Associates Healthcare Provider 67,000 Hacking/IT Incident Electronic Medical Record, Network Server Unspecified hacking incident
Maxim Healthcare Group Healthcare Provider 65,267 Hacking/IT Incident Email Phishing attack
True Health New Mexico Health Plan 62,983 Hacking/IT Incident Network Server Unspecified hacking incident
TriValley Primary Care Healthcare Provider 57,468 Hacking/IT Incident Network Server Ransomware attack
Broward County Public Schools Health Plan 48,684 Hacking/IT Incident Network Server Ransomware attack
Consociate, Inc. Business Associate 48,583 Hacking/IT Incident Network Server  
Doctors Health Group, Inc. Healthcare Provider 47,660 Hacking/IT Incident Network Server Patient portal breach at business associate (QRS Healthcare Solutions)
Baywood Medical Associates, PLC dba Desert Pain Institute Healthcare Provider 45,262 Hacking/IT Incident Network Server Unspecified hacking incident
Medsurant Holdings, LLC Healthcare Provider 45,000 Hacking/IT Incident Network Server Ransomware attack
One Community Health Healthcare Provider 39,865 Hacking/IT Incident Network Server Unspecified hacking incident
Educators Mutual Insurance Association Business Associate 39,317 Hacking/IT Incident Network Server Malware infection
Victory Health Partners Healthcare Provider 30,000 Hacking/IT Incident Network Server Ransomware attack
Commission on Economic Opportunity Business Associate 29,454 Hacking/IT Incident Network Server Hacked public claimant portal

Causes of November 20021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in November, accounting for 50 of the reported breaches. Ransomware continues to be extensively used in attacks on healthcare providers and their business associates, with the attacks often seeing sensitive patient data stolen and posted on data leak sites. The theft of patient data in these attacks also makes lawsuits more likely. Planned Parenthood, for example, was hit with a class action lawsuit a few days after mailing notification letters to affected patients.

2,327,353 healthcare records were exposed or stolen across those hacking incidents, which is 98.18% of all records breached in November. The average breach size for those incidents was 42,316 records and the median breach size was 11,603 records.

There were 11 unauthorized access/disclosure breaches in November – half the number of unauthorized access/disclosure breaches reported in October. Across those breaches, 37,646 records were impermissibly accessed or disclosed. The average breach size was 3,422 records and the median breach size was 1,553 records. There were also two reported cases of theft of portable electronic devices containing the electronic protected health information of 5,601 individuals.

November Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 50 reported breaches, with four of those breaches occurring at business associates but were reported by the healthcare provider. 8 data breaches were reported by health plans, 3 of which occurred at business associates, and business associates self-reported 10 data breaches. The pie chart below shows the breakdown of breaches based on where the breach occurred.

Geographic Distribution of November Healthcare Data Breaches

Healthcare data breaches of 500 or more records were reported by HIPAA-regulated entities in 32 states and the District of Columbia.

State Number of Reported Data Breaches
California & New York 7
Maryland & Pennsylvania 4
Colorado, Kentucky, Ohio, & Utah 3
Illinois, Indiana, Michigan, Minnesota, New Mexico, Tennessee, Texas, Virginia, and the District of Columbia 2
Alabama, Arizona, Arkansas, Florida, Georgia, Idaho, Kansas, Massachusetts, Missouri, Nebraska, New Hampshire, New Jersey, North Carolina, Oregon, South Carolina, and Washington 1

HIPAA Enforcement Activity in November 2021

There was a flurry of HIPAA enforcement activity in November with financial penalties imposed by federal and state regulators. The HHS’ Office for Civil Rights announced a further 5 financial penalties to resolve alleged violations of the HIPAA Right of Access. In all cases, the healthcare providers had failed to provide patients with a copy of their requested PHI within a reasonable period of time after a request was received.

Covered Entity Penalty Penalty Type Alleged Violation
Rainrock Treatment Center LLC (dba Monte Nido Rainrock)

 

 $160,000

 

 Settlement HIPAA Right of Access
Advanced Spine & Pain Management $32,150

 

 Settlement HIPAA Right of Access
Denver Retina Center $30,000

 

 Settlement HIPAA Right of Access
Wake Health Medical Group

 

 $10,000

 

 Settlement HIPAA Right of Access
Dr. Robert Glaser

 

 $100,000 Civil Monetary Penalty HIPAA Right of Access

The New Jersey Attorney General and the Division of Consumer Affairs announced in November that a settlement had been reached with two New jersey printing firms – Command Marketing Innovations, LLC and Strategic Content Imaging LLC – to resolve violations of HIPAA and the New Jersey Consumer Fraud Act. The violations were uncovered during an investigation into a data breach involving the PHI of 55,715 New Jersey residents.

The breach was due to a printing error that saw the last page of one individual’s benefit statement being attached to the benefit statement of another individual.  The Division of Consumer Affairs determined the companies failed to ensure confidentiality of PHI, did not implement sufficient PHI safeguards and failed to review security measures following changes to procedures. A financial penalty of $130,000 was imposed on the two firms, and $65,000 was suspended and will not be payable provided the companies address all the security failures identified during the investigation.

The post November 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Issues Guidance on HIPAA and Disclosures of PHI for Extreme Risk Protection Orders

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has published new guidance to explain how the HIPAA Privacy Rule applies to disclosures of protected health information (PHI) to support applications for extreme risk protection orders.

In June 2021, the U.S. Department of Justice published model legislation to provide states with a framework for creating their own extreme risk protection order (ERPO) laws. Extreme risk protection orders temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms. ERPOs are intended to improve public safety and reduce the risk of firearm injuries and deaths.

ERPO legislation permits certain entities such as law enforcement officers, family members, and healthcare providers to apply to the courts for an ERPO. Part of that process involves obtaining affidavits or sworn oral statements from petitioners and witnesses. If healthcare providers are involved in ERPOs, the HIPAA Privacy Rule applies and places restrictions on any disclosures of PHI.

The HIPAA Privacy Rule permits disclosures of PHI when those disclosures are required by law, such as in relation to statutes, regulations, court orders, and subpoenas when the disclosures comply with and are limited to the relevant requirements of such laws. OCR has confirmed that healthcare providers are permitted to disclose information about an individual to support an application for an ERPO against that individual and, in such situations, the individual will not be required to authorize the disclosure under certain conditions.

  • If required by a court order to make a disclosure of a patient’s medical records in support of an ERPO, a healthcare provider is only permitted to disclose the PHI that is specifically authorized by the court order.
  • If a state’s attorney issues a subpoena for medical records that is not accompanied by an order of a court or administrative tribunal, the requested PHI can only be provided if one of the following conditions are met:
    • The provider receives satisfactory assurances from the state’s attorney that reasonable efforts have been made to notify the subject of the PHI request about the request for access to his/her PHI
    • The provider receives satisfactory assurances state’s attorney that reasonable efforts have been made to secure a qualified protective order prohibiting use or disclosure of the PHI for purposes other than the proceeding and requiring the return to the provider or destruction of the PHI at the end of the proceeding.
    • When the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public

In all cases, HIPAA-regulated entities should make reasonable efforts to limit disclosures of PHI to the minimum necessary amount to achieve the purpose for which the PHI is being disclosed. It is also important to consult state laws, as laws may exist at the state level that provide more stringent privacy protections for individuals than those of the HIPAA Privacy Rule and not all states allow healthcare providers to apply for an ERPO.

OCR reminds HIPAA-regulated entities that federal laws such as 42 U.S.C. § 290dd-2 and 42 CFR part 2, and the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99 may apply in a situation where they have information indicating a threat to public safety.

“Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.”

The post OCR Issues Guidance on HIPAA and Disclosures of PHI for Extreme Risk Protection Orders appeared first on HIPAA Journal.