HIPAA Compliance News

February 2024 Healthcare Data Breach Report

Posted March 22, 2024 by Steve Alder

There has been a fall in the number of reported healthcare data breaches for the second consecutive month, with 59 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

There were 10.6% fewer breaches reported in February than in January, which followed a 22% reduction between December 2023 and January 2024. Over the past 12 months, an average of 64 healthcare breaches have been reported each month, and while February is well under that average, 22.9% more breaches were reported in February 2024 than in February 2023.

For the third consecutive month, the number of breached records has fallen, reducing by 41.7% from January to 5,130,515 records, which is well below the 12-month average of 8.9 million records a month and around half as many records as were breached in February 2023. These figures could increase as three data breaches were reported as involving 500 or 501 records. These figures are often placeholders to meet HIPAA’s breach reporting requirements when the number of affected individuals has yet to be determined.

Biggest Healthcare Data Breaches in February 2024

There were 24 data breaches of 10,000 healthcare records in February, the largest of which was a 2.35 million record data breach at Medical Management Resource Group, which does business as American Vision Partners. A further 1.67 million records were compromised in breaches at Eastern Radiologists and Unite Here, both of which were hacking incidents. Only four breaches of 10,000 or more records were not hacking incidents.

Ransomware attacks continue to plague the healthcare industry, but it is difficult to determine the scale of the problem since breach notifications rarely mention whether ransomware was used. Ransomware groups typically steal data and leak it or sell it if the ransom is not paid. If the nature of the attack is not explained to the affected individuals, it is difficult for them to accurately assess the level of risk they face and make informed decisions about the steps they need to take to prevent their personal information from being misused.

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Business Associate Present
Medical Management Resource Group, L.L.C.	AZ	Business Associate	2,350,236	Hacking incident (Data theft confirmed)
Eastern Radiologists, Inc	NC	Healthcare Provider	886,746	Hacking incident
UNITE HERE	NY	Business Associate	791,273	Hacking incident
Northeast Orthopedics and Sports Medicine, PLLC	NY	Healthcare Provider	177,101	Hacking incident
Bold Quail Holdings, LLC (NewGen Administrative Services, LLC)	CA	Healthcare Provider	105,425	Hacking incident
Prime Healthcare Employee Health Plan	CA	Health Plan	101,135	Hacking incident at business associate (Keenan & Associates)
Egyptian Health Department	IL	Healthcare Provider	100,000	Hacking incident
Scurry County Hospital District dba Cogdell Memorial Hospital	TX	Healthcare Provider	86,981	Hacking incident
MedQ, Inc.	TX	Business Associate	54,725	Ransomware attack (Data theft confirmed)
Coleman Professional Services Inc.	OH	Healthcare Provider	51,889	Email accounts compromised
Greater Cincinnati Behavioral Health Services	OH	Healthcare Provider	50,000	Hacking incident
Kirkland & Ellis LLP	IL	Business Associate	48,802	Hacking incident (MOVEit Transfer)
Employee Benefits Corporation of America and Benefit Design Group, Inc.	VA	Health Plan	38,912	Hacking incident
Washington County Hospital and Nursing Home	AL	Healthcare Provider	29,346	Ransomware attack (Data theft confirmed)
Qualcomm Incorporated	CA	Health Plan	27,038	Hacking incident at a business associate
McKenzie County Healthcare System, Inc.	ND	Healthcare Provider	21,000	Email accounts compromised
East Carolina University’s Brody School of Medicine, a member of the ECU Health affiliated covered entity	NC	Healthcare Provider	19,085	Unauthorized access to a network server
Tiegerman	NY	Healthcare Provider	19,000	Hacking incident
Human Affairs International of California	CA	Business Associate	18,347	Unauthorized Access/Disclosure of paper/films
Maryville, Inc.	NJ	Healthcare Provider	15,503	Email account compromised
Bay Area Anesthesia, LLC	FL	Healthcare Provider	15,196	Hacking incident at business associate (Bowden Barlow Law)
AGC Flat Glass North America, Inc. Welfare Benefits Plan	GA	Health Plan	13,079	Hacking incident
Littleton Regional Healthcare	NH	Healthcare Provider	12,614	Misdirected email
CVS Caremark Part D Services, L.L.C. (“CVS”)	RI	Business Associate	11,193	Unauthorized Access/Disclosure of paper/films

Data Breach Causes and Location of Compromised PHI

As has been the case for many months, the main cause of healthcare data breaches in February was hacking. In February, there were 41 data breaches classed as hacking/IT incidents – 69.5% of the month’s data breaches. These incidents typically see large numbers of records compromised and February was no exception. Across those 41 incidents, the protected health information of 5,017,167 individuals was exposed or compromised – 97.8% of the month’s breached records. The 16 largest healthcare data breaches in February were all hacking incidents. The average breach size was 122,370 records and the median breach size was 7,288 records.

HIPAA-regulated entities reported 16 data breaches that were classed as unauthorized access/disclosure incidents. Across those 16 data breaches, the records of 104,359 individuals were accessed by unauthorized individuals or were impermissibly disclosed. The largest of those incidents was a phishing attack that saw multiple email accounts compromised and the records of 21,000 individuals exposed. The average breach size was 6,522 records and the median breach size was 2,516 records. There were two theft incidents involving the records of 8,989 individuals. No loss or improper disposal incidents were reported in February. The most common location of breached healthcare data was network servers, followed by email accounts.

While it is not possible to prevent all data breaches, many could be avoided by ensuring compliance with the HIPAA Security Rule and implementing OCR’s HPH Cybersecurity Performance Goals (CPGs). The CPGs are split into essential CPGs and advanced CPGs. The Essential CPGs address common vulnerabilities, will significantly improve an organization’s security posture and incident response, and minimize residual risk. The Enhanced CPGs are intended to help HPH sector organizations mature their cybersecurity capabilities and improve their defences against additional attack vectors. A recent IBM study determined that 85% of cyberattacks in critical infrastructure sectors could have been prevented with basic security measures such as those included in the essential CPGs.

Where Did the Data Breaches Occur?

OCR’s data breach portal shows there were 33 data breaches at healthcare providers (1,632,712 records), 16 data breaches at health plans (212,785 records), and 10 data breaches at business associates (3,285,018 records). These figures show the reporting entity rather than where the data breach occurred. When a data breach occurs at a business associate, it may be reported by the business associate, the affected covered entities, or a combination of the two. For example, in February,16 data breaches were reported by health plans, but 8 of those breaches occurred at business associates. The pie charts show where the data breaches occurred rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

In February, large healthcare data breaches were reported by HIPAA-regulated entities in 27 states and the District of Columbia. California had the most breaches but Arizona was the worst affected in terms of the number of breached records, with 2,351,027 records compromised in 2 data breaches.

State	Breaches
California	6
New York & Ohio	5
Illinois, Kentucky & Texas	4
Alabama, Florida & Michigan	3
Arizona, North Carolina & Rhode Island	2
Colorado, Georgia, Iowa, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, North Dakota, Oklahoma, Pennsylvania, South Carolina, Tennessee, Virginia, West Virginia & the District of Columbia	1

HIPAA Enforcement Activity in February 2024

In February, OCR announced two settlements with HIPAA-regulated entities to resolve HIPAA compliance failures. OCR investigated Montefiore Medical Center, a non-profit hospital system based in New York City, over a data breach involving a malicious insider. The breach was discovered in 2015 by the New York Police Department, and the investigation revealed a former employee had stolen the data of 12,517 patients over a 6-month period in 2013. OCR launched an investigation in 2015, but it took until February 2024 for the case to be settled.

OCR identified multiple HIPAA failures, and the severity of those failures warranted a significant fine. Montefiore Medical Center was determined to have failed to conduct a comprehensive risk analysis, failed to implement procedures to regularly review records of information system activity, and failed to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI. Montefiore Medical Center agreed to pay a $4.75 million penalty to settle the alleged HIPAA violations.

OCR also announced a $40,000 settlement with Green Ridge Behavioral Health, a Gaithersburg, MD-based provider of psychiatric evaluations, medication management, and psychotherapy. This was the second settlement to be reached with a HIPAA-regulated entity over a ransomware attack. OCR determined that a comprehensive risk analysis had not been conducted, there was a failure to manage risks to the confidentiality, integrity, and availability of ePHI, and there were insufficient policies and procedures for reviewing records of information system activity. These failures contributed to the ransomware attack and the impermissible disclosure of the PHI of more than 14,000 patients.

State Attorneys General also have the authority to issue financial penalties for HIPAA violations; however, no civil monetary penalties or settlements were announced in February.

The post February 2024 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Updates Guidance on the Use of Online Tracking Technologies by HIPAA Regulated Entities

Posted March 19, 2024 by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued updated guidance for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) on the use of online tracking technologies. The updated guidance is intended to provide greater clarity for HIPAA-regulated entities on the use of these technologies. OCR has not changed its position on the use of these technologies or how HIPAA applies.

Why OCR Issued Guidance on Online Tracking Technologies

OCR first issued the guidance in December 2022 after research into the use of these technologies revealed that most U.S. hospitals had added these technologies on their websites, which transmit user data to third parties such as Meta (Facebook), Google, and others. A variety of user data is collected and transmitted about users’ interactions on websites and apps, and some of that data can include protected health information.

The initial guidance explained that these technologies could not be used by HIPAA-regulated entities unless there was a business associate agreement in place with the provider of the technologies and the disclosures of protected health information are permitted by the HIPAA Privacy Rule. Alternatively, consent must be obtained from individuals before the information is transmitted to third parties. OCR has previously stated that non-compliant use of online tracking technologies is an enforcement priority, and in July 2023, OCR and the Federal Trade Commission (FTC) sent warning letters to around 130 hospitals and telehealth providers about the risks of using these technologies and the potential for impermissible disclosures of PHI.

OCR Sued Over its Tracking Technology Guidance

Since the providers of these technologies typically do not sign business associate agreements with HIPAA-regulated entities and obtaining consent from individuals is costly and challenging, these technologies can generally not be used by HIPAA-regulated entities without risking violating the HIPAA Rules. The American Hospital Association (AHA) urged OCR to reconsider its guidance, and when OCR failed to do so, AHA filed a lawsuit challenging the legality of the guidance. The AHA maintains that these technologies are critical to the function of websites, and that prohibiting their use ultimately harms healthcare providers and patients. Further, while HIPAA-regulated entities were not permitted to use these technologies, the code remained on many government websites, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites.

Online Tracking Technology Guidance Updated to Clear up Confusion

OCR’s updated guidance provides a general overview of how the HIPAA Rules apply to the use of tracking technologies and includes additional examples of when the code can and cannot be used, tips for complying with HIPAA, and OCR’s enforcement priorities regarding online tracking technologies. In the updated guidance, OCR stressed that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” Protected health information is information that relates to the past, present, or future health, health care, or payment for health care, that has identifiers that link that information to an individual or allow that individual to be identified. If any of that information is collected on a web page, the technologies cannot be used without a business associate agreement with the provider of the code and the disclosures must be permitted by the HIPAA Privacy Rule, or consent must be obtained from individuals. Consent cannot be obtained by including information about these disclosures in the Notice of Privacy Practices, via a pop-up on the websites or banner stating that use of the site may involve the disclosure of health information to a third party, or by asking a user to either accept or reject cookies. A valid HIPAA authorization is required.

OCR suggests that if a vendor will not sign a BAA covering the use of the code, then a different vendor should be found that will sign a BAA. Alternatively, a customer data platform vendor could be used, which de-identifies the PHI before the information is sent to a third party. It is not permitted to transfer PHI to a vendor without a BAA even if the vendor claims that they will strip out any identifying information after the disclosure. The collection of PHI is more likely on user-authenticated pages such as patient portals; however, there is the potential for PHI to be disclosed on unauthenticated web pages. For instance, on an appointment booking page that collects no health information, if the user enters their email address and that information is transmitted to a third party, that would be classed as an impermissible disclosure of PHI.

For some web pages, the nature of the visit determines whether HIPAA applies. For instance, if a student is searching for information on oncology services when researching the availability of those services pre- and post-pandemic, the collection and transmission of their IP address and other personally identifiable information to a third party without a BAA is not a HIPAA violation, as HIPAA does not apply as there is no PHI involved. If a patient is visiting the same pages to get a second opinion about their diagnosis or cancer treatment, the transmission of the same data would be a HIPAA violation without a BAA, as that information would be classed as PHI. Other examples have been added to the guidance to make it clear when HIPAA applies and when it does not.

OCR explained its enforcement priorities with respect to online tracking technologies and said it is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies. “OCR’s principal interest in this area is ensuring that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies and have implemented the Security Rule requirements to ensure the confidentiality, integrity, and availability of ePHI,” explained OCR in the guidance. “OCR investigations are fact-specific and may involve the review of technical information regarding a regulated entity’s use of any tracking technologies. OCR considers all of the available evidence in determining compliance and remedies for potential noncompliance.”

The post OCR Updates Guidance on the Use of Online Tracking Technologies by HIPAA Regulated Entities appeared first on HIPAA Journal.

OCR Opens HIPAA Compliance Investigation of Change Healthcare

Posted March 13, 2024 by Steve Alder

The HHS’ Office for Civil Rights has opened an investigation of Change Healthcare following its February 21, 2024, cyberattack, just three weeks after the attack occurred. Typically, OCR’s investigations of cyberattacks and data breaches are initiated several months after the breach is reported, which may even be years after the breach occurred. In this case, the incident has not even been reported to OCR as it is still under investigation. Change Healthcare has only just brought its systems back online – 99% of pharmacy and payment platforms are now up and running according to a recent statement – and there are still 5 weeks before the HIPAA Breach Notification Rule’s deadline for reporting breaches is reached.

The rapidly initiated investigation is in response to the magnitude of the incident, which is disrupting health care and billing information systems nationwide and has been estimated to be costing providers well over a billion in reimbursement losses per day due to Change Healthcare’s systems being unavailable. The disruption caused to providers that use Change Healthcare’s systems is causing extreme financial difficulties and some providers have had to make difficult decisions about whether they can continue to operate. As such, the incident poses a direct threat to critically needed patient care and essential operations of the healthcare industry.

In a “Dear Colleague” letter uploaded to the HHS website, OCR Director Melanie Fontes Rainer said “Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

OCR also explained in the letter that its interest in other entities that partner with Change Healthcare and UnitedHealth Group is secondary. While OCR is not prioritizing investigations of healthcare providers, health plans, and business associates that have partnered with Change Healthcare or UnitedHealth Group, OCR has taken the opportunity to remind them that they have regulatory responsibilities under HIPAA and they must ensure that they have business associate agreements in place and that they issue timely notifications to the HHS and any affected individuals. In the letter, the OCR Director shared resources to assist HIPAA-regulated entities with protecting records, systems, and patients from cyberattacks.

“This is an unusual move by OCR but given the far-reaching impact of the cyberattack and the massive effect it is having on healthcare organizations that rely on Change Healthcare’s services and systems, the breach warrants swift investigation to determine if Change Healthcare and its parent company were fully compliant with the HIPAA Rules,” commented Steve Alder, Editor-in-Chief, The HIPAA Journal.

Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance (NCA), offered some advice for readers of The HIPAA Journal and shared some of the lessons that can be learned from this devastating cyberattack.

Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance

The cyberattack on UnitedHealth Group and Change Healthcare serves as a stark reminder of the critical need for robust cybersecurity measures within the healthcare sector. Firstly, healthcare organizations must prioritize comprehensive risk assessments and implement stringent security protocols to safeguard sensitive patient data. This includes regular security audits, employee training on cybersecurity best practices, encryption of data both at rest and in transit, and proactive monitoring for suspicious activities. Furthermore, investments in cutting-edge cybersecurity technologies and partnerships with reputable cybersecurity firms can bolster defenses against evolving cyber threats.

Additionally, the incident highlights the indispensable role of government oversight and regulation in safeguarding healthcare data. Government agencies, such as the Department of Health and Human Services’ Office for Civil Rights, play a vital role in enforcing compliance with health privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA). Through rigorous investigations and enforcement actions, regulatory bodies can hold healthcare entities accountable for lapses in data protection and ensure swift responses to cyber incidents. Moreover, collaboration between government agencies, law enforcement, and private sector stakeholders is essential to enhance threat intelligence sharing and coordinate responses to cyber threats, ultimately bolstering the resilience of the healthcare sector against future cyberattacks.

In light of the recent cyberattack on UnitedHealth Group and Change Healthcare, consumers and patients also play a crucial role in protecting their personal health information. One key step is to remain vigilant about sharing sensitive data, both online and offline, only with trusted healthcare providers and entities. Patients should inquire about the security measures implemented by their healthcare providers, including encryption protocols and data breach response plans. Additionally, individuals should regularly review their medical bills and insurance statements for any discrepancies or unauthorized charges, which could indicate fraudulent activity. Furthermore, maintaining strong, unique passwords for healthcare portals and enabling multi-factor authentication can add an extra layer of security to personal health information. By staying informed, vigilant, and proactive, consumers can contribute to safeguarding their own health data and mitigating the risks posed by cyber threats in the healthcare sector.

The post OCR Opens HIPAA Compliance Investigation of Change Healthcare appeared first on HIPAA Journal.

Indiana Attorney General Files Lawsuit Against Apria Healthcare Alleging HIPAA Violations

Posted March 1, 2024 by Steve Alder

Indiana Attorney General Todd Rokita has filed a lawsuit against Apria Healthcare alleging violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws following a cyberattack and data breach that affected 1,869,598 individuals, including 42,000 Hoosiers.

Apria Healthcare is an Indianapolis, IA-based provider of home healthcare equipment and related services. Apria Healthcare was notified by the Federal Bureau of Investigation (FBI) on September 1, 2021, about unauthorized access to its internal systems. The investigation confirmed that between April 5, 2019, and May 7, 2019, and again from August 27, 2021, to October 10, 2021, an unauthorized third party accessed its internal systems, including several employee email accounts. The electronic protected health information exposed included names, birth certificates, financial information, Social Security numbers, medical histories, and health information. Apria Healthcare determined that the reason for the intrusion was to obtain funds from Apria Healthcare rather than patient data. Notifications were mailed to the affected individuals in May 2023, more than 20 months after being notified about the breach by the FBI.

Attorney General Rokita alleged that Apria Healthcare deliberately concealed the data breach by failing to issue notifications for 629 days and that the delay violated the HIPAA Breach Notification Rule, which requires individual notifications to be issued to the affected individuals within 60 days of the discovery of a data breach. The delayed notification also violated Indiana’s Disclosure of a Security Breach Act, which requires notifications to be issued without undue delay and not more than 45 days after the discovery of a data breach. Owens and Minor acquired Apria Healthcare in March 2022. Attorney General Rokita alleged that Owens and Minor was aware of the data breaches yet still failed to issue timely notifications.

Attorney General Rokita also alleged violations of the HIPAA Privacy and Security Rules – the failure to implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, and the impermissible disclosure of the ePHI of more than 1.8 million individuals – and violations of the Indiana Deceptive Consumer Sales Act. “Patients should be able to trust their medical providers at all times,” said Attorney General Rokita. “All Hoosier patients deserve their privacy, especially when it comes to medical care. When your private information is accessible or leaked to a stranger, you’re susceptible to life-altering threats, such as identity theft and financial ruin. Our office has adamantly fought back against careless companies who disregard major cybersecurity threats.”

The post Indiana Attorney General Files Lawsuit Against Apria Healthcare Alleging HIPAA Violations appeared first on HIPAA Journal.

CMS Updates Policy to Allow Texting Patient Information and Patient Orders

Posted February 12, 2024 by Steve Alder

The Centers for Medicare and Medicaid Services (CMS) at the Department of Health and Human Services (HHS) has updated its policy on texting patient information between members of the care team and texting patient orders. Clinical teams are now permitted to text patient information provided they use a HIPAA-compliant texting platform to do so, and provided they are in compliance with the Conditions of Participation (CoPs). The CMS also permits the texting of patient orders.

In January 2018, the CMS issued a QSO-19-10-Hospital, CAHs Revised memorandum – Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) – acknowledging that many hospitals had adopted a secure text messaging platform for communicating among hospital and CAH team members; however, the CMS stated that texting patient orders from a provider to a member of the care team was not compliant with the CoPs due to concerns about privacy, record retention, and the confidentiality, security, and integrity of systems at the time. When the memorandum was written, most hospitals did not have the capability to use secure text messaging platforms to incorporate messages into electronic health records (EHRs). Improvements in technology over the past 6 years, such as the use of encryption, ensure that sensitive health information can be transmitted and stored securely and advances in technology, especially the application interface capabilities of text messaging platforms, allow data to be transferred into EHRs.

While texting patient orders is now permitted, Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider. If an order is entered via CPOE and immediately downloaded into the hospital’s or CAH’s EHR system, it is permitted under the CoPs because the order is dated, timed, authenticated, and promptly placed in the medical record. However, providers must utilize and maintain systems/platforms that are secure and encrypted. They must ensure the integrity of author identification and minimize risks to patient privacy and confidentiality, as required by HIPAA.

In addition, procedures and processes should be implemented that routinely assess the security and integrity of the texting systems/platforms to avoid negative outcomes that could compromise the care of patients. Any provider that opts to incorporate texting patient information or orders into the EHR should ensure that the platform is compliant with the requirements of the HITECH Act and HIPAA.

The post CMS Updates Policy to Allow Texting Patient Information and Patient Orders appeared first on HIPAA Journal.

OCR Seeks Feedback on HIPAA Audits

Posted February 12, 2024 by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is conducting a HIPAA Audit Review Survey and is seeking feedback from entities that were subjects of HIPAA compliance audits to gather information to improve future audit programs.

Between 2016 and 2017, OCR conducted its second phase of HIPAA compliance audits. The desk-based audit program involves documentation requests on specific aspects of the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. The audits revealed which elements of the HIPAA Rules were proving problematic for HIPAA-covered entities and their business associates.

The audit review survey is being conducted to gather information about the effect of the audits on the audited entities and their opinions on the audit process. The aim is to determine the efficacy of the audit program in assessing the efforts made by HIPAA-covered entities and their business associates to comply with the HIPAA Rules and measure the effect of the audits on covered entities’ and business associates’ subsequent actions to comply with HIPAA.

The survey will provide the audited entities with the opportunity to comment on the usefulness of HHS HIPAA guidance and communications, how easy the online submission portal was to use when uploading documentation requested by auditors, and whether the communicated findings of the audits and the audits themselves actually helped to improve entity compliance.

OCR is also seeking feedback on the burden that the audits placed on covered entities and business associates regarding the requested documentation and responses to audit-related requests, including the impact on day-to-day business operations. Questionnaires will consist of 39 questions and will be sent to Privacy and Security Officers at 166 HIPAA-covered entities and 41 business associates. The information collected will be used to improve future HIPAA compliance audits.

The post OCR Seeks Feedback on HIPAA Audits appeared first on HIPAA Journal.

HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations

Posted February 9, 2024 by Steve Alder

The U.S. Department of Health and Human Services (HHS) has finalized the proposed modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2). “The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.

The Part 2 regulations have been in effect since 1975 and protect “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder [SUD] education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” These records are subject to strict protections due to the sensitivity of the information contained in those records and avoid deterring people from seeking treatment for SUD due to fears about discrimination and prosecution.

The bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) called for the Part 2 regulations to be more closely aligned with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Breach Notification, and Enforcement Rules. On December 2, 2022, the HHS, via the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), published a Notice of Proposed Rulemaking (NPRM) to implement the changes required by the CARES Act. The comments received from industry stakeholders in response to the NPRM have been considered and appropriate modifications have been made before finalizing the changes.

The modifications include permitting the use and disclosure of Part 2 records based on a single patient consent. Once that consent has been given by a patient it covers all future uses and disclosures for treatment, payment, and health care operations. The final rule also permits disclosure of records without patient consent to public health authorities, provided the records are first deidentified using the methods stated in HIPAA. Redisclosure of Part 2 records by HIPAA-covered entities and business associates is permitted, provided those disclosures are in accordance with the HIPAA Privacy Rule, with certain exceptions. Separate consent is required for the disclosure of SUD clinician notes, which will be handled in the same way that psychotherapy notes are handled under HIPAA.

Patients’ SUD treatment records were already protected and could not be used to investigate or prosecute the patient unless written consent is obtained from the patient or as required by a court order that meets Part 2 requirements. Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have also been expanded in the final rule. The final rule clarifies the steps that investigative agencies must follow to be eligible for safe harbor. Before any request for records is made, the agency is required to search the SAMHSA treatment facility directory and check the provider’s Notice of Privacy Practices to determine if they are subject to Part 2.

The final rule gives patients new rights to obtain an “accounting of disclosures,” request restrictions on certain disclosures, and opt out of receiving fundraising communications, as is the case under the HIPAA Privacy Rule. Patients will also be able to file a complaint about Part 2 violations directly with the Secretary. In the event of a breach of Part 2 records, the requirements for notifications are now the same as the HIPAA Breach Notification Rule. The HHS has also been given enforcement authority, including the ability to impose civil monetary penalties for Part 2 violations. The criminal and civil penalties for Part 2 violations will be the same as those for violations of the HIPAA Rules. Other changes that have been introduced based on comments received on the NPRM include a statement confirming that Part 2 records do not need to be segregated and that it is not permitted to combine patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.

“Patient confidentiality is one of the bedrock principals in health care. People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration has made it a priority to end the stigmatization of those living with substance use disorders and give health care providers the tools they need so they can treat the whole patient while continuing to protect patient privacy. We will not rest until behavioral health is fully integrated into health care and those struggling with behavioral health challenges get the best treatment available.”

The final rule is due to be published in the Federal Register in mid-February. The compliance date has been set as 2 years from the date of publication. A fact sheet has been published by the HHS summarizing the changes that have been made in the Final Rule.

The post HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations appeared first on HIPAA Journal.

Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty

Posted February 7, 2024 by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Montefiore Medical Center has agreed to settle the investigation and has paid a $4.75 million penalty to resolve the alleged HIPAA violations. With this one penalty, OCR has already exceeded its total collections from its HIPAA enforcement actions in 2023 and this is the largest financial penalty to be imposed by OCR since January 2021’s $5.1 million penalty for Excellus Health Plan.

Like the Excellus investigation, OCR uncovered multiple failures to comply with the HIPAA Security Rule; however, the Excellus investigation was in response to a breach of the PHI of 9.35 million individuals. Montefiore Medical Center’s penalty stemmed from a report of a breach of the PHI of 12,517 patients. The scale of a data breach is taken into consideration by OCR when determining an appropriate penalty, but it is the nature of the underlying HIPAA violations that has the biggest impact on the size of a penalty, and Montefiore Medical Center’s HIPAA violations were deemed to be severe.

Montefiore Medical Center, a non-profit hospital system based in New York City, was notified by the New York Police Department in May 2015 that evidence had been uncovered of criminal HIPAA violations at the medical center. A patient’s protected health information had been stolen by an employee. An investigation was launched which revealed the employee had unlawfully accessed the medical records of 12,517 patients, copied their information, and sold the information to identity thieves. The former employee had been accessing the records without authorization for 6 months between January 1, 2013, through June 30, 2013.

Montefiore Medical Center notified OCR about the breach on July 22, 2015, and OCR informed Montefiore Medical Center on November 23, 2015, that it had initiated an investigation to assess whether the medical center was compliant with the HIPAA Rules. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to implement procedures to review records of activity in information systems, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems.

The insider incident investigated by OCR was not the last time that the medical center has had to deal with malicious insiders. There was an incident involving an employee accessing patient records without authorization between January 2018 and July 2020. The employee had accessed the records of 4,000 patients in connection with a vendor as part of a billing scam. In 2021, the medical center confirmed that another employee had accessed the medical records of patients without authorization over a period of 5 months in 2020. The Medical Center has since implemented a system to monitor patient records for unauthorized access by employees.

Montefiore Medical Center chose to settle the allegations with no admission of wrongdoing and agreed to implement a corrective action plan which includes the following requirements:

Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
Develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
Develop and implement a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
Distribute the revised policies and procedures to the workforce and provide training to the workforce on those revised policies and procedures.
Review and revise current Privacy and Security Rules policies and procedures based on the findings of the risk analysis.

OCR will monitor Montefiore Medical Center for compliance with the HIPAA Rules for 2 years. “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”

In the announcement about the settlement, OCR reminded HIPAA-regulated entities of their obligations under HIPAA to implement safeguards to mitigate or prevent cyber threats, including threats that originate inside as well as outside the organization. This settlement makes clear the consequences of failing to implement those safeguards.

The post Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty appeared first on HIPAA Journal.

Security Breaches in Healthcare in 2023

Posted January 31, 2024 by Steve Alder

An unwanted record was set in 2023 with 725 large security breaches in healthcare reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), beating the record of 720 healthcare security breaches set the previous year. Aside from 2015, the number of reported security breaches in healthcare has increased every year although the rate of increase is slowing and 2024 could see the healthcare industry start to turn the corner.

As the chart shows, healthcare security breaches are occurring twice as often as in 2017/2018, with two large healthcare data breaches reported each day on average in 2023. Just a few years ago it was alarming that large healthcare data security breaches were being reported at a rate of one a day. Little did we know how bad the situation would get in such a short space of time.

The healthcare industry is struggling to deal with increasingly sophisticated cyberattacks, although in many incidents cyber threat actors have exploited vulnerabilities that should have been identified and addressed long before they were found and exploited by hackers. Many healthcare organizations are failing at basic security measures and are not consistently adhering to cybersecurity best practices due to budgetary pressures, difficulty recruiting and retaining skilled IT security professionals, and confusion about the most effective steps to take to improve resilience to cyber threats.

With healthcare data breaches increasing year-over-year, something needs to be done to help healthcare organizations improve resilience to cyber threats and action is now being taken at the state and federal levels. In December 2023, the HHS published a concept paper outlining plans to improve resilience to cyber threats across the sector and limit the severity of attacks when defenses are breached. In the paper, the HHS indicated it will be adopting a carrot-and-stick approach by developing voluntary Healthcare and Public Health (HPH) Sector Cybersecurity Goals (CPGs) that consist of cybersecurity measures that will have the greatest impact on security along with an update to the HIPAA Security Rule to add new cybersecurity requirements.

In January 2024, the CPGs were unveiled. They consist of Essential CPGs, which are high-impact, low-cost steps that healthcare organizations can take to improve cybersecurity, and a set of Enhanced CPGs to help healthcare organizations mature their cybersecurity programs. The HHS also hopes to obtain the necessary funding to help low-resourced healthcare delivery organizations cover the initial cost of the cybersecurity improvements in the Essential CPGs and to create an incentive scheme to encourage the adoption of the Enhanced CPGs.

In response to an alarming increase in cyberattacks on New York hospitals, New York Governor Kathy Hochul announced new cybersecurity measures had been proposed for New York hospitals, which are expected to be finalized in the first half of 2024. Hospitals in the state will be given a 1-year grace period to comply with the new requirements and funding has been set aside to help them cover the cost of making the necessary improvements.

It is not just the increasing number of data breaches that is a cause of concern it is the scale of these data breaches. 2023 was the worst-ever year for breached healthcare records with breached records increasing by 156% from 2022 to 133,068,542 breached records, beating the previous record of 113 million records set in 2015. In 2023, an average of 373,788 healthcare records were breached every day.

The total of 133 million records is also likely to significantly increase. To meet the breach reporting requirements of the HIPAA Breach Notification Rule, OCR must be notified within 60 days of the discovery of a data breach. When that deadline is near and breached organizations have not yet completed their document reviews to find out how many individuals have had their protected health information (PHI) exposed, breaches are reported to OCR using a placeholder of 500 or 501 records. The breached entity can then amend its OCR breach report when the number of affected individuals has been confirmed. Currently, 54 data breaches in 2023 are listed on the OCR breach portal as affecting 500 or 501 individuals. Some of these incidents have been reported by large healthcare providers, health plans, and business associates, so some of those breaches could involve hundreds of thousands or even millions of records.

Biggest Healthcare Security Breaches in 2023

Since several large healthcare organizations and major vendors have yet to confirm how many individuals have been affected by data breaches, the list of the biggest healthcare data breaches in 2023 is subject to change. Based on current figures, 114 data breaches of 100,000 or more records were reported in 2023, including 26 data breaches of more than 1 million records, 5 data breaches of more than 5 million records, and one breach of 11.27 million records. The average data breach size in 2023 was 183,543 records and the median data breach size was 5,175 records.

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Cause of Data Breach
HCA Healthcare	TN	Business Associate	11,270,000	Hackers accessed an external storage location that was used to automatically format emails
Perry Johnson & Associates, Inc., which does business as PJ&A	NV	Business Associate	8,952,212	Hackers access to its network between March 27, 2023, and May 2, 2023
Managed Care of North America (MCNA)	GA	Business Associate	8,861,076	Ransomware attack with data leak (LockBit ransomware group)
Welltok, Inc.	CO	Business Associate	8,493,379	MOVEit Transfer vulnerability exploited (Clop hacking group)
PharMerica Corporation	KY	Healthcare Provider	5,815,591	Ransomware attack with data leak (Money Message ransomware group)
HealthEC LLC	NJ	Business Associate	4,452,782	Hackers had access to its network between July 14, 2023, and July 23, 2023
Reventics, LLC	FL	Business Associate	4,212,823	Ransomware attack with data leak (Royal ransomware group)
Colorado Department of Health Care Policy & Financing	CO	Health Plan	4,091,794	MOVEit Transfer vulnerability exploited at a vendor (Clop hacking group)
Regal Medical Group, Lakeside Medical Organization, ADOC Acquisition, & Greater Covina Medical Group	CA	Healthcare Provider	3,388,856	Ransomware attack with data leak (Unspecified, Russia-based ransomware group)
CareSource	OH	Business Associate	3,180,537	MOVEit Transfer vulnerability exploited (Clop hacking group)
Cerebral, Inc	DE	Business Associate	3,179,835	Impermissible disclosure of PHI via Pixel tracking code on its website
NationsBenefits Holdings, LLC	FL	Business Associate	3,037,303	Fortra GoAnywhere MFT vulnerability exploited (Clop hacking group)
Maximus, Inc.	VA	Business Associate	2,781,617	MOVEit Transfer vulnerability exploited (Clop hacking group)
ESO Solutions, Inc.	TX	Business Associate	2,700,000	Ransomware attack (ransomware group unknown)
Harvard Pilgrim Health Care	MA	Health Plan	2,624,191	Ransomware attack (ransomware group unknown)
Enzo Clinical Labs, Inc.	NY	Healthcare Provider	2,470,000	Ransomware attack (ransomware group unknown)
Florida Health Sciences Center, Inc. dba Tampa General Hospital	FL	Healthcare Provider	2,430,920	Ransomware attack (Snatch and Nokoyawa groups claimed credit)
Postmeds, Inc.	CA	Healthcare Provider	2,364,359	Hackers hack access to its network between August 30, 2023, and September 1, 2023
Centers for Medicare & Medicaid Services	MD	Health Plan	2,342,357	MOVEit Transfer vulnerability exploited at Maximus Inc. (Clop hacking group)
Arietis Health, LLC	FL	Business Associate	1,975,066	MOVEit Transfer vulnerability exploited (Clop hacking group)
Pension Benefit Information, LLC	MN	Business Associate	1,866,694	MOVEit Transfer vulnerability exploited (Clop hacking group)
Performance Health Technology	OR	Business Associate	1,752,076	MOVEit Transfer vulnerability exploited (Clop hacking group)
Prospect Medical Holdings, Inc.	CA	Business Associate	1,309,096	Ransomware attack and data leak (Rhysida group unknown)
PurFoods, LLC	IA	Healthcare Provider	1,229,333	Hackers had access to its network between January 16, 2023, and February 22, 2023
Virginia Dept. of Medical Assistance Services	VA	Health Plan	1,229,333	Hacking incident – details unknown
Nuance Communications, Inc.	MA	Business Associate	1,225,054	MOVEit Transfer vulnerability exploited (Clop hacking group)

Causes of Cybersecurity Breaches in Healthcare in 2023

There has been a leveling off of security breaches in healthcare in the last three years after a sharp increase in hacking incidents between 2018 and 2021, with only a 0.69% year-over-year increase in large data breaches. The year included two major mass hacking incidents by the Clop hacking group that affected many healthcare organizations. Clop-linked threat actors exploited zero-day vulnerabilities in two file transfer solutions – Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer. The first of these mass hacking incidents occurred in January with the group exploiting a remote code execution flaw – CVE-2023-0669 – in GoAnywhere MFT to attack almost 130 organizations, including healthcare organizations and business associates.

The second mass hacking incident occurred in May and was far more extensive. A zero-day vulnerability was exploited in MOVEit Transfer and more than 2,470 organizations had data stolen from their MOVEit servers. Across those incidents, the data of more than 94 million individuals was stolen. Many healthcare providers and business associates were affected, and the top three worst affected companies were HIPAA-regulated entities – Maximus, Welltok, and Delta Dental of California and Affiliates.

As the graph below shows, hacking incidents continue to dominate the breach reports with almost four times as many hacking incidents reported in 2023 than all other breach causes combined. 578 of the year’s 725 breaches were due to hacking and other IT incidents. The sharp rise in hacking incidents in 2018 is linked to the widespread use of ransomware and the proliferation of ransomware-as-a-service (RaaS) groups, which allowed attacks to be conducted at scale by recruiting affiliates to breach networks and receive a cut of any ransoms generated.

Data from the ransomware remediation firm Coveware shows ransomware attacks are becoming much less profitable, with fewer victims choosing to pay the ransom. In Q4, 2023, 29% of ransomware victims paid the ransom compared to 85% at the start of 2019. In these attacks, ransomware groups steal vast amounts of sensitive data. If the ransom is not paid, the data is leaked or sold to other threat actors and is used for a multitude of nefarious purposes, but it is ransom payments that are the main source of income for these groups, and with fewer ransoms being paid, ransomware actors need to conduct more attacks to maintain their incomes.

The number of healthcare records stolen in hacking incidents has increased sharply in recent years. In 2023, more than 124 million records were compromised in healthcare hacking incidents which is 93.5% of the year’s total number of breached records. On average, 215,269 healthcare records were stolen in each hacking incident (median 73,623 records). The scale of some of these hacking incidents emphasizes the need for network segmentation to limit the data that can be accessed if networks are breached, and the importance of implementing a zero trust architecture. Zero trust assumes that adversaries have already breached ‘perimeter’ defenses and requires verification and validation of every stage of a digital interaction.

Aside from hacking incidents, there are several other types of security breaches in healthcare. There was a 10.4% increase in unauthorized access and disclosure incidents in 2023 and a 13.6% increase in impermissibly accessed or disclosed records. 127 Unauthorized access/disclosure incidents were reported in 2023 and 8,598,916 records were accessed or disclosed across those incidents. These HIPAA breaches may be smaller than the hacking incidents, averaging 67,708 records per incident (median 1,809 records), but they can be just as harmful.

Improper disposal incidents have remained consistently low over the past 5 years (5 incidents in 2023) apart from a spike during the pandemic in 2020, and there has been a marked decline in loss/theft incidents, of which there were only 15 incidents reported in 2023 – the lowest total of any year to date. The fall in these incidents can be explained by the widespread use of encryption on portable electronic devices and the migration of data to the cloud.

Given the high percentage of hacking incidents, the most common locations of breached PHI – network servers – should come as no surprise. In 2023, 69.8% of large data breaches involved network servers (506 incidents). Email was the next most common location of compromised PHI, accounting for 18.3% of breaches (133 incidents). While multifactor authentication does not provide complete protection against email account breaches, widespread adoption of phishing-resistant multifactor authentication will see email data breaches reduce dramatically. Multifactor authentication is one of the Essential HPH CPGs and one of the most important security measures to implement in 2024.

Healthcare Security Breaches at HIPAA-Regulated Entities

The HIPAA Breach Notification Rule requires all breaches of protected health information to be reported to OCR and individual notifications to be sent to the affected individuals within 60 days of the discovery of a data breach. When a data breach occurs at a business associate of a HIPAA-covered entity, the entity that reports the breach will be dictated by the terms of the business associate agreement. Business associates often self-report their data breaches to OCR, but their covered entities may choose to report the breach themselves, or a combination of the two. For instance, Maximus Inc. disclosed in an SEC filing that the data of between 8 million and 11 million individuals was compromised in its MOVEit Transfer hacking incident, but Maximus reported the breach to OCR as affecting 2,781,617 individuals. Several clients chose to report the breach themselves.

The OCR breach data shows data breaches by the reporting entity, and as such, using that data for analyses means business associate data breaches will be underrepresented. In the table below we show data breaches by reporting entity and the charts reflect where the breach actually occurred.

Healthcare Security Breaches in 2023 – Reporting Entity

Entity Type	Data Breaches	Records Breached	Average Breach Size
Healthcare Provider	450	39,925,448	88,723
Business Associate	170	77,347,471	454,985
Health Plan	103	15,792,548	153,326
Healthcare Clearinghouse	2	3,075	1,538

Healthcare Security Breaches in 2023 – Location of Data Breach

The adjusted data shows healthcare providers suffered the most data breaches; however, data breaches at business associates were more severe, with more than 2.5 times as many records breached at business associates than at healthcare providers. The average size of a data breach at a healthcare provider was 89,983 records (median 5,354 records) whereas the average breach at a business associate was 338,394 records (median 5,314 records). 11 of the top 15 security breaches in healthcare in 2023 occurred at business associates of HIPAA-covered entities.

Securing the supply chain is one of the biggest cybersecurity challenges in healthcare. Healthcare organizations often outsource certain functions to specialist vendors and health systems often rely on dozens, if not hundreds, of different vendors, many of which require access to protected health information and every vendor used introduces risk. Healthcare organizations need to conduct due diligence on their vendors, including assessing their security controls. Before onboarding any new vendor it must be made abundantly clear what the business associate’s responsibilities are with respect to HIPAA, data security, and breach reporting.

Strengthening the security of the supply chain is labor-intensive and costly, and many healthcare organizations lack the appropriate resources to devote to vendor risk management, but vendor risk management failures can have significant ramifications. An inventory should be maintained on all vendors, including details of the business associate agreements, and data provided to each. A risk assessment should be conducted before onboarding any vendor including an assessment of their security posture. If a vendor fails to meet the necessary cybersecurity requirements, then they should not be used. If there is no suitable alternative, then controls should be put in place to manage risk and reduce it to a low and acceptable level. While vendors may confirm that they have implemented reasonable and appropriate safeguards and data security policies and procedures, there are no guarantees that those policies and procedures will be followed and cybersecurity standards maintained. Conducting assessments of vendor security at intake is not sufficient. There should be ongoing reviews and audits of vendors and suppliers. If an organization lacks the personnel to handle this in-house, then third-party consultants should be engaged to assist with these processes. Third-party risk management requirements are included in both the Essential and Enhanced CPGs announced by the HHS in January 2024.

HIPAA Security Breaches Reported in All 50 States

No U.S. state was able to avoid a healthcare security breach in 2023. Data breaches of 500 or more records were reported in all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. The states that experienced the most data breaches are the most heavily populated and have the highest number of HIPAA-regulated entities.

State	Number of Data Breaches
California	80
New York	63
Texas	58
Pennsylvania	40
Massachusetts	39
Illinois	36
Florida	33
Georgia & New Jersey	21
Arizona & Minnesota	17
Connecticut, Maryland, Michigan & Ohio	16
Indiana, North Carolina & Tennessee	15
Virginia	14
Iowa	13
Kansas & Oregon	12
Washington	11
Kentucky, Missouri, Mississippi & Wisconsin	10
Colorado	9
Alabama	8
Utah	7
Arkansas, Oklahoma, and South Carolina	6
Alaska	5
Idaho, Louisiana, Maine, North Dakota & West Virginia	4
Delaware & New Mexico	3
Montana, Nebraska, New Hampshire & Nevada	2
Hawaii, Rhode Island, South Dakota, Vermont, Wyoming, District of Columbia, Puerto Rico & the U.S. Virgin Islands	1

HIPAA Enforcement Activity in 2023

In 2023, OCR announced 13 settlements with HIPAA-regulated entities to resolve allegations of HIPAA violations, a 40.9% reduction from the previous year. These investigations stemmed from reviews of HIPAA compliance in response to reported data breaches and investigations of complaints from patients and health plan members about potential HIPAA violations. While the number of financial penalties fell, the funds raised from OCR enforcement actions increased from $2,124,140 in 2022 to $4,176,500 in 2023.

Since 2019, the majority of penalties imposed by OCR resolved alleged violations of the HIPAA Right of Access. The HIPAA Right of Access requires individuals to be provided with a copy of their health records, on request, within 30 days of that request being received and they should only be charged a reasonable, cost-based fee for exercising that right if they are charged at all. Since OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019, 46 penalties have been imposed for HIPAA Right of Access violations, 4 of which were in 2023. This is a significant reduction from the 17 HIPAA Right of Access fines imposed in 2022.

Penalties were imposed for other HIPAA Privacy Rule violations in 2023, including one penalty for a lack of policies and procedures relating to access to PHI by employees and one penalty for the failure to obtain authorization from patients before disclosing their PHI to a reporter. Following the overturning of the penalty imposed on the University of Texas MD Anderson Cancer Center in 2018, OCR appears to have been reluctant to pursue financial penalties for Security Rule violations in all but the most egregious cases. In 2023, OCR imposed seven penalties to resolve potential violations of the HIPAA Security Rule.

Violations of several HIPAA Security Rule provisions were cited in these enforcement actions, with t6 of the 7 enforcement actions involving risk analysis failures. Another common violation was the failure to maintain and review logs of activity in information systems containing ePHI to identify unauthorized access. One of the penalties stemmed from a report of snooping on medical records by security guards, with OCR determining there was a failure to implement policies and procedures relating to HIPAA Security Rule compliance and a lack of HIPAA Privacy Rule training.

OCR Enforcement Actions in 2023 Resulting in Financial Penalties

HIPAA-Regulated Entity	Penalty Amount	Penalty Type	Individuals Affected	Reason for Penalty
LA Care Health Plan	$1,300,000	Settlement	1,498	Risk analysis failure, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and impermissible disclosure of PHI
Banner Health	$1,250,000	Settlement	2.81 million	Risk analysis failure, lack of reviews of information system activity, lack of verification of identity for access to PHI, and a lack of technical safeguards
Lafourche Medical Group	$480,000	Settlement	34,862	No risk analysis prior to the 2021 phishing incident, and no procedures to regularly review logs of system activity prior to the incident
MedEvolve Inc.	$350,000	Settlement	230,572	Risk analysis failure, lack of a business associate agreement, and an impermissible disclosure of PHI
Yakima Valley Memorial Hospital	$240,000	Settlement	419	Lack of HIPAA Security Rule policies and procedures
Optum Medical Care	$160,000	Settlement	6	Failure to provide individuals with timely access to their medical records
Doctors’ Management Services	$100,000	Settlement	206,695	Risk analysis failure, lack of reviews of records of system activity, lack of policies/procedures to comply with the HIPAA Security Rule, and impermissible disclosure of PHI
UnitedHealthcare	$80,000	Settlement	1	Failure to provide an individual with timely access to their medical records
St. Joseph’s Medical Center	$80,000	Settlement	3	Disclosure of the PHI of patients to a reporter and a lack of HIPAA Privacy Rule training
iHealth Solutions (Advantum Health)	$75,000	Settlement	267	Risk analysis failure and an impermissible disclosure of PHI
Manasa Health Center, LLC	$30,000	Settlement	4	Impermissible PHI disclosure in response to online review
Life Hope Labs, LLC	$16,500	Settlement	1	Failure to provide an individual with timely access to their medical records
David Mente, MA, LPC	$15,000	Settlement	1	Failure to provide an individual with timely access to their medical records

Attorney General Penalties for HIPAA Violations in 2023

The was a major increase in enforcement actions by state attorneys general in 2023 in response to security breaches in healthcare, with 15 settlements reached with HIPAA-regulated entities to resolve violations of HIPAA and state consumer protection laws. In 2022 there were only three settlements with attorneys general to resolve HIPAA violations, four in 2021, and three in 2019. The majority of the penalties imposed in 2023 by state attorneys general resolved violations of the HIPAA Security Rule that were uncovered during data breach investigations. The majority of these cases involved a lack of reasonable and appropriate security measures such as multifactor authentication, access controls, encryption, security testing, data logging and monitoring, data retention, and up-to-date asset inventories.

Four settlements in 2023 came from multi-state actions. Since the entities concerned operated in multiple states, attorneys general pooled their resources and conducted joint investigations. The largest penalty of the year was imposed on Blackbaud and resolved multiple violations of the HIPAA Security Rule that contributed to a breach of the personal and protected health information of 5.5 million individuals. State attorneys general in Oregon, New Jersey, Florida & Pennsylvania joined forces in an investigation of a 2.1 million-record data breach at EyeMed Vision Care, and Pennsylvania & Ohio conducted a joint investigation of DNA Diagnostics Center over a 45,600-record data breach, both of which uncovered multiple HIPAA Security Rule failures.

32 states and Puerto Rico participated in an investigation of the Puerto Rican healthcare clearinghouse, practice management software, and electronic medical record provider Inmediata. HIPAA Security Rule failures were identified that led to a breach of the protected health information of more than 1.5 million individuals, followed by violations of the HIPAA Breach Notification Rule. California imposed a massive penalty on Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals. The case was resolved for $49 million and related to the improper disposal of PHI and hazardous waste, with the bulk of the settlement amount concerned with the latter.

State Attorney General	HIPAA-Regulated Entity	Penalty Amount	Penalty Type	Individuals Affected	Reason for Penalty
49 States and the District of Columbia	Blackbaud	$49,500,000	Settlement	5,500,000	Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state consumer protection laws
California	Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals	$49,000,000	Settlement	7,700	Violations of HIPAA for the improper disposal of PHI and violations of several state laws for the improper disposal of hazardous waste
Oregon, New Jersey, Florida & Pennsylvania	EyeMed Vision Care	$2,500,000	Settlement	2.1 million	Lack of administrative, technical, and physical safeguards, and access control failures – use of the same password by several employees.
32 States and Puerto Rico	Inmediata	$1,400,000	Settlement	1,565,338	Failure to implement appropriate safeguards to ensure data security, failure to conduct a secure code review, and data breach notification failures
New York	Practicefirst	$550,000	Settlement	1.2 million	Patch management failure, lack of encryption, and a lack of security testing.
New York	U.S. Radiology Specialists Inc.	$450,000	Settlement	198,260, including 92,540 New York residents	Failure to upgrade hardware to address a known vulnerability
California	Kaiser Permanente	$450,000	Settlement	Up to 167,095 individuals	Mailing error that resulted in an impermissible disclosure of PHI, failure to promptly halt mailings when there was a known error and negligent maintenance or disposal of medical information
New York	Healthplex	$400,000	Settlement	89,955 (62,922 New York residents)	Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments)
New York	Personal Touch Holding Corp dba Personal Touch Home Care	$350,000	Settlement	753,107 (316,845 New York residents)	Only had an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training
New York	New York Presbyterian Hospital	$300,000	Settlement	54,396	Violations of the HIPAA Privacy Rule and New York Executive Law due to the use of pixels on its website that transmitted PHI to third parties
Indiana	Schneck Medical Center	$250,000	Settlement	89,707	Failure to address known vulnerabilities in a timely manner and breach notification failures.
New York	Heidell, Pittoni, Murphy & Bach LLP	$200,000	Settlement	61,438 New York residents	Widespread non-compliance with the HIPAA Security Rule – 17 HIPAA violations
Pennsylvania & Ohio	DNA Diagnostics Center	$400,000	Settlement	45,600	Lack of safeguards to detect and prevent unauthorized access, failure to update asset inventory, and disable/remove assets that were not used for business purposes.
Indiana	CarePointe ENT	$125,000	Settlement	48,742	Failure to correct known security issues in a reasonable time frame, lack of business associate agreement
Colorado	Broomfield Skilled Nursing and Rehabilitation Center	$60,000 ($25,000 suspended)	Settlement	677	Violations of HIPAA data encryption requirements, violation of state data protection laws, and deceptive trading practices.

Outlook for 2024

It has been a particularly bad year for security breaches in healthcare with hacking incidents continuing to increase in number as well as severity. Cyber actors will continue to target the healthcare industry and with fewer victims paying ransoms, these attacks may even increase as ransomware actors attempt to maintain their incomes. In 2023 we saw increasingly aggressive tactics by ransomware groups including swatting attacks on patients when their healthcare provider refused to pay the ransom and these aggressive tactics look set to continue.

To reduce security breaches in healthcare, more must be done than achieving the minimum cybersecurity standards of the HIPAA Security Rule. If all healthcare organizations implemented the recently announced HHS Essential Cybersecurity Goals, there would be a marked reduction in healthcare cybersecurity breaches in 2024. In practice that will be difficult for many healthcare organizations due to limited budgets and a chronic shortage of skilled cybersecurity professionals; however, the HHS plans to make funding available to help cover the initial cost of security improvements and establish an incentive program for adopting the Enhanced Security Goals. These measures will go a long way toward raising the baseline level of cybersecurity in the healthcare industry and improving resilience to cyber threats.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Security Breaches in Healthcare in 2023 appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information