HIPAA Compliance News

HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations

Posted February 9, 2024 by Steve Alder

The U.S. Department of Health and Human Services (HHS) has finalized the proposed modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2). “The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.

The Part 2 regulations have been in effect since 1975 and protect “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder [SUD] education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” These records are subject to strict protections due to the sensitivity of the information contained in those records and avoid deterring people from seeking treatment for SUD due to fears about discrimination and prosecution.

The bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) called for the Part 2 regulations to be more closely aligned with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Breach Notification, and Enforcement Rules. On December 2, 2022, the HHS, via the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), published a Notice of Proposed Rulemaking (NPRM) to implement the changes required by the CARES Act. The comments received from industry stakeholders in response to the NPRM have been considered and appropriate modifications have been made before finalizing the changes.

The modifications include permitting the use and disclosure of Part 2 records based on a single patient consent. Once that consent has been given by a patient it covers all future uses and disclosures for treatment, payment, and health care operations. The final rule also permits disclosure of records without patient consent to public health authorities, provided the records are first deidentified using the methods stated in HIPAA. Redisclosure of Part 2 records by HIPAA-covered entities and business associates is permitted, provided those disclosures are in accordance with the HIPAA Privacy Rule, with certain exceptions. Separate consent is required for the disclosure of SUD clinician notes, which will be handled in the same way that psychotherapy notes are handled under HIPAA.

Patients’ SUD treatment records were already protected and could not be used to investigate or prosecute the patient unless written consent is obtained from the patient or as required by a court order that meets Part 2 requirements. Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have also been expanded in the final rule. The final rule clarifies the steps that investigative agencies must follow to be eligible for safe harbor. Before any request for records is made, the agency is required to search the SAMHSA treatment facility directory and check the provider’s Notice of Privacy Practices to determine if they are subject to Part 2.

The final rule gives patients new rights to obtain an “accounting of disclosures,” request restrictions on certain disclosures, and opt out of receiving fundraising communications, as is the case under the HIPAA Privacy Rule. Patients will also be able to file a complaint about Part 2 violations directly with the Secretary. In the event of a breach of Part 2 records, the requirements for notifications are now the same as the HIPAA Breach Notification Rule. The HHS has also been given enforcement authority, including the ability to impose civil monetary penalties for Part 2 violations. The criminal and civil penalties for Part 2 violations will be the same as those for violations of the HIPAA Rules. Other changes that have been introduced based on comments received on the NPRM include a statement confirming that Part 2 records do not need to be segregated and that it is not permitted to combine patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.

“Patient confidentiality is one of the bedrock principals in health care. People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration has made it a priority to end the stigmatization of those living with substance use disorders and give health care providers the tools they need so they can treat the whole patient while continuing to protect patient privacy. We will not rest until behavioral health is fully integrated into health care and those struggling with behavioral health challenges get the best treatment available.”

The final rule is due to be published in the Federal Register in mid-February. The compliance date has been set as 2 years from the date of publication. A fact sheet has been published by the HHS summarizing the changes that have been made in the Final Rule.

The post HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations appeared first on HIPAA Journal.

Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty

Posted February 7, 2024 by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Montefiore Medical Center has agreed to settle the investigation and has paid a $4.75 million penalty to resolve the alleged HIPAA violations. With this one penalty, OCR has already exceeded its total collections from its HIPAA enforcement actions in 2023 and this is the largest financial penalty to be imposed by OCR since January 2021’s $5.1 million penalty for Excellus Health Plan.

Like the Excellus investigation, OCR uncovered multiple failures to comply with the HIPAA Security Rule; however, the Excellus investigation was in response to a breach of the PHI of 9.35 million individuals. Montefiore Medical Center’s penalty stemmed from a report of a breach of the PHI of 12,517 patients. The scale of a data breach is taken into consideration by OCR when determining an appropriate penalty, but it is the nature of the underlying HIPAA violations that has the biggest impact on the size of a penalty, and Montefiore Medical Center’s HIPAA violations were deemed to be severe.

Montefiore Medical Center, a non-profit hospital system based in New York City, was notified by the New York Police Department in May 2015 that evidence had been uncovered of criminal HIPAA violations at the medical center. A patient’s protected health information had been stolen by an employee. An investigation was launched which revealed the employee had unlawfully accessed the medical records of 12,517 patients, copied their information, and sold the information to identity thieves. The former employee had been accessing the records without authorization for 6 months between January 1, 2013, through June 30, 2013.

Montefiore Medical Center notified OCR about the breach on July 22, 2015, and OCR informed Montefiore Medical Center on November 23, 2015, that it had initiated an investigation to assess whether the medical center was compliant with the HIPAA Rules. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to implement procedures to review records of activity in information systems, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems.

The insider incident investigated by OCR was not the last time that the medical center has had to deal with malicious insiders. There was an incident involving an employee accessing patient records without authorization between January 2018 and July 2020. The employee had accessed the records of 4,000 patients in connection with a vendor as part of a billing scam. In 2021, the medical center confirmed that another employee had accessed the medical records of patients without authorization over a period of 5 months in 2020. The Medical Center has since implemented a system to monitor patient records for unauthorized access by employees.

Montefiore Medical Center chose to settle the allegations with no admission of wrongdoing and agreed to implement a corrective action plan which includes the following requirements:

Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
Develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
Develop and implement a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
Distribute the revised policies and procedures to the workforce and provide training to the workforce on those revised policies and procedures.
Review and revise current Privacy and Security Rules policies and procedures based on the findings of the risk analysis.

OCR will monitor Montefiore Medical Center for compliance with the HIPAA Rules for 2 years. “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”

In the announcement about the settlement, OCR reminded HIPAA-regulated entities of their obligations under HIPAA to implement safeguards to mitigate or prevent cyber threats, including threats that originate inside as well as outside the organization. This settlement makes clear the consequences of failing to implement those safeguards.

The post Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty appeared first on HIPAA Journal.

Security Breaches in Healthcare in 2023

Posted January 31, 2024 by Steve Alder

An unwanted record was set in 2023 with 725 large security breaches in healthcare reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), beating the record of 720 healthcare security breaches set the previous year. Aside from 2015, the number of reported security breaches in healthcare has increased every year although the rate of increase is slowing and 2024 could see the healthcare industry start to turn the corner.

As the chart shows, healthcare security breaches are occurring twice as often as in 2017/2018, with two large healthcare data breaches reported each day on average in 2023. Just a few years ago it was alarming that large healthcare data security breaches were being reported at a rate of one a day. Little did we know how bad the situation would get in such a short space of time.

The healthcare industry is struggling to deal with increasingly sophisticated cyberattacks, although in many incidents cyber threat actors have exploited vulnerabilities that should have been identified and addressed long before they were found and exploited by hackers. Many healthcare organizations are failing at basic security measures and are not consistently adhering to cybersecurity best practices due to budgetary pressures, difficulty recruiting and retaining skilled IT security professionals, and confusion about the most effective steps to take to improve resilience to cyber threats.

With healthcare data breaches increasing year-over-year, something needs to be done to help healthcare organizations improve resilience to cyber threats and action is now being taken at the state and federal levels. In December 2023, the HHS published a concept paper outlining plans to improve resilience to cyber threats across the sector and limit the severity of attacks when defenses are breached. In the paper, the HHS indicated it will be adopting a carrot-and-stick approach by developing voluntary Healthcare and Public Health (HPH) Sector Cybersecurity Goals (CPGs) that consist of cybersecurity measures that will have the greatest impact on security along with an update to the HIPAA Security Rule to add new cybersecurity requirements.

In January 2024, the CPGs were unveiled. They consist of Essential CPGs, which are high-impact, low-cost steps that healthcare organizations can take to improve cybersecurity, and a set of Enhanced CPGs to help healthcare organizations mature their cybersecurity programs. The HHS also hopes to obtain the necessary funding to help low-resourced healthcare delivery organizations cover the initial cost of the cybersecurity improvements in the Essential CPGs and to create an incentive scheme to encourage the adoption of the Enhanced CPGs.

In response to an alarming increase in cyberattacks on New York hospitals, New York Governor Kathy Hochul announced new cybersecurity measures had been proposed for New York hospitals, which are expected to be finalized in the first half of 2024. Hospitals in the state will be given a 1-year grace period to comply with the new requirements and funding has been set aside to help them cover the cost of making the necessary improvements.

It is not just the increasing number of data breaches that is a cause of concern it is the scale of these data breaches. 2023 was the worst-ever year for breached healthcare records with breached records increasing by 156% from 2022 to 133,068,542 breached records, beating the previous record of 113 million records set in 2015. In 2023, an average of 373,788 healthcare records were breached every day.

The total of 133 million records is also likely to significantly increase. To meet the breach reporting requirements of the HIPAA Breach Notification Rule, OCR must be notified within 60 days of the discovery of a data breach. When that deadline is near and breached organizations have not yet completed their document reviews to find out how many individuals have had their protected health information (PHI) exposed, breaches are reported to OCR using a placeholder of 500 or 501 records. The breached entity can then amend its OCR breach report when the number of affected individuals has been confirmed. Currently, 54 data breaches in 2023 are listed on the OCR breach portal as affecting 500 or 501 individuals. Some of these incidents have been reported by large healthcare providers, health plans, and business associates, so some of those breaches could involve hundreds of thousands or even millions of records.

Biggest Healthcare Security Breaches in 2023

Since several large healthcare organizations and major vendors have yet to confirm how many individuals have been affected by data breaches, the list of the biggest healthcare data breaches in 2023 is subject to change. Based on current figures, 114 data breaches of 100,000 or more records were reported in 2023, including 26 data breaches of more than 1 million records, 5 data breaches of more than 5 million records, and one breach of 11.27 million records. The average data breach size in 2023 was 183,543 records and the median data breach size was 5,175 records.

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Cause of Data Breach
HCA Healthcare	TN	Business Associate	11,270,000	Hackers accessed an external storage location that was used to automatically format emails
Perry Johnson & Associates, Inc., which does business as PJ&A	NV	Business Associate	8,952,212	Hackers access to its network between March 27, 2023, and May 2, 2023
Managed Care of North America (MCNA)	GA	Business Associate	8,861,076	Ransomware attack with data leak (LockBit ransomware group)
Welltok, Inc.	CO	Business Associate	8,493,379	MOVEit Transfer vulnerability exploited (Clop hacking group)
PharMerica Corporation	KY	Healthcare Provider	5,815,591	Ransomware attack with data leak (Money Message ransomware group)
HealthEC LLC	NJ	Business Associate	4,452,782	Hackers had access to its network between July 14, 2023, and July 23, 2023
Reventics, LLC	FL	Business Associate	4,212,823	Ransomware attack with data leak (Royal ransomware group)
Colorado Department of Health Care Policy & Financing	CO	Health Plan	4,091,794	MOVEit Transfer vulnerability exploited at a vendor (Clop hacking group)
Regal Medical Group, Lakeside Medical Organization, ADOC Acquisition, & Greater Covina Medical Group	CA	Healthcare Provider	3,388,856	Ransomware attack with data leak (Unspecified, Russia-based ransomware group)
CareSource	OH	Business Associate	3,180,537	MOVEit Transfer vulnerability exploited (Clop hacking group)
Cerebral, Inc	DE	Business Associate	3,179,835	Impermissible disclosure of PHI via Pixel tracking code on its website
NationsBenefits Holdings, LLC	FL	Business Associate	3,037,303	Fortra GoAnywhere MFT vulnerability exploited (Clop hacking group)
Maximus, Inc.	VA	Business Associate	2,781,617	MOVEit Transfer vulnerability exploited (Clop hacking group)
ESO Solutions, Inc.	TX	Business Associate	2,700,000	Ransomware attack (ransomware group unknown)
Harvard Pilgrim Health Care	MA	Health Plan	2,624,191	Ransomware attack (ransomware group unknown)
Enzo Clinical Labs, Inc.	NY	Healthcare Provider	2,470,000	Ransomware attack (ransomware group unknown)
Florida Health Sciences Center, Inc. dba Tampa General Hospital	FL	Healthcare Provider	2,430,920	Ransomware attack (Snatch and Nokoyawa groups claimed credit)
Postmeds, Inc.	CA	Healthcare Provider	2,364,359	Hackers hack access to its network between August 30, 2023, and September 1, 2023
Centers for Medicare & Medicaid Services	MD	Health Plan	2,342,357	MOVEit Transfer vulnerability exploited at Maximus Inc. (Clop hacking group)
Arietis Health, LLC	FL	Business Associate	1,975,066	MOVEit Transfer vulnerability exploited (Clop hacking group)
Pension Benefit Information, LLC	MN	Business Associate	1,866,694	MOVEit Transfer vulnerability exploited (Clop hacking group)
Performance Health Technology	OR	Business Associate	1,752,076	MOVEit Transfer vulnerability exploited (Clop hacking group)
Prospect Medical Holdings, Inc.	CA	Business Associate	1,309,096	Ransomware attack and data leak (Rhysida group unknown)
PurFoods, LLC	IA	Healthcare Provider	1,229,333	Hackers had access to its network between January 16, 2023, and February 22, 2023
Virginia Dept. of Medical Assistance Services	VA	Health Plan	1,229,333	Hacking incident – details unknown
Nuance Communications, Inc.	MA	Business Associate	1,225,054	MOVEit Transfer vulnerability exploited (Clop hacking group)

Causes of Cybersecurity Breaches in Healthcare in 2023

There has been a leveling off of security breaches in healthcare in the last three years after a sharp increase in hacking incidents between 2018 and 2021, with only a 0.69% year-over-year increase in large data breaches. The year included two major mass hacking incidents by the Clop hacking group that affected many healthcare organizations. Clop-linked threat actors exploited zero-day vulnerabilities in two file transfer solutions – Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer. The first of these mass hacking incidents occurred in January with the group exploiting a remote code execution flaw – CVE-2023-0669 – in GoAnywhere MFT to attack almost 130 organizations, including healthcare organizations and business associates.

The second mass hacking incident occurred in May and was far more extensive. A zero-day vulnerability was exploited in MOVEit Transfer and more than 2,470 organizations had data stolen from their MOVEit servers. Across those incidents, the data of more than 94 million individuals was stolen. Many healthcare providers and business associates were affected, and the top three worst affected companies were HIPAA-regulated entities – Maximus, Welltok, and Delta Dental of California and Affiliates.

As the graph below shows, hacking incidents continue to dominate the breach reports with almost four times as many hacking incidents reported in 2023 than all other breach causes combined. 578 of the year’s 725 breaches were due to hacking and other IT incidents. The sharp rise in hacking incidents in 2018 is linked to the widespread use of ransomware and the proliferation of ransomware-as-a-service (RaaS) groups, which allowed attacks to be conducted at scale by recruiting affiliates to breach networks and receive a cut of any ransoms generated.

Data from the ransomware remediation firm Coveware shows ransomware attacks are becoming much less profitable, with fewer victims choosing to pay the ransom. In Q4, 2023, 29% of ransomware victims paid the ransom compared to 85% at the start of 2019. In these attacks, ransomware groups steal vast amounts of sensitive data. If the ransom is not paid, the data is leaked or sold to other threat actors and is used for a multitude of nefarious purposes, but it is ransom payments that are the main source of income for these groups, and with fewer ransoms being paid, ransomware actors need to conduct more attacks to maintain their incomes.

The number of healthcare records stolen in hacking incidents has increased sharply in recent years. In 2023, more than 124 million records were compromised in healthcare hacking incidents which is 93.5% of the year’s total number of breached records. On average, 215,269 healthcare records were stolen in each hacking incident (median 73,623 records). The scale of some of these hacking incidents emphasizes the need for network segmentation to limit the data that can be accessed if networks are breached, and the importance of implementing a zero trust architecture. Zero trust assumes that adversaries have already breached ‘perimeter’ defenses and requires verification and validation of every stage of a digital interaction.

Aside from hacking incidents, there are several other types of security breaches in healthcare. There was a 10.4% increase in unauthorized access and disclosure incidents in 2023 and a 13.6% increase in impermissibly accessed or disclosed records. 127 Unauthorized access/disclosure incidents were reported in 2023 and 8,598,916 records were accessed or disclosed across those incidents. These HIPAA breaches may be smaller than the hacking incidents, averaging 67,708 records per incident (median 1,809 records), but they can be just as harmful.

Improper disposal incidents have remained consistently low over the past 5 years (5 incidents in 2023) apart from a spike during the pandemic in 2020, and there has been a marked decline in loss/theft incidents, of which there were only 15 incidents reported in 2023 – the lowest total of any year to date. The fall in these incidents can be explained by the widespread use of encryption on portable electronic devices and the migration of data to the cloud.

Given the high percentage of hacking incidents, the most common locations of breached PHI – network servers – should come as no surprise. In 2023, 69.8% of large data breaches involved network servers (506 incidents). Email was the next most common location of compromised PHI, accounting for 18.3% of breaches (133 incidents). While multifactor authentication does not provide complete protection against email account breaches, widespread adoption of phishing-resistant multifactor authentication will see email data breaches reduce dramatically. Multifactor authentication is one of the Essential HPH CPGs and one of the most important security measures to implement in 2024.

Healthcare Security Breaches at HIPAA-Regulated Entities

The HIPAA Breach Notification Rule requires all breaches of protected health information to be reported to OCR and individual notifications to be sent to the affected individuals within 60 days of the discovery of a data breach. When a data breach occurs at a business associate of a HIPAA-covered entity, the entity that reports the breach will be dictated by the terms of the business associate agreement. Business associates often self-report their data breaches to OCR, but their covered entities may choose to report the breach themselves, or a combination of the two. For instance, Maximus Inc. disclosed in an SEC filing that the data of between 8 million and 11 million individuals was compromised in its MOVEit Transfer hacking incident, but Maximus reported the breach to OCR as affecting 2,781,617 individuals. Several clients chose to report the breach themselves.

The OCR breach data shows data breaches by the reporting entity, and as such, using that data for analyses means business associate data breaches will be underrepresented. In the table below we show data breaches by reporting entity and the charts reflect where the breach actually occurred.

Healthcare Security Breaches in 2023 – Reporting Entity

Entity Type	Data Breaches	Records Breached	Average Breach Size
Healthcare Provider	450	39,925,448	88,723
Business Associate	170	77,347,471	454,985
Health Plan	103	15,792,548	153,326
Healthcare Clearinghouse	2	3,075	1,538

Healthcare Security Breaches in 2023 – Location of Data Breach

The adjusted data shows healthcare providers suffered the most data breaches; however, data breaches at business associates were more severe, with more than 2.5 times as many records breached at business associates than at healthcare providers. The average size of a data breach at a healthcare provider was 89,983 records (median 5,354 records) whereas the average breach at a business associate was 338,394 records (median 5,314 records). 11 of the top 15 security breaches in healthcare in 2023 occurred at business associates of HIPAA-covered entities.

Securing the supply chain is one of the biggest cybersecurity challenges in healthcare. Healthcare organizations often outsource certain functions to specialist vendors and health systems often rely on dozens, if not hundreds, of different vendors, many of which require access to protected health information and every vendor used introduces risk. Healthcare organizations need to conduct due diligence on their vendors, including assessing their security controls. Before onboarding any new vendor it must be made abundantly clear what the business associate’s responsibilities are with respect to HIPAA, data security, and breach reporting.

Strengthening the security of the supply chain is labor-intensive and costly, and many healthcare organizations lack the appropriate resources to devote to vendor risk management, but vendor risk management failures can have significant ramifications. An inventory should be maintained on all vendors, including details of the business associate agreements, and data provided to each. A risk assessment should be conducted before onboarding any vendor including an assessment of their security posture. If a vendor fails to meet the necessary cybersecurity requirements, then they should not be used. If there is no suitable alternative, then controls should be put in place to manage risk and reduce it to a low and acceptable level. While vendors may confirm that they have implemented reasonable and appropriate safeguards and data security policies and procedures, there are no guarantees that those policies and procedures will be followed and cybersecurity standards maintained. Conducting assessments of vendor security at intake is not sufficient. There should be ongoing reviews and audits of vendors and suppliers. If an organization lacks the personnel to handle this in-house, then third-party consultants should be engaged to assist with these processes. Third-party risk management requirements are included in both the Essential and Enhanced CPGs announced by the HHS in January 2024.

HIPAA Security Breaches Reported in All 50 States

No U.S. state was able to avoid a healthcare security breach in 2023. Data breaches of 500 or more records were reported in all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. The states that experienced the most data breaches are the most heavily populated and have the highest number of HIPAA-regulated entities.

State	Number of Data Breaches
California	80
New York	63
Texas	58
Pennsylvania	40
Massachusetts	39
Illinois	36
Florida	33
Georgia & New Jersey	21
Arizona & Minnesota	17
Connecticut, Maryland, Michigan & Ohio	16
Indiana, North Carolina & Tennessee	15
Virginia	14
Iowa	13
Kansas & Oregon	12
Washington	11
Kentucky, Missouri, Mississippi & Wisconsin	10
Colorado	9
Alabama	8
Utah	7
Arkansas, Oklahoma, and South Carolina	6
Alaska	5
Idaho, Louisiana, Maine, North Dakota & West Virginia	4
Delaware & New Mexico	3
Montana, Nebraska, New Hampshire & Nevada	2
Hawaii, Rhode Island, South Dakota, Vermont, Wyoming, District of Columbia, Puerto Rico & the U.S. Virgin Islands	1

HIPAA Enforcement Activity in 2023

In 2023, OCR announced 13 settlements with HIPAA-regulated entities to resolve allegations of HIPAA violations, a 40.9% reduction from the previous year. These investigations stemmed from reviews of HIPAA compliance in response to reported data breaches and investigations of complaints from patients and health plan members about potential HIPAA violations. While the number of financial penalties fell, the funds raised from OCR enforcement actions increased from $2,124,140 in 2022 to $4,176,500 in 2023.

Since 2019, the majority of penalties imposed by OCR resolved alleged violations of the HIPAA Right of Access. The HIPAA Right of Access requires individuals to be provided with a copy of their health records, on request, within 30 days of that request being received and they should only be charged a reasonable, cost-based fee for exercising that right if they are charged at all. Since OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019, 46 penalties have been imposed for HIPAA Right of Access violations, 4 of which were in 2023. This is a significant reduction from the 17 HIPAA Right of Access fines imposed in 2022.

Penalties were imposed for other HIPAA Privacy Rule violations in 2023, including one penalty for a lack of policies and procedures relating to access to PHI by employees and one penalty for the failure to obtain authorization from patients before disclosing their PHI to a reporter. Following the overturning of the penalty imposed on the University of Texas MD Anderson Cancer Center in 2018, OCR appears to have been reluctant to pursue financial penalties for Security Rule violations in all but the most egregious cases. In 2023, OCR imposed seven penalties to resolve potential violations of the HIPAA Security Rule.

Violations of several HIPAA Security Rule provisions were cited in these enforcement actions, with t6 of the 7 enforcement actions involving risk analysis failures. Another common violation was the failure to maintain and review logs of activity in information systems containing ePHI to identify unauthorized access. One of the penalties stemmed from a report of snooping on medical records by security guards, with OCR determining there was a failure to implement policies and procedures relating to HIPAA Security Rule compliance and a lack of HIPAA Privacy Rule training.

OCR Enforcement Actions in 2023 Resulting in Financial Penalties

HIPAA-Regulated Entity	Penalty Amount	Penalty Type	Individuals Affected	Reason for Penalty
LA Care Health Plan	$1,300,000	Settlement	1,498	Risk analysis failure, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and impermissible disclosure of PHI
Banner Health	$1,250,000	Settlement	2.81 million	Risk analysis failure, lack of reviews of information system activity, lack of verification of identity for access to PHI, and a lack of technical safeguards
Lafourche Medical Group	$480,000	Settlement	34,862	No risk analysis prior to the 2021 phishing incident, and no procedures to regularly review logs of system activity prior to the incident
MedEvolve Inc.	$350,000	Settlement	230,572	Risk analysis failure, lack of a business associate agreement, and an impermissible disclosure of PHI
Yakima Valley Memorial Hospital	$240,000	Settlement	419	Lack of HIPAA Security Rule policies and procedures
Optum Medical Care	$160,000	Settlement	6	Failure to provide individuals with timely access to their medical records
Doctors’ Management Services	$100,000	Settlement	206,695	Risk analysis failure, lack of reviews of records of system activity, lack of policies/procedures to comply with the HIPAA Security Rule, and impermissible disclosure of PHI
UnitedHealthcare	$80,000	Settlement	1	Failure to provide an individual with timely access to their medical records
St. Joseph’s Medical Center	$80,000	Settlement	3	Disclosure of the PHI of patients to a reporter and a lack of HIPAA Privacy Rule training
iHealth Solutions (Advantum Health)	$75,000	Settlement	267	Risk analysis failure and an impermissible disclosure of PHI
Manasa Health Center, LLC	$30,000	Settlement	4	Impermissible PHI disclosure in response to online review
Life Hope Labs, LLC	$16,500	Settlement	1	Failure to provide an individual with timely access to their medical records
David Mente, MA, LPC	$15,000	Settlement	1	Failure to provide an individual with timely access to their medical records

Attorney General Penalties for HIPAA Violations in 2023

The was a major increase in enforcement actions by state attorneys general in 2023 in response to security breaches in healthcare, with 15 settlements reached with HIPAA-regulated entities to resolve violations of HIPAA and state consumer protection laws. In 2022 there were only three settlements with attorneys general to resolve HIPAA violations, four in 2021, and three in 2019. The majority of the penalties imposed in 2023 by state attorneys general resolved violations of the HIPAA Security Rule that were uncovered during data breach investigations. The majority of these cases involved a lack of reasonable and appropriate security measures such as multifactor authentication, access controls, encryption, security testing, data logging and monitoring, data retention, and up-to-date asset inventories.

Four settlements in 2023 came from multi-state actions. Since the entities concerned operated in multiple states, attorneys general pooled their resources and conducted joint investigations. The largest penalty of the year was imposed on Blackbaud and resolved multiple violations of the HIPAA Security Rule that contributed to a breach of the personal and protected health information of 5.5 million individuals. State attorneys general in Oregon, New Jersey, Florida & Pennsylvania joined forces in an investigation of a 2.1 million-record data breach at EyeMed Vision Care, and Pennsylvania & Ohio conducted a joint investigation of DNA Diagnostics Center over a 45,600-record data breach, both of which uncovered multiple HIPAA Security Rule failures.

32 states and Puerto Rico participated in an investigation of the Puerto Rican healthcare clearinghouse, practice management software, and electronic medical record provider Inmediata. HIPAA Security Rule failures were identified that led to a breach of the protected health information of more than 1.5 million individuals, followed by violations of the HIPAA Breach Notification Rule. California imposed a massive penalty on Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals. The case was resolved for $49 million and related to the improper disposal of PHI and hazardous waste, with the bulk of the settlement amount concerned with the latter.

State Attorney General	HIPAA-Regulated Entity	Penalty Amount	Penalty Type	Individuals Affected	Reason for Penalty
49 States and the District of Columbia	Blackbaud	$49,500,000	Settlement	5,500,000	Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state consumer protection laws
California	Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals	$49,000,000	Settlement	7,700	Violations of HIPAA for the improper disposal of PHI and violations of several state laws for the improper disposal of hazardous waste
Oregon, New Jersey, Florida & Pennsylvania	EyeMed Vision Care	$2,500,000	Settlement	2.1 million	Lack of administrative, technical, and physical safeguards, and access control failures – use of the same password by several employees.
32 States and Puerto Rico	Inmediata	$1,400,000	Settlement	1,565,338	Failure to implement appropriate safeguards to ensure data security, failure to conduct a secure code review, and data breach notification failures
New York	Practicefirst	$550,000	Settlement	1.2 million	Patch management failure, lack of encryption, and a lack of security testing.
New York	U.S. Radiology Specialists Inc.	$450,000	Settlement	198,260, including 92,540 New York residents	Failure to upgrade hardware to address a known vulnerability
California	Kaiser Permanente	$450,000	Settlement	Up to 167,095 individuals	Mailing error that resulted in an impermissible disclosure of PHI, failure to promptly halt mailings when there was a known error and negligent maintenance or disposal of medical information
New York	Healthplex	$400,000	Settlement	89,955 (62,922 New York residents)	Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments)
New York	Personal Touch Holding Corp dba Personal Touch Home Care	$350,000	Settlement	753,107 (316,845 New York residents)	Only had an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training
New York	New York Presbyterian Hospital	$300,000	Settlement	54,396	Violations of the HIPAA Privacy Rule and New York Executive Law due to the use of pixels on its website that transmitted PHI to third parties
Indiana	Schneck Medical Center	$250,000	Settlement	89,707	Failure to address known vulnerabilities in a timely manner and breach notification failures.
New York	Heidell, Pittoni, Murphy & Bach LLP	$200,000	Settlement	61,438 New York residents	Widespread non-compliance with the HIPAA Security Rule – 17 HIPAA violations
Pennsylvania & Ohio	DNA Diagnostics Center	$400,000	Settlement	45,600	Lack of safeguards to detect and prevent unauthorized access, failure to update asset inventory, and disable/remove assets that were not used for business purposes.
Indiana	CarePointe ENT	$125,000	Settlement	48,742	Failure to correct known security issues in a reasonable time frame, lack of business associate agreement
Colorado	Broomfield Skilled Nursing and Rehabilitation Center	$60,000 ($25,000 suspended)	Settlement	677	Violations of HIPAA data encryption requirements, violation of state data protection laws, and deceptive trading practices.

Outlook for 2024

It has been a particularly bad year for security breaches in healthcare with hacking incidents continuing to increase in number as well as severity. Cyber actors will continue to target the healthcare industry and with fewer victims paying ransoms, these attacks may even increase as ransomware actors attempt to maintain their incomes. In 2023 we saw increasingly aggressive tactics by ransomware groups including swatting attacks on patients when their healthcare provider refused to pay the ransom and these aggressive tactics look set to continue.

To reduce security breaches in healthcare, more must be done than achieving the minimum cybersecurity standards of the HIPAA Security Rule. If all healthcare organizations implemented the recently announced HHS Essential Cybersecurity Goals, there would be a marked reduction in healthcare cybersecurity breaches in 2024. In practice that will be difficult for many healthcare organizations due to limited budgets and a chronic shortage of skilled cybersecurity professionals; however, the HHS plans to make funding available to help cover the initial cost of security improvements and establish an incentive program for adopting the Enhanced Security Goals. These measures will go a long way toward raising the baseline level of cybersecurity in the healthcare industry and improving resilience to cyber threats.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Security Breaches in Healthcare in 2023 appeared first on HIPAA Journal.

December 2023 Healthcare Data Breach Report

Posted January 18, 2024 by Steve Alder

There was no letup in healthcare data breaches as the year drew to a close, with December seeing the second-highest number of data breaches of the year. The Department of Health and Human Services (HHS) Office for Civil Rights received 74 reports of healthcare data breaches of 500 or more records in December, which helped make 2023 a record-breaking year for healthcare data breaches. While there may still be some late additions to the list, as of January 18, 2023, 725 data breaches of 500 or more healthcare records have been reported to OCR in 2023 – The highest number since OCR started publishing records of data breaches on its “Wall of Shame.” To add some perspective, that is more than twice the number of data breaches that were reported in 2017.

It is not just the number of data breaches that is concerning. Healthcare data breaches have been increasing in severity and there have been ransomware attacks that have seen patients contacted and threatened directly with the exposure of their sensitive health data. Many of the data breaches reported in 2023 have been on a colossal scale, with December no exception with two multi-million-record data breaches reported.

Since 2009, when OCR created its Wall of Shame, the number of breached records has been trending upwards, but even the most pessimistic of security professionals would not have predicted at the start of 2023 that there would be such a massive rise in breached records. 2021 was a bad year with 45.9 million records breached, and 2022 was worse with 51.9 million breached records, but in 2023, an astonishing 133 million records were exposed or stolen. On January 18, 2023, the OCR breach portal showed 133,068,542 individuals had their protected health information exposed or stolen in 2023.

We will explore the year’s data breaches in greater detail and make predictions for the coming year in posts over the next few days but first, let’s take a dive into December’s data breaches to see where and how 11,306,411 healthcare records were breached.

The Biggest Healthcare Data Breaches in December 2023

Two of the largest data breaches of 2023 were reported in December, the largest of which occurred at the New Jersey-based analytics software vendor, HealthEC. Hackers gained access to a system used by more than 1 million healthcare professionals to improve patient outcomes. The platform contained the protected health information of 4,452,782 individuals. The data breach was the second in as many months to result in the exposure of the health data of more than 1 million Michigan residents, prompting the Michigan Attorney General to call for new legislation to hold companies accountable for breaches of healthcare data.

A 2.7 million-record data breach was reported by another business associate, ESO Solutions. ESO Solutions is a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, and had its network breached and files encrypted with ransomware. At least 12 health systems and hospitals are known to have been affected.

More than 900,000 records were obtained by hackers who gained access to an archive of data from the now defunct Fallon Ambulance Services, which was being stored to meet data retention requirements by Transformative Healthcare, and a cyberattack on Electrostim Medical Services exposed the data of almost 543,000 patients.

It has now been 7 months since the Clop hacking group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution and data breach reports continue to be issued. More than 2,600 organizations worldwide had data stolen in the attacks, with the healthcare industry among the worst affected.

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Cause of Data Breach
HealthEC LLC	NJ	Business Associate	4,452,782	Hacking incident (Data theft confirmed)
ESO Solutions, Inc.	TX	Business Associate	2,700,000	Ransomware attack
Transformative Healthcare (Fallon Ambulance Services)	MA	Healthcare Provider	911,757	Hacking incident (Data theft confirmed)
Electrostim Medical Services, Inc. dba EMSI	FL	Healthcare Provider	542,990	Hacking incident
Cardiovascular Consultants Ltd.	AZ	Healthcare Provider	484,000	Ransomware attack (Data theft confirmed)
Retina Group of Washington, PLLC	MD	Healthcare Provider	455,935	Ransomware attack
CompleteCare Health Network	NJ	Healthcare Provider	313,973	Ransomware attack (Data theft confirmed)
Health Alliance Hospital Mary’s Avenue Campus	NY	Healthcare Provider	264,197	Hacking incident (Data theft confirmed)
Independent Living Systems, LLC	FL	Business Associate	123,651	Hacking incident (MOVEit)
Pan-American Life Insurance Group, Inc.	LA	Health Plan	105,387	Hacking incident (MOVEit)
Meridian Behavioral Healthcare, Inc.	FL	Healthcare Provider	98,808	Hacking incident
Mercy Medical Center	IA	Healthcare Provider	97,132	Hacking incident at business associate (PJ&A)
Pan-American Life Insurance Group, Inc.	LA	Business Associate	94,807	Hacking incident (MOVEit)
Regional Family Medicine	AR	Healthcare Provider	80,166	Hacking incident
HMG Healthcare, LLC	TX	Healthcare Provider	80,000	Hacking Incident (Data theft confirmed)
Heart of Texas Behavioral Health Network	TX	Healthcare Provider	63,776	Hacking incident
Kent County Community Mental Health Authority d/b/a Network180	MI	Healthcare Provider	59,334	Unauthorized email account access
Highlands Oncology Group PA	AR	Healthcare Provider	55,297	Ransomware attack
Southeastern Orthopaedic Specialists, PA	NC	Healthcare Provider	35,533	Ransomware attack (Data theft confirmed)
Eye Physicians of Central Florida, PLLC, a division of Florida Pediatric Associates, LLC	FL	Healthcare Provider	31,189	Hacking incident (Data theft confirmed)
Clay County Social Services	MN	Business Associate	22,005	Ransomware attack (Data theft confirmed)
Bellin Health	WI	Healthcare Provider	20,790	Hacking incident
Neuromusculoskeletal Center of the Cascades, PC	OR	Healthcare Provider	19,373	Unauthorized email account access
Independent Living Systems, LLC	FL	Healthcare Provider	19,303	Hacking incident (MOVEit)
Community Memorial Healthcare, Inc.	KS	Healthcare Provider	14,798	Hacking incident
VNS Choice dba VNS Health Health Plans	NY	Health Plan	13,584	Unauthorized email account access
Hi-School Pharmacy	WA	Healthcare Provider	12,779	Ransomware attack

Many HIPAA-regulated entities keep information to the bare minimum in their breach reports, which allows them to meet legal requirements for breach reporting while minimizing the risk of disclosing information that could be used against them in class action lawsuits. The problem with this minimalistic breach reporting is the victims of the breach are not given enough information to accurately assess the risk they face, and the lack of transparency in data breach reporting makes it difficult to accurately assess how hackers are gaining access to healthcare networks and the nature of the attacks.

This is especially true for ransomware attacks and data theft/extortion attacks. Several breaches have been reported as hacking incidents where a possibility of unauthorized access to or theft of patient data, when the threat actors behind the attacks have claimed responsibility and have added the breached entity to their data leak sites. This trend has grown throughout the year.

December 2023 Data Breach Causes and Data Locations

All of December’s data breaches of 10,000 or more records were hacking incidents, which accounted for 83.78% of the month’s 74 data breaches (62 incidents) and 99.79% of the month’s breached healthcare records (11,283,128 records). The average breach size was 181,986 records and the median breach size was 6,728 records. In 2009, hacking incidents accounted for 49% of all data breaches of 500 or more records. In 2023, hacking incidents accounted for 79.72% of all large data breaches. Something clearly needs to be done to improve resiliency to hacking and there are signs of action being taken at the state and federal level.

In December 2023, OCR published its Healthcare Sector Cybersecurity Strategy which details several steps that OCR plans to take to improve cyber resiliency in the healthcare sector and patient safety. The extent to which these plans will be made a reality will depend on Congress making the necessary funding available. OCR is planning a much-needed update to the HIPAA Security Rule in 2024 and has stated that it will establish voluntary cybersecurity goals for the healthcare sector. OCR will be working with Congress to provide financial assistance for domestic investments in cybersecurity to help cover the initial cost. The New York Attorney General has also announced that there will be new cybersecurity requirements for hospitals in the state after a significant increase in cyberattacks, and that funds have been made available to help low-resource hospitals make the necessary improvements.

There were 8 data breaches classified as unauthorized access/disclosure incidents, involving 14,998 healthcare records. The average breach size was 1,875 records and the median breach size was 1,427 records. There were four loss/theft incidents reported in December, two of which involved stolen paperwork and two involved the loss of electronic devices, with the latter preventable if encryption had been used. 8,285 records were lost across these incidents.

The most common location of breached healthcare data was network services, which is unsurprising given the large number of hacking incidents. 14 data breaches involved protected health information stored in email accounts, three of which resulted in the exposure of more than 10,000 records.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in December with 49 reported breaches of 500 or more records, followed by business associates with 13 breaches, health pans with 11, and a single breach at a healthcare clearinghouse. While healthcare providers suffered the most breaches, it was data breaches at business associates that exposed the most records. Across the 13 business associate-reported breaches, 7,416,567 records were breached, compared to 3,730,791 records in the 49 breaches at healthcare providers. The health plan breaches exposed 156,479 records and 2,574 records were exposed in the healthcare clearinghouse data breach.

These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. A deeper dive into the data to determine where the breach actually occurred reveals there were 24 data breaches at business associates (7,544,504 records), 43 data breaches at healthcare providers (3,616,078 records), 6 data breaches at health plans (143,255 records), and one breach at a healthcare clearinghouse (2,574 records).

The average size of a business associate data breach was 314,354 records (median: 2,749 records), the average size of a healthcare provider data breach was 84,095 records (median: 5,809 records), and the average health plan data breach was 23,876 records (median: 7,695 records). The chart below shows where the data breaches occurred rather than the reporting entity.

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 32 states reported data breaches of 500 or more records in December. California was the worst affected state with 85 large data breaches followed by New York and Texas with 7 reported breaches.

State	Number of Breaches
California	8
New York & Texas	7
Florida	6
Massachusetts	4
New Jersey, Tennessee & Wisconsin	3
Arkansas, Connecticut, Illinois, Kansas, Kentucky, Louisiana, Maryland, North Carolina & Washington	2
Alaska, Arizona, Colorado, Iowa, Michigan, Minnesota, Mississippi, Missouri, Montana, New Mexico, North Dakota, Oregon, South Carolina, Virginia & West Virginia	1

HIPAA Enforcement in December 2023

OCR announced two enforcement actions against healthcare providers in December to resolve alleged violations of the HIPAA Rules. OCR continued its enforcement initiative targeting noncompliance with the HIPAA Right of Access with its 46th enforcement action over the failure to provide individuals with timely access to their medical records. Optum Medical Care of New Jersey settled its investigation and agreed to pay a financial penalty of $160,000 to resolve allegations that patients had to wait between 84 days and 231 days to receive their requested records when they should have been provided within 30 days.

OCR also announced its first-ever settlement resulting from an investigation of a phishing attack. Lafourche Medical Group in Louisiana suffered a phishing attack that resulted in the exposure of the protected health information of almost 35,000 individuals. While phishing attacks are not HIPAA violations, OCR’s investigation uncovered multiple violations of the HIPAA Security Rule, including no risk analyses prior to the 2021 phishing attack, and no procedures to regularly review logs of system activity before the attack. Lafourche Medical Group chose to settle the investigation and paid a $480,000 penalty.

These two enforcement actions bring the total number of OCR enforcement actions involving financial penalties up to 13, the lowest annual total since 2019, although there was a slight increase in funds raised from these enforcement actions with $4,176,500 collected in fines. OCR is pushing Congress to increase the penalties for HIPAA violations to make penalties more of a deterrent and also to provide much-needed funding to allow OCR to clear the backlog of HIPAA compliance investigations, in particular investigations of hacking incidents. Currently, OCR’s hands are tied, as the department’s budget has remained the same for years, aside from annual increases for inflation, yet its caseload of breach investigations has soared.

HIPAA Enforcement by State Attorneys General

State attorneys general have the authority to enforce HIPAA compliance and 2023 saw an increase in enforcement actions. The HIPAA Journal has tracked 16 enforcement actions by state attorneys general in 2023 that resolved violations of HIPAA or equivalent state consumer protection and data breach notification laws. In December, three enforcement actions were announced, two by New York Attorney General Letitia James and one by Indiana Attorney General Todd Rokita. New York has been particularly active this year having announced 4 settlements to resolve HIPAA violations in 2023 and the state also participated in two multi-state actions.

In December, AG James announced a settlement had been reached with Healthplex to resolve alleged violations of New York’s data security and consumer protection laws with respect to data retention, logging, MFA, and data security assessments which contributed to a cyberattack and data breach that affected 89,955 individuals. The case was settled for $400,000. AG James also investigated New York Presbyterian Hospital over a reported breach of the health information of 54,396 individuals related to its use of tracking technologies on its website, which sent patient data to third parties such as Meta and Google in violation of the HIPAA Privacy Rule and New York Executive Law. The case was settled for $300,000.

The Indiana Attorney General investigated CarePointe ENT over a breach of the health information of 48,742 individuals. AG Rokita alleged that CarePointe ENT was aware of security issues several months before they were exploited by cybercriminals but did not address them in a timely manner. There was also no business associate agreement with its IT services provider. The investigation was settled for $125,000.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on January 18, 2023.

The post December 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

New HIPAA Rules

Posted January 18, 2024 by Steve Alder

The New HIPAA Rules and the Changes for Reporting Breaches of PHI

Although the new HIPAA rules introduced in the Final Omnibus Rule of 2013 did not make many changes to the existing Security and Privacy Rules, they did have significant implications for covered entities that have failed to take measures to prevent the unauthorized disclosure of Protected Health Information (PHI).

Whereas previously, covered entities could avoid reporting breaches of PHI when there was a low risk of harm to a patient´s reputation or finances, the new HIPAA rules stipulate that all breaches of PHI must now be reported to the Office for Civil Rights (OCR) unless a documented procedure is completed that justifies the failure to report the breach.

The documented procedure has to demonstrate that there was a low risk of harm to the patient due to the nature of the PHI that was disclosed or due to the person(s) to whom it was disclosed. If multiple identifying elements have been disclosed, or the person to whom it was disclosed is unknown, HIPAA covered entities must report the breach to the OCR – unless it can be proven that the breach of PHI did not result in an unauthorized disclosure, or the risk of harm to a patient was mitigated by the destruction of the disclosed PHI.

In addition to this revised criteria for reporting breaches of PHI to the OCR, the new HIPAA rules increased the fines for non-compliance with the Security and Privacy Rules – the additional revenue being allocated to tougher enforcement of HIPAA. Shortly following the release of the new HIPAA rules, it was announced that the OCR would be conducting a round of audits – a worrying concern for any covered entity that has still failed to take measures to prevent the unauthorized disclosure of PHI.

How to Avoid Data Breaches with Secure Messaging

Rather than finding ways to avoid reporting data breaches to the OCR, it is in a covered entity´s best interests to avoid data breaches altogether. Studies conducted into the primary reasons for the unauthorized disclosure of PHI report that the theft of laptops, mobile devices and USB Flash drives account for nearly half of all PHI breaches. Therefore, these risks of harm to a patient´s reputation or finances should be the first to be eliminated.

One of the best solutions for achieving this objective is secure messaging – a communications platform that protects the integrity of PHI and prevents the unauthorized disclosure of Protected Health Information by encapsulating PHI within a private network. Secure messaging is an ideal and HIPAA compliant alternative to emails and SMS, as safeguards exist to prevent PHI being saved to a user´s device or a USB Flash drive.

Secure messaging also restricts access to PHI to authorized users, who can then communicate encrypted PHI with other authorized users via secure messaging apps. The secure messaging apps work across all operating systems and devices so that authorized users retain the same speed and convenience of modern technology as they currently enjoy using personal mobile devices to support their workloads.

All activity on the secure messaging network is monitored to ensure compliance with the new HIPAA rules and the secure messaging policies that have been implemented to support them. In the event that a laptop of Smartphone – to which a message containing PHI has been sent – is stolen, administrators have the ability to remote delete all protected Health Information and PIN-lock the app to prevent the unauthorized disclosure of PHI.

The Comprehensive Benefits of Secure Messaging

The mechanisms included in secure messaging solutions to ensure 100% message accountability have resulted in a significant acceleration of the communications cycle in healthcare organizations. Phone tag has been practically eliminated in many healthcare organizations that have implemented a secure messaging solution to comply with the new HIPAA rules – resulting in increased productivity among healthcare providers.

The group messaging facility on the secure messaging apps has been proven to foster collaboration between healthcare providers, and also to accelerate patient admissions and hospital discharges – saving many medical facilities more than $500,000 per year. Studies into the cost of operating a secure messaging solution have also found secure messaging up to 40% less expensive than alternative, unsecure channels of communication.

As well as reducing costs, increasing staff efficiency and helping healthcare organizations to comply with the new HIPAA rules, secure messaging solutions have also been beneficial to patients. According to a 2015 study by the Tepper School of Business at the Carnegie Mellon University, patient safety issues are reduced by 27% and medication errors reduced by 30% when a secure messaging solution is integrated with a healthcare organization´s EMRs.

The post New HIPAA Rules appeared first on HIPAA Journal.

Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment

Posted January 9, 2024 by Steve Alder

New York Attorney General Letitia James has announced that an agreement has been reached with Refuah Health Center Inc. to resolve allegations it failed to maintain reasonable and appropriate cybersecurity controls to protect and limit access to sensitive patient data stored on its network. Under the terms of the agreement, Refuah Health Center has agreed to invest $1.2 million in cybersecurity and will pay $450,000 in penalties and costs.

The NY AG launched an investigation of Refuah Health Center after being notified about a May 2021 ransomware attack that compromised the personal and protected health information of 260,740 individuals, including 175,077 New Yorkers. The Lorenz ransomware group gained access to internal systems in late May 2021, initially compromising a system that was used for viewing videos from internal cameras monitoring its facilities. That system was only protected with a four-digit code.

The attackers stole administrator credentials that were used by a former IT vendor to remotely access the network. The credentials had not been changed for 11 years and had not been deleted or disabled, even though they had not been used by the IT vendor in 7 years. The account did not have multifactor authentication enabled. The credentials allowed access to a large number of files containing patient information that had not been encrypted at the file level.

The Lorenz group exfiltrated data and encrypted files with ransomware. They contacted Refuah and issued a ransom demand and provided proof of data theft, including a list of files that were copied and a screenshot of patient data consistent with a database associated with Refuah’s dental practice. The third-party forensic investigation concentrated on the files that were stored on the shared network space but Refuah did not investigate to determine whether the database had been accessed, even though the attackers provided a screenshot of that database that displayed the records of 34 patients.

Refuah completed its analysis of the files on March 2, 2022, then mailed notification letters on April 29, 2022. The data compromised in the attack included patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account numbers, and health insurance policy numbers.

Multiple HIPAA Security Rule Failures Identified

The NY AG looked at the administrative and technical safeguards that had been implemented and identified widespread noncompliance with the HIPAA Security Rule. Refuah Health Center had not conducted a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information since March 2017 in violation of 45 C.F.R § 164.308(a)(1)(ii)(A) and (B) and had not addressed vulnerabilities that were identified in that risk analysis in the four years since it was conducted, in violation of § 164.306(a).

There were insufficient policies and procedures to prevent, detect, contain, and correct security violations, in violation of § 164.308(a)(1)(i), a lack of policies and procedures authorizing access to ePHI in violation of § 164.308(a)(4)(i), and no procedures for regularly reviewing logs of information system activity, in violation of § 164.308(a)(1)(ii)(D).

Policies and procedures for granting right of access based on access authorization policies were not present, in violation of § 164.308(a)(4)(ii)(B) and (C), there were no procedures for monitoring log-in attempts and reporting discrepancies nor procedures for creating, changing, and safeguarding passwords, in violation of § 164.308(a)(5)(ii)(C) and (D), and insufficient policies and procedures to address security incidents, and identifying and responding to suspected or known security incidents, in violation of § 164.308(a)(6)(i) and (ii).

Further, there were insufficient periodic technical and nontechnical evaluations of security policies and procedures (§ 164.308(a)(8)), insufficient technical policies and procedures for systems that maintain ePHI to allow access to persons granted access rights and no mechanism to encrypt ePHI (§ 164.312(a)(1) and (2)(iv)), insufficient controls for recording and examining activity in systems that contain or use ePHI (§ 164.312(b)), and insufficient verification of persons seeking access to ePHI to ensure they are who they claim to be (§ 164.312(d)).

The NY AG also determined there had been two violations of New York General Business Law, which requires the implementation and maintenance of reasonable safeguards to protect consumer information (§ 899-bb), and the disclosure of a data breach in the most expedient time possible and without unreasonable delay (§ 899-aa). The later was also determined to be a violation of the HIPAA Breach Notification Rule (§ 164.404).

The agreement with the NY AG includes the requirement to invest $1.2 million in cybersecurity and make substantial improvements to its information security program, data retention policies, and incident response policies and procedures. Refuah is also required to issue notifications to all individuals whose data was compromised within 90 days.

“New Yorkers should receive medical care and trust that their personal and health information is safe,” said Attorney General James. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”

The post Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment appeared first on HIPAA Journal.

Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital

Posted December 28, 2023 by Steve Alder

New York Presbyterian Hospital has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with the New York Attorney General and will pay a financial penalty of $300,000.

NYP operates 10 hospitals in New York City and the surrounding metropolitan area and serves approximately 2 million patients a year. In June 2016, NYP added tracking pixels and tags to its nyp.org website to track visitors for marketing purposes. In early June 2022, NYP was contacted by a journalist from The Markup and was informed that these tools were capable of transmitting sensitive information to the third-party providers of the tools, including information classified as protected health information under HIPAA.

On June 16, 2023, The Markup published an article about the use of these tools by NYP and other U.S. hospitals, by which time NYP had already taken steps to remove the tools from its website and had initiated a forensic investigation to determine the extent of any privacy violations. NYP determined that PHI had potentially been impermissibly disclosed and reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on March 20, 2023, as involving the protected health information (PHI) of up to 54,396 individuals.

NY Attorney General Launches HIPAA Investigation

NY Attorney General, Letitia James opened an investigation of NYP in response to the reported breach to determine whether NYP had violated HIPAA and New York laws. The investigation confirmed that NYP had added several tracking tools to its website that were provided by third parties such as Bing, Google, Meta/Facebook, iHeartMedia, TikTok, The Trade Desk, and Twitter. These tools were configured to trigger on certain user events on its website. Most were configured to send information when a webpage loaded, and some sent information in response to clicks on certain links, the transmission of forms, and searches conducted on the site. The snippets of information sent to third parties included information about the user’s interactions on the website, including the user’s IP address, URLs visited, and searches. The tools provided by Google, Meta, and the Trade Desk also received unique identifiers that had been stored in cookies on the user’s devices.

Meta/Facebook also received information such as first and last name, email address, mailing address, and gender information, if that information was entered on a webpage where the Meta pixel was present. In some cases, the information sent to third parties included health information, such as if the user researched health information, performed a search for a specialist doctor, or scheduled an appointment. Certain URLs also revealed information about a specific health condition.

The tracking tools from Meta, Google, and the Trade Desk were used to serve previous website visitors with targeted advertisements based on their previous interactions on the website. NYP and its digital marketing vendor also used Meta pixel data to categorize website visitors based on the pages they visited and used Meta pixel to serve advertisements to other individuals with similar characteristics, known as “lookalike audiences.” For example, NYP identified individuals who visited webpages related to prostate cancer, and those individuals were then served targeted advertisements on other third-party websites related to prostate cancer.

Commonly Used Website Tracking Tools Violate HIPAA

These tracking tools are widely used by businesses of all types and sizes for marketing, advertising, and data collection purposes; however, in contrast to most businesses with an online presence, hospitals are HIPAA-covered entities and are required by federal law to ensure the privacy of personal and health information. As confirmed by the HHS’ Office for Civil Rights in December 2022 guidance, third-party tools that are capable of collecting and transmitting PHI may only be used if there is a business associate agreement (BAA) in place and the disclosure of PHI is permitted by HIPAA or if HIPAA-compliant authorizations have been obtained from patients. NYP, like many other HIPAA-covered entities that used these tools, had no BAAs in place with the tracking tool vendors and did not obtain consent from patients to disclose their PHI to those vendors.

The New York Attorney General determined that while NYP had policies and procedures relating to HIPAA compliance and patient privacy, they did not include appropriate policies and procedures for vetting third-party tracking tools. The New York Attorney General determined that the use of these tools violated § 164.502(a) of the HIPAA Privacy Rule, which prohibits disclosure of PHI, and § 164.530(c) and (i), which requires administrative, technical, and physical safeguards to protect the privacy of PHI and policies and procedures to comply with those requirements. NYP was also found to have violated New York Executive Law § 63 (12), by misrepresenting the manner and extent to which it protects the privacy, security, and confidentiality of PHI.

Settlement Agreed to Resolve Alleged Violations of HIPAA and State Laws

NYP fully cooperated with the investigation and chose to settle the alleged violations with no admission or denial of the findings of the investigation. In addition to the financial penalty, NYP has agreed to comply with Executive Law § 63 (12), General Business Law § 899-aa, and the HIPAA Privacy Rule Part 164 Subparts E and the HIPAA Breach Notification Rule 45 C.F.R. Part 164 Subpart D concerning the collection, use, and maintenance of PHI. NYP is also required to contact all third parties that have been sent PHI and request that information be deleted and NYP has agreed to conduct regular audits, reviews, and tests of third-party tools before deploying them to an NYP website or app, and conduct regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools.

NYP is also required to clearly disclose on all websites, mobile applications, and other online services it owns or operates, all third parties that receive PHI as the result of a pixel, tag, or other online tool, and provide a clear description of the PHI that is received. The notice must be placed on all unauthenticated web pages that allow individuals to search for doctors or schedule appointments, as well as any webpage that addresses specific symptoms or health conditions.

OCR’s guidance on tracking technologies is being challenged in court due to doubts about whether the types of information collected by tracking tools fall under the HIPAA definition of PHI. The requirements of the settlement concerning the use of tracking technologies and the restrictions imposed will remain in effect until the relevant sections of OCR’s guidance are amended, superseded, withdrawn, revoked, supplanted by successive guidance, or temporarily or permanently enjoined and/or rejected by a court ruling applicable to HIPAA-covered entities in New York.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients’ personal information and health data. New York-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that New York-Presbyterian is not negligent in protecting its patients’ information.”

A spokesperson for NYP responded to the resolution of the investigation and provided the following statement, “We are pleased to have reached a resolution with the New York State Attorney General on this matter. The privacy and security of our patients’ health information is of paramount importance, and the protection of this confidential information remains a top priority. We continually assess our data collection, data privacy, and digital monitoring tools and practices so that they meet or exceed the highest standards.”

The post Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital appeared first on HIPAA Journal.

Seattle Children’s Hospital Sues Texas AG Over Demand for Trans Youth Medical Records

Posted December 27, 2023 by Steve Alder

The Texas Attorney General sent a civil investigative demand to Seattle Children’s Hospital seeking access to the medical records of trans patients. The hospital refused to provide the records and has filed a lawsuit that requests a Texas judge nullify the Attorney General’s demands.

The American Medical Association and the American Academy of Pediatrics believe that gender-affirming care is medically necessary and, in some cases, can be a lifesaving treatment for transgender youth; however, 20 states have imposed bans or placed restrictions on gender-affirming care for minors, and dozens of bills are being considered in other states. Earlier this year, Texas was added to that list when SB 14 was signed into law by Texas Governor Greg Abbott. The law prohibits the provision of gender transition care to Texas residents under 18 years of age.

In November 2023, Texas Attorney General Ken Paxton issued a civil investigative demand for the records of Texas residents who visited Seattle Children’s Hospital to receive gender-affirming care when under 18 years of age. In Washington, gender transition care can be legally provided to minors, including to individuals who travel to Washington from other U.S. states. AG Paxton sought access to information on diagnoses, lab test results, visit records, treatment for gender dysphoria, and other information about minor trans patients from Texas dating back to January 2022, along with the hospital’s standard protocol for treating patients with gender dysphoria who live in Texas. The hospital was given until December 7, 2023, to respond and provide the requested records.

The civil investigative demand was issued by the Texas Attorney General’s Consumer Protection Division as part of an investigation into alleged violations of the Texas Deceptive Trade Practices Act, specifically, the misrepresenting gender-affirming care. The demand for records was also accompanied by a threat of fines of $5,000 or a year in jail for anyone who concealed or falsified information. Seattle Children’s Hospital refused to provide the requested records and claimed that handing over the requested information would violate the Health Insurance Portability and Accountability Act (HIPAA), state healthcare privacy laws, and the recently passed House Bill (HB) 1469 – The Shield Law. The Shield Law protects individuals who travel to Washington to receive protected medical services such as abortion and gender-affirming care, which are banned or restricted in their home states.

Seattle Children’s Hospital also explained in its lawsuit that it owns no land in Texas, does not provide telehealth services to Texas residents, and has no offices in Texas, and while the hospital does employ a small number of individuals in Texas, none of those employees deal with gender-affirming care, therefore the state has no jurisdiction over the hospital’s practices. The lawsuit claims that the Texas Attorney General’s demands are unconstitutional and are an attempt to chill potential travel from Texas to obtain legal healthcare in another state. The lawsuit requests a Texas Travis County Court Judge overrule AG Paxton’s civil investigative demand, or at least modify the request or grant an extension for reply.

Washington University (WU) has also taken legal action against a state attorney general over a civil investigative demand that sought access to the medical records of trans patients, in that case, the demand was issued by the Missouri Attorney General as part of an investigation into deceptive trade practices under Missouri law. The Missouri attorney general responded with its own lawsuit seeking an order from the court for WU to provide the records immediately, and to get clarification from the court as to whether providing the requested records violated HIPAA.

The post Seattle Children’s Hospital Sues Texas AG Over Demand for Trans Youth Medical Records appeared first on HIPAA Journal.

November 2023 Healthcare Data Breach Report

Posted December 21, 2023 by Steve Alder

After two months of declining healthcare data breaches, there was a 45% increase in reported breaches of 500 or more healthcare records. In November, 61 large data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) – three more than the monthly average for 2023. From January 1, 2023, through November 30, 2023, 640 large data breaches have been reported.

In addition to an increase in data breaches, there was a massive increase in the number of breached records. 22,077,489 healthcare records were exposed or compromised across those 61 incidents – a 508% increase from October. November was the second-worst month of the year in terms of breached records behind July, when 24 million healthcare records were reported as breached. There is still a month of reporting left but 2023 is already the worst-ever year for breached healthcare records. From January 1, 2023, through November 30, 2023, 115,705,433 healthcare records have been exposed or compromised – more than the combined total for 2021 and 2022.

Largest Healthcare Data Breaches in November 2023

November was a particularly bad month for large data breaches, with 28 breaches of 10,000 or more records, including two breaches of more than 8 million records. Two of the breaches reported in November rank in the top ten breaches of all time and both occurred at business associates of HIPAA-covered entities. The largest breach occurred at Perry Johnson & Associates, Inc. (PJ&A) a provider of medical transcription services. The PJ&A data breach was reported to OCR as affecting 8,952,212 individuals, although the total is higher, as some of its clients have chosen to report the breach themselves. Hackers had access to the PJ&A network for more than a month between March and May 2023.

The second-largest breach was reported by Welltok, Inc. as affecting 8,493,379 individuals. Welltok works with health plans and manages communications with their subscribers. The Welltok data breach is one of many 2023 data breaches involving the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution by the Clop hacking group. Globally, more than 2,615 organizations had the vulnerability exploited and data stolen.

A further three data breaches were reported that involved the protected health information of more than 500,000 individuals. Sutter Health was also one of the victims of the mass hacking of the MOVEit vulnerability and had the data of 845,441 individuals stolen, as did Blue Shield of California (636,848 records). In both cases, the MOVEit tool was used by business associates of those entities. East River Medical Imaging in New York experienced a cyberattack that saw its network breached for three weeks between October and September 2023, during which time the hackers exfiltrated files containing the PHI of 605,809 individuals. All 28 of these large data breaches were hacking incidents that saw unauthorized access to network servers.

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Cause of Breach
Perry Johnson & Associates, Inc., which does business as PJ&A	NV	Business Associate	8,952,212	Hacking and data theft incident
Welltok, Inc.	CO	Business Associate	8,493,379	Hacking incident (MOVEit Transfer)
Sutter Health	CA	Healthcare Provider	845,441	Hacking incident at business associate (MOVEit Transfer)
California Physicians’ Service d/b/a Blue Shield of California	CA	Health Plan	636,848	Hacking incident at business associate (MOVEit Transfer)
East River Medical Imaging, PC	NY	Healthcare Provider	605,809	Hacking and data theft incident
State of Maine	ME	Health Plan	453,894	Hacking incident (MOVEit Transfer)
Proliance Surgeons	WA	Healthcare Provider	437,392	Ransomware attack
Medical Eye Services, Inc.	NY	Business Associate	377,931	Hacking incident (MOVEit Transfer)
Medical College of Wisconsin	WI	Healthcare Provider	240,667	Hacking incident (MOVEit Transfer)
Warren General Hospital	PA	Healthcare Provider	168,921	Hacking and data theft incident
Financial Asset Management Systems (“FAMS”)	GA	Business Associate	164,796	Ransomware attack
Morrison Community Hospital District	IL	Healthcare Provider	122,488	Ransomware attack (BlackCat)
South Austin Health Imaging LLC dba Longhorn Imaging Center	TX	Healthcare Provider	100,643	Hacking and data theft incident (SiegedSec threat group)
Mulkay Cardiology Consultants at Holy Name Medical Center, P.C.	NJ	Healthcare Provider	79,582	Ransomware attack (NoEscape)
International Paper Company Group Health and Welfare Plan (the “IP Plan”)	TN	Health Plan	78,692	Hacking incident at business associate (MOVEit Transfer)
CBIZ KA Consulting Services, LLC	NJ	Business Associate	30,806	Hacking incident (MOVEit Transfer)
Endocrine and Psychiatry Center	TX	Healthcare Provider	28,531	Hacking and data theft incident
Blue Shield of California OR Blue Shield of California Promise Health Plan	CA	Business Associate	26,523	Hacking incident at business associate (MOVEit Transfer)
Wyoming County Community Health System	NY	Healthcare Provider	26,000	Hacking and data theft incident
Westat, Inc.	MD	Business Associate	20,045	Hacking incident (MOVEit Transfer)
Psychiatry Associates of Kansas City	KS	Healthcare Provider	18,255	Hacking and data theft incident
Southwest Behavioral Health Center	UT	Healthcare Provider	17,147	Hacking and data theft incident
TGI Direct, Inc.	MI	Business Associate	16,113	Hacking incident (MOVEit Transfer)
Pharmacy Group of Mississippi, LLC	MS	Healthcare Provider	13,129	Hacking and data theft incident
U.S. Drug Mart, Inc.	TX	Healthcare Provider	13,016	Hacking and data theft incident at business associate
Catholic Charities of the Diocese of Rockville Centre d/b/a Catholic Charities of Long Island	NY	Healthcare Provider	13,000	Hacking and data theft incident
Foursquare Healthcare, Ltd.	TX	Healthcare Provider	10,890	Ransomware attack
Saisystems International, Inc.	CT	Business Associate	10,063	Hacking and data theft incident

November 2023 Data Breach Causes and Data Locations

Many of the month’s breaches involved the mass hacking of a vulnerability in the MOVEit Transfer solution by the Clop threat group. MOVEit data breaches continue to be reported, despite the attacks occurring in late May. According to the cybersecurity firm Emsisoft, at least 2,620 organizations were affected by these breaches, and 77.2 million records were stolen. 78.1% of the affected organizations are based in the United States. Progress Software is currently being investigated by the U.S. Securities and Exchange Commission over the breach. Hacking/ransomware attacks accounted for 88.52% of the month’s data breaches (54 incidents) and 99.94% of the breached records (22,064,623 records). The average data breach size was 408,604 records and the median breach size was 10,477 records.

Ransomware gangs continue to target the healthcare industry, and in November several ransomware groups listed stolen healthcare data on their leak sites including NoEscape and BlackCat. Many hacking groups choose not to use ransomware and instead just steal data and threaten to sell or publish the data if the ransom is not paid, such as Hunter’s International and SiegedSec. Since there is little risk of ransomware actors being apprehended and brought to justice, the attacks are likely to continue. OCR is planning to make it harder for cyber actors to succeed by introducing new cybersecurity requirements for healthcare organizations. These new cybersecurity requirements will be voluntary initially but will later be enforced. New York has also announced that stricter cybersecurity requirements for hospitals will be introduced in the state, and financial assistance will be offered.

There were 6 data breaches classified as unauthorized access/disclosure incidents, across which 10,371 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 1,481 records and the median breach size was 1,481 records. There was one reported incident involving the theft of paperwork that contained the protected health information of 2,495 individuals. For the second consecutive month, there were no reported loss or improper disposal incidents. The most common location of breached PHI was network servers, which accounted for 77% of all incidents. 10 incidents involved PHI stored in email accounts.

Where did the Data Breaches Occur?

The OCR data breach portal shows healthcare providers were the worst affected HIPAA-regulated entity in November, with 42 reported data breaches. There were 13 data breaches reported by business associates and 6 data breaches reported by health plans. The problem with these figures is they do not accurately reflect where the data breaches occurred. When a business associate experiences a data breach, they may report it to OCR, the affected covered entities may report the breach or a combination of the two. As such, the raw data often does not accurately reflect the number of data breaches occurring at business associates of HIPAA-covered entities. The data used to compile the charts below has been adjusted to show where the data breach occurred rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 28 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

State	Number of Breaches
California	8
New York	6
Illinois & Texas	5
Connecticut, Florida, Georgia, Indiana, Iowa, Kansas, Maine, Michigan, Minnesota, New Jersey, Oregon, South Carolina & Washington	2
Arizona, Colorado, Maryland, Massachusetts, Mississippi, Nevada, Ohio, Pennsylvania, Tennessee, Utah & Wisconsin	1

HIPAA Enforcement Activity in November 2023

OCR announced one enforcement action in November. A settlement was agreed with St. Joseph’s Medical Center to resolve allegations of an impermissible disclosure of patient information to a reporter. OCR launched an investigation following the publication of an article by an Associated Press reporter who had been allowed to observe three patients who were being treated for COVID-19. The article included photographs and information about the patients and was circulated nationally. OCR determined that the patients had not provided their consent through HIPAA authorizations, therefore the disclosures violated the HIPAA Privacy Rule. St. Joseph Medical Center settled the alleged violations and paid an $80,000 financial penalty.

HIPAA is primarily enforced by OCR although State Attorneys General may also investigate HIPAA-regulated entities and they also have the authority to issue fines for HIPAA violations. In November, one settlement was announced by the New York Attorney General to resolve alleged violations of HIPAA and state laws. U.S. Radiology Specialists Inc. was investigated over a breach of the personal and protected health information of 198,260 individuals, including 95,540 New York Residents. The New York Attorney General’s investigation determined that U.S. Radiology Specialists was aware that vulnerabilities existed but failed to address those vulnerabilities in a timely manner. Some of those vulnerabilities were exploited by cyber actors in a ransomware attack. U.S. Radiology Specialists agreed to pay a $450,000 financial penalty and ensure full compliance with HIPAA and state laws.

The post November 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Biggest Healthcare Security Breaches in 2023

Causes of Cybersecurity Breaches in Healthcare in 2023

Healthcare Security Breaches at HIPAA-Regulated Entities

Healthcare Security Breaches in 2023 – Reporting Entity

Healthcare Security Breaches in 2023 – Location of Data Breach

HIPAA Security Breaches Reported in All 50 States

HIPAA Enforcement Activity in 2023

OCR Enforcement Actions in 2023 Resulting in Financial Penalties

Attorney General Penalties for HIPAA Violations in 2023

Outlook for 2024

The Biggest Healthcare Data Breaches in December 2023

December 2023 Data Breach Causes and Data Locations

Where did the Data Breaches Occur?

Geographical Distribution of Healthcare Data Breaches

HIPAA Enforcement in December 2023

HIPAA Enforcement by State Attorneys General

The New HIPAA Rules and the Changes for Reporting Breaches of PHI

How to Avoid Data Breaches with Secure Messaging

The Comprehensive Benefits of Secure Messaging

Multiple HIPAA Security Rule Failures Identified

NY Attorney General Launches HIPAA Investigation

Commonly Used Website Tracking Tools Violate HIPAA

Settlement Agreed to Resolve Alleged Violations of HIPAA and State Laws

Largest Healthcare Data Breaches in November 2023

November 2023 Data Breach Causes and Data Locations

Where did the Data Breaches Occur?

Geographical Distribution of Healthcare Data Breaches

HIPAA Enforcement Activity in November 2023

Latest News from Around the Web

Categories