HIPAA Compliance News

Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI

Posted by HIPAA Journal

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk.

The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats.

The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to PHI to be tracked. Passwords are required to authenticate users, with the HIPAA Security Rule requiring HIPAA-regulated entities to implement, “procedures for creating, changing, and safeguarding passwords.”

The Varonis study, the results of which were published in its 2021 Data Risk Report: Healthcare, Pharmaceutical, & Biotech, revealed an average healthcare worker has access to 31,000 sensitive files containing PHI, financial, and proprietary data on their first day of work. Those files were stored on parts of the network that can be accessed by all employees.

On average, 20% of each organization’s files are open to every employee, even though in many cases access was not required to complete work duties. 50% of organizations investigated had more than 1,000 sensitive files open to all employees, and one in four files at small healthcare organizations could be accessed by every employee. There were no restrictions on access to 1 in 10 files that contained PHI or intellectual property.

“We discovered that smaller organizations have a shocking amount of exposed data, including sensitive files, intellectual property, and patient records. On their first day, new employees at small companies have instant access to over 11,000 exposed files, and nearly half of them contain sensitive data,” explained Varonis in the report. “This creates a massive attack surface and increases the risk of noncompliance in the event of a data breach.”

To reduce risk, it is vital to operate under the principle of least privilege. If employees are given broad access to sensitive information, not only does that increase the opportunity for insider data theft, if their credentials are compromised in a phishing attack, external threat actors will have easy access to huge volumes of data.

The problem is made worse by poor password practices. 77% of companies studied for the report had 501 or more accounts with passwords set to never expire, and 79% of organizations had more than 1,000 ghost accounts. Ghost accounts are inactive accounts that have not been disabled. These accounts give hackers an easy way to access sensitive data and traverse networks and file structures undetected.

According to the Verizon Data Breach Investigations Report, data breaches increased by 58% in 2020 with cyber threat actors actively targeting the healthcare, pharma, and biotech industries to steal sensitive data, intellectual property, and vaccine research data. The healthcare industry has the highest data breach costs which, according to the IBM Security Cost of a Data Breach Report, are $7.13 million per breach. Organizations that fail to restrict access to protected healthcare information can also face heavy financial penalties, which under HIPAA/HITECH are up to $1.5 million per year, per violation category.

“To get in front of increasingly malicious and sophisticated cyberattacks, hospitals, pharmaceutical companies, and biotech’s need to double down on maturing incident response procedures and mitigation efforts,” said Varonis. “Enforcing least privilege, locking down sensitive data, and restricting lateral movement in their environments are the absolute bare minimum precautionary measures that healthcare organizations need to take.”

The post Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI appeared first on HIPAA Journal.

September 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months.

Healthcare data breaches August 2020 to September 2021

While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months.

Healthcare records breached over the past 12 months

Largest Healthcare Data Breaches Reported in September 2021

16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records.

The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was reported to the HHS as affecting 500,000 individuals. The cyberattack is believed to have been conducted by a nation-state hacking group.

Two major data breaches were reported by eye care providers: A hacking incident at U.S. Vision Optical resulted in the exposure of the PHI of 180,000 individuals, and a phishing incident at Simon Eye Management gave the attackers access to email accounts containing the PHI of 144,373 individuals. The breaches are not believed to be related, but they are two of a handful of recent incidents affecting eye care providers.

Ransomware continues to be extensively used in attacks on the healthcare industry. 6 of the top 16 attacks in September involved ransomware and potentially saw PHI stolen. Several ransomware gangs have targeted the healthcare sector, with the FIN12 group one of the most active. A recent analysis of FIN12 attacks by Mandiant revealed 20% of the gang’s attacks have been on the healthcare industry, with the attacks accounting for around 20% of all incidents Mandiant responds to.

Hackers have been targeting the healthcare industry, but data breaches can also be caused by insiders with privileged access to PHI. One notable ‘insider’ breach was reported by Premier Management Company and involved data being accessed by a former employee after termination. The incident highlights the importance of ensuring access to PHI (and IT systems) is blocked immediately when an employee is terminated, leaves the company, or when job functions change that no longer require an employee to have access to PHI.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
State of Alaska Department of Health & Social Services AK Health Plan 500,000 Nation-state hacking Incident
U.S. Vision Optical NJ Healthcare Provider 180,000 Unspecified hacking incident
Simon Eye Management DE Healthcare Provider 144,373 Email account breach (phishing)
Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan IL Health Plan 49,000 Ransomware attack
Talbert House OH Healthcare Provider 45,000 Unspecified hacking incident (data exfiltration)
Premier Management Company TX Healthcare Provider 37,636 PHI accessed by an employee after termination
Central Texas Medical Specialists, PLLC dba Austin Cancer Centers TX Healthcare Provider 36,503 Malware
Orlick & Kasper, M.D.’s, P.A. FL Healthcare Provider 30,000 Theft of electronic devices containing PHI
McAllen Surgical Specialty Center, Ltd. TX Healthcare Provider 29,227 Ransomware attack
Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans AZ Health Plan 28,000 Ransomware attack
Horizon House, Inc. PA Healthcare Provider 27,823 Ransomware attack
Rehabilitation Support Services, Inc. NY Healthcare Provider 23,907 Unspecified hacking incident (data exfiltration)
Samaritan Center of Puget Sound WA Healthcare Provider 20,866 Theft of electronic devices containing PHI
Directions for Living FL Healthcare Provider 19,494 Ransomware attack
Buddhist Tzu Chi Medical Foundation CA Healthcare Provider 18,968 Ransomware attack
Eastern Los Angeles Regional Center CA Business Associate 12,921 Email account breach (phishing)

Causes of September 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 53.2% of all breaches reported in the month and 91.6% of all breached records. 1,147,383 healthcare records were exposed or stolen in those incidents, with an average breach size of 33,747 records and a median breach size of 2,453 records.

The number of incidents involving the theft of physical records or electronic equipment containing PHI increased month-over-month. September saw 6 theft incidents reported and 60,236 records compromised. The mean breach size was 10,039 records and the median breach size was 3,918 records. 4 of those breaches involved electronic equipment and could have been prevented had encryption been used.

There were 7 data breaches reported that involved unauthorized access or disclosures of data by insiders. 45,639 records were breached across those incidents, 37,636 of which were obtained in a single incident. The average breach size was 6,520 records and the median breach size was 1,738 records.

Causes of September 2021 healthcare data breaches

Given the high number of hacking and ransomware incidents reported, it is no surprise that the most common location of breached PHI is network servers. Email accounts continue to be targeted in phishing attacks, with 13 incidents in September involving PHI stored in email accounts. The number of devices containing PHI that were stolen highlights the importance of using encryption to protect stored data.

Location of PHI in September 2021 healthcare data breaches

September 2021 Data Breaches by HIPAA-Regulated Entity

Healthcare providers were the worst affected covered entity with 30 reported breaches. 10 breaches were reported by health plans, 6 breaches were reported by business associates, and one breach was reported by a healthcare clearinghouse.

5 breaches of those breaches were reported by a HIPAA-covered entity but occurred at a business associate. The adjusted figures are shown in the pie chart below.

September 2021 healthcare data breaches by HIPAA-regulated entity type

September 2021 Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities based in 25 states. Texas was the worst affected state with 6 reported breaches of 500 or more records, followed by California with 5 breaches and Connecticut with 4.

State Breaches
Texas 6
California 5
Connecticut 4
Florida & Washington 3
Arizona, Georgia, Illinois, New York, Ohio, & Pennsylvania 2
Alaska, Delaware, Indiana, Kentucky, Maryland, Minnesota, Missouri, New Jersey, New Mexico, Oregon, Rhode Island, Tennessee, Virginia, & Wisconsin 1

HIPAA Enforcement Activity in September 2021

The Department of Health and Human Services’ Office for Civil Rights now has a new director, and it is currently unclear what direction she will take in the department’s HIPAA enforcement actions.

Since the fall of 2019 OCR has been targeting HIPAA-regulated entities that fail to comply with the HIPAA Right of Access and September saw the 20th financial penalty imposed under this initiative for the failure to provide individuals with access to their healthcare records.

Children’s Hospital & Medical Center in Omaha, NE, settled its HIPAA Right of Access case with OCR and paid an $80,000 financial penalty. This was the ninth OCR case this year to have resulted in a financial penalty for non-compliance with the HIPAA Rules.

There were no reported enforcement activities by state attorneys general in September.

The post September 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty

Posted by HIPAA Journal

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty.

Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI).

Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network which contained the PHI of 14,663 patients, 11,071 of which were New Jersey residents.

As a HIPAA covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access.

Diamond Investigated for Compliance with Federal and State Laws

The State of New Jersey Department of Law and Public Safety Division of Consumer Affairs investigated Diamond over the data breach to determine compliance with federal and state laws. The investigation revealed Diamond had entered into a support contract with the managed service provider (MSP) Infoaxis Technologies in 2007, which including security and information technology services including maintaining its third-party server and workstations. The service agreement included third-party software for the management and reporting of audit logs intended to interpret triggers for event alerts.

Around March 2014, Diamond downgraded its support package with the MSP, resulting in a reduction in the services provided, although Diamond maintains there was no reduction in services between the two support agreements other than the amount of time included for on-site support services.

Prior to the breach occurring, Diamond’s HIPAA Privacy and Security Officer used a Remote Desktop Protocol (RDP) service with a VPN to access the Diamond network, but because the VPN was blocked from the Bermuda office, the MSP provided a different method of access that involved opening a port in the firewall to allow RDP access, instead of using the VPN for authentication.

Between August 28, 2016 and January 14, 2017, a workstation in the Millburn office was accessed by an unauthorized individual on several occasions from a foreign IP address. The unauthorized access was detected and blocked on January 14, 2017. During the time the workstation was accessible, data on the device was not encrypted. The intruder therefore potentially accessed patient data including names, dates of birth, Social Security numbers, and medical record numbers.

An investigation into the breach also revealed an intruder accessed Diamond’s third-party server which housed its electronic medical records within a password-protected SQL server using two compromised Diamond user accounts that had weak passwords. The investigation revealed weak security settings were in place for failed login attempts and password expiration.

While the EMR data was not compromised, the intruder was able to access PHI such as test results, ultrasound images, and clinical and post-operative notes. Diamond’s investigation was unable to confirm how access to the network was gained.

Multiple HIPAA Violations Uncovered

The state investigation into the data breach revealed business associate agreements were not in place prior to sharing ePHI with three business associates: Infoaxis, BMedTech, and Igenomix, in violation of the HIPAA Rules. Diamond was also alleged to have violated the CFA, HIPAA Security Rule, and HIPAA Privacy Rule by removing administrative and technological safeguards protecting PHI and ePHI, which allowed unauthorized individuals to gain access to its systems and ePHI for around five and a half months.

The CFA violations included misrepresentation of HIPAA practices in its privacy and security policy, a failure to secure its network leading to a data breach, and unconscionable commercial practices.

The settlement agreement lists failures to comply with twenty-nine provisions of the HIPAA Privacy and Security Rules. Alleged violations include the failure to conduct a comprehensive risk assessment, failure to encrypt ePHI, failure to modify security measures to ensure reasonable protections for ePHI were maintained, failure to implement procedures for creating, changing, and modifying passwords, and a failure to verify the identify of individuals seeking access to ePHI.

Diamond disputes many of the claims made by the state but agreed to settle the case and pay a $495,000 financial penalty, which consists of $412,300 in civil penalties and $82,700 in investigation fees.

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said Acting Attorney General Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”

In addition to the financial penalty, Diamond is required to implement additional measures to improve data security, including the use of encryption to prevent unauthorized access to ePHI, implementing a comprehensive information security program, appointing a new HIPAA officer, providing additional training to staff on security policies, developing a written incident response plan, and improving logging, monitoring, access controls, password management, and implementing a risk assessment program.

“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

The post New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty appeared first on HIPAA Journal.

OCR Issues Guidance on HIPAA and COVID-19 Vaccination Status Disclosures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has issued guidance to educate the public on how the Health Insurance Portability and Accountability Act (HIPAA) Rules apply to disclosures of COVID-19 vaccination status information and requests from individuals about whether a person has been vaccinated against COVID-19.

In the guidance, OCR confirmed that HIPAA only applies to HIPAA-regulated entities. HIPAA regulated entities are healthcare providers, health plans, and healthcare clearinghouses that conduct standard electronic transactions, and business associates of those entities that require access to or encounter protected health information (PHI). OCR reminded the public that the HIPAA Privacy Rule does not apply to employers or employment records. That includes information collected or stored by HIPAA-regulated entities in their capacity as an employer.

OCR explained how HIPAA applies to COVID-19 vaccination information in certain situations through a website Q&A and states:

  • The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. Individuals who work at a HIPAA covered entity or business associate are not prohibited from asking if an individual has received a vaccine.
  • The HIPAA Privacy Rule does not prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine.
  • The HIPAA Privacy Rule does not prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties.
  • The HIPAA Privacy Rule does not prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine.

OCR has confirmed that, generally, the HIPAA Privacy Rule prohibits a doctor’s office from disclosing an individual’s PHI, including COVID-19 vaccination information, to the individual’s employer or other parties. Such disclosures are possible if consistent with other laws and applicable ethical standards, such as a disclosure to a health plan to obtain payment for administering the vaccine and disclosures of such information to public health authorities.

OCR explained that there are circumstances when a HIPAA-covered hospital is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer.

This is only possible to allow the employer, “to conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness.” In such cases, disclosures are only permitted if all the following conditions are met:

  • The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
  • The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
  • The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose.
  • The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.

“We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19,” said OCR Director Lisa Pino.

The post OCR Issues Guidance on HIPAA and COVID-19 Vaccination Status Disclosures appeared first on HIPAA Journal.

What is a HIPAA Subpoena?

Posted by HIPAA Journal

The U.S. Department of Justice has recently been cracking down on healthcare offenses and investigations often involve a HIPAA subpoena being issued. The subpoena compels HIPAA-regulated entities to release information such as patient medical records that they would otherwise not be permitted to disclose due to Privacy Rule restrictions on uses and disclosures. The HIPAA Privacy Rule permits disclosures of protected health information (PHI) if compelled to do so by a valid subpoena.

What is a HIPAA Subpoena?

A HIPAA subpoena is an administrative subpoena which requires a HIPAA-regulated entity to release documents to support investigations of federal criminal healthcare offenses pursuant to 18 U.S.C. § 3486, and the use of these subpoenas is becoming more common. A HIPAA subpoena is similar to a federal grand jury subpoena, in that they both compel a HIPAA regulated entity to release specific information to assist with investigations into healthcare offenses.

A HIPAA subpoena is an administrative subpoena, but they are not generally issued for investigations that are purely civil in nature. When prosecutors at the U.S. Department of Justice issue a HIPAA subpoena, it indicates a criminal investigation is being conducted into healthcare offenses.

How Does a HIPAA Subpoena Differ from a Federal Grand Jury Subpoena?

It is more common for a federal grand jury subpoena to be issued to obtain documents to support a civil or criminal investigation into healthcare offenses. Both types of subpoena compel a covered entity to release documents to support the investigation; however, a federal grand jury subpoena does not allow the sharing of information with civil DOJ attorneys who are pursuing a parallel investigation, whereas a HIPAA subpoena does.

For example, if there are parallel investigations being conducted into violations of the False Claims Act (civil) and anti-kickback and healthcare fraud statutes (criminal), a HIPAA subpoena may be issued as it supports intra-departmental cooperation. In contrast to a federal grand jury subpoena, it allows civil and criminal DOJ attorneys to work together in their investigations of potential violations of civil and criminal statutes under different statutes. A federal grand jury subpoena would not allow information to be shared between both parties due to grand jury secrecy rules.

Civil Investigative Demands (CIDs) are also often issued for documents or testimony. These may be associated with investigations that are purely civil in nature, although material obtained may also be shared with criminal Assistant United States Attorneys.

If a federal grand jury subpoena is received, it generally means a criminal investigation is being conducted. If you have received a CID, it was likely issued to support a civil investigation, but a criminal prosecutor may also be reviewing the documents. If you have received a HIPAA subpoena, it is probable that the DOJ is conducting parallel civil and criminal investigations.

Have You Received a Subpoena Compelling Release of Documents or Testimony?

If a valid federal grand jury subpoena or HIPAA subpoena is received, the HIPAA Privacy Rule permits the disclosure of PHI. HIPAA assumes the judge or magistrate issuing the subpoena has considered the privacy and confidentiality rights of an individual(s) prior to signing the subpoena. HIPAA regulated entities must provide the requested documents or medical records but only the specific information requested in the subpoena. All other information not specifically mentioned should be redacted.

If a subpoena is received that has been signed by an attorney or clerk, one of the following conditions must be satisfied before any PHI can be disclosed.

  • A written statement is received from the party requesting the information confirming reasonable efforts have been made to contact the individual to whom the requested information relates in writing, that the individual has been given the opportunity to object to the subpoena in court, and that sufficient time for raising an objection has been provided and either no objection was filed or the objection was resolved by the court.
  • Alternatively, if PHI can be provided if the subpoena is accompanied by a written statement from the issuing party confirming the parties to the proceeding have agreed to a qualified protective order that will maintain the confidentiality of the provided information, or that such a protective order has been requested.
  • The HIPAA regulated entity makes reasonable efforts to notify the individual in writing to advise them about the subpoena and the legal obligation to comply, and has provided information to allow the individual to object to the subpoena in court, provided no objection was filed or the objection was unsuccessful. Alternatively, the records can be released if the individual whose PHI has been requested signs an authorization form permitting the requested disclosure.

If one of the above conditions is satisfied, only the information specifically requested in the subpoena can be provided. If one of the above conditions could not be satisfied, PHI could only be provided if a court order is received. A written objection should be filed based on HIPAA restrictions and it will be the responsibility of the issuer of the subpoena to obtain a court order to release the information.

The post What is a HIPAA Subpoena? appeared first on HIPAA Journal.

Lisa J. Pino Named New Director of HHS’ Office for Civil Rights

Posted by HIPAA Journal

OCR Director, Lisa J. Pino

Lisa J. Pino has been named Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) and replaces Robinsue Frohboese, who has served as acting OCR Director since President Trump-appointed Roger Severino resigned from the post in mid-January.

OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the Patient Safety and Quality Improvement Act, and Patient Safety Rule, as well as as well as enforcing federal civil rights, conscience and religious freedom laws.

Pino is from New York City, a fluent Spanish speaker, and the first-generation daughter of immigrant parents. She completed a B.A., M.A., and J.D. at Arizona State University with honors, and Harvard Kennedy School leadership program as a National Hispana Leadership Institute Fellow.

Pino has served as legal aid attorney in the Southwest, fighting to protect the rights of migrant farm workers. Her civil rights activities carried on while working for the United States Department of Agriculture (USDA) where she served as USDA Deputy Administrator of the Supplemental Nutrition Assistance Program (SNAP) and USDA Deputy Assistant Secretary for Civil Rights.

While at the USDA, Pino drafted and championed USDA’s first gender identity anti-discrimination program regulation along with its first USDA limited English proficiency guidance. Pino played a key role in ensuring minority farmers had access to benefits awarded through class action settlements through her direction of USDA’s outreach and engagement activities.

Pino is a former senior executive service who was also appointed by President Barack Obama and served at the U.S. Department of Homeland Security (DHS) as Senior Counselor. There she played a key role in the mitigation of the largest federal data breach in history, the 2015 hacking of the data of 4 million federal personnel and 22 million surrogate profiles, by renegotiating 700 vendor procurements and establishing new cybersecurity regulatory protections.

Most recently, Pino served as Executive Deputy Commissioner of the New York State Department of Health, the agency’s second-highest executive position. During her time in the role, Pino spearheaded the state’s operational response to the COVID-19 pandemic and programming for Medicaid, Medicare, Nutrition Program for Women, Infants, and Children (WIC), Hospital and Alternative Care Facility, Wadsworth Laboratories, Center for Environmental Health, Center for Community Health, and AIDS Institute.

“Lisa is an exceptional public servant, and I am delighted to welcome her to the role of the Director of the Office for Civil Rights at HHS,” said HHS Secretary Xavier Becerra. “Her breadth of experience and management expertise, particularly her hand in advancing civil rights regulations and policy at the U.S. Department of Agriculture (USDA) during the Obama-Biden Administration, will help ensure that we protect the rights of every person across the country as we work to build a healthier America.”

The post Lisa J. Pino Named New Director of HHS’ Office for Civil Rights appeared first on HIPAA Journal.

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year.

The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making the maximum time for providing records 60 days from the date the written request for access is received.

When individuals feel their HIPAA rights have been violated, they cannot take legal action against a HIPAA-covered entity for a HIPAA violation, but they can file a complaint with OCR. In this case, OCR received a complaint from a parent who alleged CHMC had not provided her with timely access to her minor daughter’s medical records.

CHMC received the parent’s request and provided some of her with some of her daughter’s medical records but did not provide all the requested information. The parent also made several follow-up requests to CHMC. OCR investigated and confirmed the parent requested a copy of her late daughter’s medical records in writing on January 3, 2020. Some of the requested records were provided; however, the remainder of the records needed to be obtained from a different CHMC division. Some of the remaining records were provided on June 20, 2020, with the rest provided on July 16, 2020. OCR determined this was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b).

In addition to the financial penalty, CHMC must review and update its policies and procedures related to the HIPAA Right of Access, provide the policies to OCR for assessment, and distribute the approved policies to the workforce and ensure training is provided.

“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative,” said Acting OCR Director Robinsue Frohboese. “OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”

The post OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative appeared first on HIPAA Journal.

California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents

Posted by HIPAA Journal

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to sent notifications to the HHS’ Office for Civil Rights (OCR) about data breaches, but healthcare organizations are also required to comply with state data breach notification laws.

Many states have introduced their own data privacy laws, which typically require notifications to be sent to appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified.

Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health information of California residents has likely been compromised in the attack.

California Attorney General Rob Bonta has recently issued a bulletin reminding all entities that house the confidential health-related information of California residents of their data breach reporting responsibilities under California law (Civil Code section 1798.82). Whenever there has been a breach of the health data of 500 or more California residents, a breach report must be submitted to the Office of the Attorney General. The California DOJ then publishes the breach notice on its website to ensure the public is made aware of the breach to allow victims to take appropriate action to protect themselves against identity theft and fraud. Individual notifications must also be issued to affected individuals.

“Timely breach notification helps affected consumers mitigate the potential losses that could result from the fraudulent use of their personal information obtained from a breach of health data,” said Attorney General Bonta. “Therefore, it is important for providers of healthcare to be proactive and vigilant about reducing their risk for ransomware attacks and to meet their health data breach notification obligations to protect the public.”

In the bulletin, Attorney General Bonta also urged healthcare organizations to take proactive steps to protect patient data against ransomware attacks.

“State and federal health data privacy frameworks, like the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), obligate healthcare entities and organizations that deal in health data to establish appropriate procedures to ensure the confidentiality of health-related information, including security measures that can help prevent the introduction of malware, including ransomware, to protect consumers’ healthcare-related information from unauthorized use and disclosure,” explained AG Bonta.

Healthcare organizations are encouraged to take the following proactive steps:

  • Keep operating systems and software housing health data current
  • Apply security patches promptly
  • Install and maintain antivirus software
  • Provide regular data security training to employees, including education about phishing attacks
  • Restrict users from downloading, installing, and running unapproved software
  • Maintain and regularly test the data backup and recovery plan for all critical information 

The post California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents appeared first on HIPAA Journal.

July 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day.

Healthcare data Breaches Past 12 months (Aug 20-July21)

The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records.

Healthcare records breached Aug20 to July 21

Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month!

Largest Healthcare Data Breaches in July 2021

Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the Wisconsin healthcare provider Forefront Dermatology. The exact nature of the attack was not disclosed so it is unclear if ransomware was used. Hackers gained access to parts of its network that contained the protected health information of 2.4 million individuals. The second largest data breach was reported by Practicefirst, a New York business associate of multiple HIPAA-covered entities. Ransomware was used in the attack and the healthcare data of 1.2 million individuals was potentially exfiltrated.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause Business Associate Present
Forefront Dermatology, S.C. Healthcare Provider 2,413,553 Hacking/IT Incident Unspecified hacking incident Yes
Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions/PBS Medcode Corp Business Associate 1,210,688 Hacking/IT Incident Ransomware attack Yes
UF Health Central Florida Healthcare Provider 700,981 Hacking/IT Incident Ransomware attack No
Orlando Family Physicians, LLC Healthcare Provider 447,426 Hacking/IT Incident Phishing attack No
HealthReach Community Health Centers Healthcare Provider 122,340 Improper Disposal Improper disposal of electronic medical records No
Guidehouse Business Associate 84,220 Hacking/IT Incident Ransomware attack (Accellion FTA) Yes
Advocate Aurora Health Healthcare Provider 68,707 Hacking/IT Incident Ransomware attack (Elekta) Yes
McLaren Health Care Corporation Healthcare Provider 64,600 Hacking/IT Incident Ransomware attack (Elekta) Yes
Coastal Family Health Center, Inc Healthcare Provider 62,342 Hacking/IT Incident Ransomware attack No
Florida Heart Associates Healthcare Provider 45,148 Hacking/IT Incident Ransomware attack No
A2Z Diagnostics, LLC Healthcare Provider 35,587 Hacking/IT Incident Phishing attack No
University of Maryland, Baltimore Business Associate 30,468 Hacking/IT Incident Unspecified hacking incident Yes
Florida Blue Health Plan 30,063 Hacking/IT Incident Brute force attack (Member portal) No
Intermountain Healthcare Healthcare Provider 28,628 Hacking/IT Incident Ransomware attack (Elekta) Yes

Causes of July 2021 Healthcare Data Breaches

As the table above shows, ransomware continues to be extensively used in cyberattacks on healthcare organizations and their business associates. Those attacks can easily result in the theft of large amounts of healthcare data. The majority of ransomware gangs (and their RaaS affiliates) are now exfiltrating sensitive data prior to using ransomware to encrypt files. Victims are required to pay to prevent the publication or sale of the stolen data as well as a payment to obtain the keys to decrypt files.

To help combat this rise in double extortion ransomware attacks, new guidance has been released by the Cybersecurity and Infrastructure Security Agency. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer networks, with the emphasis now shifting away from perimeter defenses to assuming attackers have already gained access to the network. Mechanisms therefore need to be implemented to reduce the harm that can be caused.

Causes of July 2021 Healthcare Data Breaches

Hacking/IT incidents, of which ransomware accounts for a many, dominate the month’s breach reports. There were 52 reported hacking/IT incidents in which the protected health information of 5,393,331 individuals was potentially compromised. That’s 96.82% of all records breached in July. The mean breach size was 103,718 records and the median breach size was 4,185 records.

There were 13 reported unauthorized access/disclosure incidents, which include misdirected emails, mailing errors, and snooping by healthcare employees. 52,676 healthcare records were impermissibly viewed or disclosed to unauthorized individuals across those incidents. The mean breach size was 4,052 records and the median breach size was 1,038 records. There were two theft incidents reported involving a total of 2,275 records and one improper disposal incident involving 122,340 electronic health records.

The vast majority of incidents involved the hacking of network servers; however, email accounts continue to be compromised at high rates. 21 breaches involved protected health information stored in email accounts. The majority of the email incidents involved the theft of employee credentials in phishing attacks.

Location of breached protected health information (July 2021)

Data Breaches by Covered Entity Type

Healthcare providers reported 47 data breaches in July, with 11 breaches reported by business associates and 10 breaches reported by health plans; however, the reporting entity is not the best gauge of where these breaches occurred. In many cases, the breach was experienced at a business associate, but was reported by the covered entity.

When this is taken into account, the figures show that healthcare provider and business associate data breaches are on a par, with 30 breaches each for July 2021, as shown in the pie chart below.

July 2021 healthcare data breaches by covered entity type

July 2021 Healthcare Data Breaches by State

July saw healthcare data breaches reported by HIPAA-covered entities and business associates based in 32 states and the District of Columbia.

State Number of Reported Healthcare Data Breaches
Florida 6
California, New York & Texas 5
Illinois & North Carolina 4
Connecticut, Minnesota, Nebraska & New Jersey 3
Mississippi, Oklahoma, Washington & Wisconsin 2
Alabama, Georgia, Iowa, Indiana, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Ohio, Pennsylvania, South Carolina, Utah, Virginia, West Virginia & the District of Columbia 1

HIPAA Enforcement Activity in July 2021

The HHS’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance, did not announce any new enforcement actions against HIPAA-covered entities or business associates in July, nor were there any enforcement actions announced by state Attorneys General.

The OCR year-to-date total still stands at 8 financial penalties totaling $5,570,100, with just the one financial penalty imposed by state attorneys general – A multi-state action that saw American Medical Collection Agency (AMCA) fined $21 million.

Data for this report came from the HHS’ Office for Civil Rights breach portal.

The post July 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.