HIPAA Compliance News

26th Annual Compliance Institute: March 28 – 31, 2022

Posted by HIPAA Journal

The Health Care Compliance Association (HCCA) will be hosting the 26th Annual Compliance Institute at the Phoenix Convention Center, AZ, March 28 – 31, 2022.

The HCCA is a member-based association for healthcare compliance professionals that is dedicated to enabling the lasting success and integrity of all professionals working for, with, or supporting healthcare organizations. Established in 1996, the HCCA now has more than 12,000 members across the United States.  The HCCA promotes the highest standards in compliance programs, creates high-quality educational training events, and provides a forum for interaction and information exchange within the healthcare compliance community.

The Compliance Institute is the HCCA’s primary educational and networking event. Running over 4 days, attendees will be able to attend 109 educational sessions, benefit from professional development opportunities, and will be able to network and improve their career prospects.

The educational sessions highlight real-world compliance issues, emerging trends, and practical applications that attendees can use to strengthen their compliance programs., with the 2022 event covering the following subject areas:

  • Auditing and monitoring
  • Behavioral health
  • Compliance law
  • General compliance/hot topics
  • How to succeed as a compliance officer
  • Investigations
  • Physician compliance
  • Post-acute care
  • Privacy and security
  • Risk management
  • Telehealth

The event will be of great benefit to healthcare compliance professionals, risk managers, privacy officers, coding and billing specialists, healthcare regulators, government personnel, nurse managers and executives, staff educators and trainers, health information management specialists, CIOs, healthcare senior executives, healthcare professionals, healthcare journalists and researchers.

26th Annual Compliance Institute

The conference will run from Monday, March 28 to Thursday, March 31 at the Phoenix Convention Center, AZ.

If it is not possible to attend in person, this year there will be the option of attending virtually from Tuesday, March 29 to Thursday, March 31. Virtual visitors will be able to attend 47 educational sessions which are being live-streamed from the conference center.

Register for the Conference

The post 26th Annual Compliance Institute: March 28 – 31, 2022 appeared first on HIPAA Journal.

HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records.

The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified.

The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the requested records or for unnecessary delays. In some cases, patients have had to wait many months before they were provided with a copy of their records.

The latest announcement by OCR brings the total number of HIPAA Right of Access enforcement actions under the 2019 enforcement initiative up to 25.

In all of the new cases below, OCR determined the healthcare providers were in violation of 45 C.F.R. § 164.524 and had not provided timely access to protected health information about the individual after receiving a request.

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, agreed to settle OCR’s investigation and paid a $32,150 financial penalty and will be monitored by OCR for compliance with its corrective action plan for 2 years. The investigation stemmed from a complaint from a patient who requested his medical records on November 25, 2019, but was not provided with the records until March 19, 2020.

Denver Retina Center, a Denver, CO-based provider of ophthalmological services, settled its investigation with OCR and paid a $30,000 financial penalty and will be monitored for compliance with its corrective action plan for 12 months. A patient alleged she had requested her records in December 2018 but did not receive a copy of her records until July 26, 2019. OCR had provided technical assistance to the healthcare provider following receipt of a previous HIPAA Right of Access complaint from the same patient and closed the case. When evidence was received of continued non-compliance the case was reopened. OCR determined that in addition to the delay, Denver Retina Center’s access policies and procedures were not compliant with the HIPAA Privacy Rule, as required by 45 C.F.R. § 164.530(i).

Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, settled OCR’s investigation and paid a $160,000 financial penalty and will be monitored for compliance with the corrective action plan for 12 months. OCR had received three complaints from a patient who had not been provided with a copy of her medical records. The patient had requested a copy of her records on October 1, 2019, and November 21, 2019, and did not receive the requested records until May 22, 2020.

Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, settled OCR’s investigation and paid a $10,000 financial penalty and has agreed to take corrective action to prevent further HIPAA Right of Access violations. OCR had received a complaint from a patient who requested a copy of her medical records on June 27, 2019 and paid a $25 flat fee, which is the standard fee charged by Wake Health Medical Group for providing copies of medical records. As of the date of the settlement, the patient has still not been provided with the requested records.

Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, did not cooperate with OCR during the investigation, although did not contest the findings and waived his right to a hearing. A civil monetary penalty of $100,000 was imposed by OCR. An investigation was launched following receipt of a complaint from a former patient who alleged he had made several written and verbal requests for a copy of his medical records between 2013 and 2014. The complaint was filed with OCR on November 9, 2017, and the case was closed by OCR on December 15, 2017, after advising Dr. Glaser to investigate the complaint and provide the requested records if the requests were in line with the HIPAA Right of Access. The patient filed a further complaint with OCR on March 20, 2018, and provided evidence of further written requests. OCR tried to contact Dr. Glaser on multiple occasions by letter and phone, but he repeatedly failed to respond, hence the decision to impose a civil monetary penalty.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

The post HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations appeared first on HIPAA Journal.

October 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

October saw 59 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 25.5% increase from September. Over the past 12 months, from November 2020 to October 2021, there have been 655 reported breaches of 500 or more records, 546 of which have been reported in 2021.

Healthcare Data Breaches (November 20-October 21)

The protected health information (PHI) of 3,589,132 individuals was exposed, stolen, or impermissibly disclosed across the 59 reported data breaches, which is 186% more records than September. Over the past 12 months, from November 2020 to October 2021, the PHI of 39,938,418 individuals has been exposed or stolen, with 34,557,664 individuals known to have been affected by healthcare data breaches so far in 2021.

Healthcare records breached (november 20-october 21)

Largest Healthcare Data Breaches in October 2021

There were 18 data breaches reported to the HHS’ Office for Civil Rights in October that impacted 10,000 or more individuals, as detailed in the table below.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Breach Cause
Eskenazi Health IN Healthcare Provider 1,515,918 Hacking/IT Incident Ransomware attack
Sea Mar Community Health Centers WA Healthcare Provider 688,000 Hacking/IT Incident Ransomware attack
ReproSource Fertility Diagnostics, Inc. MA Healthcare Provider 350,000 Hacking/IT Incident Ransomware attack
QRS, Inc. TN Business Associate 319,778 Hacking/IT Incident Unauthorized network server access
UMass Memorial Health Care, Inc. MA Business Associate 209,048 Hacking/IT Incident Phishing attack
OSF HealthCare System IL Healthcare Provider 53,907 Hacking/IT Incident Ransomware attack
Educators Mutual Insurance Association UT Health Plan 51,446 Hacking/IT Incident Unauthorized network access and malware infection
Lavaca Medical Center TX Healthcare Provider 48,705 Hacking/IT Incident Unauthorized network access
Professional Dental Alliance, LLC PA Healthcare Provider 47,173 Unauthorized Access/Disclosure Phishing attack on a vendor
Nationwide Laboratory Services FL Healthcare Provider 33,437 Hacking/IT Incident Ransomware attack
Professional Dental Alliance of Michigan, PLLC PA Healthcare Provider 26,054 Unauthorized Access/Disclosure Phishing attack on a vendor
Syracuse ASC, LLC NY Healthcare Provider 24,891 Hacking/IT Incident Unauthorized network access
Professional Dental Alliance of Georgia, PLLC PA Healthcare Provider 23,974 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of Florida, LLC PA Healthcare Provider 18,626 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of Illinois, PLLC PA Healthcare Provider 16,673 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Healthcare Management, Inc. TN Healthcare Provider 12,306 Hacking/IT Incident Ransomware attack
Professional Dental Alliance of Tennessee, LLC PA Healthcare Provider 11,217 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of New York, PLLC PA Healthcare Provider 10,778 Unauthorized Access/Disclosure Phishing attack on a vendor

Ransomware attacks continue to plague healthcare organizations and threaten patient safety. Half of the top 10 data breaches involved ransomware, including the top three data breaches reported in October.

The worst breach of the month was reported by Eskenazi Health. The PHI of more than 1.5 million patients was exposed and patient data is known to have been stolen in the attack. A major ransomware attack was also reported by Sea Mar Community Health Centers. Its systems were first compromised in December 2020, the ransomware attack was identified in March 2021, and Sea Mar was notified about the posting of patient data on a darknet marketplace in June. It took until late October to issue notifications to affected individuals.

Hackers often gain access to healthcare networks through phishing attacks, and phishing remains the leading attack vector in ransomware attacks. Large quantities of sensitive data are often stored in email accounts and can easily be stolen if employees respond to phishing emails. A phishing attack on UMass Memorial Health Care resulted in the exposure of the PHI of 209,048 individuals, and a phishing attack on a vendor used by the Professional Dental Alliance exposed the PHI of more than 174,000 individuals.

Causes of October 2021 Healthcare Data Breaches

Data breaches classified as hacking/IT incidents, which include ransomware attacks, were the main cause of data breaches in October. 57.63% of all breaches reported in the month were classified as hacking/IT incidents and they accounted for 94.14% of all breached records (3,378,842 records). The average size of the data breaches was 99,378 records and the median breach size was 5,212 records.

Causes of October 2021 healthcare data breaches

22 breaches were classified as unauthorized access/disclosure incidents and involved the PHI of 200,887 individuals. Those breaches include the phishing attack that affected the Professional Dental Alliance. The average breach size was 9,131 records and the median breach size was 4,484 records.

There were 4 breaches reported that involved the loss or theft of physical PHI or electronic devices containing PHI, 3 of which were theft incidents and 1 was a lost laptop computer. The PHI of 9,403 individuals was exposed as a result of those incidents. The average breach size was 2,351 records and the mean breach size was 1,535 records.

Location of breached protected health information -October 2021

Healthcare Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected covered entity type with 43 reported breaches. 8 data breaches were reported by business associates of HIPAA-covered entities and 8 were reported by health plans. Many data breaches occur at business associates of HIPAA-covered entities but are reported by the affected covered entity. The pie chart below shows the breakdown of breaches based on where they occurred.

October 2021 healthcare data breaches by HIPAA-regulated entity type

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 26 states. Pennsylvania was the worst affected state with 12 reported breaches, although 11 of those breaches were the same incident – the phishing attack on the Professional Dental Alliance vendor that was reported separately by each affected HIPAA-covered entity.

State No. Breaches
Pennsylvania 12
California 5
Illinois, Indiana, & Texas 4
New York & Washington 3
Connecticut, Florida, Massachusetts, New Jersey, North Carolina & Tennessee 2
Alabama, Arkansas, Kansas, Kentucky, Minnesota, Mississippi, Nebraska, Ohio, South Carolina, Utah, Virginia, & West Virginia 1

HIPAA Enforcement Activity in October 2021

There was only one HIPAA enforcement action announced in October. The New Jersey Attorney General agreed to settle an investigation into a data breach reported by Diamond Institute for Infertility and Menopause that resulted in the exposure of the PHI of 14,663 New Jersey residents.

The New Jersey Department of Law and Public Safety Division of Consumer Affairs uncovered violations of 29 provisions of the HIPAA Privacy and Security Rules, and violations of the New Jersey Consumer Fraud Act. In addition to paying $495,000 in civil monetary penalties and investigation costs, Diamond agreed to implement additional measures to improve data security.

The post October 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations

Posted by HIPAA Journal

The New Jersey Attorney General and has fined two printing firms $130,000 over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) which contributed to a breach of the protected health information (PHI) of 55,715 New Jersey residents.

Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI) provided services to a leading New Jersey-based managed healthcare organization that involved printing and mailing benefits statements. Between October 31, 2016, and November 2, 2016, a printing error resulted in PHI such as claims numbers, dates of service, provider names, facility names, and descriptions of services being mailed to incorrect recipients.

When printing firms or other vendors provide services to HIPAA-covered entities that require access to PHI, they are required to enter into a business associate agreement with the covered entity and must comply with the requirements of the HIPAA Security Rule. The responsibilities of HIPAA business associates include implementing safeguards to ensure the confidentiality, integrity, and availability of any PHI they are provided with.

The New Jersey Division of Consumer Affairs (DCA) launched an investigation into the printing firms and determined printing processes were changed in 2016 which resulted in an error being introduced that saw the final page of one member’s statement being added to the first page of another member’s statement. Procedures should have been implemented to check the benefits statements prior to mailing.

The DCA determined impermissible disclosure of PHI was in violation of HIPAA and the CFA. Specifically, the companies violated HIPAA by failing to ensure the confidentiality of PHI, failing to protect against a reasonably anticipated unauthorized disclosure of PHI, and failing to review and modify security measures to ensure reasonable and appropriate protections were in place to ensure the confidentiality of PHI.

The printing firms disputed the findings of the DCA investigation but agreed to a consent order which requires them to change their business practices and implement new safeguards to protect sensitive data.

The consent order requires a comprehensive security information program to be implemented and the use of an event management tool to identify and track potential vulnerabilities and threats to the confidentiality of PHI. Each company is required to appoint an employee as Chief Information Security Officer. That individual must have sufficient expertise in information security to implement, maintain, and monitor the information security program.

An employee with expertise in HIPAA compliance must be appointed as Chief Privacy Officer, a security awareness and anti-phishing training program must be implemented for the workforce, and policies and procedures must be put in place that require approval to be obtained from clients that store or transmit PHI prior to making material changes to printing processes. $65,000 of the penalty amount will be suspended and will not have to be paid if the companies comply with the terms of the consent order.

“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting Attorney General Bruck. “Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”

This is the second financial penalty for violations of HIPAA and the CFA to be announced by New Jersey in as many months. In October, Diamond Institute for Infertility and Menopause was fined $495,000 to resolve HIPAA and CFA violations that led to a breach of the PHI of 14,663 New Jersey residents.

The post New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations appeared first on HIPAA Journal.

OSHA and HIPAA Compliance

Posted by HIPAA Journal

In healthcare, OSHA and HIPAA compliance are both essential. There are separate standards that must be adhered to for compliance, but there are broad similarities in terms of reporting, recordkeeping, and enforcement.

The Occupational Safety and Health Act (OSH Act)

The Occupational Safety and Health Act (OSH Act) was signed into law more than 50 years ago and remains as relevant today as it was when President Nixon added his signature to the bill on December 29, 1970. The OSH Act covers the private sector and the federal government and requires employers to create and maintain a safe and healthful working environment, and ensure employees are protected from hazards in the workplace.

The OSH Act created the Occupational Safety and Health Administration (OHSA) within the Department of Labor, which is responsible for outreach, education, assistance, and is also the enforcer of compliance with the OSH Act. OHSA sets health and safety standards against which employers are measured. Those standards are published in Title 29 of the Code of Federal Regulations (29 U.S.C. §§ 651 to 678), and there are standards that apply to different industry sectors. The construction, maritime, and agriculture sectors each have their own set of standards due to the unique hazards and risks in those sectors, with separate standards set for general industry, which includes medical and dental offices.

OSHA standards have been set for a variety of health and safety areas, including fire safety, electrical safety, blood-borne pathogens, ionization radiation, hazardous materials, medical and first aid, personal protective equipment, emergency preparedness, and the general working environment.

OHSA conducts inspections of workplaces to ensure compliance and has the authority to impose financial penalties and sanctions. There is a tiered penalty structure of minimum and maximum penalties, although State Plans exist where states have control of OSHA regulations and can implement their own penalty structures.

The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) has been in effect for half the time of the OSH Act, with HIPAA signed into law by President Clinton on August 21, 1996. HIPAA set standards for the healthcare industry that must be followed by HIPAA-covered entities (healthcare providers, health plans, and healthcare clearinghouses) that conduct transactions involving protected health information electronically. HIPAA also applies to business associates of HIPAA-covered entities that are required to interact with protected health information.

When HIPAA was signed into law, the main aims of the legislation were to ensure individuals could retain health insurance coverage when between jobs, to introduce standards to reduce wastage in healthcare, and to help prevent healthcare fraud. Updates to the legislation over the years have seen HIPAA expanded to include standards covering the privacy and security of healthcare data and to give individuals rights over their healthcare data.

The Department of Health and Human Services is responsible for outreach, providing training materials and guidance, and enforcing HIPAA compliance, with the administrative standards regulated by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HIPAA Privacy, Security and Breach Notification Rules Regulated by the HHS’ Office for Civil Rights. State Attorneys General also play a role in HIPAA enforcement.

Each of those regulators can impose financial penalties and sanctions for non-compliance, in accordance with a tiered penalty structure based on the level of culpability.

OSHA and HIPAA Compliance

OSHA and HIPAA compliance is policed by different federal agencies and each set of regulations has different requirements for covered organizations, but there are some similarities between OSHA and HIPAA compliance.

OSHA and HIPAA compliance programs require all compliance efforts to be documented. Documentation may be requested during investigations and audits as proof of compliance. OSHA requires deaths, serious injuries, time off work due to injury or illness, medical treatment beyond first aid, restricted work and transfers to other jobs, loss of consciousness, and other issues to be recorded, and for all OHSA compliance documentation to be maintained. Employers must also update and maintain medical records for their employees. HIPAA requires all compliance efforts such as policies, procedures, and training to be recorded, along with records of any identified HIPAA violations and data breaches. HIPAA does not cover employee medical records but does cover the medical records of patients. There are minimum retention periods for documentation, although OHSA and HHS retention periods differ.

Both sets of legislation have strict reporting requirements. OHSA requires deaths and serious workplace injuries to be reported, while HIPAA requires breaches of protected health information to be reported. There are strict time frames for reporting in both the OSHA and HIPAA standards.

Ongoing OSHA and HIPAA compliance programs must be established that ensure working practices remain compliant. The failure of covered entities to ensure OSHA and HIPAA compliance can both result in substantial financial penalties. If there is an apparent violation of the HIPAA Rules or OSHA standards, individuals are permitted to file a complaint with regulators, but since there is no private cause of action in HIPAA or the OSH Act, it is not possible for individuals to sue for violations.

Federal and state regulators are responsible for investigating complaints, determining if there has been non-compliance, and deciding if financial penalties or sanctions are appropriate.

The post OSHA and HIPAA Compliance appeared first on HIPAA Journal.

OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has advised HIPAA-covered entities to assess the protections that they have implemented to secure their legacy IT systems and devices.

A legacy system is any system that has one or more components that have been supplanted by newer technology and reached end-of-life. When software and devices reach end-of-life, support comes to an end, and patches are no longer issued to correct known vulnerabilities. That makes legacy systems and devices vulnerable to cyberattacks.

Healthcare organizations should be aware of the date when support will no longer be provided, and a plan should be developed to replace outdated software and devices; however, there are often valid reasons for continuing to use outdated systems and devices.

Legacy systems may work well and be well-tailored to an organization’s business model, so there may be a reluctance to upgrade to new systems that are supported. Upgrading to a newer system may require time, funds, and human resources that are not available, or it may not be possible to replace a legacy system without disrupting critical services, compromising data integrity, or preventing ePHI from being available.

HIPAA-covered entities should ensure that all software, systems, and devices are kept fully patched and up to date, but in healthcare, there are often competing priorities and obligations. If the decision is made to continue using legacy systems and devices, it is essential for security to be considered and for safeguards to be implemented to ensure those systems and devices cannot be hacked. That is especially important if legacy systems and devices can be used to access, store, create, maintain, receive, or transmit electronic protected health information (ePHI).

It is not a violation of the HIPAA Rules to continue using software and devices that have reached the end of life, provided compensating controls are implemented to ensure ePHI is protected. “Despite their common use, the unique security considerations applicable to legacy systems in an organization’s IT environment are often overlooked,” said OCR in its cybersecurity newsletter, which would violate the HIPAA Rules.

In healthcare, there may be many legacy systems and devices in use that need to be protected. Healthcare organizations need to have full visibility into the legacy systems that reside in their organization, as if the IT department is unaware that legacy systems are in use, compensating controls will not be implemented to ensure they are appropriately protected.

It is vital for a comprehensive inventory to be created that includes all legacy systems and devices and for a security risk assessment to be performed on each system and device. “The HIPAA Security Rule requires covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment, including ePHI used by legacy systems,” explained OCR in its recent cybersecurity newsletter.

Risks must be identified, prioritized, and mitigated to reduce them to a low and acceptable level. Mitigations include upgrading to a supported version or system, contracting with a vendor to provide extended support, migrating the system to a supported cloud-based solution, or segregating the system from the network.

If HIPAA-covered entities choose to continue maintaining a legacy system existing security controls should be strengthened or compensating controls should be implemented. OCR says consideration should be given to the burdens of maintenance, as they may outweigh the benefits of continuing to use the legacy system and plans should be made for the eventual removal and replacement of the legacy system.

In the meantime, OCR suggests the following controls for improving security:

  • Enhance system activity reviews and audit logging to detect unauthorized activity, with special attention paid to security configurations, authentication events, and access to ePHI.
  • Restrict access to the legacy system to a reduced number of users.
  • Strengthen authentication requirements and access controls.
  • Restrict the legacy system from performing functions or operations that are not strictly necessary
  • Ensure backups of the legacy system are performed, especially if strengthened or compensating controls impact prior backup solutions.
  • Develop contingency plans that contemplate a higher likelihood of failure.
  • Implement aggressive firewall rules.
  • Implement supported anti-malware solutions.

The post OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance appeared first on HIPAA Journal.

Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI

Posted by HIPAA Journal

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk.

The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats.

The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to PHI to be tracked. Passwords are required to authenticate users, with the HIPAA Security Rule requiring HIPAA-regulated entities to implement, “procedures for creating, changing, and safeguarding passwords.”

The Varonis study, the results of which were published in its 2021 Data Risk Report: Healthcare, Pharmaceutical, & Biotech, revealed an average healthcare worker has access to 31,000 sensitive files containing PHI, financial, and proprietary data on their first day of work. Those files were stored on parts of the network that can be accessed by all employees.

On average, 20% of each organization’s files are open to every employee, even though in many cases access was not required to complete work duties. 50% of organizations investigated had more than 1,000 sensitive files open to all employees, and one in four files at small healthcare organizations could be accessed by every employee. There were no restrictions on access to 1 in 10 files that contained PHI or intellectual property.

“We discovered that smaller organizations have a shocking amount of exposed data, including sensitive files, intellectual property, and patient records. On their first day, new employees at small companies have instant access to over 11,000 exposed files, and nearly half of them contain sensitive data,” explained Varonis in the report. “This creates a massive attack surface and increases the risk of noncompliance in the event of a data breach.”

To reduce risk, it is vital to operate under the principle of least privilege. If employees are given broad access to sensitive information, not only does that increase the opportunity for insider data theft, if their credentials are compromised in a phishing attack, external threat actors will have easy access to huge volumes of data.

The problem is made worse by poor password practices. 77% of companies studied for the report had 501 or more accounts with passwords set to never expire, and 79% of organizations had more than 1,000 ghost accounts. Ghost accounts are inactive accounts that have not been disabled. These accounts give hackers an easy way to access sensitive data and traverse networks and file structures undetected.

According to the Verizon Data Breach Investigations Report, data breaches increased by 58% in 2020 with cyber threat actors actively targeting the healthcare, pharma, and biotech industries to steal sensitive data, intellectual property, and vaccine research data. The healthcare industry has the highest data breach costs which, according to the IBM Security Cost of a Data Breach Report, are $7.13 million per breach. Organizations that fail to restrict access to protected healthcare information can also face heavy financial penalties, which under HIPAA/HITECH are up to $1.5 million per year, per violation category.

“To get in front of increasingly malicious and sophisticated cyberattacks, hospitals, pharmaceutical companies, and biotech’s need to double down on maturing incident response procedures and mitigation efforts,” said Varonis. “Enforcing least privilege, locking down sensitive data, and restricting lateral movement in their environments are the absolute bare minimum precautionary measures that healthcare organizations need to take.”

The post Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI appeared first on HIPAA Journal.

September 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months.

Healthcare data breaches August 2020 to September 2021

While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months.

Healthcare records breached over the past 12 months

Largest Healthcare Data Breaches Reported in September 2021

16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records.

The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was reported to the HHS as affecting 500,000 individuals. The cyberattack is believed to have been conducted by a nation-state hacking group.

Two major data breaches were reported by eye care providers: A hacking incident at U.S. Vision Optical resulted in the exposure of the PHI of 180,000 individuals, and a phishing incident at Simon Eye Management gave the attackers access to email accounts containing the PHI of 144,373 individuals. The breaches are not believed to be related, but they are two of a handful of recent incidents affecting eye care providers.

Ransomware continues to be extensively used in attacks on the healthcare industry. 6 of the top 16 attacks in September involved ransomware and potentially saw PHI stolen. Several ransomware gangs have targeted the healthcare sector, with the FIN12 group one of the most active. A recent analysis of FIN12 attacks by Mandiant revealed 20% of the gang’s attacks have been on the healthcare industry, with the attacks accounting for around 20% of all incidents Mandiant responds to.

Hackers have been targeting the healthcare industry, but data breaches can also be caused by insiders with privileged access to PHI. One notable ‘insider’ breach was reported by Premier Management Company and involved data being accessed by a former employee after termination. The incident highlights the importance of ensuring access to PHI (and IT systems) is blocked immediately when an employee is terminated, leaves the company, or when job functions change that no longer require an employee to have access to PHI.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
State of Alaska Department of Health & Social Services AK Health Plan 500,000 Nation-state hacking Incident
U.S. Vision Optical NJ Healthcare Provider 180,000 Unspecified hacking incident
Simon Eye Management DE Healthcare Provider 144,373 Email account breach (phishing)
Navistar, Inc. Health Plan and the Navistar, Inc. Retiree Health Benefit and Life Insurance Plan IL Health Plan 49,000 Ransomware attack
Talbert House OH Healthcare Provider 45,000 Unspecified hacking incident (data exfiltration)
Premier Management Company TX Healthcare Provider 37,636 PHI accessed by an employee after termination
Central Texas Medical Specialists, PLLC dba Austin Cancer Centers TX Healthcare Provider 36,503 Malware
Orlick & Kasper, M.D.’s, P.A. FL Healthcare Provider 30,000 Theft of electronic devices containing PHI
McAllen Surgical Specialty Center, Ltd. TX Healthcare Provider 29,227 Ransomware attack
Asarco Health, Dental, Vision, Flexible Spending, Non-Union Employee Benefits, and Retiree Medical Plans AZ Health Plan 28,000 Ransomware attack
Horizon House, Inc. PA Healthcare Provider 27,823 Ransomware attack
Rehabilitation Support Services, Inc. NY Healthcare Provider 23,907 Unspecified hacking incident (data exfiltration)
Samaritan Center of Puget Sound WA Healthcare Provider 20,866 Theft of electronic devices containing PHI
Directions for Living FL Healthcare Provider 19,494 Ransomware attack
Buddhist Tzu Chi Medical Foundation CA Healthcare Provider 18,968 Ransomware attack
Eastern Los Angeles Regional Center CA Business Associate 12,921 Email account breach (phishing)

Causes of September 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 53.2% of all breaches reported in the month and 91.6% of all breached records. 1,147,383 healthcare records were exposed or stolen in those incidents, with an average breach size of 33,747 records and a median breach size of 2,453 records.

The number of incidents involving the theft of physical records or electronic equipment containing PHI increased month-over-month. September saw 6 theft incidents reported and 60,236 records compromised. The mean breach size was 10,039 records and the median breach size was 3,918 records. 4 of those breaches involved electronic equipment and could have been prevented had encryption been used.

There were 7 data breaches reported that involved unauthorized access or disclosures of data by insiders. 45,639 records were breached across those incidents, 37,636 of which were obtained in a single incident. The average breach size was 6,520 records and the median breach size was 1,738 records.

Causes of September 2021 healthcare data breaches

Given the high number of hacking and ransomware incidents reported, it is no surprise that the most common location of breached PHI is network servers. Email accounts continue to be targeted in phishing attacks, with 13 incidents in September involving PHI stored in email accounts. The number of devices containing PHI that were stolen highlights the importance of using encryption to protect stored data.

Location of PHI in September 2021 healthcare data breaches

September 2021 Data Breaches by HIPAA-Regulated Entity

Healthcare providers were the worst affected covered entity with 30 reported breaches. 10 breaches were reported by health plans, 6 breaches were reported by business associates, and one breach was reported by a healthcare clearinghouse.

5 breaches of those breaches were reported by a HIPAA-covered entity but occurred at a business associate. The adjusted figures are shown in the pie chart below.

September 2021 healthcare data breaches by HIPAA-regulated entity type

September 2021 Healthcare Data Breaches by State

Data breaches were reported by HIPAA-regulated entities based in 25 states. Texas was the worst affected state with 6 reported breaches of 500 or more records, followed by California with 5 breaches and Connecticut with 4.

State Breaches
Texas 6
California 5
Connecticut 4
Florida & Washington 3
Arizona, Georgia, Illinois, New York, Ohio, & Pennsylvania 2
Alaska, Delaware, Indiana, Kentucky, Maryland, Minnesota, Missouri, New Jersey, New Mexico, Oregon, Rhode Island, Tennessee, Virginia, & Wisconsin 1

HIPAA Enforcement Activity in September 2021

The Department of Health and Human Services’ Office for Civil Rights now has a new director, and it is currently unclear what direction she will take in the department’s HIPAA enforcement actions.

Since the fall of 2019 OCR has been targeting HIPAA-regulated entities that fail to comply with the HIPAA Right of Access and September saw the 20th financial penalty imposed under this initiative for the failure to provide individuals with access to their healthcare records.

Children’s Hospital & Medical Center in Omaha, NE, settled its HIPAA Right of Access case with OCR and paid an $80,000 financial penalty. This was the ninth OCR case this year to have resulted in a financial penalty for non-compliance with the HIPAA Rules.

There were no reported enforcement activities by state attorneys general in September.

The post September 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty

Posted by HIPAA Journal

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty.

Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI).

Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network which contained the PHI of 14,663 patients, 11,071 of which were New Jersey residents.

As a HIPAA covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access.

Diamond Investigated for Compliance with Federal and State Laws

The State of New Jersey Department of Law and Public Safety Division of Consumer Affairs investigated Diamond over the data breach to determine compliance with federal and state laws. The investigation revealed Diamond had entered into a support contract with the managed service provider (MSP) Infoaxis Technologies in 2007, which including security and information technology services including maintaining its third-party server and workstations. The service agreement included third-party software for the management and reporting of audit logs intended to interpret triggers for event alerts.

Around March 2014, Diamond downgraded its support package with the MSP, resulting in a reduction in the services provided, although Diamond maintains there was no reduction in services between the two support agreements other than the amount of time included for on-site support services.

Prior to the breach occurring, Diamond’s HIPAA Privacy and Security Officer used a Remote Desktop Protocol (RDP) service with a VPN to access the Diamond network, but because the VPN was blocked from the Bermuda office, the MSP provided a different method of access that involved opening a port in the firewall to allow RDP access, instead of using the VPN for authentication.

Between August 28, 2016 and January 14, 2017, a workstation in the Millburn office was accessed by an unauthorized individual on several occasions from a foreign IP address. The unauthorized access was detected and blocked on January 14, 2017. During the time the workstation was accessible, data on the device was not encrypted. The intruder therefore potentially accessed patient data including names, dates of birth, Social Security numbers, and medical record numbers.

An investigation into the breach also revealed an intruder accessed Diamond’s third-party server which housed its electronic medical records within a password-protected SQL server using two compromised Diamond user accounts that had weak passwords. The investigation revealed weak security settings were in place for failed login attempts and password expiration.

While the EMR data was not compromised, the intruder was able to access PHI such as test results, ultrasound images, and clinical and post-operative notes. Diamond’s investigation was unable to confirm how access to the network was gained.

Multiple HIPAA Violations Uncovered

The state investigation into the data breach revealed business associate agreements were not in place prior to sharing ePHI with three business associates: Infoaxis, BMedTech, and Igenomix, in violation of the HIPAA Rules. Diamond was also alleged to have violated the CFA, HIPAA Security Rule, and HIPAA Privacy Rule by removing administrative and technological safeguards protecting PHI and ePHI, which allowed unauthorized individuals to gain access to its systems and ePHI for around five and a half months.

The CFA violations included misrepresentation of HIPAA practices in its privacy and security policy, a failure to secure its network leading to a data breach, and unconscionable commercial practices.

The settlement agreement lists failures to comply with twenty-nine provisions of the HIPAA Privacy and Security Rules. Alleged violations include the failure to conduct a comprehensive risk assessment, failure to encrypt ePHI, failure to modify security measures to ensure reasonable protections for ePHI were maintained, failure to implement procedures for creating, changing, and modifying passwords, and a failure to verify the identify of individuals seeking access to ePHI.

Diamond disputes many of the claims made by the state but agreed to settle the case and pay a $495,000 financial penalty, which consists of $412,300 in civil penalties and $82,700 in investigation fees.

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said Acting Attorney General Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”

In addition to the financial penalty, Diamond is required to implement additional measures to improve data security, including the use of encryption to prevent unauthorized access to ePHI, implementing a comprehensive information security program, appointing a new HIPAA officer, providing additional training to staff on security policies, developing a written incident response plan, and improving logging, monitoring, access controls, password management, and implementing a risk assessment program.

“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

The post New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty appeared first on HIPAA Journal.