HIPAA Compliance News

July 2021 Healthcare Data Breach Report

Posted August 23, 2021 by HIPAA Journal

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day.

The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records.

Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month!

Largest Healthcare Data Breaches in July 2021

Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the Wisconsin healthcare provider Forefront Dermatology. The exact nature of the attack was not disclosed so it is unclear if ransomware was used. Hackers gained access to parts of its network that contained the protected health information of 2.4 million individuals. The second largest data breach was reported by Practicefirst, a New York business associate of multiple HIPAA-covered entities. Ransomware was used in the attack and the healthcare data of 1.2 million individuals was potentially exfiltrated.

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Breach Cause	Business Associate Present
Forefront Dermatology, S.C.	Healthcare Provider	2,413,553	Hacking/IT Incident	Unspecified hacking incident	Yes
Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions/PBS Medcode Corp	Business Associate	1,210,688	Hacking/IT Incident	Ransomware attack	Yes
UF Health Central Florida	Healthcare Provider	700,981	Hacking/IT Incident	Ransomware attack	No
Orlando Family Physicians, LLC	Healthcare Provider	447,426	Hacking/IT Incident	Phishing attack	No
HealthReach Community Health Centers	Healthcare Provider	122,340	Improper Disposal	Improper disposal of electronic medical records	No
Guidehouse	Business Associate	84,220	Hacking/IT Incident	Ransomware attack (Accellion FTA)	Yes
Advocate Aurora Health	Healthcare Provider	68,707	Hacking/IT Incident	Ransomware attack (Elekta)	Yes
McLaren Health Care Corporation	Healthcare Provider	64,600	Hacking/IT Incident	Ransomware attack (Elekta)	Yes
Coastal Family Health Center, Inc	Healthcare Provider	62,342	Hacking/IT Incident	Ransomware attack	No
Florida Heart Associates	Healthcare Provider	45,148	Hacking/IT Incident	Ransomware attack	No
A2Z Diagnostics, LLC	Healthcare Provider	35,587	Hacking/IT Incident	Phishing attack	No
University of Maryland, Baltimore	Business Associate	30,468	Hacking/IT Incident	Unspecified hacking incident	Yes
Florida Blue	Health Plan	30,063	Hacking/IT Incident	Brute force attack (Member portal)	No
Intermountain Healthcare	Healthcare Provider	28,628	Hacking/IT Incident	Ransomware attack (Elekta)	Yes

Causes of July 2021 Healthcare Data Breaches

As the table above shows, ransomware continues to be extensively used in cyberattacks on healthcare organizations and their business associates. Those attacks can easily result in the theft of large amounts of healthcare data. The majority of ransomware gangs (and their RaaS affiliates) are now exfiltrating sensitive data prior to using ransomware to encrypt files. Victims are required to pay to prevent the publication or sale of the stolen data as well as a payment to obtain the keys to decrypt files.

To help combat this rise in double extortion ransomware attacks, new guidance has been released by the Cybersecurity and Infrastructure Security Agency. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer networks, with the emphasis now shifting away from perimeter defenses to assuming attackers have already gained access to the network. Mechanisms therefore need to be implemented to reduce the harm that can be caused.

Hacking/IT incidents, of which ransomware accounts for a many, dominate the month’s breach reports. There were 52 reported hacking/IT incidents in which the protected health information of 5,393,331 individuals was potentially compromised. That’s 96.82% of all records breached in July. The mean breach size was 103,718 records and the median breach size was 4,185 records.

There were 13 reported unauthorized access/disclosure incidents, which include misdirected emails, mailing errors, and snooping by healthcare employees. 52,676 healthcare records were impermissibly viewed or disclosed to unauthorized individuals across those incidents. The mean breach size was 4,052 records and the median breach size was 1,038 records. There were two theft incidents reported involving a total of 2,275 records and one improper disposal incident involving 122,340 electronic health records.

The vast majority of incidents involved the hacking of network servers; however, email accounts continue to be compromised at high rates. 21 breaches involved protected health information stored in email accounts. The majority of the email incidents involved the theft of employee credentials in phishing attacks.

Data Breaches by Covered Entity Type

Healthcare providers reported 47 data breaches in July, with 11 breaches reported by business associates and 10 breaches reported by health plans; however, the reporting entity is not the best gauge of where these breaches occurred. In many cases, the breach was experienced at a business associate, but was reported by the covered entity.

When this is taken into account, the figures show that healthcare provider and business associate data breaches are on a par, with 30 breaches each for July 2021, as shown in the pie chart below.

July 2021 Healthcare Data Breaches by State

July saw healthcare data breaches reported by HIPAA-covered entities and business associates based in 32 states and the District of Columbia.

State	Number of Reported Healthcare Data Breaches
Florida	6
California, New York & Texas	5
Illinois & North Carolina	4
Connecticut, Minnesota, Nebraska & New Jersey	3
Mississippi, Oklahoma, Washington & Wisconsin	2
Alabama, Georgia, Iowa, Indiana, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Ohio, Pennsylvania, South Carolina, Utah, Virginia, West Virginia & the District of Columbia	1

HIPAA Enforcement Activity in July 2021

The HHS’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance, did not announce any new enforcement actions against HIPAA-covered entities or business associates in July, nor were there any enforcement actions announced by state Attorneys General.

The OCR year-to-date total still stands at 8 financial penalties totaling $5,570,100, with just the one financial penalty imposed by state attorneys general – A multi-state action that saw American Medical Collection Agency (AMCA) fined $21 million.

Data for this report came from the HHS’ Office for Civil Rights breach portal.

The post July 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA

Posted August 21, 2021 by HIPAA Journal

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA?

It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today.

It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially initially due to the considerable administrative burden it placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives.

The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes that have helped to reduce waste and healthcare fraud. The improvements have generally been made for relatively little cost.

HIPAA certainly has its strengths, but there are also limitations that have become increasingly apparent in recent years and even now, 25 years after the legislation was first introduced, there is still confusion about what compliance entails.

In this article we will explore the strengths and limitations of HIPAA, assess how effective HIPAA has been, and will explore the future of HIPAA and what can be expected in terms of updates to the legislation. First, however, it is useful to provide a brief recap of the history of HIPAA and how the legislation has evolved over the years.

A Brief History of HIPAA

HIPAA was initially introduced to improve the portability of health insurance coverage for employees between jobs, to combat waste, fraud and abuse in health insurance and healthcare delivery, to promote the use of medical savings accounts by introducing tax breaks, and to simplify the administration of health insurance. The legislation was later augmented with new Rules covering the privacy and security of healthcare data.

Initially, HIPAA only applied to a limited number of entities in the healthcare industry – healthcare providers, health plans, and healthcare clearinghouses, and only those that transmit healthcare data in electronic form for certain transactions for which the HHS maintains standards. The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the scope of HIPAA to cover business associates of HIPAA covered entities – third-party firms that require access to protected health information (PHI) to provide services or products to covered entities.

Important updates to HIPAA are detailed below:

HIPAA Signed into Law by President Bill Clinton – August 1996
Effective Date of the HIPAA Privacy Rule – April 2003
Effective Date of the HIPAA Security Rule – April 2005
Effective Date of the HIPAA Enforcement Rule – March 2006
Effective date of HITECH and the Breach Notification Rule – September 2009
Effective Date of the Final Omnibus Rule – March 2013

HIPAA’s Strengths and Weaknesses

There are many positives that have come from HIPAA, the best known of which are improving privacy protections for patients and improving the security of healthcare data. HIPAA limits the uses and disclosures of patient data to those related to treatment, payment, or healthcare operations and all covered entities and business associates must implement appropriate administrative, physical, and technical safeguards to ensure patient data are appropriately protected from internal and external threats.

Importantly, HIPAA gave individuals new rights with respect to their healthcare data. Prior to the introduction of the HIPAA Privacy Rule, patients were not even permitted to see their medical files. HIPAA gave individuals the right to obtain and inspect a copy of their healthcare data and request errors be corrected. HIPAA made sure patients are informed about how their healthcare data will be used and disclosed, gave patients the right to further limit disclosures of their health data, and also allowed them to view an “accounting of disclosures” to see who has been provided with their healthcare data.

HIPAA has improved the portability of health insurance for employees between jobs and has helped to prevent discrimination against people with pre-existing conditions when receiving health insurance coverage. Efficiency in healthcare has been improved by standardizing transactions through the use of standard code sets and has helped to significantly reduce waste and fraud in healthcare.

However, it has not all been plain sailing. One of the initial requirements of HIPAA was to create a national patient identifier system, but 25 years on and that requirement has still failed to be implemented. Without a national patient identifier system, it can be difficult identifying patients which can result in medical record mismatching. One ONC study in 2014 suggested between 50% and 60% of records are mismatched when shared between different healthcare providers.

Another weakness of HIPAA is its coverage of healthcare data, which is limited to healthcare data collected, held, processed, stored, or transmitted by HIPAA-covered entities and business associates. If a non-HIPAA-covered entity or non-business associate collects the exact same data, HIPAA protections do not apply.

The HIPAA Rules are not clear in places due to the flexibility built into the legislation, so there is potential for misinterpretation of the requirements and there is still confusion among some HIPAA covered entities and business associates when it comes to compliance.

One criticism often made by patients is the lack of a private cause of action. It is not possible to sue for a HIPAA violation, even if the HIPAA Rules have clearly been violated and harm has been suffered. Legal action can only be taken under state laws.

Has HIPAA Been Effective?

In the early years following the introduction of the HIPAA Privacy and Security Rules, questions were asked about how effective the legislation has been. HIPAA certainly looked good on paper but was less effective in practice and noncompliance was widespread. Even the introduction of the HIPAA Enforcement Rule in 2006, which gave the HHS’ Office for Civil Rights the authority to impose financial penalties and sanctions for noncompliance, failed to have a major effect at spurring covered entities into compliance. Enforcement was also very slow at first. It took until 2008 for the first enforcement action to result in a financial penalty, then there was only one financial penalty in 2009 and just two in 2010.

The first phase of HIPAA compliance audits conducted in 2011/2012 highlighted just how many covered entities had ineffective HIPAA compliance programs. The audits uncovered many violations of both the HIPAA Privacy and Security Rules. Even those violations, some of which were serious, did not result in any financial penalties. Some of the fiercest criticism of HIPAA in the early years was it was all bark and no bite.

The introduction of the HITECH Act was a major turning point in the history of HIPAA. Prior to the HITECH Act, business associates were not covered to a large extent by HIPAA, even though they were frequently provided with PHI. The HITECH Act made the HIPAA Rules directly applicable to business associates, which could then be fined directly if they did not also comply with the HIPAA Rules. Business associates include a huge range of third-party companies such as accountants, attorneys, billing companies, collection agencies, consultants, data analysts, and IT firms, so the HITECH Act, and subsequent Omnibus Rule, addressed that major gap.

The introduction of the HITECH Act also saw the penalties for noncompliance significantly increased and OCR also increased its HIPAA enforcement activities. With major fines issued for HIPAA violations, HIPAA compliance became a major focus for HIPAA-covered entities and business associates.

Enforcement of compliance has been critical to the success of HIPAA and while there are still many cases each year of noncompliance, on the whole the requirements of HIPAA have been largely implemented and the benefits of HIPAA are being realized.

Issues with Patient Access to PHI

Since the 2000 HIPAA Privacy Rule was introduced, patients have been given the right to obtain a copy of their own healthcare data, or to have that data sent to their nominated representative. The HITECH Act updated that right and helped individuals obtain a copy of their health data in electronic form, due to the increasing use of electronic health record systems.

While healthcare organizations have implemented policies that allow patients to exercise their access rights, many patients have experienced problems obtaining a copy of their healthcare data. They have either been refused access, requests have been delayed, and patients have been charged excessive fees for exercising their access rights – HIPAA only permits covered entities to charge a reasonable, cost-based fee for providing records.

One of the requirements of the 21st Century Cures Act, introduced in 2016, was to call on the Government Accountability Office to report on the barriers to patient medical record access and following assessments the HHS’ Office for Civil Rights launched a new HIPAA enforcement initiative targeting violations of the HIPAA Right of Access of the HIPAA Privacy Rule in the fall of 2019. That enforcement initiative is still active and, up until the end of July 2021, OCR has imposed 19 financial penalties on healthcare providers found to have been in violation of the HIPAA Right of Access.

Prior to the OCR enforcement initiative, only one financial penalty had been imposed for violations of this important right and that was the $4,300,000 financial penalty imposed on Cignet Health of Prince George’s County in 2011 for denying 741 patients access to their medical records.

HIPAA has Improved Healthcare Data Security

Prior to the introduction of the HIPAA Security Rule, healthcare organizations only had to comply with state laws covering data security. The Security Rule set new minimum standards for data security to ensure the confidentiality, integrity, and availability of electronic PHI. The Security Rule requires risk analyses to be conducted and risks reduced to a reasonable and acceptable level. Access controls are required to prevent unauthorized access to healthcare data, logs must be maintained and checked to identify unauthorized access, backups of data must be made, measures must be implemented to protect against reasonably anticipated, impermissible uses or disclosures, and staff must be provided with security awareness training.

Data security has improved, but data breaches are now occurring at records levels. For the past 5 months, data breaches have been reported by healthcare organizations and business associates at a rate of over 2 per day, but without the Security Rule requirements, far more breaches would be likely to occur.

The HIPAA Security Rule does have weaknesses. To remain relevant the HIPAA Security Rule had to be technology agnostic, so specific measures for security are generally not stipulated. It is left to the discretion of each entity to determine what constitutes “reasonable” protections. If the Security Rule was more specific with regard to required security protections, many more data breaches could be prevented.

The Security Rule also only applies to HIPAA covered entities and business associates, not to any other entity. It therefore has limited reach, and does not cover health data collected by health apps, or the huge volumes of data collected and sold by data brokers. There is therefore considerable scope for improvement to better protect all health data.

The HIPAA Security Rule also calls for security awareness training for staff but does not stipulate how frequently it should be provided. With the threat landscape constantly changing, regular training must be provided to the workforce to ensure employees are kept aware of the latest threats and are taught how to avoid them. Many covered entities and business associates are compliant with this requirement yet fail to provide training regularly enough to prevent cyberattacks and the associated privacy violations.

How Has HIPAA Fared with Changing Technology?

No legislative act will be able to maintain pace with the pace at which technology has evolved, especially one covering the healthcare industry. This is why HIPAA provided a framework rather than specifics and incorporated flexibility to accommodate for changes to healthcare technology and evolving privacy and security best practices.

Updates have been made over the years which have amended HIPAA to maintain relevance, such as the 2008 Genetic Information Non-discrimination Act (GINA) which restricts the use of individuals’ genetic data by health insurers and employers and the American Recovery and Reinvestment Act, of which the HITECH Act was part, which strengthened HIPAA in relation to the adoption of EHRs.

However, many new technologies have emerged over the years that are not covered by HIPAA. Personal electronic devices are extensively used which can collect huge amounts of personal and health data, such as fitness trackers and other wearable devices and smartphones have made it much easier for individuals to obtain, use, and share healthcare data.

Many of these devices collect data that would fall under the category of PHI if created or collected by a HIPAA-covered entity but are not within the scope of HIPAA, even though the same data are often collected by those devices. The extent to which these devices are now being used, and the sheer volume of digital health and wellness data being generated outside the healthcare system by individuals, is a growing cause of concern. Without the protections of HIPAA, healthcare data may not be properly protected and could be shared extensively or sold on with ease.

The HIPAA Privacy Rule does not adequately cover the collection of healthcare data, as it only covers uses and disclosures by certain entities. It does not apply to health data itself, and this could be argued is one of the biggest failures of HIPAA. The same is true of the HIPAA Security Rule, which also has a restrictive scope and only calls for administrative, physical, and technical safeguards for the healthcare data held, received, or transmitted by HIPAA-covered entities and their business associates.

Healthcare data is extremely valuable, and not only to bad actors such as cybercriminals. Cybercriminals can use healthcare data for fraud and identity theft, but it also has tremendous value to a wide range of businesses. Healthcare and wellness data can be used by insurers to gauge risk – which can affect insurance premiums. Employers can use health data to make decisions about potential new hires, and all manner of other businesses can use the data to make decisions about individuals that could have significant consequences for the data subjects.

The question about whether HIPAA should be updated to cover all healthcare data has yet to be fully answered. Many attempts have been made to introduce legislation to cover all healthcare data, but each has failed to make it through the Senate.

The scope of HIPAA could be expanded to include individually identifiable health information collected, used, transmitted, or maintained by non-HIPAA covered entities and non-business associates. Alternatively, new separate legislation is required to cover healthcare data not currently regulated by HIPAA. The solution could well be to leave HIPAA as it is and to instead introduce a national privacy law akin to the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

HIPAA Training and Education Need to Improve

HIPAA is not perfect and there are still significant gaps in the legislation, something that the coronavirus pandemic has highlighted. HIPAA doesn’t extend to the army of contact tracers and the data they collect, nor does it adequately cover exposure notification apps and may disclosures of COVID-19 related data. This is an area, like personal health apps, that needs to be addressed as there is considerable potential for privacy violations.

Vaccination programs have highlighted several areas where education needs to be improved. There have been many cases of HIPAA being cited as a reason not to disclose or share vaccination data, when HIPAA does not place restrictions on disclosures of vaccination information by individuals to employers or others.

Training remains a key issue with HIPAA and is often a much bigger weakness than technology or the HIPAA text itself. It is often uninformed people, and not healthcare technology and privacy and security controls, that are the reason for security breaches and privacy violations. While updates to HIPAA are needed, improvements need to be made to training programs to ensure all individuals with access to PHI or systems containing PHI are aware of their responsibilities and are trained how to be HIPAA-compliant employees.

Training needs to be appropriate to the role of each individual and training needs to be reinforced. Regular training sessions need to be provided to the workforce to make sure that the requirements of HIPAA are fully understood and are not forgotten over time. At many covered entities and business associates, employee training on HIPAA is not provided frequently enough.

Proposed Updates to the HIPAA Privacy Rule

Ahead of the 25-year anniversary of the HIPAA Privacy Rule, a significant update was proposed by the HHS. The proposed update published by the HHS in 2020 is intended to address several aspects of the Privacy Rule that are hampering care coordination and adding an unnecessary administrative burden on healthcare providers.

One of the main reasons for the update, according to then HHS Secretary Alex Azar, was to “break down barriers that have stood in the way of common sense care coordination and value-based arrangements for far too long.” The proposed update will improve care coordination and case management for patients, allow families and caregivers to become more involved in the provision of care to individuals, improve patients’ access to their health data, and will introduce new flexibilities covering disclosures of PHI in emergency and threatening situations, while also reducing the administrative burden on healthcare organizations. These updates have been long overdue but there has been criticism that the updates do not go far enough, and that some of the suggested updates are ill-advised.

One of the aspects addressed in the update will make it easier for patients to obtain a copy of their electronic healthcare data, but there are potential privacy and security risks with the change. Patients will be given the “right to direct the transmission of certain protected health information in an electronic format to a third party.” This right will help patients share their healthcare data with research organizations, but there are concerns that this change could have a negative impact on patients. Patients could request their health data be sent to anyone they choose, when the transmission of data to an entity not covered by the protections of HIPAA carries a security risk. The new right will certainly give patients much greater access and control over their personal data, but potentially it increases the risks that PHI may fall into the hands of bad actors.

The Future of HIPAA

HIPAA has been a great success, but it is far from perfect. There are still areas that require tweaking to improve usability and remove some of the administrative burden placed on HIPAA-covered entities. Proposed updates to the HIPAA Privacy Rule go some way to addressing some of the issues, but for many, the new HIPAA regulations that have been proposed do not go nearly far enough and some of the proposed changes have potential to cause privacy issues.

Overall, for legislation that is 25 years old, HIPAA has, with its various amendments, survived the test of time and is even more relevant and useful now than it was when it was first signed into law in 1996. HIPAA should be viewed as a work in progress though, and as far as the Future of HIPAA is concerned, there are likely to need to be further updates to ensure it remains relevant and effective.

Future of HIPAA FAQs

Does HIPAA cover all healthcare data?

HIPAA covers identifiable healthcare data, which is any healthcare data created, collected, transmitted, or maintained by a HIPAA-covered entity or business associate for treatment, payment for healthcare, or healthcare operations relating to the past, present, or future health status of an individual. Health data is not covered by HIPAA if it is created, stored, or transmitted by a non-HIPAA-covered entity or non-business associate.

Who does HIPAA apply to?

HIPAA applies to HIPAA-covered entities and their business associates. HIPAA-covered entities are healthcare providers, health plans, and healthcare clearinghouses that conduct electronic transactions involving PHI for which the HHS has developed standards. Business associates are vendors that provide products or services to HIPAA-covered entities that requires contact with PHI. HIPAA does not apply to other entities such as reporters, senators, individuals, and most employers.

Are there privacy risks associated with health apps?

Health apps, fitness trackers, and other wearable devices are not generally covered by HIPAA, nor are the data they collect or transmit. Without the protection of HIPAA, health app developers may use, disclose, or sell health data collected through the apps, and the security measures implemented may not meet HIPAA standards. There may be privacy and security risks associated with the use of these apps and devices.

Does HIPAA prevent disclosures of COVID-19 vaccination information?

Many people hide behind HIPAA and use the regulation as an excuse not to answer questions. One of the most notable recent examples, of which there are many, came from Marjorie Taylor Greene when asked about her vaccination status and cited HIPAA as the reason she could not disclose the information. HIPAA does not prevent such discloses. It only places restrictions on uses and disclosures by healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities.

How often does HIPAA training need to be provided?

HIPAA training must be provided to all healthcare employees within a reasonable period of time after the person joins the covered entity’s workforce, as well as when functions are affected by a material change in policies or procedures and following any updates to the HIPAA Rules. HIPAA refresher training should also be provided at least annually, and no later than every two years. Annual training is the best practice.

The post Future of HIPAA: Reflections at the 25th Anniversary of HIPAA appeared first on HIPAA Journal.

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

Posted July 23, 2021 by HIPAA Journal

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims.

Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments.

In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims.

The San Diego Sheriff’s’ Department had initiated a traffic stop on Konrad Piekos for driving without a license plate. When police officers approached the vehicle, they saw an assault rifle in plain sight in his vehicle. Piekos admitted possessing an unregistered assault rifle, and the subsequent vehicle search revealed several loaded firearms and ammunition. A warrant was obtained to search Piekos’ properties and police officers found several other firearms and ammunition, quantities of heroin and fentanyl, and mobile phones. After obtaining warrants to search the phones, detectives identified text messages between Piekos, Genetti, and Lombardo discussing the illicit distribution of narcotics, firearms, and a scheme to obtain unemployment benefits using other persons’ personal identifying information (PII).

Piekos and Genetti had conspired together to fraudulently obtain PUA benefits in July 2020, with Lombardo joining the scheme in August 2020. Lombardo is alleged to have used his position as a patient financial service representative to access patients’ PII, which he then distributed to Piekos, Genetti, and Milosavljevic starting on August 15,2020, according to the indictment. Scripps Health terminated Lombardo on April 14, 2021.

In a separate case, Genetti and three other defendants – Lindsay Renee Henning, Garrett Carl Tuggle, and Salvatore Compilati – were charged with conspiracy to commit wire fraud. Henning and Tuggle were also charged with aggravated identity theft, and Henning, Tuggle, and a fourth defendant, Juan Landon, were charged with possession of methamphetamine, cocaine, and heroin with intent to distribute. The defendants had submitted more than 108 separate claims for PUB benefits, totaling $1,615,000.

Lombardo faces a maximum jail term of 10 years in prison for the HIPAA violation along with a fine and penalty assessment. The conspiracy to commit wire fraud charges carry a maximum jail term of 20 years in prison with a fine and penalty assessment, and there is a mandatory minimum 2-year jail term for the aggravated identity theft charges, with the aggravated identity theft jail term consecutive to any other sentences.

“Pandemic unemployment insurance programs are a critical part of our safety net designed to support hardworking citizens who are suffering during an unprecedented economic downturn,” said Acting U.S. Attorney Randy Grossman. “Our office and our law enforcement partners will investigate and prosecute individuals who attempt to steal from these programs designed to assist deserving recipients.”

The post Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case appeared first on HIPAA Journal.

Webinar Today July 8, 2021: All Your HIPAA Questions Answered

Posted July 1, 2021 by HIPAA Journal

In recent years, the Department of Health and Human Services’ Office for Civil Rights has issued guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules and how they apply in certain situations. Even with this guidance, there is still considerable confusion around HIPAA and how the HIPAA Privacy, Security, and Breach Notification Rules and the Omnibus Rule HIPAA updates apply to covered entities and their business associates.

All HIPAA covered entities and business associates must ensure they are compliant with all appropriate provisions of the HIPAA Rules and there are severe penalties for noncompliance. Over the past few years, OCR has stepped up enforcement and regularly imposes financial penalties on covered entities and business associates that are discovered not to have complied with the provisions of HIPAA.

OCR investigates breaches of protected health information, and they are now being reported at record rates. In 2010, the first full year after OCR started publishing summaries of healthcare data breaches on its website, there were 199 reported healthcare data breaches of 500 or more records. In 2020, there were 642 reported breaches… a rise of 222%. The first half of 2021 has just come to an end and there have already been 327 reported breaches this year. There is now a much greater chance of HIPAA violations being discovered. HIPAA compliance has never been more important.

HIPAA Journal regularly receives questions about HIPAA compliance and how the HIPAA Rules apply in certain situations. To help clear up confusion, HIPAA Journal has partnered with Compliancy Group, a leader in the compliance space that educates healthcare providers and their business associates and helps them become and remain HIPAA compliant.

On Thursday, July 8, 2021, you will have an opportunity to have your questions about HIPAA compliance answered in an interactive webinar.

Webinar Today: Thursday July 8, 2021: All Your HIPAA Questions Answered

“Our goal is to help eliminate any HIPAA stress or concerns you may have. Get quick responses to your questions and gain confidence in compliance today.”

Use the form below to register for the webinar.

The post Webinar Today July 8, 2021: All Your HIPAA Questions Answered appeared first on HIPAA Journal.

No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation

Posted June 28, 2021 by HIPAA Journal

The U.S. Court of Appeals for the Fourth Circuit has ruled that there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA) to address improper disclosures of protected health information; however, the ruling suggests there is potentially a cause of action under the 14th amendment when an individual’s privacy is violated.

The case, Payne v. Taslimi, named Christopher N. Payne as plaintiff and Jahal Taslimi as the defendant. Payne was a Deep Meadow Correctional Center inmate and Taslimi a prison doctor. Payne took legal action against Taslimi over an alleged improper disclosure of his confidential medical information. Payne alleged Taslimi had approached his bed and stated in a voice loud enough for others to hear that the plaintiff had not taken his HIV medication. Payne alleged staff members, other inmates, and civilians had heard the doctor.

In the lawsuit, Payne claimed his medical records were confidential and his HIPAA rights had been violated at Deep Meadow Correctional Center by Taslimi, as well as his right to privacy under the 14th Amendment. The district court dismissed Payne’s claims, but the decision was appealed.

The Court of Appeals for the Fourth Circuit affirmed the decision of the district court and confirmed there was no private cause of action under HIPAA. The court also affirmed the decision of the district court to dismiss the claim of a violation of the 14th Amendment.

In the decision, the Court of Appeals said the violation of the 14th Amendment hinged on whether Payne had “a reasonable expectation of privacy” with regards to information about his HIV medications. Since Payne was a Deep Meadow Correctional Center prisoner, the court ruled that Payne lacked a reasonable expectation of privacy concerning his diagnosis and treatment plan, especially since the information was about a communicable disease.

The court ruled that the test in such cases is whether there is a compelling government interest that outweighs the plaintiff’s privacy interest. The ruling suggests there may be a cause of action under the 14th Amendment where there has been a disclosure of private medical information and no compelling government interest.

The post No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation appeared first on HIPAA Journal.

Former Mayo Clinic Doctor Charged Over Improper Medical Record Access

Posted June 28, 2021 by HIPAA Journal

In October 2020, Mayo Clinic announced a former employee was discovered to have impermissibly accessed the medical records of approximately 1,600 patients. According to a statement issued by the Mayo Clinic, the former employee viewed demographic information, date of birth, medical record number, clinical notes, and in some cases images. Mayo Clinic said its investigation uncovered no evidence to suggest any patient data was copied or retained. All affected patients were notified about the breach by mail.

The employee in question was Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, who was a doctor at Mayo Clinic. Alsughayer ended his employment with Mayo Clinic in August 2020, around the time that the privacy violation was discovered.

A criminal case has now been opened by the Olmsted County Attorney’s Office. Alsughayer has been charged with gross misdemeanor unauthorized computer access and has been scheduled to appear in court on July 8, 2021. The criminal case stems from allegations that Alsughayer had abused his access rights to view medical records when there was no need to do so to fulfil his role as a doctor and hospital employee. Alsughayer’s legal team filed a motion to dismiss the lawsuit on June 1, 2021 “”on the grounds that there does not exist probable cause to believe the defendant committed the offense(s) charged therein.”

Allegations had previously been made against Alsughayer in three lawsuits, the latest of which was filed against Alsughayer and Mayo Clinic on May 29, 2021. In December 2020, a female patient, named as K.M.M in the lawsuit, contacted Rochester police after receiving a breach notification letter from Mayo Clinic.

She had learned that her medical records had been accessed by a hospital worker, which included nude images that were taken on three separate occasions. After requesting to view her medical records, the woman discovered the dates of inappropriate access coincided with the dates that the images were taken. She alleged the hospital employee referred to in the breach notification letter had accessed her medical records specifically to view her nude images.

According to the lawsuit, the doctor “was at an off-campus, private location” when her medical records were accessed and “Alsughayer did not need photographic images of plaintiff’s breasts and genitals to do his job.” A court hearing has been scheduled in August.

In addition to that lawsuit, two class action lawsuits had already been filed in Olmsted County Court in connection to the breach. Amanda Bloxton-Kippola (MI) and Chelsea Turner (MN) are named as the plaintiffs in one of those lawsuits against Alsughayer and Mayo Clinic, with the second lawsuit naming Olga Ryabchuk (MN) as the plaintiff and John Doe and Mayo Clinic as defendants. One of the lawsuits alleges medical records accessed that included nude photographs taken by Mayo Clinic as part of the healthcare services provided. Both lawsuits have been scheduled for trial next year.

The post Former Mayo Clinic Doctor Charged Over Improper Medical Record Access appeared first on HIPAA Journal.

Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation

Posted June 25, 2021 by HIPAA Journal

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend.

Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties.

Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Bacor used her login credentials to access his medical records from October 2013 to September 2017 on multiple occasions between April and October 2017, when there was no legitimate work reason for doing so.

Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed.

Bacor took a photograph of a medical image that showed injuries sustained by her ex-boyfriend and sent the photo to a third party. The third party subsequently sent the image to other individuals via Facebook Messenger, including taunting language and emojis with the image. Bacor was also found to have stated in social media chats with another person that she was attempting to get primary custody of the two children she had with her ex-boyfriend.

After learning about the privacy breach, the ex-boyfriend filed a complaint with the hospital on October 4, 2017 alleging Bacor had accessed his medical records without authorization and provided the photo to the hospital. The hospital conducted an investigation into the privacy breach and confirmed Bacor had accessed his medical records on 10 occasions. Bacor was initially suspended, then fired for the HIPAA violation.

In August 2020, Bacor admitted to law enforcement officers that she had violated federal privacy laws in an attempt to protect her children. Bacor entered into a plea arrangement and pleaded guilty to one count of wrongfully obtaining individually identifiable information under false pretenses.

U.S. District Judge C.J. Williams said Bacor had “weaponized” her ex-boyfriend’s private medical information by sending it to others and sentenced her to 5 months’ probation and fined her $1,000. Bacor has also been prohibited from working in any job that requires her to have access to the private medical records of others.

The post Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation appeared first on HIPAA Journal.

May 2021 Healthcare Data Breach Report

Posted June 18, 2021 by HIPAA Journal

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67.

May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months.

Largest Healthcare Data Breaches Reported in April 2021

As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by other means.

The largest healthcare data breach of the month by some distance affected 20/20 Eye Care Network, a vision and hearing benefits administrator. The records of more than 3.25 million individuals were stored in an AWS S3 bucket that was accessed by an unauthorized individual. Data was downloaded by the attacker before being deleted. Another benefits administrator, SEIU 775 Benefits Group, also suffered a breach in which sensitive data was deleted. That breach involved the PHI of 140,000 individuals.

Over the past two months, several healthcare providers have announced they were affected by a ransomware attack on the third-party administration service provider CaptureRx. At least 26 healthcare providers are known to have had PHI exposed in that breach. This month, CaptureRx issued its own notification to the HSS which confirms the breach affected 1,656,569 individuals. This month, several healthcare organizations have reported they have been affected by a ransomware attack on another business associate, Netgain Technologies. The table below shows the extent to which ransomware has been used in attacks on the healthcare industry.

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Breach Cause	Business Associate Involvement
20/20 Eye Care Network, Inc	Business Associate	3,253,822	Hacking/IT Incident	Unsecured AWS S3 Bucket	Yes
NEC Networks, LLC d/b/a CaptureRx	Business Associate	1,656,569	Hacking/IT Incident	Ransomware attack	Yes
Orthopedic Associates of Dutchess County	Healthcare Provider	331,376	Hacking/IT Incident	Ransomware attack	No
Rehoboth McKinley Christian Health Care Services	Healthcare Provider	207,195	Hacking/IT Incident	Ransomware attack	No
Five Rivers Health Centers	Healthcare Provider	155,748	Hacking/IT Incident	Phishing attack	No
SEIU 775 Benefits Group	Business Associate	140,000	Hacking/IT Incident	Unspecified hacking incident	Yes
San Diego Family Care	Healthcare Provider	125,500	Hacking/IT Incident	Ransomware attack (Netgain Technologies)	Yes
Hoboken Radiology LLC	Healthcare Provider	80,000	Hacking/IT Incident	Hacked medical imaging server	No
CareSouth Carolina, Inc.	Healthcare Provider	76,035	Hacking/IT Incident	Ransomware attack (Netgain Technologies)	Yes
Arizona Asthma and Allergy Institute	Healthcare Provider	70,372	Hacking/IT Incident	Ransomware attack	No
New England Dermatology, P.C.	Healthcare Provider	58,106	Improper Disposal	Improper disposal of specimen bottles	No
Sturdy Memorial Hospital	Healthcare Provider	57,379	Hacking/IT Incident	Ransomware attack	No
LogicGate	Business Associate	47,035	Hacking/IT Incident	Unsecured AWS S3 Bucket	Yes
Lafourche Medical Group	Healthcare Provider	34,862	Hacking/IT Incident	Phishing attack	No
Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group	Healthcare Provider	34,203	Hacking/IT Incident	Ransomware attack	No
SAC Health Systems	Healthcare Provider	28,128	Hacking/IT Incident	Ransomware attack (Netgain Technologies)	Yes
Monadnock Community Hospital	Healthcare Provider	14,340	Hacking/IT Incident	Unspecified hacking incident	Yes
Community Access Unlimited	Business Associate	13,813	Hacking/IT Incident	Ransomware attack (Netgain Technologies)	Yes
Westwood Obstetrics and Gynecology	Healthcare Provider	12,931	Hacking/IT Incident	Unspecified hacking incident	Yes

Causes of May 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in May. Out of the 63 reported breaches, 47 (74.60%) were hacking/IT incidents. These incidents resulted in the exposure or theft of 6,432,367 healthcare records – 98.43% of all records breached in the month. The average breach size was 131,273 records and the median breach size was 4,250 records.

There were 9 reported unauthorized access/disclosure incidents involving the records of 17,834 individuals. The average breach size was 1,982 records and the median breach size was 1,562 records. There were 3 loss/theft incidents reported involving the 20,325 records and two incidents involving the improper disposal of protected health information affecting 64,604 individuals.

While phishing incidents have plagued the healthcare industry over the past few years, it is now network server incidents that dominate the breach reports. 41 of the month’s breaches involved compromised network servers, compared to just 9 incidents involving email.

May 2021 Healthcare Data Breaches by Covered Entity Type

47 healthcare providers reported data breaches in May 2021, although only 20 of those incidents were breaches directly involving the healthcare provider. 27 of those breaches were reported by the healthcare provider but occurred at a business associate.

7 data breaches were reported to the HHS’ Office for Civil Rights by business associates of HIPAA-covered entities, although in total, the business associate was present in 31 of the month’s breaches.

8 breaches affected health plans, 4 of which had some business associate involvement, and one breach was reported by a healthcare clearinghouse.

States Affected by Healthcare Data Breaches

Healthcare data breaches were reported by HIPAA-covered entities and business associates based in 32 U.S. states.

State	No. Reported Data Breaches
Texas	6
New York & Ohio	5
California, Illinois, West Virginia	4
Mississippi & Missouri	3
Florida, Maryland, Massachusetts, New Jersey, & Oklahoma	2
Arizona, Arkansas, Connecticut, Delaware, Georgia, Indiana, Louisiana, Maine, Minnesota, North Carolina, Nevada, New Hampshire, New Mexico, Pennsylvania, Rhode Island, South Carolina, Tennessee, Washington, and Wisconsin	1

HIPAA Enforcement in May 2021

There was one HIPAA enforcement action announced by the HHS’ Office for Civil Rights in May, bringing the total up to 8 for 2021. Most of the settlements announced so far in 2021 have resolved violations of the HIPAA Right of access; however, May’s settlement was for multiple violations of the HIPAA Security Rule.

Most financial penalties stem from an OCR investigation into a data breach or complaint from a patient. May’s financial penalty was atypical, as it was the result of a compliance investigation. OCR had investigated a data breach reported by the Department of Veteran Affairs involving its business associate Authentidate Holding Corporation (AHC).

That investigation was resolved without financial penalty; however, during the investigation OCR learned that AHC had entered into a reverse merger with Peachstate Health Management, LLC, a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR decided to conduct a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance and discovered multiple violations of the HIPAA Security Rule. OCR discovered potential violations related to risk assessments, risk management, audit controls, and a lack of documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000.

The post May 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Free Webinar Today 06/16/21: Social Media and HIPAA Compliance

Posted June 7, 2021 by HIPAA Journal

Social media platforms such as Facebook, Twitter, Snapchat, and Instagram make it easy for healthcare organizations to advertise their services and win new business. Healthcare providers can use social media sites to communicate with patients, provide updates on their services, and engage patients and get them to take a more active role in their healthcare.

While there are many benefits that can come from social media in healthcare, many healthcare organizations rightly see social media networks as minefield of HIPAA violations. This is not only true for the corporate accounts of healthcare providers, but also the personal social media accounts of their employees.

An employee communicating on social media after a particularly difficult day could easily divulge information that could violate patient privacy. There have been many cases of healthcare employees communicating on social media networks, including private Facebook groups, and sharing sensitive information about patients in violation of the HIPAA Rules.

Virtually all healthcare employees have smartphones, and it is common for them to have social media apps on their devices that make it possible to instantly communicate with large numbers of people. It is no surprise that privacy violations on social media networks are now occurring more frequently than ever before.

Social media networks can certainly be used effectively by healthcare organizations, but there are many misunderstandings about how these platforms can be used in a HIPAA compliant manner. It is naturally important to specifically cover the use of social media platforms in training sessions for healthcare employees to make it clear to employees how HIPAA applies to social media networks and what is and is not allowed. Without training for the workforce, HIPAA-covered entities will face a high risk of regulatory fines and lawsuits.

To make it easier for you to train your employees and teach them how they can use social media networks responsibly in their professional and personal lives, HIPAA Journal has teamed up with Compliancy Group for a webinar where attendees will be provided with invaluable advice on social media and HIPAA compliance.

At the webinar you will learn how your practice and employees can use social media networks ethically without violating the HIPAA Rules and patient privacy, as you will discover how you can protect your practice from HIPAA violations.

By the end of the webinar you will have instructions on how to create effective policies covering the use of personal and corporate-owned mobile phones and social media in the office. You will also be provided with real life examples of some of the HIPAA breaches that have occurred as a result of improper social media usage to help ensure similar mistakes are not made by your practice and employees.

Webinar Details:

Social Media & HIPAA Compliance: Simple Ways to Protect Your Business

Date: Wednesday June 16, 2021

Time: 2:00 pm ET / 11 am PT

The post Free Webinar Today 06/16/21: Social Media and HIPAA Compliance appeared first on HIPAA Journal.