HIPAA Compliance News

Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation

Posted by HIPAA Journal

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend.

Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties.

Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Bacor used her login credentials to access his medical records from October 2013 to September 2017 on multiple occasions between April and October 2017, when there was no legitimate work reason for doing so.

Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed.

Bacor took a photograph of a medical image that showed injuries sustained by her ex-boyfriend and sent the photo to a third party. The third party subsequently sent the image to other individuals via Facebook Messenger, including taunting language and emojis with the image. Bacor was also found to have stated in social media chats with another person that she was attempting to get primary custody of the two children she had with her ex-boyfriend.

After learning about the privacy breach, the ex-boyfriend filed a complaint with the hospital on October 4, 2017 alleging Bacor had accessed his medical records without authorization and provided the photo to the hospital. The hospital conducted an investigation into the privacy breach and confirmed Bacor had accessed his medical records on 10 occasions. Bacor was initially suspended, then fired for the HIPAA violation.

In August 2020, Bacor admitted to law enforcement officers that she had violated federal privacy laws in an attempt to protect her children. Bacor entered into a plea arrangement and pleaded guilty to one count of wrongfully obtaining individually identifiable information under false pretenses.

U.S. District Judge C.J. Williams said Bacor had “weaponized” her ex-boyfriend’s private medical information by sending it to others and sentenced her to 5 months’ probation and fined her $1,000. Bacor has also been prohibited from working in any job that requires her to have access to the private medical records of others.

The post Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation appeared first on HIPAA Journal.

May 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67.

U.S. Healthcare Data Breaches - Past 12 Months

May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months.

U.S. Healthcare Data Breaches - Records Breached in the Past 12 Months

Largest Healthcare Data Breaches Reported in April 2021

As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by other means.

The largest healthcare data breach of the month by some distance affected 20/20 Eye Care Network, a vision and hearing benefits administrator. The records of more than 3.25 million individuals were stored in an AWS S3 bucket that was accessed by an unauthorized individual. Data was downloaded by the attacker before being deleted. Another benefits administrator, SEIU 775 Benefits Group, also suffered a breach in which sensitive data was deleted. That breach involved the PHI of 140,000 individuals.

Over the past two months, several healthcare providers have announced they were affected by a ransomware attack on the third-party administration service provider CaptureRx. At least 26 healthcare providers are known to have had PHI exposed in that breach. This month, CaptureRx issued its own notification to the HSS which confirms the breach affected 1,656,569 individuals. This month, several healthcare organizations have reported they have been affected by a ransomware attack on another business associate, Netgain Technologies. The table below shows the extent to which ransomware has been used in attacks on the healthcare industry.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause Business Associate Involvement
20/20 Eye Care Network, Inc Business Associate 3,253,822 Hacking/IT Incident Unsecured AWS S3 Bucket Yes
NEC Networks, LLC d/b/a CaptureRx Business Associate 1,656,569 Hacking/IT Incident Ransomware attack Yes
Orthopedic Associates of Dutchess County Healthcare Provider 331,376 Hacking/IT Incident Ransomware attack No
Rehoboth McKinley Christian Health Care Services Healthcare Provider 207,195 Hacking/IT Incident Ransomware attack No
Five Rivers Health Centers Healthcare Provider 155,748 Hacking/IT Incident Phishing attack No
SEIU 775 Benefits Group Business Associate 140,000 Hacking/IT Incident Unspecified hacking incident Yes
San Diego Family Care Healthcare Provider 125,500 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Hoboken Radiology LLC Healthcare Provider 80,000 Hacking/IT Incident Hacked medical imaging server No
CareSouth Carolina, Inc. Healthcare Provider 76,035 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Arizona Asthma and Allergy Institute Healthcare Provider 70,372 Hacking/IT Incident Ransomware attack No
New England Dermatology, P.C. Healthcare Provider 58,106 Improper Disposal Improper disposal of specimen bottles No
Sturdy Memorial Hospital Healthcare Provider 57,379 Hacking/IT Incident Ransomware attack No
LogicGate Business Associate 47,035 Hacking/IT Incident Unsecured AWS S3 Bucket Yes
Lafourche Medical Group Healthcare Provider 34,862 Hacking/IT Incident Phishing attack No
Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group Healthcare Provider 34,203 Hacking/IT Incident Ransomware attack No
SAC Health Systems Healthcare Provider 28,128 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Monadnock Community Hospital Healthcare Provider 14,340 Hacking/IT Incident Unspecified hacking incident Yes
Community Access Unlimited Business Associate 13,813 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Westwood Obstetrics and Gynecology Healthcare Provider 12,931 Hacking/IT Incident Unspecified hacking incident Yes

Causes of May 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in May. Out of the 63 reported breaches, 47 (74.60%) were hacking/IT incidents. These incidents resulted in the exposure or theft of 6,432,367 healthcare records – 98.43% of all records breached in the month. The average breach size was 131,273 records and the median breach size was 4,250 records.

There were 9 reported unauthorized access/disclosure incidents involving the records of 17,834 individuals. The average breach size was 1,982 records and the median breach size was 1,562 records. There were 3 loss/theft incidents reported involving the 20,325 records and two incidents involving the improper disposal of protected health information affecting 64,604 individuals.

May 2021 U.S. Healthcare Data Breaches - Causes

While phishing incidents have plagued the healthcare industry over the past few years, it is now network server incidents that dominate the breach reports. 41 of the month’s breaches involved compromised network servers, compared to just 9 incidents involving email.

May 2021 U.S. Healthcare Data Breaches- location of breached PHI

May 2021 Healthcare Data Breaches by Covered Entity Type

47 healthcare providers reported data breaches in May 2021, although only 20 of those incidents were breaches directly involving the healthcare provider. 27 of those breaches were reported by the healthcare provider but occurred at a business associate.

7 data breaches were reported to the HHS’ Office for Civil Rights by business associates of HIPAA-covered entities, although in total, the business associate was present in 31 of the month’s breaches.

8 breaches affected health plans, 4 of which had some business associate involvement, and one breach was reported by a healthcare clearinghouse.

May 2021 healthcare data breaches by covered entity type

States Affected by Healthcare Data Breaches

Healthcare data breaches were reported by HIPAA-covered entities and business associates based in 32 U.S. states.

State No. Reported Data Breaches
Texas 6
New York & Ohio 5
California, Illinois, West Virginia 4
Mississippi & Missouri 3
Florida, Maryland, Massachusetts, New Jersey, & Oklahoma 2
Arizona, Arkansas, Connecticut, Delaware, Georgia, Indiana, Louisiana, Maine, Minnesota, North Carolina, Nevada, New Hampshire, New Mexico, Pennsylvania, Rhode Island, South Carolina, Tennessee, Washington, and Wisconsin 1

HIPAA Enforcement in May 2021

There was one HIPAA enforcement action announced by the HHS’ Office for Civil Rights in May, bringing the total up to 8 for 2021. Most of the settlements announced so far in 2021 have resolved violations of the HIPAA Right of access; however, May’s settlement was for multiple violations of the HIPAA Security Rule.

Most financial penalties stem from an OCR investigation into a data breach or complaint from a patient. May’s financial penalty was atypical, as it was the result of a compliance investigation. OCR had investigated a data breach reported by the Department of Veteran Affairs involving its business associate Authentidate Holding Corporation (AHC).

That investigation was resolved without financial penalty; however, during the investigation OCR learned that AHC had entered into a reverse merger with Peachstate Health Management, LLC, a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR decided to conduct a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance and discovered multiple violations of the HIPAA Security Rule. OCR discovered potential violations related to risk assessments, risk management, audit controls, and a lack of documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000.

The post May 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Free Webinar Today 06/16/21: Social Media and HIPAA Compliance

Posted by HIPAA Journal

Social media platforms such as Facebook, Twitter, Snapchat, and Instagram make it easy for healthcare organizations to advertise their services and win new business. Healthcare providers can use social media sites to communicate with patients, provide updates on their services, and engage patients and get them to take a more active role in their healthcare.

While there are many benefits that can come from social media in healthcare, many healthcare organizations rightly see social media networks as minefield of HIPAA violations. This is not only true for the corporate accounts of healthcare providers, but also the personal social media accounts of their employees.

An employee communicating on social media after a particularly difficult day could easily divulge information that could violate patient privacy. There have been many cases of healthcare employees communicating on social media networks, including private Facebook groups, and sharing sensitive information about patients in violation of the HIPAA Rules.

Virtually all healthcare employees have smartphones, and it is common for them to have social media apps on their devices that make it possible to instantly communicate with large numbers of people. It is no surprise that privacy violations on social media networks are now occurring more frequently than ever before.

Social media networks can certainly be used effectively by healthcare organizations, but there are many misunderstandings about how these platforms can be used in a HIPAA compliant manner. It is naturally important to specifically cover the use of social media platforms in training sessions for healthcare employees to make it clear to employees how HIPAA applies to social media networks and what is and is not allowed. Without training for the workforce, HIPAA-covered entities will face a high risk of regulatory fines and lawsuits.

To make it easier for you to train your employees and teach them how they can use social media networks responsibly in their professional and personal lives, HIPAA Journal has teamed up with Compliancy Group for a webinar where attendees will be provided with invaluable advice on social media and HIPAA compliance.

At the webinar you will learn how your practice and employees can use social media networks ethically without violating the HIPAA Rules and patient privacy, as you will discover how you can protect your practice from HIPAA violations.

By the end of the webinar you will have instructions on how to create effective policies covering the use of personal and corporate-owned mobile phones and social media in the office. You will also be provided with real life examples of some of the HIPAA breaches that have occurred as a result of improper social media usage to help ensure similar mistakes are not made by your practice and employees.

Webinar Details:

Social Media & HIPAA Compliance: Simple Ways to Protect Your Business

Date:     Wednesday June 16, 2021

Time:     2:00 pm ET / 11 am PT

[contact-form-7]

The post Free Webinar Today 06/16/21: Social Media and HIPAA Compliance appeared first on HIPAA Journal.

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has announced a settlement has been reached with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) that resolves a potential HIPAA Right of Access violation. This is the 8th financial penalty to be announced in 2021 to resolve violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative that was launched in the fall of 2019.

DELC is a West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint that alleged DELC had failed to respond to a request for a copy of protected health information in a timely manner. The HIPAA Privacy Rule requires a copy of an individual’s protected health information contained in a designated record set to be provided within 30 days of a request being received.

In this case, the complainant wanted a copy of her minor child’s protected health information and DELC had failed to provide those records within the allowed 30 days. OCR notified DELC on October 30, 2019 about the investigation into potential noncompliance with the HIPAA Right of Access (45 C.F.R. § 164.524) over the alleged refusal to provide the patient’s mother with the records she requested.

OCR determined the failure to provide the requested records was in violation of the HIPAA Right of Access. As a result of OCR’s investigation, DELC finally provided the child’s mother with a copy of the requested records in May 2021, almost two years after the initial request had been made.

In addition to the financial penalty of $5,000, DELC has agreed to a corrective action plan that includes reviewing and updating policies and procedures for providing individuals with access to PHI and privacy training for the workforce on individual access to PHI. DELC will be monitored by OCR for 2 years to ensure compliance with the Right of Access provisions of the HIPAA Privacy Rule.

“It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records,” said Acting OCR Director Robinsue Frohboese.  “Covered entities owe it to their patients to provide timely access to medical records.”

The post Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case appeared first on HIPAA Journal.

Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Peachstate Health Management, LLC, dba AEON Clinical Laboratories to result multiple violations of the HIPAA Security Rule.

Peachstate is a CLIA-certified laboratory that provides a range of services including clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR launched a compliance investigation on August 31, 2026 following a breach of unsecured protected health information reported by the U.S. Department of Veterans Affairs (VA) on January 7, 2015 involving its business associates, Authentidate Holding Corporation (AHC). The VA had contracted with AHC to manage the VA’s Telehealth Services Program. The aim of the OCR investigation was to assess whether the breach was the result of the failure to comply with the HIPAA Privacy and Security Rules.

During the course of the investigation, OCR learned that AHC had entered into a reverse merger with Peachstate on January 27, 2016 and had acquired Peachstate. OCR then conducted a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance. During that investigation OCR identified multiple potential violations of the HIPAA Security Rule.

Peachstate was discovered not to have conducted an accurate and thorough assessment to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A) and had failed to reduce risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Hardware, software, and procedural mechanisms had not been implemented to record and examine activity in information systems containing or using ePHI, in violation of 45 C.F. R. § 164.312(b). Policies and procedures had not been implemented to record actions, activities, and assessments demanded by 45 C.F. R. § 164.312(b), which was in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case and pay a $25,000 penalty and will implement an extensive corrective action plan to address all areas of noncompliance identified by OCR during the course of the investigation. Peachstate will be closely monitored by OCR for 3 years to ensure compliance.

“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”

The post Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000 appeared first on HIPAA Journal.

Is it a HIPAA Violation to Ask for Proof of Vaccine Status?

Posted by HIPAA Journal

There has been a lot of confusion about whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation, specifically in relation to employers asking their employees to provide proof of being vaccinated against COVID-19 to avoid wearing a face mask in the workplace.

The Health Insurance Portability and Accountability Act (HIPAA) includes provisions related to privacy and uses and disclosures of protected health information (PHI), which includes an individual’s vaccination status. The HIPAA Privacy Rule limits uses and disclosures of individuals’ PHI to those required for treatment, payment, or healthcare operations. Other uses and disclosures generally require consent to be provided by the individual in writing before their PHI can be used or disclosed. So how does HIPAA relate to requests for proof of vaccine status?

HIPAA and Proof of Vaccine Status

Vaccination information is classed as PHI and is covered by the HIPAA Rules; however, HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates. If an employer asks an employee to provide proof that they have been vaccinated in order to allow that individual to work without wearing a facemask, that is not a HIPAA violation as HIPAA does not apply to employers.

It would also not be a HIPAA violation for an employer to ask an employee’s healthcare provider for proof of vaccination. It would however be a HIPAA violation for the employee’s healthcare provider to disclose that information to their employer, unless the individual had provided authorization to do so.

Just as an employer can require all employees to wear a uniform in the workplace, an employer can have a policy that requires employees to wear a facemask during a pandemic to protect other members of the workforce and to refuse entry to the workplace if a mask is not worn.

Asking about vaccine status would not violate HIPAA but it is possible that other laws could be violated. For instance, requiring employees to disclose additional health information such as the reason why they are not vaccinated could potentially violate federal laws in some instances, although this would not be a HIPAA violation. It is also possible for states to introduce laws that prohibit employers from asking employees about their vaccine status.

On May 18, 2021, Rep. Marjorie Taylor Greene, (R-Ga) was asked by reporters whether she had been vaccinated, as she had refused to wear a mask on the House floor. In breach of House rules, several GOP members had refused to wear a mask, even though they had not been vaccinated. Greene told reporters that asking her about her vaccine status was a HIPAA violation, but this was not correct as reporters are not covered by HIPAA.

Disclosure of an Individual’s Vaccine Status by a Healthcare Provider

Healthcare providers can ask if a patient has been vaccinated as asking the question in no way violates HIPAA. It would be permitted for the healthcare provider to share vaccine status information with another covered entity or business associate, provided the disclosure was permitted under the HIPAA Privacy Rule – for treatment, payment, or healthcare operations – or if authorized to do so by a patient.

Authorizations would not be required when sharing vaccine status information for “public health activities.” For instance, a disclosure would be permitted to “a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events,” and also for “the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.”

The post Is it a HIPAA Violation to Ask for Proof of Vaccine Status? appeared first on HIPAA Journal.

Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes

Posted by HIPAA Journal

Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule.

There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks.

Another area of concern relates to personal health applications (PHA). The HHS has defined PHAs, but many groups and organizations have voiced concern about the privacy and security risks associated with sending protected health information (PHI) to these unregulated apps. PHAs fall outside the scope of HIPAA, so any PHI that a covered entity sends to a PHA at the request of a patient could result in a patient’s PHI being used in ways not intended by the patient. A patient’s PHI could also easily be accessed and used by third parties.

PHAs may not have robust privacy and security controls since compliance with the HIPAA Security Rule would not be required. There is no requirement for covered entities to enter into business associate agreements with PHA vendors, and secondary disclosures of PHI would not be restricted by the HIPAA Privacy Rule.

“Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records,” suggested the American Hospital Association in its feedback to the HHS.

The College of Healthcare Information Management Executives (CHIME) has voiced concerns about the proposal for covered entities to require PHAs to register before providing patient data, and how covered entities would be required to respond when a patient requested their health information to be sent to a PHA that does not have appropriate privacy and security protections. For instance, if a patient requested their PHI be sent to a PHA developed by nation state actor, whether providers would still be required to send PHI at the request of a patient. Concern has also been raised about the growing number of platforms that exchange PHI that fall outside the scope of HIPAA.

One of the proposed changes relates to improving patients’ access to their health data and shortening the time to provide that information from 30 to 15 days. The Association for Behavioral Health and Wellness (ABHW) and CHIME have both voiced concerns about the shortening of the timeframe for honoring patient requests for their healthcare data, as this will place a further administrative burden on healthcare providers, especially during the pandemic. CHIME said it may not be possible to provide PHI within this shortened time frame and doing so may well add costs to the healthcare system. CHIME has requested the HHS document when exceptions are allowed, such as in cases of legal disputes and custody cases. ABHW believes the time frame should not be changed and should remain as 30 days.

It is likely that if the final rule is issued this year, it will be necessary for organizations to ensure compliance during the pandemic, which could prove to be extremely challenging. ABHW has recommended delaying the proposed rule for an additional year to ease the burden on covered entities. CHIME has suggested the HHS should not issue a final rule based on the feedback received, but instead reissue the questions raised in the proposed rule as a request for information and to host a listening session to obtain more granular feedback and then enter into a dialogue about the proposed changes.

The post Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes appeared first on HIPAA Journal.

NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) is planning on revising and updating its guidance on implementing the HIPAA Security Rule and is seeking comment from stakeholders on aspects of the guidance that should be changed.

NIST published the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – in October 2008. During the past 13 years, cybersecurity has evolved and the threat landscape has changed considerably. NIST’s cybersecurity resources have also evolved during that time and an update to the guidance is now long overdue.

NIST will be updating the guidance to reference its new cybersecurity resources, will amplify awareness of non-NIST resources relevant to compliance with the HIPAA Security Rule, and will update its implementation guidance for HIPAA-covered entities and business associates.

Specifically, NIST has requested comment from stakeholders on their experiences applying and using the resource guide, including the parts of the guidance that have been helpful and those that have not, with the reasons why.

NIST wants to hear from covered entities and business associates that have used the guidance and have found key concepts to be missing, and for stakeholders who found the guidance not to be applicable to their organization to provide information on how it can be made more useful, relatable, and actionable to a wider range of audiences.

Covered entities and business associates have complied with the HIPAA Security Rule in a range of different ways. NIST is seeking information on any tools, resources, and techniques that have been adopted that have proven useful, and for covered entities that have enjoyed successes with their compliance programs to share information on how they manage compliance and security simultaneously, assess risks to ePHI, determine whether the security measures implemented are effective at safeguarding ePHI, and how they document demonstrating adequate implementation. NIST also wants to hear from any covered entity or business associate that has implemented recognized security practices that have diverged from compliance with the HIPAA Security Rule.

Stakeholders are invited to submit comment through June 15, 2021 for consideration ahead of the proposed update. Submitted comments will be considered and implemented as far as is practicable.

The post NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance appeared first on HIPAA Journal.

March 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 38.8% increase in reported healthcare data breaches in March. 62 breaches of 500 or more records reported to the HHS’ Office for Civil Rights, with hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates.

Healthcare data breaches in the past 12 months

The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches Reported in March 2021

The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Health Net Community Solutions Health Plan 686,556 Hacking/IT Incident Network Server
Health Net of California Health Plan 523,709 Hacking/IT Incident Network Server
Woodcreek Provider Services LLC Business Associate 207,000 Hacking/IT Incident Network Server
Trusted Health Plans, Inc. Health Plan 200,665 Hacking/IT Incident Network Server
Apple Valley Clinic Healthcare Provider 157,939 Hacking/IT Incident Network Server
Saint Alphonsus Health System Healthcare Provider 134,906 Hacking/IT Incident Email
The Centers for Advanced Orthopaedics Healthcare Provider 125,291 Hacking/IT Incident Email
Cancer Treatment Centers of America at Midwestern Regional Medical Center Healthcare Provider 104,808 Hacking/IT Incident Email
SalusCare Healthcare Provider 85,000 Hacking/IT Incident Email
California Health & Wellness Health Plan 80,138 Hacking/IT Incident Network Server
Mobile Anesthesiologists Healthcare Provider 65,403 Hacking/IT Incident Network Server
Trillium Community Health Plan Health Plan 50,000 Hacking/IT Incident Network Server
PeakTPA Business Associate 50,000 Hacking/IT Incident Network Server
Sandhills Medical Foundation, Inc. Healthcare Provider 39,602 Hacking/IT Incident Network Server
ProPath Services, LLC Healthcare Provider 39,213 Hacking/IT Incident Email
BioTel Heart Healthcare Provider 38,575 Hacking/IT Incident Network Server
Healthgrades Operating Company, Inc. Business Associate 35,485 Hacking/IT Incident Network Server
The New London Hospital Association, Inc. Healthcare Provider 34,878 Hacking/IT Incident Network Server
La Clinica de La Raza, Inc. (La Clinica) Healthcare Provider 31,132 Hacking/IT Incident Network Server
Arizona Complete Health Health Plan 27,390 Hacking/IT Incident Network Server
Health Net Life Insurance Company Health Plan 26,637 Hacking/IT Incident Network Server
Colorado Retina Associates, P.C. Healthcare Provider 26,609 Hacking/IT Incident Email
Haven Behavioral Healthcare Business Associate 21,714 Hacking/IT Incident Network Server
Health Prime International Business Associate 17,562 Hacking/IT Incident Network Server
CalViva Health Health Plan 15,287 Hacking/IT Incident Network Server

 

Causes of March 2021 Healthcare Data Breaches

43 breaches – 69.35% of the month’s total – were the result of hacking/IT incidents such as compromised network servers and email accounts. Hacking incidents accounted for 98.43% of all records breached in March – 2,867,472 records. The average breach size was 66,685 records and the median breach size was 26,609 records.  17 unauthorized access/disclosure incidents were reported in March (27.42% of breaches) and 44,395 records were breached in those incidents – 1.52% of the month’s total. The average breach size was 2,611 records and the median breach size was 1,594 records. There was one theft incident reported involving 500 healthcare records and one loss incident that affected 717 individuals.

causes of March 2021 healthcare data breaches

Many of the reported breaches occurred at business associates of HIPAA covered entities, with those breaches impacting multiple healthcare clients. Notable business associate data breaches include a cyberattack on Accellion that affected its file transfer appliance. Hackers exploited vulnerabilities in the appliance and stole client files. A ransom was demanded by the attackers and threats were issued to publish the stolen data if payment was not made. The two largest data breaches of the month were due to this incident.

Several healthcare organizations were affected by a ransomware attack on business associate Netgain Technology LLC, including the 3rd and 5th largest breaches reported in March. Med-Data suffered a breach that affected at least 5 covered entities. This incident involved an employee uploading files containing healthcare data to a public facing website (GitHub).

 

The most common location of breached protected health information was network servers, many of which were due to ransomware attacks or other malware infections. Email accounts were the second most common location of breached PHI, which were mostly accessed following responses to phishing emails.

March 2021 healthcare data breaches - location PHI

Covered Entities Reporting Data Breaches in March 2021

Healthcare providers were the worst affected covered entity with 40 reported breaches and 15 breaches were reported by health plans, with the latter increasing 200% from the previous month. While only 5 data breaches were reported by business associates of covered entities, 30 of the month’s breaches – 48.39% – involved business associates but were reported by the covered entity. That represents a 200% increase from February.

March 2021 healthcare data breaches - breached entity

Distribution of March 2021 Healthcare Data Breaches

There was a large geographical spread of data breaches, with covered entities and business associates in 30 states affected. California was the worst affected state with 11 data breaches reported. There were 5 breaches reported in Texas, 4 in Florida and Massachusetts, 3 in Illinois and Maryland, 2 in each of Arkansas, Arizona, Michigan, Minnesota, Missouri, Ohio, and Pennsylvania, and one breach was reported in each of Alabama, Colorado, Connecticut, Georgia, Idaho, Kansas, Louisiana, Montana, New Hampshire, Nevada, Oregon, South Carolina, Tennessee, Utah, Washington, Wisconsin, and West Virginia.

HIPAA Enforcement Activity in March 2021

The HHS’ Office for Civil Rights announced two further settlements to resolve HIPAA violations in March, both of which involved violations of the HIPAA Right of Access. These two settlements bring the total number of financial penalties under OCR’s HIPAA Right of Access enforcement initiative to 18.

Arbour Hospital settled its case with OCR and paid a $65,000 financial penalty and Village Plastic Surgery settled its case and paid OCR $30,000. Both cases arose from complaints from patients who had not been provided with timely access to their medical records.

The post March 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.