HIPAA Compliance News

Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months

Posted by HIPAA Journal

A Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA Rules has been fined $1,200 and sentenced to 6 months in jail.

In October 2019, Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower and alerted the authorities about serious privacy violations by a nurse at a Savannah, GA hospital, including emailing graphic pictures of traumatic injuries of hospital patients internally and externally.

According to court documents, Parker “engaged in an intricate scheme” to frame a former acquaintance for violations of the Federal Health Insurance Portability and Accountability Act’s Privacy Rule. To back up the fake claims, Parker created multiple email accounts in the names of real patients and used those accounts to send false accusations of privacy violations. Emails were sent to the hospital where the nurse worked, the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ).

Parker also alleged that he had been threatened for his actions as a whistleblower and law enforcement took steps to ensure his safety. When questioned about the threats and the HIPAA violations, an FBI agent identified irregularities in his story and upon further questioning, Parker admitted making fake accusations to frame the former acquaintance for fictional HIPAA violations.

“Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations,” said U.S. Attorney Bobby L. Christine, when Parker was charged. “This fake complaint caused a diversion of resources by federal investigators, as well as an unnecessary distraction for an important health care institution in our community.”

Parker pleaded guilty to one case of making false statements and potentially faced a 5-year jail term. He was sentenced to serve 6 months in jail by U.S. District Court Judge Lisa Godbey Wood.

“Many hours of investigation and resources were wasted determining that Parker’s whistleblower complaints were fake, meant to do harm to another citizen,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “Before he could do more damage, his elaborate scheme was uncovered by a perceptive agent and now he will serve time for his deliberate transgression.”

Parker is not eligible for parole and will serve the full term, followed by 3 years of supervised release.

The post Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months appeared first on HIPAA Journal.

January 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day.

January 2021 Healthcare Data Breaches

There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records.

January 2021 Healthcare Data Breaches - Records Exposed

Largest Healthcare Data Breaches Reported in January 2021

The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application for applications for insurance coverage. The company failed to apply patches for 7 years, which allowed unauthorized individuals to exploit the flaws and gain access to sensitive data.

Hendrick Health had a major data breach due to a ransomware attack; one of many reported by healthcare providers since September 2020 when ransomware actors stepped up their attacks on the healthcare sector. The County of Ramsey breach was also due to a ransomware attack at one of its technology vendors.

Email-based attacks such as business email compromise (BEC) and phishing attacks were common in January, and were the cause of 4 of the top ten breaches.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Florida Healthy Kids Corporation Health Plan* 3,500,000 Hacking/IT Incident:

Website and Web Application Hack

 Network Server
Hendrick Health Healthcare Provider 640,436 Hacking/IT Incident:

Ransomware

 Network Server
Roper St. Francis Healthcare Healthcare Provider 189,761 Hacking/IT Incident:

Phishing attack

 Email
Precision Spine Care Healthcare Provider 20,787 Hacking/IT Incident:

BEC attack

 Email
Walgreen Co. Healthcare Provider 16,089 Unauthorized Access/Disclosure:

Unknown

 Email
The Richards Group Business Associate 15,429 Hacking/IT Incident:

Phishing attack

 Email
Florida Hospital Physician Group Inc. Healthcare Provider 13,759 Hacking/IT Incident:

EHR System

 Electronic Medical Record
Managed Health Services Health Plan* 11,988 Unauthorized Access/Disclosure:

Unconfirmed

 Paper/Films
Bethesda Hospital Healthcare Provider 9,148 Unauthorized Access of EMR by employee Electronic Medical Record
County of Ramsey Healthcare Provider* 8,687 Hacking/IT Incident:

Ransomware

 Network Server

*Breach reported by covered entity but occurred at a business associate.

Causes of January 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to cause the majority of healthcare data breaches. January saw 20 hacking/IT incidents reported, which accounted for 62.5% of the month’s data breaches. The protected health information of 4,413,762 individuals was compromised or exposed in those breaches – 98.8% of all breached records in January. The average breach size was 220,688 records and the median breach size was 2,464 records.

There were 11 reported unauthorized access and disclosure incidents involving 50,996 records. The average breach size was 4,636 records and the median breach size was 1,680 records.

There was one reported incident involving the loss of an unencrypted laptop computer containing 2,340 records, but no theft or improper disposal incidents.

Causes of January 2021 Healthcare Data Breaches

As the bar chart below shows, email is the most common location of breached PHI, mostly due to the high number of phishing attacks. This was closely followed by network server incidents, which mostly involve malware or ransomware.

Location of PHI in January 2021 Healthcare Data Breaches

January 2021 Healthcare Data Breaches by Entity Type

Healthcare providers were the worst affected covered entity type with 23 reported data breaches followed by health plans with 6 reported breaches. Three data breaches were reported by business associates of HIPAA covered entities, although a further 7 occurred at business associates but were reported by the covered entity, including the largest data breach of the month.

The number of breaches reported by business associates have been increasing in recent months. These incidents often involve multiple covered entities, such as the data breach at Blackbaud in 2020 which resulted involved the data of more than 10 million individuals across around four dozen healthcare organizations. A study by CI Security found 75% of all breached healthcare records in the second half of 2020 were due to data breaches at business associates.

January 2021 healthcare data breaches by covered entity type

Where Did the Data Breaches Occur?

January’s 32 data breaches were spread across 18 states, with Florida the worst affected with 6 reported breaches. There were 3 breaches reported by entities in Texas and Wyoming, and 2 reported in each of Louisiana, Massachusetts, and Minnesota.

Illinois, Indiana, Maryland, Missouri, Nevada, North Carolina, Ohio, Pennsylvania, South Carolina, Vermont, Virginia, and Washington each had 1 breach reported.

HIPAA Enforcement Activity in January 2021

2020 was a record year for HIPAA enforcement actions with 19 settlements reached to resolve HIPAA cases, and the enforcement actions continued in January with two settlements reached with HIPAA covered entities to resolve violations of the HIPAA Rules.

Excellus Health Plan settled a HIPAA compliance investigation that was initiated following a report of a breach of 9,358,891 records in 2015. OCR investigators identified multiple potential violations of the HIPAA Rules, including a risk analysis failure, risk management failure, lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. Excellus Health Plan settled the case with no admission of liability and paid a $5,100,000 financial penalty.

OCR continued with its crackdown of noncompliance with the HIPAA Right of Access with a $200,000 financial penalty for Banner Health. OCR found two Banner Health affiliated covered entities had failed to provide a patient with timely access to medical records, with both patients having to wait several months to receive their requested records.

The post January 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

HHS Secretary Announces Limited HIPAA Waiver in Texas Due to the Winter Storm

Posted by HIPAA Journal

Following President Joseph R. Biden’s declaration of an emergency in the State of Texas, Norris Cochran, Acting Secretary of the Department of Health and Human Services, declared a public health emergency due to the consequences of the winter storm in the state of Texas.

Pursuant to Section 1135(b)(7) of the Social Security Act, the HHS Secretary announced a limited waiver of sanctions and penalties arising from noncompliance with certain provisions of the HIPAA Privacy Rule.

For the period of the waiver, sanctions and penalties will not be imposed for noncompliance with the following HIPAA Privacy Rule requirements:

  • The requirement to obtain a patient’s agreement to speak with family members of friends – 45 C.F.R. § 164.510(a);
  • The requirement to honor a patient’s request to opt out of the facility directory – 45 C.F.R. § 164.510(b);
  • The requirement to distribute a notice of privacy practices – 45 C.F.R. § 164.520;
  • The patient’s right to request privacy restrictions – 45 C.F.R. § 164.522(a);
  • The patient’s right to request confidential communications – 45 C.F.R. § 164.522(b).

The waiver will become effective on February 19, 2021 and will be retroactive to February 11, 2021.

The waiver only covers hospitals in the geographic areas covered by the public health emergency, and only for hospitals that implemented their disaster protocols during the time that the waiver is in effect. The waiver lasts for up to 72 hours from the time a hospital implements its disaster protocol.

When either the Presidential or Secretarial declaration terminates, hospitals must then comply with the above requirements of the HIPAA Privacy Rule or face sanctions and penalties. That applies to patients still under the care of the hospital, even if the 72-hour time period has not elapsed.

Further information on the HIPAA waiver and HIPAA Privacy and Disclosures in Emergency situations can be found in the HHS HIPAA Bulletin – https://www.hhs.gov/sites/default/files/2021-texas-winter-storm-hipaa-bulletin.pdf

The post HHS Secretary Announces Limited HIPAA Waiver in Texas Due to the Winter Storm appeared first on HIPAA Journal.

Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

OCR received a complaint from a patient on June 11, 2019 that alleged Sharp Healthcare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule.

The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019.

The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been provided. The complainant finally received the requested records on October 15, 2019, more than 6 months after the record request was initially made.

OCR determined the long delay in providing the requested records was in violation of 45 C.F.R. § 164.524 and the HIPAA violation warranted a financial penalty. Had the records been provided in a timely manner after receiving technical assistance, a financial penalty could have been avoided.

In addition to paying the $70,000 penalty, Sharp HealthCare has agreed to adopt a corrective action plan and will be monitored closely for compliance by OCR for 2 years. The corrective action plan requires Sharp HealthCare to develop, maintain, and revise, as necessary, policies and procedures covering patient requests for access to their medical records and training must be provided to the workforce on individuals’ right to access their own PHI.

In an announcement about the latest settlement, Acting OCR Director Robinsue Frohboese said, “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.”

The post Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation appeared first on HIPAA Journal.

Renown Health Pays $75,000 to Settle HIPAA Right of Access Case

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing to crackdown on noncompliance with the HIPAA Right of Access. This week, OCR announced its fifteenth settlement to resolve a HIPAA Right of Access enforcement action.

Renown Health, a not-for-profit healthcare network in Northern Nevada, agreed to settle its HIPAA case with OCR to resolve potential violations of the HIPAA Right of Access and has agreed to pay a financial penalty of $75,000.

OCR launched an investigation after receiving a complaint from a Renown Health patient who had not been provided with an electronic copy of her protected health information. In January 2019, the patient submitted a request to Renown Health and asked for her medical and billing records to be sent to her attorney. After waiting more than a month for the records to be provided, the patient filed a complaint with OCR. It took Renown Health until December 27, 2019 to provide the requested records, almost a year after the initial request was made.

The HIPAA Privacy Rule (45 C.F.R. § 164.524) requires medical records to be provided to individuals within 30 days of a request being made. OCR determined that the delay in providing the requested records was in violation of this Privacy Rule provision.

In addition to paying the financial penalty, Renown Health has agreed to adopt a corrective action plan that requires written policies and procedures to be developed, maintained, and revised, as necessary, covering the HIPAA Right of Access. Training must be provided to the workforce on the policies and procedures, and a sanctions policy must be implemented and applied when workforce members fail to comply with the policies and procedures. OCR will monitor Renown Health for compliance with the HIPAA Right of Access for 2 years.

“Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” said Acting OCR Director Robinsue Frohboese.

The settlement is the third to be announced by OCR in 2021 and follows a $200,000 settlement with Banner Health for similar HIPAA Right of Access violations and a $5,100,000 settlement with Excellus Health Plan to resolve multiple HIPAA violations that contributed to a 2015 data breach of 9,358,891 records.

The post Renown Health Pays $75,000 to Settle HIPAA Right of Access Case appeared first on HIPAA Journal.

Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS

Posted by HIPAA Journal

The Biden administration has appointed Micky Tripathi as the National Coordinator for Health IT at the Department of Health and Human Services’ Office.

Tripathi will head the Office of the National Coordinator for Health IT, which is tasked with coordinating efforts to implement advanced health information technology to ensure the secure exchange of health information. The ONC is currently overseeing efforts to provide Americans with easy access to their health records through their smartphones and is implementing 21st Century Cures Act provisions that promote health IT interoperability and prohibit information blocking.

Tripathi has a wealth of experience in secure health information exchange and is aware of the current interoperability issues in the healthcare industry. Prior to joining the ONC, Tripathi was most recently the chief alliance officer at the healthcare analytics and software company Arcadia, where he was responsible for developing partnerships to enhance healthcare with advanced IT technology.

Tripathi has also served as manager of the strategy and management consulting firm Boston Consulting Group (BCG), CEO of the Massachusetts eHealth Collaborative, was the founding president and CEO of the Indiana Health information Exchange, and has served on the boards of the HL7 FHIR Foundation, Datica, Sequoia Project, CommonWell Health Alliance, and the CARIN Alliance.

“I can personally attest to Micky’s industry-wide leadership on healthcare interoperability and to his vision for the value that shared, timely, and accurate data provides for improving healthcare delivery and reducing costs. No one is better suited for this absolutely critical mission,” said Sean Carroll, CEO, Arcadia.

Tripathi replaces former President Trump appointment Donald Rucker, M.D., who held the position for the previous 4 years.

The HHS has also confirmed that Robinsue Frohboese has taken on the role of Acting Director of the HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance. Frohboese previously served as principal deputy director of OCR and takes over from acting director March Bell, who replaced the former OCR Director Roger Severino on January 15, 2020.

Frohboese has played a key role in many civil rights initiatives and OCR’s implementation of the HIPAA Privacy Rule.

Prior to taking on the role of principal deputy at OCR, Frohboese worked for 17 years in the Special Litigation Section of the Civil Rights Division of the U.S. Department of Justice, first as Senior Trial Attorney and subsequently as Deputy Chief.

The post Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS appeared first on HIPAA Journal.

HIPAA Enforcement by State Attorneys General

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Rules of the Health Insurance Portability and Accountability Act (HIPAA).

The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and they can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and for delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000.

State attorneys general HIPAA cases were relatively rare occurrences, with only 11 settlements reached with HIPAA-covered entities and business associates to resolve HIPAA violations between 2010 and 2015. HIPAA enforcement by state attorneys general was stepped up in 2017 with 5 settlements and again in 2018 when 12 cases resulted in financial penalties for violations of the HIPAA Rules.

In 2019 and 2020, a total of just 5 cases resulted in financial penalties, although those penalties were sizeable, with four of the five cases being multistate actions against HIPAA-covered entities and business associates where several state attorneys general participated in the actions. These multistate actions allow state attorneys general to pool their resources and investigate potential violations of HIPAA and state laws more efficiently.

2023 was a busy year in terms of enforcement, with 16 enforcement actions to resolve violations of the HIPAA Rules and state consumer protection and breach notification laws. Cases were resolved by the Attorneys General in California, Colorado, Indiana, New York, Ohio, and Pennsylvania and there were three multistate investigations resolved, including a 49-state action against Blackbaud, a 32-stat action against Personal Touch Home Care, and a 4-state action against EyeMed Vision Care. The case against Blackbaud over its 5.5 million-record breach resulted in a penalty of $49.5 million.

When civil actions are brought against covered entities or business associates by state Attorneys General, they are separate from any Office for Civil Rights actions which may also choose to investigate and impose its own fins and penalties. Several data breaches have resulted in settlements being reached at both the federal and state level. Community Health Systems/CHSPSC, Anthem Inc., Premera Blue Cross, Aetna, Cottage Health System, University of Rochester Medical Center, and Medical Informatics Engineering have all settled cases with OCR and separate cases with state attorneys general to resolve potential HIPAA violations.

In many of the state AG enforcement actions below, the financial penalties resolve violations of federal (HIPAA) and/or state laws. Over the years there have been several cases where HIPAA Rules have been violated, but the decision was taken to bring actions for violations of the equivalent provisions in state laws. The cases detailed below include cases where the HIPAA Rules have been violated, but action has been taken for the violation of state laws.

HIPAA Enforcement by State Attorneys General in 2024

Year State Entity Amount Individuals Affected Reason for Investigation Findings
2024 New York Refuah Health Center $450,000 and invest $1.2 million in cybersecurity 260,740 May 2021 ransomware attack Multiple violations of the HIPAA Security Rule, a violation of the HIPAA Breach Notification Rule, and violations of New York Business Law.

HIPAA Enforcement by State Attorneys General in 2023

State attorneys general have imposed three financial penalties for HIPAA violations or equivalent violations of state laws.

Year State Entity Amount Individuals Affected Reason for Investigation Findings
2023 New York New York Presbyterian Hospital $300,000 54,396 Use of pixels and other tracking tools on website Violation of the HIPAA Privacy Rule and New York Executive Law for impermissibly disclosing PHI to third parties.
2023 New York Healthplex $400,000 89,955 (62,922 in New York) Phishing attack Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments)
2023 Indiana CarePointe ENT $120,000 48,742 Ransomware attack and data breach Failure to address known vulnerabilities, business associate agreement failure, violations of the Indiana Disclosure of Security Breach Act and Indiana Deceptive Consumer Sales Act
2023 New York U.S. Radiology Specialists Inc. $450,000 198,260, including 92,540 New York residents Cyberattack and data breach Failure to upgrade hardware in a reasonable time frame to address a known vulnerability.
2023 New York Personal Touch Holding Corp $350,000 753,107 Ransomware attack Only had an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training.
2023 Multistate (32 states and PR) Inmediata $1.4 million 1,565,338 Unsecured server exposed PHI online, breach notifications Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state breach notification laws
2023 Multistate (49 states and DC) Blackbaud $49.5 million 5,500,000 Ransomware attack Violations of the HIPAA Rules regarding safeguards and breach response, and violations of state consumer data protection laws
2023 Colorado Broomfield Skilled Nursing and Rehabilitation Center $60,000 ($25,000 suspended if full compliance with corrective measures) 677 individuals 2 compromised email accounts Violations of the HIPAA Security Rule, state data protection laws, including the Colorado Consumer Protection Act (CCPA)
2023 Indiana Schneck Medical Center $250,000 89,707 individuals Ransomware attack and data breach Violations of the HIPAA Privacy, Security, and Breach Notification Rules. Violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act
2023 California Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals $49,000,000 7,700 individuals Improper disposal of hazardous waste, medical waste, and protected health information Violations of HIPAA, California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, and Unfair Competition Law.
2023 California Kaiser Permanente $450,000 up to 167,095 individuals Mailing error and PHI disclosure California Confidentiality of Medical Information Act (CMIA) violations – impermissible disclosure of PHI and negligent maintenance or disposal of PHI
2023 New York Practicefirst Medical Management Solutions (Professional Business Systems Inc.) $550,000 1.2 million Ransomware attack and data breach Failure to patch a critical firewall vulnerability for 22 months. No penetration testing or vulnerability scanning, and a lack of encryption for sensitive health data.
2023 Multi-state: Oregon, New Jersey, Florida & Pennsylvania EyeMed Vision Care $2,500,000 2.1 million Ransomware attack and data breach Insufficient password complexity requirements, insufficient locking of accounts after failed password attempts, no multifactor authentication on a browser-accessible email account containing large amounts of PHI, inadequate logging and monitoring of email accounts, and storing unnecessary amounts of PHI in email accounts.
2023 New York Heidell, Pittoni, Murphy & Bach LLP $200,000 61,438 Ransomware attack and data breach Violation of 17 provisions of the HIPAA Privacy and Security Rules
2023 Pennsylvania DNA Diagnostics Center $200,000 33,000 Stolen database containing 2.1 million records Lack of safeguards, failure to update asset inventory, failure to remove assets not used for business purposes.
2023 Ohio DNA Diagnostics Center $200,000 12,600 Stolen database containing 2.1 million records Lack of safeguards, failure to update asset inventory, failure to remove assets not used for business purposes.

This article will be updated as and when new fines, settlements, and other resolutions are announced to resolve violations of HIPAA and state laws.

HIPAA Enforcement by State Attorneys General in 2022

Year State Entity Amount Individuals Affected Reason for Investigation Findings
2022 Oregon and Utah Avalon Healthcare $200,000 14,500 10 Month delay in notifying individuals about a phishing attack and data breach The investigation determined the 10-month delay violated HIPAA (60-day reporting deadline) and Oregon law (45-day reporting deadline), email security practices were found to be insufficient, with the settlement including several data security requirements including the appointment of an individual responsible for developing, implementing, and maintaining a comprehensive data security program to ensure compliance with Consumer Protection Laws and HIPAA, including email filtering, security awareness training, and multifactor authentication.
2022 Aveanna Healthcare Massachusetts $425,000 166,000 Phishing attack and data breach The Massachusetts Attorney General determined there was a lack of appropriate safeguards to prevent phishing attacks, such as multifactor authentication and security awareness training for its workforce. The security measures implemented did not meet the minimum level for compliance with the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts or the HIPAA Security Rule.
2022 New York EyeMed Vision Care $600,000 2.1 million Phishing attack and data breach Insufficient password complexity requirements, insufficient locking of accounts after failed password attempts, no multifactor authentication on a browser-accessible email account containing large amounts of PHI, inadequate logging and monitoring of email accounts, and storing unnecessary amounts of PHI in email accounts.

HIPAA Enforcement by State Attorneys General in 2021

New Jersey was particularly active in HIPAA enforcement in 2021 and was the only state to initiate its own investigations and issue financial penalties to resolve HIPAA violations in 2021. New Jersey also participated in a joint investigation into the data breach at American Medical Collection Agency (AMCA) – One of the largest ever breaches of healthcare data. The AMCA HIPAA case saw a $21 million financial penalty imposed; however, due to the huge costs incurred as a result of the breach, AMCA filed for bankruptcy protection. Due to the financial position of the company, the financial penalty was suspended and will only need to be paid if AMCA defaults on the terms of the settlement agreement.

Year State Entity Amount Individuals Affected Reason for Investigation Findings
2021 New Jersey Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) $425,000 105,000 Phishing attack and data breach Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program.
2021 New Jersey Command Marketing Innovations, LLC and Strategic Content Imaging LLC $130,000 (Plus $65,000 suspended) 55,715 Printing and mismailing incident Failure to ensure the confidentiality of PHI, lack of PHI safeguards, failure to review security measures following changes to procedures
2021 New Jersey Diamond Institute for Infertility and Menopause $495,000 14,663 Hacking incident and data breach Multiple Privacy Rule and Security Rule failures, and violations of the Consumer Fraud Act
2021 Multi-state (41 state attorneys general) American Medical Collection Agency $21 million (suspended) 21 million Hacking incident and data breach Security failures including failure to detect a data breach

HIPAA Enforcement by State Attorneys General in 2020

Year State Entity Amount Individuals affected Reason for Investigation Findings
2020 Multistate (28 states) Community Health Systems / CHSPSC LLC $5,000,000 6.1 million Hacked by Chinese APT group Failure to implement and maintain reasonable security practices
2020 Multistate (43 states) Anthem Inc $39.5 million 78.8 million Phishing attack and major data breach Multiple violations of HIPAA and state laws
2020 California Anthem Inc $8.7 million 78.8 million Phishing attack and major data breach Multiple violations of HIPAA and state laws

HIPAA Enforcement by State Attorneys General in 2019

Year State Entity Amount Individuals affected Reason for Investigation Findings
2019 Multistate (30 states) Premera Blue Cross $10,000,000 10.4 million Hacking incident and major data breach Multiple violations of HIPAA and state laws
2019 Multistate (16 states) Medical Informatics Engineering $900,000 3.5 million Breach of NoMoreClipboard data Multiple violations of HIPAA and state laws
2019 California Aetna $935,000 1,991 2 mailings exposed PHI (Afib, HIV) Impermissible disclosure of sensitive health information

HIPAA Enforcement by State Attorneys General in 2018

Year State Entity Amount Individuals affected Reason for Investigation Findings
2018 Massachusetts McLean Hospital $75,000 1,500 Loss of backup tapes Insufficient risk assessment, failure to encrypt data, delayed breach notifications
2018 New Jersey EmblemHealth $100,000 6,443 (81,000) Mailing error exposed SSNs Impermissible disclosure of PHI, lack of staff training
2018 New Jersey Best Transcription Medical $200,000 1,650 Exposure of ePHI in Internet Risk assessment and risk management failure, breach notification failure
2018 Multistate (CT, NJ, DC) Aetna 640170.59 13,160 2 mailings exposed PHI (Afib, HIV) Impermissible disclosure of sensitive health information
2018 Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Multiple data breaches Failure to secure ePHI
2018 New York Arc of Erie County $200,000 3,751 Exposure of ePHI on the Internet Failure to secure ePHI
2018 New Jersey Virtua Medical Group $417,816 1,654 Exposure of ePHI on the Internet Multiple violations of the HIPAA Rules
2018 New York EmblemHealth $575,000 81,122 Mailing error exposed SSNs Impermissible disclosure of PHI, lack of staff training
2018 New York Aetna $1,150,000 12,000 2 mailings exposed PHI (Afib, HIV) Impermissible disclosure of sensitive health information

HIPAA Enforcement by State Attorneys General in 2017

Year State Entity Amount Individuals affected Reason for Investigation Findings
2017 California Cottage Health System $2,000,000 More than 54,000 Exposure of PHI on the Internet Failure to safeguard personal information
2017 Massachusetts Multi-State Billing Services $100,000 2,600 Theft of unencrypted laptop computer Failure to safeguard personal information
2017 New Jersey Horizon Healthcare Services Inc $1,100,000 3.7 million Theft of 2 unencrypted laptop computers Failure to safeguard personal information
2017 Vermont SAManage USA, Inc. $264,000 660 Exposure of PHI on the Internet Failure to secure ePHI, breach notification failure
2017 New York CoPilot Provider Support Services, Inc $130,000 221,178 Delayed breach notification Violation of breach notification requirements

HIPAA Enforcement by State Attorneys General (2010-2016)

Year State Entity Amount Individuals affected Reason for Investigation Findings
2015 New York University of Rochester Medical Center $15,000 3,403 List of patients provided to nurse who took it to a new employer Impermissible disclosure of ePHI
2015 Connecticut Hartford Hospital/ EMC Corporation $90,000 8,883 Theft of unencrypted laptop containing PHI Lack of Business Associate Agreement, failure to encrypt ePHI
2014 Massachusetts Women & Infants Hospital of Rhode Island $150,000 12,000 Loss of backup tapes containing PHI Failure to safeguard ePHI, lack of staff training
2014 Massachusetts Boston Children’s Hospital $40,000 2,159 Loss of laptop containing PHI Failure to encrypt ePHI
2014 Massachusetts Beth Israel Deaconess Medical Center $100,000 3,796 Loss of laptop containing PHI Failure to encrypt ePHI
2013 Massachusetts Goldthwait Associates $140,000 67,000 Mishandling of PHI Improper disposal of PHI
2012 Minnesota Accretive Health $2,500,000 24,000 Mishandling of PHI Failure to safeguard PHI
2012 Massachusetts South Shore Hospital $750,000 800,000 Loss of backup tapes containing PHI Failure to safeguard PHI
2011 Vermont Health Net Inc. $55,000 1,500,000 Loss of unencrypted hard drive/delayed breach notifications Failure to safeguard PHI, violation of breach notification requirements
2011 Indiana WellPoint Inc. $100,000 32,000 Failure to report breach in a reasonable timeframe Violation of breach notification requirements
2010 Connecticut Health Net Inc. $250,000 1,500,000 Loss of unencrypted hard drive Failure to safeguard PHI, violation of breach notification requirements

The post HIPAA Enforcement by State Attorneys General appeared first on HIPAA Journal.

OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced it will be exercising enforcement discretion and will not impose financial penalties on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID-19 vaccinations.

The notice of enforcement discretion applies to the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The notification is effectively immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 nationwide public health emergency.

A WBSA is a non-public facing online or web-based application that allows individual appointments to be scheduled in connection with large scale COVID-19 vaccination. The purpose of a WBSA is to allow covered healthcare providers to rapidly schedule large numbers of appointments for COVID-19 vaccinations.

A WBSA, and the data created, received, maintained, or transmitted by the WBSA, should only be accessible to the intended parties, such as the healthcare provider or pharmacy providing the vaccinations, an authorized person scheduling appointments, or a WBSA workforce member that requires access to the solution and/or data for providing technical support.

The notice of enforcement discretion does not apply to an appointment scheduling application that connects directly to electronic health record (EHR) systems.

A WBSA may not meet all requirements of the HIPAA Rules and would therefore not be permitted for use in connection with electronic protected health information (ePHI) under normal circumstances. It is also possible that the vendor of a WBSA may not be aware that their solution is being used by healthcare providers in connection with ePHI, which would see the vendor classified as a business associate under HIPAA.

While the notice of enforcement discretion is in effect, OCR will not impose penalties against HIPAA covered entities, their business associates, and WBSA vendors that meet the definition of business associate under the HIPAA Rules for good faith uses of WBSAs for scheduling COVID-19 vaccination appointments.

While penalties will not be imposed, OCR encourages the use of reasonable safeguards to protect the privacy of individuals and the security of ePHI. That means the ePHI collected and entered into the WBSA should be limited to the minimum necessary information, encryption technology should be used if available, and all privacy settings should be enabled. That includes adjusting the calendar display to hide names or only show initials. If a vendor stores ePHI, the storage should only be temporary and ePHI should be destroyed no later than 30 days after the appointment. The WBSA vendor should be instructed not to disclose any ePHI in a manner inconsistent with the HIPAA Rules.

These reasonable safeguards are encouraged by OCR. “Failure to implement the recommended reasonable safeguards above will not, in itself, cause OCR to determine that a covered health care provider or its business associate failed to act in good faith for purposes of this Notification,” explained OCR in the notification.

Bad faith uses are not covered by the notification include:

  1. Use of a WBSA where the vendor prohibits its use for scheduling healthcare services.
  2. Using the WBSA for scheduling appointments other than COVID-19 vaccinations.
  3. Using a solution that does not have access controls to limit access to ePHI to authorized individuals.
  4. Screening individuals for COVID-19 prior to in-person healthcare visits.
  5. Use of public-facing WBSAs.

“OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible,” said March Bell, Acting OCR Director.

The post OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments appeared first on HIPAA Journal.

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

Posted by HIPAA Journal

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website.

In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year.

More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010.

Key Takeaways

  • 25% year-over-year increase in healthcare data breaches.
  • Healthcare data breaches have doubled since 2014.
  • 642 healthcare data breaches of 500 or more records were reported in 2020.
  • 76 data breaches of 500 or more healthcare records were reported each day in 2020.
  • 2020 saw more than 29 million healthcare records breached.
  • One breach involved more than 10 million records and 63 saw more than 100K records breached.
  • Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records.
  • 3,705 data breaches of 500 or more records have been reported since October 2009.
  • 78 million healthcare records have been breached since October 2009.

U.S. Healthcare Data Breaches 2009 to 2020

2020 was the third worst year in terms of the number of breached healthcare records, with 29,298,012 records reported as having been exposed or impermissibly disclosed in 2020. While that is an alarming number of records, it is 29.71% fewer than in 2019. 266.78 million healthcare records have been breached since October 2009 across 3,705 reported data breaches of 500 or more records.

U.S. Healthcare data breaches - exposed records 2009-2020

The Largest Healthcare Data Breaches in 2020

The largest healthcare data breach of 2020 was a ransomware attack on the cloud service provider Blackbaud Inc. The actual number of records exposed and obtained by the hackers has not been made public, but more than 100 of Blackbaud’s healthcare clients were affected and more than 10 million records are known to have been compromised. The breach does not appear on the OCR breach portal, as each entity affected has reported the breach separately.

Prior to deploying ransomware, the hackers stole the fundraising and donor databases of many of its clients which included information such as names, contact information, dates of birth, and some clinical information. Victims included Trinity Health (3.3 million records), Inova Health System (1 million records), and Northern Light Health Foundation (657,392 records).

The Florida-based business associate MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, experienced the largest phishing attack of the year. Hackers gained access to its Office 365 environment and potentially obtained the ePHI of 1,670 individuals, including Social Security numbers, driver’s license numbers, and health insurance and financial information.

Magellan Health’s million-record data breach also started with a phishing email but and ended with ransomware being deployed. The breach affected several of its affiliated entities and potentially saw patient information stolen.

Dental Care Alliance, a dental support organization with more than 320 affiliated dental practices across 20 states, had its systems hacked and the dental records of more than 1 million individuals were potentially stolen.

63 security incidents were reported in 2020 by HIPAA-covered entities and business associates that involved 100,000 or more healthcare records.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Trinity Health Business Associate 3,320,726 Hacking/IT Incident
MEDNAX Services, Inc. Business Associate 1,290,670 Hacking/IT Incident
Inova Health System Healthcare Provider 1,045,270 Hacking/IT Incident
Magellan Health Inc. Health Plan 1,013,956 Hacking/IT Incident
Dental Care Alliance, LLC Business Associate 1,004,304 Hacking/IT Incident
Luxottica of America Inc. Business Associate 829,454 Hacking/IT Incident
Northern Light Health Business Associate 657,392 Hacking/IT Incident
Health Share of Oregon Health Plan 654,362 Theft
Florida Orthopaedic Institute Healthcare Provider 640,000 Hacking/IT Incident
Elkhart Emergency Physicians, Inc. Healthcare Provider 550,000 Improper Disposal
Aetna ACE Health Plan 484,157 Hacking/IT Incident
Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident
NorthShore University HealthSystem Healthcare Provider 348,746 Hacking/IT Incident
SCL Health – Colorado Healthcare Provider 343,493 Hacking/IT Incident
AdventHealth Healthcare Provider 315,811 Hacking/IT Incident
Nuvance Health Healthcare Provider 314,829 Hacking/IT Incident
Magellan Rx Management Business Associate 314,704 Hacking/IT Incident
The Baton Rouge Clinic Healthcare Provider 308,169 Hacking/IT Incident
Allegheny Health Network Healthcare Provider 299,507 Hacking/IT Incident
Northeast Radiology Healthcare Provider 298,532 Hacking/IT Incident

Main Causes of 2020 Healthcare Data Breaches

Hacking and other IT incidents dominated the healthcare data breach reports in 2020. 429 hacking/IT-related data breaches were reported in 2020, which account for 66.82% of all reported breaches and 91.99% of all breached records. These incidents include exploitation of vulnerabilities and phishing, malware, and ransomware attacks, with the latter having increased considerably in recent months.

causes of 2020 healthcare data breaches

A recent report from Check Point revealed there was a 71% increase in ransomware attacks on healthcare providers in October, and a further 45% increase in healthcare cyberattacks in the last two months of 2020. Some of the year’s largest and most damaging breaches to affect the healthcare industry in 2020 involved ransomware. In many cases, systems were taken out of action for weeks and patient services were affected. Ryuk, Sodinokibi (REvil), Conti, and Egregor ransomware have been the main culprits, with the healthcare industry heavily targeted during the pandemic.

Unauthorized access/disclosure incidents accounted for 22.27% of the year’s breaches and 2.69% of breached records. These incidents include the accessing of healthcare records my malicious insiders, snooping on medical records by healthcare workers, accidental disclosures of PHI to unauthorised individuals, and human error that exposes patient data.

Breach Type Number of breaches Records breached

Mean Records Breached

 Median Records Breached
Hacking/IT Incident 429 26,949,956 62,820 8,000
Unauthorized Access/Disclosure 143 787,015 5,504 1,713
Theft 39 806,552 20,681 1,319
Improper Disposal 16 584,980 36,561 1,038
Loss 15 169,509 11,301 2,298

Location of Breached Protected Health Information

The increased use of encryption and cloud services for storing data have helped to reduce the number of loss/theft incidents, which used to account for the majority of reported breaches. Phishing attacks are still a leading cause of data breaches in healthcare and are often the first step in a multi-stage attack that sees malware or ransomware deployed.

Email account breaches were reported at a rate of more than 1 every two days in 2020, but email-related breaches took second spot this year behind breaches of network servers. Network servers often store large amounts of patient data and are a prime target for hackers and ransomware gangs.

While the majority of healthcare data breaches have involved electronic protected health information, a significant percentage of breaches in 2020 involved paper/film copies of protected health information which were obtained by unauthorized individuals, lost, or disposed of in an insecure manner.

Location of compromised data in healthcare data breaches 2020

Which Entities Suffered the Most Data Breaches in 2020?

The pie chart below shows the breakdown of HIPAA covered entities affected by data breaches of 500 or more records in 2020. Healthcare providers suffered the most breaches with 497 reported incidents. Business associates reported 73 data breaches, but it should be noted that in many cases a breach was experienced at the business associate, but the incident was reported by the covered entities affected. In total, 258 of the year’s breaches had some business associate involvement, which is 40.19% of all breaches. There were 70 breaches reported by health plans, and 2 breaches reported by healthcare clearinghouses.

2020 healthcare data breaches in the United States by Entity type

2020 Healthcare Data Breaches by State

South Dakota, Vermont, Wyoming residents survived 2020 without experiencing any healthcare data breaches, but there were breaches reported by entities based in all other states and the District of Columbia.

California was the worst affected state with 51 breaches, followed by Florida and Texas with 44, New York with 43, and Pennsylvania with 39.

State No. Breaches State No. Breaches State No. Breaches State No. Breaches
California 51 Virginia 18 New Jersey 9 Kansas 3
Florida 44 Indiana 17 South Carolina 9 Nebraska 3
Texas 44 Massachusetts 17 Washington 9 West Virginia 3
New York 43 Maryland 16 Delaware 8 District of Columbia 2
Pennsylvania 39 North Carolina 16 Utah 8 Idaho 2
Ohio 27 Colorado 14 Louisiana 6 Nevada 2
Iowa 26 Missouri 14 Maine 6 Oklahoma 2
Michigan 21 Arizona 12 New Mexico 6 Mississippi 1
Georgia 20 Arkansas 12 Oregon 5 Montana 1
Illinois 20 Kentucky 12 Hawaii 4 New Hampshire 1
Minnesota 20 Wisconsin 12 Alabama 3 North Dakota 1
Connecticut 19 Tennessee 10 Alaska 3 Rhode Island 1

HHS HIPAA Enforcement in 2020

2020 was a busy year in terms of HIPAA enforcement. The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, conducted 19 HIPAA compliance investigations that resulted in financial penalties. More penalties were agreed with HIPAA covered entities and business associates in 2020 than in any other year since OCR started enforcing HIPAA compliance.  $13,554,900 was paid in penalties across the 19 cases.

It can take several years from the start of an investigation before a financial penalty is levied. Some of the largest settlements of the year date back to breaches that were experienced in 2015 or earlier; however, the large increase in financial penalties in 2020 is largely due to a HIPAA enforcement drive launched by OCR in late 2019 to tackle noncompliance with the HIPAA Right of Access. There were 11 settlements reached with healthcare providers in 2020 to resolve cases where individuals were not provided with timely access to their medical records.

You can view a summary of OCR’s 2020 HIPAA enforcement actions in this post.

State AG HIPAA Enforcement in 2020

OCR is not the only enforcer of HIPAA compliance. State attorney generals also have the authority to take action against entities found not to be in compliance with the HIPAA Rules. There has been a trend for state attorneys general to work together and pool resources in their legal actions for noncompliance with the HIPAA Rules. In 2020, two multi-state actions were settled with HIPAA covered entities/business associates to resolve violations of the HIPAA Rules.

The health insurer Anthem Inc. settled a case that stemmed from its 78.8 million-record data breach in 2015 and paid financial penalties totalling $48.2 million to resolve multiple potential violations of HIPAA and state laws.

CHSPSC LLC, a Tennessee-based management company that provides services to subsidiary hospital operator companies and other affiliates of Community Health Systems, also settled a multi-state action and paid a financial penalty of $5 million to resolve alleged HIPAA violations. The case stemmed from a 2014 data breach that saw the ePHI of 6,121,158 individuals stolen by hackers.

About This Report

The Health Insurance Portability and Accountability Act (HIPAA) requires all healthcare data breaches to be reported to the HHS’ Office for Civil Rights. A summary of breaches of 500 or more records is published by the HHS Office for Civil Rights. This report was compiled using data on the HHS website on 01/19/21 and includes data breaches currently under investigation and archived cases.

The post 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020 appeared first on HIPAA Journal.