HIPAA Compliance News

Aetna Slapped with $1 Million HIPAA Fine for Three Data Breaches

Posted October 29, 2020 by HIPAA Journal

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017.

The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials.

The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service.

The second two HIPAA breaches involved the exposure and impermissible disclosure of highly sensitive information in two mailings to plan members. In both mailings, window envelopes had been used which allowed PHI to be viewed without opening the envelopes.

The first mailing in July 2017 saw benefit notices sent to 11,887 individuals who were receiving HIV medication, either for treatment or prophylaxis. The words “HIV medication” could be seen through the windows of the envelope, along with the name and address of each individual.

The second mailing, sent in September 2017, concerned a research study on individuals with an irregular heart rhythm. Through the windows of the envelope the name and logo of the atrial fibrillation research study were clearly visible along with the name and address of the recipient. The mailing was sent to 1,600 individuals.

These three incidents resulted in the impermissible disclosure of the PHI of 18,489 individuals and during the course of the investigation OCR investigators uncovered several other violations of the HIPAA Rules.

Aetna had not performed periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI), in violation of 45 C.F.R. § 164.308(a)(8);
Procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, in violation of 45 C.F.R. § 164.312(d);
Disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosure, in violation of 45 C.F.R. § 164.514(d); and
There was a lack of appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in violation of 45 C.F.R. § 164.530(c).

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.

In addition to the financial penalty, Aetna has agreed to adopt a corrective action plan to address all areas of HIPAA noncompliance discovered by OCR. OCR will be monitoring Aetna closely for noncompliance with the HIPAA Rules for 2 years.

Settlements totaling $2,725,170 were agreed in 2018 to resolve HIPAA violation cases brought by state attorneys general in California ($935,000), Connecticut ($99,959), New Jersey ($365,211.59), New York ($1,150,000) and the District of Columbia ($175,000) over these data breaches. In 2018, Aetna also settled a class action lawsuit filed on behalf of victims of the HIV medication mailing incident for $17 million.

This year has already seen more penalties imposed on covered entities and business associates than any other year since OCR was given the authority to impose fines for HIPAA violations. There have been 14 settlements announced this year totaling $13,211,500.

The post Aetna Slapped with $1 Million HIPAA Fine for Three Data Breaches appeared first on HIPAA Journal.

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

Posted October 22, 2020 by HIPAA Journal

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020.

Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records.

Causes of September 2020 Healthcare Data Breaches

The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers.

Blackbaud was able to contain the breach; however, prior to the deployment of the ransomware, the attackers exfiltrated some customer data. The breach was initially thought to only include limited data about donors and prospective donors, but further investigations revealed Social Security numbers and financial information were also exfiltrated by the hackers.

Blackbaud negotiated a ransom payment and paid to prevent the publication or sale of the stolen data. Blackbaud has reported it has received assurances that all stolen data were deleted. Blackbaud has engaged a company to monitor dark web sites but no data appears to have been offered for sale.

Blackbaud announced the ransomware attack in July 2020 and notified all affected customers. HIPAA-covered entities affected by the breach started to report the data breach in August, with most reporting in September.

It is currently unclear exactly how many U.S. healthcare organizations were affected by the breach and the final total may never be known. Databreaches.net has been tracking the Blackbaud breach reports and, at last count, at least 80 healthcare organizations are known to have been affected. The records of more than 10 million patients are thought to have been compromised as a result of the ransomware attack.

Unsurprisingly, given the numbers of healthcare providers affected by the Blackbaud breach, hacking/IT incidents dominated the breach reports. 83 breaches were attributed to hacking/IT incidents and 9,662,820 records were exposed in those breaches – 99.50% of all records reported as breached in September. The mean breach size was 116,420 records and the median breach size was 27,410 records.

There were 7 unauthorized access/disclosure incidents reported in September involving a total of 34,995 records. The mean breach size was 4,942 records and the median breach size was 1,818 records. There were 4 loss/theft incidents reported involving 12,029 records, with a mean breach size of 3,007 records and a median size of 2,978 records. There was 1 improper disposal incident reported involving 1,076 records.

Most of the compromised records were stored on network servers, although there were a sizable number of breaches involving PHI stored in email accounts.

Largest Healthcare Data Breaches Reported in September 2020

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Breach Cause
Trinity Health	Business Associate	3,320,726	Hacking/IT Incident	Blackbaud Ransomware Attack
Inova Health System	Healthcare Provider	1,045,270	Hacking/IT Incident	Blackbaud Ransomware Attack
NorthShore University HealthSystem	Healthcare Provider	348,746	Hacking/IT Incident	Blackbaud Ransomware Attack
SCL Health – Colorado (affiliated covered entity)	Healthcare Provider	343,493	Hacking/IT Incident	Blackbaud Ransomware Attack
Nuvance Health (on behalf of its covered entities)	Healthcare Provider	314,829	Hacking/IT Incident	Blackbaud Ransomware Attack
The Baton Rouge Clinic, A Medical Corporation	Healthcare Provider	308,169	Hacking/IT Incident	Ransomware Attack
Virginia Mason Medical Center	Healthcare Provider	244,761	Hacking/IT Incident	Blackbaud Ransomware Attack
University of Tennessee Medical Center	Healthcare Provider	234,954	Hacking/IT Incident	Blackbaud Ransomware Attack
Legacy Community Health Services, Inc.	Healthcare Provider	228,009	Hacking/IT Incident	Phishing Attack
Allina Health	Healthcare Provider	199,389	Hacking/IT Incident	Blackbaud Ransomware Attack
University of Missouri Health Care	Healthcare Provider	189,736	Hacking/IT Incident	Phishing Attack
The Christ Hospital Health Network	Healthcare Provider	183,265	Hacking/IT Incident	Blackbaud Ransomware Attack
Stony Brook University Hospital	Healthcare Provider	175,803	Hacking/IT Incident	Blackbaud Ransomware Attack
Atrium Health	Healthcare Provider	165,000	Hacking/IT Incident	Blackbaud Ransomware Attack
University of Kentucky HealthCare	Healthcare Provider	163,774	Hacking/IT Incident	Blackbaud Ransomware Attack
Children’s Minnesota	Healthcare Provider	160,268	Hacking/IT Incident	Blackbaud Ransomware Attack
Roswell Park Comprehensive Cancer Center	Healthcare Provider	141,669	Hacking/IT Incident	Blackbaud Ransomware Attack
Piedmont Healthcare, Inc.	Healthcare Provider	111,588	Hacking/IT Incident	Blackbaud Ransomware Attack
SCL Health – Montana (affiliated covered entity)	Healthcare Provider	93,642	Hacking/IT Incident	Blackbaud Ransomware Attack
Roper St. Francis Healthcare	Healthcare Provider	92,963	Hacking/IT Incident	Blackbaud Ransomware Attack

September 2020 Data Breaches by Covered Entity Type

88 healthcare providers reported data breaches of 500 or more records in September and 2 breaches were reported by health plans. 5 breaches were reported by business associates of HIPAA-covered entities, but a further 53 breaches involved a business associate, with the breach reported by the covered entity. Virtually all of those 53 breaches were due to the ransomware attack on Blackbaud.

September 2020 Data Breaches by State

Covered entities and business associates in 30 states and the district of Columbia reported data breaches of 500 or more records in September.

New York was the worst affected state with 10 breaches, 6 breaches were reported in each of California, Minnesota, and Pennsylvania, 5 in each of Colorado, South Carolina, and Texas, 4 in Florida, Georgia, Massachusetts, Ohio, and Virginia, 3 in each of Iowa, Kentucky, Louisiana, and Michigan, and 2 in each of Connecticut, Maryland, North Carolina, Tennessee, and Wisconsin.

One breach was reported in each of Alabama, Delaware, Illinois, Indiana, Missouri, New Hampshire, New Jersey, Oklahoma, Washington, and the District of Columbia.

HIPAA Enforcement Activity in September 2020

Prior to September, the HHS’ Office for Civil Rights had only imposed three financial penalties on covered entities and business associates to resolve HIPAA violations, but there was a flurry of announcements about HIPAA settlements in September with 8 financial penalties announced.

The largest settlement was agreed with Premera Blue Cross to resolve HIPAA violations discovered during the investigation of its 2014 data breach that affected 10.4 million of its members. OCR found compliance issues related to risk analyses, risk management, and hardware and software controls. Premera agreed to pay a financial penalty of $6,850,000 to resolve the case. This was the second largest HIPAA fine ever imposed on a covered entity.

CHSPSC LLC, a business associate of Community Health Systems, agreed to pay OCR $2,300,000 to resolve its HIPAA violation case which stemmed from a breach of the PHI of 6 million individuals in 2014. OCR found compliance issues related to risk analyses, information system activity reviews, security incident procedures, and access controls.

Athens Orthopedic Clinic PA agreed to pay a $1,500,000 penalty to resolve its case with OCR which stemmed from the hacking of its systems by TheDarkOverlord hacking group. The PHI of 208,557 patients was compromised in the attack. OCR’s investigation uncovered compliance issues related to risk analyses, risk management, audit controls, HIPAA policies and procedures, business associate agreements, and HIPAA Privacy Rule training for the workforce.

Five of the September settlements resulted from OCR’s HIPAA Right of Access enforcement initiative and were due to the failure to provide patients with timely access to their medical records.

Entity	Settlement
Beth Israel Lahey Health Behavioral Services	$70,000
Housing Works, Inc.	$38,000
All Inclusive Medical Services, Inc.	$15,000
Wise Psychiatry, PC	$10,000
King MD	$3,500

There was one settlement to resolve a multistate investigation by state attorneys general, with Anthem Inc. agreeing to pay a financial penalty of $48.2 million to resolve multiple violations of HIPAA and state laws in relation to its 78.8 million record data breach in 2015, which is on top of the $16 million financial penalty imposed by OCR in October 2018.

The post September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised appeared first on HIPAA Journal.

OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative

Posted October 12, 2020 by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost.

HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received.

By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who have a copy of their records ensure that their health histories are never lost.

Under the OCR HIPAA Right of Access Initiative, complaints from individuals who have been denied access to their medical records or have faced delays in receiving a copy of their records are investigated. When violations of the HIPAA right of access are uncovered, financial penalties are issued. The aim of penalties is to encourage compliance by making noncompliance very costly.

The latest financial penalty was imposed on NY Spine, a private medical practice with offices in New York and Miami that specializes in neurology and pain management. OCR received a complaint from a patient in July 2019 who claimed to have sent multiple requests to NY Spine in June 2019 requesting a copy of her protected health information.

NY Spine responded to the requests and provided some of her records but failed to provide the diagnostic films that she had specifically requested. It took intervention from OCR for NY Spine to provide those records. The patient was finally provided with a complete copy of all the requested records in October 2020, 16 months after the first request was submitted.

NY Spine and OCR agreed to settle the case for $100,000. NY Spine is also required to adopt a corrective action plan and will be monitored by OCR for compliance for 2 years.

“No one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR Director.

The post OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative appeared first on HIPAA Journal.

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Posted October 9, 2020 by HIPAA Journal

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million.

A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information.

The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during the breach investigation. In addition to the financial penalty, CHSPCS agreed to adopt a robust corrective action plan to address privacy and security failures discovered by OCR’s investigators.

Victims of the breach took legal action against CHS over the theft of their PHI and CHS settled the class action lawsuit in 2019 for $3.1 million. The latest settlement means CHS and its affiliates have paid $10.4 million in settlements over the breach.

“A patient’s personal information—especially health information—deserves the highest level of protection,” said Attorney General Slatery. “This settlement will require CHS to provide that moving forward.”

CHS and its affiliates were found to have failed to implement reasonable and appropriate security measures to ensure the confidentiality, integrity, and availability of protected health information on its systems. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure,” said Iowa Attorney General Tom Miller.

The states participating in the action were Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.

In addition to paying the financial penalty, CHS and its affiliates have agreed to adopt a corrective action plan and implement additional security measures to ensure the security of its systems. Those measures include developing a written incident response plan, providing security awareness and privacy training to all personnel with access to PHI, limiting unnecessary or inappropriate access to systems containing PHI, implementing policies and procedures for its business associates, and conducting regular audits of all business associates.

CHS must also conduct an annual risk assessment, implement and maintain a risk-based penetration testing program, implement and maintain intrusion detection systems, data loss protection measures, and email filtering and anti-phishing solutions. All system activity must be logged, and those logs must be regularly reviewed for suspicious activity.

“Community Health Systems is pleased to have resolved this six-year old matter,” said a spokesperson for CHS in a statement about the settlement. “The company had robust risk controls in place at the time of the attack and worked closely with the FBI and consistently with its recommendations after becoming aware of the attack.”

The post Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation appeared first on HIPAA Journal.

OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure

Posted October 8, 2020 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced its 12^th HIPAA penalty of 2020 and its 8^th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records.

On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights.

OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018.

SJHMC did respond to the requests and provided some, but not all, of the requested records. The mother made contact with SJHMC again on May 2, May 10 and May 15, 2018 to request the records that had not been provided. SJHMC responded and sent additional records, but not the specific records that had been requested. It took until December 19, 2019 for SJHMC to provide all the records she had requested – 22 months after the initial request had been sent.

SJHMC agreed to pay the $160,000 financial penalty to settle the case with no admission of liability. SJHMC will also adopt a corrective action plan to address all areas of noncompliance and will be monitored for compliance by OCR for two years.

“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.

The post OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure appeared first on HIPAA Journal.

Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules

Posted October 6, 2020 by HIPAA Journal

A healthcare worker who was accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules and patient privacy by sending photographs of patients to unauthorized individuals has been cleared of any wrongdoing, following an investigation by federal law enforcement. A former acquaintance of the healthcare worker was discovered to have concocted a scheme to frame his former acquaintance for fictitious HIPAA violations and is now facing a prison sentence for making false statements.

Jeffrey Parker, 43, of Richmond Hill, GA, concocted an elaborate scheme to frame the former acquaintance for violations of patient privacy. In U. S. District Court in the Southern District of Georgia, Parker pled guilty to one count of false statements and admitted creating fake email addresses and concocting information in an effort to harm a former acquaintance. Parker portrayed himself as a whistleblower and contacted the U.S. Department of Justice (DOJ), Federal Bureau of Investigation (FBI) and the hospital where the healthcare worker was employed to make false allegations of HIPAA violations.

Several email addresses were created using the real names of individuals. Parker impersonated each to accuse the healthcare worker of violating patient privacy and the HIPAA Rules. Parker also claimed to have been threatened for reporting the HIPAA violations and acting as a whistleblower. The FBI investigated the case promptly to ensure Parker’s safety but identified inconsistencies in his account of events. After further investigation, Parker admitted he had concocted the scheme to harm the former acquaintance.

“This fake complaint not only caused potential harm for an innocent victim, but it also unnecessarily diverted resources from federal investigators whose diligent work shredded his web of lies,” said Bobby L. Christine, U.S. Attorney for the Southern District of Georgia.

“Many hours of investigative resources were wasted determining Parkers’ whistleblower claims were a scheme to damage a former acquaintance,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “Now he will pay for his deliberate transgression and we can affirm that these types of actions will be exposed and punished.”

Parker faces a maximum sentence of 5 years in jail.

The post Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules appeared first on HIPAA Journal.

Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

Posted October 1, 2020 by HIPAA Journal

The Indianapolis, IN-based health insurer Anthem Inc. has settled multi-state actions by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 41 states and Washington D.C for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million. The settlements resolve violations of Federal and state laws that contributed to the data breach – the largest ever breach of healthcare data in the United States.

The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. And was announced by Anthem in February 2015. A Chinese national and an unnamed accomplice were charged in connection with the cyberattack in May 2019.

A breach on that scale naturally attracted the attention of the HHS’ Office for Civil Rights (OCR), which investigated the breach and discovered multiple potential violations of the HIPAA Rules. Anthem settled the HIPAA violation case with OCR for $16 million in October 2018. The HIPAA violation penalty was, and still is, the largest ever financial penalty imposed on a covered entity or business associate for violations of the HIPAA Rules.

Many lawsuits were filed on behalf of victims of the data breach over the theft of their protected health information. Anthem settled the consolidated class action lawsuit for in 2018 for $115 million.

State Attorneys General investigated the breach to determine whether HIPAA and state laws had been violated. The multi-state investigation has taken 5 years to come to a conclusion, but the settlements now draw a line under the breach. Anthem has now paid $179.2 million to settle lawsuits and legal actions over the 2014 cyberattack.

In addition to the $48.2 million financial penalty, Anthem agreed to take a number of corrective actions to improve data security practices. These include implementing a comprehensive information security program based on the principles of zero trust architecture. Regular security reports are now sent to the board of directors and significant security events are reported promptly to the CEO.

Anthem has implemented multi-factor authentication, network segmentation, access controls, data encryption, is logging and monitoring information system activity. Anthem is conducting regular security risk assessments and penetration tests and provides regular security awareness training to its workforce. The corrective action plan also includes the requirement to undergo third-party security audits and assessments for three years, and to provide the results of those audits to a third-party assessor.

Anthem issued a statement in relation to the settlements saying, “[Anthem] does not believe it violated the law in connection with its data security and is not admitting to any such violations,” and also said that there had been no evidence uncovered to indicate any information stolen in the attack has been used to commit fraud or identity theft.

“When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data,” said California Attorney General Xavier Becerra. “Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”

The post Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties appeared first on HIPAA Journal.

OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross

Posted September 28, 2020 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during the investigation of a 2014 data breach involving the electronic protected health information of 10.4 million individuals.

Mountainlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest and serves more than 2 million individuals in Washington and Alaska. In May 2014, an advanced persistent threat group gained access to Premera’s computer system where they remained undetected for almost 9 months. The hackers targeted the health plan with a spear phishing email that installed malware. The malware gave the APT group access to ePHI such as names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.

The breach was discovered by Premera Blue Cross in January 2015 and OCR was notified about the breach in March 2015. OCR launched an investigation into the breach and discovered “systemic noncompliance” with the HIPAA Rules.

OCR determined that Premera Blue Cross had failed to:

Conduct a comprehensive and accurate risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI.
Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
Implement sufficient hardware, software, and procedural mechanisms to record and analyze activity related to information systems containing ePHI, prior to March 8, 2015.
Prevent unauthorized access to the ePHI of 10,466,692 individuals.

Due to the nature of the HIPAA violations and scale of the breach, OCR determined a financial penalty was appropriate. Premera Blue Cross agreed to settle the HIPAA violation case with no admission of liability. In addition to the financial penalty, Premera Blue Cross has agreed to adopt a robust corrective action plan to address all areas of noncompliance discovered during the OCR investigation. Premera Blue Cross will also be closely monitored by OCR for two years to ensure compliance with the CAP.

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR Director.

“We are pleased to have reached an agreement with the federal Office for Civil Rights to resolve legal inquiries into the 2014 cyberattack on our data network,” said Premera Blue Cross in a statement. “The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information.”

Last year, Premera Blue Cross agreed to settle a $10 million HIPAA violation lawsuit over the breach. The health plan had been investigated by 30 state attorneys general who determined Premera Blue Cross had not met its obligations under HIPAA and Washington’s Consumer Protection Act. In 2019, Premera Blue Cross also agreed to settle a $74 million lawsuit filed on behalf of individuals whose ePHI was exposed in the breach.

The latest penalty is the second largest HIPAA penalty imposed on a covered entity or business associate by OCR to resolve HIPAA violations, behind the $16 million financial penalty imposed on Anthem Inc. over its 2015 data breach involving the ePHI of 79 million individuals.

The fine is the 11^th HIPAA violation penalty to be announced by OCR in 2020 and the 8^th to be announced this month. So far in 2020, OCR has been paid $10,786,500 to resolve HIPAA violations discovered during investigations of data breaches and HIPAA complaints.

The post OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross appeared first on HIPAA Journal.

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

Posted September 23, 2020 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days.

The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals.

CHSPSC LLC is Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed CHSPSC’s information systems via its virtual private network (VPN) solution. CHSPSC failed to detect the intrusion and was notified by the Federal Bureau of Investigation on April 18, 2014 that its systems had been compromised.

During the time the hackers had access to CHSPSC systems, the ePHI of 6,121,158 individuals was exfiltrated. The data had been provided to CHSPSC through 237 covered entities that used CHSPSC’s services. The types of information stolen in the attack included the following data elements: name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.

OCR launched an investigation into the breach and uncovered systemic noncompliance with the HIPAA Security Rule. While it may not always be possible to prevent cyberattacks by sophisticated threat actors, when an intrusion is detected action must be taken quickly to limit the harm caused. Despite being notified by the FBI in April 2014 that its systems had been compromised, the hackers remained active in its systems for 4 months, finally being eradicated in August 2014. During that time, CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the hackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014 and mitigate harmful effects of the security breach, document the breach, and its outcome, was in violation of 45 C.F.R.§164.308(a)(6)(ii).

OCR investigators found CHSPSC had failed to conduct an accurate and thorough security risk analysis to identify the risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures permitting access to information systems containing ePH maintained by CHSPSC only by authorized individuals and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures had not been implemented to ensure information system activity records such as logs and system security incident tracking reports were regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino. A sizeable financial penalty was therefore appropriate.

CHSPSC chose not to contest the case and agreed to pay the financial penalty and settled with OCR. The settlement also requires CHSPSC to adopt a robust and extensive corrective action plan to address all areas of noncompliance, and CHSPSC will be closely monitored by OCR for 2 years.

The post Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information