HIPAA Compliance News

Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital

New York Presbyterian Hospital has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with the New York Attorney General and will pay a financial penalty of $300,000.

NYP operates 10 hospitals in New York City and the surrounding metropolitan area and serves approximately 2 million patients a year. In June 2016, NYP added tracking pixels and tags to its nyp.org website to track visitors for marketing purposes. In early June 2022, a journalist from The Markup contacted NYP and informed it that these tools were capable of transmitting sensitive information, including information classified as protected health information (PHI) under HIPAA, to the third parties that provided them.

On June 16, 2022, The Markup published its article on the use of these tools by NYP and other U.S. hospitals, by which time NYP had already taken steps to remove the tools from its website and had initiated a forensic investigation to determine the extent of any impermissible disclosures. NYP concluded that PHI had potentially been disclosed without authorization and, on March 20, 2023, reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as involving the PHI of up to 54,396 individuals.

NY Attorney General Launches HIPAA Investigation

New York Attorney General Letitia James opened an investigation of NYP in response to the reported breach to determine whether NYP had violated HIPAA and New York law. The investigation confirmed that NYP had added several tracking tools to its website supplied by third parties including Bing, Google, Meta/Facebook, iHeartMedia, TikTok, The Trade Desk, and Twitter. These tools were configured to fire on certain user events. Most sent information when a webpage loaded; some also sent information in response to clicks on certain links, the submission of forms, and searches conducted on the site. The data sent to third parties described the user’s interactions with the website, including the user’s IP address, the URLs visited, and the searches performed. The tools provided by Google, Meta, and The Trade Desk also received unique identifiers that had been stored in cookies on the user’s device.

Meta/Facebook also received information such as first and last name, email address, mailing address, and gender information, if that information was entered on a webpage where the Meta pixel was present. In some cases, the information sent to third parties included health information, such as if the user researched health information, performed a search for a specialist doctor, or scheduled an appointment. Certain URLs also revealed information about a specific health condition.

The tracking tools from Meta, Google, and The Trade Desk were used to serve previous website visitors with targeted advertisements based on their earlier interactions on the website. NYP and its digital marketing vendor also used Meta pixel data to categorize website visitors by the pages they had visited, and used the Meta pixel to serve advertisements to other individuals with similar characteristics, known as “lookalike audiences.” For example, NYP identified individuals who visited webpages related to prostate cancer, and those individuals were then served prostate cancer-related advertisements on other third-party websites.

Commonly Used Website Tracking Tools Violate HIPAA

These tracking tools are widely used by businesses of all types and sizes for marketing, advertising, and data collection purposes; however, in contrast to most businesses with an online presence, hospitals are HIPAA-covered entities and are required by federal law to ensure the privacy of personal and health information. As confirmed by the HHS’ Office for Civil Rights in December 2022 guidance, third-party tools that are capable of collecting and transmitting PHI may only be used if there is a business associate agreement (BAA) in place and the disclosure of PHI is permitted by HIPAA or if HIPAA-compliant authorizations have been obtained from patients. NYP, like many other HIPAA-covered entities that used these tools, had no BAAs in place with the tracking tool vendors and did not obtain consent from patients to disclose their PHI to those vendors.

The New York Attorney General determined that while NYP had policies and procedures relating to HIPAA compliance and patient privacy, they did not include appropriate procedures for vetting third-party tracking tools. The Attorney General found that the use of these tools violated 45 C.F.R. § 164.502(a) of the HIPAA Privacy Rule, which prohibits uses and disclosures of PHI other than those the rule permits or requires, and § 164.530(c) and (i), which require administrative, technical, and physical safeguards to protect the privacy of PHI and policies and procedures to comply with those requirements. NYP was also found to have violated New York Executive Law § 63(12) by misrepresenting the manner and extent to which it protects the privacy, security, and confidentiality of PHI.

Settlement Agreed to Resolve Alleged Violations of HIPAA and State Laws

NYP fully cooperated with the investigation and chose to settle the alleged violations without admitting or denying the findings. In addition to the financial penalty, NYP has agreed to comply with Executive Law § 63(12), General Business Law § 899-aa, the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E), and the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D) with respect to the collection, use, and maintenance of PHI. NYP must also contact every third party that was sent PHI and request that the information be deleted. It has further agreed to audit, review, and test third-party tools before deploying them to any NYP website or app, and to regularly review the contracts, privacy policies, and terms of use associated with those tools.
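The behaviour described above (tags that fire on page load and on searches and ship the page URL, the search terms and cookie identifiers to the vendor) and the pre-deployment review the settlement now requires can both be checked mechanically before a tag goes live. The following script is an added example, not code from NYP, its marketing vendor, or the Attorney General’s office. Given a page URL and its HTML, it lists the third-party tag vendors the page loads and raises a finding when the page’s own URL or search query would disclose what the visitor is looking for. The vendor host list, the inline-call markers, the sensitive-URL patterns and the sample page are assumptions constructed for illustration and are not complete.

```python
"""Pre-deployment audit of a web page for third-party tracking tags.

Added example, not code from NYP, its marketing vendor or the Attorney General.
Lists the tag vendors a page loads and flags pages whose URL or search terms
would themselves disclose health information if sent along with a tag. The
host list, inline-call markers and URL patterns are illustrative assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Script/beacon hosts of vendors named in the settlement (assumed, not complete).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "bat.bing.com": "Microsoft/Bing UET",
    "analytics.tiktok.com": "TikTok Pixel",
    "js.adsrvr.org": "The Trade Desk",
    "static.ads-twitter.com": "Twitter Pixel",
}
# Inline calls showing a tag is configured even if its loader lives elsewhere.
INLINE_TAG_CALLS = {"fbq(": "Meta Pixel", "gtag(": "Google tag", "ttq.": "TikTok Pixel"}
# URL shapes that reveal what a visitor is looking for (assumed; tune per site).
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"/(find-a-doctor|physicians?|doctors?)\b", re.I),
    re.compile(r"/(schedule|appointments?)\b", re.I),
    re.compile(r"/(conditions?|symptoms?|cancer|treatments?)\b", re.I),
    re.compile(r"/search\b", re.I),
]
SENSITIVE_QUERY_KEYS = {"q", "query", "search", "specialty", "condition"}

class TagCollector(HTMLParser):
    """Collect hosts of external resources and tag calls inside <script> bodies."""
    def __init__(self):
        super().__init__()
        self.resources = []       # (tag, host, url) for script/img/iframe/link
        self.inline_calls = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or a.get("href")
        if tag in ("script", "img", "iframe", "link") and src:
            host = urlparse(src).hostname
            if host:                      # relative URLs are first-party by construction
                self.resources.append((tag, host.lower(), src))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for call, vendor in INLINE_TAG_CALLS.items():
                if call in data:
                    self.inline_calls.add(vendor)

def sensitivity_reasons(url):
    """Why the URL itself would disclose health information if sent to a vendor."""
    parts = urlparse(url)
    reasons = [f"path matches {p.pattern!r}" for p in SENSITIVE_PATH_PATTERNS if p.search(parts.path)]
    for key, values in sorted(parse_qs(parts.query).items()):
        if key.lower() in SENSITIVE_QUERY_KEYS:
            reasons.append(f"query parameter {key!r}={values[0]!r} travels with the page URL")
    return reasons

def is_sensitive(url):
    return bool(sensitivity_reasons(url))

def audit_page(url, html):
    """Third-party tags on the page, plus a finding when the page URL is sensitive."""
    site = (urlparse(url).hostname or "").lower().removeprefix("www.")
    collector = TagCollector()
    collector.feed(html)
    collector.close()
    trackers = []
    for tag, host, _ in collector.resources:
        if host == site or host.endswith("." + site):
            continue                                  # first-party asset
        if host in TRACKER_HOSTS:
            trackers.append({"tag": tag, "host": host, "vendor": TRACKER_HOSTS[host]})
    trackers += [{"tag": "inline", "host": None, "vendor": v} for v in sorted(collector.inline_calls)]
    reasons = sensitivity_reasons(url)
    findings = []
    if reasons and trackers:
        vendors = ", ".join(sorted({t["vendor"] for t in trackers}))
        findings.append(f"{url} would send its URL and cookie identifiers to {vendors}; "
                        f"confirm a BAA or remove the tags: {'; '.join(reasons)}")
    return {"url": url, "sensitive": bool(reasons), "reasons": reasons,
            "trackers": trackers, "findings": findings}

# Constructed page: a doctor-search results page carrying GTM, the Meta Pixel
# loader, its <noscript> image beacon, and one first-party script.
SAMPLE_URL = "https://www.example-hospital.org/find-a-doctor?q=prostate+cancer"
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
<script>
  !function(f,b,e,v,n,t,s){/* Meta Pixel loader */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script src="https://cdn.example-hospital.org/app.js"></script>
</head><body>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<form action="/find-a-doctor"><input name="q"><button>Search</button></form>
</body></html>"""

if __name__ == "__main__":
    result = audit_page(SAMPLE_URL, SAMPLE_HTML)
    for t in result["trackers"]:
        print(f"{t['tag']:8} {t['vendor']:20} {t['host'] or ''}")
    for f in result["findings"]:
        print("FINDING:", f)
```

The check is deliberately static: it inspects the served HTML rather than watching network traffic, so it can run in CI against a staging build before a tag reaches production. A static pass cannot see tags injected later by a tag manager container, so a page that loads Google Tag Manager should also have the container’s contents reviewed, and the finding text assumes that “no BAA” is the default until someone records one.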

NYP is also required to clearly disclose, on all websites, mobile applications, and other online services it owns or operates, every third party that receives PHI as the result of a pixel, tag, or other online tool, together with a clear description of the PHI that party receives. The notice must appear on all unauthenticated web pages that allow individuals to search for doctors or schedule appointments, and on any webpage that addresses specific symptoms or health conditions.

OCR’s guidance on tracking technologies is being challenged in court due to doubts about whether the types of information collected by tracking tools fall under the HIPAA definition of PHI. The requirements of the settlement concerning the use of tracking technologies and the restrictions imposed will remain in effect until the relevant sections of OCR’s guidance are amended, superseded, withdrawn, revoked, supplanted by successive guidance, or temporarily or permanently enjoined and/or rejected by a court ruling applicable to HIPAA-covered entities in New York.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients’ personal information and health data. New York-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that New York-Presbyterian is not negligent in protecting its patients’ information.”

A spokesperson for NYP responded to the resolution of the investigation and provided the following statement, “We are pleased to have reached a resolution with the New York State Attorney General on this matter. The privacy and security of our patients’ health information is of paramount importance, and the protection of this confidential information remains a top priority. We continually assess our data collection, data privacy, and digital monitoring tools and practices so that they meet or exceed the highest standards.”

The post Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital appeared first on HIPAA Journal.

Seattle Children’s Hospital Sues Texas AG Over Demand for Trans Youth Medical Records

The Texas Attorney General sent a civil investigative demand to Seattle Children’s Hospital seeking access to the medical records of trans patients. The hospital refused to provide the records and has filed a lawsuit that requests a Texas judge nullify the Attorney General’s demands.

The American Medical Association and the American Academy of Pediatrics believe that gender-affirming care is medically necessary and, in some cases, can be a lifesaving treatment for transgender youth; however, 20 states have imposed bans or placed restrictions on gender-affirming care for minors, and dozens of bills are being considered in other states. Earlier this year, Texas was added to that list when SB 14 was signed into law by Texas Governor Greg Abbott. The law prohibits the provision of gender transition care to Texas residents under 18 years of age.

In November 2023, Texas Attorney General Ken Paxton issued a civil investigative demand for the records of Texas residents who visited Seattle Children’s Hospital to receive gender-affirming care when under 18 years of age. In Washington, gender transition care can be legally provided to minors, including to individuals who travel to Washington from other U.S. states. AG Paxton sought access to information on diagnoses, lab test results, visit records, treatment for gender dysphoria, and other information about minor trans patients from Texas dating back to January 2022, along with the hospital’s standard protocol for treating patients with gender dysphoria who live in Texas. The hospital was given until December 7, 2023, to respond and provide the requested records.

The civil investigative demand was issued by the Consumer Protection Division of the Texas Attorney General’s office as part of an investigation into alleged violations of the Texas Deceptive Trade Practices Act, specifically alleged misrepresentation of gender-affirming care. The demand was accompanied by a warning that anyone who concealed or falsified information could face a $5,000 fine or a year in jail. Seattle Children’s Hospital refused to provide the records, stating that handing over the information would violate the Health Insurance Portability and Accountability Act (HIPAA), state healthcare privacy laws, and the recently passed House Bill (HB) 1469, the Shield Law. The Shield Law protects individuals who travel to Washington to receive protected medical services, such as abortion and gender-affirming care, that are banned or restricted in their home states.

Seattle Children’s Hospital also explained in its lawsuit that it owns no land in Texas, does not provide telehealth services to Texas residents, and has no offices in Texas. While the hospital employs a small number of individuals in Texas, none of them is involved in gender-affirming care, so, the hospital argues, the state has no jurisdiction over its practices. The lawsuit claims that the Texas Attorney General’s demands are unconstitutional and an attempt to chill travel from Texas to obtain legal healthcare in another state. It asks a Travis County, Texas, court judge to set aside AG Paxton’s civil investigative demand or, failing that, to modify the demand or grant an extension to respond.

Washington University in St. Louis (WU) has also taken legal action against a state attorney general over a civil investigative demand for the medical records of trans patients; in that case the demand was issued by the Missouri Attorney General as part of an investigation into deceptive trade practices under Missouri law. The Missouri Attorney General responded with a lawsuit of its own, seeking a court order compelling WU to provide the records immediately and clarification from the court on whether providing the requested records would violate HIPAA.


November 2023 Healthcare Data Breach Report

After two months of declining healthcare data breaches, there was a 45% increase in reported breaches of 500 or more healthcare records. In November, 61 large data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) – three more than the monthly average for 2023. From January 1, 2023, through November 30, 2023, 640 large data breaches have been reported.

In addition to an increase in data breaches, there was a massive increase in the number of breached records. 22,077,489 healthcare records were exposed or compromised across those 61 incidents – a 508% increase from October. November was the second-worst month of the year in terms of breached records behind July, when 24 million healthcare records were reported as breached. There is still a month of reporting left but 2023 is already the worst-ever year for breached healthcare records. From January 1, 2023, through November 30, 2023, 115,705,433 healthcare records have been exposed or compromised – more than the combined total for 2021 and 2022.

Largest Healthcare Data Breaches in November 2023

November was a particularly bad month for large data breaches, with 28 breaches of 10,000 or more records, including two breaches of more than 8 million records. Two of the breaches reported in November rank in the top ten breaches of all time and both occurred at business associates of HIPAA-covered entities. The largest breach occurred at Perry Johnson & Associates, Inc. (PJ&A) a provider of medical transcription services. The PJ&A data breach was reported to OCR as affecting 8,952,212 individuals, although the total is higher, as some of its clients have chosen to report the breach themselves. Hackers had access to the PJ&A network for more than a month between March and May 2023.

The second-largest breach was reported by Welltok, Inc. as affecting 8,493,379 individuals. Welltok works with health plans and manages communications with their members. The Welltok data breach is one of many 2023 breaches stemming from the Clop hacking group’s exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Globally, more than 2,615 organizations have had data stolen through that vulnerability, either directly or via a vendor that ran the software.

A further three data breaches involved the PHI of more than 500,000 individuals. Sutter Health was also a victim of the mass exploitation of the MOVEit vulnerability and had the data of 845,441 individuals stolen, as did Blue Shield of California (636,848 records); in both cases, MOVEit Transfer was used by business associates of those entities. East River Medical Imaging in New York experienced a cyberattack in which its network was breached for three weeks between September and October 2023, during which time the hackers exfiltrated files containing the PHI of 605,809 individuals. All 28 of the large breaches listed below were hacking incidents involving unauthorized access to network servers.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Perry Johnson & Associates, Inc., which does business as PJ&A | NV | Business Associate | 8,952,212 | Hacking and data theft incident
Welltok, Inc. | CO | Business Associate | 8,493,379 | Hacking incident (MOVEit Transfer)
Sutter Health | CA | Healthcare Provider | 845,441 | Hacking incident at business associate (MOVEit Transfer)
California Physicians’ Service d/b/a Blue Shield of California | CA | Health Plan | 636,848 | Hacking incident at business associate (MOVEit Transfer)
East River Medical Imaging, PC | NY | Healthcare Provider | 605,809 | Hacking and data theft incident
State of Maine | ME | Health Plan | 453,894 | Hacking incident (MOVEit Transfer)
Proliance Surgeons | WA | Healthcare Provider | 437,392 | Ransomware attack
Medical Eye Services, Inc. | NY | Business Associate | 377,931 | Hacking incident (MOVEit Transfer)
Medical College of Wisconsin | WI | Healthcare Provider | 240,667 | Hacking incident (MOVEit Transfer)
Warren General Hospital | PA | Healthcare Provider | 168,921 | Hacking and data theft incident
Financial Asset Management Systems (“FAMS”) | GA | Business Associate | 164,796 | Ransomware attack
Morrison Community Hospital District | IL | Healthcare Provider | 122,488 | Ransomware attack (BlackCat)
South Austin Health Imaging LLC dba Longhorn Imaging Center | TX | Healthcare Provider | 100,643 | Hacking and data theft incident (SiegedSec threat group)
Mulkay Cardiology Consultants at Holy Name Medical Center, P.C. | NJ | Healthcare Provider | 79,582 | Ransomware attack (NoEscape)
International Paper Company Group Health and Welfare Plan (the “IP Plan”) | TN | Health Plan | 78,692 | Hacking incident at business associate (MOVEit Transfer)
CBIZ KA Consulting Services, LLC | NJ | Business Associate | 30,806 | Hacking incident (MOVEit Transfer)
Endocrine and Psychiatry Center | TX | Healthcare Provider | 28,531 | Hacking and data theft incident
Blue Shield of California OR Blue Shield of California Promise Health Plan | CA | Business Associate | 26,523 | Hacking incident at business associate (MOVEit Transfer)
Wyoming County Community Health System | NY | Healthcare Provider | 26,000 | Hacking and data theft incident
Westat, Inc. | MD | Business Associate | 20,045 | Hacking incident (MOVEit Transfer)
Psychiatry Associates of Kansas City | KS | Healthcare Provider | 18,255 | Hacking and data theft incident
Southwest Behavioral Health Center | UT | Healthcare Provider | 17,147 | Hacking and data theft incident
TGI Direct, Inc. | MI | Business Associate | 16,113 | Hacking incident (MOVEit Transfer)
Pharmacy Group of Mississippi, LLC | MS | Healthcare Provider | 13,129 | Hacking and data theft incident
U.S. Drug Mart, Inc. | TX | Healthcare Provider | 13,016 | Hacking and data theft incident at business associate
Catholic Charities of the Diocese of Rockville Centre d/b/a Catholic Charities of Long Island | NY | Healthcare Provider | 13,000 | Hacking and data theft incident
Foursquare Healthcare, Ltd. | TX | Healthcare Provider | 10,890 | Ransomware attack
Saisystems International, Inc. | CT | Business Associate | 10,063 | Hacking and data theft incident

November 2023 Data Breach Causes and Data Locations

Many of the month’s breaches stemmed from the mass exploitation of a vulnerability in the MOVEit Transfer solution by the Clop threat group. MOVEit-related breaches continue to be reported, even though the attacks occurred in late May. According to the cybersecurity firm Emsisoft, at least 2,620 organizations were affected and 77.2 million records were stolen; 78.1% of the affected organizations are based in the United States. Progress Software is currently being investigated by the U.S. Securities and Exchange Commission over the breach.

Hacking/ransomware attacks accounted for 88.52% of the month’s data breaches (54 incidents) and 99.94% of the breached records (22,064,623 records). The average breach size was 408,604 records and the median breach size was 10,477 records.

Ransomware gangs continue to target the healthcare industry, and in November several ransomware groups, including NoEscape and BlackCat, listed stolen healthcare data on their leak sites. Many hacking groups, such as Hunters International and SiegedSec, do not deploy ransomware at all and instead steal data and threaten to sell or publish it if the ransom is not paid. Since there is little risk of these actors being apprehended and brought to justice, the attacks are likely to continue. OCR plans to make it harder for cyber actors to succeed by introducing new cybersecurity requirements for healthcare organizations; these will be voluntary initially but will later be enforced. New York has also announced that stricter cybersecurity requirements for hospitals will be introduced in the state, with financial assistance offered to help meet them.

There were six data breaches classified as unauthorized access/disclosure incidents, across which 10,371 records were impermissibly accessed or disclosed, an average of about 1,729 records per incident (10,371 divided by 6) and a median of 1,481 records. One reported incident involved the theft of paperwork containing the PHI of 2,495 individuals. For the second consecutive month, there were no reported loss or improper disposal incidents. The most common location of breached PHI was network servers, involved in 77% of all incidents; ten incidents involved PHI stored in email accounts.

Where did the Data Breaches Occur?

The OCR data breach portal shows healthcare providers were the worst affected HIPAA-regulated entity in November, with 42 reported data breaches. There were 13 data breaches reported by business associates and 6 data breaches reported by health plans. The problem with these figures is they do not accurately reflect where the data breaches occurred. When a business associate experiences a data breach, they may report it to OCR, the affected covered entities may report the breach or a combination of the two. As such, the raw data often does not accurately reflect the number of data breaches occurring at business associates of HIPAA-covered entities. The data used to compile the charts below has been adjusted to show where the data breach occurred rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 28 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

State | Number of Breaches
California | 8
New York | 6
Illinois, Texas | 5
Connecticut, Florida, Georgia, Indiana, Iowa, Kansas, Maine, Michigan, Minnesota, New Jersey, Oregon, South Carolina, Washington | 2
Arizona, Colorado, Maryland, Massachusetts, Mississippi, Nevada, Ohio, Pennsylvania, Tennessee, Utah, Wisconsin | 1

HIPAA Enforcement Activity in November 2023

OCR announced one enforcement action in November: a settlement with St. Joseph’s Medical Center to resolve allegations of an impermissible disclosure of patient information to a reporter. OCR opened its investigation after an Associated Press reporter, who had been allowed to observe three patients being treated for COVID-19, published an article that included photographs of and information about the patients and was circulated nationally. OCR determined that the patients had not provided HIPAA-compliant authorizations, so the disclosures violated the HIPAA Privacy Rule. St. Joseph’s Medical Center settled the alleged violations and paid an $80,000 financial penalty.

HIPAA is primarily enforced by OCR, although state attorneys general may also investigate HIPAA-regulated entities and have the authority to impose fines for HIPAA violations. In November, the New York Attorney General announced one settlement resolving alleged violations of HIPAA and state law. U.S. Radiology Specialists Inc. was investigated over a breach of the personal and protected health information of 198,260 individuals, including 95,540 New York residents. The investigation determined that U.S. Radiology Specialists knew of vulnerabilities in its systems but failed to address them in a timely manner, and some of those vulnerabilities were exploited in a ransomware attack. U.S. Radiology Specialists agreed to pay a $450,000 financial penalty and to ensure full compliance with HIPAA and state law.


Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000

The New York Attorney General has agreed to settle alleged violations of New York’s data security and consumer protection laws with Healthplex, one of New York’s largest providers of dental insurance. Healthplex has agreed to pay a penalty of $400,000 to resolve the investigation with no admission of wrongdoing.

Attorney General Letitia James launched an investigation of Healthplex after being notified about a breach of the personal and protected health information of 89,955 individuals, including 62,922 New York residents to determine if Healthplex had complied with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and New York’s data security and consumer protection laws.

The data breach occurred on or around November 24, 2021, and was the result of an employee responding to a phishing email and disclosing her account credentials. The account contained more than 12 years of emails, some of which included customer enrollment information. Credentials alone should not have been sufficient to gain access to the account; however, Healthplex had not implemented multi-factor authentication on its recently deployed Office 365 web interface.

The unauthorized individual used the account to send further phishing emails internally, and it was employees reporting those emails that revealed the attack. The attacker had access to the account for almost 6 hours before access was terminated; during that time, the attacker could access emails dating from May 7, 2009, to November 24, 2021. The emails contained member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, driver’s license numbers, usernames and passwords for the member portal, email addresses, phone numbers, dates of service, provider names, billing information, procedure codes, diagnosis codes, prescription drug names, and plan affiliations. While unauthorized access was confirmed, insufficient logging meant it was not possible to determine which emails had been accessed or copied.

The affected individuals were notified in April 2022, and Healthplex took steps to improve security, including extending multi-factor authentication to the Office 365 web interface, implementing a 90-day email retention policy, enhancing its logging, and providing further phishing awareness training to the workforce. The investigation determined that the measures in place before the phishing attack did not meet the standards required by New York’s data security and consumer protection laws with respect to data retention, logging, and multi-factor authentication, and that Healthplex’s data security assessments had failed to identify the risk of storing years of data in email accounts when there was no business purpose for retaining it.

In addition to paying a financial penalty, Healthplex has agreed to maintain a comprehensive information security program, encrypt personal data, implement an email retention schedule for employee email accounts, enforce the use of complex passwords, and conduct penetration tests to identify vulnerabilities. “Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” said Attorney General James. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”



OCR Imposes First HIPAA Penalty for a Phishing Attack

The HHS’ Office for Civil Rights (OCR) has agreed to settle a landmark cyber investigation and has imposed its first financial penalty under the Health Insurance Portability and Accountability Act (HIPAA) for a phishing attack. Lafourche Medical Group, a Louisiana-based medical group specializing in emergency medicine, occupational medicine, and laboratory testing, reported a data breach to OCR on May 28, 2021, involving the protected health information (PHI) of up to 34,862 individuals.

According to the breach notification, a hacker gained access to the email account of one of its owners on March 30, 2021, following a response to a phishing email that spoofed one of the medical group’s owners. The threat actor gained access to the Microsoft 365 environment, which contained patient data. Lafourche Medical Group said that because of the size of the email system, it was not possible to determine all patient information that had been exposed, so notification letters were mailed to all patients. The exposed data included names, addresses, dates of birth, dates of service, e-mail addresses, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating practitioner names, and lab test results.

OCR launched an investigation into the incident to determine whether a failure to comply with the HIPAA Rules led to or contributed to the security breach. OCR’s investigators discovered Lafourche Medical Group had not conducted a security risk analysis prior to the phishing attack. The HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information. OCR also determined that Lafourche Medical Group had not implemented procedures to regularly review records of information system activity prior to the phishing attack. This is also a required implementation specification of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(D).

Lafourche Medical Group agreed to settle the investigation with no admission of liability or wrongdoing. In addition to paying a sizeable financial penalty, Lafourche Medical Group has agreed to implement a robust corrective action plan (CAP) which includes establishing and implementing security measures to reduce security risks and vulnerabilities to ePHI, developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules, and providing HIPAA training to all staff members who have access to PHI. OCR will also monitor Lafourche Medical Group for two years to ensure compliance with the HIPAA Rules.

“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”

This is the 12th HIPAA violation penalty imposed by OCR in 2023 and the second-largest of the year. So far this year, OCR has imposed HIPAA penalties totaling $4,016,500.


HHS Publishes Healthcare Sector Cybersecurity Strategy

On Wednesday, the U.S. Department of Health and Human Services published a concept paper that outlines the HHS’s cybersecurity strategy for the healthcare sector. The paper details the steps that the HHS has already taken to improve cybersecurity in the healthcare sector and the steps the HHS has planned for improving cyber resiliency and protecting patient safety. The Healthcare Sector Cybersecurity Strategy builds on the Biden administration’s National Cybersecurity Strategy and focuses specifically on strengthening resilience for hospitals, patients, and communities threatened by cyberattacks.

The healthcare sector has seen a massive increase in cyberattacks in recent years, with large data breaches increasing by 93% from 2018 to 2023 and ransomware attacks increasing by 278% over the same period. These attacks have resulted in extended stays in hospitals, poorer patient outcomes, delays to diagnosis and treatment, and diversions to other healthcare facilities. These adverse impacts have put patient safety at risk yet they are largely preventable.

“Since entering office, the Biden-Harris Administration has worked to strengthen the nation’s defenses against cyberattacks. The health care sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance,” said HHS Secretary Xavier Becerra. “HHS is working with health care and public health partners to bolster our cyber security capabilities nationwide. We are taking necessary actions that will make a big difference for the hospitals, patients, and communities who are being impacted.”

The HHS has already taken several steps to improve healthcare cybersecurity. The HHS has updated its voluntary healthcare-specific cybersecurity guidance – Health Industry Cybersecurity Practices – to reflect the current cybersecurity landscape, released free healthcare-specific cybersecurity trainings to help small- and medium-sized healthcare organizations to train their staff on basic cybersecurity practices, and the HHS’ Office for Civil Rights has published telehealth guidance for healthcare providers and patients to educate patients about the privacy and security of protected health information. The Food and Drug Administration (FDA) has added new cybersecurity requirements for medical device manufacturers and has issued guidance on the pre-market cybersecurity requirements for new medical devices.

The Healthcare Sector Cybersecurity Strategy outlines the path forward and includes four pillars for action to improve cyber resilience in the health sector. The first pillar is to establish voluntary cybersecurity goals for the healthcare sector. Healthcare organizations have access to numerous cybersecurity standards and guidance documents, and determining which standards should be prioritized can be confusing. The HHS will establish and publish voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) to help healthcare organizations prioritize high-impact cybersecurity practices; the HPH CPGs will include both essential and enhanced performance goals.

For many healthcare organizations, there are competing priorities and limited resources, which can mean improvements to cybersecurity are put on the back burner. The HHS plans to provide resources to incentivize healthcare organizations to implement cybersecurity practices and will be working with Congress to obtain new authority to administer financial support for domestic investments in cybersecurity. The HHS will create an upfront investment program to help high-need healthcare providers cover the upfront costs of implementing essential HPH CPGs and establish an incentive program to encourage hospitals to implement the enhanced HPH CPGs. Long term, the HHS will enforce the new cybersecurity requirements with the imposition of financial consequences for hospitals that fail to adopt essential cybersecurity practices.

The HHS plans an update to the HIPAA Security Rule in the spring of 2024 and will be adding new cybersecurity requirements. The HHS believes regulatory updates are required in addition to funding and voluntary goals, as those alone will not be enough to drive the behavioral changes needed across the sector. As part of an HHS-wide strategy, the Centers for Medicare and Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through the Medicare and Medicaid programs, and the HHS will work with Congress to increase the penalties for HIPAA violations. The HHS is also working with Congress to obtain increased resources to allow OCR to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for organizations with low resources to help them improve HIPAA compliance.

The fourth pillar for action is to expand and mature the one-stop-shop within the HHS for healthcare cybersecurity within the Administration of Strategic Preparedness and Response (ASPR) to make it easier for the industry to access the support and services provided by the Federal Government. This will enhance coordination between the HHS and the Federal Government, deepen partnerships with private industry, increase the incident response capabilities of the HHS, and promote greater uptake of services and resources such as vulnerability scanning and technical assistance.

“Taken together, HHS believes these goals, supports, and accountability measures can comprehensively and systematically advance the healthcare sector along the spectrum of cyber resiliency to better meet the growing threat of cyber incidents, especially for high-risk targets like hospitals,” wrote the HHS. “Acting on these priorities will protect the health and privacy of all Americans and enable safe access to health care.”


CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General

In late September 2023, Indiana Attorney General Todd Rokita filed a lawsuit against CarePointe ENT over a ransomware attack and data breach that affected 48,742 individuals. A settlement has been reached that will see CarePointe pay $125,000 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state data privacy and security laws.

CarePointe ENT operates three ear, nose, throat, sinus, and hearing centers in Merrillville, Munster & Hobart in Northwest Indiana. On June 25, 2021, CarePointe ENT experienced a ransomware attack which resulted in files being encrypted and data being exfiltrated. The stolen data included names, addresses, dates of birth, Social Security numbers, medical insurance information, and health information. Affected individuals were notified about the data breach in August 2021.

AG Rokita launched an investigation into the attack to determine if CarePointe ENT had complied with its obligations under HIPAA and state laws. Despite claiming that it was committed to safeguarding patient information, CarePointe ENT was determined to have failed to implement appropriate security policies, conduct appropriate risk analyses, and address known security risks in a reasonable amount of time.

CarePointe ENT hired a third-party IT vendor that conducted a HIPAA risk analysis and identified security concerns in January 2021. The vendor was hired in March to address the identified vulnerabilities, but they were not fixed in a reasonable time frame. In June 2021, some of the unaddressed vulnerabilities were exploited in a ransomware attack. In addition to the failure to address known security issues, CarePointe ENT failed to enter into a business associate agreement with the vendor, even though the vendor was provided with access to systems containing protected health information.

AG Rokita’s lawsuit alleged one count of a failure to comply with the HIPAA Privacy Rule, one count of failing to comply with the HIPAA Security Rule, one count of failing to comply with the Indiana Disclosure of Security Breach Act (DSBA), and one count of failing to comply with the Indiana Deceptive Consumer Sales Act (DCSA). CarePointe ENT chose to settle the alleged violations of HIPAA and state laws with no admission of wrongdoing. Under the terms of the settlement, a financial penalty of $125,000 will be paid to the state and CarePointe ENT has agreed to ensure full compliance with the HIPAA Privacy and Security Rules and the DCSA and DSBA with respect to the safeguarding of personal information (PI), protected health information (PHI), and electronic protected health information (ePHI). CarePointe ENT has also agreed not to make misrepresentations about the extent to which it ensures the privacy, security, confidentiality, and integrity of PI, PHI, and ePHI.

The settlement agreement includes a comprehensive list of privacy and security measures. These include implementing a comprehensive information security program, appointing a HIPAA Security Officer to oversee that program, implementing technical safeguards and controls to ensure the privacy and security of patient data, developing an incident response plan and testing that plan through table-top exercises, developing policies and procedures regarding business associate agreements, and providing privacy and security training to all members of the workforce with access to PI, PHI, or ePHI.


St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 11th HIPAA penalty of 2023. St. Joseph’s Medical Center, a non-profit academic medical center in New York, was investigated over the disclosure of patients’ protected health information (PHI) to a reporter and has paid an $80,000 financial penalty to resolve the alleged HIPAA violations.

The Privacy Rule of the Health Insurance Portability and Accountability Act permits disclosures of PHI for the purposes of treatment, payment, and healthcare operations, but other disclosures of PHI are generally prohibited unless authorization is obtained from the patient. OCR launched an investigation of St. Joseph’s Medical Center on April 20, 2020, following the publication of an article in the media by a reporter from the Associated Press (AP). Based on the information in the article, it appeared that the reporter had been allowed to observe three patients who were being treated for COVID-19.

The article included information about the medical center’s response to the COVID-19 public health emergency and photographs and information about the facility’s patients. The images were distributed nationally, exposing PHI such as patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans. OCR’s investigation found evidence to suggest that St. Joseph’s Medical Center had allowed the reporter access to the patients and their clinical information. St. Joseph’s Medical Center had not obtained consent and valid HIPAA authorizations from the patients and the disclosure of PHI was not permitted by the HIPAA Privacy Rule.

St. Joseph’s Medical Center chose to settle the alleged HIPAA violation with OCR with no admission of liability and agreed to adopt a corrective action plan (CAP). The CAP requires St. Joseph’s Medical Center to review and, to the extent necessary, develop, maintain, and revise its written privacy policies and procedures to ensure they are compliant with the HIPAA Privacy Rule, provide those policies and procedures to OCR for review, distribute the updated policies and procedures to members of the workforce, and obtain a signed written or electronic compliance certification from all members of the workforce confirming they have read and understood the new policies and procedures. St. Joseph’s Medical Center will also be monitored by OCR for compliance for 2 years.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”

Disclosures of PHI in Response to Media Inquiries

When it comes to disclosures of PHI in response to media inquiries, 45 CFR § 164.510(a) of the HIPAA Privacy Rule permits notifications to individuals who inquire about a patient or the patient’s general condition and location in the facility.

In such cases, disclosure of PHI is permitted if it is consistent with the patient’s wishes and the patient is asked for by name. All that can be disclosed is “facility directory information.” The patient’s name may be disclosed along with the individual’s location within the facility, provided the location does not reveal information about the patient’s treatment (e.g., labor and delivery), and their condition in general terms (i.e., stable, fair, or critical). All other disclosures of PHI can only be made if a HIPAA-compliant authorization is obtained from the patient in advance.
