HIPAA Compliance News

DoE and OCR Issue Updated Guidance on Sharing Student Health Records under FERPA and HIPAA

Posted by HIPAA Journal

The Department of Education and the Department of Health and Human Services’ Office for Civil Rights have issued updated guidance on the sharing of student health records under the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).

The guidance document was first released in November 2008 to help school administrators and healthcare professionals understand how FERPA and HIPAA apply to student educational and healthcare records. The guidance includes several Q&As covering both sets of regulations. Further questions and answers have been added to clear up potential areas of confusion about how HIPAA and FERPA apply to student records, including when it is permitted to share student records under FERPA and the HIPAA Privacy Rule without first obtaining written consent.

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. HIPAA does not usually apply to schools, since health information collected by an educational institution would usually be classed as educational records under FERPA. The HIPAA Privacy Rule excludes educational records from the definition of protected health information, but there are instances where HIPAA and FERPA intersect.

The HIPAA Privacy Rule requires consent to be obtained prior to the sharing of health information for purposes other than treatment, payment, or healthcare operations. The guidance explains that in emergencies and situations when an individual’s health is at risk, educational institutions and healthcare providers may disclose a student’s health information to someone in a position to prevent or lessen harm, including to family, friends, caregivers, and law enforcement.

The guidance states that “Healthcare providers may share (protected health information) with anyone as necessary to prevent or lessen a serious and imminent threat to the health or safety of the individual, another person, or the public—consistent with applicable law (such as state statutes, regulations or case law) and the provider’s standards of ethical conduct.” It is also permissible to share psychotherapy notes and information about mental health issues and substance abuse disorder in certain situations. The update details the situations when these disclosures are permitted.

“This updated resource empowers school officials, healthcare providers, and mental health professionals by dispelling the myth that HIPAA prohibits the sharing of health information in emergencies,” said OCR Director Roger Severino.

The update also includes information on when protected health information or personally identifiable information can be shared about a student that poses a danger to themselves or others. Additionally, disclosures of health data to law enforcement and the National Instant Criminal Background Check System are also now included in the guidance.

“Confusion on when records can be shared should not stand in the way of protecting students while they are in school,” said U.S. Secretary of Education Betsy DeVos.  “This update will provide much-needed clarity and help ensure that students get the assistance they need, and school leaders have the information they need to keep students safe.”

The post DoE and OCR Issue Updated Guidance on Sharing Student Health Records under FERPA and HIPAA appeared first on HIPAA Journal.

November 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). That represents a 36.5% decrease in reported breaches from October – The worst ever month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day.

600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November.

Largest Healthcare Data Breaches in November 2019

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Ivy Rehab Network, Inc. and its affiliated companies Healthcare Provider 125000 Hacking/IT Incident Email
Solara Medical Supplies, LLC Healthcare Provider 114007 Hacking/IT Incident Email
Saint Francis Medical Center Healthcare Provider 107054 Hacking/IT Incident Electronic Medical Record, Network Server
Southeastern Minnesota Oral & Maxillofacial Surgery Healthcare Provider 80000 Hacking/IT Incident Network Server
Elizabeth Family Health Healthcare Provider 28375 Theft Paper/Films
The Brooklyn Hospital Center Healthcare Provider 26312 Hacking/IT Incident Network Server
Utah Valley Eye Center Healthcare Provider 20418 Hacking/IT Incident Desktop Computer
Loudoun Medical Group d/b/a Comprehensive Sleep Care Center (“CSCC”) Healthcare Provider 15575 Hacking/IT Incident Email
Choice Cancer Care Healthcare Provider 14673 Hacking/IT Incident Email
Arizona Dental Insurance Services, Inc. d.b.a. Delta Dental of Arizona Health Plan 12886 Hacking/IT Incident Email

Causes of Healthcare Data Breaches in November 2019

Hacking/IT incidents dominated November’s breach reports and accounted for 63.6% of data breaches reported in November and 90.75% of the breached records (545,293). The average breach size was 25,966 records and the median breach size was 3,977 records.

There were 7 unauthorized access/disclosure breaches reported in November involving 16,586 healthcare records. The mean breach size was 2,369 records and the median breach size was 996 records.

There were 4 incidents involving the theft of 38,998 individuals’ protected health information. Two of the incidents involved electronic devices and two involved paper records. The mean breach size was 7,799 records and the median breach size was 3,237 records.

Phishing continues to be the most common cause of healthcare data breaches. 17 of the healthcare data breaches reported in November involved PHI stored in email accounts. The majority of those breaches were due to phishing attacks.

November 2019 Healthcare Data Breaches by Covered Entity Type

There were 28 healthcare provider data breaches reported in November and four breaches were reported by health plans. It was a good month for business associates, with only one breach reported, although a further two breaches had some business associate involvement.

 

November 2019 Healthcare Data Breaches by State

Data breaches were reported by covered entities in 19 states. California was the worst affected with 4 breaches, followed by Illinois, Missouri, New York, and Texas with three breaches each. Two breaches were reported by covered entities in Florida, North Carolina, and Pennsylvania, and there was one reported beach in each of Alaska, Arizona, Colorado, Connecticut, Indiana, Maryland, Michigan, Minnesota, Nebraska, Utah, and Virginia.

HIPAA Enforcement in November 2019

There were three financial penalties imposed on HIPAA-covered entities in November to resolve HIPAA violations.

University of Rochester Medical Center (URMC) settled its HIPAA violation case with OCR for $3,000,000. OCR launched an investigation after receiving two notifications about breaches due to lost or stolen devices. OCR investigated URMC in 2010 after the first device was lost and provided technical assistance. At the time, URMC recognized the high risk of storing ePHI on devices and the need for encryption, yet this was not implemented, and unencrypted portable electronic devices continued to be used. When OCR investigated the subsequent theft of a laptop computer, its investigators found URMC had failed to conduct an organization-wide risk analysis, risks had not been reduced to a reasonable and appropriate level, and URMC had not implemented appropriate device media controls.

Sentara Hospitals agreed to settle its HIPAA violation case with OCR for $2,175,000. OCR launched a compliance investigation in response to a complaint from a patient in April 2017. The patient had received a bill from Sentara containing another patient’s protected health information. Sentara Hospitals reported the breach as affecting 8 individuals, but OCR found that 577 letters had been misdirected to 16,342 different guarantors. Sentara Hospitals refused to update its breach report with the new total. OCR also found Sentara Hospitals had failed to enter into a business associate agreement with one of its vendors.

A substantial financial penalty was also imposed on The Texas Department of Aging and Disability Services (DADS). DADS had reported a breach of 6,617 patients’ ePHI to OCR in 2015. An error in a web application allowed ePHI to be accessed over the internet by individuals unauthorized to view the data. ePHI had been exposed for around 8 years. OCR investigated and found that DADS had failed to conduct an organization-wide risk analysis, there was a lack of access controls, and DADS failed to monitor information system activity. DADS settled the HIPAA violation case and paid a penalty of $1.6 million.

The post November 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership

Posted by HIPAA Journal

Pressure is continuing to be applied on Google and its parent company Alphabet to disclose information about how the protected health information (PHI) of patients of Ascension will be used, and the measures put in place to ensure PHI is secured and protected against unauthorized access.

The partnership between Google and Ascension was announced on November 11, 2019 following the publication of a story in the Wall Street Journal. A whistleblower at Google had shared information with the WSJ and expressed concern that millions of healthcare records had been shared with Google without first obtaining consent from patients. It was also alleged that Google employees could freely download PHI.

In its announcement, Google stated that the collaboration – named Project Nightingale – involved migrating Ascension’s infrastructure to the cloud and that it was helping Ascension implement G Suite tools to improve productivity and efficiency. Patient data was also being provided to Google to help develop AI and machine learning technologies to improve patient safety and clinical quality. When the migration of data has been completed, Google will have access to the health data of around 50 million patients.

Google has confirmed it is a business associate of Ascension and has signed a business associate agreement and is fully compliant with HIPAA regulations, but many privacy advocates are concerned about the partnership. Several members of Congress have also expressed concern and are seeking answers about the safeguards that have been put in place to secure patient data and how patient data will be used. The HHS’ Office for Civil Rights has also confirmed it is investigating Google and Ascension to make sure HIPAA Rules have not been violated.

Earlier this month, Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, wrote to Google and Alphabet expressing concern about the partnership. She has demanded answers to several questions about how protected health information has been obtained, the measures put in place to protect patient data, and how Google will be using the PHI.

“As Google and parent company Alphabet have engaged in an ever-widening acquisition of the highly personal health-related information of millions of people, Americans now face the prospect of having their sensitive health information handled by corporations who may misuse it,” wrote Rep. Jayapal in her Dec 6, 2019 letter. “I am especially concerned that your company has not provided sufficient assurances that this sensitive data will be kept safe, and that patients’ data is being acquired by your companies without their consent and without any opt-out provision.”

Rep. Jayapal is particularly concerned about how that information will be used. Google is amassing huge quantities of healthcare data from several sources. Google’s healthcare-focused AI unit, Medical Brain, is actively acquiring health data, Alphabet has partnered with the Mayo Clinic, and Google has acquired the UK startup, DeepMind. NHS data has already been provided to Google. Google is also looking to acquire Fitbit, which holds health-related data on 25 million users of its wearable devices.

“The fact that Google makes the vast majority of its revenue through behavioral online advertising—creating an incentive to commoditize all user information—renders the company’s expansion into health services all the more troubling,” wrote Rep. Jayapal.

Rep. Jayapal also pointed out that Google does not have a blemish-free track record when it comes to protecting health and medical information, referencing one incident in which chest X-ray images from the National Institute of Health were almost posted online before Google realized they contained personally identifiable information. She also stated there is an active lawsuit that claims Google companies have obtained patient information from a major medical facility and DeepMind was found to have violated the Data Protection Act in the UK by using patient data to develop new apps.

Rep. Jayapal has given Google and Alphabet until January 5, 2020 to answer her questions, as detailed below:

The post Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership appeared first on HIPAA Journal.

$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential violations of the HIPAA Right of Access and will adopt a corrective action plan and bring its policies and procedures in line with the requirements of the HIPAA Privacy Rule.

In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The complainant alleged that Korunda Medical refused to send an electronic copy of her medical records to a third party and was overcharging patients for providing copies of their medical records. Under HIPAA, covered entities are only permitted to charge a reasonable, cost-based fee for providing access to patients’ protected health information.

The initial complaint was filed with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access and closed the complaint. Four days later, a second complaint was received which demonstrated continued noncompliance with the HIPAA Right of Access. On May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been launched. As a result of OCR’s intervention, the complainant was provided with a copy of her medical records free of charge. Continued noncompliance with the HIPAA Right of Access resulted in a $85,000 financial penalty for Korunda Medical.

“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,” said OCR Director, Roger Severino.

The HIPAA Right of Action Initiative is a HIPAA enforcement drive to ensure HIPAA-covered entities are providing patients with copies of their medical records in a timely manner, in the format of their choosing, and without being overcharged. The first enforcement action under this initiative was announced in September 2019. Bayfront Health St Petersburg was also required to pay a financial penalty of $85,000 to resolve HIPAA Right of Access failures.

This is the ninth HIPAA enforcement action of 2019. OCR has settled 8 HIPAA violation cases this year and has issued one civil monetary penalty, with the financial penalties ranging from $10,000 to $3 million. So far in 2019, $12,209,000 has been paid to OCR to resolve HIPAA violations.

The post $85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures appeared first on HIPAA Journal.

Amazon Lex is Now HIPAA Compliant

Posted by HIPAA Journal

Amazon has announced that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare organizations without violating Health Insurance Portability and Accountability Act Rules.

Amazon Lex is a service that allows customers to build conversational interfaces into applications using text and voice. It allows the creation of chatbots that use lifelike, natural language to engage with customers, ask questions, collect and give out information, and complete a range of different tasks such as scheduling appointments. The conversational engine that powers Amazon Lex is also used by Amazon Alexa.

Until recently, there was limited potential for use of Amazon Lex in healthcare as the solution was not HIPAA-compliant and could therefore not be used in connection with electronic protected health information (ePHI). The service was also not covered by Amazon’s business associate agreement (BAA).

On December 11, 2019, Amazon confirmed that Amazon Lex is now included in its AWS business associate agreement (BAA) addendum and that the service is eligible for use with workloads involving ePHI, provided that a BAA is in place. Amazon Lex has been subjected to third-party security assessments under multiple AWS compliance programs, and in addition to being HIPAA eligible is also compliant with PCI and SOC.

As with any software solution, a BAA does not guarantee compliance. Amazon has ensured appropriate safeguards have been implemented to ensure the confidentiality, integrity, and availability of ePHI, but it is the responsibility of users to ensure that the solution is implemented correctly and used in a manner that complies with HIPAA Rules.

Amazon has released a whitepaper on Architecting for HIPAA Security and Compliance on AWS, which details best practices for configuring AWS services that store, process, and transmit ePHI. Guidelines on the administration of Amazon Lex have also been published.

The post Amazon Lex is Now HIPAA Compliant appeared first on HIPAA Journal.

HIPAA Compliance Can Help Covered Entities Prevent, Mitigate, and Recover from Ransomware Attacks

Posted by HIPAA Journal

Ransomware attacks used to be conducted indiscriminately, with the file-encrypting software most commonly distributed in mass spam email campaigns. However, since 2017, ransomware attacks have become far more targeted. It is now common for cybercriminals to select targets to attack where there is a higher than average probability of a ransom being paid.

Healthcare providers are a prime target for cybercriminals. They have large quantities of sensitive data, low tolerance for system downtime, and high data availability requirements. They also have the resources to pay ransom demands and many are covered by cybersecurity insurance policies. Insurance companies often choose to pay the ransom as it is usually far lower than the cost of downtime while systems are rebuilt, and data is restored from backups.

With attacks increasing in frequency and severity, healthcare organizations need to ensure that their networks are well defended and they have policies and procedures in place to ensure a quick response in the event of an attack.

Ransomware attacks are increasing in sophistication and new tactics and techniques are constantly being developed by cybercriminals to infiltrate networks and deploy ransomware, but the majority of attacks still use tried and tested methods to deliver the ransomware payload. The most common methods of gaining access to healthcare networks is still phishing and the exploitation of vulnerabilities, such as flaws that have not been patched in applications and operating systems. By finding and correcting vulnerabilities and improving defenses against phishing, healthcare providers will be able to block all but the most sophisticated and determined attackers and keep their networks secure and operational.

In its Fall 2019 Cybersecurity Newsletter, the Department of Health and Human Services explains that it is possible to prevent most ransomware attacks through the proper implementation of HIPAA Security Rule provisions. Through HIPAA compliance, healthcare organizations will also be able to ensure that in the event of a ransomware attack they will be able to recover in the shortest possible time frame.

There are several provisions of the HIPAA Security Rule that are relevant to protecting, mitigating and recovering from ransomware attacks, six of the most important being:

Risk Analysis (45 C.F.R. §164.308(a)(1)(ii)(A))

A risk analysis is one of the most important provisions of the HIPAA Security Rule. It allows healthcare organizations to identify threats to the confidentiality, integrity, and availability of ePHI, which allows those threats to be mitigated. Ransomware is commonly introduced through the exploitation of technical vulnerabilities., such as unsecured, open ports, outdated software, and poor access management/provisioning. It is essential that all possible attack vectors and vulnerabilities are identified.

Risk Management (45 C.F.R. §164.308(a)(1)(ii)(B))

All risks identified during the risk analysis must be managed and reduced to a low and acceptable level. That will make it much harder for attackers to succeed. Risk management includes the deployment of anti-malware software, intrusion detection systems, spam filters, web filters, and robust backup systems.

Information System Activity Review (45 C.F.R. §164.308(a)(1)(ii)(D))

If an organization’s defenses are breached and hackers gain access to devices and information systems, intrusions need to be quickly detected. By conducting information system activity reviews, healthcare organizations can detect anomalous activity and take steps to contain attacks in progress. Ransomware is not always deployed as soon as network access is gained. It may be days, weeks, or even months after a network is compromised before ransomware is deployed, so a system activity review may detect a compromise before the attackers are able to deploy ransomware. Security Information and Event Management (SIEM) solutions can be useful for conducting activity reviews and automating the analysis of activity logs.

Security Awareness and Training (45 C.F.R. §164.308(a)(5))

Phishing attacks are often effective as they target employees, who are one of the weakest links in the security chain. Through regular security awareness training, employees will learn how to identify phishing emails and malspam and respond appropriately by reporting the threats to the security team.

Security Incident Procedures (45 C.F.R. §164.308(a)(6))

In the event of an attack, a fast response can greatly limit the damage caused by ransomware. Written policies and procedures are required and these must be disseminated to all appropriate workforce members so they know exactly how to respond in the event of an attack. Security procedures should also be tested to ensure they will be effective in the event of a security breach.

Contingency Plan (45 C.F.R. §164.308(a)(7))

A contingency plan must be developed to ensure that in the event of a ransomware attack, critical services can continue and ePHI can be recovered. That means that backups must be made of all ePHI. Covered entities must also test those backups to ensure that data can be recovered. Backups systems have been targeted by ransomware threat actors to make it harder for covered entities to recover without paying the ransom, so at least one copy of a backup should be stored securely on a non-networked device or isolated system.

The post HIPAA Compliance Can Help Covered Entities Prevent, Mitigate, and Recover from Ransomware Attacks appeared first on HIPAA Journal.

$2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 8th HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle potential violations of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to address areas of noncompliance.

Sentara operates 12 acute care hospitals in Virginia and North Carolina and has more than 300 care facilities in both states. OCR launched a compliance investigation in response to a complaint from a patient on April 17, 2017. The patient had reported receiving a bill from Sentara containing another patient’s protected health information.

Sentara did report the breach to OCR, but the breach report stated that only 8 individuals had been affected, when the mailing had been misdirected and 577 individuals had had some of their PHI impermissibly disclosed. OCR determined that those 577 patients had their information merged with 16,342 different guarantor’s mailing labels.

OCR advised Sentara that under the HIPAA Breach Notification Rule – 45 C.F.R. § 164.408 – notifications were required and that the breach total needed to be updated, but Sentara persisted in its refusal to update the breach report and issue notifications. Sentara maintained that since the bills only contained names, account numbers, and dates of service, and not diagnoses, treatment information, and other medical information, it did not constitute a reportable breach.

OCR also found that Sentara Hospitals provides services for its member covered entities but had not entered into business associate agreements with its business associate until October 17, 2018.

Sentara Hospital’s parent organization and business associate, Sentara Healthcare, had been allowed to create, receive, maintain, and transmit PHI on its behalf without a BAA being in place. Sentara Hospitals had therefore not received satisfactory assurances that PHI would be safeguarded, in violation of 45 C.F.R. § 164.504(e)(2).

The corrective action plan requires Sentara Hospitals to revise its policies and procedures and ensure they are compliant with HIPAA Rules. Policies and procedures must be checked and revised at least annually, or more frequently if appropriate. OCR will be scrutinizing Sentara’s compliance efforts for a period of two years from the start date of the corrective action plan.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.” said OCR Director, Roger Severino.  “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

The latest settlement is another example of when HIPAA violations are uncovered in response to complaints from patients rather than data breach investigations. All it takes is for one patient to submit a complaint about a potential HIPAA violation for a compliance review to be launched. These investigations can occur at any time, which shows how important it is for healthcare organizations to ensure their policies and procedures fully meet the requirements of HIPAA.

So far in 2019, HIPAA-covered entities and business associates have paid $12,124,000 to OCR to resolve violations of HIPAA Rules.

The post $2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures appeared first on HIPAA Journal.

Timothy Noonan Named Deputy Director for Health Information Privacy at Office for Civil Rights

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has named Timothy Noonan Deputy Director for Health Information Privacy.

The role of the Deputy Director for Health Information Privacy is to lead the Health Information Privacy Division of the Office for Civil Rights, oversee OCR’s national health information privacy policy and outreach activities, and administer and enforce the HIPAA Privacy, Security, and Breach Notification Rules and the confidentiality provisions of the Patient Safety Rule.

Noonan has been serving as Acting Deputy Director for Health Information Privacy since January 29, 2018, following the departure of Iliana Peters. Prior to taking on the position of Acting Deputy Director for Health Information Privacy, Noonan served as OCR’s Southeast Regional Manager, before moving to OCR’s headquarters to serve as Acting Associate Deputy Director for Regional Operations and the Acting Director for Centralized Case Management Operations.

In his 22 months as Acting Deputy Director for Health Information Privacy, Noonan has helped secure more than $37 million in HIPAA civil monetary penalties and settlements, including the largest ever HIPAA penalty – The $16 million settlement with Anthem Inc. over its 78.8 million-record data breach in 2015.

Noonan has also helped create the Right of Access Enforcement Initiative, under which guidance was issued to help reinforce individuals’ right of access to their medical records and the first financial penalty for Right of Access failures was agreed with Bayfront Health St Petersburg.

Under Noonan, guidance has also been issued on Health Apps and a request for information was issued seeking feedback from the public on how the HIPAA Privacy Rule should be modified to promote coordinated, value-based health care.

 

The post Timothy Noonan Named Deputy Director for Health Information Privacy at Office for Civil Rights appeared first on HIPAA Journal.

October 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches.

This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

Breached Entity Entity Type Individuals Affected Type of Breach
Betty Jean Kerr People’s Health Centers Healthcare Provider 152,000 Hacking/IT Incident
Kalispell Regional Healthcare Healthcare Provider 140,209 Hacking/IT Incident
The Methodist Hospitals, Inc. Healthcare Provider 68,039 Hacking/IT Incident
Children’s Minnesota Healthcare Provider 37,942 Unauthorized Access/Disclosure
Tots & Teens Pediatrics Healthcare Provider 31,787 Hacking/IT Incident
University of Alabama at Birmingham Healthcare Provider 19,557 Hacking/IT Incident
Prisma Health – Midlands Healthcare Provider 19,060 Hacking/IT Incident
South Texas Dermatopathology Laboratory Healthcare Provider 15,982 Hacking/IT Incident
Central Valley Regional Center Business Associate 15,975 Hacking/IT Incident
Texas Health Harris Methodist Hospital Fort Worth Healthcare Provider 14,881* Unauthorized Access/Disclosure

The largest healthcare data breach in October was reported by Betty Jean Kerr People’s Health Centers and was the result of a ransomware attack. At the time of issuing notifications, files that were encrypted in the attack remained locked. The decision was taken not to pay the ransom demand, but it was not possible to restore files from backups. Those files contained the health information of 152,000 patients.

The Kalispell Regional Healthcare data breach was due to a May 2019 phishing attack. An initial investigation did not uncover the extent of the breach. The forensic investigation revealed in August that the health information of up to 140,209 patients may have been accessed.

The Methodist Hospitals, Inc. data breach was also the result of a phishing attack. The incident was reported in October, but the initial email account compromise occurred in March 2019. Two accounts were breached for a total of four months.

South Texas Dermatopathology Laboratory is the last healthcare organization to report that its patients have been impacted by the data breach at the collection agency, AMCA. Its 15,982 records take the total number of individuals impacted by the AMCA breach to 26,059,725.

*Also of note is the data breach at Texas Health Resources. The breach makes the top 10 list of the most healthcare records exposed, but the breach was more far reaching than the table above shows. The Texas Health data breach involved a total of 82,577 records, but the breach was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single incident, the month’s total would stand at 38 breaches – two more than September.

Causes of October 2019 Healthcare Data Breaches

There were 18 hacking/IT incidents reported in October involving 501,847 healthcare records. The average breach size was 27,880 records and the median breach size was 9,413 records.

There were 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. The mean breach size was 4,813 records and the median breach size was 2,135 records. Those incidents include the 15 separate breach reports from Texas Health Resources.

There were 5 loss/theft incidents involving 13,454 records. The mean breach size was 2,350 records and the median breach size was 2,752 records. One improper disposal incident was reported involving 11,754 records.

Location of Breached Health Information

Phishing continues to cause problems for healthcare organizations. Not only are healthcare providers struggling to block phishing attacks, they are also not detected quickly when they do occur. Several phishing attacks have been reported that have taken weeks to discover.

Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred.

This high number of “other” breaches is due to the mailing error at Texas Health, which accounts for 15 of the 19 incidents in the other category.

The majority of the network server breaches were due to ransomware attacks, which include the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is possible, and that at least one backup copy is stored on a non-networked device that is not exposed to the internet.

October 2019 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in October with 45 reported incidents. Three breaches were reported by health plans, and four breaches were reported by business associates of HIPAA-covered entities. A further four breaches also had some business associate involvement but were reported by the covered entity.

October 2019 Healthcare Data Breaches by State

October saw healthcare organizations and business associates in 24 states report data breaches. With 15 breach reports coming from Texas Health, Texas was unsurprisingly the worst affected state with 17 incidents.

There were 4 breaches reported by entities based in Ohio, three breaches reported in California, and two breaches reported in each of Arkansas, Florida, Louisiana, Maryland, New Mexico, South Carolina, and Virginia. A single breach was reported in each of Alabama, Arizona, Georgia, Illinois, Indiana, Kentucky, Minnesota, Missouri, Mississippi, Montana, New York, Oregon, South Dakota, and Washington.

HIPAA Enforcement Actions in October 2019

A further two financial penalties for HIPAA violations were announced by the HHS’ Office for Civil Rights in October – One settlement and one civil monetary penalty.

OCR launched an investigation of Elite Dental Associates following a complaint from a patient who had some of her PHI publicly disclosed in response to a Yelp review. OCR found she was not the only patient to have had PHI disclosed in that manner. OCR also determined that the practice’s notice of privacy practices did not include sufficient information and was therefore not compliant with the HIPAA Privacy Rule. Elite Dental Associates agreed to settle its HIPAA violation case with OCR for $10,000.

OCR launched an investigation of Jackson Health System following the disclosure of PHI in the media. A photograph of an operating room display had been published which contained the health information of two individuals, including a well-known NFL star. The OCR investigation uncovered multiple Privacy Rule, Security Rule, and Breach Notification Rule violations spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

The post October 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.