HIPAA Compliance News

October 2023 Healthcare Data Breach Report

For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median: 52 breaches).

[Chart: October 2023 healthcare data breach report - breaches reported over the past 12 months]

For the third consecutive month, the number of breached healthcare records has fallen, from more than 18 million records in July 2023 to 3,569,881 records in October – a month-over-month decrease of 52.76%. October’s total is well below the 12-month average of 7,644,509 breached records a month (median: 5,951,455 records). While this is certainly good news, it should be noted that 2023 has been a particularly bad year for healthcare data breaches. Between January 1, 2023, and October 31, 2023, more than 82.6 million healthcare records were exposed or impermissibly disclosed, compared to 45 million records in 2021 and 51.9 million records in 2023. As of November 17, 2023, more than 100 million records have been breached.

[Chart: October 2023 healthcare data breach report - records breached over the past 12 months]

Largest Healthcare Data Breaches Reported in October 2023

14 breaches of 10,000 or more records were reported in October, the largest of which occurred at Postmeds Inc., the parent company of Truepill, a provider of a business-to-business pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer brands. While victims of the breach do not face an immediate risk of identity theft since no Social Security numbers were compromised, they do face an increased risk of phishing and social engineering attacks. As is now common in breach notifications, little information about the incident has been disclosed, other than it being a hacking incident involving unauthorized access to its network between August 30 and September 1, 2023. The Postmeds data breach was the 21st data breach of 1 million or more records to be reported this year.

Even though the Clop hacking group’s mass exploitation of the zero-day vulnerability in Progress Software’s MOVEit Transfer solution occurred in late May, healthcare organizations are still reporting MOVEit data breaches. More than 2,300 organizations are now known to have been affected and more than 60 million records were stolen in the attacks.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Postmeds, Inc. (TruePill) | CA | Healthcare Provider | 2,364,359 | Hacking incident (details not disclosed)
Western Washington Medical Group | MS | Healthcare Provider | 350,863 | Hacking incident (details not disclosed)
Greater Rochester Independent Practice Association, Inc. | NY | Healthcare Provider | 279,156 | Hacking incident (details not disclosed)
Radius Global Solutions | PA | Business Associate | 135,742 | Hacking incident – MOVEit Transfer vulnerability exploited
Dakota Eye Institute | ND | Healthcare Provider | 107,143 | Hacking incident (details not disclosed)
Walmart, Inc. Associates Health and Welfare Plan | AR | Health Plan | 85,952 | Hacking incident (details not disclosed)
Westat, Inc. | MD | Business Associate | 50,065 | Hacking incident – MOVEit Transfer vulnerability exploited
Brooklyn Premier Orthopedics | NY | Healthcare Provider | 48,459 | Hacking incident (details not disclosed)
PeakMed | CO | Healthcare Provider | 27,800 | Hacking incident (compromised credentials)
Hospital & Medical Foundation of Paris, Inc | IL | Healthcare Provider | 16,598 | Hacking incident (details not disclosed)
Fredericksburg Foot & Ankle Center, PLC | VA | Healthcare Provider | 14,912 | Hacking incident (details not disclosed)
Cadence Bank | MS | Business Associate | 13,862 | Hacking incident – MOVEit Transfer vulnerability exploited
Peerstar LLC | PA | Healthcare Provider | 11,438 | Hacking incident (details not disclosed)
Atlas Healthcare CT | CT | Healthcare Provider | 10,831 | Hacking incident (details not disclosed)

October 2023 Data Breach Causes and Data Locations

As has been the case throughout 2023, hacking was the most common cause of data breaches in October, accounting for 77.5% of the month’s data breaches (31 incidents) and 99.13% of the breached records (3,538,726 records). The average data breach size in hacking incidents was 114,152 records and the median data breach size was 4,049 records.

The exact nature of these incidents has not been publicly disclosed in many cases, so it is not possible to determine the extent to which ransomware attacks, phishing attacks, and vulnerability exploits are occurring. The exception is the mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution, which is a fairly safe disclosure legally, as organizations cannot be expected to patch a vulnerability that is unknown even to the company that developed the software. While the lack of information is undoubtedly intended to reduce legal risk, if victims of a breach are given insufficient information it is difficult for them to accurately gauge the level of risk they face.

There were 8 data breaches classified as unauthorized access/disclosure incidents, across which 30,555 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 3,819 records and the median breach size was 2,111 records. There was one reported incident involving the theft of a desktop computer, which contained the unencrypted protected health information of 600 individuals, and no incidents involving the loss or improper disposal of PHI.

[Chart: October 2023 healthcare data breach report - causes of breaches]

The most common location of breached PHI was network servers, which is unsurprising given the large number of hacking incidents. Eight data breaches involved compromised email accounts.

[Chart: October 2023 healthcare data breach report - location of breached data]

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in October, with 25 reported data breaches. There were 11 data breaches reported by business associates and 4 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

[Chart: October 2023 healthcare data breach report - affected entities]

[Chart: October 2023 healthcare data breach report - breached records at HIPAA-regulated entities]

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 23 states reported data breaches of 500 or more records in October. Texas was the worst affected state with 5 large data breaches followed by Mississippi with 4.

State | Breaches
Texas | 5
Mississippi | 4
Illinois, New York & Pennsylvania | 3
California, Colorado, Florida & Georgia | 2
Arkansas, Connecticut, Delaware, Iowa, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, North Dakota, Oklahoma, Oregon & Virginia | 1

HIPAA Enforcement Activity in October 2023

In October, the HHS’ Office for Civil Rights (OCR) announced its 10th HIPAA compliance enforcement action of the year. Doctors’ Management Services, a Massachusetts-based medical management company that offers services such as medical billing and payor credentialing, opted to settle an OCR investigation of a data breach. In April 2017, a threat actor accessed its network via Remote Desktop Protocol and gained access to the protected health information of 206,695 individuals.

OCR determined there had been a risk analysis failure, a failure to review records of system activity, and a failure to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule. Those failures resulted in an impermissible disclosure of the PHI of 206,695 individuals. Doctors’ Management Services paid a financial penalty of $100,000 and agreed to a corrective action plan to address the HIPAA compliance issues discovered by OCR.

State Attorneys General also have the authority to investigate HIPAA-regulated entities and impose financial penalties for HIPAA violations, although they often choose to impose penalties for equivalent violations of state laws. Three settlements were agreed in October with HIPAA-regulated entities to resolve allegations of data security and breach notification failures.

Blackbaud, a Delaware corporation headquartered in Charleston, South Carolina that provides donor relationship management software, chose to settle alleged violations of the HIPAA Security Rule, HIPAA Breach Notification Rule, and state consumer protection laws with 49 states and the District of Columbia and paid a $49.5 million penalty and agreed to make substantial data security improvements. Blackbaud suffered a ransomware attack in May 2020, which exposed the protected health information of 5,500,000 individuals. The multi-state investigation identified a lack of appropriate safeguards to ensure data security and breach response failures.

Inmediata, a Puerto Rico-based healthcare clearinghouse, settled a multi-state data breach investigation involving more than 35 state attorneys general. A server had been left unsecured, which allowed sensitive data to be indexed by search engines and found by anyone with Internet access. The protected health information of 1,565,338 individuals was exposed. The multi-state investigation identified a failure to implement reasonable and appropriate security measures, as required by the HIPAA Security Rule, a failure to conduct a secure code review, and violations of the HIPAA Breach Notification Rule and state breach notification rules for failing to provide timely and complete information to victims of the breach. The investigation was settled for $1.4 million and Inmediata agreed to make improvements to its information security program and strengthen its data breach notification practices.

Personal Touch Holding Corp, a home health company that does business as Personal Touch Home Care, opted to settle an investigation by the Office of the New York Attorney General into a breach of the protected health information of 753,107 individuals, including 316,845 New York residents. An employee responded to a phishing email which resulted in malware being installed. The threat actor exfiltrated data and then used ransomware to encrypt files. The New York Attorney General alleged Personal Touch only had an informal information security program, insufficient access controls, no continuous monitoring system, a lack of encryption, and inadequate staff training. Personal Touch paid a $350,000 financial penalty and agreed to make improvements to its information security and training programs.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on November 11, 2023.

The post October 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Stricter Cybersecurity Regulations Proposed for New York Hospitals

New York has proposed tighter cybersecurity regulations for hospitals throughout New York State in response to a series of crippling attacks that have caused disruption to healthcare services, delays to patient care, and have put patient safety at risk.

Governor Kathy Hochul announced the proposed measures on Monday, which are expected to be published in the State Register on December 6, 2023, provided they are adopted by the Public Health and Health Planning Council this week. The new cybersecurity requirements will then undergo a 60-day public comment period, which will end on February 5, 2033. When the new regulations are finalized, hospitals will be given a 1-year grace period to ensure full compliance.

The proposed regulations include the requirement for New York hospitals to appoint a Chief Information Security Officer if they have not done so already, implement defensive infrastructure and cybersecurity tools including multifactor authentication, and conduct regular risk analyses to identify cyber risks. Any in-house applications must be developed using secure software design principles, and processes must be developed and implemented for testing the security of third-party software. Hospitals in the state will also be required to develop and test incident response plans to ensure that care can continue to be provided to patients in the event of a cyberattack.

New York hospitals already have cybersecurity responsibilities under the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for cybersecurity. The proposed regulations are intended to complement the HIPAA Security Rule and include similar requirements, but while the HIPAA Security Rule is largely technology agnostic, the proposed regulations in New York include specific measures that hospitals must implement. “Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” said Governor Hochul. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

There has been a massive increase in healthcare cyberattacks in recent years. The HHS’ Office for Civil Rights recently announced there has been a 77% increase in hacking incidents in 2023 and a 278% increase in ransomware attacks over the past 4 years. While reported data breaches of 500 or more records are down slightly from 2022, more than 79 million healthcare records have been exposed in those attacks – almost twice the number of compromised records in 2022.

These attacks clearly show that hospitals and health systems are struggling to prevent unauthorized access to their systems and that more needs to be done to improve cybersecurity than complying with the HIPAA Security Rule. There are often competing priorities in healthcare, and while investment in cybersecurity has increased, some hospitals have struggled to find the necessary funding to improve cybersecurity. To help ease the financial burden, Governor Hochul’s FY24 budget includes $500 million in funding for healthcare facilities to enable them to upgrade their technology systems to comply with the proposed regulations and pay for necessary cybersecurity tools, electronic health records, advanced clinical technologies, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.

“When it comes to protecting New Yorkers from cyberattacks that have become more numerous and more sophisticated, safeguarding our hospitals is an essential part of New York’s aggressive and comprehensive whole-of-state approach,” said New York State Chief Information Officer Dru Rai. “We thank the Governor and our agency partners for their ongoing commitment and are pleased that the state’s hospitals will be getting the uniform guidance and resources necessary to further enhance their own cybersecurity, thereby protecting patients and the critical systems that provide quality care all across New York.”


New York AG Settles Data Breach Investigation of U.S. Radiology Specialists for $450,000

New York Attorney General, Letitia James, has announced a $450,000 settlement with U.S. Radiology Specialists Inc. to resolve allegations it failed to protect patients’ personal and health information. U.S. Radiology Specialists is one of the largest private radiology groups in the country and acts as a service provider for healthcare facilities throughout the United States. It also partners with other radiology groups, including the Windsong Radiology Group, which operates 6 facilities in Western New York. Windsong, like other partner companies, relies on U.S. Radiology Specialists for numerous services, including network management and protection. The Office of the Attorney General of the State of New York opened an investigation of U.S. Radiology Specialists into a large data breach that was reported in 2021 to determine whether it was caused by a failure to comply with the Health Insurance Portability and Accountability Act (HIPAA) and state laws.

U.S. Radiology Specialists protected the networks of its partners with a SonicWall firewall. On January 22, 2021, SonicWall alerted its customers about a coordinated cyberattack on its internal systems. Highly capable threat actors were thought to have exploited a zero-day vulnerability in SonicWall products that are used for remote access. A few days later on January 31, 2021, researchers at NCC Group identified the likely vulnerability and SonicWall issued a patch three days later.

U.S. Radiology Specialists used SonicWall hardware that was approaching end-of-life and, as a result, SonicWall did not provide a patch that could be applied to its hardware. The hardware needed to be upgraded before the patch could be applied to fix the vulnerability. Even though the vulnerability was known to have been exploited in attacks on SonicWall customers, U.S. Radiology Specialists scheduled the hardware upgrade for July 2021, and the hardware replacement project was then delayed due to competing priorities and resource constraints.

On December 8, 2021, an unauthorized individual gained access to US Radiology’s SonicWall device with valid credentials, accessed the VPN, and then leveraged 101 additional credentials to access various network data folders over the following week. While the investigation into the breach did not confirm how the credentials were stolen, the SQL injection vulnerability identified by NCC Group and patched by SonicWall could have been exploited to obtain the necessary credentials to access the SonicWall VPN.

The third-party investigation of the attack was complex, required extensive analysis, and took until August 2022 to complete. The investigation confirmed that the threat actor gained access to the protected health information (PHI) of 198,260 patients, including 92,540 Windsong patients who were New York residents, and it was confirmed that sensitive data had been exfiltrated by the attackers. The PHI that was exposed in the attack included names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses, and health insurance ID numbers, as well as the private information of 82,478 New Yorkers, which included names, driver’s license numbers, passport numbers, and Social Security numbers.

The New York Attorney General’s Office determined that U.S. Radiology Specialists had failed to adopt reasonable and appropriate data security practices to protect patient information when it failed to address a known vulnerability in a reasonable time frame. The investigation was settled with no admission of liability and U.S. Radiology Specialists agreed to pay a $450,000 financial penalty, update its IT infrastructure, ensure its networks are secured, update its data security policies, and implement and maintain a comprehensive information security program.

“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” said Attorney General James. “US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems. My office will continue to ensure companies do not neglect their legal responsibilities to protect New Yorkers’ private information.”

The New York Attorney General has imposed financial penalties on several organizations over the past few months for data security failures. Personal Touch recently settled alleged HIPAA and state law violations for $350,000, the New York Attorney General participated in a multi-state investigation of Blackbaud and received a share of the $49.5 million settlement, and PracticeFirst Medical Management Solutions settled its investigation with the New York AG and paid a $550,000 penalty.


AHA Files Lawsuit Challenging HHS Guidance on Tracking Technologies

The American Hospital Association (AHA), Texas Hospital Association, United Regional Health Care System, and Texas Health Resources have filed a lawsuit against Department of Health and Human Services (HHS) Secretary, Xavier Becerra, and HHS’ Office for Civil Rights (OCR) Director, Melanie Fontes Rainer, over the December 2022 guidance issued by OCR on website tracking technologies.

OCR issued guidance for HIPAA-regulated entities on the use of third-party tracking technologies on public-facing websites and applications following revelations that these tools were disclosing the individually identifiable information of website visitors to third-party companies such as Meta (Facebook), Google, social media platforms, and other third parties. The information disclosed by these tools, which include Meta Pixel and Google Analytics code, could potentially include health information, depending on the interactions of users on the websites and apps where the code is used.

A study of the websites of the 100 top hospitals by The Markup found one-third had used these tracking tools on their websites without obtaining consent from website visitors. A more comprehensive study of hospitals that was published in Health Affairs, found that 99% of the 3,747 U.S. hospitals studied were using these tools on their websites. Several of the hospitals reported the use of these tools as data breaches, including Advocate Aurora Health, Novant Health, WakeMed Health, and Cerebral, Inc., some of which involved the data of millions of patients. Many lawsuits have since been filed against healthcare providers in response to the use of these tools. Advocate Aurora Health recently settled Pixel-related litigation for $12.225 million.

In July 2023, OCR and the Federal Trade Commission (FTC) jointly issued warning letters to 130 healthcare organizations over the use of tracking tools and then published those letters – which name the organizations involved – in September 2023, signaling that both OCR and the FTC are actively enforcing the guidance. The AHA has publicly criticized OCR for its position on tracking technologies. In the AHA’s response to Senator Bill Cassidy’s request for information on healthcare data privacy and HIPAA, the AHA called for the HHS to drop its new website tracking technology rule, which it claimed harmed hospitals and negatively affected patients.

The AHA has now taken the issue a step further with legal action. The AHA claims that it had no alternative other than to take legal action due to several months of unsuccessful attempts to communicate its concerns to the HHS. The lawsuit was filed in the U.S. District Court for The Northern District of Texas Fort Worth Division and alleges the new rule is unlawful, and claims that the HHS is actively enforcing its new rule against hospitals but the federal government’s own healthcare providers are continuing to use the prohibited tracking technologies on their websites.

Lawsuit Seeks Court Order Preventing OCR from Enforcing Tracking Technology Guidance

The lawsuit alleges the decision to class the metadata collected and transmitted by tracking technologies as individually identifiable health information subject to HIPAA is, “a gross overreach by the federal bureaucracy, imposed without any input from the public or the healthcare providers most impacted by it.” The AHA explains that “the HHS rule exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect.” While the lawsuit does not go as far as seeking the rescission of the guidance, an order is requested from the court that prohibits OCR from enforcing its rule, to prevent members from being unlawfully penalized.

The AHA’s position is that website tracking technologies that collect information such as IP addresses are critical to the function of websites and apps, and many web tools are rendered ineffective without that information, including analytics software, video technologies that offer the public education and information on health conditions, translation and accessibility services, and digital maps, to name only a few. By prohibiting tracking technologies, these vital website tools will no longer feature on hospital websites, and that ultimately harms the patients that OCR’s rule seeks to protect.

“The Department of Health and Human Services’ new rule restricting the use of critical third-party technologies has real-world impacts on the public, who are now unable to access vital health information. In fact, these technologies are so essential that federal agencies themselves still use many of the same tools on their own webpages, including Medicare.gov, Tricare.mil, Health.mil, and various Veterans Health Administration sites,” said Rick Pollack, AHA President and CEO. “We cannot understand why HHS created this ‘rule for thee but not for me.’”


Doctors’ Management Services Settles OCR HIPAA Probe for $100,000

The HHS’ Office for Civil Rights (OCR) has agreed to a $100,000 settlement with Doctors’ Management Services to resolve an investigation of a ransomware attack and data breach that uncovered multiple potential violations of the HIPAA Security Rule.

Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS identified an intrusion on December 24, 2018, when GandCrab ransomware was used to encrypt files on its network. The forensic investigation confirmed the attackers first gained access to its network on April 1, 2017.

According to DMS, the threat actor gained access to its network via Remote Desktop Protocol (RDP) on one of its workstations and potentially obtained names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and diagnostic information. The breach was reported to OCR on April 22, 2019, as affecting up to 206,695 individuals.

OCR opened an investigation of the breach to determine whether DMS had complied with the HIPAA Rules and uncovered multiple potential violations of the HIPAA Rules. In addition to the impermissible disclosure of the protected health information of 206,695 individuals, OCR determined that DMS had failed to conduct an accurate and thorough risk analysis to assess technical, physical, and environmental risks and vulnerabilities associated with the handling of ePHI.

DMS was also found to have failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. OCR also determined that DMS had not implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.

DMS agreed to settle the investigation with no admission of liability. Under the terms of the settlement, DMS has agreed to pay a $100,000 financial penalty and implement a corrective action plan (CAP) to resolve the potential HIPAA violations identified by OCR. The CAP includes requirements to update its risk analysis, risk management program, HIPAA Privacy and Security Rule policies and procedures, and workforce HIPAA training. In its settlement announcement, OCR also recommended several cybersecurity best practices that all HIPAA-regulated entities should implement to prevent and mitigate cyber threats.

OCR said this is the first HIPAA settlement agreement it has reached in response to a ransomware attack. Given the number of ransomware attacks in the past five years, which have increased by 278% since 2018, it is likely to be the first of many. “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

October is Cybersecurity Awareness Month, and in recognition, OCR released a cybersecurity video that explains how HIPAA Security Rule compliance can help healthcare organizations improve their defenses against cyberattacks and block the most common attack vectors. CISA and the HHS have also recently released a cybersecurity toolkit, which includes key cybersecurity tools, training material, and other resources for strengthening security posture and keeping up to date on the latest threats. This month, CISA released a log management tool to help under-resourced organizations reduce their log management burden and search for signs of compromise, and CISA, the NSA, FBI, and MS-ISAC have issued joint guidance on blocking phishing.

It has never been more important to ensure appropriate cybersecurity measures are in place, given the 239% increase in data breaches due to hacking in the past 4 years and the extent to which healthcare records are now being breached. Breached records are up 60% on last year and, at the time of writing, 88 million healthcare records are known to have been breached so far in 2023.


OCR Video Explains How to Improve Cybersecurity Defenses Through HIPAA Security Rule Compliance

The HHS’ Office for Civil Rights has released a video in recognition of National Cybersecurity Awareness Month that explains how compliance with the HIPAA Security Rule can help HIPAA-regulated entities defend against cyberattacks. The video features Nick Heesters, Senior Advisor for Cybersecurity for the Health Information Privacy, Data, and Cybersecurity Division of the HHS’ Office for Civil Rights, who discusses some of the real-world cyberattack trends identified by OCR from breach reports.

There has been a massive increase in healthcare data breaches since the HIPAA Breach Notification Rule was enacted. In 2010, the first full year of breach report data, OCR received 199 reports of healthcare data breaches of 500 or more records. More than 700 data breaches were reported in both 2021 and 2022, and 2023 looks set to become the third successive year with more than 700 reported data breaches.

In the year to September 30, 2023, hacking and other IT incidents accounted for 77% of all large data breaches, compared to just 49% of incidents in 2009, and as of September 30, 2023, more than 79 million healthcare records have been exposed or impermissibly disclosed. There has been a 239% increase in hacking-related data breaches since 2018 and a 278% increase in ransomware incidents over the same period.

OCR investigates all breaches of 500 or more healthcare records to identify any HIPAA compliance issues that caused or contributed to breaches. Heesters explains some of the most common HIPAA compliance issues and security weaknesses that have been exploited by malicious actors to gain access to internal networks, focusing on the most common attack vectors such as phishing, compromised accounts, and unpatched vulnerabilities.

Heesters explains how specific provisions of the HIPAA Security Rule, such as security awareness and training, authentication, access control, and risk analysis/risk management, can help HIPAA-regulated entities protect against cyberattacks, detect attacks in progress, and mitigate the most common types of cyberattack.

The video can be viewed on OCR’s YouTube Channel and is available in English and Spanish.

The post OCR Video Explains How to Improve Cybersecurity Defenses Through HIPAA Security Rule Compliance appeared first on HIPAA Journal.

HHS Publishes Proposed Rule Establishing Information Blocking Disincentives for Healthcare Providers

The Centers for Medicare and Medicaid Services (CMS) at the Department of Health and Human Services (HHS) has published a long-awaited proposed rule that establishes disincentives for healthcare providers that have committed information blocking, as called for by the 21st Century Cures Act. Information blocking is defined as knowingly or unreasonably interfering with the access, exchange, or use of electronic health information, except as required by law or covered by a regulatory exception.

The Cures Act requires the Office of Inspector General (OIG) to refer healthcare providers determined by OIG to have committed information blocking to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking. On June 27, 2023, the HHS OIG published its final rule that implemented information blocking penalties of $1 million per violation for health information technology (IT) developers of certified health IT and other entities offering certified health IT, health information exchanges, and health information networks. The penalties took effect on August 2, 2023.

The latest HHS proposed rule establishes penalties for healthcare providers found to have committed information blocking. The proposed disincentives are as follows:

  • Medicare Promoting Interoperability Program: An eligible hospital or critical access hospital (CAH) would not be a meaningful electronic health record (EHR) user in an applicable EHR reporting period. The impact on eligible hospitals would be the loss of 75 percent of the annual market basket increase; for CAHs, payment would be reduced to 100 percent of reasonable costs instead of 101 percent.
  • Promoting Interoperability performance category of the Merit-based Incentive Payment System (MIPS): An eligible clinician or group would not be a meaningful user of certified EHR technology in a performance period and would therefore receive a zero score in the Promoting Interoperability performance category of MIPS, if required to report on that category. The Promoting Interoperability performance category score typically can be a quarter of a clinician or group’s total MIPS score in a year.
  • Medicare Shared Savings Program: A health care provider that is an Accountable Care Organization (ACO), ACO participant, or ACO provider or supplier would be deemed ineligible to participate in the program for a period of at least one year. This may result in a healthcare provider being removed from an ACO or prevented from joining an ACO.

The proposed rule will be published in the Federal Register on November 1, 2023. A 60-day comment period will follow, with the comments made accessible for public inspection. Comments must be submitted by no later than January 2, 2024, at 11:59 p.m. The HHS will consider all comments before publishing the final rule, which is expected to be issued later in 2024. The Office of the National Coordinator for Health Information Technology (ONC) and the CMS will host an information session about the proposed rule in the coming weeks.

“HHS is committed to developing and implementing policies that discourage information blocking to help people and the health providers they allow to have access to their electronic health information,” said HHS Secretary Xavier Becerra. “We are confident the disincentives included in the proposed rule, if finalized, will further increase the appropriate sharing of electronic health information and establish a framework for potential additional disincentives in the future.”

The post HHS Publishes Proposed Rule Establishing Information Blocking Disincentives for Healthcare Providers appeared first on HIPAA Journal.

September 2023 Healthcare Data Breach Report

September was a much better month for healthcare data privacy, with the lowest number of reported healthcare data breaches since February 2023. In September, 48 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is well below the 12-month average of 57 data breaches a month.

For the second successive month, there was a fall in the number of breached records, which dropped 36.6% month-over-month. Across the 48 reported data breaches, the protected health information of 7,556,174 individuals was exposed or impermissibly disclosed. September’s total was below the 12-month average of 7,906,890 records per month, but this year has seen two particularly bad months for data breaches. More healthcare records were exposed in May and June than were exposed in all of 2020!

The high number of breached records can partly be attributed to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit solution, which is used by healthcare organizations and their business associates for transferring files. According to Emsisoft, which has been tracking the MOVEit data breaches, 2,553 organizations were affected by the attacks globally, and 19.2% of those were in the health sector. Most of these breaches are now believed to have been reported.

Largest Healthcare Data Breaches in September 2023

There were 16 data breaches reported in September that involved 10,000 or more records, four of which – including the largest data breach of the month – were due to the mass exploitation of the vulnerability that affected the MOVEit Transfer and MOVEit Cloud solutions (CVE-2023-34362). The healthcare industry continues to be targeted by ransomware and extortion gangs, including Clop, Rhysida, Money Message, NoEscape, Karakurt, Royal, and ALPHV (BlackCat). Three of the 10,000+ record data breaches were confirmed as ransomware attacks, although several more are likely to have involved ransomware or extortion. It is common for HIPAA-covered entities not to disclose details of hacking incidents.

While hacking incidents often dominate the headlines, the healthcare industry suffers more insider breaches than other sectors, and September saw a major insider breach at a business associate. An employee of the business associate Maximus was discovered to have emailed the protected health information of 1,229,333 health plan members to a personal email account.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach
Arietis Health, LLC | FL | Business Associate | 1,975,066 | Hacking/IT Incident | MOVEit Hack (Clop)
Virginia Dept. of Medical Assistance Services | VA | Health Plan | 1,229,333 | Hacking/IT Incident | Employee of a business associate (Maximus) emailed documents to a personal email account
Nuance Communications, Inc. | MA | Business Associate | 1,225,054 | Hacking/IT Incident | MOVEit Hack (Clop)
International Business Machines Corporation | NY | Business Associate | 630,755 | Unauthorized Access/Disclosure | MOVEit Hack (Clop)
Temple University Health System, Inc. | PA | Healthcare Provider | 430,381 | Hacking/IT Incident | Hacking incident at business associate (no information released)
Prospect Medical Holdings, Inc. | CA | Business Associate | 342,376 | Hacking/IT Incident | Rhysida ransomware attack
United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 315,915 | Unauthorized Access/Disclosure | MOVEit Hack (Clop)
Oak Valley Hospital District | CA | Healthcare Provider | 283,629 | Hacking/IT Incident | Hacked network server
Bienville Orthopaedic Specialists LLC | MS | Healthcare Provider | 242,986 | Hacking/IT Incident | Hacked network server (data theft confirmed)
Amerita | KS | Healthcare Provider | 219,707 | Hacking/IT Incident | Ransomware attack on parent company (PharMerica) by Money Message group
Community First Medical Center | IL | Healthcare Provider | 216,047 | Hacking/IT Incident | Hacked network server
OrthoAlaska, LLC | AK | Healthcare Provider | 176,203 | Hacking/IT Incident | Hacking incident (no information released)
Acadia Health, LLC d/b/a Just Kids Dental | AL | Healthcare Provider | 129,463 | Hacking/IT Incident | Ransomware attack – Threat group confirmed data deletion
Founder Project Rx, Inc. | TX | Healthcare Provider | 30,836 | Hacking/IT Incident | Unauthorized access to email account
Health First, Inc. | FL | Healthcare Provider | 14,171 | Hacking/IT Incident | Unauthorized access to email account
MedMinder Systems, Inc. | MA | Healthcare Provider | 12,146 | Hacking/IT Incident | Hacked network server

Data Breach Types and Data Locations

Hacking and other IT incidents continue to dominate the breach reports. In September, hacking/IT incidents accounted for 81.25% of all reported data breaches of 500 or more records (39 incidents) and 87.23% of the exposed or stolen records (6,591,496 records). The average data breach size was 169,013 records and the median data breach size was 4,194 records.

There were 9 data breaches classified as unauthorized access/disclosure incidents, across which 964,678 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 107,186 records and the median breach size was 2,834 records.

There were no reported incidents involving the loss or theft of paper records or electronic devices containing ePHI, and no reported incidents involving the improper disposal of PHI.

Given the large number of hacking incidents, it is no surprise that network servers were the most common location of breached protected health information. Seven incidents involved unauthorized access to email accounts.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in September, with 30 healthcare providers reporting data breaches. There were 11 data breaches reported by business associates and 7 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered a data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate.

To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

Business associate data breaches are often severe because, if a hacker gains access to the network of a business associate, they can access the data of all clients of that business associate. In September, the average size of a business associate data breach was 5,864,823 records (median: 2,729 records). The average size of a healthcare provider data breach was 1,372,101 records (median: 7,267 records), and the average health plan data breach involved 319,250 records (median: 2,834 records).

Geographical Distribution of Data Breaches

Healthcare data breaches of 500 or more records were reported by HIPAA-regulated entities in 24 states. California, Florida, and New York were the worst affected states with 4 breaches each.

State | Breaches
California, Florida & New York | 4
Georgia, Illinois & Texas | 3
Alabama, Connecticut, Massachusetts, Minnesota, Mississippi, Missouri, New Jersey, Pennsylvania & Virginia | 2
Arizona, Arkansas, Indiana, Kansas, Kentucky, Maryland, Nevada, North Carolina & Tennessee | 1

HIPAA Enforcement Activity in September 2023

All healthcare data breaches of 500 or more records are investigated by OCR to determine whether they were the result of non-compliance with the HIPAA Rules. OCR has a backlog of investigations due to budgetary constraints, and HIPAA violation cases can take some time to be resolved. In September, OCR announced that one investigation had concluded and a settlement had been reached. The case dates back to March 2014, when an online media source reported that members of LA Care Health Plan were able to access the PHI of other members via its online member portal. The breach was reported to OCR as affecting fewer than 500 plan members, and OCR launched a compliance review in February 2016. Three years later, another breach was reported – a mailing error, this time affecting 1,498 plan members.

OCR investigated LA Care Health Plan again and found multiple violations of the HIPAA Rules – a risk analysis failure, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and an impermissible disclosure of the ePHI of 1,498 individuals. The case was settled, and LA Care Health Plan agreed to adopt a corrective action plan and pay a $1,300,000 penalty.

State attorneys general are also authorized to investigate healthcare data breaches and fine organizations for HIPAA violations. From 2019 to 2022, there were relatively few financial penalties imposed for HIPAA violations or equivalent violations of state laws, but there has been a significant increase in enforcement actions in 2023. Between 2019 and 2022 there were 12 enforcement actions by state attorneys general that resulted in financial penalties. Eleven penalties have been imposed so far in 2023.

In September, three settlements were announced by state attorneys general. The first, and the largest, was in California, which fined Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals $49 million. Kaiser was found to have violated state laws by improperly disposing of hazardous waste and violating HIPAA and state laws by disposing of protected health information in regular trash bins.

The Indiana Attorney General announced that a settlement had been reached with Schneck Medical Center following an investigation of a data breach involving the PHI of 89,707 Indiana residents. The settlement resolved alleged violations of the HIPAA Privacy, Security, and Breach Notification Rules, the Indiana Disclosure of Security Breach Act, and the Indiana Deceptive Consumer Sales Act. Schneck Medical Center paid a $250,000 penalty and agreed to improve its security practices.

The Colorado Attorney General announced that a settlement had been reached with Broomfield Skilled Nursing and Rehabilitation Center over a breach of the protected health information of 677 residents. The settlement resolved alleged violations of HIPAA data encryption requirements, state data protection laws, and deceptive trading practices. A penalty of $60,000 was paid to resolve the alleged violations, with $25,000 suspended, provided corrective measures are implemented.

The post September 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Issues Telehealth Guidance for Providers and Patients

The HHS’ Office for Civil Rights has issued new guidance for healthcare providers to help them educate patients about the privacy and security risks of using remote communications technologies for telehealth visits, along with recommendations for patients on how they can protect and secure their health information.

During the pandemic, healthcare providers massively expanded their telehealth services to ensure that patients could access the medical services they needed while reducing the risk of contracting COVID-19. OCR issued a Notice of Enforcement Discretion covering the good faith provision of telehealth services to make it easier for healthcare providers to provide telehealth services during the pandemic by using non-public-facing communications platforms that are not fully HIPAA compliant, such as platforms where vendors would not enter into business associate agreements. Now that the COVID-19 public health emergency has been declared over, OCR’s telehealth Notice of Enforcement Discretion has expired; however, OCR continues to support telehealth services, which have proven popular with both providers and patients.

Telehealth Privacy and Security Risks

Healthcare providers must ensure that the communications platforms they use for providing telehealth services support HIPAA compliance. Even when ‘HIPAA-compliant’ platforms are used for telehealth there are still privacy and security risks that must be addressed and reduced to a low and acceptable level. In the summer of 2022, ahead of the telehealth flexibilities coming to an end, OCR issued guidance for healthcare providers on HIPAA and audio-only telehealth services.

While HIPAA does not require healthcare providers to educate patients about the privacy and security risks associated with telehealth, a Government Accountability Office (GAO) review of the Medicare telehealth services provided during the COVID-19 pandemic – Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks – recommended that OCR issue guidance to help healthcare providers explain the privacy and security risks associated with telehealth services to patients.

During the review, GAO identified numerous complaints about the use of non-compliant technology during the pandemic; more than three dozen complaints had been filed about the presence of third parties during appointments, and there were instances where providers shared PHI without obtaining patient consent. GAO concluded that there was a need for additional education and outreach to help providers explain the privacy and security risks associated with telehealth to patients, to make sure that those risks are fully understood. OCR concurred with the recommendation and agreed to publish new guidance.

New OCR Telehealth Privacy and Security Resources

Two guidance resources were published by OCR on October 18, 2023. The first guidance document is for healthcare providers to help them educate patients about the privacy and security risks associated with remote communication technologies, and the second guidance document is for patients and offers tips on privacy and security when taking advantage of telehealth services.

The provider guidance – Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth – offers suggestions for healthcare providers to help them discuss the telehealth options offered, the potential risks to protected health information associated with remote communications technologies, the privacy and security practices of the vendors of telehealth communication tools, and the applicability of civil rights laws.

The patient guidance – Telehealth Privacy and Security Tips for Patients – offers recommendations for patients on how they can protect and secure their protected health information, such as the importance of conducting telehealth visits in private settings, activating multi-factor authentication, using encryption, and avoiding using public Wi-Fi networks.

“Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” said OCR Director Melanie Fontes Rainer.  “Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private.”

The post OCR Issues Telehealth Guidance for Providers and Patients appeared first on HIPAA Journal.