HIPAA Compliance News

November 2019 Healthcare Data Breach Report

In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). That represents a 36.5% decrease in reported breaches from October – The worst ever month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day.

600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November.

Largest Healthcare Data Breaches in November 2019

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Ivy Rehab Network, Inc. and its affiliated companies Healthcare Provider 125000 Hacking/IT Incident Email
Solara Medical Supplies, LLC Healthcare Provider 114007 Hacking/IT Incident Email
Saint Francis Medical Center Healthcare Provider 107054 Hacking/IT Incident Electronic Medical Record, Network Server
Southeastern Minnesota Oral & Maxillofacial Surgery Healthcare Provider 80000 Hacking/IT Incident Network Server
Elizabeth Family Health Healthcare Provider 28375 Theft Paper/Films
The Brooklyn Hospital Center Healthcare Provider 26312 Hacking/IT Incident Network Server
Utah Valley Eye Center Healthcare Provider 20418 Hacking/IT Incident Desktop Computer
Loudoun Medical Group d/b/a Comprehensive Sleep Care Center (“CSCC”) Healthcare Provider 15575 Hacking/IT Incident Email
Choice Cancer Care Healthcare Provider 14673 Hacking/IT Incident Email
Arizona Dental Insurance Services, Inc. d.b.a. Delta Dental of Arizona Health Plan 12886 Hacking/IT Incident Email

Causes of Healthcare Data Breaches in November 2019

Hacking/IT incidents dominated November’s breach reports and accounted for 63.6% of data breaches reported in November and 90.75% of the breached records (545,293). The average breach size was 25,966 records and the median breach size was 3,977 records.

There were 7 unauthorized access/disclosure breaches reported in November involving 16,586 healthcare records. The mean breach size was 2,369 records and the median breach size was 996 records.

There were 4 incidents involving the theft of 38,998 individuals’ protected health information. Two of the incidents involved electronic devices and two involved paper records. The mean breach size was 7,799 records and the median breach size was 3,237 records.

Phishing continues to be the most common cause of healthcare data breaches. 17 of the healthcare data breaches reported in November involved PHI stored in email accounts. The majority of those breaches were due to phishing attacks.

November 2019 Healthcare Data Breaches by Covered Entity Type

There were 28 healthcare provider data breaches reported in November and four breaches were reported by health plans. It was a good month for business associates, with only one breach reported, although a further two breaches had some business associate involvement.

 

November 2019 Healthcare Data Breaches by State

Data breaches were reported by covered entities in 19 states. California was the worst affected with 4 breaches, followed by Illinois, Missouri, New York, and Texas with three breaches each. Two breaches were reported by covered entities in Florida, North Carolina, and Pennsylvania, and there was one reported beach in each of Alaska, Arizona, Colorado, Connecticut, Indiana, Maryland, Michigan, Minnesota, Nebraska, Utah, and Virginia.

HIPAA Enforcement in November 2019

There were three financial penalties imposed on HIPAA-covered entities in November to resolve HIPAA violations.

University of Rochester Medical Center (URMC) settled its HIPAA violation case with OCR for $3,000,000. OCR launched an investigation after receiving two notifications about breaches due to lost or stolen devices. OCR investigated URMC in 2010 after the first device was lost and provided technical assistance. At the time, URMC recognized the high risk of storing ePHI on devices and the need for encryption, yet this was not implemented, and unencrypted portable electronic devices continued to be used. When OCR investigated the subsequent theft of a laptop computer, its investigators found URMC had failed to conduct an organization-wide risk analysis, risks had not been reduced to a reasonable and appropriate level, and URMC had not implemented appropriate device media controls.

Sentara Hospitals agreed to settle its HIPAA violation case with OCR for $2,175,000. OCR launched a compliance investigation in response to a complaint from a patient in April 2017. The patient had received a bill from Sentara containing another patient’s protected health information. Sentara Hospitals reported the breach as affecting 8 individuals, but OCR found that 577 letters had been misdirected to 16,342 different guarantors. Sentara Hospitals refused to update its breach report with the new total. OCR also found Sentara Hospitals had failed to enter into a business associate agreement with one of its vendors.

A substantial financial penalty was also imposed on The Texas Department of Aging and Disability Services (DADS). DADS had reported a breach of 6,617 patients’ ePHI to OCR in 2015. An error in a web application allowed ePHI to be accessed over the internet by individuals unauthorized to view the data. ePHI had been exposed for around 8 years. OCR investigated and found that DADS had failed to conduct an organization-wide risk analysis, there was a lack of access controls, and DADS failed to monitor information system activity. DADS settled the HIPAA violation case and paid a penalty of $1.6 million.

The post November 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership

Pressure is continuing to be applied on Google and its parent company Alphabet to disclose information about how the protected health information (PHI) of patients of Ascension will be used, and the measures put in place to ensure PHI is secured and protected against unauthorized access.

The partnership between Google and Ascension was announced on November 11, 2019 following the publication of a story in the Wall Street Journal. A whistleblower at Google had shared information with the WSJ and expressed concern that millions of healthcare records had been shared with Google without first obtaining consent from patients. It was also alleged that Google employees could freely download PHI.

In its announcement, Google stated that the collaboration – named Project Nightingale – involved migrating Ascension’s infrastructure to the cloud and that it was helping Ascension implement G Suite tools to improve productivity and efficiency. Patient data was also being provided to Google to help develop AI and machine learning technologies to improve patient safety and clinical quality. When the migration of data has been completed, Google will have access to the health data of around 50 million patients.

Google has confirmed it is a business associate of Ascension and has signed a business associate agreement and is fully compliant with HIPAA regulations, but many privacy advocates are concerned about the partnership. Several members of Congress have also expressed concern and are seeking answers about the safeguards that have been put in place to secure patient data and how patient data will be used. The HHS’ Office for Civil Rights has also confirmed it is investigating Google and Ascension to make sure HIPAA Rules have not been violated.

Earlier this month, Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, wrote to Google and Alphabet expressing concern about the partnership. She has demanded answers to several questions about how protected health information has been obtained, the measures put in place to protect patient data, and how Google will be using the PHI.

“As Google and parent company Alphabet have engaged in an ever-widening acquisition of the highly personal health-related information of millions of people, Americans now face the prospect of having their sensitive health information handled by corporations who may misuse it,” wrote Rep. Jayapal in her Dec 6, 2019 letter. “I am especially concerned that your company has not provided sufficient assurances that this sensitive data will be kept safe, and that patients’ data is being acquired by your companies without their consent and without any opt-out provision.”

Rep. Jayapal is particularly concerned about how that information will be used. Google is amassing huge quantities of healthcare data from several sources. Google’s healthcare-focused AI unit, Medical Brain, is actively acquiring health data, Alphabet has partnered with the Mayo Clinic, and Google has acquired the UK startup, DeepMind. NHS data has already been provided to Google. Google is also looking to acquire Fitbit, which holds health-related data on 25 million users of its wearable devices.

“The fact that Google makes the vast majority of its revenue through behavioral online advertising—creating an incentive to commoditize all user information—renders the company’s expansion into health services all the more troubling,” wrote Rep. Jayapal.

Rep. Jayapal also pointed out that Google does not have a blemish-free track record when it comes to protecting health and medical information, referencing one incident in which chest X-ray images from the National Institute of Health were almost posted online before Google realized they contained personally identifiable information. She also stated there is an active lawsuit that claims Google companies have obtained patient information from a major medical facility and DeepMind was found to have violated the Data Protection Act in the UK by using patient data to develop new apps.

Rep. Jayapal has given Google and Alphabet until January 5, 2020 to answer her questions, as detailed below:

The post Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership appeared first on HIPAA Journal.

$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential violations of the HIPAA Right of Access and will adopt a corrective action plan and bring its policies and procedures in line with the requirements of the HIPAA Privacy Rule.

In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The complainant alleged that Korunda Medical refused to send an electronic copy of her medical records to a third party and was overcharging patients for providing copies of their medical records. Under HIPAA, covered entities are only permitted to charge a reasonable, cost-based fee for providing access to patients’ protected health information.

The initial complaint was filed with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access and closed the complaint. Four days later, a second complaint was received which demonstrated continued noncompliance with the HIPAA Right of Access. On May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been launched. As a result of OCR’s intervention, the complainant was provided with a copy of her medical records free of charge. Continued noncompliance with the HIPAA Right of Access resulted in a $85,000 financial penalty for Korunda Medical.

“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,” said OCR Director, Roger Severino.

The HIPAA Right of Action Initiative is a HIPAA enforcement drive to ensure HIPAA-covered entities are providing patients with copies of their medical records in a timely manner, in the format of their choosing, and without being overcharged. The first enforcement action under this initiative was announced in September 2019. Bayfront Health St Petersburg was also required to pay a financial penalty of $85,000 to resolve HIPAA Right of Access failures.

This is the ninth HIPAA enforcement action of 2019. OCR has settled 8 HIPAA violation cases this year and has issued one civil monetary penalty, with the financial penalties ranging from $10,000 to $3 million. So far in 2019, $12,209,000 has been paid to OCR to resolve HIPAA violations.

The post $85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures appeared first on HIPAA Journal.

Amazon Lex is Now HIPAA Compliant

Amazon has announced that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare organizations without violating Health Insurance Portability and Accountability Act Rules.

Amazon Lex is a service that allows customers to build conversational interfaces into applications using text and voice. It allows the creation of chatbots that use lifelike, natural language to engage with customers, ask questions, collect and give out information, and complete a range of different tasks such as scheduling appointments. The conversational engine that powers Amazon Lex is also used by Amazon Alexa.

Until recently, there was limited potential for use of Amazon Lex in healthcare as the solution was not HIPAA-compliant and could therefore not be used in connection with electronic protected health information (ePHI). The service was also not covered by Amazon’s business associate agreement (BAA).

On December 11, 2019, Amazon confirmed that Amazon Lex is now included in its AWS business associate agreement (BAA) addendum and that the service is eligible for use with workloads involving ePHI, provided that a BAA is in place. Amazon Lex has been subjected to third-party security assessments under multiple AWS compliance programs, and in addition to being HIPAA eligible is also compliant with PCI and SOC.

As with any software solution, a BAA does not guarantee compliance. Amazon has ensured appropriate safeguards have been implemented to ensure the confidentiality, integrity, and availability of ePHI, but it is the responsibility of users to ensure that the solution is implemented correctly and used in a manner that complies with HIPAA Rules.

Amazon has released a whitepaper on Architecting for HIPAA Security and Compliance on AWS, which details best practices for configuring AWS services that store, process, and transmit ePHI. Guidelines on the administration of Amazon Lex have also been published.

The post Amazon Lex is Now HIPAA Compliant appeared first on HIPAA Journal.

HIPAA Compliance Can Help Covered Entities Prevent, Mitigate, and Recover from Ransomware Attacks

Ransomware attacks used to be conducted indiscriminately, with the file-encrypting software most commonly distributed in mass spam email campaigns. However, since 2017, ransomware attacks have become far more targeted. It is now common for cybercriminals to select targets to attack where there is a higher than average probability of a ransom being paid.

Healthcare providers are a prime target for cybercriminals. They have large quantities of sensitive data, low tolerance for system downtime, and high data availability requirements. They also have the resources to pay ransom demands and many are covered by cybersecurity insurance policies. Insurance companies often choose to pay the ransom as it is usually far lower than the cost of downtime while systems are rebuilt, and data is restored from backups.

With attacks increasing in frequency and severity, healthcare organizations need to ensure that their networks are well defended and they have policies and procedures in place to ensure a quick response in the event of an attack.

Ransomware attacks are increasing in sophistication and new tactics and techniques are constantly being developed by cybercriminals to infiltrate networks and deploy ransomware, but the majority of attacks still use tried and tested methods to deliver the ransomware payload. The most common methods of gaining access to healthcare networks is still phishing and the exploitation of vulnerabilities, such as flaws that have not been patched in applications and operating systems. By finding and correcting vulnerabilities and improving defenses against phishing, healthcare providers will be able to block all but the most sophisticated and determined attackers and keep their networks secure and operational.

In its Fall 2019 Cybersecurity Newsletter, the Department of Health and Human Services explains that it is possible to prevent most ransomware attacks through the proper implementation of HIPAA Security Rule provisions. Through HIPAA compliance, healthcare organizations will also be able to ensure that in the event of a ransomware attack they will be able to recover in the shortest possible time frame.

There are several provisions of the HIPAA Security Rule that are relevant to protecting, mitigating and recovering from ransomware attacks, six of the most important being:

Risk Analysis (45 C.F.R. §164.308(a)(1)(ii)(A))

A risk analysis is one of the most important provisions of the HIPAA Security Rule. It allows healthcare organizations to identify threats to the confidentiality, integrity, and availability of ePHI, which allows those threats to be mitigated. Ransomware is commonly introduced through the exploitation of technical vulnerabilities., such as unsecured, open ports, outdated software, and poor access management/provisioning. It is essential that all possible attack vectors and vulnerabilities are identified.

Risk Management (45 C.F.R. §164.308(a)(1)(ii)(B))

All risks identified during the risk analysis must be managed and reduced to a low and acceptable level. That will make it much harder for attackers to succeed. Risk management includes the deployment of anti-malware software, intrusion detection systems, spam filters, web filters, and robust backup systems.

Information System Activity Review (45 C.F.R. §164.308(a)(1)(ii)(D))

If an organization’s defenses are breached and hackers gain access to devices and information systems, intrusions need to be quickly detected. By conducting information system activity reviews, healthcare organizations can detect anomalous activity and take steps to contain attacks in progress. Ransomware is not always deployed as soon as network access is gained. It may be days, weeks, or even months after a network is compromised before ransomware is deployed, so a system activity review may detect a compromise before the attackers are able to deploy ransomware. Security Information and Event Management (SIEM) solutions can be useful for conducting activity reviews and automating the analysis of activity logs.

Security Awareness and Training (45 C.F.R. §164.308(a)(5))

Phishing attacks are often effective as they target employees, who are one of the weakest links in the security chain. Through regular security awareness training, employees will learn how to identify phishing emails and malspam and respond appropriately by reporting the threats to the security team.

Security Incident Procedures (45 C.F.R. §164.308(a)(6))

In the event of an attack, a fast response can greatly limit the damage caused by ransomware. Written policies and procedures are required and these must be disseminated to all appropriate workforce members so they know exactly how to respond in the event of an attack. Security procedures should also be tested to ensure they will be effective in the event of a security breach.

Contingency Plan (45 C.F.R. §164.308(a)(7))

A contingency plan must be developed to ensure that in the event of a ransomware attack, critical services can continue and ePHI can be recovered. That means that backups must be made of all ePHI. Covered entities must also test those backups to ensure that data can be recovered. Backups systems have been targeted by ransomware threat actors to make it harder for covered entities to recover without paying the ransom, so at least one copy of a backup should be stored securely on a non-networked device or isolated system.

The post HIPAA Compliance Can Help Covered Entities Prevent, Mitigate, and Recover from Ransomware Attacks appeared first on HIPAA Journal.

$2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 8th HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle potential violations of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to address areas of noncompliance.

Sentara operates 12 acute care hospitals in Virginia and North Carolina and has more than 300 care facilities in both states. OCR launched a compliance investigation in response to a complaint from a patient on April 17, 2017. The patient had reported receiving a bill from Sentara containing another patient’s protected health information.

Sentara did report the breach to OCR, but the breach report stated that only 8 individuals had been affected, when the mailing had been misdirected and 577 individuals had had some of their PHI impermissibly disclosed. OCR determined that those 577 patients had their information merged with 16,342 different guarantor’s mailing labels.

OCR advised Sentara that under the HIPAA Breach Notification Rule – 45 C.F.R. § 164.408 – notifications were required and that the breach total needed to be updated, but Sentara persisted in its refusal to update the breach report and issue notifications. Sentara maintained that since the bills only contained names, account numbers, and dates of service, and not diagnoses, treatment information, and other medical information, it did not constitute a reportable breach.

OCR also found that Sentara Hospitals provides services for its member covered entities but had not entered into business associate agreements with its business associate until October 17, 2018.

Sentara Hospital’s parent organization and business associate, Sentara Healthcare, had been allowed to create, receive, maintain, and transmit PHI on its behalf without a BAA being in place. Sentara Hospitals had therefore not received satisfactory assurances that PHI would be safeguarded, in violation of 45 C.F.R. § 164.504(e)(2).

The corrective action plan requires Sentara Hospitals to revise its policies and procedures and ensure they are compliant with HIPAA Rules. Policies and procedures must be checked and revised at least annually, or more frequently if appropriate. OCR will be scrutinizing Sentara’s compliance efforts for a period of two years from the start date of the corrective action plan.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.” said OCR Director, Roger Severino.  “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

The latest settlement is another example of when HIPAA violations are uncovered in response to complaints from patients rather than data breach investigations. All it takes is for one patient to submit a complaint about a potential HIPAA violation for a compliance review to be launched. These investigations can occur at any time, which shows how important it is for healthcare organizations to ensure their policies and procedures fully meet the requirements of HIPAA.

So far in 2019, HIPAA-covered entities and business associates have paid $12,124,000 to OCR to resolve violations of HIPAA Rules.

The post $2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures appeared first on HIPAA Journal.

Timothy Noonan Named Deputy Director for Health Information Privacy at Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights (OCR) has named Timothy Noonan Deputy Director for Health Information Privacy.

The role of the Deputy Director for Health Information Privacy is to lead the Health Information Privacy Division of the Office for Civil Rights, oversee OCR’s national health information privacy policy and outreach activities, and administer and enforce the HIPAA Privacy, Security, and Breach Notification Rules and the confidentiality provisions of the Patient Safety Rule.

Noonan has been serving as Acting Deputy Director for Health Information Privacy since January 29, 2018, following the departure of Iliana Peters. Prior to taking on the position of Acting Deputy Director for Health Information Privacy, Noonan served as OCR’s Southeast Regional Manager, before moving to OCR’s headquarters to serve as Acting Associate Deputy Director for Regional Operations and the Acting Director for Centralized Case Management Operations.

In his 22 months as Acting Deputy Director for Health Information Privacy, Noonan has helped secure more than $37 million in HIPAA civil monetary penalties and settlements, including the largest ever HIPAA penalty – The $16 million settlement with Anthem Inc. over its 78.8 million-record data breach in 2015.

Noonan has also helped create the Right of Access Enforcement Initiative, under which guidance was issued to help reinforce individuals’ right of access to their medical records and the first financial penalty for Right of Access failures was agreed with Bayfront Health St Petersburg.

Under Noonan, guidance has also been issued on Health Apps and a request for information was issued seeking feedback from the public on how the HIPAA Privacy Rule should be modified to promote coordinated, value-based health care.

 

The post Timothy Noonan Named Deputy Director for Health Information Privacy at Office for Civil Rights appeared first on HIPAA Journal.

October 2019 Healthcare Data Breach Report

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches.

This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

Breached Entity Entity Type Individuals Affected Type of Breach
Betty Jean Kerr People’s Health Centers Healthcare Provider 152,000 Hacking/IT Incident
Kalispell Regional Healthcare Healthcare Provider 140,209 Hacking/IT Incident
The Methodist Hospitals, Inc. Healthcare Provider 68,039 Hacking/IT Incident
Children’s Minnesota Healthcare Provider 37,942 Unauthorized Access/Disclosure
Tots & Teens Pediatrics Healthcare Provider 31,787 Hacking/IT Incident
University of Alabama at Birmingham Healthcare Provider 19,557 Hacking/IT Incident
Prisma Health – Midlands Healthcare Provider 19,060 Hacking/IT Incident
South Texas Dermatopathology Laboratory Healthcare Provider 15,982 Hacking/IT Incident
Central Valley Regional Center Business Associate 15,975 Hacking/IT Incident
Texas Health Harris Methodist Hospital Fort Worth Healthcare Provider 14,881* Unauthorized Access/Disclosure

The largest healthcare data breach in October was reported by Betty Jean Kerr People’s Health Centers and was the result of a ransomware attack. At the time of issuing notifications, files that were encrypted in the attack remained locked. The decision was taken not to pay the ransom demand, but it was not possible to restore files from backups. Those files contained the health information of 152,000 patients.

The Kalispell Regional Healthcare data breach was due to a May 2019 phishing attack. An initial investigation did not uncover the extent of the breach. The forensic investigation revealed in August that the health information of up to 140,209 patients may have been accessed.

The Methodist Hospitals, Inc. data breach was also the result of a phishing attack. The incident was reported in October, but the initial email account compromise occurred in March 2019. Two accounts were breached for a total of four months.

South Texas Dermatopathology Laboratory is the last healthcare organization to report that its patients have been impacted by the data breach at the collection agency, AMCA. Its 15,982 records take the total number of individuals impacted by the AMCA breach to 26,059,725.

*Also of note is the data breach at Texas Health Resources. The breach makes the top 10 list of the most healthcare records exposed, but the breach was more far reaching than the table above shows. The Texas Health data breach involved a total of 82,577 records, but the breach was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single incident, the month’s total would stand at 38 breaches – two more than September.

Causes of October 2019 Healthcare Data Breaches

There were 18 hacking/IT incidents reported in October involving 501,847 healthcare records. The average breach size was 27,880 records and the median breach size was 9,413 records.

There were 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. The mean breach size was 4,813 records and the median breach size was 2,135 records. Those incidents include the 15 separate breach reports from Texas Health Resources.

There were 5 loss/theft incidents involving 13,454 records. The mean breach size was 2,350 records and the median breach size was 2,752 records. One improper disposal incident was reported involving 11,754 records.

Location of Breached Health Information

Phishing continues to cause problems for healthcare organizations. Not only are healthcare providers struggling to block phishing attacks, they are also not detected quickly when they do occur. Several phishing attacks have been reported that have taken weeks to discover.

Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred.

This high number of “other” breaches is due to the mailing error at Texas Health, which accounts for 15 of the 19 incidents in the other category.

The majority of the network server breaches were due to ransomware attacks, which include the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is possible, and that at least one backup copy is stored on a non-networked device that is not exposed to the internet.

October 2019 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in October with 45 reported incidents. Three breaches were reported by health plans, and four breaches were reported by business associates of HIPAA-covered entities. A further four breaches also had some business associate involvement but were reported by the covered entity.

October 2019 Healthcare Data Breaches by State

October saw healthcare organizations and business associates in 24 states report data breaches. With 15 breach reports coming from Texas Health, Texas was unsurprisingly the worst affected state with 17 incidents.

There were 4 breaches reported by entities based in Ohio, three breaches reported in California, and two breaches reported in each of Arkansas, Florida, Louisiana, Maryland, New Mexico, South Carolina, and Virginia. A single breach was reported in each of Alabama, Arizona, Georgia, Illinois, Indiana, Kentucky, Minnesota, Missouri, Mississippi, Montana, New York, Oregon, South Dakota, and Washington.

HIPAA Enforcement Actions in October 2019

A further two financial penalties for HIPAA violations were announced by the HHS’ Office for Civil Rights in October – One settlement and one civil monetary penalty.

OCR launched an investigation of Elite Dental Associates following a complaint from a patient who had some of her PHI publicly disclosed in response to a Yelp review. OCR found she was not the only patient to have had PHI disclosed in that manner. OCR also determined that the practice’s notice of privacy practices did not include sufficient information and was therefore not compliant with the HIPAA Privacy Rule. Elite Dental Associates agreed to settle its HIPAA violation case with OCR for $10,000.

OCR launched an investigation of Jackson Health System following the disclosure of PHI in the media. A photograph of an operating room display had been published which contained the health information of two individuals, including a well-known NFL star. The OCR investigation uncovered multiple Privacy Rule, Security Rule, and Breach Notification Rule violations spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

The post October 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data

The Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act, has been introduced by Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen, (D-Nevada). The new legislation will ensure that health data collected through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent.

The Health Insurance Portability and Accountability Act (HIPAA) applies to health data collected, received, stored, maintained, or transmitted by HIPAA-covered entities and their business associates. Some of the same information is collected, stored, and transmitted by fitness trackers, wearable devices, and health apps. That information can be used, shared, or sold, without consent. Consumers have no control over who can access their health data. The new legislation aims to address that privacy gap.

The bill prohibits the transfer, sale, sharing, or access to any non-anonymized consumer health information or other individually identifiable health information that is collected, recorded, or derived from personal consumer devices to domestic information brokers, other domestic entities, or entities based outside the United States unless consent has been obtained from the consumer.

Consumer devices are defined as “equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information.”

The Smartwatch Data Act applies to information about the health status of an individual, personal biometric information, and kinesthetic information collected directly through sensors or inputted manually into apps by consumers. The Smartwatch Data Act would treat all health data collected through apps, wearable devices, and trackers as protected health information.

There have been calls for HIPAA to be extended to cover app developers and wearable device manufacturers that collect, store, maintain, process, or transmit consumer health information. The Smartwatch Data Act does not extend HIPAA to cover these companies, instead the legislation applies to the data itself. The bill proposes the HHS’ Office for Civil Rights, the main enforcer of compliance with HIPAA, would also be responsible for enforcing compliance with the Smartwatch Data Act. The penalties for noncompliance with the Smartwatch Data Act would be the same as the penalties for HIPAA violations.

“The introduction of technology to our healthcare system in the form of apps and wearable health devices has brought up a number of important questions regarding data collection and privacy,” said Sen. Rosen “This commonsense, bipartisan legislation will extend existing health care privacy protections to personal health data collected by apps and wearables, preventing this data from being sold or used commercially without the consumer’s consent.”

The legislation was introduced following the news that Google has partnered with Ascension, the second largest healthcare provider in the United States, and has been given access to the health information of 50 million Americans. That partnership has raised a number of questions about the privacy of health information.

The Ascension data passed to Google is covered by HIPAA, but currently fitness tracker data is not. Google intends to acquire fitness tracker manufacturer Fitbit in 2020 and concern has been raised about how Google will use personal health data collected through Fitbit devices. The Smartwatch Data Act would help to ensure that consumers are given a say in how their health data is used.

The post Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data appeared first on HIPAA Journal.