HIPAA Compliance News

Hospital Associations Call for Industry-Wide Effort to Accelerate Interoperability

Posted January 23, 2019 by HIPAA Journal

Seven leading hospital associations, including the American Hospital Association (AHA), are calling for an industry-wide effort to improve data sharing. The new report seeks to enlist and expand public and private stakeholder support to accelerate interoperability and help remove the barriers to data sharing.

In order to achieve the full potential of the nation’s healthcare system, health data must flow freely. Only then will it be possible to provide the best possible care to patients, properly engage people in their health, improve public health, and ensure new models of healthcare succeed.

Effective sharing of patient data strengthens care coordination, improves safety and quality, empowers patients and their families, increases efficiency, reduces healthcare costs, and supports the accurate tracking of diseases and the creation of robust public health registries.

The report explains that great progress is being made to improve interoperability of health IT systems and ensure that patients data can be accessed regardless of location or system. 93% of hospitals now allow patients to access their health records online, 87% allow health records to be downloaded by patients, 88% of hospitals send patient records to ambulatory care providers outside their system, and 84% of hospitals allow caregivers to access information on behalf of patients.

Interoperability improvements have required tremendous effort and have come at a significant cost. Progress has been made but hospitals still face substantial barriers that are preventing efficient data sharing. Health IT tools are often expensive, many do not easily support information sharing, and the use of different health IT and EHR systems make it difficult to efficiently share information.

It is now common for healthcare to be delivered across multiple settings and locations. Records generated in doctor’s offices, hospitals, laboratories, medical devices, and in non-clinical settings should all be accessible and capable of being transferred quickly, efficiently, and accurately to create a full patient record that can be accessed by patients and their healthcare providers.

The report notes that diplomats at the United Nations speak a wide variety of languages but, through translators, are able to communicate efficiently and effectively. Mobile phones can communicate with other devices, regardless of make, model, or operating system. Healthcare needs to operate in a similar way.

A final push is required to get interoperability where it needs to be. The challenges that need to be overcome are detailed in the report along with an agenda detailing the pathway to full interoperability.

In order to achieve true interoperability, all industry stakeholders need to collaborate and work toward the common goal. The roles that different stakeholders must play are detailed in the report.

The report – Sharing data, Saving Lives: The Hospital Agenda for Interoperability – can be downloaded on this link.

The post Hospital Associations Call for Industry-Wide Effort to Accelerate Interoperability appeared first on HIPAA Journal.

December 2018 Healthcare Data Breach Report

Posted January 22, 2019 by HIPAA Journal

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January.

In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11.

Largest Healthcare Data Breaches in December 2018

Rank	Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
1	Adams County	Healthcare Provider	258,120	Unauthorized Access/Disclosure
2	JAND Inc. d/b/a Warby Parker	Healthcare Provider	177,890	Hacking/IT Incident
3	University of Vermont Health Network – Elizabethtown Community Hospital	Healthcare Provider	32,470	Hacking/IT Incident
4	The Podiatric Offices of Bobby Yee	Healthcare Provider	24,000	Hacking/IT Incident
5	Choice Rehabilitation	Business Associate	4,309	Hacking/IT Incident
6	Virtual Radiologic Professionals, LLC	Healthcare Provider	2,568	Hacking/IT Incident
7	Kent County Community Mental Health Authority	Healthcare Provider	2,284	Hacking/IT Incident
8	Butler County Board of County Commissioners	Health Plan	1,912	Unauthorized Access/Disclosure
9	Barnes-Jewish Hospital	Healthcare Provider	1,643	Hacking/IT Incident
10	Tift Regional Medical Center	Healthcare Provider	1,045	Hacking/IT Incident

Causes of December 2018 Healthcare Data Breaches

The healthcare industry experiences more insider breaches than other industry sectors, although in December, hacking/IT Incidents outnumbered unauthorized/access disclosure incidents by almost two to one. Eight of the top ten data breaches for the month were hacks, ransomware attacks, and other IT incidents.

While unauthorized access/disclosure incidents usually impact fewer individuals that hacking breaches, that was not the case in December. The largest breach of the month was the unauthorized accessing of a network server by a former employee of Adams County, WI.

In total, 264,049 healthcare records were exposed in the 7 unauthorized access/disclosure incidents reported in December. The mean breach size was 37,721 records and the median breach size was 911 records.

250,404 healthcare records were exposed in the 13 hacking/IT incidents. The mean breach size was 19,261 records and the median breach size was 1,643 records.

There were two theft incidents reported in December and one case of improper disposal of paper records. No lost devices were reported.

Location of Breached Protected Health Information

Phishing attacks continue to plague healthcare organizations and December was no exception. The largest phishing incident reported in December affected 32,470 patients of Elizabethtown Community Hospital. The PHI was contained in a single email account.

Three email accounts were compromised at Kent County Community Mental Health Authority, although they only contained the PHI of 2,200 individuals.

The most common location of breached PHI in December was email, although network server breaches were more severe. The two largest December 2018 healthcare data breaches were network server incidents which impacted 436,010 individuals – 84.43% of the total number of breached records in December.

Data Breaches by Covered-Entity Type

Health plans made it through November without reporting any data breaches, although they didn’t fare so well in December. 6 health plan data breaches were announced in December; however, all were relatively small, with only the breach at Butler County Board of County Commissioners impacting more than 1,000 plan members (1,912).

One data breach was reported by a business associate of a HIPAA-covered entity, although a further three breaches had some business associate involvement. The remaining 16 breaches were reported by healthcare providers.

Healthcare Data Breaches by State

In December 2018, healthcare organizations in 13 states reported PHI breaches. Minnesota was the worst affected state with a total of four breaches followed by Arizona with three. There were two breaches reported by healthcare organizations based in each of California, Missouri, New York, Ohio, and Wisconsin, and a single breach was experienced in each of Georgia, Illinois, Kentucky, Massachusetts, Michigan, and Pennsylvania.

HIPAA Fines and Settlements in December 2018

The Department of Health and Human Services’ Office for Civil Rights (OCR) agreed two settlements with HIPAA-covered entities in December to resolve violations of HIPAA Rules. OCR finished the year on ten fines and settlements, the same number as 2017. (You can view all 2018 HIPAA fines and settlements here).

Advanced Care Hospitalists, a Florida Contractor Physicians’ Group, was investigated by OCR following the submission of a breach report in April 2014. The report stated the PHI of 400 patients had been subject to unauthorized access, although the number of individuals affected was subsequently increased to 8,855 patients.

OCR confirmed there had been a preventable impermissible disclosure of PHI, and found that a business associate had been engaged without first entering into a business associate agreement. Additionally, insufficient security measures had been implemented and there had been no effort to comply with HIPAA Rules prior to April 1, 2014. Advanced Care Hospitalists and OCR settled the HIPAA violation case for $500,000.

On June 7, 2013, OCR received a complaint about Pagosa Springs Medical Center, a critical access hospital in Colorado, which had failed to terminate access to a web-based scheduling calendar after an employee’s contract had been terminated. The OCR investigation confirmed the former employee accessed the calendar on two occasions after leaving employment.

For the failure to terminate employee access and the lack of a business associate agreement with Google covering Google Calendar resulted in a financial penalty of $111,400 for Pagosa Springs Medical Center.

There were two financial penalties issued by state Attorneys General in December to resolve violations of HIPAA Rules.

The Massachusetts Attorney General fined McLean Hospital $75,000 over a breach of 1,500 patients PHI. The information was stored on backup tapes that had been taken offsite by an employee. When the employee was terminated, McLean Hospital was unable to recover two of the backup tapes.

The New Jersey Attorney General issued a financial penalty of $100,000 to EmblemHealth over an impermissible disclosure of PHI. In 2016, an EmblemHealth mailing had Social Security numbers printed on the outside of envelopes. This was the second fine for EmblemHealth in relation to the breach. The New York Attorney General had previously settled its case with EmblemHealth for $575,000 earlier in the year.

The post December 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Department of Defense Health Agency Security Failures Placed Patient Health Information at Risk

Posted January 18, 2019 by HIPAA Journal

According to a recent Department of Defense (DoD) Office of Inspector General report (PDF), the Defense Health Agency (DHA) failed to consistently implement security protocols to protect against the unauthorized accessing of systems that stored, processed, and transmitted electronic health records and other sensitive patient information.

The failures are detailed in the DoD OIG Report – DODIG-2017-085, “Protection of Electronic Patient Health Information at Army Military Treatment Facilities.”

The DoD OIG found that Common Access Cards (CACs) were not used to access three DoD EHR systems and two Army-specific systems. System administrators claimed that the CAC software was not compatible with some of the software used by older systems and it was not possible for multiple users to login and out of the system without rebooting local terminals.

DoD password complexity requirements had been set; however, the DHA failed to comply with those requirements for its Clinical Information System/Essentris Inpatient System and two Army-specific systems. System administrators believed that existing network authentication requirements were sufficient to control access.

Three further cybersecurity failures were identified at the Brooke Army Medical Center, Evans Army Community Hospital, and Kimbrough Ambulatory Care Center. Network and system administrators failed to grant user access to three EHR systems and four Army-specific systems based on assigned duties, did not require user justifications for access, and did not align user responsibilities to specific system roles.

Five Army-specific systems and two EHR systems were not configured to lock users out after 15 minutes of inactivity. According to the report, the CIOs in those facilities failed to implement to lockout as they did not want to negatively affect system availability.

Additionally, standard operating procedures were not developed to manage access to systems as they did not consider documented procedures to be necessary.

According to the DoD OIG, “Without well-defined, effectively implemented system security protocols, the DHA and Army introduced unnecessary risks that could compromise the integrity, confidentiality, and availability of patient health information.”

The DoD OIG pointed out that the failure to implement security protocols and the ineffective application of security protocols increases the risk of a cyberattack, data breach, loss of data, data manipulation, and unauthorized disclosures of patients’ health information.

In addition to threat to the confidentiality, integrity, and availability of patient data, the failure to adhere to HIPAA Rules exposed the Defense Health Agency to HIPAA compliance fines of up to $1.5 million, per violation category, per year.

The DoD OIG made 39 NIST Cybersecurity Framework-based recommendations to correct the security failures, which included use of CACs when accessing DoD EHR and Army-specific systems and to ensure that password complexity requirements were met for those systems.

Three of the recommendations were closed after the DHA Chief of Staff provided reports from the three sites detailing one or more specific security-related performance standards for complying with security requirements and protecting patients’ PHI. One of the standards was to hold CIOs accountable for the protection of patient health information.

According to the DoD OIG, six of the recommendations remained unresolved as the measures implemented failed to address the identified issues. On September 30, 2018, 36 of the recommendations remained open.

The post Department of Defense Health Agency Security Failures Placed Patient Health Information at Risk appeared first on HIPAA Journal.

Physician Receives Probation for Criminal HIPAA Violation

Posted January 18, 2019 by HIPAA Journal

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation rather than a jail term and fine for the wrongful disclosure of patients’ PHI to a pharmaceutical firm.

The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion.

In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug.

Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability.

The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules for allowing a sales representative of Aegerion to access the confidential health information of patients without first obtaining patient consent. The sales rep was allowed to view the information of patients who had not been diagnosed with a medical condition that could be treated with Juxtapid (lomitapide) in order to identify new potential candidates for the drug.

This is the second such criminal HIPAA violation case in Massachusetts in the past four months to result in probation rather than a jail term or fine. In September, Massachusetts gynecologist Rita Luthra was given 1 year of probation over payments received by a pharmaceutical firm (Warner Chilcott) for providing sales reps with access to the individually identifiable health information of patients for financial gain. While prosecutors were pushing for a fine and a jail term to act as a deterrent, Judge Mastroianni explained in his ruling, “Her loss of license and ability to practice is a substantial deterrent.”

While probation was received in both of these cases, a substantial fine, jail term, and loss of license are real possibilities for physicians found to have criminally violated HIPAA Rules. Both physicians could have received a fine of up to $50,000 for the violations and up to one year in jail.

The post Physician Receives Probation for Criminal HIPAA Violation appeared first on HIPAA Journal.

OCR Seeks Permanent Deputy Director for Health Information Privacy

Posted January 15, 2019 by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights has advertised for a permanent Deputy Director for Health Information Privacy. The position was posted on USAJOBS on January 14, 2019.

The last permanent Deputy Director was Deven McGraw, who left OCR in October 2017 for the private sector. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, took on the role of acting Deputy Director for Health Information Privacy but also left the post for the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018.

The role involves leading OCR’s day-to-day HIPAA privacy and security program operations, development of privacy and security policies, administrative rulemaking, interpretation of current regulations, providing technical assistance to the department’s regional offices, and coordinating HIPAA Privacy and Security Rule compliance activities to ensure consistent application of policies across all regional offices.

The Deputy Director for Health Information Privacy is a key player in the development of departmental policies, legislative, and regulatory proposals, and special OCR initiatives to ensure health information is protected and remains private.

The role involves advising OCR Director Roger Severino and senior OCR officials on HIPAA policies and application of those policies. The successful applicant will be required to work closely with the OCR Director and assist with the planning, organization, and formulation of policies and procedures for OCR and health privacy and security policies across the HHS.

According to the posting, the Deputy Director represents the Director and OCR on health information privacy and security matters and coordinates work where problems and issues involve more than one component of the HHS. The Deputy Director is also required to maintain relationships concerning health information privacy and security issues at a number of senior management levels.

Applications are being accepted until February 5, 2019.

The post OCR Seeks Permanent Deputy Director for Health Information Privacy appeared first on HIPAA Journal.

Summary of 2018 HIPAA Fines and Settlements

Posted January 3, 2019 by HIPAA Journal

This post summarizes the 2018 HIPAA fines and settlements that have resulted from the enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

Another Year of Heavy OCR HIPAA Enforcement

In 2016, there was a significant increase in HIPAA files and settlements compared to the previous year. In 2016, one civil monetary penalty was issued by OCR and 12 settlements were agreed with HIPAA covered entities and their business associates. In 2015, OCR only issued 6 financial penalties.

The high level of HIPAA enforcement continued in 2017 with 9 settlements agreed and one civil monetary penalty issued.

While there were two settlements agreed in February 2018 to resolve HIPAA violations, there were no further settlements or penalties until June. By the end of the summer it was looking like OCR had eased up on healthcare organizations that failed to comply with HIPAA Rules.

However, in September, a trio of settlements were agreed with hospitals that had allowed a film crew to record footage of patients without first gaining consent. Further settlements were agreed in October, November, and December and OCR finished the year on one civil monetary penalty and 9 settlements to resolve HIPAA violations.

While 2018 was not a record-breaking year in terms of the number of financial penalties for HIPAA violations, it was a record-breaker in terms of the total penalty amounts paid. OCR received $25,683,400 in financial penalties in 2018. The mean financial penalty was $2,568,340.

The median HIPAA fine in 2018 was $442,000: Much lower than 2017 median of $2,250,000. It was also the lowest median fine amount of the last 5 years, although 2018 did see the largest ever HIPAA violation penalty.

In October 2018, Anthem Inc., settled its HIPAA violation case with OCR for $16,000,000. The massive fine was due to the extent of the HIPAA violations discovered by OCR and the scale of its 2015 data breach, which saw the protected health information of around 78,800,000 plan members stolen by hackers.

2018 HIPAA Fines and Settlements

Year	Covered Entity	Amount	Settlement/CMP	Reason
February 2018	Fresenius Medical Care North America	$3,500,000	Settlement	Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards
February 2018	Filefax, Inc.	$100,000	Settlement	Impermissible disclosure of PHI
June 2018	University of Texas MD Anderson Cancer Center	$4,348,000	Civil Monetary Penalty	Impermissible disclosure of ePHI; No Encryption
September 18	Massachusetts General Hospital	$515,000	Settlement	Filming patients without consent
September 18	Brigham and Women’s Hospital	$384,000	Settlement	Filming patients without consent
September 18	Boston Medical Center	$100,000	Settlement	Filming patients without consent
October 2018	Anthem Inc	$16,000,000	Settlement	Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access
November 2018	Allergy Associates of Hartford	$125,000	Settlement	PHI disclosure to reporter; No sanctions against employee
December 2018	Advanced Care Hospitalists	$500,000	Settlement	Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014
December 2018	Pagosa Springs Medical Center	$111,400	Settlement	Failure to terminate employee access; No BAA

State Attorneys General HIPAA Enforcement Activities

It is difficult to obtain meaningful statistics on HIPAA fines and settlements by state attorneys general. While state attorneys general can issue fines for violations of HIPAA Rules, in many cases, financial penalties instead issued for violations of state laws. That said, 2018 did see a major increase in HIPAA enforcement activity by state attorneys general.

There were 12 HIPAA-related financial penalties issued in 2018 by state attorneys general. The New Jersey attorney general was the most active HIPAA enforcer behind OCR with 4 HIPAA fines, followed by New York with 3, Massachusetts with 2, and 1 financial penalty issued by each of Connecticut, District of Columbia, and Washington.

The largest attorney general HIPAA fine of 2018 – Aetna’s $1,150,000 penalty – was issued by New York. Aetna was also fined a total of $640,171 in a multi-state action by Connecticut, New Jersey, Washington, and the District of Columbia. Washington has yet to agree to a settlement amount with Aetna.

EmblemHealth was fined a total of $675,000 for a 2016 data breach: $575,000 by New York and $100,000 by New Jersey.

State	Covered Entity	Amount	State Residents Affected
Massachusetts	McLean Hospital	$75,000	1,500
New Jersey	EmblemHealth	$100,000	6,443
New Jersey	Best Transcription Medical	$200,000	1,650
Washington	Aetna	TBA*	13,160 (multi-state total)
Connecticut	Aetna	$99,959	13,160 (multi-state total)
New Jersey	Aetna	$365,211.59	13,160 (multi-state total)
District of Columbia	Aetna	$175,000	13,160 (multi-state total)
Massachusetts	UMass Memorial Medical Group / UMass Memorial Medical Center	$230,000	15,000
New York	Arc of Erie County	$200,000	3,751
New Jersey	Virtua Medical Group	$417,816	1,654
New York	EmblemHealth	$575,000	81,122
New York	Aetna	$1,150,000	13,160 (multi-state total)

*Washington yet to determine settlement amount

The post Summary of 2018 HIPAA Fines and Settlements appeared first on HIPAA Journal.

Flowers Hospital Data Breach Settlement Approved by Judge

Posted December 28, 2018 by HIPAA Journal

A class action data breach lawsuit filed against Flowers Hospital in Dothan, AL, in 2014 has finally been settled.

In 2014, an employee of Flowers Hospital stole the personal information of patients from the hospital laboratory and used the information to file fraudulent tax returns in the names of patients.

A deputy sheriff discovered patient files in the vehicle of laboratory employee, Karmarian Millender, during a traffic stop. The investigation revealed that Millender had been stealing patient records from the laboratory and had sold the information to tax fraudsters who filed fraudulent tax returns in patients’ names. Millender pleaded guilty to the theft of patient data and was sentenced to two years in prison.

Many patients incurred out-of-pocket expenses from paying for credit monitoring services, lost earnings from arranging those services and combatting identity theft, and lost interest from delayed tax refunds. A class action lawsuit was filed against the hospital to recover those costs.

The lawsuit alleged the hospital had been negligent by failing to implement adequate measures to prevent data theft. Flowers Hospital attempted to have the lawsuit dismissed for lack of standing and claimed that the plaintiffs failed to link the data breach to economic harm. A judge allowed the plaintiffs to amend the complaint and the motion to dismiss was not carried over to the updated filing.

It has taken nearly five years, but the lawsuit has finally been dismissed and Flowers Hospital has agreed to a settlement of up to $150,000. That settlement was recently approved by a judge. Up to 1,208 patients potentially had their protected health information stolen and those who filed claims will be awarded a proportion of the settlement amount.

The maximum claim per patient is $5,000, which covers loss of interest on delayed tax returns, the cost of credit monitoring services, and compensation from loss of earnings arranging those services; up to a maximum of 4 hours. The majority of breach victims are expected to be awarded up to $250 in damages.

The post Flowers Hospital Data Breach Settlement Approved by Judge appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2018

Posted December 27, 2018 by HIPAA Journal

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records.

2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records.

A Bad Year for Healthcare Data Breaches

As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records.

It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017.

In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in the exposure of 5,138,179 healthcare records.

The Largest Healthcare Data Breaches of 2018

Listed below is a summary of the largest healthcare data breaches of 2018. A brief description of those breaches has been listed below.

At the time of writing, OCR is still investigating all but one of the breaches listed below. Only the LifeBridge Health breach investigation has been closed.

Rank	Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
1	AccuDoc Solutions, Inc.	Business Associate	2,652,537	Hacking/IT Incident
2	UnityPoint Health	Business Associate	1,421,107	Hacking/IT Incident
3	Employees Retirement System of Texas	Health Plan	1,248,263	Unauthorized Access/Disclosure
4	CA Department of Developmental Services	Health Plan	582,174	Theft
5	MSK Group	Healthcare Provider	566,236	Hacking/IT Incident
6	CNO Financial Group, Inc.	Health Plan	566,217	Unauthorized Access/Disclosure
7	LifeBridge Health, Inc	Healthcare Provider	538,127	Hacking/IT Incident
8	Health Management Concepts, Inc.	Business Associate	502,416	Hacking/IT Incident
9	AU Medical Center, INC	Healthcare Provider	417,000	Hacking/IT Incident
10	SSM Health St. Mary’s Hospital – Jefferson City	Healthcare Provider	301,000	Improper Disposal
11	Oklahoma State University Center for Health Sciences	Healthcare Provider	279,865	Hacking/IT Incident
12	Med Associates, Inc.	Business Associate	276,057	Hacking/IT Incident
13	Adams County	Healthcare Provider	258,120	Unauthorized Access/Disclosure
14	MedEvolve	Business Associate	205,434	Unauthorized Access/Disclosure
15	HealthEquity, Inc.	Business Associate	165,800	Hacking/IT Incident
16	St. Peter’s Surgery & Endoscopy Center	Healthcare Provider	134,512	Hacking/IT Incident
17	New York Oncology Hematology, P.C.	Healthcare Provider	128,400	Hacking/IT Incident
18	Boys Town National Research Hospital	Healthcare Provider	105,309	Hacking/IT Incident

Causes of the Largest Healthcare Data Breaches of 2018

Further information on the causes of the largest healthcare breaches of 2018.

AccuDoc Solutions, Inc.

Morrisville, NC-based AccuDoc Solutions, a billing company that operates the online payment system used by Atrium Health’s network of 44 hospitals in North Carolina, South Carolina and Georgia, discovered that some of its databases had been compromised between September 22 and September 29, 2018. The databases contained the records of 2,652,537 patients. While data could have been viewed, AccuDoc reports that the databases could not be downloaded. Not only was this the largest healthcare data breach of 2018, it was the largest healthcare data breach to be reported since September 2016.

UnityPoint Health

A UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled in a business email compromise attack. A trusted executive’s email account was spoofed, and several employees responded to the messages and disclosed their email credentials. The compromised email accounts contained the PHI of 1,421,107 individuals.

Employees Retirement System of Texas

The Employees Retirement System of Texas discovered a flaw in its ERS OnLine portal that allowed certain individuals to view the protected health information of other members after logging into the portal. The breach was attributed to a coding error. Up to 1,248,263 individuals’ PHI was potentially viewed by other health plan members.

CA Department of Developmental Services

The California Department of Developmental Services experienced a break in at its offices. During the time the thieves were in the offices they potentially accessed the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of 582,174 patients.

MSK Group

Tennessee-based MSK Group, P.C, a network of orthopedic medical practices, discovered in May 2018 that hackers had gained access to its network. Certain parts of the network had been accessed by the hackers over a period of several months. The records of 566,236 patients, which included personal, health and insurance information, may have been viewed or copied by the hackers.

CNO Financial Group, Inc.

Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., discovered hackers gained access to its systems between May 30 and September 13, 2018 and potentially stole the personal information of 566,217 individuals.

LifeBridge Health, Inc

The Baltimore-based healthcare provider LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. Those systems contained the PHI of 538,127 patients.

Health Management Concepts, Inc.

Health Management Concepts discovered hackers gained access to a server used for sharing files and installed ransomware. The ransom demand was paid to unlock the encrypted files; however, HMC reported that the hackers were ‘inadvertently provided’ with a file that contained the PHI of 502,416 individuals. It is suspected that the file was unwittingly sent to the attackers to prove they could decrypt files.

AU Medical Center, INC

An Augusta University Medical Center phishing attack resulted in an unauthorized individual gaining access to the email accounts of two employees. The compromised email accounts contained the PHI of 417,000 patients.

SSM Health St. Mary’s Hospital – Jefferson City

St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility; however, on June 1, 2018, the hospital discovered administrative documents containing the protected health information of 301,000 patients had been left behind. In the most part, the breach was limited to names and medical record numbers.

Oklahoma State University Center for Health Sciences

Oklahoma State University Center for Health Sciences discovered an unauthorized individual gained access to parts of its computer network and potentially accessed files containing billing information of Medicaid patients. The breach affected 279,865 patients, although only a limited amount of PHI was accessible.

Med Associates, Inc.

The Latham, NY-based health billing company Med Associates, which provides claims services to more than 70 healthcare providers, discovered an employee’s computer has been accessed by an unauthorized individual. It is possible that the attacker gained access to the PHI of up to 276,057 patients.

Adams County

Adams County, WI, discovered hackers gained access to its network and potentially accessed the PHI and PII of 258,102 individuals. The compromised systems were used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.

MedEvolve

MedEvolve, a provider of electronic billing and record services to healthcare providers, discovered an FTP server had been left unsecured between March 29, 2018 and May 4, 2018. A file on the FTP server contained the PHI of 205,434 patients of Premier Immediate Medical Care.

HealthEquity, Inc.

HealthEquity, a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, experienced a phishing attack that resulted in hackers gaining access to the email accounts of two employees. Those accounts contained the PHI of 165,800 individuals.

St. Peter’s Surgery & Endoscopy Center

St. Peter’s Surgery & Endoscopy Center in New York discovered malware had been installed on one of its servers which potentially allowed hackers to view the PHI of 134,512 patients. The malware was discovered the same day it was installed. The fast detection potentially prevented patients’ data from being viewed or copied.

New York Oncology Hematology, P.C.

A phishing attack on New York Oncology Hematology in Albany, NY, resulted in hackers gaining access to the email accounts of 15 employees. Those accounts contained the PHI of 128,400 current and former patients and employees.

Boys Town National Research Hospital

Boys Town National Research Hospital, an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, experienced a phishing attack that allowed hackers to gain access to a single email account. The email account contained the PHI of 105,309 patients.

The post Largest Healthcare Data Breaches of 2018 appeared first on HIPAA Journal.

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Posted December 21, 2018 by HIPAA Journal

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients.

McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center.

The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an alternative, equivalent measure to safeguard PHI.

“Hospitals must take measures to protect the private information of their patients,” said AG Maura Healey. “This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve.”

Backups of sensitive data should be made regularly to ensure that, in the event of disaster, patients’ PHI can be recovered. If physical copies of PHI are backed up and taken offsite by employees, appropriate security controls should be put in place to prevent those individuals from accessing the data and to ensure that in the event of loss or theft of devices, PHI will not be exposed. While HIPAA falls short of demanding the use of encryption for PHI, if the decision is taken not to encrypt PHI, an alternative safeguard must be implemented that offers an equivalent level of protection.

In addition to the financial penalty, McLean Hospital has agreed to enhance its privacy and security practices. A written information security program will be implemented and maintained, training will be provided to new and existing employees on privacy and security of personal health information, an inventory will be created and maintained of all portable devices containing ePHI, and all electronic PHI will be encrypted within 60 days.

McLean has also agreed to a third-party audit of the Harvard Brain Tissue Resource Center to assess how it handles portable devices containing personal and health information.

“McLean has continued to enhance its privacy and security practices and procedures within the Brain Bank and throughout the research operation. The agreement with the Attorney General represents a continuation of those efforts,” explained McLean Hospital in statement issued to the media.

This is the second HIPAA violation penalty to be issued by Massachusetts in 2018. UMass Memorial Medical Group / UMass Memorial Medical Center settled a HIPAA violation case with Massachusetts for $230,000 in September. The fine related to the failure to secure the ePHI of 15,000 state residents.

The post Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital appeared first on HIPAA Journal.