HIPAA Compliance News

24 State Attorneys General Confirm Support for Stronger HIPAA Protections for Reproductive Health Data

Posted by Steve Alder

A coalition of 24 state attorneys general has written to the Department of Health and Human Services (HHS) to confirm their support for the proposed update to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to strengthen reproductive health information privacy.

Background

The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization in June 2022 overturned Roe v. Wade and removed the federal right to abortion. Many states introduced their own laws banning or severely restricting abortions in their respective states, and those laws permit criminal or civil penalties for anyone that seeks, provides, or assists with the provision of an abortion. Currently, 15 states have introduced almost total bans on abortions and several others have restricted abortions or are in the process of introducing bans or restrictions. Idaho has also recently enacted an abortion trafficking law, which aims to restrict the ability of state residents to travel out of state to receive abortion care.

Following the Supreme Court decision, the HHS’ Office for Civil Rights (OCR) issued guidance to HIPAA-regulated entities on the HIPAA Privacy Rule and how it permits but does not require disclosures of reproductive health information if the disclosure is required by law or is for law enforcement purposes. OCR confirmed that if a patient in a state that has banned abortions informs their healthcare provider that they are seeking an abortion in a state where abortion is legal, the HIPAA Privacy Rule would not permit the healthcare provider to disclose that information to law enforcement in order to prevent the abortion.

OCR subsequently issued a notice of proposed rulemaking (NPRM) about a planned update to the HIPAA Privacy Rule to strengthen reproductive health data privacy further, which would make it illegal to share a patient’s PHI if that information is being sought for certain criminal, civil, and administrative investigations or proceedings against a patient in connection with a legal abortion or other reproductive care.

In response to the NPRM, a coalition of 24 state attorneys general recently wrote to the HHS’ Secretary, Xavier Becerra, and OCR Director, Melanie Fontes Rainer, to confirm their support for the proposed HIPAA Privacy Rule changes. The coalition is led by New York Attorney General, Leticia James, and the letter was signed by the state Attorneys General in Arizona, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New York, New Mexico, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Washington, Wisconsin, and Washington D.C. The state AGs requested the HHS “move expeditiously to issue [the proposed rule] and apply the standard compliance date of 180 days after the effective date of the final rule.”

“No one should have to worry about whether their health care information will be kept private when they go to the doctor to get the care they need,” said Attorney General James. “While anti-choice state legislatures across the nation are stripping away our reproductive freedom and seeking access to health care data, it is imperative that we take every measure to safeguard Americans’ privacy. I will always fight to defend abortion and ensure no one’s private right to choose can be used against them.”

Recommendations to Further Strengthen Reproductive Health Information Privacy

In addition to confirming their support, comment has been provided on areas where the protections stated in the proposed rule can be strengthened further. The proposed Privacy Rule update adopts a broad definition of “reproductive health care” as a subcategory of health care; however, the state AGs recommend also creating a separate definition of “reproductive health,” to make it clear that the update not only applies to providers of gynecological and/or fertility-related care but also to other HIPAA covered entities. This would help to avoid any possible ambiguities about the types of health care covered by the proposed rule and they recommend that examples of reproductive health care are incorporated into the regulatory text of the final rule.

The state AGs also call for the HHS to define “birth” and “death” separately, in order to clarify that termination of pregnancy is not a public health reporting event and is therefore not subject to the HIPAA Privacy Rule reporting requirements. They also call for tightening up of the language in the proposed rule, which prohibits “use or disclosure “primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.” There is concern that a different primary purpose may be manufactured as a pretext for obtaining PHI for a prohibited purpose. This potential loophole could be closed by dropping the word ‘primary’.

Among the other recommendations are for the HHS to ensure that requesters and providers receive adequate guidance on the attestation requirement of the proposed rule, which requires attestation that the request is not being made to obtain reproductive health information to take legal action against an individual, and for the HHS to create a nationally available, online platform to provide patients with accurate and clear information on reproductive care and privacy rights, and to conduct a public awareness campaign to promote the website.

The post 24 State Attorneys General Confirm Support for Stronger HIPAA Protections for Reproductive Health Data appeared first on HIPAA Journal.

Washington Hospital Pays $240,000 HIPAA Penalty After Security Guards Access Medical Records

Posted by Steve Alder

The HHS’ Office for Civil Rights (OCR) investigates all reported breaches of the protected health information of 500 or more individuals and some smaller breaches to determine if the breach was caused by the failure to comply with the HIPAA Rules. OCR’s latest HIPAA enforcement action confirms that it is not the scale of a data breach that determines if a financial penalty must be paid but the severity of the underlying HIPAA violations.

A relatively small data breach was reported to OCR on February 28, 2018, by Yakima Valley Memorial Hospital (formerly Virginia Mason Memorial), a 222-bed non-profit community hospital in Washington state. The hospital discovered security guards had been accessing the medical records of patients when there was no legitimate work reason for the medical record access, and 419 medical records had been impermissibly viewed.

OCR launched an investigation into the snooping incident in May 2018 and discovered widespread snooping on medical records by security guards in the hospital’s emergency department. 23 security guards had used their login credentials to access medical records in the hospital’s electronic medical record system when there was no legitimate reason for the access. The security guards were able to view protected health information such as names, addresses, dates of birth, medical record numbers, certain notes related to treatment, and insurance information. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule – 45 C.F.R. § 164.316.

Yakima Valley Memorial Hospital chose to settle the case with OCR and agreed to pay a financial penalty of $240,000 with no admission of liability. A corrective action plan has been adopted to ensure full compliance with the HIPAA Rules, which includes an accurate and comprehensive risk analysis, the development and implementation of a risk management plan to address the risks identified by the risk analysis, updates to its HIPAA policies and procedures, the enhancement of its current HIPAA security training program, and a review of its relationships with vendors and third-party service providers to identify business associates, and to obtain business associate agreements if they are not already in place.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

This is the 6th OCR HIPAA enforcement action of 2023 that has resulted in a financial penalty, and the second to be announced by OCR this month. So far this year, penalties totaling $1,901,500 have been imposed by OCR to resolve violations of the HIPAA Rules.

The post Washington Hospital Pays $240,000 HIPAA Penalty After Security Guards Access Medical Records appeared first on HIPAA Journal.

Mistrial Declared in Criminal HIPAA Prosecution of Couple Who Disclosed PHI to Undercover FBI Agent

Posted by Steve Alder

The prosecution of two doctors accused of criminal HIPAA violations and conspiring with the Russian government has ended in a mistrial as the jury could not reach a unanimous guilty verdict. Dr. Anna Gabrielian. 37, a former anesthesiologist at Johns Hopkins, and her spouse, Jamie Lee Henry, 40, a doctor and U.S. Army Major previously stationed at Fort Bragg, were indicted on September 28, 2022, and charged with conspiracy to assist Russia with its invasion of Ukraine and criminal HIPAA violations for wrongfully disclosing the personally identifiable health information of individuals to someone they believed to be a Russian agent.

In an eight-count indictment, the couple was alleged to have conspired to cause harm to the United States by providing the sensitive information of U.S. citizens associated with the U.S. government and military to Russia. The disclosures started on August 17, 2022, when information was passed to an individual who they believed to be a Russian agent. The disclosures served as confirmation of Henry’s secret-level security clearance and the couple’s willingness to work with a Russian operative and provide medical information that could potentially be exploited by the Russian government.

Gabrielian had sent an email from her work email account to the Russian embassy offering medical collaboration and humanitarian aid to Russia in response to the war with Ukraine. The message was obtained by the FBI, which sent an undercover agent posing as a Russian operative to meet with Gabrielian. In the meeting, Gabrielian told the agent that her husband was a more important source for Russia as he had access to more valuable information, then arranged to meet with the undercover agent with her husband.

The undercover agent recorded over 5 hours of conversations over the series of meetings in which the couple claimed they wanted to help Russia. Henry admitted that he had attempted to sign up as a volunteer in the Russian Army but was turned down due to his lack of combat experience. Henry agreed to provide the medical records of Fort Bragg patients to the agent. In a subsequent meeting, Gabrielian provided the agent with the health information of two individuals, including the spouse of an employee of the Office of Naval Intelligence, whom Gabrielian pointed out had a medical condition Russia could exploit. Henry provided information on five individuals who were military veterans or related to military veterans. The couple faced a maximum sentence of 10 years in jail for the criminal HIPAA violation – accessing and disclosing medical records without authorization – and a maximum of 5 years in jail for the conspiracy charge.

At the trial, Gabrielian testified that she disclosed the information because she feared for her life and the lives of her family in the United States and Russia if she did not cooperate. She also testified that she saw the camera worn by the agent and asked if she was being recorded, which led to her believing she was in danger. She claimed that she provided two records to the agent as a test of loyalty, but thought the two records would be useless to the Russian government, as were the records disclosed by Henry.

The legal team for the doctors argued that while the agent did not overtly threaten them, and only implied that they worked for the KGB, the doctors were fearful of what would happen if they said no to a KGB operative and said their intention was only to help heal the sick and treat the wounded, arguing that this was a crime created by the U.S. government. The prosecution argued that the two doctors wanted to be long-term weapons for Russia and there was no merit to the claims they were entrapped by the FBI.

After two and a half days of deliberation, the jury told U.S. District Court Judge, Stephanie Gallagher, that they were unable to reach a unanimous verdict because one juror believed the doctors were entrapped by the FBI, leaving Gallagher with no option other than to declare a mistrial. The U.S. Attorney’s Office has confirmed that it will seek a retrial.

The post Mistrial Declared in Criminal HIPAA Prosecution of Couple Who Disclosed PHI to Undercover FBI Agent appeared first on HIPAA Journal.

$30,000 Penatly for Disclosing PHI Online in Response to Negative Reviews

Posted by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with a New Jersey provider of adult and child psychiatric services for $30,000. In April 2020, OCR received a complaint alleging Manasa Health Center had impermissibly disclosed patient information online when responding to a negative online review. The complainant alleged Manasa Health Center’s responded to a patient’s review and disclosed the patient’s mental health diagnosis and treatment information.

OCR launched an investigation into the Kendall Park, NJ-based healthcare provider and discovered the protected health information of a total of four patients had been impermissibly disclosed in responses to negative Google Reviews, and notified the practice about the HIPAA Privacy Rule investigation on November 18, 2020. In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a) of the HIPAA Privacy Rule, the practice was determined to have failed to comply with standards, implementation specifications, or other requirements of HIPAA Privacy Rule and Breach Notification Rules – 45 C.F.R. § 164.530(i).

Manasa Health Center chose to settle the case with OCR with no admission of liability or wrongdoing. In addition to the financial penalty, Manasa Health Center has agreed to adopt a corrective action plan which includes the requirement to develop, maintain, and revise its written policies and procedures to ensure compliance with the HIPAA Privacy Rule, provide training to all members of the workforce on those policies and procedures, issue breach notification letters to the individuals whose PHI was impermissibly disclosed online, and submit a breach report to OCR about those disclosures.

This is not the first time that OCR has imposed a financial penalty for disclosures of PHI on social media and online review platforms. In 2022, OCR agreed to a $23,000 settlement with New Vision Dental and imposed a civil monetary penalty of $50,000 on Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. In 2019, OCR settled an online disclosure case with Elite Dental Associates for $10,000. The HIPAA Privacy Rule does not prohibit HIPAA-regulated entities from responding to online reviews or using social media; however, protected health information must not be disclosed online without written consent from the patient. You can read more about HIPAA and social media here.

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

This is the 5th OCR HIPAA enforcement action in 2023 that has been resolved with a financial penalty. So far this year, $1,661,500 has been paid by HIPAA-regulated entities to resolve violations of the HIPAA Rules.

The post $30,000 Penatly for Disclosing PHI Online in Response to Negative Reviews appeared first on HIPAA Journal.

Arizona Man Sentenced to 54 Months in Criminal HIPAA Violation Case

Posted by Steve Alder

An Arizona man has been sentenced to 54 months in jail for aggravated identity theft and criminal violations of the Health Insurance Portability and Accountability Act (HIPAA).  Rico Prunty, 41 years old, of Sierra Vista, Arizona, was previously employed at an Arizona medical facility where he unlawfully accessed the medical intake forms of patients between July 2014 and May 2017. The intake forms included information protected under HIPAA such as names, dates of birth, addresses, employer information, social security numbers, diagnoses, and medical information.

He then provided that information to his co-conspirators – Vincent Prunty, Temika Coleman, and Gemico Childress – who used the stolen information to open credit card accounts in the victims’ names. Federal prosecutors investigating the identity theft raided an apartment linked to the suspects and found evidence of the manufacture of credit cards and the opening of fraudulent accounts in victims’ names. Prunty and his co-conspirators attempted to steal more than $181,000 from the victims.

According to court documents, the protected health information of almost 500 patients was accessed without authorization, and their information was impermissibly disclosed to Prunty’s co-conspirators. Rico Prunty pleaded guilty to aggravated identity theft and criminal HIPAA violations for accessing and disclosing patients’ protected health information. The HIPAA violations carried a maximum jail term of 10 years, and aggravated identity has a mandatory sentence of 2 years, which runs consecutively to sentences for other felony crimes. Senior U.S. District Court Judge James Moody imposed a sentence of 54 months with 2 years of supervised release and Prunty was ordered to pay $132,521.98 in restitution to the victims.

His co-conspirators have already been sentenced for their roles in the identity theft scheme. Vincent Prunty pleaded guilty to wire fraud, mail fraud, and aggravated identity theft and was sentenced to 154 months, Gemico Childress pleaded guilty to wire fraud and aggravated identity theft and was sentenced to 134 months, and Temika Coleman pleaded guilty to wire fraud, mail fraud, and aggravated identity theft and was sentenced to 121 months. They were also ordered to pay $181,835.77 in restitution and will each have 2 years of supervised release.

The post Arizona Man Sentenced to 54 Months in Criminal HIPAA Violation Case appeared first on HIPAA Journal.

Doctor Fined for Privacy Violations Following Abortion on 10-Year-Old Rape Victim

Posted by Steve Alder

Dr. Caitlin Bernard, an Indianapolis, IN-based obstetrician-gynecologist has been fined $3,000 by the Medical Licensing Board of Indiana and issued with a letter of reprimand for violating HIPAA and state privacy law after talking to the media about an abortion she provided to a 10-year-old rape victim on July 1, 2022.

Within hours of the Supreme Court’s decision that overturned Roe v Wade and removed the federal right to an abortion, Ohio banned abortions after 6 weeks of pregnancy. Three days later, on June 27, 2022, Dr. Bernard received a call from a child abuse doctor in Ohio about a 10-year-old patient who could not legally have an abortion in Ohio as she was three days past the legal cutoff. The victim then traveled from her home state of Ohio to Indiana to have the procedure performed by Dr. Bernard.

A reporter for the IndyStar overheard a conversation between Dr. Bernard and another doctor at an anti-abortion rally and approached Dr. Bernard and asked for comment. The IndyStar ran a story about the girl and the reduction of access to abortions following the Supreme Court’s decision, and the story rapidly became national news. The case was also referenced on multiple occasions by President Biden. Following the publication of the story, Dr. Bernard provided further statements to the media, was interviewed on national TV networks, and was featured in various media articles, in which Dr. Bernard highlighted the real-world impact of the change to federal law on abortions. In those media interviews, Dr. Bernard confirmed that she had performed an abortion procedure on a 10-year-old patient, but did not disclose the name of the patient.

Shortly after the publication of the IndyStar story, Indiana Attorney General Todd Rokita confirmed in a Fox News interview that Dr. Bernard would be investigated. Rokita filed an administrative complaint with the Medical Licensing Board of Indiana alleging Dr. Bernard had violated HIPAA and state law by failing to get written authorization to release patient information, and that Dr. Bernard had failed to immediately report suspected child abuse to local law enforcement in Indianapolis or the Indiana Department of Children Services. Rokita claimed that Dr. Bernard learned about possible child abuse on June 27, 2022, in a telephone call, yet failed to report it until July 2, 2022, the day after the procedure was performed. As such, the child was returned to the custody of the alleged rapist, where she remained until July 6, 2022. Law enforcement later confirmed, with a 99.99% probability, that the rapist was the child’s biological father, who was charged with two counts of rape in July 2022.

In a Medical Licencing Board hearing on Thursday, Dr. Bernard’s attorney explained that Dr. Bernard told an IU Health social worker about the case on the same day she received the initial call about the patient, and that discussion was in line with IU Health’s policies. She also confirmed that the abuse was reported on an Indiana state form and that the abuse had already been reported in Ohio where the abuse took place. The IU Health social worker testified that she reported the abuse in Ohio per IU Health policies, as that was where the abuse occurred. Dr. Bernard also confirmed with child protection staffers in Ohio that it was safe for the child to leave with her mother and testified that she did not violate state or federal privacy laws as she did not disclose any identifying information about the patient.

At the hearing, Deputy Attorney General Cory Voight asked Dr. Bernard why she had disclosed information about a real patient, rather than providing a hypothetical situation in her media interviews. “I think that it’s incredibly important for people to understand the real-world impacts of the laws of this country about abortion,” said Dr. Bernard in response. “I think it’s important for people to know what patients will have to go through because of legislation that is being passed, and a hypothetical does not make that impact.”

Andrew Mahler, a former official at the HHS’ Office for Civil Rights was an expert witness for the state and testified that the disclosures made by Dr. Bernard violated HIPAA, as it was certainly possible that the information disclosed by Dr. Bernard – age, state, and gender – would allow the girl to be identified. Paige Jayner, a privacy compliance officer and former OCR auditor, was a witness for the defense and disagreed with Mahler’s view, testifying that the information Dr. Bernard disclosed was not protected health information and that the disclosure was not a HIPAA violation. IU Health agreed and did not believe the HIPAA Rules had been violated. At the hearing, Dr. Bernard defended her right to speak to the media about medical issues when it is in the public interest and her attorney confirmed that there are no laws that prohibit physicians from speaking with the media.

Dr. John Strobel, President of the Medical Licensing Board believed Dr. Bernard disclosed too much information to the IndyStar reporter about the pending abortion and said consent should have been obtained before any information was disclosed. The majority decision of the Medical Licensing Board was the disclosures violated state and federal privacy laws and Dr. Bernard received a $1,000 fine for each of the three privacy violation counts. The Medical Licensing Board found the state had failed to meet the burden for the other two counts on reporting the child abuse and Dr. Bernard being unfit to practice, and therefore did not suspend Dr. Bernard or put her on probation so she is able to continue to practice in Indiana. Dr. Bernard will be given the right to appeal the decision.

The post Doctor Fined for Privacy Violations Following Abortion on 10-Year-Old Rape Victim appeared first on HIPAA Journal.

NY AG Fines Medical Management Company $550,000 for Patch Management Failures

Posted by HIPAA Journal

A medical management company has been fined $550,000 by the New York Attorney General for failing to prevent a cyberattack that exposed the personal and protected health information of 1.2 million individuals, including 428,000 New Yorkers.

Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp, had its systems hacked in November 2020. The threat actor exfiltrated sensitive data from its systems and then deployed ransomware to encrypt files. As proof of data theft and to pressure Practicefirst into paying the ransom, files were uploaded to the threat actor’s dark web data leak site. The leaked data included screenshots of 13 patients’ protected health information. Practicefirst’s investigation confirmed the threat actor exfiltrated approximately 79,000 files from its systems, which contained names, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, medication information, and financial information.

The investigation conducted by the Office of the New York Attorney General determined that the hacker gained initial access to Practicefirst’s systems by exploiting a critical vulnerability in its firewall. The firewall provider released an updated version of the firewall software in January 2019, but Practicefirst failed to apply the update. Practicefirst did not conduct penetration tests or vulnerability scans, or perform other security tests that would have highlighted the vulnerability before it was exploited.  The protected health information stored on its systems was also not encrypted. The New York Attorney General determined that these failures violated state law and the federal Health Insurance Portability and Accountability Act (HIPAA).

Practicefirst agreed to settle the alleged violations of HIPAA and state law. In addition to the financial penalty, Practicefirst has agreed to strengthen its data security practices and will offer affected individuals complimentary credit monitoring services. The data security measures agreed upon as part of the settlement include the development, implementation, and maintenance of a comprehensive information security program, encryption for health information stored on its systems, implementation of a patch management system with timely patching of vulnerabilities, regular vulnerability scans and penetration tests, and updates to its data collection, retention, and disposal practices.

“When a person is seeking medical care, their last concern should be the security of their personal information,” said Attorney General Letitia James. “Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.

The post NY AG Fines Medical Management Company $550,000 for Patch Management Failures appeared first on HIPAA Journal.

April 2023 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 17.5% month-over-month fall in the number of reported healthcare data breaches with 52 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR) – less than the 12-month average of 58 breaches per month, and one less than in April 2022.

April 2023 Healthcare Data Breaches

One of the largest healthcare data breaches of the year was reported in April, but there was still a significant month-over-month reduction in breached records, which fell by 30.7% to 4,425,891 records. The total is less than the 12-month average of 4.9 million records a month, although more than twice the number of records that were breached in April 2022.

Healthcare records breached in the last 12 months - April 2023

Largest Healthcare Data Breaches Reported in April 2023

As previously mentioned, April saw a major data breach reported that affected 3,037,303 individuals – The third largest breach to be reported by a single HIPAA-covered entity so far this year, and the 19th largest breach to be reported by a single HIPAA-regulated entity to date.  The breach occurred at the HIPAA business associate, NationsBenefits Holdings, and was a data theft and extortion attack by the Clop ransomware group involving the Fortra GoAnywhere MFT solution.  8 of the month’s 21 breaches of 10,000 or more records were due to these Clop attacks, including the top 5 breaches in April. Brightline Inc. was also hit hard by those attacks, which were reported separately for each covered entity client (9 reports). Together, the attacks on Brightline involved the PHI of more than 964,000 individuals.

18 of the 21 breaches of 10,000 or more records were hacking incidents. The remaining three breaches were unauthorized disclosures of protected health information, one due to tracking technologies and the other two due to mailing errors. While ransomware and data theft/extortion attacks dominated the breach reports, phishing, business email compromise, and other email account breaches are common, with 5 of the top 21 breaches involving hacked email accounts. End-user security awareness training is recommended to reduce susceptibility to these attacks and multifactor authentication should be implemented on all email accounts, ideally using phishing-resistant multifactor authentication.

Name of Covered Entity State Covered Entity Type Individuals Affected Location of Breached Information Breach Cause
NationsBenefits Holdings, LLC FL Business Associate 3,037,303 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. CA Business Associate 462,241 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. CA Business Associate 199,000 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. CA Business Associate 180,694 Network Server, Other Hacking and extortion (Fortra GoAnywhere MFT)
California Physicians’ Services d/b/a Blue Shield of California CA Business Associate 61,790 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
MiniMed Distribution Corp. CA Healthcare Provider 58,374 Network Server Unauthorized disclosure of PHI to Google and other third parties (Tracking code)
Brightline, Inc. CA Business Associate 49,968 Network Server, Other Hacking and extortion (Fortra GoAnywhere MFT)
United Steelworkers Local 286 PA Health Plan 37,965 Email Hacked email account
Retina & Vitreous of Texas, PLLC TX Healthcare Provider 35,766 Network Server Hacking incident
Brightline, Inc. CA Business Associate 31,440 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. CA Business Associate 21,830 Network Server Hacking and extortion (Fortra GoAnywhere MFT)
Iowa Department of Health and Human Services – Iowa Medicaid Enterprise (Iowa HHS-IME) IA Health Plan 20,815 Network Server Hacking incident at business associate (Independent Living Systems)_
Lake County Health Department and Community Health Center IL Healthcare Provider 17,000 Email Hacked email account
Southwest Healthcare Services ND Healthcare Provider 15,996 Network Server Hacking incident (data theft confirmed)
La Clínica de La Raza, Inc. CA Healthcare Provider 15,316 Email Hacked email accounts
St. Luke’s Health System, Ltd. ID Healthcare Provider 15,246 Paper/Films Mailing error
Two Rivers Public Health Department NE Healthcare Provider 15,168 Email Hacked email account
Robeson Health Care Corporation NC Healthcare Provider 15,045 Network Server Malware infection
Northeast Behavioral Health Care Consortium PA Health Plan 13,240 Email Hacked email account (Phishing)
Centers for Medicare & Medicaid Services MD Health Plan 10,011 Paper/Films Mailing error at business associate (Palmetto GBA)
Modern Cardiology Associates PR Healthcare Provider 10,000 Network Server Hacking incident

Causes of April 2023 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 36 of the month’s breaches (69.2%) and the vast majority of the breached records. Across those incidents, 4,077,019 healthcare records were exposed or stolen – 92.1% of the records that were breached in April. The average breach size was 119,914 records and the median breach size was 9,675 records.

April 2023 Healthcare data breach causes

Ransomware attacks continue to be conducted by there has been a notable shift in tactics, with many ransomware gangs opting for data theft and extortion without encrypting files, as was the case with the attacks conducted by the Clop ransomware group which exploited a zero-day vulnerability in the Fortra GoAnywhere MFT solution. The BianLian threat group has previously conducted attacks using ransomware, but this year has been primarily conducting extortion-only attacks, which are quieter and faster. 12 of the month’s breaches (40%) involved hacked email accounts, highlighting the importance of security awareness training and multifactor authentication.

There were 13 unauthorized access/disclosure incidents in April, including a 58K-record incident involving tracking technologies that transferred sensitive data to third parties such as Google, instances of paper records not being secured, and PHI that had been exposed over the Internet. Across those 13 breaches, 105,155 records were impermissibly disclosed. The average breach size was 8,089 records and the median breach size was 1,304 records.

There were two theft incidents involving 3,321 records in total and one improper disposal incident. The improper disposal incident was reported as involving 501 records – a placeholder commonly used to meet the Breach Notification Rule reporting deadline when the total number of individuals affected has yet to be determined.  As the chart below shows, the majority of incidents involved ePHI stored on network servers and in email accounts.

Location of PHI in April 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data on the OCR breach portal shows the reporting entity, which in some cases is a HIPAA-covered entity when the breach actually occurred at a business associate. The breach portal shows 31 data breaches were reported by healthcare providers, 8 by health plans, and 13 by business associates. The charts below are based on where the breach occurred, rather than the entity that reported the data breach, to better reflect the extent to which data breaches are occurring at business associates.

April 2023 healthcare data breaches by HIPAA-regulated entity type

While healthcare providers were the worst affected HIPAA-regulated entity, the majority of the month’s breached records were due to data breaches at business associates.

Records exposed or stolen in April 2023 healthcare data breaches by hipaa-regulated entity type

Geographical Distribution of April 2023 Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states and Puerto Rico, with California the worst affected state with 16 breaches, 9 of which were the same incident that was reported separately for each client by Brightline Inc., which is why the breach count was so high for California this month.

State Breaches
California 16
Florida 4
New York & Pennsylvania 3
Illinois, Kentucky, Ohio, & Texas 2
Alabama, Arizona, Idaho, Iowa, Indiana, Maryland, Michigan, Minnesota, Nebraska, North Carolina, North Dakota, Oregon, Utah, Virginia, Washington, West Virginia, Wisconsin & Puerto Rico 1

HIPAA Enforcement Activity in April 2023

No HIPAA enforcement actions were announced by OCR or state attorneys general in April 2023 to resolve violations of HIPAA and state laws, and no Health Breach Notification Rule enforcement actions were announced by the Federal Trade Commission.

The post April 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Will a HIPAA Violation Show Up on a Background Check?

Posted by HIPAA Journal

Whether or not a HIPAA violation will show up on a background check depends on the nature of the violation, the consequences of the violation, and the motive for the violation. While it is currently rare for a HIPAA violation to show up on a background check, this may change due to a proposed update to the Privacy Rule.

There are many different types of HIPAA violations. Some have minimal impact and no long-lasting consequences – i.e., an accidental disclosure of PHI that is overheard, but nothing comes of it – whereas others can have a major impact on an organization and serious consequences for individuals affected by the violation – i.e., the deliberate misuse of login credential that exposes a PHI database.

Most employee HIPAA violations are addressed according to a Covered Entity’s sanctions policy. Employees responsible for minor violations will likely be sanctioned with verbal or written warnings and additional HIPAA training. Those responsible for repeated or serious violations could be sanctioned with a suspension or termination of employment, or loss of license to practice.

A suspension, termination, or loss of license would be recorded in an employment record, but would not show up on a background check unless the motive for the HIPAA violation was the knowing and wrongful disclosure of individually identifiable health information without authorization – which is not only a violation of HIPAA, but also a violation of §1177 of the Social Security Act.

When a HIPAA Violation Will Show Up on a Background Check

When a HIPAA violation is also a violation of the Social Security Act, an employer is required to report the violation to a law enforcement agency as well as HHS’ Office for Civil Rights. The case will be referred to the Department of Justice, who will pursue a criminal conviction for the violation. If successful, the penalties for criminally violating HIPAA are:

  • For wrongfully and knowingly violating §1177 of the Social Security Act – a fine of up to $50,000 and/or a prison sentence of up to one year.
  • If the offence is committed under false pretenses (i.e., with someone else’s login credentials) – a fine of up to $100,000 and/or a prison sentence of up to five years.
  • If the offence is committed for personal gain, malicious harm, or a commercial advantage – a fine of up to $250,000 and/or a prison sentence of up to ten years.

Regardless of the sentence imposed, the HIPAA violation, the consequences of the HIPAA violation, and the penalty for the HIPAA violation will become public record and will show up on a background check. This will undoubtedly prevent a person obtaining employment in a healthcare role, and likely prevent employment in any other position in which the person will have access to sensitive data.

The Proposed Update to the Privacy Rule

In April 2023, HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking in the Federal Register. The Notice is in response to the Supreme Court’s decision in Dobbs v. Jackson Women`s Health Organization, which led to many states introducing anti-abortion legislation and women having to cross state lines to have terminations in states where abortions are still legal.

State with anti-abortion legislation cannot prevent women crossing state lines to have a termination, but some have introduced further legislation criminalizing the act of assisting with or facilitating a termination procedure. Because this could lead to the disclosure of PHI to pursue a criminal conviction relating to a medical procedure that was legal in the state it was administered, HHS` Office for Civil Rights is proposing an update to the Privacy Rule.

The update would add a new category of uses and disclosures (“attestation”) to those that already exist (“required”, “permitted”, “opportunity to agree”, and “authorized”). Thereafter, certain types of PHI considered more sensitive than other types could only be used or disclosed if the recipient attests the PHI will not be further used or disclosed for a prohibited purpose (in this case to pursue a criminal conviction relating to a legal procedure).

If finalized, the new category would not only apply to PHI relating to terminations, but to all reproductive healthcare – including contraception, fertility treatment, and miscarriages. The category could also be used to align the Privacy Rule more closely with 42 CFR Part 2 (the confidentiality of substance use disorder medical records), and protect other types of sensitive data from misuse or disclosures that contradict Health and Human Services’ messaging.

How the Update Could Increase §1177 Violations

The reason the update could increase §1177 violations is that, if a person to whom sensitive PHI is disclosed under an attestation subsequently uses or discloses the PHI for a prohibited purpose, they will be considered to have knowingly and wrongfully disclosed individually identifiable health information without authorization.

Importantly, not only will the person who gave a false attestation be guilty of a §1177 violation, but the Covered Entity (or employee of a Covered Entity) who disclosed the information may also be guilty of a §1177 violation if they knew – or should have known – that sensitive PHI was going to be used or disclosed for a prohibited purpose.

If an employee of a Covered Entity is found guilty of a §1177 violation, this will also be a HIPAA violation that will show up on a background check. Therefore – if the proposed update to the Privacy Rule is finalized – not only should Covered Entities make sure policies and procedures reflect the new category of uses and disclosures, but also that all members of the workforce are trained on the updated policies and procedures to prevent avoidable violations of HIPAA.

The post Will a HIPAA Violation Show Up on a Background Check? appeared first on HIPAA Journal.