HIPAA Compliance News

Noncompliant Use of Website Tracking Technologies is an Enforcement Priority for OCR

If you are a HIPAA-covered entity and use tracking technologies on your websites or apps, you must ensure that they are HIPAA-compliant. The Director of the HHS’ Office for Civil Rights has confirmed that this aspect of compliance with the HIPAA Rules is now an enforcement priority for OCR and the department is actively looking into noncompliance by HIPAA-covered entities.

OCR Director Melanie Fontes Rainer confirmed in an interview with Information Security Media Group that enforcement actions will be taken very soon against HIPAA-regulated entities that use tracking technologies that disclose protected health information to third parties without authorization or a business associate agreement. OCR has recently been restructured to improve efficiency, which will allow it to undertake more enforcement actions against HIPAA-regulated entities for noncompliance with the HIPAA Rules.

Tracking technologies, often referred to as pixels, are snippets of code that are added to websites and apps that collect the data of website users and are typically used for website analytics to improve the quality of websites and services. While there is nothing wrong with improving services for website and app users, these tools often pass the data they collect to the third-party providers of the code. When an individual visits a healthcare website, the information collected may include data classed as protected health information, and disclosing that information to third parties not authorized to receive that data is a HIPAA violation.

The disclosure of PHI via tracking technologies is not permitted by the HIPAA Privacy Rule unless the third party to which the information is disclosed is a business associate under HIPAA, the disclosure is permitted by the HIPAA Privacy Rule, and a HIPAA-compliant business associate agreement is in place. Alternatively, authorization must be obtained from website visitors prior to the collection and transmission of PHI.

Over the past two years, analyses have been conducted on the use of these technologies by healthcare organizations such as hospitals, counseling providers, and telehealth companies which suggest they have been extensively used. One study indicates 99% of hospitals had added the tools to their websites.

Last year, OCR issued guidance to HIPAA-regulated entities on the use of these tools and confirmed how HIPAA applies to these tools. HIPAA-regulated entities have had several months to assess their websites and apps and either remove tracking code or ensure it is used in a manner compliant with the HIPAA Rules. The continued use of these tools and/or failure to send breach notifications when there have been confirmed disclosures of PHI to third parties will likely result in enforcement actions. The Federal Trade Commission is also cracking down on the use of these tools by non-HIPAA-regulated entities.

If you are a HIPAA-regulated entity, it is important to conduct an audit of your websites and apps to identify whether any tracking code is in use and whether there is the potential for PHI to be impermissibly disclosed to third parties. If such code is identified, it must be made HIPAA-compliant or be removed. If unauthorized disclosures of PHI have occurred, breach notifications must be issued to OCR and the affected individuals.

The post Noncompliant Use of Website Tracking Technologies is an Enforcement Priority for OCR appeared first on HIPAA Journal.

March 2023 Healthcare Data Breach Report

Our monthly data breach reports are based on data breaches of 500 or more records that have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) each month. The monthly reports provide an indication of the extent to which healthcare data breaches are increasing, decreasing, or remaining flat. To view longer-term healthcare data breach trends, visit our healthcare data breach statistics page.

Healthcare Data Breaches Reported in March 2023

In March, 63 breaches of 500 or more records were reported to OCR, which is a 46.51% increase from February, 6.92% more than the 12-month average, and 40% more breaches than in March 2022.

March 2023 Healthcare Data Breach Report - 12 month breaches

There was a 15.62% month-over-month increase in breached records, with 6,382,618 records exposed or impermissibly disclosed across the 63 data breaches. That’s 36% more records breached than the 12-month average and 76.46% more breached records than in March 2022.

March 2023 Healthcare Data Breach Report - 12 month breached records

Largest Healthcare Data Breaches

In March, 22 healthcare data breaches were reported that impacted more than 10,000 individuals, up from 17 such breaches in February 2023. Four of those breaches, including the largest data breach of the month, were due to the use of tracking code on websites that collected individually identifiable website visitor data. The data collected was used for analytics purposes but was transferred to the providers of the code. Those third parties included, but were not limited to, Meta (Facebook), Instagram, and Google. These tracking tools are not prohibited by the HIPAA Privacy Rule, but if they are used, authorization must be obtained, or the disclosure must be permitted by the Privacy Rule and a business associate agreement must be in place with the provider of the code. We can expect to see many more of these breaches reported over the coming weeks and months. According to a recently published study, 99% of U.S. hospitals have used these tools on their websites. Relatively few have reported tracking code-related data breaches to OCR.

Malicious actors continue to use ransomware in their attacks on healthcare organizations. Three of the top 22 data breaches were confirmed as involving ransomware, and several other hacking incidents were reported that involved network disruption but were not reported as involving ransomware. Several threat actors that are known to use ransomware in their attacks on the healthcare sector are now choosing not to encrypt files; instead, they simply steal data for extortion. For example, the Clop ransomware group typically deploys ransomware in its attacks, but in recent attacks that exploited a vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution, ransomware was not deployed. The group stole data from 130 organizations in the attacks, including Community Health Systems Professional Services Corporations and US Wellness Inc., both of which are in the top 22 list.

There were three 10,000+ record data breaches involving the hacking of email accounts, through phishing or other means. Phishing attacks are common in healthcare, and while these attacks can be difficult to prevent, it is possible to limit the harm caused by placing time limits on how long emails are stored in email accounts. While emails often need to be retained for compliance with HIPAA and other laws, moving them to a secure archive can help to reduce the extent of a data breach if email accounts are compromised. In one of the phishing attacks, a single compromised email account contained the PHI of more than 77,000 individuals.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Cerebral, Inc | DE | Business Associate | 3,179,835 | Website tracking code: impermissible disclosure to third parties
ZOLL Services LLC | MA | Healthcare Provider | 997,097 | Hacking incident (details not made public)
Community Health Systems Professional Services Corporations (CHSPSC), LLC | TN | Business Associate | 962,884 | Hacking of Fortra’s GoAnywhere MFT solution
Santa Clara Family Health Plan | CA | Health Plan | 276,993 | Hacking incident involving business associate (no information available)
Monument, Inc. | NY | Business Associate | 108,584 | Website tracking code: impermissible disclosure to third parties
Bone & Joint Clinic, S.C. | WI | Healthcare Provider | 105,094 | Hacking incident: network disruption and data theft
Florida Medical Clinic, LLC | FL | Healthcare Provider | 94,132 | Ransomware attack
Healthy Options dba Postal Prescription Services – Kroger | OH | Healthcare Provider | 82,466 | Impermissible disclosure of PHI to Kroger
NorthStar Emergency Medical Services | AL | Healthcare Provider | 82,450 | Hacking incident (details not made public)
Merritt Healthcare Advisors | CT | Business Associate | 77,258 | Unauthorized accessing of employee email account
NewYork Presbyterian Hospital | NY | Healthcare Provider | 54,396 | Website tracking code: impermissible disclosure to third parties
Trinity Health | MI | Business Associate | 45,350 | Phishing attack: employee email account compromised
UHS of Delaware, Inc. | PA | Business Associate | 40,290 | Unauthorized accessing of employee email account
SundaySky, Inc. | NY | Business Associate | 37,095 | Hacked cloud server: data theft confirmed
Denver Public Schools Medical Plans | CO | Health Plan | 35,068 | Hacked network server: data theft confirmed
Atlantic General Hospital | MD | Healthcare Provider | 26,591 | Ransomware attack
UC San Diego Health | CA | Healthcare Provider | 23,000 | Website tracking code used by a business associate: impermissible disclosure to third parties
Tallahassee Memorial Healthcare, Inc. | FL | Healthcare Provider | 20,376 | Hacked network server: data theft confirmed
Northeast Surgical Group, PC | MI | Healthcare Provider | 15,298 | Hacked network server
Health Plan of San Mateo | CA | Health Plan | 11,894 | Unauthorized accessing of employee email account
US Wellness Inc. | MD | Business Associate | 11,459 | Hacking of Fortra’s GoAnywhere MFT solution
Codman Square Health Center | MA | Healthcare Provider | 10,161 | Ransomware attack

Causes of March 2023 Data Breaches

The majority of the month’s reported breaches were classified as hacking/IT incidents, as has been the case for many months. While hacking incidents usually account for the vast majority of breached records, in March they accounted for only 54.29% of the month’s breached records due to very large data breaches caused by the use of tracking technologies. The average size of a hacking incident in March was 73,724 records and the median breach size was 2,785 records.

March 2023 Healthcare Data Breach Report - causes

There were 14 data breaches reported as unauthorized access/disclosure incidents and while they only accounted for 22.22% of the month’s data breaches, they were responsible for 45.65% of the breached records, mostly due to the website tracking code breaches. The average breach size was 208,114 records and the median breach size was 2,636 records. There was one theft incident reported involving the protected health information of 3,013 individuals and one improper disposal incident involving 999 records.

March 2023 Healthcare Data Breach Report - data location

Where Did the Breaches Occur?

The entity reporting a data breach is not always the entity that experienced the breach. Business associates of HIPAA-covered entities may self-report breaches, but it is common for the covered entity to report the breaches. The data submitted to OCR indicates breaches occurred at 33 healthcare providers, 24 business associates, and 6 health plans. The pie charts below are based on where the breaches actually occurred rather than the reporting entity, as this provides a clearer picture of the extent to which data breaches are occurring at business associates.

March 2023 Healthcare Data Breach Report - breaches at hipaa-regulated entities

The pie chart below shows the extent to which patient and health plan member records have been exposed or compromised at business associates. 75.4% of the month’s breached records were due to data breaches at business associates.

March 2023 Healthcare Data Breach Report - records breached at hipaa-regulated entities

Geographical Distribution of March 2023 Data Breaches

Data breaches were reported by HIPAA-regulated entities in 25 U.S. states in March, with New York topping the list with 18 reported data breaches. The unusually high total was due to an attack on a business associate – Atlantic Dialysis Management Services – which reported the breach separately for each affected client and submitted 14 separate breach reports to OCR.

State Breaches
New York 18
California 7
Florida, Massachusetts, Ohio, Pennsylvania & Texas 3
Indiana, Kansas, Maryland, Michigan & Oregon 2
Alabama, Arizona, Colorado, Connecticut, Delaware, Georgia, Illinois, Kentucky, New Jersey, Oklahoma, Tennessee, Wisconsin & West Virginia 1

HIPAA Enforcement Activity in March 2023

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights in March, but there was one enforcement action by a state Attorney General. The New York Attorney General confirmed that a case had been settled with the law firm Heidell, Pittoni, Murphy & Bach LLP. The law firm was investigated following a breach of the personal and protected health information of 61,438 New York residents to identify potential violations of HIPAA and New York laws. The law firm chose to settle the case with no admission of wrongdoing and paid a financial penalty of $200,000. The New York Attorney General alleged violations of 17 HIPAA provisions and implementation specifications.

While the Federal Trade Commission does not enforce HIPAA, the agency has started taking action over breaches of healthcare data by non-HIPAA-covered entities to resolve violations of the FTC Act and the FTC Health Breach Notification Rule. In February, the FTC announced that its first settlement had been reached for a health data breach notification failure, and that was followed by a second enforcement action in March. The FTC announced that the online counseling service provider BetterHelp had agreed to settle alleged FTC Act violations related to impermissible disclosures of health data to third parties when users of its services had been told their information was private and confidential. While there was no fine, under the terms of the settlement, $7.8 million will be paid to the consumers affected by the breach and they must be notified per the Health Breach Notification Rule.


OCR Proposes HIPAA Privacy Rule Update to Bolster Reproductive Health Care Privacy

The HHS’ Office for Civil Rights has published a Notice of Proposed Rulemaking (NPRM) on an update to the HIPAA Privacy Rule to strengthen privacy protections for reproductive health information. The proposed update is in response to the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization and the overturning of Roe v. Wade, which removed the federal right to abortion that had been in place for almost half a century.

Since that decision in 2022, states have been scrambling to enact abortion laws. 18 states have introduced full or partial bans on abortions in their states, and a further 4 states are due to introduce full or partial bans. There is concern that those states will attempt to prosecute state residents that seek abortions out of state and will request the health data of individuals from healthcare providers who provide reproductive health services or facilitate reproductive health care.

“When the Supreme Court overturned Roe v. Wade, nearly half a century of precedent changed overnight,” said Secretary Xavier Becerra in an announcement about the NPRM. “The Biden-Harris Administration is committed to protecting women’s lawful access to reproductive health care, including abortion care. President Biden signed not one but two executive orders calling on HHS to take action to meet this moment and we have wasted no time in doing so. Today’s action is yet another important step HHS is taking to protect patients accessing critical care.”

Currently, the HIPAA Privacy Rule permits but does not require HIPAA-covered entities to provide reproductive health information to law enforcement. OCR has released guidance on disclosures of reproductive health information and has clarified the circumstances when reproductive health information can be legally disclosed. OCR has also stated that noncompliance with the HIPAA Rules with respect to reproductive health care is an enforcement priority for OCR.

Today’s announcement is intended to enhance privacy protections and strengthen patient-provider confidentiality by prohibiting disclosures of reproductive health information to investigate or prosecute patients, providers, and others involved in the provision of legal reproductive health care, including abortion care.

Specifically, the proposed HIPAA Privacy Rule update will prohibit disclosures of reproductive health care information for:

  • Criminal, civil, or administrative investigations into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of initiating such investigations or proceedings.

These restrictions will apply in the following situations:

  • Reproductive health care is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized.
  • Reproductive health care that is protected, required, or expressly authorized by federal law, regardless of the state in which such health care is provided.
  • Reproductive health care that is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided.

Reproductive health care is defined as including, but not limited to, prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer.

Under the proposed rule, if a request is received for protected health information that is potentially related to reproductive health care, a regulated entity will be required to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. The attestations will be required for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.

“I have met with doctors across the country who have shared their stories,” said OCR Director Melanie Fontes Rainer. “These providers have expressed fear, anger, and sadness that they or their patients may end up in jail for providing or obtaining evidence-based and medically appropriate care. Trust is critical in the patient-doctor relationship and medical mistrust can damage and chill patients’ relationship with their providers, imperiling patient health,” added Fontes Rainer. “Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care.”


HHS Secretary Will Not Renew COVID-19 PHE: HIPAA Enforcement Discretion to End on May 11, 2023

The Secretary of the Department of Health and Human Services (HHS) has announced that he does not plan to renew the COVID-19 Public Health Emergency, which is due to expire on May 11, 2023. The HHS’ Office for Civil Rights (OCR) has confirmed that the Notifications of Enforcement Discretion that were issued in response to the COVID-19 Public Health Emergency will expire one month from today, at 11:59 pm on May 11, 2023.

Four Notifications of Enforcement Discretion were announced by OCR in response to the COVID-19 Public Health Emergency in 2020 and 2021 to support the healthcare sector during the COVID-19 pandemic. Under the Notifications of Enforcement Discretion, OCR would refrain from imposing financial penalties for violations of certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The flexibilities introduced by OCR concerned community-based COVID-19 testing sites, uses and disclosures of protected health information by business associates for public health oversight activities, the use of online or web-based scheduling applications for scheduling individual appointments for COVID-19 vaccinations, and the use of telehealth remote communications that would not, under normal circumstances, be HIPAA-compliant.

OCR had previously stated that it would provide healthcare organizations with sufficient time to come into compliance with the HIPAA Rules regarding telehealth, so while the notice of enforcement discretion ends on May 11, 2023, HIPAA-covered entities will be provided with a three-month – 90-day – transition period, during which time financial penalties will not be imposed for non-compliance with the HIPAA Rules in connection with the good faith provision of telehealth services. The transition period starts on May 12, 2023, and expires at 11:59 pm on August 9, 2023.

“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

Since the telehealth Notification of Enforcement Discretion took effect, healthcare providers have been able to use any non-public-facing remote communication product for audio and video communication to provide telehealth services, even if those platforms are not HIPAA compliant. For instance, if a communication platform was used and the provider of that platform was unwilling to enter into a business associate agreement with the healthcare provider, the platform could still be used without risking a financial penalty.

Now that the Notification of Enforcement Discretion is due to expire, healthcare providers must enter into a HIPAA-compliant business associate agreement with the provider of the communication platform to be able to continue to use it after August 9, 2023. Healthcare providers should make arrangements to obtain a business associate agreement or transition to a HIPAA-compliant communications platform as soon as possible to prevent any disruption to telehealth services and to avoid financial penalties for non-compliance.

You can view the OCR announcement on this link (PDF).


99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties

New research indicates virtually all U.S. hospitals have been using tracking software on their websites that captures visitor data, including health information, and transfers that information to third parties. The study, published this month in Health Affairs, was conducted by researchers at the University of Pennsylvania. They used the 2019 American Hospital Association (AHA) Annual Survey to identify hospitals and narrowed their study to nonfederal acute care hospitals with an emergency department that were not ambulatory surgery centers or freestanding long-term care facilities; the websites of 3,747 U.S. hospitals were assessed in the study.

The researchers used an open-source tool called WebXray to identify third-party tracking code and recorded data requests on the hospital websites over a 3-day period in 2021. The researchers also recorded cookies and data stored on browsers that would allow visitors to the websites to be tracked across the Internet. They found 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties and 94.3% used cookies that allowed visitors to the websites to be tracked across the Internet. Over the three-day study period, the home pages of the websites initiated a median of 16 data transfers.

The tracking code, sometimes referred to as pixels, is provided by third parties for use on websites for tracking visitors and the code is incredibly common across the Internet. The code is used to record website interactions, such as the pages visited, how visitors arrived on the website, and the sites they visited when they left. The data collected through the code can be used by website operators to improve their websites and services, but the data collected is also transferred to the third parties that provide the code.

While these technologies can be found on virtually all websites, the Health Insurance Portability and Accountability Act (HIPAA) does not permit the use of these technologies unless certain conditions are met as the tracking code can collect individually identifiable health information, including visits to web pages about specific medical conditions such as HIV, cancer, and Alzheimer’s disease, and information entered into web forms.

The third parties receiving the information are typically not HIPAA-regulated entities, which means uses and disclosures of the transferred data are largely unregulated. The transferred information could be used for a variety of purposes, such as serving targeted advertisements related to medical conditions, health insurance, or medications. What actually happens to the transferred data is unclear.

The HHS’ Office for Civil Rights (OCR) recently issued guidance for HIPAA-regulated entities on the use of tracking technologies on websites and apps and confirmed that the use of these technologies is not permitted by the HIPAA Privacy Rule unless the third parties receiving protected health information are legitimate business associates and a business associate agreement has been signed. Alternatively, authorizations are required before protected health information is transferred.

According to the study, hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving urban patient populations had more third-party data transfers than other hospitals, which it was hypothesized could be due to the websites providing a more extensive range of services, the inclusion of third-party apps on the website – Google Maps for example – or them having a higher level of website advertising.

The third parties that most commonly received data were Alphabet (Google), on 98.5% of websites; Meta (Facebook), on 55.6% of websites; and Adobe Systems, on 31.4% of websites. Other third parties that commonly received visitor data included AT&T, The Trade Desk, Oracle, Verizon, Rubicon Project, Amazon, Microsoft, Hotjar, StackPath, Siteimprove, Cloudflare, and Acxiom.

“By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” wrote the researchers. “These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”

In 2021, three Boston hospitals – Massachusetts General Hospital, Brigham and Women’s Hospital, and Dana Farber Cancer Institute – agreed to pay more than $18 million to settle allegations they had shared website user data with third parties without consent, and many more lawsuits against healthcare providers are pending.

Given the recent guidance from OCR and the extent to which tracking code has been used, all hospitals should review their websites for tracking code and ensure that business associate agreements are in place, patient authorizations are obtained, or that the code is removed from the websites or is made HIPAA-compliant. If tracking code is found and protected health information has been impermissibly disclosed it is a reportable data breach and the HHS must be informed and notifications sent to affected patients.
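The audit recommended above, and earlier in the OCR enforcement-priority piece, starts with an inventory of every third party a page contacts. The following Python script is an added example written for this page; it is not code from HIPAA Journal, OCR, or the Health Affairs study (which used WebXray). It parses a page's HTML, lists the external hosts loaded through script, img, iframe and link tags, flags the ones that belong to well-known tracking providers, detects trackers bootstrapped by inline scripts such as fbq('init') or gtag('config'), and shows which page URLs a captured beacon request carries, since on a hospital site the page path alone can be PHI. The tracker host list, the fictional example-hospital.org page and the beacon's parameter names are constructed for illustration and are assumptions, not data from the page.

```python
"""Static audit of a page's HTML for third-party tracking code.

Lists every external host the page would contact via script/img/iframe/
link tags, flags hosts of well-known tracking providers, spots trackers
bootstrapped by inline scripts, and shows which page URLs a captured
beacon request discloses. Tag managers load more trackers at runtime, so
a full audit also records the requests a real browser makes.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hostnames of common tracking providers (assumption: illustrative list,
# not exhaustive; extend it from your own traffic captures).
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel beacon",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

# Inline bootstraps that configure a tracker without any <script src>.
INLINE_SIGNATURES = {
    "Meta Pixel": re.compile(r"""fbq\(\s*['"]init['"]"""),
    "Google Analytics": re.compile(r"""gtag\(\s*['"]config['"]"""),
}


class _ResourceCollector(HTMLParser):
    """Collects src/href URLs and the bodies of inline <script> blocks."""

    SRC_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls, self.inline_scripts = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.SRC_ATTR.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(attrs[attr])
        if tag == "script" and not attrs.get("src"):
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def third_party_resources(html, first_party_host):
    """Return [(host, label)] for each external resource the page loads."""
    collector = _ResourceCollector()
    collector.feed(html)
    found = []
    for url in collector.urls:
        host = urlparse(url).hostname  # '//host/path' parses as well
        if not host or host == first_party_host or host.endswith("." + first_party_host):
            continue  # relative or first-party: no third-party disclosure
        found.append((host, KNOWN_TRACKERS.get(host, "unknown third party")))
    return found


def inline_trackers(html):
    """Return names of trackers bootstrapped by inline <script> code."""
    collector = _ResourceCollector()
    collector.feed(html)
    return sorted(name for script in collector.inline_scripts
                  for name, pat in INLINE_SIGNATURES.items() if pat.search(script))


def disclosed_urls(beacon_url):
    """Query parameters of a captured beacon whose values are URLs.

    Trackers usually send the page URL and referrer; on a hospital site
    the path alone ('/cancer-center/appointment') can be PHI.
    """
    query = parse_qs(urlparse(beacon_url).query)
    return {k: v[0] for k, v in query.items()
            if urlparse(v[0]).scheme in ("http", "https")}


# Constructed sample page for a fictional hospital domain.
SAMPLE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>function gtag(){dataLayer.push(arguments);} gtag('config', 'G-XXXX');</script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<link rel="stylesheet" href="https://cdn.example-hospital.org/css/main.css">
</head><body><h1>Oncology appointments</h1></body></html>"""

# Constructed sample beacon as it might appear in a browser's network log
# (parameter names are illustrative).
SAMPLE_BEACON = ("https://www.facebook.com/tr/?id=000000000000000&ev=PageView"
                 "&dl=https%3A%2F%2Fwww.example-hospital.org%2Fcancer-center%2Fappointment"
                 "&rl=https%3A%2F%2Fwww.google.com%2F")

if __name__ == "__main__":
    for host, label in third_party_resources(SAMPLE_HTML, "example-hospital.org"):
        print(f"{host:28} {label}")
    print("inline bootstraps:", inline_trackers(SAMPLE_HTML))
    print("beacon discloses:", disclosed_urls(SAMPLE_BEACON))
```

Run against the constructed page, the script reports the Google Tag Manager script and the Meta Pixel image beacon as third-party resources, the Google Analytics and Meta Pixel inline bootstraps, and the two page URLs carried by the sample beacon. Anything labelled "unknown third party" needs the same treatment as a named tracker: either a business associate agreement with that host's operator, patient authorization, or removal. Because tag managers and pixels can inject further requests after page load, pair this static pass with a capture of the live requests (browser developer tools, a proxy, or a crawler such as WebXray) before concluding a site is clean.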

The post 99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties appeared first on HIPAA Journal.

99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties

New research indicates virtually all U.S. hospitals have been using tracking software on their websites that captures visitor data, including health information, and transfers that information to third parties. The study – published this month in Health Affairs – was conducted by researchers at the University of Pennsylvania. They used the 2019 American Hospital Association (AHA) Annual Survey to identify hospitals and narrowed their study to nonfederal acute care hospitals with an emergency department, which were not ambulatory surgery centers or freestanding long-term care facilities – The websites of 3,747 U.S. hospitals were assessed in the study.

The researchers used an open-source tool called WebXray to identify third-party tracking code and recorded data requests on the hospital websites over a 3-day period in 2021. The researchers also recorded cookies and data stored on browsers that would allow visitors to the websites to be tracked across the Internet.  They found 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties and 94.3% used cookies that allowed visitors to the websites to be tracked across the Internet. Over the three-day study period, the home pages of the websites initiated a median of 16 data transfers.

The tracking code, sometimes referred to as pixels, is provided by third parties for use on websites for tracking visitors and the code is incredibly common across the Internet. The code is used to record website interactions, such as the pages visited, how visitors arrived on the website, and the sites they visited when they left. The data collected through the code can be used by website operators to improve their websites and services, but the data collected is also transferred to the third parties that provide the code.

While these technologies can be found on virtually all websites, the Health Insurance Portability and Accountability Act (HIPAA) does not permit the use of these technologies unless certain conditions are met as the tracking code can collect individually identifiable health information, including visits to web pages about specific medical conditions such as HIV, cancer, and Alzheimer’s disease, and information entered into web forms.

The third parties receiving the information are typically not HIPAA-regulated entities, which means uses and disclosures of the transferred data are largely unregulated. The transferred information could be used for a variety of purposes, such as serving targeted advertisements related to medical conditions, health insurance, or medications. What actually happens to the transferred data is unclear.

The HHS’ Office for Civil Rights (OCR) recently issued guidance for HIPAA-regulated entities on the use of tracking technologies on websites and apps and confirmed that the use of these technologies is not permitted by the HIPAA Privacy Rule unless the third parties receiving protected health information are legitimate business associates and a business associate agreement has been signed. Alternatively, authorizations are required before protected health information is transferred.

According to the study, hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving urban patient populations had more third-party data transfers than other hospitals, which it was hypothesized could be due to the websites providing a more extensive range of services, the inclusion of third-party apps on the website – Google Maps for example – or them having a higher level of website advertising.

The third parties that most commonly received data were Alphabet (Google) – 98.5% of websites, Meta (Facebook) – 55.6% of websites, and Adobe Systems – 31.4% of websites. Other third parties that commonly received visitor data include AT&T, The Trade Desk, Oracle, Verizon, Rubicon Project, Amazon, Microsoft, Hotjar, StackPath, Siteimprove, Cloudflare, and Acxiom.

“By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties,” wrote the researchers. “These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.”

In 2021, three Boston hospitals – Massachusetts General Hospital, Brigham and Women’s Hospital, and Dana Farber Cancer Institute – agreed to pay more than $18 million to settle allegations they had shared website user data with third parties without consent, and many more lawsuits against healthcare providers are pending.

Given the recent guidance from OCR and the extent to which tracking code has been used, all hospitals should review their websites for tracking code and ensure that business associate agreements are in place, patient authorizations are obtained, or that the code is removed from the websites or made HIPAA-compliant. If tracking code is found and protected health information has been impermissibly disclosed, it is a reportable data breach: the HHS must be informed and notifications sent to affected patients.
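One practical way to start the review recommended above is to inventory every script, image pixel and iframe a page loads from a host other than your own. The following is an added example written for this article, not code from HIPAA Journal or from any of the vendors named; the sample HTML, the first-party hostname (www.hospital.example) and the tracker-domain list are constructed or illustrative assumptions, and the list should be extended with the vendors your own review finds. It parses static HTML only, so tags injected at runtime by a tag manager still need a browser-based crawl to catch.

```python
"""Inventory third-party script, pixel and iframe loads in a page's HTML.

Added example (not HIPAA Journal's or any vendor's code). Assumptions:
the page HTML is available as a string, the site's own hostname is known,
and KNOWN_TRACKER_SUFFIXES is an illustrative starting list, not a
complete one. Sample HTML below is constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname suffixes commonly associated with the analytics/advertising
# vendors named in the article. Illustrative; extend from your own review.
KNOWN_TRACKER_SUFFIXES = {
    "google-analytics.com": "Alphabet (Google)",
    "googletagmanager.com": "Alphabet (Google)",
    "doubleclick.net": "Alphabet (Google)",
    "facebook.net": "Meta (Facebook)",
    "facebook.com": "Meta (Facebook)",
    "demdex.net": "Adobe Systems",
    "omtrdc.net": "Adobe Systems",
}

# Tags that fetch a remote resource, and the attribute carrying its URL.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src"}

# Constructed sample page: two first-party assets, four third-party loads.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-EXAMPLE"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=EXAMPLE&amp;ev=PageView" height="1" width="1"/>
<iframe src="https://maps.example-cdn.net/embed"></iframe>
<img src="/images/logo.png">
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every resource-loading tag seen."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def _registrable(host):
    # Crude "last two labels" grouping; production code should use a
    # public suffix list so that e.g. co.uk domains are handled correctly.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_third_party_loads(html, first_party_host):
    """Return every load whose host is not the site's own registrable domain."""
    parser = ResourceCollector()
    parser.feed(html)
    own = _registrable(first_party_host)
    findings = []
    for tag, url in parser.resources:
        host = urlparse(url).hostname  # None for relative URLs (first party)
        if not host or _registrable(host) == own:
            continue
        vendor = KNOWN_TRACKER_SUFFIXES.get(_registrable(host), "unknown third party")
        findings.append({"tag": tag, "host": host, "vendor": vendor, "url": url})
    return findings


def summarize(findings):
    """Count third-party loads per vendor for the review report."""
    counts = {}
    for f in findings:
        counts[f["vendor"]] = counts.get(f["vendor"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_third_party_loads(SAMPLE_HTML, "www.hospital.example")
    for f in found:
        print(f"{f['tag']:<7} {f['host']:<30} {f['vendor']}")
    print(summarize(found))
```

Every host reported as "unknown third party" is exactly the case the OCR guidance is about: a recipient that may not be a business associate and for which no agreement or authorization may exist, so each one needs to be identified and either covered by a BAA, authorized, or removed.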

The post 99% of Hospitals Use Website Tracking Code That Transmits Data to Third Parties appeared first on HIPAA Journal.

New York Law Firm Pays $200,000 to State AG to Resolve HIPAA Violations

A New York law firm that suffered a LockBit ransomware attack has agreed to pay a financial penalty of $200,000 to the New York Attorney General to resolve alleged violations of New York General Business Law and the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA).

Heidell, Pittoni, Murphy & Bach LLP (HPMB) is a New York City-based medical malpractice law firm. On or around Christmas Day 2021, the LockBit ransomware gang gained access to its network and encrypted files. The investigation confirmed that files were exfiltrated in the attack, including legal documents, patient lists, and medical records. The patient information included names, birthdates, medical histories, treatment information, Social Security numbers, and health insurance information. The incident was reported to the HHS’ Office for Civil Rights on May 16, 2022, as affecting 114,979 individuals. HPMB engaged a third-party ransomware remediation firm to negotiate with the threat actor and ended up paying $100,000 for the keys to decrypt files and to prevent the release of the stolen data. The investigation confirmed the LockBit gang gained access to its network in November 2021 by exploiting unpatched Microsoft Exchange vulnerabilities.

The incident was investigated by the Office of the New York Attorney General to determine whether the law firm had violated state laws and the HIPAA Rules. The NY AG determined that the vulnerabilities exploited by the LockBit gang had been identified by Microsoft in April and May 2021 and that patches had been released shortly thereafter to fix those vulnerabilities. Despite the vulnerabilities being well known, they remained unpatched for more than 6 months, which left the firm’s email server vulnerable to attack.

The NY AG determined that 17 provisions of the HIPAA Privacy and Security Rules had been violated, and that New York General Business Law had also been violated by the failure to implement reasonable security practices to protect private information and the failure to issue timely notifications to 61,438 New York residents.

The alleged HIPAA violations were:

  • The failure to safeguard electronic protected health information (ePHI).
  • The failure to protect against reasonably anticipated threats to ePHI.
  • The failure to review and modify data protection practices.
  • The failure to conduct an accurate and thorough risk assessment.
  • The failure to implement appropriate security measures to reduce risks to ePHI.
  • The failure to regularly review records of information system activity.
  • The failure to implement procedures sufficient to guard against, detect, and report malicious software.
  • The failure to implement procedures sufficient for periodic testing and revision of contingency plans.
  • The failure to perform a periodic technical and nontechnical evaluation.
  • The failure to sufficiently implement technical policies and procedures for ePHI to limit access by unauthorized individuals.
  • The failure to encrypt ePHI.
  • The failure to implement a centralized logging system for information systems to allow unauthorized system activity to be detected.
  • The failure to implement a system for detecting the alteration or destruction of ePHI.
  • The failure to implement procedures sufficient to verify that a person or entity seeking access to ePHI is the one claimed.
  • The failure to implement reasonable and appropriate policies and procedures to comply with the standards of 45 C.F.R. Part 164, Subpart C.
  • The failure to prevent unauthorized access to ePHI.
  • The failure to adhere to the minimum necessary standard.

In addition to paying a financial penalty, HPMB has agreed to implement a comprehensive information security program that includes risk analyses at least annually, implement appropriate administrative, technical, and physical safeguards, and conduct regular tests of those safeguards. HPMB will appoint a Chief Information Security Officer (CISO), encrypt all ePHI at rest and in transit, implement a centralized logging system, conduct system activity reviews, establish a patch management program, and develop a penetration testing program.

“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” said Attorney General Letitia James. “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”


February 2023 Healthcare Data Breach Report

The number of healthcare data breaches reported over the past three months has remained fairly flat, with only a small uptick in breaches in February, which saw 43 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), well below the 12-month average of 57.4 reported breaches a month. An average of 41 data breaches have been reported each month over the past 3 months, compared to an average of 50.6 breaches per month for the corresponding period last year.

[Chart: February 2023 Healthcare Data Breach Report - Records breached]

The downward trend in breached records did not last long. There was a sizeable month-over-month increase in breached records, jumping by 418.7% to 5,520,291 records. February was well above the monthly average of 4,472,186 breached records a month, with the high total largely due to a single breach that affected more than 3.3 million individuals.

[Chart: February 2023 Healthcare Data Breach Report - Records Breached]

Largest Healthcare Data Breaches Reported in February 2023

17 healthcare data breaches of 10,000 or more records were reported in February, all of which were hacking incidents. The largest data breach affected 3,300,638 patients of 4 medical groups in California that are part of the Heritage Provider Network – Regal Medical Group, Inc.; Lakeside Medical Organization, A Medical Group, Inc.; ADOC Acquisition Co., A Medical Group Inc.; & Greater Covina Medical Group, Inc. This was a ransomware attack with confirmed data theft and was, at the time of reporting, the largest healthcare data breach of the year. That record did not stand for long, as a 4.4 million-record breach was reported this month (Independent Living Systems).

Hacking incidents were reported by CentraState Healthcare System in New Jersey (617,901 records), Cardiovascular Associates in Alabama (441,640 records), and the Florida-based revenue cycle management company, Reventics (250,918 records), all of which saw sensitive data exfiltrated. It is unclear whether these incidents were ransomware or extortion attacks. An email account breach at Highmark Inc. rounds out the top five. That incident was reported to the HHS’ Office for Civil Rights as two separate breaches, affecting 239,039 and 36,600 individuals – 275,639 in total. The breach occurred as a result of an employee clicking a link in a phishing email.

The full list of 10,000+ record data breaches, with their causes, is detailed in the table below.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Regal Medical Group, Inc., Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., A Medical Group Inc. & Greater Covina Medical Group, Inc. | CA | Healthcare Provider | 3,300,638 | Ransomware attack (data theft confirmed) |
| CentraState Healthcare System, Inc. | NJ | Healthcare Provider | 617,901 | Hacking incident (data theft confirmed) |
| Cardiovascular Associates | AL | Healthcare Provider | 441,640 | Hacking incident (data theft confirmed) |
| Reventics, LLC | FL | Business Associate | 250,918 | Hacking incident (data theft confirmed) |
| Highmark Inc | PA | Health Plan | 239,039 | Phishing attack |
| 90 Degree Benefits, Inc. | WI | Business Associate | 175,000 | Hacking incident |
| Hutchinson Clinic, P.A. | KS | Healthcare Provider | 100,000 | Hacking incident |
| Lawrence General Hospital | MA | Healthcare Provider | 76,571 | Hacking incident |
| Sharp Healthcare | CA | Healthcare Provider | 62,777 | Hacked web server (data theft confirmed) |
| Rise Interactive Media & Analytics, LLC | IL | Business Associate | 54,509 | Hacking incident |
| Highmark Inc | PA | Business Associate | 36,600 | Phishing attack |
| Teijin Automotive Technologies Welfare Plan | MI | Health Plan | 25,464 | Ransomware attack – Access gained through phishing |
| Evergreen Treatment Services | WA | Healthcare Provider | 21,325 | Hacking incident |
| Aloha Nursing Rehab Centre | HI | Healthcare Provider | 20,216 | Hacking incident (data theft confirmed) |
| NR Pennsylvania Associates, LLC | PA | Healthcare Provider | 14,335 | Hacking incident (data theft confirmed) |
| Intelligent Business Solutions | NC | Business Associate | 11,595 | Ransomware attack |
| Arizona Health Advantage, Inc. dba Arizona Priority Care; AZPC Clinics, LLC; and health plans for which APC has executed a BAA | AZ | Healthcare Provider | 10,978 | Ransomware attack |

Causes of Healthcare Data Breaches in February 2023

Hacking and other IT incidents dominated the breach reports in February with 33 such incidents reported, accounting for 76.7% of all breaches reported in February. Across those incidents, the records of 5,497,797 individuals were exposed or stolen – 99.59% of the breached records in February. The average breach size was 166,600 records and the median breach size was 10,978 records.

There were 8 unauthorized access/disclosure incidents reported, involving a total of 13,950 records. The average breach size was 1,744 records and the median breach size was 689 records. One of the incidents – reported by Asante – involved a physician accessing the records of patients with whom there was no treatment relationship. The unauthorized access continued for 9 years before it was detected, during which time the records of 8,834 patients were impermissibly viewed. Incidents such as this show why it is important to maintain logs of medical record access and to review those logs regularly, ideally automating the process using a monitoring and alerting system.
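The automated review suggested above comes down to joining the access audit log against the records that document a treatment relationship and alerting on users who view charts outside it. The following is an added example written for this report, not code from HIPAA Journal, Asante or any EHR vendor: the log format, the user and patient identifiers, the care-team assignments and the alert threshold are all constructed assumptions, and a real deployment would derive the relationship set from encounters, orders, referrals and coverage schedules, and exempt documented break-glass access.

```python
"""Flag medical-record accesses that have no documented treatment relationship.

Added example, not code from HIPAA Journal or any EHR vendor. Assumptions:
the EHR exports an access audit log as CSV and a care-team table listing
which users are assigned to which patients. All log lines, identifiers and
assignments below are constructed for the demo.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed audit log: who viewed which chart and when.
ACCESS_LOG = """timestamp,user_id,role,patient_id,action
2023-02-01T08:01:00,dr_ahmed,physician,P1001,view_chart
2023-02-01T08:05:00,dr_ahmed,physician,P1002,view_chart
2023-02-01T09:10:00,dr_reed,physician,P2001,view_chart
2023-02-01T09:12:00,dr_reed,physician,P2002,view_chart
2023-02-01T09:13:00,dr_reed,physician,P2003,view_chart
2023-02-02T11:00:00,nurse_kim,nurse,P1001,view_chart
2023-02-02T11:30:00,nurse_kim,nurse,P3001,view_chart
2023-02-02T12:00:00,dr_reed,physician,P3001,view_chart
"""

# Constructed care-team assignments (encounters, orders, referrals) that
# document a treatment relationship between a user and a patient.
CARE_TEAM = {
    ("dr_ahmed", "P1001"), ("dr_ahmed", "P1002"),
    ("dr_reed", "P2001"),
    ("nurse_kim", "P1001"), ("nurse_kim", "P3001"),
}


def parse_log(text):
    """Parse the CSV export into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))


def unjustified_accesses(events, care_team):
    """Events where the (user, patient) pair has no documented relationship."""
    return [e for e in events if (e["user_id"], e["patient_id"]) not in care_team]


def review(events, care_team, alert_threshold=2):
    """Group unjustified accesses by user and record first/last occurrence.

    A user who reaches alert_threshold distinct patients gets an alert; a
    single stray lookup is still reported so a reviewer can follow up.
    """
    per_user = defaultdict(lambda: {"patients": set(), "first": None, "last": None})
    for e in unjustified_accesses(events, care_team):
        entry = per_user[e["user_id"]]
        entry["patients"].add(e["patient_id"])
        entry["first"] = min(filter(None, [entry["first"], e["timestamp"]]))
        entry["last"] = max(filter(None, [entry["last"], e["timestamp"]]))
    return {
        user: {
            "patients": sorted(v["patients"]),
            "first_seen": v["first"],
            "last_seen": v["last"],
            "alert": len(v["patients"]) >= alert_threshold,
        }
        for user, v in per_user.items()
    }


if __name__ == "__main__":
    report = review(parse_log(ACCESS_LOG), CARE_TEAM)
    for user, r in report.items():
        flag = "ALERT" if r["alert"] else "review"
        print(f"{flag:<7} {user:<10} {len(r['patients'])} patient(s) "
              f"{r['first_seen']} .. {r['last_seen']}: {', '.join(r['patients'])}")
```

Run daily against the previous day's export, this turns a 9-year blind spot into a next-day ticket; the first_seen/last_seen span also tells the privacy officer how far back the impermissible viewing goes when the breach has to be scoped for notification.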

[Chart: February 2023 Healthcare Data Breach Report - Causes]

One theft incident was reported involving a portable electronic device containing the PHI of 986 patients and one incident involved the improper disposal of paper records that contained the PHI of 7,558 patients.

[Chart: February 2023 Healthcare Data Breach Report - Location of PHI]

What HIPAA-Regulated Entities were Affected?

Healthcare providers were the worst affected type of HIPAA-regulated entity in February, with 31 data breaches of 500 or more records. Seven data breaches were reported by business associates and five were reported by health plans. When data breaches involve business associates, they are often reported by the covered entity. In February, 6 data breaches involved business associates but were reported by the affected healthcare providers and health plans. The two charts are based on where the breach occurred rather than who reported it.

[Chart: February 2023 Healthcare Data Breach Report - Reporting Entities]

The average healthcare provider breach exposed 178,046 records (median: 3,061 records), the average health plan data breach exposed 67,236 records (median: 3,909 records), and the average business associate data breach involved 47,859 records (median: 8,500 records).

[Chart: February 2023 Healthcare Data Breach Report - Records by Reporting Entity]

Where Did the Breaches Occur?

Data breaches were reported by HIPAA-covered entities and business associates in 28 states, with California being the worst affected state with 4 breaches reported in February.

| State | Breaches |
|---|---|
| California | 4 |
| Pennsylvania & Texas | 3 |
| Arizona, Illinois, Kansas, Massachusetts, New Jersey, Oregon, Virginia & Washington | 2 |
| Alabama, Colorado, Connecticut, Florida, Georgia, Hawaii, Iowa, Maryland, Michigan, New Hampshire, New Mexico, North Carolina, Rhode Island, Tennessee, Utah, Wisconsin & Wyoming | 1 |

HIPAA Enforcement Activity in February 2023

The HHS’ Office for Civil Rights announced one enforcement action in February to resolve alleged violations of the HIPAA Rules. OCR investigated Banner Health over a 2016 breach of the protected health information of 2.81 million individuals and identified multiple potential HIPAA violations related to risk analyses, system activity reviews, verification of identity for access to PHI, and technical safeguards. Banner Health agreed to settle the case and paid a $1,125,000 financial penalty.

DNA Diagnostics Center was investigated by the Attorneys General in Pennsylvania and Ohio after a reported breach of the personal and health information of 45,600 state residents. The investigation determined there was a lack of safeguards, a failure to update its asset inventory, and a failure to disable or remove assets that were not used for business purposes. While these failures would have been HIPAA violations, the settlement resolved violations of state laws. DNA Diagnostics Center paid a financial penalty of $400,000, which was split equally between the two states.

In February, the Federal Trade Commission (FTC) announced its first-ever settlement to resolve a violation of the FTC Health Breach Notification Rule. While the Rule has been in effect for a decade, the FTC has never enforced it. That has now changed. The FTC stated last year that it would be holding non-HIPAA-covered entities accountable for impermissible disclosures of health information and breach notification failures. GoodRx Holdings Inc. was found to have used tracking technologies on its website that resulted in unauthorized disclosures of personal and health information to Facebook, Google, and other third parties and failed to issue notifications to affected individuals. The allegations were settled and GoodRx paid a $1,500,000 financial penalty.


Settlement Agreed with Florida Children’s Health Insurance Website Contractor to Resolve False Claims Act Allegations

The United States Department of Justice has agreed to settle alleged False Claims Act violations with Jelly Bean Communications Design LLC and manager Jeremy Spinks related to the failure to protect HIPAA-covered data.

Jelly Bean Communications Design is a Tallahassee, FL-based company co-owned by Jeremy Spinks, who is the company’s manager and sole employee. The company provides web hosting functions and services for its clients, one of which was the Florida Healthy Kids Corporation (FHKC). FHKC is a state-created entity that offers health and dental insurance to children in Florida between the ages of 5 and 18. FHKC receives Medicaid funds and state funds for providing health insurance programs for children in Florida.

On July 1, 2012, the Agency for Health Care Administration (AHCA) in Florida contracted with FHKC to provide services for the State Children’s Health Insurance Plan (SCHIP) Program, which included implementing technical safeguards to ensure the confidentiality, integrity, and availability of the electronic protected health information that was received, maintained, or transmitted on behalf of AHCA. FHKC contracted with Jelly Bean Communications Design on October 13, 2013, to provide web design, programming, and hosting services. Under that contract, Jelly Bean Communications Design was required to provide a fully functioning hosting environment that complied with the standards of the HIPAA Security Rule, thus requiring Jelly Bean Communications Design to create appropriate code to ensure the secure communication of HIPAA-protected data. The contract was renewed by FHKC through 2020, with the federal government covering 86% of the payments to Jelly Bean Communications Design.

Between 2013 and 2020, the online application system created by Jelly Bean Communications Design collected data from parents and other individuals that were provided when submitting applications for Medicaid insurance coverage for children. Jelly Bean Communications Design issued invoices to FHKC for its services, which included “HIPAA-compliant hosting” and a monthly retainer fee for hosting and other tasks.

In early December 2020, it became clear that the website had been hacked and that unauthorized individuals had accessed the application data of more than 500,000 individuals submitted through the HealthyKids.org website. FHKC initiated an investigation that revealed hackers had altered applications, allowing data to be stolen. The review of the website found multiple outdated and vulnerable applications, and the website had not been patched since November 2013. Further, the website did not maintain audit logs showing who had accessed the personal information of applicants. The types of information compromised included names, dates of birth, email addresses, telephone numbers, addresses, Social Security numbers, financial information, family relationship information, and secondary insurance information. The application portal was shut down by FHKC in December 2020 in response to the cybersecurity failures.

The civil litigation alleged that Jelly Bean Communications Design and Jeremy Spinks failed to follow cybersecurity standards, resulting in the exposure of sensitive HIPAA-covered data, and submitted false claims that the data would be safeguarded while knowingly failing to properly maintain, patch, and update software systems. While Jelly Bean Communications Design acted as a business associate under HIPAA, the action was taken over violations of the False Claims Act under the Department of Justice’s 2021 Civil Cyber-Fraud Initiative. The Civil Cyber-Fraud Initiative utilizes the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients, and the case was the result of a coordinated effort by the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section, and the U.S. Attorney’s Office for the Middle District of Florida, with assistance provided by HHS-OIG.

The claims were settled by Jelly Bean Communications Design and Jeremy Spinks, who agreed to pay $293,771 to resolve the allegations, of which $130,565.00 is restitution. The settlement was agreed to avoid the delay, uncertainty, inconvenience, and expense of protracted litigation, with no admission of liability or wrongdoing and no concession by the United States that its claims were not well founded.

“Companies have a fundamental responsibility to protect the personal information of their website users. It is unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of thousands of children,” said Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General (HHS-OIG). “HHS-OIG will continue to work with our federal and state partners to ensure that enrollees can rely on their health care providers to safeguard their personal information.”
