HIPAA News for Small and Mid-Sized Practices

Are You Blocking Ex-Employees’ PHI Access Promptly?

A recent study commissioned by OneLogin has revealed many organizations are not doing enough to prevent data breaches by ex-employees.

Access to computer systems and applications is a requirement while employed, but many organizations are failing to block access to systems promptly when employees leave the company, even though ex-employees pose a significant data security risk.

Blocking access to networks and email accounts when an employee is terminated or otherwise leaves the company is one of the most basic security measures, yet all too often the process is delayed.

500 IT employees who had some responsibility for security in their organization were interviewed for the study and approximately half of respondents said they do not immediately terminate ex-employees’ network access rights. 48% said it takes longer than a day to delete ex-employees’ login credentials.

A quarter of respondents said it can take up to a week to block access, while one in five respondents said it can take up to a month to deprovision ex-employees. That gives them plenty of time to gain access to systems and steal information. Almost half of respondents were aware of ex-employees who still had access to company systems, while 44% of respondents lacked confidence that ex-employees had been removed from their networks.

Deprovisioning ex-employees can be a labor-intensive task and IT departments are under considerable time pressure. It is all too easy to postpone the task and concentrate on other more pressing issues. Automatic provisioning technology can reduce the time burden and improve security, but many organizations continue to perform the task manually. Whether automatic or manual, deprovisioning should take place promptly – as soon as the individual is terminated or employment ceases.
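As an added example of what such automation looks like in practice (this script is not part of the HIPAA Journal post or the OneLogin study), the following PowerShell reconciles an HR termination export against Active Directory, disables any account that is still enabled on or after its owner's termination date, and flags accounts that were used after that date. It assumes the RSAT ActiveDirectory module is installed, that HR can export a CSV with SamAccountName and TerminationDate columns, and that the default CSV path and the optional destination OU are placeholders to be replaced.

```powershell
# Added example (not from the OneLogin study or HIPAA Journal): reconciles an HR
# termination export against Active Directory, disables any account that is still
# enabled on or after the worker's termination date, and flags logons after that
# date. Needs the RSAT ActiveDirectory module and rights to disable accounts.
# ASSUMED: HR exports a CSV with SamAccountName and TerminationDate columns; the
# default path below is a placeholder. Run with -WhatIf first to see what would change.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$TerminationCsv = 'C:\hr\terminations.csv',
    [string]$DisabledOu = $null   # ASSUMED, optional: OU to move disabled accounts into
)

$today    = (Get-Date).Date
$findings = @()

foreach ($row in Import-Csv -LiteralPath $TerminationCsv) {
    $termDate = ([datetime]$row.TerminationDate).Date
    if ($termDate -gt $today) { continue }   # future-dated leaver; nothing to do yet

    $user = Get-ADUser -Identity $row.SamAccountName -Properties LastLogonDate, Description -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "$($row.SamAccountName): no AD account (already deleted, or HR/AD names differ)"
        continue
    }
    if (-not $user.Enabled) { continue }

    # Still enabled after the termination date: this is exactly the gap the study measures.
    $lagDays       = ($today - $termDate).Days
    $loggedOnAfter = $user.LastLogonDate -and $user.LastLogonDate -gt $termDate
    $findings += [pscustomobject]@{
        User                  = $user.SamAccountName
        TerminationDate       = $termDate.ToShortDateString()
        DaysStillEnabled      = $lagDays
        LogonAfterTermination = [bool]$loggedOnAfter
    }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Disable account ($lagDays day(s) after termination)")) {
        Disable-ADAccount -Identity $user
        # Leave an audit trail on the object itself; the domain controller security
        # log records the change as well.
        Set-ADUser -Identity $user -Description "Disabled $($today.ToShortDateString()) by deprovisioning script (termination $($termDate.ToShortDateString()))"
        if ($DisabledOu) { Move-ADObject -Identity $user -TargetPath $DisabledOu }
    }
}

# Accounts with a logon after the termination date need an access review, not just a disable.
$findings | Sort-Object LogonAfterTermination -Descending | Format-Table -AutoSize
```

Run it with -WhatIf first, then from a scheduled task fed by the daily HR export. The findings table is the evidence that, according to the study, almost half of organizations cannot produce: which accounts outlived their owners' employment, for how long, and whether anyone used them in the meantime. Disabling the domain account is only the first step; SaaS, VPN and email access provisioned outside the directory needs the same reconciliation.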

How serious is the threat from ex-employees? 20% of respondents said they had experienced at least one data breach by an ex-employee, while approximately half of those individuals said more than 1 in 10 data breaches experienced by their organization was due to an ex-employee.

For healthcare organizations, ex-employees are a significant threat. There have been numerous cases of employees changing companies and taking patient lists with them when they leave. If access is not blocked, there is nothing to stop data being stolen.

Further, if no policy covers the deprovisioning of departing workforce members, or that policy is not strictly adhered to, organizations are at risk of a HIPAA violation penalty under the Security Rule’s termination procedures standard – see Administrative Safeguards, 45 CFR § 164.308(a)(3)(ii)(C).

The post Are You Blocking Ex-Employees’ PHI Access Promptly? appeared first on HIPAA Journal.

Is Dropbox HIPAA Compliant?

Healthcare organizations can benefit from using Dropbox, but is Dropbox HIPAA compliant? Can the service be used to store and share protected health information?

Is Dropbox HIPAA Compliant?

Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information? Is Dropbox HIPAA compliant?

Dropbox claims it now supports HIPAA and HITECH Act compliance but that does not mean Dropbox is HIPAA compliant. No software or file sharing platform can be HIPAA compliant as it depends on how the software or platform is used. That said, healthcare organizations can use Dropbox to share or store files containing protected health information without violating HIPAA Rules.

The Health Insurance Portability and Accountability Act requires covered entities to enter into a business associate agreement (BAA) with an entity before any protected health information (PHI) is shared. Dropbox is classed as a business associate so a BAA is required.

Dropbox will sign a business associate agreement with HIPAA-covered entities. To avoid a HIPAA violation, the BAA must be obtained before any file containing PHI is uploaded to a Dropbox account. A BAA can be signed electronically via the Account page of the Admin Console.

Dropbox allows third party apps to be used, although it is important to note that they are not covered by the BAA. If third party apps are used with a Dropbox account, covered entities need to assess those apps separately prior to their use.

Dropbox Accounts Must be Configured Carefully

HIPAA requires healthcare organizations to implement safeguards to preserve the confidentiality, integrity and availability of PHI. It is therefore important to configure a Dropbox account correctly. Even with a signed BAA, it is possible to violate HIPAA Rules when using Dropbox.

To avoid a HIPAA violation, sharing permissions should be configured to ensure files containing PHI can only be accessed by authorized individuals. Sharing permissions can be set to prevent PHI from being shared with any individual outside of a team. Two-step verification should be used as an additional safeguard against unauthorized access.

It should not be possible for any files containing PHI to be permanently deleted. Administrators can disable permanent deletions via the Admin Console. That will ensure files cannot be permanently deleted for the lifetime of the account.

It is also essential for Dropbox accounts to be monitored to ensure that PHI is not being accessed by unauthorized individuals. Administrators should remove users when their role changes and they no longer need access to PHI, or when they leave the organization. The list of linked devices should also be reviewed regularly. Dropbox allows content on linked devices to be wiped remotely; that should be done when a user leaves the organization or if a device is lost or stolen.

Dropbox records all user activity. Reports can be generated to show who has shared content and to obtain information on authentication and the activities of account administrators. Those reports should be regularly reviewed.

Dropbox will provide a mapping of its internal practices on request and offers a third-party assurance report that details the controls that the firm has implemented to help keep files secure. Those documents can be obtained from the account management team.

So, is Dropbox HIPAA compliant? Dropbox is secure and controls have been implemented to prevent unauthorized access, but ultimately HIPAA compliance depends on users. If a BAA is obtained and the account is correctly configured, Dropbox can be used by healthcare organizations to share PHI with authorized individuals without violating HIPAA Rules.

The post Is Dropbox HIPAA Compliant? appeared first on HIPAA Journal.

ONC Offers Help for Covered Entities on Medical Record Access for Patients

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request.

Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case.

Patients often have difficulty accessing their electronic health data with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other healthcare providers, they can find it difficult to find the information they need.

The Office of the National Coordinator for Health Information Technology (ONC) has recently published a report detailing some of the problems faced by healthcare providers when providing medical record access for patients. The report offers useful tips for healthcare organizations to help them provide medical record access for patients quickly and easily.

For the report, Improving the Health Records Request Process for Patients, ONC spoke to 17 consumers to find out about the challenges they faced when attempting to gain access to their medical records. The report includes three examples of patients and caregivers that have experienced difficulties when attempting to exercise their right to access medical data. The personas are fictional, although the challenges faced by those personas were taken from real world examples.

ONC also looked at the medical record release forms used by 50 large healthcare systems across 32 states and spoke to stakeholders and health system professionals about the challenges faced when trying to provide patients with copies of their health records. ONC discovered the process of providing electronic copies of health records is often hampered by inefficient systems and limited resources.

The research has allowed ONC to develop tips to help healthcare providers create a streamlined, transparent, and electronic records request process. Making the suggested changes will allow health systems to improve the process of providing access to health data. Patients will then suffer less frustration and be able to obtain their records faster, allowing them to coordinate their care more effectively and have greater control over their health and wellbeing.

The post ONC Offers Help for Covered Entities on Medical Record Access for Patients appeared first on HIPAA Journal.

Indiana Senate Passes New Law on Abandoned Medical Records

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information.

HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and when PHI is no longer required, covered entities must ensure it is disposed of securely.

For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves using software to overwrite the data, purging involves degaussing (exposing the media to a strong magnetic field) to destroy it, and destruction of electronic media can involve pulverization, melting, disintegration, shredding or incineration.

For physical PHI, OCR recommends shredding, burning, pulping, or pulverization to render PHI unreadable and indecipherable and to ensure the data cannot be reconstructed.

If PHI is not disposed of in accordance with HIPAA Rules, covered entities can face heavy financial penalties. Those penalties are decided by OCR, although state attorneys general can also fine covered entities since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

While state attorneys general can take action against covered entities for HIPAA violations that impact state residents, few have exercised that right: only Connecticut, Vermont, Massachusetts, New York and Indiana have done so since the passing of the HITECH Act.

Even though few states are taking action against covered entities for HIPAA violations as allowed by the HITECH Act, many states have introduced laws to protect state residents in the event of a data breach.

In Indiana, a new state law has been recently passed that allows action to be taken against organizations that fail to dispose of medical records securely.

Indiana Updates Legislation Covering Abandoned Medical Records

In Indiana, legislation has previously been introduced covering ‘abandoned records’. If medical records are abandoned, such as being dumped or disposed of without first rendering them unreadable, action can be taken against the organization concerned.

Abandoned records are those which have been “voluntarily surrendered, relinquished, or disclaimed by the health care provider or regulated professional, with no intention of reclaiming or regaining possession.” The state law previously only covered physical records, although a new Senate Bill (SB 549) has recently been unanimously passed that has expanded the definition to also include ePHI stored in databases. The definition of ‘abandoned records’ has also been expanded to include those that have been “recklessly or negligently treated such that an unauthorized person could obtain access or possession” to those records.

While there are exceptions under SB 549 for organizations that maintain their own data security procedures under HIPAA and other federal legislation, the new law closes a loophole for organizations that are no longer HIPAA covered entities. In recent years, there have been numerous cases of healthcare organizations going out of business and subsequently abandoning patients’ files. SB 549 allows the state attorney general to take action against HIPAA covered entities that have gone out of business if they are discovered to have abandoned PHI or disposed of ePHI incorrectly.

The new legislation came into effect on July 1, 2017. The new law allows the Indiana attorney general to file actions against the organization concerned and recover the cost of securing and disposing of the abandoned records. That should serve as a deterrent and will help to keep state residents’ PHI private.

The post Indiana Senate Passes New Law on Abandoned Medical Records appeared first on HIPAA Journal.

U.S. Healthcare Providers Affected by Global Ransomware Attack

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Steps to reduce the risk of infection are set out below.

NotPetya Ransomware Attacks Spread to the United States

Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems.

Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities.

While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. Fourteen of the health system’s community facilities were closed on Wednesday as a result of the attack, and lab and diagnostic services were also affected.

The health system’s communications director, Suzanne Sakson said, “Corrective measures supplied by our antivirus software vendor have been developed and are being implemented and tested within the health system.”

No evidence has been uncovered to suggest protected health information has been accessed, although an investigation into the incident is ongoing.

West Virginia’s Princeton Community Hospital has also been affected with many of the hospital’s computers taken out of action following infection with ransomware. An investigation has been launched to determine whether patient health information was potentially accessed. Hospital spokesperson Rick Hypes said the hospital has implemented its protocols for cyberattacks and patient care is continuing to be provided.

The New Jersey-based pharmaceutical firm Merck has also been affected.

While it was initially believed the attacks involved Petya ransomware, security researchers believe this is a Petya-like ransomware variant from the same family. It has already attracted a variety of names including NotPetya, SortaPetya, GoldenEye, Petna, Nyeta and ExPetr.

Decryption Unlikely, Even if the Ransom is Paid

The ransomware variant encrypts the Master File Table (MFT) and overwrites the Master Boot Record with its own loader, so the computer can no longer locate its files and boots to the ransom note instead of Windows. The attackers have collected some ransom payments, although recovering systems by paying the ransom may not be possible.

The attacker was using an email account through a German email provider; however, that email account has been suspended. The email account was used to verify payment of a ransom. Without access to that email account, payment verification would be prevented.

Security researchers at Kaspersky Lab have also discovered a flaw in the ransomware which prevents data recovery, even if the ransom is paid. Kaspersky Lab issued a statement saying “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.”

Some security researchers have suggested that the goal of the attack was therefore not extortion but sabotage. Matt Suiche suggested in a recent analysis of the attack that “The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.” A development mistake by the attackers is, however, also a plausible explanation.

The number of victims has been rising steadily: Kaspersky Lab identified 2,000 attacks on Tuesday, and Microsoft now reports at least 12,500 infections across 65 countries.

The attacks have hit multinational companies hard, with infections first occurring in European facilities but then subsequently spreading across networks to other geographical locations. Shipping firm Maersk had its Danish facilities infected, followed by infections in Ireland, the UK and other countries.

How to Prevent Infection with NotPetya Ransomware

Two exploits released by Shadow Brokers have been used to spread infections – EternalBlue and EternalRomance – both of which were addressed with the MS17-010 patch issued by Microsoft in March, which was subsequently expanded for use on non-supported Windows versions such as Windows XP following the WannaCry ransomware attacks last month.

However, a single unpatched computer is enough for the ransomware to gain a foothold. Once inside, it spreads across the network to patched computers as well, using legitimate administration tools such as PsExec and WMI rather than the SMB exploits.

Even if all vulnerable machines have been patched, infection may still occur. The attackers are using multiple attack vectors including spam emails containing malicious attachments.

To protect against these NotPetya ransomware attacks – and other similar attacks – the MS17-010 patch must be applied to all Windows devices. Since data recovery may not be possible it is essential for data to be backed up, with multiple copies made, including one copy on an air-gapped machine that is not exposed via the Internet.

Rapid7 recommends organizations should “employ network and host-based firewalls to block TCP/445 traffic from untrusted systems.” Additionally, “if possible, block 445 inbound to all internet-facing Windows systems.”

PsExec should be removed or blocked, and use of wmic.exe restricted, to limit the ransomware’s ability to spread laterally once it has a foothold.

Since infection can occur via email, organizations should send alerts to company employees alerting them to the risk of attack from infected email attachments, specifically – but not exclusively – Microsoft Excel spreadsheets.

Security researcher Amit Serper of Cybereason found that computers can be ‘vaccinated’ against this variant so that it skips encryption; his method has been confirmed by other firms including Emsisoft and Positive Technologies.

Serper says, “Create a file called perfc in the C:\Windows folder and make it read only.” Step-by-step details are available from Bleeping Computer. The vaccine is specific to this variant and is not a substitute for patching.
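The steps above collected into one script, as an added example that is not from HIPAA Journal, Rapid7, Cybereason or Bleeping Computer. It runs on a single Windows host from an elevated PowerShell prompt: it checks Get-HotFix for an MS17-010 update, adds a host-firewall rule blocking inbound TCP/445 from the ranges you pass, creates the read-only C:\Windows\perfc vaccine file, and reports any PsExec copies found on the PATH. The KB list is partial, and the default untrusted range ('Any') and the rule name are assumptions; complete the KB list from the MS17-010 bulletin for the Windows versions you run.

```powershell
# Added example (not from HIPAA Journal, Rapid7, Cybereason or Bleeping Computer):
# applies the host-level NotPetya mitigations listed above on one Windows machine
# and reports what it found. Run from an elevated PowerShell prompt.
# Items marked ASSUMED must be adjusted for your environment.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # ASSUMED: remote ranges that must not reach TCP/445 on this host. 'Any' is
    # right for an internet-facing system; on an internal file server pass the
    # guest, VPN or DMZ ranges instead of blocking everything.
    [string[]]$UntrustedRanges = @('Any'),
    # ASSUMED and partial: MS17-010 KB numbers for Windows 7/2008 R2, 8.1/2012 R2
    # and XP/2003. Complete the list from the MS17-010 bulletin for your builds.
    [string[]]$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012598')
)

$report = [ordered]@{}

# 1. Is an MS17-010 update installed? Get-HotFix only lists updates that register
#    a KB, so no match means "verify", not necessarily "unpatched".
$installedKbs = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object HotFixID
$report.MS17010Found = @($Ms17010Kbs | Where-Object { $installedKbs -contains $_ })
if ($report.MS17010Found.Count -eq 0) {
    Write-Warning 'No MS17-010 KB found; confirm against the bulletin and patch before relying on anything below.'
}

# 2. Host firewall: block inbound SMB from untrusted systems (Rapid7's advice above).
$ruleName = 'NotPetya - block inbound TCP 445 from untrusted'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess("TCP/445 from $($UntrustedRanges -join ',')", 'Add inbound block rule')) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress $UntrustedRanges -Action Block -Profile Any | Out-Null
    }
}
$report.Smb445BlockRule = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)

# 3. Vaccine: a read-only C:\Windows\perfc makes this variant skip encryption.
#    It is a stopgap for the sample analysed so far, not a substitute for patching.
$perfc = Join-Path $env:SystemRoot 'perfc'
if ($PSCmdlet.ShouldProcess($perfc, 'Create read-only vaccine file')) {
    if (-not (Test-Path -LiteralPath $perfc)) {
        New-Item -Path $perfc -ItemType File | Out-Null
    }
    Set-ItemProperty -LiteralPath $perfc -Name IsReadOnly -Value $true
}
$report.PerfcReadOnly = (Test-Path -LiteralPath $perfc) -and (Get-Item -LiteralPath $perfc).IsReadOnly

# 4. Lateral-movement tooling: list PsExec copies on the PATH so they can be
#    removed or blocked with an AppLocker executable rule. wmic.exe is a system
#    binary; restrict who may run it rather than deleting it.
$report.PsExecOnPath = @(Get-Command psexec.exe, psexec64.exe -ErrorAction SilentlyContinue | ForEach-Object Source)

[pscustomobject]$report
```

Run it with -WhatIf first to see what it would change without touching the firewall or file system. Blocking 445 from Any is appropriate only on internet-facing hosts or machines that serve no SMB; on file servers and domain controllers scope UntrustedRanges to the segments that have no business reaching them. The vaccine file only protects the host it is placed on and only against this variant, which is why the patch and the firewall rule come first and the backups come before either.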

The post U.S. Healthcare Providers Affected by Global Ransomware Attack appeared first on HIPAA Journal.

World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information.

A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, it will be the largest data breach settlement ever, substantially higher than the $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50 million-record breach in 2014.

After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in part, be used to pay for a further two years of credit monitoring services. Alternatively, individuals who have already enrolled in the credit monitoring services previously offered may be permitted to receive a cash payment of $36 in lieu of the additional two years of cover or up to $50 if funds are still available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as there are funds available.

Anthem has also agreed to set aside ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be making changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any wrongdoing.

Anthem Spokesperson Jill Becher explained that while data were stolen in the attack, Anthem has not uncovered evidence to suggest any of the information stolen in the cyberattack was used to commit fraud or was sold on. Becher also said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

While the decision to settle has been made, the settlement must now be approved by the U.S. District judge in California presiding over the case. District Judge Lucy Koh will hear the case on August 17, 2017.

The post World’s Largest Data Breach Settlement Agreed by Anthem appeared first on HIPAA Journal.

Google to Remove Personal Medical Information From Its Search Results

There are only a handful of content categories that Google will not display in its search results. Now the list has grown slightly with the addition of personal medical records, specifically, the ‘confidential, personal medical records of private people.’

The update to its policy was made yesterday, with medical records joining national identification numbers such as Social Security numbers, bank account numbers, credit card numbers, images of signatures, sexual abuse images, revenge porn, and material that has been uploaded to the Internet in violation of the Digital Millennium Copyright Act.

Google’s indexing system captures all publicly accessible information that has been uploaded to the Internet, although there has been criticism in recent years about the types of information Google allows to be listed. Even so, it is rare for Google to make changes to its algorithms to block certain types of content. The last addition to the list of material that can be removed automatically by Google was revenge porn – nude or sexually explicit images that have been uploaded to the Internet without an individual’s consent. Google added that category to its list of unacceptable web content back in 2015.

The latest addition will go some way toward protecting the privacy of individuals who have been the victims of data breaches or data leaks. One notable case of the latter came to light in December last year when an Indian pathology lab accidentally uploaded the pathology results of 43,203 individuals to a website which was indexed by Google and displayed in the search listings. Recently there have been a number of cases of stolen medical records being dumped online when ransom demands have not been paid. In such cases, the information will now be less visible.

If medical records are uploaded to the Internet, accidentally or deliberately, they will still be accessible directly and will be indexed by other search engines, but since more than 77% of people use Google as their primary search engine, it will be harder for the medical records to be found online by the general public.

The post Google to Remove Personal Medical Information From Its Search Results appeared first on HIPAA Journal.

Healthcare Data Breach Costs Fall to $380 Per Record

Healthcare data breach costs have fallen year-over-year according to the latest IBM Security/Ponemon Institute study. However, for the seventh straight year, healthcare data breach costs were higher than in any other industry sector.

This year, the Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. The average global cost per record for all industries is now $141, with healthcare data breach costs more than 2.5 times the global average. Last year, average healthcare data breach costs were $402 per record. The average cost of a breach in the United States across all industries is $225 per record, up from $221 in 2016.

Data breach costs have risen substantially over the past seven years, although the latest report shows there was a 10% reduction in data breach costs across all industry sectors. This was the first year that data breach costs have shown a decline. The average global cost of a data breach now stands at $3.62 million, having reduced from $4 million last year.

The study was conducted globally, with 63 organizations in the United States surveyed. Those organizations were spread across 16 industry sectors. The Ponemon Institute surveyed each company after they experienced the loss or theft of sensitive information and had issued breach notifications to affected individuals. Sensitive data was classed as “An individual’s name plus Social Security number, medical record and/or a financial record or debit card.”

In the United States, the surveyed companies experienced data breaches that resulted in the exposure or theft of between 5,563 and 99,500 records, with an average of 28,512 records per breach.

The Ponemon Institute compared the total cost of a breach with the average over the past four years. In the United States, the total cost of a data breach rose from $7.01 million to $7.35 million. This was the highest total breach cost since IBM Security/Ponemon first started conducting the study.

Across all industry sectors, the cost of a data breach was highest for malicious or criminal attacks ($244 per record), followed by system glitches ($209 per record) and human error ($200 per record). The breakdown of breach causes was malicious or criminal attacks (52%), system glitches (24%) and human error (24%).

How do Healthcare Data Breach Costs Compare to Other Industries?

 

United States Data Breach Costs by Industry

Industry               Average cost per record (USD)
Healthcare             380
Financial Services     336
Services               274
Life Sciences          264
Industrial             259
Technology             251
Education              245
Transportation         240
Communications         239
Energy                 228
Consumer               196
Retail                 177
Hospitality            144
Entertainment          131
Research               123
Public Sector          110
All-industry average   225

 

The study showed the United States has higher breach costs than Europe, where the average cost of a data breach declined by 26% year-over-year. The Ponemon Institute attributed this, in part, to the centralized regulatory environment in Europe. In the United States, organizations have to comply with federal regulations as well as separate regulations in 48 of the 50 states. This makes the breach response labor intensive and extremely costly.

The report suggests the reason for the rise in breach costs in the United States was the result of compliance failures and a rush to notify individuals, with the latter costing organizations 50% more than in Europe. The study revealed the cost of issuing breach notifications was $690,000 on average in the United States – twice the figure of any other country.

The study showed that when third parties were involved in a breach there was an increase in data breach costs, typically adding an extra $17 per record.

As in previous years, a rapid response to a data breach saw organizations limit the cost. When an incident response plan was in place prior to a breach, organizations were able to save an average of $19 per record. There was an average reduction in breach costs of $1 million when organizations were able to contain the breach within 30 days. However, on average, companies took more than six months to discover a breach and more than 66 days to contain it.

Other factors that led to a reduction in breach costs were the use of encryption, which saw a $16 reduction in costs per record and employee education which saw breach costs reduced by $12.50 per record.

Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute said, “Data breaches and the implications associated continue to be an unfortunate reality for today’s businesses,” explaining, “Year-over-year we see the tremendous cost burden that organizations face following a data breach.”

The post Healthcare Data Breach Costs Fall to $380 Per Record appeared first on HIPAA Journal.

May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported.

So far, each month of 2017 has seen more than 30 data breaches reported – That’s one reported breach per day, as was the case in 2016.

In May, there were 255,108 exposed healthcare records representing a 10% increase in victims from the previous month; however, it is not yet known how many records were exposed in 8 of the breaches reported in May. The number of individuals affected could rise significantly.

The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group/hacker known for stealing data and demanding a ransom in exchange for not publishing the data. The latest incident saw the data dumped online when the organization refused to pay the ransom.

While April saw a majority of healthcare data breaches caused by hackers, in May it was insiders that caused the most data breaches. Insiders were responsible for 40.54% of data breaches (15 incidents) in May, with 10 the result of insider errors and 5 incidents the result of insider wrongdoing. In total, 39,491 healthcare records were exposed as the result of insiders.

Hacking was the second biggest cause of data breaches, accounting for 35.14% of the month’s reported breaches. As is typical, hacking resulted in the exposure of the most records – 203,394. At least three of those hacking incidents involved ransomware.

This month’s report proved problematic, as several hacking incidents were discovered after data were posted on black market websites, yet it is unclear whether the incidents are genuine as efforts to verify the data proved inconclusive.

Loss or theft of unencrypted devices and physical records accounted for 13.51% of breaches. Those incidents resulted in the exposure of 4,122 records, although it is unclear how many records were exposed in one of the 4 breaches involving theft/loss. The cause of the 10.81% of incidents is still unknown.

Healthcare providers reported 81% of the month’s breaches, followed by business associates (11%) and health plans (8%).

Over the past two months there has been an improvement in the reporting of healthcare data breaches, with more covered entities reporting incidents inside the 60-day limit of the HIPAA Breach Notification Rule. This month 83% of covered entities reported their breaches on time, an improvement from last month when just 66% of breaches were reported within 60 days. One covered entity took 77 days to report a breach while another took 140 days; more than twice the allowable time. The improvement could be due, in part, to OCR’s decision to fine a covered entity $475,000 for the late issuing of breach notifications to patients.

This month’s Breach Barometer report shows that while breach reporting is improving, breach detection remains a problem. April’s breaches took an average of 51 days to detect, whereas in May it took an average of 441 days for healthcare organizations to discover a breach had occurred. Three healthcare organizations took more than three years to discover a breach had occurred. One healthcare organization took almost three and a half years (1,260 days) to discover a breach, another took 1,125 days and one took 1,071 days.

California was once again the worst affected state with 6 breaches, closely followed by Florida with 5 incidents.

The post May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover appeared first on HIPAA Journal.