Latest HIPAA News

January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day.

As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day. There was also a 15.78% decrease in reported breaches compared to December 2019.

healthcare data breaches February 2019 to January 2020

Healthcare data breaches in January

While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years.

Largest Healthcare Data Breaches in January 2020

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
PIH Health CA Healthcare Provider 199,548 Hacking/IT Incident Email
Douglas County Hospital d/b/a Alomere Health MN Healthcare Provider 49,351 Hacking/IT Incident Email
InterMed, PA ME Healthcare Provider 33,000 Hacking/IT Incident Email
Fondren Orthopedic Group L.L.P. TX Healthcare Provider 30,049 Hacking/IT Incident Network Server
Native American Rehabilitation Association of the Northwest, Inc. OR Healthcare Provider 25,187 Hacking/IT Incident Email
Central Kansas Orthopedic Group, LLC KS Healthcare Provider 17,214 Hacking/IT Incident Network Server
Hospital Sisters Health System IL Healthcare Provider 16,167 Hacking/IT Incident Email
Spectrum Healthcare Partners ME Healthcare Provider 11,308 Hacking/IT Incident Email
Original Medicare MD Health Plan 9,965 Unauthorized Access/Disclosure Other
Lawrenceville Internal Medicine Assoc, LLC NJ Healthcare Provider 8,031 Unauthorized Access/Disclosure Email

Causes of January 2020 Healthcare Data Breaches

2019 saw a major increase in healthcare data breaches caused by hacking/IT incidents. In 2019, more than 59% of data breaches reported to the HHS’ Office for Civil Rights were the result of hacking, malware, ransomware, phishing attacks, and other IT security breaches.

Causes of January 2020 Healthcare Data Breaches

Hacking/IT incidents continued to dominate the breach reports in January and accounted for 59.38% of all breaches reported (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure data breaches (9 incidents), there were two reported theft incidents, both involving physical records, and 2 cases of improper disposal of physical records. Ransomware attacks continue to plague the healthcare industry, but phishing attacks are by far the biggest cause of healthcare data breaches. As the above table shows, these attacks can see the PHI of tens of thousands or even hundreds of thousands of patients exposed or stolen.

Hacking/IT incidents tend to be the most damaging type of breach and involve more healthcare records than other breach types. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breaches as a result of unauthorized access/disclosure incidents. The average breach size was 26,450 records and the median breach size was 2,939 records.

11,284 records were stolen in theft incidents with an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first rendering documents unreadable and undecipherable. The average breach size was  1,406 records. 
Location of breached protected health information

Regular security awareness training for employees has been shown to reduce susceptibility to phishing attacks, but threat actors are conducting increasingly sophisticated attacks. It is often hard to distinguish a phishing email from a genuine message, especially in the case of business email compromise scams.

What is needed to block these attacks is a defense in depth approach and no one technical solution will be effective at blocking all phishing attacks. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to block access to websites hosting phishing kits, DMARC to identify email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.

Healthcare Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in January with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were a further three data breaches reported by covered entities that had some business associate involvement.

January 2020 Healthcare Data Breaches by Covered Entity

January 2020 Healthcare Data Breaches records exposed covered entity

Healthcare Data Breaches by State

HIPAA covered entities and business associates in 23 states reported data breaches in January. California and Texas were the worst affected with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

HIPAA Enforcement in January 2020

There were no financial penalties imposed on HIPAA covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general in January.

There was a notable increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches related to phishing and ransomware attacks.

January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued over a December 2019 ransomware attack, and a second lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that occurred in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has continued in February with several law firms racing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 individuals.

These lawsuits may cite HIPAA violations, but since there is no private cause of action under HIPAA, legal action is taken over violations of state laws.

The post January 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep

The healthcare industry is digitizing business management and data management processes and is adopting new technology to improve efficiency and cut costs, but that technology, in many cases, has been added to infrastructure, processes, and software from a different era and as a result, many vulnerabilities are introduced.

The healthcare industry is being targeted by cybercriminals who are looking for any chink in the armor to conduct their attacks, and many of those attacks are succeeding. The healthcare industry is the most targeted industry sector and one third of data breaches in the United States happen in hospitals.

According to the recently published 2020 Healthcare Security Vision Report from CyberMDX almost 30% of healthcare delivery organizations (HDOs) have experienced a data breach in the past 12 months, clearly demonstrating that the healthcare industry is struggling to address vulnerabilities and block cyberattacks.

Part of the reason is the number of difficult-to-secure devices that connect to healthcare network. The attack surface is huge. It has been estimated that globally there are around 450 million medical devices connected to healthcare networks and 30% of those devices are in the United States. That equates to around 19,300 connected medical devices and clinical assets per hospital in the United States. It is not uncommon for large hospitals to have more than 100,000 connected devices. On average, one in 10 devices on hospital networks are medical devices.

The report reveals 80% of device makers and HDOs say medical devices are difficult to secure due to a lack of knowledge on how to secure them, a lack of training on secure coding practices, and pressure to meet product deadlines.

71% of HDOs say they do not have a comprehensive cybersecurity program that includes medical devices, and 56% believe there will be a cyberattack on their medical devices in the next 12 months. That figure jumps to 58% when you ask medical device manufacturers. Even if an attack occurred, only 18% of HDOs say they are confident that they would be able to detect such an attack.

45% of Medical Devices Vulnerable to Flaws Such as BlueKeep

CyberMDX’s analysis revealed 61% of medical devices are exposed to some degree of cyber risk. 15% are exposed to BlueKeep flaws, 25% are exposed to DejaBlue flaws, and 55% of imaging devices run on outdated software that is vulnerable to exploits such as BlueKeep and DejaBlue. Overall, around 22% of Windows devices on hospital networks are vulnerable to BlueKeep.

BlueKeep and DejaBlue are vulnerabilities that can be exploited via Remote Desktop Protocol (RDP). The flaws can be exploited remotely and allow an attacker to take full control of vulnerable devices. BlueKeep is also wormable, so malware could be created that could spread to other vulnerable devices on a network with no user interaction required.

BlueKeep affects older Windows versions – Windows XP to Windows 7 and Windows Server 2003 to 2008 R2 – but many medical devices run on those older operating systems and have not been updated to protect against exploitation. DejaBlue affects Windows 7 and later versions.

Even Linux-based operating systems are vulnerable. Approximately 15% of connected hospital assets and 30% of medical devices are vulnerable to a flaw known as SACK Panic. It has been estimated that around 45% of medical devices are vulnerable to at least one flaw.

Prompt Patching is Critical, But That’s Not Straightforward

CyberMDX’s research found that 11% of HDOs don’t patch their medical devices at all and when patches are applied, the process is slow. 4 months after a vulnerability as serious as BlueKeep is discovered, an average hospital will only have patched around 40% of vulnerable devices.

The situation could actually be far worse, as the report reveals 25% of HDOs do not have a full inventory of their connected devices and an additional 13% say their inventory is unreliable. 36% do not have a formal BYOD policy and CyberMDX says a typical hospital has lost track of around 30% of its connected devices.

Patching medical devices is no easy task. “Where vulnerabilities concern unmanaged devices, there is no easy way to identify the relevant patch level for each device and no way to centrally push patches (through the active directory and SCCM) to devices distributed throughout the organization,” explained CyberMDX. “For these devices, technicians must individually investigate and manually attend the affected devices.”

Alarmingly, even though medical devices are vulnerable to attack, a majority of HDOs neglect granular network segmentation or segment their networks for reasons other than security, so when network segmentation is used, segments contain a variety of different devices with some connections open to the internet.

If flaws are exploited, many HDOs would struggle to detect an attack. More than a third of HDOs do not continuously monitor their connected devices and a further 21% identify, profile, and monitor their devices manually.

So, What is the Solution?

Improving the security of medical devices is no easy task, as CyberMDX explains. It requires “continuous review of configuration practices, segmentation, network restrictions, appropriate use, credential management, vulnerability monitoring, patching & updating, lifecycle management, recall tracking, access and role controls, compliance assurance, pen testing, live context-aware traffic monitoring & analysis, oversight of partner and third-party security practices, and more.” Further, “If you don’t know what devices you have networked, you won’t be able to understand their individual attack vectors.”

Improving security is certainly a daunting task, but the goal is not to make your organization 100% secure, as that would be an impossible goal. The aim should be to address the most important issues and to significantly reduce the attack surface.

“By more clearly defining lifecycle-wide security responsibilities and expectations with your vendors, by restricting functionally unnecessary in-VLAN communications, by investing in staff-wide cyber training, by normalizing basic network hygiene practices (like password and access management, patching & updating, etc.), and by tweaking security policies (at the NAC or firewall level) specifically for monitors, infusion pumps, and patient tracking devices, you can dramatically shrink your attack surface in short order,” suggest CyberMDX.

The post Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep appeared first on HIPAA Journal.

OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions

An audit conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed many pharmacies and other healthcare providers are improperly using Medicare beneficiaries’ data.

OIG conducted the audit at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS) to determine whether there was inappropriate access and use of Medicare recipients’ data by mail-order and retail pharmacies and other healthcare providers, such as doctors’ offices, clinics, long-term care facilities, and hospitals.

CMS was concerned that a mail order pharmacy and other healthcare providers were misusing Medicare Part D Eligibility Verification Transactions (E1 transactions), which should be only be used to verify Medicare recipients’ eligibility for certain coverage benefits.

OIG conducted the audit to determine whether E1 transactions were only being used for their intended purpose. Since E1 transactions contain Medicare beneficiaries’ protected health information (PHI), they could potentially be used for fraud or other malicious or inappropriate purposes.

An E1 transaction consists of two parts – a request and a response. The healthcare provider submits an E1 request that contains an NCPDP provider ID number or NPI, along with basic patient demographic data.  The request is forwarded onto the transaction facilitator which matches the E1 request data with the data contained in the CMS Eligibility file. A response is then issued, which contains a beneficiary’s Part D coverage information.

The audit was conducted on one mail-order pharmacy and 29 providers selected by CMS. Out of 30 entities audited, 25 used E1 transactions for a purpose other than billing for prescriptions or to determine drug coverage order when beneficiaries are covered by more than one insurance plan. 98% of those 25 providers’ E1 transactions were not associated with prescriptions.

OIG found providers were obtaining coverage information for beneficiaries without prescriptions, E1 transactions were being used to evaluate marketing leads, some providers had allowed marketing companies to submit E1 transactions for marketing purposes, providers were obtaining information about private insurance coverage for items not covered under Part D, long term care facilities had obtained Part D coverage using batch transactions, and E1 transactions had been submitted by 2 non-pharmacy providers.

E1 transactions are covered transactions under HIPAA, PHI must be protected against unauthorized access while it is being electronically stored or transmitted between covered entities, and the minimum necessary standard applies. The findings suggest HIPAA is being violated and that this could well be a nationwide problem. Based on the findings of the audit and apparent widespread improper access and use of PHI, OIG will be expanding the audits nationwide.

OIG believes these issues have arisen because CMS has not yet fully implemented controls to monitor providers who are submitting high numbers of E1 transactions relative to prescriptions provided; CMS has yet to issue clear guidance that E1 transactions must not be used for marketing purposes; and CMS has not limited non-pharmacy access.

Following the audit, CMS took further steps to monitor for abuse of the eligibility verification system and will be taking appropriate enforcement actions when cases of misuse are discovered. OIG has recommended CMS issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized entities submit E1 transactions.

The post OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions appeared first on HIPAA Journal.

2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
1 Optum360, LLC Business Associate 11500000 Hacking/IT Incident Network Server
2 Laboratory Corporation of America Holdings dba LabCorp Healthcare Provider 10251784 Hacking/IT Incident Network Server
3 Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. Health Plan 2964778 Hacking/IT Incident Network Server
4 Clinical Pathology Laboratories, Inc. Healthcare Provider 1733836 Unauthorized Access/Disclosure Network Server
5 Inmediata Health Group, Corp. Healthcare Clearing House 1565338 Unauthorized Access/Disclosure Network Server
6 UW Medicine Healthcare Provider 973024 Hacking/IT Incident Network Server
7 Women’s Care Florida, LLC Healthcare Provider 528188 Hacking/IT Incident Network Server
8 CareCentrix, Inc. Healthcare Provider 467621 Hacking/IT Incident Network Server
9 Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico Healthcare Provider 439753 Hacking/IT Incident Network Server
10 BioReference Laboratories Inc. Healthcare Provider 425749 Hacking/IT Incident Other
11 Bayamon Medical Center Corp. Healthcare Provider 422496 Hacking/IT Incident Network Server
12 Memphis Pathology Laboratory d/b/a American Esoteric Laboratories Healthcare Provider 409789 Unauthorized Access/Disclosure Network Server
13 Sunrise Medical Laboratories, Inc. Healthcare Provider 401901 Hacking/IT Incident Network Server
14 Columbia Surgical Specialist of Spokane Healthcare Provider 400000 Hacking/IT Incident Network Server
15 Sarrell Dental Healthcare Provider 391472 Hacking/IT Incident Network Server
16 UConn Health Healthcare Provider 326629 Hacking/IT Incident Email
17 Premier Family Medical Healthcare Provider 320000 Hacking/IT Incident Network Server
18 Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey Healthcare Provider 305737 Hacking/IT Incident Network Server
19 Navicent Health, Inc. Healthcare Provider 278016 Hacking/IT Incident Email
20 ZOLL Services LLC Healthcare Provider 277319 Hacking/IT Incident Network Server


The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

Healthcare Organization Confirmed Victim Count
Quest Diagnostics/Optum360 11,500,000
LabCorp 10,251,784
Clinical Pathology Associates 1,733,836
Carecentrix 467,621
BioReference Laboratories/Opko Health 425,749
American Esoteric Laboratories 409,789
Sunrise Medical Laboratories 401,901
Inform Diagnostics 173,617
CBLPath Inc. 141,956
Laboratory Medicine Consultants 140,590
Wisconsin Diagnostic Laboratories 114,985
CompuNet Clinical Laboratories 111,555
Austin Pathology Associates 43,676
Mount Sinai Hospital 33,730
Integrated Regional Laboratories 29,644
Penobscot Community Health Center 13,299
Pathology Solutions 13,270
West Hills Hospital and Medical Center / United WestLabs 10,650
Seacoast Pathology, Inc 8,992
Arizona Dermatopathology 5,903
Laboratory of Dermatology ADX, LLC 4,082
Western Pathology Consultants 4,079
Natera 3,035
South Texas Dermatopathology LLC 15,982
Total Records Breached 26,059,725

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

Breach Cause Incidents Breached Records Mean Breach Size Median Breach Size
Hacking/IT Incident 303 36,210,097 119,505 6,000
Unauthorized Access/Disclosure 147 4,657,932 31,687 1,950
Theft 39 367,508 9,423 2,477
Loss 15 74,271 4,951 3,135
Improper Disposal 6 26,081 4,347 4,177

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations – Securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (369 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

State Breaches State Breaches State Breaches State Breaches State Breaches
Texas 60 Maryland 14 Arkansas 9 Alabama 4 Mississippi 2
California 42 Washington 14 South Carolina 9 Alaska 4 Montana 2
Illinois 26 Georgia 13 New Jersey 8 Iowa 4 South Dakota 2
New York 25 North Carolina 13 Massachusetts 7 Kentucky 4 Washington DC 2
Ohio 25 Tennessee 11 Puerto Rico 7 Nebraska 4 West Virginia 2
Minnesota 23 Arizona 10 Virginia 7 Oklahoma 4 Delaware 1
Florida 22 Colorado 10 Louisiana 6 Utah 4 Kansas 1
Pennsylvania 19 Connecticut 10 New Mexico 6 Wyoming 3 New Hampshire 1
Missouri 17 Indiana 10 Wisconsin 6 Idaho 2 Rhode Island 1
Michigan 16 Oregon 10 Nevada 5 Maine 2 Vermont 1

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for £3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreements failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates respondents to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records

The HIPAA Breach Notification Rule requires data breaches of 500 or more records to be reported to the Secretary of the Department of Health and Human Services no later than 60 days after the discovery of a breach. Breaches of fewer than 500 records can be reported to the Secretary at any time, but no later than 60 days from the end of the calendar year in which the data breach was experienced – 45 C.F.R. § 164.408.

That means smaller healthcare data breaches must usually be reported to the HHS no later than March 1 each year, but this year is a leap year so there is an extra day in February. That means the deadline for reporting smaller breaches is one day earlier. All breaches that have affected fewer than 500 individuals must therefore be reported to OCR no later than February 29, 2020.

All breaches must be submitted to the Secretary of the HHS via the Office for Civil Rights breach portal. Each data breach must be reported separately and full information about each breach should be submitted. If several small data breaches have been experienced in the 2020 calendar year, reporting the breaches can take some time. It is therefore advisable not to leave the reporting of data breaches to the last minute to ensure the deadline is not missed. If data breaches are reported later than the 60-day deadline, financial penalties can be imposed.

If a breach has been experienced and the number of individuals affected by the breach has not yet been determined, the breach report should include an estimate of the number of people affected. It is not permissible to delay reporting the breach. When the actual number of affected individuals is known, an addendum can be submitted. Addenda should also be used to update breach reports when further information about the breach becomes available.

The post Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records appeared first on HIPAA Journal.

HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs

The Department of Health and Human Services has issued a final rule modifying the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard to require pharmacies to track partially filled prescriptions for Schedule II drugs. The modification is part of HHS efforts to curb opioid abuse in the United States and will provide a greater quantum of data that may help prevent impermissible refills of Schedule II drugs.

The final rule takes effect on March 24, 2020. The compliance date is September 21, 2020.

By September 21, 2020, pharmacies will be required to use the Quantity Prescribed (460-ET) field for retail pharmacy transactions for all Schedule II drugs. Pharmacies must distinguish in retail pharmacy transactions whether the full prescribed amount of a Schedule II drug has been dispensed in a refill, or if the prescription has only been partially filled.


The NCPDP Telecommunication Standard was adopted by the Secretary of the HHS in January 2009 for pharmacy transactions (health care claims or equivalent encounter information, referral certification and authorization, and coordination of benefits).

Under the Controlled Substances Act, the refilling of Schedule II drugs is prohibited, but partial fills are permitted if a pharmacist has less than the prescribed amount in stock, for patients in long-term care facilities, and for patients with terminal illnesses.

An analysis of prescription drug refill records by the HHS’ Office of Inspector General in 2012 revealed that in 2009, $25 million has been inappropriately paid by Medicare Part D plan sponsors for 397,203 Schedule II drug refills. 75% of those refills were billed by long-term care facilities. There was considerable concern that these prohibited refills could contribute to the diversion of Schedule II drugs and their being resold on the street.

The HHS’ Centers for Medicare and Medicaid services believed the OIG figures were incorrect due to a misinterpretation of the data in the Fill Number (403-D3) field, which resulted in partial fills being confused with refills dispensed to patients in long-term care facilities. A CMS review confirmed pharmacies could not distinguish between partial fills of Schedule II drugs and refills for billing purposes without using the Fill Number (403-D3) field.

The NCPDP D.0 standard was then updated to include the Quantity Prescribed (460-ET) field for claims, which should include the actual quantity supplied. That data could then be used to determine whether inappropriate fills had been made over and above the amount prescribed.

The change was detailed in the November 2012 publication of Version D.0 which required the Quantity Prescribed (460–ET) field to be completed when submitting claims to Medicare Part D for Schedule II drugs. However, since the HHS has not adopted the November 2012 publication, pharmacies could not use the Quantity Prescribed field for HIPAA transactions. The final rule addresses this issue.

The Administrative Simplification: Modification of the Requirements for the Use of Health Insurance Portability and Accountability Act of 1996 (HIPAA) National Council for Prescription Drug Programs (NCPDP) D.0 Standard has been published in the federal register on January 24, 2020 and can be viewed on this link.

The post HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs appeared first on HIPAA Journal.

HHS Reminds Covered Entities of Data Sharing in Light of Novel Coronavirus Outbreak

The Department of Health and Human Services has issued a bulletin reminding HIPAA covered entities about the ways that patient information can be shared during outbreaks of infectious disease and other emergency situations, in light of the recent Novel Coronavirus (2019-nCoV) outbreak.

In the bulletin, the HHS confirms that in such situations, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI).

Under the HIPAA Privacy Rule, covered entities are permitted to disclose patient information without authorization for treatment purposes, care coordination, consultations, and referrals of patients for treatment.

In situations when patients have contracted an infectious disease such as 2019-nCoV, there is a legitimate need for information to be shared with public health authorities and others responsible for ensuring public health and safety. Those entities may need to be provided with PHI to allow them to carry out their public health missions. In such cases, the HIPAA Privacy Rule allows covered entities to share PHI with those entities and individual authorizations are not required.

That includes sharing information with the Centers for Disease Control and Prevention (CDC) and state and health departments authorized by law to receive such information to prevent or control disease and injury. Directed by a public health authority, PHI may also be shared with foreign government agencies that are working with public health authorities. Information can also be shared with individuals believed to be at risk of contracting or spreading disease, if other law, such as state law authorizes the covered entity to notify such persons to help prevent the spread of disease or to carry out public health investigations.

Information can also be shared with friends, family members, and other individuals involved in the care of a patient, including sharing information about a patient, as necessary, to identify, locate, and notify family members, guardians, and others responsible for the patient’s care, of the patient’s location, general condition, or death.

In such cases, verbal permission should be obtained from the patient or it can be reasonably inferred that the patient does not object. If a patient is incapacitated, then professional judgement should be used as to whether the sharing of information is in the patient’s best interest.

Patient information may also be shared to prevent or lessen a serious or imminent threat to the health and safety of a person or the public, consistent with applicable laws. Generally speaking, providing specific information about an identifiable patient to the media or public at large is not permitted.

All permitted disclosures of patient information are subject to the minimum necessary rule. Shared information should be limited to the minimum necessary amount to accomplish the purpose for which information is disclosed.

The post HHS Reminds Covered Entities of Data Sharing in Light of Novel Coronavirus Outbreak appeared first on HIPAA Journal.

Average Ransomware Payment Increased Sharply in Q4, 2019

A new report from the ransomware incident response firm Coveware shows payments made by ransomware victims increased sharply in Q4, 2019. The average ransomware payment doubled in Q4, as two of the most prolific ransomware gangs – Sodinokibi and Ryuk – shifted their attention to attacking large enterprises. In Q3, 2019 the average ransom payment was $41,198. In Q4, that figure jumped to $84,116, with a median payment of $41,179.

The large increase in ransom amounts is largely due to changing tactics of the two main ransomware gangs, Ryuk especially. Ryuk is now heavily focused on attacking large enterprises. The average number of employees at victim companies increased from 1,075 in Q3 to 1,686 in Q4. The largest ransom amount was $779,855.5 in Q4; a considerable jump from the largest demand of $377,027 in Q3.

In Q4, the most prevalent ransomware threats were Sodinokibi (29.4%), Ryuk (21.5%), Phobos (10.7%), Dharma (9.3%), DoppelPaymer (6.1%), and NetWalker (5.1%). 10.7% of attacks involved the Rapid, Snatch, IEncrypt or GlobeImposter ransomware variants.

Many of the above ransomware variants are distributed under the ransomware-as-a-service model, where affiliates can sign up and use the ransomware and retain a cut of the ransom payments. The more sophisticated gangs are cautious about who they accept as affiliates whereas some of the smaller ransomware gangs let anyone sign up. Only a handful of affiliates are used to distribute Sodinokibi, with some specializing in different types of attack. One Sodinokibi affiliate has extensive knowledge of remote monitoring and management tools and specializes in attacks on managed service providers.

Ransomware is mostly delivered as a result of brute forcing weak RDP credentials or purchasing stolen RDP credentials. This tactic is used in more than 50% of successful ransomware attacks, followed by phishing (26%) and the exploitation of software vulnerabilities (13%).

Coveware explained in its report that 98% of victims who paid the ransom were supplied with valid keys and were able to decrypt their files. The probability of success can vary greatly depending on the variant of ransomware involved. Some threat actors are known for defaulting and often do not supply valid keys, even after the ransom is paid. Threat groups associated with Rapid, Mr. Dec, and Phobos ransomware were named as being consistent defaulters. Those threat groups were also less selective and tended to work with any affiliate.

Even when valid decryptors are supplied, some data lost can be expected. Out of the companies Coveware helped recover data, on average, 97% of files were recovered. An average of 3% of files were permanently lost as files were corrupted during the encryption/decryption process. More sophisticated attackers, such as the Ryuk and Sodinokibi threat actors, tend to be more careful encrypting data to ensure file recovery is possible and their reputation is not damaged.

The average downtime from a ransomware attack increased from 12.1 days in Q3, 2019 to 16.2 days in Q4. This is largely due to an increase in attacks on large enterprises, which have complex systems that take much longer to restore.

The figures for the report naturally only include ransomware victims that have used Coveware to negotiate with the attackers and assist with recovery. Many firms chose to deal with their attackers directly or use other ransomware recovery firms.

The post Average Ransomware Payment Increased Sharply in Q4, 2019 appeared first on HIPAA Journal.

How One Company is Helping to Drive Down the Cost of U.S. Healthcare and Improve Patient Outcomes

2019 Health Statistics published by the Organisation for Economic Co-operation and Development’s (OECD) show healthcare expenditures in the United States are significantly higher than those in other developed countries. A 2018 Harvard study of 11 developed countries showed the United States had the highest healthcare costs relative to its GDP out of all 11 countries studied. Per capita healthcare spending was found to be almost twice that of other wealthy, developed countries.

Higher costs are not necessarily bad if they translate into better patient outcomes, but the OECD figures show that is not the case. The United States performed poorly for patient outcomes, even though the costs of healthcare are so high. Reducing the cost of healthcare is a major challenge and there is no silver bullet, but there are ways for costs to be reduced and for patient outcomes to be improved.

The Trump Administration is committed to reducing the cost of healthcare through executive orders and HHS rulings. In November 2018 an executive order – Improving Price and Quality Transparency in American Healthcare – was issued which is intended to improve healthcare price transparency to increase competition among hospitals and insurers and drive down healthcare spending.

Another key area where costs can be cut is by eliminating wastage in healthcare. A great deal of money being wasted due to inefficiency, such as the continued use of outdated communications technology.

The healthcare industry is still heavily reliant on communications technology from the 1970s. Advances are being made and new communications tools are being introduced, but oftentimes when new communications technology is purchased, it tends to be introduced in silos and healthcare organizations fail to achieve the full benefits. As a result, communications problems persist.

Communication inefficiencies are costing the healthcare industry dearly and that cost is being passed onto patients. Research shows communication inefficiencies cost a single 500-bed hospital around $4 million a year. The breakdown in communication is estimated to be a major factor in 70% of medical error deaths, according to a study published in the Journal of Medical Internet Research.

One company helping to cut the cost of healthcare is TigerConnect. TigerConnect has developed an advanced communications and collaboration solution that allows all members of care teams to communicate and collaborate quickly, efficiently, and effectively. The platform helps accelerate productivity and eliminates wastage, which allows healthcare providers to reduce the cost of healthcare. The solution has also been shown to improve patient outcomes.

The platform has been shown to reduce wait times in emergency departments, reduce the potential for medical errors, reduce the length of hospitals stays, and the platform helps improve staff morale, especially among physicians. The platform eliminates phone tag, allows all members of the care team to access the data they need to make decisions, and ensures proper patient handoffs, which is where the majority of medical errors occur.  

The TigerConnect team is committed to solving pervasive problems in healthcare communication and continues to innovate and develop its solution to meet the need of healthcare organizations of all sizes. The platform has proven popular with healthcare organizations and the company has been enjoying a period of tremendous growth, according to 2019 figures released today.

The TigerConnect solution is the most widely adopted healthcare communications and collaboration platform in the United States and 2019 has seen the company expand its industry footprint further. More than 600 new clients have been added in 2019, including 100 new enterprise clients such as Geisinger, NCH Healthcare System, Penn State Health, University of Maryland Medical System, Einstein Medical Center, Cooper University Health Care, and St. Luke’s University Health Network. More than 6,000 healthcare organizations are now using the platform.

TigerConnect has also expanded its workforce to cope with the increased demand. Over 50 new members of staff joined the company in 2019. TigerConnect also created new leadership roles, with the appointment of former Vacasa CTO, Tim Goodwin, as its first Chief Technology Officer, former McKesson consultant Sarah Shillington as the SVP of client success, and former Expedia executive, Allie Hanegan as VP of People.

TigerConnect is now looking to make greater gains in 2020 and has launched several initiatives to accelerate growth. Ahead of HIMSS20, TigerConnect will be launching several major product and partner initiatives, the company will be aggressively marketing its solution toward new clients and will also be looking to expand its footprint with its existing customer base. TigerConnect has also confirmed it will be forming a client advisory group and will be leveraging additional forums to get feedback from users to identify areas where the platform can be further improved.

“As we look ahead to the next decade, we see nothing but greenfield opportunity to redefine the way healthcare teams, payers, and patients connect and collaborate. We remain steadfast in our mission to partner with care organizations of every size and type, providing them with the world’s most advanced collaboration technology to produce a vision of the future we can all be proud of,” said Brad Brooks, co-founder, and CEO of TigerConnect.

The post How One Company is Helping to Drive Down the Cost of U.S. Healthcare and Improve Patient Outcomes appeared first on HIPAA Journal.