Latest HIPAA News

350,000 Affected by Oregon Department of Human Services Phishing Attack

Oregon Department of Human Services (ODHS) has experienced a phishing attack that has potentially allowed unauthorized individuals to view or obtain the protected health information of more than 350,000 individuals.

ODHS learned on January 28, 2019 that unauthorized individuals had gained access to email accounts containing clients’ personal information. Third-party forensics experts from IDExperts were called in to determine the number of individuals affected, the types of data that could have been accessed, and whether clients’ personal information had been extracted.

The investigation conformed that nine employees had clicked links in phishing emails and divulged their login credentials, which allowed the attackers to gain access to their email accounts. The first account was compromised on January 8, 2019.

The compromised email accounts contained almost 2 million emails. Checks are still being performed to find out which individuals have been affected. ODHS has confirmed that emails in the account contained information such as clients’ first and last names, addresses, birth dates, case numbers, Social Security numbers, and information used to administer ODHS programs.

The investigation did not uncover any evidence to suggest the attackers viewed or copied any protected health information, but the possibility of data access/theft could not be ruled out.

The exact number of individuals affected by the phishing attack has not yet been finalized. When all individuals have been identified, IDExperts will be sending breach notification letters by mail and will provide further information on the steps that should be taken to protect against identity theft and fraud.

ODHS is offering complimentary credit monitoring and identity theft recovery services to all individuals affected by the breach.

The post 350,000 Affected by Oregon Department of Human Services Phishing Attack appeared first on HIPAA Journal.

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit.

UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach.

The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had been implemented post-breach to improve security.

UCLA Health avoided a financial penalty, but a class action lawsuit was filed on behalf of patients affected by the breach. The plaintiffs alleged UCLA Health failed to inform them about the breach in a timely manner, there had been breach of contract, violations of California’s privacy laws, and that UCLA Health’s failure to protect the privacy of patients constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015, and while this was in line with HIPAA requirements – under 60 days from the discovery that PHI had been compromised – the plaintiffs believed they should have been notified more quickly, given the fact that the breach had occurred 9 months previously.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be allowed to submit a claim to recover costs that have been incurred protecting themselves against unauthorized use of their personal and health information and they can also submit a claim to recover losses from fraud and identity theft.

Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any losses or damage caused by identity theft and fraud. $2 million of the $7.5 million settlement has been set aside to cover patients’ claims.  The remaining $5.5 million will be paid into a cybersecurity fund which will be used to improve cybersecurity defenses at UCLA Health.

Patients have until May 20, 2019 to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019 and patients must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. The deadline for submitting claims for the reimbursement of losses is June 18, 2021. The final court hearing on the settlement is scheduled for June 18, 2019.

The post UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million appeared first on HIPAA Journal.

Potentially Massive Breach of Protected Health Information Discovered

Sacramento, CA-based medical software provider Meditab Software Inc., and it’s San Juan, PR-based affiliate, MedPharm Services have suffered a massive breach of protected health information.

Meditab provides electronic medical record (EMR) and practice management software to hospitals, physician’s offices, and pharmacies. According to the company website, its software is used by more than 2,200 healthcare clients.

Meditab also provides a fax processing service and one of the servers used for processing faxes has been discovered to be leaking data and could be accessed over the internet without the need for any authentication.

The unprotected fax server was discovered by the Dubai-based cybersecurity firm SpiderSilk. The fax server was hosted on a subdomain of MedPharm Services and housed an Elastisearch database containing fax communications. Those faxes could be accessed in real time. The database was created in March 2018 and housed more than 6 million records. It is currently unclear how many of those records contained protected health information.

According to a recent report on TechCrunch, a brief review of the faxes in the database revealed they contained highly sensitive information such as names, addresses, dates of birth, insurance information, payment information, Social Security numbers, doctor’s notes, prescription details, diagnoses, lab test results, and medical histories. None of the information was encrypted.

Meditab Software and MedPharm Services were both founded by Kalpesh Patel, who TechCrunch contacted about the breach. After being alerted to the breach, the fax server was taken offline, and an investigation was launched to identify the cause of the breach.

Database logs are currently being assessed to determine the extent of the breach, which patients have been affected, and whether the database was accessed by unauthorized individuals or downloaded.

It is unclear for how long the server was left unprotected and how many patients have been affected by the breach. Considering the number of records in the database, this breach has potential to be one of the largest ever healthcare data breaches in the United States.

Further information will be posted as and when it becomes available.

The post Potentially Massive Breach of Protected Health Information Discovered appeared first on HIPAA Journal.

February 2019 Healthcare Data Breach Report

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January.

Healthcare data breaches by month

The number of reported breaches may have fell by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – A 330% increase from the previous month.

Records exposed in Healthcare data breaches by month

Causes of Healthcare Data Breaches in February 2019

Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports.

75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents.

There were four unauthorized access/disclosure incidents and 4 cases of theft of physical or electronic PHI. The unauthorized access/disclosure incidents involved 3.1% of all compromised records and 0.65% of records were compromised in the theft incidents.

Causes of Healthcare data breaches in February 2019

Largest Healthcare Data Breaches in February 2019

The largest healthcare data breach reported in February involved the accidental removal of safeguards on a network server, which allowed the protected health information of more than 973,000 patients of UW Medicine to be exposed on the internet. Files were indexed by the search engines and could be found with simple Google searches. Files stored on the network server were accessible for a period of more than 3 weeks.

The second largest data breach was due to a ransomware attack on Columbia Surgical Specialist of Spokane. While patient information may have been accessed, no evidence was found to suggest any ePHI was stolen by the attackers.

The 326,629-record breach at UConn Health was due to a phishing attack that saw multiple employees’ email accounts compromised, and one email account was compromised in a phishing attack on Rutland Regional Medical Center that contained the ePHi of more than 72,000 patients.

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 UW Medicine Healthcare Provider 973,024 Hacking/IT Incident
2 Columbia Surgical Specialist of Spokane Healthcare Provider 400,000 Hacking/IT Incident
3 UConn Health Healthcare Provider 326,629 Hacking/IT Incident
4 Rutland Regional Medical Center Healthcare Provider 72,224 Hacking/IT Incident
5 Delaware Guidance Services for Children and Youth, Inc. Healthcare Provider 50,000 Hacking/IT Incident
6 Rush University Medical Center Healthcare Provider 44,924 Unauthorized Access/Disclosure
7 AdventHealth Medical Group Healthcare Provider 42,161 Hacking/IT Incident
8 Reproductive Medicine and Infertility Associates, P.A. Healthcare Provider 40,000 Hacking/IT Incident
9 Memorial Hospital at Gulfport Healthcare Provider 30,642 Hacking/IT Incident
10 Pasquotank-Camden Emergency Medical Service Healthcare Provider 20,420 Hacking/IT Incident

 

Location of Breached Protected Health Information

Email is usually the most common location of compromised PHI, although in February there was a major rise in data breaches due to compromised network servers. 46.88% of all breaches reported in February involved ePHI stored on network servers, 25% involved ePHI stored in email, and 12.5% involved ePHI in electronic medical records.

Location of breached PHI

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in February 2019 with 24 incidents reported. There were five breaches reported by health plans, and three breaches reported by business associates of HIPAA-covered entities. A further seven breaches had some business associate involvement.

February 2019 healthcare data breaches by covered entity

Healthcare Data Breaches by State

The healthcare data breaches reported in February were spread across 22 states. California and Florida were the worst affected states with three breaches apiece. Two breaches were reported in each of Illinois, Kentucky, Maryland, Minnesota, Texas, and Washington, and one breach was reported in each of Arizona, Colorado, Connecticut, Delaware, Georgia, Kansas, Massachusetts, Mississippi, Montana, North Carolina, Virginia, Wisconsin, and West Virginia.

HIPAA Enforcement Actions in February 2019

2018 was a record year for HIPAA enforcement actions, although 2019 has started slowly. The HHS’ Office for Civil Rights has not issued any fines nor agreed any HIPAA settlements so far in 2019.

There were no enforcement actions by state attorneys general over HIPAA violations in February. The only 2019 penalty to date is January’s $935.000 settlement between California and Aetna.

The post February 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices

U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) have introduced The Internet of Things Improvement Act, which requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has been introduced in the House by Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).

Ericcson has predicted there will be 18 billion IoT devices in use by 2022 and IDC predicts IoT spending will reach $1.2 trillion the same year. As the number of IoT devices in use grows, so does concern about the security risk posed by the devices.

Sen. Warner wants to make sure that a baseline for security is achieved before any IoT device is allowed to connect to a government network and wants to use the purchasing power of the U.S. government to help establish minimum standards of security for IoT devices.

Currently IoT devices are coming to market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is often as an afterthought. Most IoT devices have not been designed with security in mind and the market encourages device manufacturers to prioritize convenience and cost over security.

The bill calls for NIST to issue recommendations for IoT device manufacturers on secure development, identity management, configuration management, and patching throughout the life-cycle of the devices. NIST will also be required to work with cybersecurity researchers and industry experts to develop guidance on coordinated vulnerability disclosures to ensure flaws are addressed when they are discovered.

The Internet of Things Improvement Act calls for the Office of Management and Budget (OMB) to issue guidelines for each agency that is consistent with NIST recommendations and for policies to be reviewed at least every five years.

Any IoT device used by the federal government will be required to meet the security standards set by NIST and contractors and vendors that provide IoT devices to the government will be required to adopt coordinated vulnerability disclosure policies to ensure information on vulnerabilities is disseminated.

It is important that IoT devices do not give hackers a backdoor into government networks. Without minimum security standards, the government will be vulnerable to attack and critical national security information will be placed at risk.

The Internet of Things Improvement Act will see the U.S. government lead by example and better manage cyber risks.

The bill is supported by many software and security firms and industry associations, including BSA, Symantec, Tenable, Mozilla, CloudFlare, Rapid7, and CTIA.

The post Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices appeared first on HIPAA Journal.

25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

Implementing technical safeguards to prevent the exposure of electronic protected health information is a major challenge in healthcare, especially when it comes to securing mobile devices.

According to the Verizon Mobile Security Index 2019 report, 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months.

All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation.

Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months.

While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices.

85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to detect a security incident quickly. That confidence may be misplaced as a quarter of healthcare organizations have experienced a breach involving a mobile device and 80% of those entities learned about the breach from a third party.

Since mobile devices are often used to access or store ePHI, a security incident could easily result in a breach of ePHI. Two thirds (67%) of healthcare mobile security incidents were rated major breaches. 40% of those breaches had major lasting repercussions and, in 40% of cases, remediation was said to be difficult and expensive.

67% of mobile device security incidents saw other devices compromised, 60% of organizations said they experienced downtime as a result of the breach, and 60% said data was lost. 40% of healthcare organizations that experienced such a breach said multiple devices were compromised, downtime was experienced, and they lost data. 30% of breached entities said that cloud services had been compromised as a result of a mobile security breach.

The main security risks were seen to be how devices were used by employees. 53% of respondents said personal use of mobile devices posed a major security risk and 53% said user error was a major problem.

65% of healthcare organizations were less confident about their ability to protect mobile devices than other IT systems. Verizon notes that this could be explained, in part, by the lack of effective security measures in place. For instance, just 27% of healthcare organizations were using a private mobile network and only 22% had unified endpoint management (UEM) in place.

The survey also confirmed that users are taking major risks and are breaching company policies. Across all industries, 48% of respondents said they sacrificed security to get tasks completed compared to 32% last year. 81% said they use mobile devices to connect to public Wi-Fi even though in many cases doing so violates their company’s mobile device security policy.

The post 25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months appeared first on HIPAA Journal.

‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records

A major case of snooping on celebrity medical records has been reported that has resulted in ‘dozens’ of healthcare workers being fired from Chicago’s Northwestern Memorial Hospital for accessing the medical records of Jussie Smollett without authorization.

Jussie Smollett attended the hospital’s emergency room for treatment for injuries sustained in an alleged racially motivated attack by two men on January 29, 2019.

Following a police investigation into the alleged attack, Chicago Police Superintendent Eddie Johnson announced that the Empire actor had been arrested on February 21 and charged with disorderly conduct and filing a false police report. The police allege that the attack was a hoax and that it had been staged by Smollett as a publicity stunt.

Curiosity got the better of some employees at Northwestern Memorial Hospital who searched for Smollett on the hospital’s system, some of whom accessed his chart and viewed his medical records.

Accessing the medical records of patients without authorization is a violation of Health insurance Portability and Accountability Act (HIPAA) Rules and can result in disciplinary action and, in certain cases, criminal penalties for the employees concerned.

Northwestern Memorial Hospital reviewed PHI access logs and took decisive action over the privacy violations. Employees found to have snooped on Smollett’s medical records were fired.

Northwestern Memorial Hospital has neither confirmed that Smollett was a patient nor provided information about the number of employees that have been terminated, stating that HIPAA prevents such information from being disclosed.

Some employees that were terminated have spoken to the media about the incident. CBS Chicago claims dozens of hospital employees have been terminated for the HIPAA violations while NBC Chicago has reported there have been at least 50 terminations for snooping.

The post ‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records appeared first on HIPAA Journal.

HIPAA Compliance at Odds with Healthcare Cybersecurity

The College of Healthcare Information Management Executives (CHIME) has told Congress that complying with HIPAA Rules is not enough to prevent data breaches and HIPAA compliance can, in some cases, result in a lessening of healthcare cybersecurity defenses.

Russell P. Branzell, President and CEO of CHIME and Shafiq Rab, CHCIO Chair of the CHIME Board of Trustees recently responded to a request for information (RFI) by Congress on ways to address rising healthcare costs.

In a March 1, 2019 letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP), they explained that the use of technology in healthcare helps to reduce costs and can, if harnessed correctly, improve efficiency as well as outcomes.

“Significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.”

The use of technology and data sharing are essential for improving the level of care that can be provided to patients, yet both introduce new risks to the confidentiality, integrity, and availability of healthcare data. While policies are being introduced to encourage the use of technology and improve interoperability, it is also essential for cybersecurity measures to be implemented to protect patient data. Any policy recommendations must also include security requirements.

“As we increase interoperability, additional threats to data integrity will arise. Without proper safeguards, the safe and secure transmission of sensitive data will continue to be a challenge and will hinder efforts to care outcomes,” wrote CHIME.

Healthcare organizations that comply with HIPAA Rules will have met the minimum standards for healthcare data privacy and security set by the HHS. That does not mean that HIPAA-compliant organizations are well protected against cyberattacks. HIPAA is complex and compliance requires a significant amount of resources. That can mean fewer resources are then available to tackle cybersecurity issues and protect against actual cyber threats.

Healthcare providers are devoting resources to meeting standards set by the HHS and its Office for Civil Rights (OCR), even though the measures introduced for HIPAA compliance may not address the most serious threats. As a result, their ability to protect patient data could be diminished rather than increased as a result.

CHIME also pointed out that enforcement of compliance with HIPAA Rules, via breach investigations and compliance audits, are unduly punitive. OCR appears to be more focused on punishment rather than helping healthcare providers recover from a breach, learn from it, and share the lessons learned with other healthcare organizations.

Healthcare providers should not have the burden of protecting PHI in areas outside their control. CHIME suggests safe harbors should be introduced “for organizations that demonstrate, and certify, cybersecurity readiness.” That may require amendments to the HITECH Act, along with a change to the language used for the definition of a breach so it no longer presumes guilt.

CHIME has also called for the HHS to issue better guidance for healthcare providers to help them assess threats that are within their control. Healthcare providers should not have full responsibility for protecting PHI outside of their domain. CHIME has also suggested that the balance of responsibility for security needs to be split more evenly between covered entities and their business associates.

When considering enforcement actions, OCR should assess the level of effort that has gone into protecting systems and PHI and policies should be pursued that reward healthcare providers for good faith efforts to prevent cyberattacks, such as demonstrating sufficient compliance with NIST’s Cybersecurity Framework (CSF).

These measures will help encourage healthcare providers to invest more in cybersecurity, which in turn will help to prevent more breaches and allow healthcare providers to avoid the high costs of mitigating those breaches, thus helping to reduce healthcare costs.

The post HIPAA Compliance at Odds with Healthcare Cybersecurity appeared first on HIPAA Journal.

Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack

A new Moody’s Investors Service Report has revealed four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks.

Those four sectors were determined to have high risk exposure to cyberattacks. All four sectors are heavily reliant on technology for day to day operations, distribution of content, or customer engagement. Increasing digitalization and interconnectedness within each sector and across different sectors is increasing cyber risk.

For the report, Moody’s assessed vulnerability to a cyberattack and the impact such an attack could have on critical businesses processes, disclosure of data, and reputation damage. Cybersecurity measures that had been deployed to protect against attacks were not considered for the report, unless mitigants had been applied uniformly across each sector – Supply chain diversity for instance. In total, 35 broad industry sectors were assessed and were given a rating of low-risk, medium-risk, or high-risk.

The health insurance, pharmaceutical, and medical device industries were rated in the medium-risk category. Hospitals were rated high risk, primarily due to the sensitive and essential nature of data used by hospitals, the value of healthcare data to hackers, the increasing number of vulnerabilities introduced from connected medical devices, and the time it would likely take to recover from an attack and the disruption to the business while an attack was mitigated.

A successful cyberattack can be costly to mitigate. Breached entities have to increase investment in technology and infrastructure, cover the cost of regulatory fines and litigation, pay higher insurance premiums, increase R&D spending, and attacks can have serious reputational effects, including higher customer churn rates and a reduction in creditworthiness.

“We view cyber risk as event risk that can have material impact on sectors and individual issuers,” said Moody’s Managing Director Derek Vadala. “Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers’ financial profiles and business prospects.”

The financial impact of a cyberattack can be significant and long-lasting so it is important for businesses and organizations in the high-risk sectors to have “robust sources of liquidity” to weather the storm.

While larger hospitals are likely to have more financial resources to devote to mitigating threats and recovering from cyberattacks, they are not immune to attack and can still suffer a significant financial impact, especially considering many hospitals have not purchased cyber insurance due to the high cost.

Cyberattacks on businesses and organizations in high-risk sectors could potentially be catastrophic, which could have an impact on the ability of breached entities to pay back debts. Combined, the four high-risk industry sectors hold $11.7 trillion in rated debt.

In addition to the financial costs and damage to an entity that is attacked, cyberattacks in the high-risk sectors would likely have broad ripple effects and a far-reaching impact on other industry sectors.

The post Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack appeared first on HIPAA Journal.