Latest HIPAA News

January 2018 Healthcare Data Breach Report

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January which is a considerable improvement on the 39 incidents reported in December 2017.

Healthcare data breaches by Month (August 2017-January 2018)

Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month where the number of breached records increased month over month.

records exposed in January 2018 Healthcare Data Breaches

The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. In January, the healthcare data breaches reported were far less severe than in December. In January the median breach size was 1,500 records. In December it was 15,857 records.

Largest Healthcare Data Breaches in January 2018

In January there were only four breaches reported that impacted more than 10,000 individuals, compared to nine such incidents in December 2017. Hacking incidents continue to result in the largest data breaches with five of the top six breaches the result of hacking/IT incidents, which includes hacks, malware infections and ransomware attacks.


Covered Entity Entity Type Individuals Affected Type of Breach
Oklahoma State University Center for Health Sciences Healthcare Provider 279865 Hacking/IT Incident
Onco360 and CareMed Specialty Pharmacy Healthcare Provider 53173 Hacking/IT Incident
Agency for Health Care Administration Health Plan 30000 Hacking/IT Incident
Decatur County General Hospital Healthcare Provider 24000 Hacking/IT Incident
Charles River Medical Associates, pc Healthcare Provider 9387 Loss
Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc. Healthcare Provider 5228 Hacking/IT Incident
RGH Enterprises, Inc. Healthcare Provider 4586 Unauthorized Access/Disclosure
Gillette Medical Imaging Healthcare Provider 4476 Unauthorized Access/Disclosure
Zachary E. Adkins, DDS Healthcare Provider 3677 Theft
Steven Yang, D.D.S., INC. Healthcare Provider 3202 Theft

Main Causes of Healthcare Data Breaches in January 2018

While hacking/IT incidents and unauthorized access/disclosures shared top spot in January, the biggest cause of breaches was actually errors made by employees and insider wrongdoing. Insiders were behind at least 11 of the 21 breaches reported in January.  Four of the five loss/theft incidents involved portable electronic devices. Those incidents could have been avoided if encryption had been used.

Main Causes of January 2018 Data Breaches

  • Hacking/IT Incidents: 7 breaches
  • Unauthorized Access/Disclosure: 7 breaches
  • Loss/theft of physical records and portable devices: 5 breaches

January 2018 Healthcare Data Breaches by Incident Type


Records Exposed by Breach Type

The vast majority of individuals impacted by healthcare data breaches in January 2018 had their health data accessed or stolen in hacking/IT incidents. January saw a significant reduction in records exposed due to loss or theft – In December, incidents involving the loss or theft of devices and physical records impacted 122,921 individuals.

Main Causes of Exposed Healthcare Records in January 2018

  • Hacking/IT Incidents: 394,787 healthcare records exposed in 7 security incidents
  • Loss/theft of physical records and portable devices: 18,519 records exposed in 5 incidents
  • Unauthorized Access/Disclosure: 13,329 healthcare records exposed in 7 incidents

Main Causes of Healthcare Data Breaches in January 2018 - Records by breach type

Location of Data Breaches in January 2018

Overall, more incidents were reported involving electronic copies of health data in January, but covered entities must ensure that appropriate physical security and access controls are in place to prevent unauthorized accessing and theft of paper records. Training must also be provided to staff on disposing of physical records. Two improper disposal incidents were reported in January involving physical records.

Main Locations of Exposed Healthcare Records in January 2018

  • Paper/Films: 13,514 records exposed in 7 incidents: 4 unauthorized access/disclosures; 2 improper disposal incidents, and one incident involving the loss of records
  • Network Servers: 310,593 healthcare records exposed in 4 hacking/IT incidents involving network servers: 1 Hack, 2 malware incidents and one incident for which the cause is unknown
  • Laptop computers: 3 incidents involving laptop computers: 2 stolen devices and one hack/IT incident
  • Email: Three incidents involving unauthorized access/disclosure due to phishing and two hacking incidents
  • EMRs:  3 incidents involving EMRs: 2 unauthorized access incidents (Physician/nurse) and 1 hacking incident

January 2018 Healthcare Data Breaches - Location of breached PHI

January 2018 Healthcare Data Breaches by Covered Entity

In January, no business associates of HIPAA covered entities reported data breaches, and according to the OCR breach summaries, none of the 21 security breaches had any business associate involvement. Healthcare providers were the worst affected with 19 breaches reported.

Healthcare Records Breached

  • Healthcare providers: 398,009 healthcare records exposed in 19 incidents
  • Health plans: 30,634 healthcare records exposed in 2 incidents

January 2018 Healthcare Data Breaches by Entity Type

January Healthcare Data Breaches by State

In January, covered entities based in 15 states reported data breaches that impacted more than 500 individuals.

California was the worst hit state by some distance with 5 covered entities reporting breaches. Tennessee and Wyoming had two breaches apiece, with one incident reported by organizations based in Florida, Illinois, Kentucky, Massachusetts, Maryland, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, and Washington.

Financial Penalties for HIPAA Covered Entities in January

There were no OCR HIPAA fines or settlements announced in January to resolve violations of HIPAA Rules, although the New York Attorney General did settle a case with health insurer Aetna.

Aetna was required to pay the NY AG’s office $1.15 million to resolve violations of HIPAA Rules and state laws. The violations were discovered during an investigation into a serious privacy breach experienced in July 2017. A mailing was sent to approximately 12,000 members in which details of HIV medications were visible through the clear plastic windows of the envelopes – An unauthorized disclosure of PHI. The mailing was sent on behalf of Aetna by a settlement administrator.

Further, it was alleged that Aetna provided PHI to its outside counsel, who in turn provided that information to the settlement administrator – a subcontractor – yet no business associate agreement was in place prior to that disclosure.

Aetna also settled a class action lawsuit in January over the breach. The lawsuit was filed by HIV/AIDS organizations on behalf of the victims of the breach. Aetna settled the lawsuit for $17,161,200.

That is unlikely to be the end of the fines. OCR may decide to take action over the breach and alleged HIPAA violations, and other state attorneys general have opened investigations. Aetna is also embroiled in costly legal action with its settlement administrator.

Data source for breaches: Department of Health and Human Services’ Office for Civil Rights.

The post January 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses closes the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading.

FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations.

An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork.

That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In total, the records of 2,150 patients were included in the paperwork.

OCR determined that between January 28, 2015 and February 14, 2015, FileFax had impermissibly disclosed the PHI of 2,150 patients as a result of either: A) Leaving the records in an unlocked truck where they could be accessed by individuals unauthorized to view the information or; B) By granting permission to an individual to remove the PHI and leaving the unsecured paperwork outside its facility for the woman to collect.

Since FileFax is no longer in business – the firm was involuntarily dissolved by the Illinois Secretary of State on August 11, 2017 – the HIPAA penalty will be covered by the court appointed receiver, who liquidated the assets of FileFax and is holding the proceeds of that liquidation.

A corrective action plan has also been issued that requires the receiver to catalogue all remaining medical records and ensure the records are stored securely for the remainder of the retention period. Once that time period has elapsed, the receiver must ensure the records are securely and permanently destroyed in accordance with HIPAA Rules.

The settlement has been agreed with no admission of liability.

HIPAA Retention Requirements and Disposal of PHI

There are no HIPAA retention requirements – Covered entities and their business associates are not required to keep medical records after their business has ceased trading. However, that does not mean medical records and PHI can be disposed of immediately. Businesses are bound by state laws, which do require documents to be retained for a set period of time. For instance, in Florida, physicians must maintain medical records for 5 years after the last patient contact and in North Carolina hospitals must maintain records for 11 years following the last date of discharge.

During that time, HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure those records are secure and remain confidential. After the retention period is over, all PHI must be disposed of in a compliant manner.

In the case of paper records, disposal typically means shredding, burning, pulping, or pulverization. Whatever method chosen must render the documents indecipherable and incapable of reconstruction.

This HIPAA breach is similar to several others that have occurred over the past few years. Businesses have ceased trading and paper records containing the protected health information of patients have been dumped, abandoned, or left unsecured. There have also been cases where businesses have moved location and left paperwork behind, only for contractors performing a cleanup or refurb of the property to find the paperwork and dispose of it with regular trash.

The failure to secure PHI during the retention period and the incorrect disposal of records after that retention period is over are violations of HIPAA Rules that can attract a significant financial penalty.

“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino in a press release about the latest HIPAA settlement. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

The post $100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes appeared first on HIPAA Journal.

Timothy Noonan Becomes OCR’s Top HIPAA Enforcer, Replacing Deputy Director Iliana Peters

After just 4 months in the position of deputy director for health information privacy at the Department of Health and Human Services’ Office for Civil Rights, Iliana Peters has departed for the private sector.

Peters took over as deputy director following the departure of acting deputy director Deven McGraw in November, only to leave the post on February 2 to join the healthcare team at law firm Polsinelli.

This is the third major change of staff at the Department of Health and Human Services in a little over four months. First, there was the departure of HHS Secretary Tom Price in late September, McGraw left in October to join health tech startup Citizen, and now Iliana Peters has similarly quit for the private sector.

Peters has been working at the Office for Civil Rights for the past 12 years, including 5 years as a senior advisor. During her time at OCR Peters has worked closely with regional offices helping them enforce HIPAA Rules and has been instrumental in building up OCR’s HIPAA enforcement program.

Peters has trained regional OCR staff on HIPAA enforcement and the handling of cases and played a key role in OCR’s latest enforcement actions – the $3.5 million settlement with Fresenius Medical Care North America over five data breaches reported to OCR in 2012 and the $2.3 million settlement with 21st Century Oncology over its 2015 cyberattack.

Peters has also trained state attorneys general on HIPAA policies and played a key role in the development of OCR’s second phase of HIPAA compliance audits, as well helping with the development of guidance for HIPAA covered entities on HIPAA Privacy and Security Rules.

Now, instead of helping OCR punish organizations for HIPAA violations, Peters will be working on the other side and will be helping healthcare organizations avoid HIPAA violations and OCR penalties.

Peters has become a shareholder at Polsinelli and will be based at its Health Care Operations practice in Washington D.C. According to a February 7 Polsinelli press release. Peters will be helping to develop the law firm’s healthcare presence in DC.

“Iliana brings key insights into the government’s investigation, enforcement, and settlement processes and will enhance our ability to guide our clients in responding to ever-changing threats and risks,” said Polsinelli Health Care Department Chair Matt Murer. “We know that our clients look forward to having Iliana as a strategic member of their privacy and security teams.”

OCR’s southeast regional manager Timothy Noonan was appointed as acting deputy director for health information privacy at OCR on January 29, 2018. Noonan has spent the past four years working as the Southeast regional manager and has served as acting associate deputy director for regional operations and OCR’s acting director for centralized case management operations.

While the loss of Peters will certainly be felt at OCR, there is unlikely to be any easing of OCR’s HIPAA enforcement efforts. OCR’s regional offices have been well trained and will continue to ensure that HIPAA Rules are being followed and action is taken over serious violations of HIPAA Rules.

The post Timothy Noonan Becomes OCR’s Top HIPAA Enforcer, Replacing Deputy Director Iliana Peters appeared first on HIPAA Journal.

Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach

Aetna has taken legal action against an administrative support company over a July 2017 data breach that saw details of HIV medications visible through the clear plastic windows of envelopes in a mailing. Letters inside some of the envelopes had slipped, making the words ““when filling prescriptions for HIV medications” clearly visible to anyone who saw the envelopes.

The privacy breach was condemned by the Legal Action Center and AIDS Law Project of Pennsylvania, who along with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking damages for breach victims. In January, Aetna settled the lawsuit for $17.16 million. Last month, Aetna also settled violations of HIPAA and state laws for $1.15 million with the New York attorney general over the same breach.

The class action was only one of seven filed against the health insurer, and further fines from state attorneys general are to be expected. Several other attorneys general have opened investigations into the breach and may also determine that state laws have been violated.

The costs associated with the privacy breach are mounting and Aetna does not believe it should have to cover costs resulting from the (alleged) negligence of a third-party. The health insurer is seeking at least $20 million in damages from the administrative support company – Kurtzman Carson Consultants (KCC) – whose error resulted in the privacy breach.

In the lawsuit, Aetna claims the firm’s errors and omissions amounted to gross negligence and that KCC should have been aware that HIV medication information was detailed under the names and addresses of its plan members. Aetna claims no checks were performed to determine how much information was visible through the windows of the envelopes. Aetna also claims KCC did not communicate to Aetna that envelopes with clear plastic windows were being used for the mailing, and that Aetna’s lawyers were not consulted to give their approval of the mailing.

Aetna did try to resolve matters directly with KCC and sought indemnification; however, the talks failed prompting Aetna to take legal action.

Aetna is seeking a ‘hold harmless’ ruling which will see the Aetna protected from all liability, damages, payments and claims related to the mailing. With the outcome of other lawsuits pending, further investigations being conducted by state attorneys general, and a potential HIPAA breach penalty from the Department of Health and Human Services’ office for Civil Rights, the final cost of the mailing error is likely to be well in excess of $20 million.

In addition to seeking damages, Aetna is also trying to get KCC to return or destroy all confidential information provided to allow the firm to process the mailing.

KCC denies the allegations and its general counsel, Drake Foster, said Aetna’s claims are ‘demonstrably false.’

It is not only Aetna taking legal action against KCC over the mailing fiasco. A subsidiary of KCC has also filed a lawsuit against Aetna claiming the health insurer failed to protect the privacy of its plan members. The lawsuit was filed in Los Angeles federal court the day after Aetna’s lawsuit was filed in Philadelphia federal court.

In its lawsuit, KCC claims Aetna and its lawyers at Gibson Dunn & Crutcher were provided with samples of the letters and were aware that envelopes with clear plastic windows were being used. KCC claims the letters and the use of the envelopes were both approved.

KCC also claims the confidential information it received in order to send the mailing was not subject to a protection order, and neither was all of the information encrypted during transit to KCC via Gibson Dunn. KCC also claims Aetna shared more information than was necessary to send the mailing: A breach of the minimum necessary standard of HIPAA.

KCC is seeking a declaration that it is not responsible for any of the costs arising from the privacy breach and that all of its legal costs should be covered by Aetna.

The post Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach appeared first on HIPAA Journal.

$3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches

The first HIPAA settlement of 2018 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). Fresenius Medical Care North America (FMCNA) has agreed to pay OCR $3.5 million to resolve multiple potential HIPAA violations that contributed to five separate data breaches in 2012.

The breaches were experienced at five separate covered entities, each of which was owned by FMCNA. Those breached entities were:

  • Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval)
  • Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove)
  • Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin)
  • Fresenius Vascular Care Augusta, LLC (FVC Augusta)
  • WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island)

Breaches Experienced by FMCNA HIPAA Covered Entities

The five security breaches were experienced by the FMCNA covered entities over a period of four months between February 23, 2012 and July 18, 2012:

  • The theft of two desktop computers from FMC Duval during a February 23, 2012 break-in. The computers contained the ePHI – including Social Security numbers – of 200 individuals
  • The theft of an unencrypted USB drive from FMC Magnolia Grove on April 3, 2012. The device contained the PHI – including insurance account numbers – of 245 individuals
  • On April 6, 2012 FMC Ak-Chin discovered a hard drive was missing. The hard drive had been removed from a computer that had been taken out of service and the drive could not be located. The hard drive contained the PHI – including Social Security numbers – of 35 individuals
  • An unencrypted laptop computer containing the ePHI of 10 patients – including insurance details – was stolen from the vehicle of an employee on June 16, 2012. The laptop had been left in the vehicle overnight. The bag containing the laptop also contained the employee’s list of passwords
  • Three desktop computers and one encrypted laptop were stolen from FMC Blue Island on or around June 17-18, 2012. One of the computers contained the PHI – including Social Security numbers – of 35 patients

Multiple HIPAA Failures Identified

OCR launched an investigation into the breaches to establish whether they were the result of failures to comply with HIPAA Rules. The investigation revealed a catalogue of HIPAA failures.

OCR established that the FMCNA covered entities had failed to conduct a comprehensive and accurate risk analysis to identify all potential risks to the confidentiality, integrity, and availability of ePHI: One of the most common areas of non-compliance with HIPAA Rules. If an accurate risk assessment is not performed, risks are likely to be missed and will therefore not be managed and reduced to an acceptable level.

OCR also discovered the FMCNA covered entities had impermissibly disclosed the ePHI of many of its patients by providing access to PHI that is prohibited under the HIPAA Privacy Rule.

Several other potential HIPAA violations were discovered at some of the FMCNA covered entities.

FMC Magnolia Grove did not implement policies and procedures governing the receipt and removal of computer hardware and electronic storage devices containing ePHI from its facility, and neither the movement of those devices within its facility.

FMC Magnolia Grove and FVC Augusta had not implemented encryption, or an equivalent, alternative control in its place, when such a measure was reasonable and appropriate given the risk of exposure of ePHI.

FMC Duval and FMC Blue were discovered not to have sufficiently safeguarded their facilities and computers, which could potentially lead to unauthorized access, tampering, or theft of equipment.

FMC Ak-Chin had no policies and procedures in place to address security breaches.

Financial Penalty Reflects the Seriousness and Extent of HIPAA Violations

The $3.5 million settlement is one of the largest issued to date by OCR to resolve violations of HIPAA Rules. In addition to paying the sizeable financial penalty, FMCNA has agreed to adopt a robust corrective actin plan to address all HIPAA failures and bring its policies and procedures up to the standard demanded by HIPAA.

The FMCNA covered entities must conduct comprehensive, organization wide risk analyses to identify all risks to the confidentiality, integrity, and availability of PHI and develop a risk management plan to address all identified risks and reduce them to a reasonable and acceptable level.

Policies and procedures must also be developed and implemented covering device, media, and access controls and all staff must receive training on current and new HIPAA policies and procedures.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Settlement Shows it is Not the Size of the Breach that Matters

All of the five breaches resulted in the exposure of relatively few patients’ PHI. No breach involved more than 235 records, and three of the breaches exposed fewer than 50 records.

The settlement shows that while the scale of the breach is considered when deciding on an appropriate financial penalty, it is the severity and the extent of non-compliance that is likely to see financial penalties pursued.

The settlement also clearly shows that OCR does investigate smaller breaches and will do so when breaches suggest HIPAA Rules have been violated.

The post $3.5 Million Settlement to Resolve HIPAA Violations That Contributed to Five Data Breaches appeared first on HIPAA Journal.

Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones.

Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis.

The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $115 million settlement with the New York Attorney General to resolve violations of federal and state laws.

Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had their privacy violated by the September mailing.

The settlement agreement explains that more than 90% of patients diagnosed with HIV face discrimination and prejudice, and approximately one in eight individuals with HIV are denied health services as a result of the stigma associated with HIV and AIDS. A breach of HIV information can therefore have severe repercussions for the victims.

New York has implemented strict laws that require HIV information to be kept secure and confidential to ensure its residents are not discouraged from coming forward to be tested and treated for HIV. It is therefore important that action is taken against organizations and individuals who violate state laws by disclosing HIV information.

As a HIPAA-covered entity, Aetna is bound by the regulations and is required to implement safeguards to ensure the confidentiality of health and HIV information. Several laws in New York also require safeguards to be implemented to protect personal health information and personally identifiable information.

Not only were state and federal laws violated by the mailing, Aetna provided the personal health information of its members to outside counsel who in turn gave that information to a settlement administrator. While the outside counsel was a business associate of Aetna and had signed a business associate agreement, its subcontractor, the settlement administrator, was also a business associate yet no business associate agreement was entered into prior to the disclosure of PHI. A further violation of HIPAA Rules.

The office of the attorney general determined Aetna’s two mailings violated 45 C.F.R § 164.502; 42 U.S.C. § 1320d-5 of HIPAA, N.Y General Business Law § 349, N.Y Public Health Law § 18(6), and N.Y Executive Law § 63(12).

The settlement agreement also draws attention to the fact that Aetna had reported a further three HIPAA breaches to the Office for Civil Rights in the past 24 months, which in total impacted more than 25,000 individuals.

In addition to the financial penalty, Aetna has agreed to update its policies, procedures and controls to enhance the privacy protections for its members and protect them from negligent disclosures of personal health information and personally identifiable information through its mailings.

“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” said Attorney General Eric T. Schneiderman. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”

This may not be the last financial penalty Aetna has to cover in relation to the mailings. This $115 million settlement only resolves the privacy violations of 2,460 Aetna members in New York state. The mailing was sent to around 13,000 Aetna members across the United States. It is possible that other states will similarly take action over the privacy violations. The Department of Health and Human Services’ Office for Civil Rights is also investigating the data breach and may choose to penalize the insurer for violating HIPAA Rules.

The post Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case appeared first on HIPAA Journal.

Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records

The Topeka, KS-based healthcare company Pearlie Mae’s Compassion and Care LLC and its owners have been fined by the Kansas Attorney General for failing to protect patient and employee records. The healthcare provider has agreed to pay a civil monetary of $8,750.

The HITECH Act gave attorneys general the authority to enforce HIPAA rules and take action against HIPAA-covered entities and business associates that are discovered not to be in compliance with HIPAA regulations. Only a handful of state attorneys general have exercised those rights, with many opting to pursue privacy violations under state laws.

In this case, Attorney General Derek Schmidt issued the civil monetary penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act.

Special agents of the Kansas attorney general’s office were assisting the Topeka Police Department execute a search warrant in June 2017 at the home of Ann Marie Kaiser, one of the owners of Pearlie Mae’s Compassion and Care. Kaiser’s home was used as an office location for the company. While at the property, the agents noticed unsecured medical records in open view.

The paperwork included personal information, which includes, social security numbers, driver’s license numbers, financial account numbers, which could be used to harm the persons whose information is compromised. Such information could have been viewed by anyone in the property, including individuals unauthorized to access the information.

The civil penalty was issued for the failure to maintain reasonable procedures and practices appropriate to the nature of information held, the failure to exercise reasonable care to protect personal information, and the failure to take reasonable steps to destroy records when they were no longer required – violations of K.S.A. 50-6,139b(b)(l) and K.S.A. 50-6,139b(b)(2).

In addition to covering the financial penalty, Pearlie Mae’s has agreed to update its policies and procedures to ensure compliance with the Wayne Owen Act and will also cover the costs – $1,250 – incurred by the Attorney general office during its investigation.

The post Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records appeared first on HIPAA Journal.

Analysis of Healthcare Data Breaches in 2017

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity.  So how has 2017 been?

There Were at Least 477 Healthcare Data Breaches in 2017

In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at rate of more than one per day.

There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches.

There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was a massive reduction in the number of breached records. In 2016, there were 27,314,647 records exposed/stolen. The 407 healthcare data breaches in 2017 resulted in the exposure/theft of 5,579,438 records.

In 2017, there were no million-record+ breaches. The largest security incident was a breach of 697,800 records. That breach was an insider incident where a healthcare employee downloaded PHI onto a USB drive and CD.

Main Causes of Healthcare Data Breaches in 2017

There were two causes of healthcare data breaches in 2017 that dominated the breach reports – Hacking/IT incidents and insider breaches, both of which were behind 37% of the year’s breaches. 178 incidents were attributed to hacking/IT incidents. There were 176 breaches caused by insider wrongdoing or insider errors.

Hacking/IT incidents resulted in the exposure/theft of 3,436,742 records, although detailed data is only available for 144 of those breaches. In 2016, 86% of breaches were attributed to hacking/IT incidents. In 2016, 120 hacking incidents were reported which resulted in the exposure/theft of 23,695,069 records. The severity of hacks/insider incidents was therefore far lower in 2017, even though hacking incidents were more numerous.

What is clear from the breach reports is a major increase in malware/ransomware attacks, which were at more than twice the level seen in 2016. This could be explained, in part, by the issuing of new guidance from OCR on ransomware attacks. OCR confirmed that ransomware attacks are usually reportable security incidents under HIPAA Rules. Until the issuing of that guidance, many healthcare organizations did not report ransomware attacks unless it was clear that data had been stolen or viewed prior to or during the attack.

Insider breaches continue to plague the healthcare industry. Data is available for 143 of the 176 data breaches attributed to insiders. 1,682,836 records were exposed/stolen in those incidents. While the totals are still high, there were fewer insider incidents in 2017 than 2016, and the incidents resulted in fewer exposed records. There were 192 insider-related incidents in 2016 and those incidents resulted in the exposure/theft of 2,000,262 records.

Protenus broke down the incidents into insider error – mistakes made by healthcare employees – and insider wrongdoing, which included theft and snooping. The breakdown was 102 insider errors and 70 cases of insider wrongdoing. Four incidents could not be classified as either. One of the cases of snooping lasted for an astonishing 14 years before it was discovered.

While theft of PHI by employees is difficult to eradicate, arguably the easiest cause of healthcare data breaches to prevent is theft of electronic devices containing unencrypted PHI. If devices are encrypted, if they are stolen the incidents do not need to be reported. There has been a steady reduction in theft breaches over the past few years as encryption has been more widely adopted. Even so, 58 breaches (16%) were due to theft. Data is available for 53 of those incidents, which resulted in the exposure of 217,942 records. The cause of 47 healthcare data breaches in 2017 could not be determined from the data available.

Breached Entities and Geographic Spread

The breaches affected 379 healthcare providers (80%), 56 health plans (12%), and 4% involved other types of covered entity. Business associate reported 23 incidents (5%) although a further 66 breaches (14%) reported by covered entities had some business associate involvement. Figures are known for 53 of those breaches, which resulted in the exposure/theft of 647,198 records.  Business associate breaches were lower than in 2016, as was the number of records exposed by those breaches.

There were breaches by covered entities and business associates based in 47 states, Puerto Rico and the District of Columbia. Interestingly, three states were free from healthcare data breaches in 2017 – Hawaii, Idaho, and New Mexico. California was the worst hit with 57, followed by Texas on 40, and Florida with 31.

Slower Detection, Faster Notification

Reports of healthcare data breaches in 2017 show that in many cases, breaches are not detected until many months after the breach occurred. The average time to discover a breach, based on the 144 incidents for which the information is known, was 308 days. Last year the average time to discover a breach was 233 days. It should be noted that the data were skewed by some breaches that occurred more than a decade before discovery.

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) allows up to 60 days from the discovery of a breach to report the incident. The average time to report a breach, based on the 220 breaches for which information was available, was 73 days. Last year the average was 344 days.

The faster reporting may have been helped by the OCR settlement with Presense Health in January for delaying breach notifications – The first HIPAA penalty solely for late breach notifications.

Overall there were several areas where the healthcare industry performed better in 2017, although the report shows there is still considerable room for improvement, especially in breach prevention, detection and reporting.

The post Analysis of Healthcare Data Breaches in 2017 appeared first on HIPAA Journal.

Analysis of Q4 2017 Healthcare Security Breaches

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported.

There were 27 healthcare security breaches reported in September, following by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches.

Q4 2017 Healthcare Security Breaches by Month

Accompanied by the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.

 Largest Q4, 2017 Healthcare Security Breaches


Covered Entity Entity Type Number of Records Breached Cause of Breach
Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident
Henry Ford Health System Healthcare Provider 43563 Theft
Coplin Health Systems Healthcare Provider 43000 Theft
Pulmonary Specialists of Louisville, PSC Healthcare Provider 32000 Hacking/IT Incident
SSM Health Healthcare Provider 29579 Unauthorized Access/Disclosure
UNC Health Care System Healthcare Provider 27113 Theft
Emory Healthcare Healthcare Provider 24000 Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC) Healthcare Provider 22000 Loss
Chase Brexton Health Care Healthcare Provider 16562 Hacking/IT Incident
Hackensack Sleep and Pulmonary Center Healthcare Provider 16474 Hacking/IT Incident
Longs Peak Family Practice, P.C. Healthcare Provider 16238 Hacking/IT Incident
Shop-Rite Supermarkets, Incorporated Healthcare Provider 12172 Improper Disposal
Sinai Health System Healthcare Provider 11347 Hacking/IT Incident
The Medical College of Wisconsin, Inc. Healthcare Provider 9500 Hacking/IT Incident
Golden Rule Insurance Company Health Plan 9305 Unauthorized Access/Disclosure


There was a steady increase in breached records each month in Q4. In October, 71,377 records were breached, rising to 107,143 records in November and 341,621 records in December. Even December’s high total was lower than any month in the previous quarter.

Q4 2017 Healthcare Security Breaches - breached records


Hacking/IT incidents tend to involve the highest number of exposed/stolen records and Q4 was no exception. 7 of the top 15 security incidents (47%) were due to hacks and IT incidents. Loss and theft incidents accounted for 27% of the worst healthcare security breaches in Q4, followed by unauthorized access/disclosures on 20%.

Causes of Q4 2017 Healthcare Security Breaches


While hacking/IT incidents resulted in the exposure/theft of the most records, unauthorized access/disclosure incidents were the most numerous. Out of the 86 reported healthcare security breaches in Q4, 33 were unauthorized access/disclosures (38.37%). There were 29 hacking/IT incidents (33.7%), and 20 incidents (23.3%) involving the loss/theft of PHI and electronic devices containing ePHI. Four incidents (4.7%) involved the improper disposal of PHI/ePHI.

In Q4, paper records/films were involved in the most breaches, showing how important it is to physically secure records. 21 incidents (24.4%) involved physical records. As was the case in Q3, email was also a top three cause of breaches, with many healthcare organizations suffering phishing attacks in Q4. Network server attacks completed the top three locations of breached PHI.

Q4 2017 Healthcare Security Breaches - location of breached PHI



Healthcare providers reported the most security breaches in Q4, following by health plans and business associates of HIPAA-covered entities, as was the case for most of 2017.

Q4 2017 Healthcare Security Breaches by covered entity


In Q4, 2017, healthcare organizations based in 35 states reported security breaches. Unsurprisingly, being the most populous state in the US, California topped the list for the most reported healthcare security breaches with 7 incidents in Q4.

In close second on 6 breaches were Florida and Maryland, followed by New York with 5 incidents. Kentucky, Michigan, and Texas each had four reported breaches, and Colorado, Illinois, New Jersey, and Pennsylvania each suffered 3 incidents.

Q4 2017 Healthcare Security Breaches - by state




The post Analysis of Q4 2017 Healthcare Security Breaches appeared first on HIPAA Journal.