Latest HIPAA News

Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000.

MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary.

Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days between May 7 and May 26, 2015. 239 of its healthcare clients were impacted by the breach.

OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules.

OCR discovered MIE had failed to conduct an accurate and thorough risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – a violation of the HIPAA Security Rule 45 C.F.R. § 164.308(a)(1)(ii)(A).

As a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI, in violation of 45 C.F.R. § 164.502(a).

MIE chose to settle the case with OCR with no admission of liability. In addition to paying a financial penalty, MIE has agreed to adopt a corrective action plan that requires a comprehensive, organization-wide risk analysis to be conducted and a risk management plan to be developed to address all identified risks and reduce them to a reasonable and acceptable level.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

While the settlement releases MIE from further actions by OCR over the above violations of HIPAA Rules, MIE is not out of the woods yet. In December 2018, a multi-state lawsuit was filed against MIE by 12 state attorneys general over the breach.

The lawsuit alleged there was a failure to implement adequate security controls, that known vulnerabilities had not been corrected, encryption had not been used, security awareness training had not been provided to staff, and there were post-breach failures at MIE. That lawsuit has yet to be resolved. It could well result in a further financial penalty for MIE.

This is OCR’s second financial penalty of 2019. Earlier this month, a $3,000,000 settlement was agreed with Touchstone Medical Imaging to resolve multiple HIPAA violations, several of which were related to the delayed response to a data breach.

The post Medical Informatics Engineering Settles HIPAA Breach Case for $100,000 appeared first on HIPAA Journal.

PHI of 1.5 Million Individuals Exposed Online by Inmediata

In April, Inmediata, a provider of clearinghouse services to healthcare organizations, announced that the protected health information of certain patients had been exposed online as a result of a misconfigured setting on an internal web page.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 1,565,338 individuals had their PHI exposed. That makes the data breach the largest to be reported in 2019.

The information had been made available to employees through an internal web page, but the failure to configure that page correctly allowed the data to be made accessible over the internet without the need for authentication. The page was indexed by Google and patient information could be found through online searches.

The information had been provided by hospitals, health plans, and independent physicians and included names, addresses, dates of birth, gender, claims data and, for a small number of patients, Social Security numbers.

Inmediata immediately deactivated the web page when it was discovered that patient information had been exposed and a computer forensics firm was retained to conduct an investigation to determine whether any patient information had been accessed by unauthorized individuals during the time it was available online.

While the investigation did not uncover any evidence to suggest that information had been accessed or copied by unauthorized individuals, it was not possible to rule out unauthorized data access entirely.

Inmediata started sending breach notification letters to affected individuals on April 22, 2019. As if suffering such a large data breach was not bad enough, there were further impermissible disclosures of protected information in the breach response.

Individuals reported receiving breach notification letters addressed to other individuals. In addition, several individuals complained that it was not made clear who the company was and why it had their personal information.



April 2019 Healthcare Data Breach Report

April was the worst ever month for healthcare data breaches. More data breaches were reported than in any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years.

While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – a 23.9% reduction from March. While the breaches in April were smaller, the increase in the number of breaches is of great concern, especially the rise in the number of healthcare phishing attacks.

Largest Healthcare Data Breaches in April 2019

Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – a ransomware attack that exposed the records of 206,695 patients.

The ransomware was deployed 7 months after the attacker had first gained access to its systems. The initial access was gained via Remote Desktop Protocol (RDP) on a workstation.

The second largest data breach was reported by the healthcare provider Centrelake Medical Group. The breach resulted in the exposure of 197,661 patients’ PHI and was also a ransomware attack that prevented patient information from being accessed. While the delay between access to the servers being gained and the ransomware being deployed was not as long, it also appeared that the attacker had been exploring the network prior to deploying the malicious software. Access to the server was gained 6 weeks prior to the ransomware being deployed. Ransomware was also used in the attack on ActivYouth Orthopaedics.

Covered Entity | Entity Type | Records Exposed | Breach Type | Location of Breached PHI
Doctors Management Services, Inc. | Business Associate | 206,695 | Hacking/IT Incident | Network Server
Centrelake Medical Group, Inc. | Healthcare Provider | 197,661 | Hacking/IT Incident | Network Server
Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute | Healthcare Provider | 35,000 | Unauthorized Access/Disclosure | Electronic Medical Record
EmCare, Inc. | Healthcare Provider | 31,236 | Hacking/IT Incident | Email
Kim P. Kornegay, DMD | Healthcare Provider | 27,000 | Theft | Desktop Computer, Electronic Medical Record, Paper/Films
Pediatric Orthopedic Specialties, PA, dba ActivYouth Orthopaedics | Healthcare Provider | 24,176 | Hacking/IT Incident | Network Server
Health Recovery Services, Inc. | Healthcare Provider | 20,485 | Unauthorized Access/Disclosure | Network Server
Baystate Health | Healthcare Provider | 11,658 | Hacking/IT Incident | Email
Riverplace Counseling Center, Inc. | Healthcare Provider | 11,639 | Hacking/IT Incident | Network Server
Minnesota Department of Human Services | Healthcare Provider | 10,263 | Hacking/IT Incident | Email

Causes of April 2019 Healthcare Data Breaches

Hacking/IT incidents outnumbered unauthorized access/disclosure incidents by 2 to 1 in April. 28 of the reported breaches of 500 or more records were due to hacking/IT incidents. There were 14 unauthorized access/disclosure incidents, two cases of theft of PHI, one reported case of loss of paperwork, and one case of improper disposal of PHI.

While 2018 saw a decline in the number of ransomware attacks across all industry sectors, the number of ransomware attacks is increasing once again, and healthcare is the most attacked industry. Remote Desktop Protocol is often exploited to gain access to servers and workstations in order to deploy ransomware.

In May, a Forescout study revealed that the use of vulnerable protocols is common in the healthcare industry. Risk can be reduced by disabling these protocols and, if RDP must be used, by only using it through a VPN.

Phishing attacks also increased considerably in April, which highlights just how vulnerable healthcare organizations are to this type of attack. Advanced anti-phishing and anti-spam solutions can reduce the volume of malicious emails that reach inboxes and, combined with regular security awareness training, can reduce risk.

The use of multi-factor authentication is also important. In the event of credentials being compromised, MFA will prevent those credentials from being used to gain access to PHI. MFA is not infallible, but it can ensure risk is reduced to a reasonable and acceptable level. According to Verizon, most credential theft incidents would not have resulted in a data breach if MFA had been implemented.

Hacking/IT incidents resulted in the highest number of compromised records in April 2019 – 384,219 records or 55% of all compromised records in April. The mean breach size was 13,722 records and the median breach size was 4,008 records.

Unauthorized access/disclosure incidents resulted in the exposure of 264,016 records or 38% of the month’s total. While hacking incidents usually result in more records being compromised, these incidents were more severe and had a mean breach size of 18,858 records. The median breach size was 3,193 records.

31,810 records were exposed to loss or theft – 4.6% of the month’s total. The mean breach size was 10,603 records and the median breach size was 4,000 records.

Figure: April 2019 healthcare data breaches – breach cause

Location of Breached Protected Health Information

Email was the most common location of breached PHI in April. Email was involved in 22 data breaches – 47.8% of all breaches in April 2019. While this category includes misdirected emails, the majority of email breaches were due to phishing attacks.

Network servers were involved in 11 breaches – 23.9% of the month’s breaches – which include malware and ransomware attacks.

Physical records such as paperwork, charts, and films were involved in 6 breaches – 13% of the month’s total.

Figure: April 2019 healthcare data breaches – location of PHI

April Breaches by Covered Entity Type

April was a relatively good month for business associates of covered entities: only two breaches were reported by business associates and one further breach had some business associate involvement, although a business associate breach was the largest breach of the month.

6 health plans reported breaches in April and the remaining 38 breaches were reported by healthcare providers.

Figure: April 2019 healthcare data breaches by covered entity type

April 2019 Healthcare Data Breaches by State

Data breaches were reported by entities based in 21 states in April. California and Texas were the worst affected, with each state having 5 breaches. Florida, Minnesota, and Ohio each had four breaches, and there were 3 breaches reported by entities in Illinois.

Idaho, Massachusetts, New York, Oregon, Tennessee, and Washington each had 2 breaches and one breach was reported in each of Alabama, Delaware, Louisiana, North Carolina, New Jersey, Pennsylvania, South Dakota, Utah, and West Virginia.

HIPAA Enforcement Activity in April 2019

There were no financial penalties issued by the HHS’ Office for Civil Rights or state Attorneys General in April 2019. The first OCR financial penalty of 2019 was issued in May – a $3,000,000 penalty for Touchstone Medical Imaging for the delayed response to a data breach in which the records of 307,839 patients were exposed.

In addition to the delayed response, there was a failure to issue breach notifications in a reasonable time frame, a failure to notify the media about the breach, two business associate agreement (BAA) failures, insufficient access rights, and a risk analysis failure.


New Report Uncovers Serious Holes in Healthcare Cybersecurity

The sorry state of healthcare cybersecurity has been highlighted by a recent Forescout study. The study revealed the healthcare industry is overly reliant on legacy software, vulnerable protocols are extensively used, and medical devices are not properly secured.

75 global healthcare deployments were analyzed for the study, which comprised more than 1.5 million devices operating on 10,000 virtual local area networks (VLANs).

The majority of those devices were running on legacy systems. While just 1% of devices used unsupported operating systems such as Windows XP, 71% had operating systems that are rapidly approaching end-of-life such as Windows 7, Windows 2008, and Windows Mobile. In January 2020, all three of those operating systems will be at end-of-life and will no longer be supported by Microsoft.

The analysis revealed 85% of Windows devices had SMB running. It was a flaw in SMB that was behind the WannaCry ransomware attacks of 2017. Remote Desktop Protocol (RDP) is commonly used. 35% of devices did not have RDP disabled. The use of File Transfer Protocol (FTP) was also highly prevalent.

There has been a rapid deployment of a diverse range of connected medical devices such as infusion pumps, patient monitors, tracking and identification tools, and imaging systems. The number and variety of devices that connect to healthcare networks has greatly increased the attack surface. Those devices have introduced considerable security risks which, in many cases, have not been effectively mitigated.

The sheer number of devices and different operating systems is causing major headaches for IT security teams. The study revealed 40% of deployments used more than 20 different operating systems. 41% of VLAN platforms used a variety of mobile, network, and embedded infrastructure and 34% of healthcare deployments had more than 100 vendors connecting to the network. Many vendors are responsible for patching their systems and healthcare IT teams are unaware if those patches have been correctly applied.

While it is important to ensure that all devices are secured, first IT teams must identify all devices that connect to the network, which is a major challenge especially following mergers and acquisitions. There have been many cases of devices being used without the knowledge or oversight of the IT department.

The complexity of healthcare networks makes security difficult to manage and the variety of devices and operating systems makes patching a gargantuan task. It is often not possible to keep on top of patching and software updates. In some cases, medical devices cannot be patched to correct known vulnerabilities and legacy apps may not work on newer operating systems. It is not uncommon for vendor approval to be required before patches can be applied. Acute care providers cannot easily take critical care systems offline without jeopardizing patient care, which means vulnerabilities often cannot be addressed.

One of the solutions to improve security and decrease the attack surface is to segment networks and ensure vulnerable devices and systems are kept separate from other parts of the network and are not Internet-facing. Restrictions also need to be implemented to ensure that devices and systems can only be accessed by individuals who need access for their day to day work duties.

However, this best practice is not particularly evident in the data analyzed for the study. Only a small number of VLANs were being used for medical devices, which suggests many healthcare providers are not using network segmentation to a large extent.

Forescout researchers do concede that applying network segmentation best practices across the organization and managing and enforcing segmentation can be a challenge, but it is necessary to improve security. Forescout also recommends enabling agentless discovery of all devices, identifying and auto-classifying devices, and ensuring all devices are continuously monitored.

“It’s critical for healthcare organization security and risk management leaders to look at securing all devices across the extended enterprise. Solely focusing on securing medical devices rather than securing all device classes can cause significant gaps in your security posture,” wrote the researchers. “A holistic approach to security requires continuous visibility and control over the entire connected-device ecosystem—including understanding the role a device visibility and control platform can play in orchestrating actions among heterogeneous security and IT management tools.”


Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks

On Tuesday May 14, 2019, Microsoft released a patch to fix a ‘wormable’ flaw in Windows, similar to the vulnerability that was exploited in the WannaCry ransomware attacks in May 2017.

The flaw is a remote code execution vulnerability in Remote Desktop Services – formerly Terminal Services – that can be exploited via RDP.

The flaw (CVE-2019-0708) can be exploited by sending specially crafted requests over RDP to a vulnerable system. No authentication is required and the flaw can be exploited without any user interaction.

If exploited, malware could propagate from one compromised computer to all other vulnerable computers on a network. If ransomware exploited the vulnerability, healthcare organizations could experience widespread file encryption and major disruption to operations.

Microsoft has not received any reports to suggest the flaw is being actively exploited at present, but it is almost certain that exploits will be developed for the vulnerability and that those exploits will be incorporated into malware.

The vulnerability is not present in Windows 8 and Windows 10, only older Windows versions. However, it is of concern for the healthcare industry as many healthcare organizations are still using older, vulnerable operating systems.

Patches have been released for Windows 7, Windows Server 2008, and Windows Server 2008 R2. The flaw is so serious that Microsoft has taken the unusual step of issuing patches for Windows XP and Windows Server 2003, even though both operating systems are no longer supported.

A workaround is available for all organizations that use the above operating systems but are not able to apply the patch. In such cases, TCP port 3389 should be blocked and Network Level Authentication should be enabled to prevent the flaw from being exploited. Given the speed at which vulnerabilities are exploited once a patch has been released, it is imperative that the patch or workaround is implemented as a priority.
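The following read-only audit script is an added example, not code from the HIPAA Journal article or from Microsoft. It reports whether a host falls in the affected Windows range and whether the two workaround steps named above (TCP port 3389 blocked, Network Level Authentication required) are in place; it assumes it is run in an elevated prompt on the host itself, uses only cmdlets available in PowerShell 2.0 so it also works on Windows 7 / Server 2008 R2, and changes no settings.

```powershell
# Added example: audit the CVE-2019-0708 workaround (block TCP 3389, require NLA).
# Read-only; assumes an elevated prompt on the host being checked.

$RdpPort = 3389
$TsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$TcpKey  = "$TsKey\WinStations\RDP-Tcp"

function Get-RegistryDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-InAffectedOsRange {
    # The article: Windows 8 and 10 are not affected, older versions are.
    # NT 5.1/5.2 = XP / Server 2003, NT 6.0/6.1 = Server 2008 / 7 / 2008 R2.
    $v = [System.Environment]::OSVersion.Version
    return ($v.Major -lt 6) -or ($v.Major -eq 6 -and $v.Minor -le 1)
}

function Test-RdpPortBlockedByFirewall {
    # Looks for an enabled inbound Windows Firewall rule that blocks TCP/3389
    # via the HNetCfg.FwPolicy2 COM API (Vista and later).
    # Protocol 6 = TCP, Direction 1 = inbound, Action 0 = block.
    try {
        $policy = New-Object -ComObject HNetCfg.FwPolicy2
        foreach ($rule in $policy.Rules) {
            if ($rule.Enabled -and $rule.Direction -eq 1 -and $rule.Action -eq 0 -and
                $rule.Protocol -eq 6 -and "$($rule.LocalPorts)" -eq "$RdpPort") {
                return $true
            }
        }
    } catch { Write-Warning "Firewall COM API unavailable: $_" }
    return $false
}

function Test-RdpPortListening {
    # netstat exists on every affected Windows version, so it is the ground
    # truth for whether Remote Desktop Services is actually reachable locally.
    $matches = netstat -an -p TCP | Select-String -Pattern ":$RdpPort\s"
    foreach ($m in $matches) { if ($m.Line -match 'LISTENING') { return $true } }
    return $false
}

function Get-Cve20190708WorkaroundReport {
    $rdpDisabled = (Get-RegistryDword $TsKey  'fDenyTSConnections') -eq 1
    $nlaRequired = (Get-RegistryDword $TcpKey 'UserAuthentication')  -eq 1
    $blocked     = Test-RdpPortBlockedByFirewall
    $affected    = Test-InAffectedOsRange

    # Following the article, both steps count as the workaround: a blocked port
    # makes RDS unreachable today, NLA keeps protection if the rule is loosened.
    # Neither replaces the patch; this only says whether the stop-gap is present.
    $mitigated = (-not $affected) -or $rdpDisabled -or ($blocked -and $nlaRequired)

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        OsVersion          = [System.Environment]::OSVersion.VersionString
        InAffectedOsRange  = $affected
        RdpDisabled        = $rdpDisabled
        RdpConfiguredPort  = Get-RegistryDword $TcpKey 'PortNumber'
        NlaRequired        = $nlaRequired
        Port3389Blocked    = $blocked
        Port3389Listening  = Test-RdpPortListening
        WorkaroundInPlace  = $mitigated
    }
}

Get-Cve20190708WorkaroundReport | Format-List
```

A host that reports InAffectedOsRange = True and WorkaroundInPlace = False with Port3389Listening = True is exactly the exposure the article describes and should be patched or isolated first.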

It was slow patching that allowed the 2017 WannaCry attacks to succeed. Those attacks clearly demonstrated that many organizations are slow to apply patches, even those that address critical and actively exploited vulnerabilities.

The WannaCry attacks occurred in May 2017 yet the patch to address the flaw – MS17-010 – was released by Microsoft in March. Had the patch been applied promptly, the attacks would not have been possible.

The UK’s National Health Service (NHS) was badly affected by WannaCry. Around one third of all NHS Trusts and 8% of GP practices were affected. The attacks cost the NHS an estimated £92 million and resulted in the cancellation of 19,000 appointments. The global cost of WannaCry has been estimated to be $4 billion.

Attacks exploiting CVE-2019-0708 have the potential to be much worse than WannaCry. It is unlikely that a malware variant developed to exploit the vulnerability will contain such an easily activated kill switch as WannaCry did.

In addition to the wormable vulnerability, Microsoft has issued updates to correct a further 21 critical flaws, including one that is being actively exploited and another that was disclosed publicly prior to a patch being released. Patches have also been released to address a new type of vulnerability in Intel processors. The Microarchitectural Data Sampling (MDS) flaws could allow a threat actor to deploy malware that can obtain sensitive data from applications, virtual machines, operating systems and trusted execution environments.


Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records

Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc. have been charged by the U.S. Department of Justice.

32-year-old Fujie Wang and an unnamed man have been charged in a 4-count indictment in relation to the Anthem cyberattack and theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.”

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

According to the indictment, the international hacking scheme saw Wang and other members of the hacking group conduct highly sophisticated cyberattacks on businesses starting in February 2014. Those attacks continued until at least January 2015.

The attacks started by sending spear phishing emails to employees of the targeted businesses. Those emails contained hyperlinks to a malicious website. When the links were clicked, they triggered the download of a file containing a malware downloader. When the file was executed, a backdoor was installed in the system that gave the hackers access to the business network through a server controlled by the hackers. Wang has been accused of registering two domains that were used for the spear phishing attack and for communicating with the malware.

After gaining access to business networks, the hackers moved laterally searching for information of interest, in some cases waiting months before proceeding with the attack. In the case of the attack on Anthem, its systems were accessed on multiple occasions between October and November 2014. The aim was to find sensitive business information and the personally identifiable information of its plan members, according to the indictment.

Once sensitive data had been identified, it was combined into encrypted archive files and was exfiltrated through a variety of computers to destinations in China. The vast quantities of data were exfiltrated from Anthem on multiple occasions in January 2015. After data was exfiltrated, the hackers deleted the archive files in an attempt to avoid detection. The attacks on the other businesses were linked to Wang via the two domains used in the Anthem attack.

The FBI was able to launch its investigation promptly because the attacked companies reported the breaches to the FBI, and their continued cooperation with the investigation allowed the FBI to identify the individuals behind the cyberattacks.

The speed at which Anthem notified the FBI about the attack was a key factor in being able to determine who was responsible for the breach. FBI Special Agent in Charge Grant Mendenhall said “[This] should serve as an example to other organizations that might find themselves in a similar situation.”

Assistant Attorney General Benczkowski said “The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur.”


Key Findings of the 2019 Verizon Data Breach Investigations Report

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of the report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe.

The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape. The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources.

The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below:

  • C-Suite executives are 12 times more likely to be targeted in social engineering attacks than other employees
  • Cyberespionage attacks increased from 13% of incidents in 2018 to 25% in 2019
  • Financially motivated breaches fell from 76% to 71%
  • Phishing is involved in 32% of breaches and 78% of cyberespionage incidents
  • 90% of malware arrived via email
  • 60% of web application attacks were on cloud-based email servers
  • Most email threats and BEC attacks only resulted in data breaches because multi-factor authentication had not been implemented
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved insiders
  • 43% of cyberattacks were on small businesses
  • Ransomware is the second biggest malware threat and accounts for 24% of breaches
  • There has been a six-fold decrease in attacks on HR personnel
  • Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

C-Suite Executives Beware!

C-suite executives are being extensively targeted by cybercriminals and for good reason. They are likely to have high-level privileges, so their accounts and credentials are more valuable. Compromised email accounts can be used for social engineering, phishing, and BEC attacks on other members of the organization and vendors.

Attacks on the C-suite are 12 times more likely than on other employees and C-suite executives are 9 times more likely to be the target of social incidents. These figures show just how important it is for C-suite executives to receive regular security awareness training.

These attacks are part of a trend of cybercriminals choosing the path of least resistance. Why invest time and money into hacking a company when an email can be sent to the CEO or CFO requesting a fraudulent transfer? Hacking a C-suite email account and using it to send wire transfer requests is simple, effective, and highly profitable.

Figures from the FBI, a new DBIR partner in 2019, show that the median loss due to BEC attacks is a few thousand dollars. However, there are as many attacks with losses between zero and the median as there are with losses between the median and $100 million. 12% of all breaches were the result of business email compromise attacks.

Cyberattacks on the Healthcare Industry

The 2019 DBIR included 466 healthcare cybersecurity incidents, 304 of which involved confirmed data disclosures.

Out of all industry sectors analyzed, healthcare was the only industry where the number of incidents caused by insiders was greater than those caused by external threat actors. 59% of incidents involved insiders compared to 42% involving external threat actors. Breaches of medical information are 14 times more likely to be caused by doctors and nurses.

The primary motive for attacks on the healthcare industry was financial gain (83%), followed by fun (6%), convenience (3%), because a grudge was held (3%), and espionage (2%). 72% of breaches involved medical data, 34% involved personal information, and 25% involved credential theft.

81% of all healthcare cybersecurity incidents fell into one of three patterns: miscellaneous errors such as software misconfiguration, privilege misuse, and web application attacks.

Across all industries, ransomware is involved in 24% of attacks but 70% of those attacks were reported by healthcare organizations. It should be noted that, in most cases, ransomware attacks are reportable breaches under HIPAA. The overall number of attacks in other industry sectors may well be much higher, as many attacked companies choose not to report the incidents and just quietly pay the ransom.

Patterns Identified in Healthcare Data Breaches

Pattern | Number of Data Breaches
Miscellaneous Errors | 97
Privilege Misuse | 85
Web Applications | 65
Lost and Stolen Assets | 28
Everything Else | 27
Cyber-Espionage | 2
Point of Sale | 2
Crimeware | 1
Denial of Service | 0

Causes of Healthcare Data Breaches

Actions Involved | Incidents | Data Breaches
Error | 124 | 110
Misuse | 110 | 85
Hacking | 100 | 78
Social | 91 | 78
Malware | 85 | 7
Physical Theft | 47 | 17


Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach.

Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability.

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals.

As a result of the lack of access controls, files had been indexed by search engines and could be found by the public with simple Internet searches. Even when the server was taken offline, patient information could still be accessed over the Internet. The failure to secure the server constituted a violation of 45 C.F.R. § 164.312(a)(1).

The security breach was reported to OCR, but Touchstone initially claimed that no PHI had been exposed. OCR launched an investigation into the breach and during the course of that investigation Touchstone admitted that PHI had in fact been exposed. The types of information that could be accessed over the internet included names, addresses, dates of birth, and Social Security numbers.

In addition to the impermissible disclosure of 307,839 individuals’ PHI – a violation of 45 C.F.R. § 164.502(a) – OCR discovered the security breach had not been properly investigated until September 26, 2014: several months after Touchstone was initially notified about the breach by the FBI, and after notification had been given to OCR. The delayed breach investigation was a violation of 45 C.F.R. § 164.308(a)(6)(ii).

As a result of the delayed investigation, affected individuals did not receive notifications about the exposure of their PHI until 147 days after the discovery of the breach: well in excess of the 60-day maximum time limit for issuing notifications under the Breach Notification Rule. The delayed breach notices were a violation of 45 C.F.R. § 164.404. Similarly, a media notice was not issued about the breach for 147 days, in violation of 45 C.F.R. § 164.406.

During the course of its investigation, OCR discovered that Touchstone had failed to complete a thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI: a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR also identified two cases of Touchstone having failed to enter into a business associate agreement with vendors prior to providing access to systems containing ePHI.

OCR cites the use of an IT services company – MedIT Associates – without a BAA as a violation of 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b), and the use of a third-party data center, XO Communications, without a BAA as a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

In addition, in violation of 45 C.F.R. § 164.308(b), XO Communications continues to be used without a business associate agreement in place.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

The settlement comes just a few days after OCR announced it has reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. This settlement confirms that while minor HIPAA violations may now attract lower financial penalties, when serious violations of HIPAA Rules are discovered and healthcare organizations fail to take prompt action to correct violations, the financial penalties can be considerable.

The post Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures appeared first on HIPAA Journal.

Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy

Facebook is making changes to Facebook Groups used to discuss health conditions. The move comes following criticism that Facebook Groups were being promoted as private and confidential when information about participants in health groups was being made available to third parties for advertising purposes.

In January, a complaint was filed with the Federal Trade Commission alleging the content of private Facebook health groups had been shared with third parties. Some members of these health support groups claimed they had been targeted by advertisers who had offered products and services related to health conditions that had only ever been discussed in closed, private Facebook health groups.

The groups are used by individuals with health conditions to obtain advice and receive support. Groups have been set up to help people with a wide range of health conditions, including cancer, substance abuse disorder, and mental health issues. Information was being openly discussed by members of the groups in the belief that the groups were confidential. Not only were advertisers able to contact members of these groups, it was also possible for members of the public to find out the names of people who were members of the groups.

Facebook was accused of deceptively soliciting patients to sign up and use closed and private health groups when their personal health information was actually being used to generate advertising income.

In response to the complaint, Facebook has made changes that will allow users to post information anonymously in health groups. The groups will be given a special designation – Health Support Group – and will be treated differently from other Facebook Groups. Members of the groups will be allowed to request that group administrators post messages on their behalf. This measure will allow posts to be made that are not tied to a user’s Facebook profile, and the user’s name will not appear on those posts. The move was announced by Facebook founder Mark Zuckerberg at Facebook’s annual developer conference.

While the move is a step in the right direction and will help to ensure that comments can be posted in confidence, a group administrator will still be able to tie a comment to a particular user, and information discussed in the groups can still be used for advertising purposes.

Facebook is not an entity covered by HIPAA Rules, and neither is it a business associate of HIPAA-covered entities, so it is not required to comply with HIPAA’s Privacy and Security Rules. To protect the privacy of consumers, what is needed is a federal law that limits the collection and use of users’ sensitive information and prevents social media and other tech companies from engaging in deceptive practices.

This is not the only Facebook issue concerning health data to have come to light in recent months. Third-party health app developers were discovered to be sharing users’ data with Facebook, in some cases without users’ consent. The issue was highlighted in a report in the Wall Street Journal and was viewed by many as a serious violation of privacy. Facebook’s response was that its policies strictly prohibit app developers from sharing the sensitive health information of app users with Facebook, and that it is the responsibility of app developers to make sure sensitive information is not sent to Facebook.

The post Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy appeared first on HIPAA Journal.