Latest HIPAA News

OCR Reminds CEs of HIPAA Audit Control Requirements to Identify Inappropriate ePHI Access

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients.

Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were found to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. One case involved the viewing of a celebrity’s medical records by multiple staff members.

Late last week, OCR released its January Cyber Awareness Newsletter, which covered the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST distinguishes audit logs, the records of individual events generated by applications, systems, or users, from audit trails, the chronological record built from those logs that shows who did what, and when, on a system.

Most information systems include options for logging user activity: successful and failed access attempts, the devices used to log on, the duration of login sessions, and whether data have been viewed.

Audit trails are particularly useful when security incidents occur as they can be used to determine whether ePHI access has occurred and which individuals have been affected. Logs can be used to track unauthorized disclosures, potential intrusions, attempted intrusions, and in forensic analyses of data breaches and cyberattacks. Covered entities can also use logs and trails to review the performance of applications and to help identify potential flaws.

OCR confirmed that recording such data, and reviewing the resulting audit logs and audit trails, is a requirement of the HIPAA Security Rule (45 C.F.R. § 164.312(b)).

The HIPAA Security Rule requires covered entities to record audit logs and audit trails for review, although the Rule does not specify which data elements must be collected. The greater the range of information collected, the more thoroughly security incidents can be investigated. However, covered entities should carefully assess and decide which data elements are stored in logs: audit logs and trails are quicker and easier to review if they contain only relevant information.

The HIPAA Security Rule does not specify how often covered entities should conduct reviews of user activities, instead this is left to the discretion of the covered entity. Information gathered from audit logs and trails should be reviewed ‘regularly’.

A covered entity should determine the frequency of reviews based on the results of their risk analyses. Organizations should also consider organizational factors such as their technical infrastructure and hardware/software capabilities when determining the review period.

OCR also points out that a review of audit logs and trails should take place after any security incident, such as a suspected breach, although reviews should also be conducted during real-time operations. Due to the potential for audit log tampering, OCR reminds covered entities that “Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.”
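The two cases that opened this article, snooping by a single employee over more than a year and a celebrity record opened by several staff in a short period, are the patterns a periodic log review is meant to catch. The following is an added example, not code from the OCR newsletter or from HIPAA Journal, of the kind of detection logic a covered entity could run over its application audit trail. It assumes a simple CSV log with one record view per line (timestamp, user, patient), a table of documented treatment or payment relationships against which each view is checked, and thresholds (three users in an hour, unrelated views spanning 30 days) that are illustrative choices; the log lines and relationship table are constructed for the example.

```python
"""Review an ePHI access audit log for inappropriate access patterns.

Added example (not from the OCR newsletter or the HIPAA Journal article).
Assumes a CSV audit log with columns timestamp,user_id,patient_id and a
set of (user_id, patient_id) pairs with a documented treatment or payment
relationship. Both inputs below are constructed sample data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines (not real data).
AUDIT_LOG = """\
timestamp,user_id,patient_id
2016-11-01T09:02:11,nurse_01,P1001
2016-11-01T09:15:40,nurse_01,P1002
2016-11-01T10:03:05,clerk_07,P1002
2016-11-02T08:45:12,clerk_07,P1003
2016-11-02T11:20:33,nurse_01,P2001
2016-11-02T11:21:03,clerk_07,P2001
2016-11-02T11:22:50,tech_03,P2001
2016-11-02T11:24:17,doc_12,P2001
2016-11-02T11:30:00,doc_12,P1003
2017-01-05T14:00:00,clerk_07,P1001
"""

# Constructed encounter table: (user_id, patient_id) pairs with a
# documented reason to view the record (assumption: the EHR or billing
# system can export such a table).
ENCOUNTERS = {
    ("nurse_01", "P1001"), ("nurse_01", "P1002"),
    ("clerk_07", "P1002"), ("clerk_07", "P1003"),
    ("doc_12", "P1003"), ("doc_12", "P2001"),
}


def parse_log(text):
    """Parse the CSV audit log into dicts with datetime timestamps."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows


def accesses_without_relationship(events, encounters):
    """(user, patient) pairs viewed with no documented relationship."""
    return sorted({(e["user_id"], e["patient_id"]) for e in events
                   if (e["user_id"], e["patient_id"]) not in encounters})


def crowd_viewed_patients(events, min_users=3, window_minutes=60):
    """Patients viewed by >= min_users distinct users inside one window.

    Many staff opening the same record within minutes, with no care
    reason, is the 'celebrity record' pattern from the article.
    """
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e["patient_id"]].append((e["timestamp"], e["user_id"]))
    flagged = {}
    for pid, views in by_patient.items():
        views.sort()
        for i, (t0, _) in enumerate(views):
            users = {u for t, u in views[i:]
                     if (t - t0).total_seconds() <= window_minutes * 60}
            if len(users) >= min_users:
                flagged[pid] = sorted(users)
                break
    return flagged


def long_running_snoopers(events, encounters, min_days=30):
    """Users whose unrelated views span at least min_days.

    Both OCR cases involved snooping over 12+ months; a review that only
    looks at last week's log would miss a slow, persistent pattern.
    """
    stamps = defaultdict(list)
    for e in events:
        if (e["user_id"], e["patient_id"]) not in encounters:
            stamps[e["user_id"]].append(e["timestamp"])
    return {u: (max(ts) - min(ts)).days for u, ts in stamps.items()
            if (max(ts) - min(ts)).days >= min_days}


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    print("No documented relationship:",
          accesses_without_relationship(events, ENCOUNTERS))
    print("Crowd-viewed records:", crowd_viewed_patients(events))
    print("Persistent snoopers (days):",
          long_running_snoopers(events, ENCOUNTERS))
```

Run against the sample, the first check lists the four views with no documented relationship, the second flags P2001 (four users within four minutes), and the third flags clerk_07, whose unrelated views span 64 days. The relationship table is the expensive part in practice; the review cadence the article describes should be set so that the third check has enough history to work with.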

The post OCR Reminds CEs of HIPAA Audit Control Requirements to Identify Inappropriate ePHI Access appeared first on HIPAA Journal.

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000.

In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily.

Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.

While large-scale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has also resorted to financial penalties when relatively few individuals have been impacted. 2016 saw two settlements with organizations for breaches that affected fewer than 500 individuals (New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia) and one civil monetary penalty (Lincare Inc.).

A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:

Summary of 2016 HIPAA Settlements

Covered Entity | Date | Amount | Breach that triggered OCR investigation | Individuals impacted
University of Massachusetts Amherst (UMass) | November 2016 | $650,000 | Malware infection | 1,670
St. Joseph Health | October 2016 | $2,140,500 | PHI made available through search engines | 31,800
Care New England Health System | September 2016 | $400,000 | Loss of two unencrypted backup tapes | 14,000
Advocate Health Care Network | August 2016 | $5,550,000 | Theft of desktop computers, loss of laptop, improper access of data at business associate | 3,994,175 (combined total of three separate breaches)
University of Mississippi Medical Center | July 2016 | $2,750,000 | Unprotected network drive | 10,000
Oregon Health & Science University | July 2016 | $2,700,000 | Loss of unencrypted laptop / storage on cloud server without BAA | 4,361 (combined total of two breaches)
Catholic Health Care Services of the Archdiocese of Philadelphia | June 2016 | $650,000 | Theft of mobile device | 412 (combined total)
New York Presbyterian Hospital | April 2016 | $2,200,000 | Filming of patients by TV crew | Unconfirmed
Raleigh Orthopaedic Clinic, P.A. of North Carolina | April 2016 | $750,000 | Improper disclosure to business associate | 17,300
Feinstein Institute for Medical Research | March 2016 | $3,900,000 | Improper disclosure of research participants’ PHI | 13,000
North Memorial Health Care of Minnesota | March 2016 | $1,550,000 | Theft of laptop computer / improper disclosure to business associate (discovered during investigation) | 299,401
Complete P.T., Pool & Land Physical Therapy, Inc. | February 2016 | $25,000 | Improper disclosure of PHI (website testimonials) | Unconfirmed
Lincare, Inc. | February 2016* | $239,800 | Improper disclosure (unprotected documents) | 278

*Civil monetary penalty confirmed as lawful by an administrative law judge

The largest HIPAA settlement of 2016 –  and the largest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.

The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.

2017 has started with an early settlement with Presence Health. The $475,000 settlement was based solely on delayed breach notifications, the first time a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.

Looking forward into 2017 and beyond, the future of HIPAA enforcement activities is unclear. The new administration may cut funding for OCR which would likely have an impact on HIPAA enforcement.

This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will commence this year.

Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”

However, Jocelyn Samuels will be standing down as head of OCR and it is currently unclear who will take her place. While there are a number of suitable candidates for the position, incoming president Trump has a lot on his hands and the appointment of an OCR director is likely to be relatively low down the to-do list. When a new OCR director is appointed, we may find that he or she has different priorities for OCR’s budget.

What we can expect to see in 2017 is a continuation of enforcement actions that have already commenced. HIPAA breach investigations take time to conduct and settlements even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014 – and HIPAA violations that caused those breaches – may well see 2017 become another record-breaking year for HIPAA settlements.

The post OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements appeared first on HIPAA Journal.

$475,000 Settlement for Delayed HIPAA Breach Notification

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations.

Following a breach of PHI, the HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to all affected individuals advising them of the breach. Those letters need to be issued within 60 days of the discovery of the breach, although covered entities should not delay the issuing of breach notifications to patients or health plan members unnecessarily.

Additionally, if the breach affects more than 500 individuals, a breach report must be submitted to the Office for Civil Rights within 60 days, and the Breach Notification Rule also requires covered entities to issue a breach notice to prominent media outlets. Where contact details are out of date for 10 or more affected individuals, covered entities must also place a substitute breach notice in a prominent place on the company website (or in major print or broadcast media) to alert patients or plan members to the breach.

Smaller breaches impacting fewer than 500 individuals must also be reported to OCR, although covered entities can report these smaller breaches annually within 60 days of the end of the calendar year. Covered entities should note that state data breach laws may not permit such delays and that regardless of the number of individuals impacted by a breach, HIPAA requires patients to always be notified within 60 days of a PHI breach.

Presence Health experienced a breach of physical protected health information (PHI) in late 2013. Operating room schedules had been removed from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois, and could not be located. The documents contained sensitive data on 836 patients, including names, birth dates, medical record numbers, details of procedures performed, treatment dates, the types of anaesthesia provided, and the names of the surgeons who performed the operations.

Presence Health became aware that the documents were missing on October 22, 2013, yet OCR was not notified of the breach until January 31, 2014, more than a month after the 60-day HIPAA Breach Notification Rule deadline had passed.

OCR investigates all breaches of more than 500 records, and selected breaches of fewer than 500 records. The OCR investigation revealed that notification to OCR was issued 101 days after the breach was discovered, 41 days after the deadline for reporting the incident. Patients were notified of the breach 104 days after discovery, 44 days after the HIPAA Breach Notification Rule deadline. A media notice was issued, although not until 106 days after the breach was discovered, 46 days after the deadline.

Investigators determined that this was not the only instance in which breach notifications to patients had been delayed. Presence Health had experienced a number of smaller PHI breaches in 2015 and 2016, yet for several of those breaches, Presence Health did not provide affected individuals with timely breach notifications.

Announcing the resolution agreement and settlement, OCR Director Jocelyn Samuels said “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.” She went on to explain the reason why individuals need to be notified of PHI breaches promptly, saying “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The settlement should serve as a warning to HIPAA covered entities that unnecessary breach notification delays can have serious financial repercussions. 60 days is the maximum time frame for reporting (and announcing) PHI breaches, not a recommendation; the Rule requires notification without unreasonable delay.

The post $475,000 Settlement for Delayed HIPAA Breach Notification appeared first on HIPAA Journal.

Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks

A hacker going by the name Harak1r1 has taken advantage of a misconfigured MongoDB database containing 200,000 records of Emory Healthcare patients. The hacker copied the database, deleted the original, and issued a 0.2 Bitcoin ransom demand for its return.

Emory healthcare is the largest healthcare provider in Georgia with headquarters in Atlanta. The database contained the protected health information of patients of the Emory Brain Health Center. Information in the database includes patients’ names, addresses, email addresses, dates of birth, medical ID numbers, and phone numbers.

However, while the attack involves a ransom demand, Harak1r1 is not using ransomware. The Emory Healthcare database was accessed over the network, its contents copied, and the collections wiped. Emory Healthcare is far from the only victim: more than 4,000 organizations have been attacked by Harak1r1.

The attacks on misconfigured MongoDB databases were discovered by the ethical hacker Victor Gevers of GDI Foundation on December 27, 2016.

Gevers found a MongoDB database that had been left unsecured. When the database was accessed, instead of the expected data, it appeared to have been wiped clean and replaced with a ransom demand asking for 0.2 Bitcoin to recover the database. Gevers reports that the attacker gained access to the healthcare provider’s MongoDB database, exfiltrated it, and replaced the data with a new collection called Warning containing the ransom demand.

Gevers investigated and discovered numerous organizations had also been attacked. The victim count has been steadily rising over the past couple of weeks, from tens to hundreds to thousands.

Reports this morning indicate the total victim count has now surpassed 28,000. Norway-based security researcher Niall Merrigan is tracking the attacks along with Gevers. At the time of writing, the victim count has reached 28,321.

However, not all of the attacks have been conducted by Harak1r1. There now appear to be at least 13 individuals involved. One attacker from India has attacked and wiped the data of more than 16,000 organizations. Unfortunately, not all of the attackers are exfiltrating data before wiping it: organizations are being issued with ransom demands, but their databases have simply been deleted, so payment of the ransom may not result in data being recovered.

The good news is that the problem appears to only affect older installations of MongoDB that have been left in the default configuration. The bad news is that there are 99,000 or more of these unprotected databases according to Gevers.

In that configuration the database service listens on every network interface and does not require authentication, so anyone who can reach port 27017 over the Internet can read, copy, or drop its contents with a stock MongoDB client; no exploit or hacking tool is needed, and no username or password is asked for.

MongoDB, Inc., the company behind MongoDB, fixed the issue in the latest MongoDB version. Unfortunately, if MongoDB admins have not upgraded to the latest version or have not otherwise secured their MongoDB installations, their databases may be stolen or simply deleted.

Any organization that used MongoDB should take immediate action to ensure their installation is up to date and their data secured and backed up. The 0.2 Bitcoin ransom may not break the bank, but there is a high probability that data will simply be wiped. Should that happen, and a viable backup not exist, data will be permanently lost.
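The two settings that turn a MongoDB server into one of these 99,000 exposed databases are net.bindIp (which interfaces mongod listens on) and security.authorization (whether clients must authenticate). The following added example, not code from the article, the GDI Foundation or MongoDB, Inc., shows the exposed layout beside a hardened one and a small audit that reads a mongod.conf and reports the exposure. It uses a deliberately minimal parser that understands only the two-level section/key layout of a typical mongod.conf, so it runs without PyYAML; both configuration texts are constructed for the example, and the treatment of a missing bindIp as "all interfaces" reflects the pre-3.6 default (MongoDB 3.6 changed the default to localhost), which you should confirm against your own version.

```python
"""Audit a mongod.conf for the 'reachable over the Internet, no auth' exposure.

Added example; not from the HIPAA Journal article, GDI Foundation or
MongoDB, Inc. The parser handles only the 'section:\n  key: value' subset
of mongod.conf, not general YAML. Both configs below are constructed.
"""

# Constructed: the exposed layout the attacks rely on. mongod listens on
# all interfaces and clients are not required to authenticate.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed: hardened. Loopback only, and clients must authenticate.
# Applications on other hosts should reach it through TLS with a
# dedicated, least-privilege database user, not by widening bindIp.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text):
    """Parse the two-level 'section:\\n  key: value' subset into a dict."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):              # top-level section name
            section = line.rstrip(":").strip()
            conf[section] = {}
        else:                                     # indented key: value
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means no exposure found."""
    findings = []
    net = conf.get("net", {})
    # Assumption: a missing bindIp is treated as 'all interfaces', the
    # default before MongoDB 3.6. bindIpAll: true forces the same thing.
    if net.get("bindIpAll", "false").lower() == "true":
        public = {"0.0.0.0"}
    else:
        bind_ips = {ip.strip() for ip in net.get("bindIp", "0.0.0.0").split(",")}
        public = bind_ips - LOOPBACK
    if public:
        findings.append(f"listens on non-loopback address(es): {sorted(public)}")
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled'")
    if public and auth != "enabled":
        findings.append("CRITICAL: remotely reachable without credentials; "
                        "verify data and backups before it is wiped")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["ok"])
```

The exposed configuration yields three findings, the last of them critical; the hardened one yields none. A network-side check belongs alongside the file audit: if port 27017 answers from outside the host, the server is exposed regardless of what the configuration file says, and any "Warning" or "WARNING" collection where the data used to be means the wipe has already happened.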

The post Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks appeared first on HIPAA Journal.

Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach

The massive 2015 data breach at Anthem Inc., which resulted in the theft of more than 78.8 million health plan members’ records, was likely the work of a foreign government-backed hacker, according to a recent report issued by the California Department of Insurance.

Anthem Inc., the second largest health insurer in the United States, announced the cyberattack in February 2015, almost a month after the breach was discovered. The intrusion itself had begun almost a year earlier: Anthem’s database was found to have been first infiltrated on February 18, 2014.

Data stolen in the attack included members’ Social Security numbers, birth dates, employment details, addresses, email addresses, and medical identification numbers. The attackers bypassed multiple layers of cybersecurity defenses with a single phishing email sent to an employee of one of Anthem’s subsidiaries. The employee’s response to the email allowed the attacker to install malware on Anthem’s network, which in turn gave access to Anthem’s database of members. The attackers also managed to infiltrate 90 other information systems used by the insurer.

Anthem employed cybersecurity firm Mandiant to investigate the breach, although the independent investigation conducted by California Department of Insurance, with assistance from cybersecurity firm CrowdStrike and Alvarez & Marsal Insurance and Risk Advisory Services, has taken considerably longer to conduct. While Mandiant’s investigation centered on how the breach occurred, the individuals affected, and the extent of the breach, the California Department of Insurance’s investigation probed deeper and attempted to determine who was responsible.

It was only recently that the California state agency discovered a credible link between the cyberattack and a foreign-government backed hacker. No announcement has been made as to which foreign government has been linked to the attack. The California Department of Insurance chose not to announce details of the government suspected to be linked to the attack as a federal investigation is still ongoing. However, a number of cybersecurity firms have linked the malware used in the attack to China.

The California Department of Insurance investigation was led by seven insurance commissioners and involved 40 other state and territorial insurance commissioners. One of those insurance commissioners, Dave Jones, said “our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government.”

The investigators were able to identify the attacker with “a significant degree of confidence”, although they only had “a medium degree of confidence” that the attacker was backed by a foreign government. Previous cyberattacks linked to the foreign government suspected of assisting in the attack have not resulted in any stolen data being passed on to non-state actors, yet the data from the Anthem attack appears to have been passed on to non-state groups.

Preventing cyberattacks such as Anthem’s is difficult. A coordinated effort between government agencies and private sector firms is required. Jones said “Insurers and regulators alone cannot stop foreign government-assisted cyberattacks.”

The California Department of Insurance investigation also looked at the cybersecurity defenses Anthem had put in place prior to the breach, the actions taken immediately after the breach was discovered, and the plans put in place to protect members from harm. The investigators determined that the defenses in place to prevent cyberattacks were reasonable and that the plan implemented to resolve the breach was rapid and effective.

Vulnerabilities were discovered during the course of the investigation and were communicated to the insurer and incorporated into its remediation plan. After cybersecurity defenses were improved post-breach, the investigators arranged for Anthem’s new cybersecurity defenses to be penetration tested. The California Department of Insurance found the improvements to be reasonable.

Early estimates on the breach resolution costs suggested Anthem would have to pay in excess of $100 million. However, the cost to the insurer has been significantly higher. Anthem Inc., has spent $260 million just to shore up its cybersecurity defenses and improve its information systems to prevent further attacks. All individuals affected by the breach have been offered 2 years credit monitoring/protection services free of charge, and the company is currently embroiled in numerous class-action lawsuits. There is also the possibility that the Department of Health and Human Services’ Office for Civil Rights may take action against the insurer. The final cost of the Anthem breach will not be known for many months to come.

The post Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach appeared first on HIPAA Journal.

Fetal Tissue Firms Guilty of Systemic HIPAA Violations

The U.S. House of Representatives Select Investigative Panel has published the findings from its investigation into the sale of fetal tissue by abortion clinics, revealing systemic HIPAA violations by both abortion clinics and tissue procurement businesses.

An investigation was requested by the Energy and Commerce Subcommittee on Oversight and Investigations following revelations made by undercover journalist David Daleiden.

In 2015, Daleiden arranged a series of meetings with businesses involved in the fetal tissue procurement industry via the not-for-profit group Center for Medical Progress (CMP).

Daleiden secretly recorded abortion providers, and companies involved in the fetal tissue business, describing the business of buying and selling tissue from aborted fetuses. The recordings pointed to practices used by abortion clinics to obtain fetal tissue, including changing termination procedures in order to obtain more intact specimens and the use of illegal abortion procedures. The investigation showed how abortion clinics were selling fetal tissue to improve their bottom lines, with profit often placed above patient welfare.

The Select Investigative Panel’s 471-page report is the culmination of a yearlong investigation into the fetal procurement industry. The aim of the investigation was sixfold: To examine the medical procedures and business practices used by the industry; to investigate other relevant matters related to fetal procurement; to review federal funding and support for abortion service providers; to investigate the practice of second and third trimester abortions (including partial birth abortions); to assess medical procedures used to care for a child born alive; and to determine whether there was a need for law changes and/or further regulation of the industry.

The investigation centered on the tissue procurement company StemExpress and three Californian abortion clinics: Two operated by Planned Parenthood and one operated by Family Planning Specialists Medical Group.

Planned Parenthood and StemExpress Violated the HIPAA Privacy Rule

The investigation revealed that StemExpress and the Californian abortion clinics: Planned Parenthood Mar Monte (PPMM), Planned Parenthood Shasta Pacific (PPSP), and Family Planning Specialists Medical Group (FPS), routinely violated the Health Insurance Portability and Accountability Act’s Privacy Rule. The organizations’ HIPAA violations were found to be systemic and occurred over a 6-year period between 2010 and 2015.

While HIPAA Rules are in place to protect the privacy of healthcare patients and prevent unauthorized disclosures of individuals’ identifiable protected health information, the above abortion clinics were found to have impermissibly disclosed individuals’ PHI to facilitate the sale of human fetal tissue.

Further, some tissue procurement businesses misrepresented that the consent forms used, along with the methods employed to harvest fetal tissue, complied with federal regulations.

The Panel determined that tissue procurement businesses routinely violated the HIPAA privacy rights of women for the sole purpose of making money by selling fetal tissue, and were concerned with profit over patient welfare.

Impermissible Disclosures of PHI

The Panel determined that the fetal tissue trade “did not meet the exceptions for cadaveric organ, eye or tissue transplantation or for research,” and that the HIPAA Privacy Rule had been repeatedly violated. The abortion clinics were discovered to have allowed employees of StemExpress to enter their clinics, view patients’ PHI, interact with patients, and seek and obtain their consent to donate fetal tissues. However, consent to share PHI had not been obtained prior to sharing sensitive information with StemExpress. StemExpress was found to have violated HIPAA Rules by viewing the PHI of women without there being a medically valid reason for doing so.

No HIPAA Business Associate Agreements

The Panel also determined that the consent forms obtained by StemExpress “did not constitute sufficient authorizations for the disclosure of PHI,” and that the information disclosed to StemExpress was not “the minimum necessary information” as required by HIPAA. Abortion clinics are HIPAA-covered entities and their dealings with StemExpress made the company a HIPAA business associate, yet the clinics and StemExpress had not entered into a business associate agreement as required by HIPAA Rules.

While the clinics could have entered into a valid business associate agreement and provided PHI in accordance with HIPAA Rules, they did not, and instead impermissibly shared “the most intimate information about their patients,” and violated patients’ privacy.

The Select Investigative Panel determined that the disclosures were both deliberate and purposeful, with StemExpress employees being provided with full patient charts containing highly sensitive medical information.

While contractual agreements between the Planned Parenthood clinics and StemExpress existed, the agreements were not compliant with HIPAA Rules. The report says the agreements instructed StemExpress to “treat the information obtained from patients’ charts in order to preserve the confidentiality of the patients,” but that this “cannot trump a law prohibiting the Planned Parenthood abortion clinics from permitting these disclosures in the first place.”

The Select Investigative Panel’s report says “The Panel’s work has revealed that this corruption extends to the method of obtaining consent from the patient, which is both deceptive and unlawful.”

Recommendations for the Department of Health and Human Services

The panel has made numerous recommendations, including a request that Planned Parenthood is stripped of all federal funding, including reimbursements for Medicaid services. Instead those funds should be made available to healthcare providers that “provide comprehensive preventive healthcare for their patients, and that do not perform abortions,” except in the case of rape or incest or when abortions are required to prevent women from being placed in danger of death.

The potential HIPAA violations have been referred to the Department of Health and Human Services and the Select Investigative Panel has recommended that HHS conducts “greater oversight over misleading consent forms, IRBs, HIPAA violations, and abortion provider competence to care for infants born alive during abortion procedures.”

The sale of fetal tissue by abortion clinics has been condemned by many pro-life groups. Kristan Hawkins, president of Students for Life of America (SFLA), said “It is our deepest hope that Planned Parenthood, StemExpress, their business partners, and these late-term abortionists be brought to swift justice by the immediate investigation and prosecution of the U.S. Department of Justice and various state Attorneys General to whom charges were referred.”

The Select Investigative Panel report can be downloaded on this link.

The post Fetal Tissue Firms Guilty of Systemic HIPAA Violations appeared first on HIPAA Journal.

Patients Holding Back Health Information Over Fears of Data Privacy

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers.

However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited.

Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider.

Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data.

Important Medical Information is Being Withheld by Patients

The extent to which patients are withholding information has recently been highlighted by a Black Book survey. Between September and December 2016, Black Book conducted a national poll of 12,090 adult consumers to assess patients’ confidence in health IT and the extent to which they have been willing to share their health information.

The results of the survey clearly show that patients are extremely concerned about the privacy of their data and believe that sensitive health information is being shared without their knowledge. There are also serious concerns about healthcare organizations’ abilities to protect health information and ensure that it remains private.

For the Black Book survey, consumers were asked about the contact they had had with technology used by their physician, hospital, and other healthcare organizations over the past 12 months, including mobile apps, patient portals, and electronic health records.

57% of respondents who had experience of these health technologies said they were concerned about the privacy protections put in place and whether their data could be kept private.

87% of Patients Unwilling to Share their Full Medical Histories

Consumer confidence in the privacy and security measures put in place by healthcare providers appears to be at an all-time low. In the last quarter of 2016, Black Book reports that 87% of patients were unwilling to comprehensively share all of their health information with their providers. 89% of consumers who had visited a healthcare provider in 2016 said they had withheld some information during their visits.

While certain types of information are openly shared, healthcare patients are particularly concerned about sharing highly sensitive data. Many feel that those data are being shared without their knowledge.

90% of respondents said they were concerned about details of their pharmacy prescriptions being shared beyond their chosen provider and payer, and that information was being shared with the government, retailers, and employers. 81% were concerned that information about chronic conditions was being shared without their knowledge, and 99% were concerned about the sharing of mental health notes. 93% of respondents said they were concerned about their personal financial information being shared.

According to Black Book Managing Partner Doug Brown, “Incomplete medical histories and undisclosed conditions, treatment or medications raises obvious concerns on the reliability and usefulness of patient health data in application of risk based analytics, care plans, modeling, payment reforms, and population health programming.” In a statement issued about the findings of the survey he said, “This revelation should force cybersecurity solutions to the top of the technology priorities in 2017 to achieve tangible trust in big data dependability.”

Providers’ Expertise with Technology Inspires Trust

Providers can do more to improve patients’ confidence in technology by demonstrating that they know how to use it. Patients do not appear to have an issue with the technology itself. Only 5% of respondents said they mistrusted the technology. However, 69% of respondents said their current primary care physician did not display enough technology prowess for them to be able to trust that individual with all of their data. 84% of respondents said their level of trust in their provider was influenced by how that provider used technology.

Patients are also having trouble using technology. 96% of consumers said they had left physicians’ offices “with poorly communicated or miscommunicated instructions on patient portal use,” and 83% reported having difficulty using the portal at home. Only 40% of patients said they had tried to use the portal in their physician’s office.

The survey also revealed that patients believe the data they collect via personal wearable devices are important. 91% of consumers said their physician practice’s medical record system should store any health-related data they request. However, most physicians do not want access to so much information. 94% of physicians who responded to this section of the survey said much of the personally collected health information is redundant and would be unlikely to make a clinical difference. Furthermore, so much information is now being collected that physicians are becoming overwhelmed by data.

The post Patients Holding Back Health Information Over Fears of Data Privacy appeared first on HIPAA Journal.

Massachusetts Data Breach Notification Archive Now Available Online

The Office of Consumer Affairs and Business Regulation of the state of Massachusetts has taken a major step toward improving transparency by making its data breach notification archive available to the public. Previously, members of the public were permitted to view the breach reports, but only by submitting a public records request. Now all breach notifications made to the state’s Office of Consumer Affairs and Business Regulation can be viewed online.

The Massachusetts Data Breach Notification Archive can be viewed and downloaded in PDF form. Each identity theft report details the date the incident was reported, the organization affected, the breach type, the number of residents impacted, the types of sensitive data exposed (SSNs, driver’s license numbers, financial information, credit/debit card numbers), and whether credit monitoring services have been offered to breach victims. The reports cover breaches of both physical records and electronic personal information dating back to 2007. The report for 2016 currently includes 1,865 breach summaries.

State law (Chapter 93H) requires all entities that maintain a record of any personal information of residents of the state of Massachusetts to issue breach notifications to individuals if their personal information is “acquired or used by an unauthorized person or for an unauthorized purpose.” Breaches of encrypted data are not reportable unless a key to unlock the data is also compromised. Breaches must also be reported to the state attorney general and the Office of Consumer Affairs and Business Regulation.

State law covers accidental and deliberate breaches including, but not limited to, loss and theft of electronic data or papers, hacking incidents, insider errors, and unintentional data leakage.

In the state of Massachusetts, personal information is classed as a state resident’s first and last name or initial and last name in combination with any of the following data elements:

  • Social Security number
  • Driver’s license number
  • State-issued ID number
  • Financial account number
  • Credit or debit card number (with or without a CVV/CVC code)
  • Personal ID number and/or password that would allow a financial account to be accessed

Breach notifications are not required if data elements are lawfully obtained from publicly available information or federal, state, or local records that are available to the general public.

Breaches of medical information are not included in the state’s definition of personal information, as is the case in a number of other states, although such information is covered under HIPAA Rules, and HIPAA-covered entities would still need to issue breach notification letters to affected individuals.

State public records law was updated in June last year, although the records have only just been made public. Consumer Affairs Undersecretary John Chapman issued a statement on January 3 explaining the move: “The Data Breach Notification Archive is a public record that the public and media have every right to view.” He went on to say, “Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”

The post Massachusetts Data Breach Notification Archive Now Available Online appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2016

2016 was a particularly bad year for healthcare data breaches. While the number of records exposed was nowhere near the level of 2015 – 15,936,849 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan member records exposed in a single year.

As 2017 begins, there have been 313 reported breaches of more than 500 records that have been uploaded to the OCR breach portal.

2016 Healthcare Data Breaches of 500 or More Records

| Year | Number of Breaches | Number of Records Exposed |
|------|--------------------|---------------------------|
| 2016 | 313 | 15,936,849 |
| 2015 | 270 | 113,267,174 |
| 2014 | 307 | 12,737,973 |
| 2013 | 274 | 6,950,118 |
| 2012 | 209 | 2,808,042 |
| 2011 | 196 | 13,150,298 |
| 2010 | 198 | 5,534,276 |
| 2009 | 18 | 134,773 |
| Total | 1,785 | 170,519,503 |

While the above figures appear to suggest a significant reduction in large healthcare data breaches year on year, the figures are somewhat misleading.

In 2015 there were three massive data breaches reported by covered entities: Anthem Inc., Premera Blue Cross, and Excellus Health Plan. Those three cyberattacks resulted in the theft of 78.8 million records, 11 million, and 10 million records respectively.

More records may have been exposed in 2015 as a result of those major cyberattacks, although in each size category, 2016 ranked worse than 2015. Many healthcare organizations will be happy to put 2016 behind them.

2016 Healthcare Data Breaches by Size

| Year | 500 to 1,000 Records | 1,000 to 10,000 Records | 10,000 to 100,000 Records | 100,001+ Records |
|------|----------------------|-------------------------|---------------------------|------------------|
| 2016 | 13 | 62 | 151 | 86 |
| 2015 | 12 | 37 | 142 | 76 |

Aside from one major breach at a business associate, all of the largest healthcare data breaches of 2016 – those that resulted in the exposure or theft of more than 100,000 healthcare records – affected healthcare providers. The largest data breach experienced by a health plan was the 91,187-record breach reported by Washington State Health Care Authority in September.

Largest Healthcare Data Breaches of 2016

| Rank | Covered Entity | Entity Type | Cause of Breach | Records Exposed |
|------|----------------|-------------|-----------------|-----------------|
| 1 | Banner Health | Healthcare Provider | Hacking/IT Incident | 3,620,000 |
| 2 | Newkirk Products, Inc. | Business Associate | Hacking/IT Incident | 3,466,120 |
| 3 | 21st Century Oncology | Healthcare Provider | Hacking/IT Incident | 2,213,597 |
| 4 | Valley Anesthesiology Consultants | Healthcare Provider | Hacking/IT Incident | 882,590 |
| 5 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | Hacking/IT Incident | 749,017 |
| 6 | Bon Secours Health System Incorporated | Healthcare Provider | Unauthorized Access/Disclosure | 651,971 |
| 7 | Peachtree Orthopaedic Clinic | Healthcare Provider | Hacking/IT Incident | 531,000 |
| 8 | Radiology Regional Center, PA | Healthcare Provider | Loss | 483,063 |
| 9 | California Correctional Health Care Services | Healthcare Provider | Theft | 400,000 |
| 10 | Central Ohio Urology Group, Inc. | Healthcare Provider | Hacking/IT Incident | 300,000 |
| 11 | Premier Healthcare, LLC | Healthcare Provider | Theft | 205,748 |
| 12 | Athens Orthopedic Clinic, P.A. | Healthcare Provider | Unauthorized Access/Disclosure | 201,000 |
| 13 | Community Mercy Health Partners | Healthcare Provider | Improper Disposal | 113,528 |

Main Causes of Healthcare Data Breaches in 2016

Insider breaches continue to plague the healthcare industry in the United States. As in 2015, the main cause of healthcare data breaches in 2016 was unauthorized access/disclosure. Hacking incidents on the scale of those at Anthem, Premera, and Excellus were not repeated in 2016, but 2016 saw a major increase in healthcare hacks.

The loss and theft of unencrypted devices used to store PHI fell considerably year on year, although the use of data encryption technology could have prevented all 76 of those data breaches and the exposure of 1,459,816 healthcare records.

| Main Cause of Breach | 2016 | 2015 |
|----------------------|------|------|
| Unauthorized Access/Disclosure | 127 | 102 |
| Hacking/IT Incident | 102 | 57 |
| Theft | 60 | 81 |
| Loss | 16 | 23 |
| Improper Disposal | 7 | 6 |

2016 Healthcare Data Breaches by Covered Entity

Healthcare data breaches in 2016 followed a similar pattern to 2015, with healthcare providers the main entities breached, although the percentage of breaches affecting health plans was significantly lower in 2015. Data breaches at business associates remained at the same level year on year.

| Breached Entity | 2016 | 2015 |
|-----------------|------|------|
| Healthcare Provider | 247 | 196 |
| Health Plan | 46 | 62 |
| Business Associate | 19 | 19 |

Data Source: Department of Health and Human Services’ Office for Civil Rights

The post Largest Healthcare Data Breaches of 2016 appeared first on HIPAA Journal.