Latest HIPAA News

August 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates in August. August’s reported data breaches takes the total number of healthcare data breaches in the past 12 months to 707 (Sep 2020 to August 2021), with 440 of those data breaches reported in 2021.

Healthcare data breaches in the past 12 months

While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined.

healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in August 2021

Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks reported in August have resulted in appointments being postponed and have seen patients redirected to alternative facilities out of safety concerns.

It is now the norm for hackers to exfiltrate sensitive data prior to the use of ransomware and then demand payment for the keys to decrypt data and to prevent stolen data from being published or sold. While some major ransomware operations such as Sodinokibi/REvil and DarkSide appear to have been shutdown, several other operations have taken their place. The Vice Society and Hive ransomware gangs have been targeting the healthcare sector, and this month the Health Sector Cybersecurity Coordination Center (HC3) issued a warning to the health and public health sector about an increased risk of BlackMatter ransomware attacks. Fortunately, this month, past victims of Sodinokibi/REvil ransomware have been given the opportunity to recover encrypted data for free. Bitdefender released a free Sodinokibi/REvil decryptor last week.

In August there were three major ransomware attacks reported by healthcare providers that involved huge amounts of patient data. DuPage Medical Group suffered a ransomware attack in which the protected health information (PHI) of 655,384 patients may have been compromised, while the attack on University Medical Center Southern Nevada affected 1.3 million patients and the St. Joseph’s/Candler Health System attack involved the PHI of 1.4 million patients. Class action lawsuits have already been filed against DuPage Medical Group and St. Joseph’s/Candler Health System on behalf of patients affected by those attacks.

Listed below are the 20 data breaches reported in August that involved the PHI of 10,000 or more individuals. The majority of these data breaches involved ransomware or data stored in compromised email accounts.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Cause
St. Joseph’s/Candler Health System, Inc. Healthcare Provider 1,400,000 Hacking/IT Incident Ransomware attack
University Medical Center Southern Nevada Healthcare Provider 1,300,000 Hacking/IT Incident Ransomware attack
DuPage Medical Group, Ltd. Healthcare Provider 655,384 Hacking/IT Incident Ransomware attack
UNM Health Healthcare Provider 637,252 Hacking/IT Incident Unspecified hacking incident
Denton County, Texas Healthcare Provider 326,417 Unauthorized Access/Disclosure Online exposure of COVID-19 vaccination data
Metro Infectious Disease Consultants Healthcare Provider 171,740 Hacking/IT Incident Email accounts compromised
LifeLong Medical Care Healthcare Provider 115,448 Hacking/IT Incident Ransomware attack (Netgain Technologies)
CareATC, Inc. Healthcare Provider 98,774 Hacking/IT Incident Email accounts compromised
San Andreas Regional Center Business Associate 57,244 Hacking/IT Incident Ransomware attack
CarePointe ENT Healthcare Provider 48,742 Hacking/IT Incident Ransomware attack
South Florida Community Care Network LLC d/b/a Community Care Plan Health Plan 48,344 Unauthorized Access/Disclosure PHI emailed to a personal email account
Electromed Healthcare Provider 47,200 Hacking/IT Incident Unspecified hacking incident
Queen Creek Medical Center d/b/a Desert Wells Family Medicine Healthcare Provider 35,000 Hacking/IT Incident Ransomware attack
The Wedge Medical Center Healthcare Provider 29,000 Hacking/IT Incident Unspecified hacking incident
Gregory P. Vannucci DDS Healthcare Provider 26,144 Hacking/IT Incident Unspecified hacking incident
Texoma Community Center Healthcare Provider 24,030 Hacking/IT Incident Email accounts compromised
Family Medical Center of Michigan Healthcare Provider 21,988 Hacking/IT Incident Ransomware attack
Central Utah Clinic, P.C. dba Revere Health Healthcare Provider 12,433 Hacking/IT Incident Email accounts compromised (Phishing)
Hospice of the Piedmont Healthcare Provider 10,682 Hacking/IT Incident Email accounts compromised
Long Island Jewish Forest Hills Hospital Healthcare Provider 10,333 Unauthorized Access/Disclosure Unauthorized medical record access by employee

Causes of August 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, accounting for 81.6% of the month’s data breaches and 92.3% of breached healthcare records. There were 31 security breaches classed as hacking/IT incidents involving 4,727,350 healthcare records. The mean breach size was 152,495 records and the median breach size was 12,433 records. The majority of these incidents involved ransomware, malware, or compromised email accounts.

Causes of Healthcare Data Breaches Reported in August 2021

There were 7 incidents classed as unauthorized access/disclosure incidents. Those incidents involved 392,939 healthcare records. The mean breach size was 56,134 records and the median breach size was 4,117 records. There were no reported breaches involving lost or stolen devices or paper records and no reported improper disposal incidents.

Location of breached PHI in August 2021 healthcare data breaches

Healthcare Data Breaches by State

August’s 38 healthcare data breaches were reported by entities in 24 U.S. states. Texas was the worst affected state with 4 reported breaches, followed by Arizona and Illinois with three reported breaches each.

State Number of Reported Data Breaches
Texas 4
Arizona & Illinois 3
California, Georgia, Michigan, Minnesota, New Hampshire, Oklahoma, & Virginia 2
Alabama, Delaware, Florida, Iowa, Indiana, Massachusetts, Nevada, New Mexico, New York, Pennsylvania, Tennessee, Utah, West Virginia, & Wisconsin 1

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 30 data breaches reported, 4 of which occurred at business associates but were reported by the healthcare provider. 4 data breaches were reported by health plans, and business associates self-reported 4 breaches.

August 2021 healthcare data breaches by covered entity type

HIPAA Enforcement Activity in August 2021

The HHS’ Office for Civil Rights (OCR) did not announce any new HIPAA penalties in August and there were no HIPAA enforcement actions announced by state attorneys general. So far in 2021 there have been 8 financial penalties imposed on HIPAA-covered entities and business associates by OCR, and one multi-state action by state attorneys general.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on September 20, 2021

 

The post August 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

FTC Tells Developers of Health Apps and Wearable Devices to Notify Individuals About Data Breaches

Posted by HIPAA Journal

Developers of health apps and wearable devices such as fitness trackers that collect health data have been warned by the Federal Trade Commission (FTC) that they are required to comply with the FTC Health Breach Notification Rule and must notify consumers about data breaches.

The FTC Health Breach Notification Rule was introduced in 2009 as part of the American Recovery and Reinvestment Act of 2009, and requires individuals to be notified if there is a breach of their health data. The Health Breach Notification Rule applies to vendors of personal health records and associated companies, but in a policy statement issued on September 16, 2021, the FTC said health apps and other connected devices that collect or use the health information of U.S. consumers are also covered by Rule. The policy statement was approved during an open meeting on Wednesday by a vote of 3-2.

The FTC Health Breach Notification Rule applies to health apps and wearable devices that collect health information from a consumer and can draw information from multiple sources, such as through an API that allows synching with a device such as a fitness tracker. Compliance will be enforced by the FTC, which has the authority to impose financial penalties. Those penalties can be as high as $43,792 for each day that notifications have not been issued.

Health apps can collect a wide range of sensitive personal and health data, either by directly recording the information through paired sensors, or by individuals entering the data into the apps manually. Health apps have been growing in popularity and usage has increased during the pandemic. Given the wide range of sensitive data stored by the apps, they are an attractive target for cybercriminals.

“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” said the FTC in the policy statement.

A lot of the data collected by health apps would be considered protected health information if collected by a healthcare provider, which would mean the information would be subject to the restrictions on uses and disclosures stipulated by the HIPAA Privacy Rule. Safeguards would need to be implemented to secure the data, in accordance with the HIPAA Security Rule, and a breach of health data would require notifications per the HIPAA Breach Notification Rule. However, unless a health app is developed for use by a HIPAA-covered entity, it falls outside of HIPAA protections.

Health apps often have security features to protect the privacy of users, but they are often limited. There have been calls for HIPAA to be extended to cover health app developers to improve privacy protections for users, or to implement new legislation covering these apps that requires certain standards of privacy and security to be adopted.

The FTC policy statement will at least help to ensure that users of health apps and wearable devices will be notified should a data breach occur, which will allow them to take steps to protect their identities and prevent fraud.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

The post FTC Tells Developers of Health Apps and Wearable Devices to Notify Individuals About Data Breaches appeared first on HIPAA Journal.

Health and Public Health Sector Warn of Elevated Risk of BlackMatter Ransomware Attack

Posted by HIPAA Journal

The health and public health sector is facing an elevated risk of ransomware attacks by affiliates of the BlackMatter ransomware-as-a-service (RaaS) operation, according to the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services.

The BlackMatter threat group emerged in July 2021 shortly after the DarkSide and Sodinokibli/REvil ransomware gangs shut down their operations. The Russian speaking threat group is believed to originate in Eastern Europe and has conducted many attacks over the past couple of months in Brazil, Chile, India, Thailand, and the United States. The group also started leaking data stolen in attacks on its data leak site on August 11, 2021.

The threat group has mostly conducted ransomware attacks on companies in the real estate, food and beverage, architecture, IT, financial services, and education sectors, and while the ransomware gang has publicly stated it would not attack hospitals, critical infrastructure companies, nonprofits, government, and defense contractors, there is concern that attacks may still occur.

The threat group said in its sales pitch for affiliates that its ransomware incorporates the best features of the DarkSide, Lockbit 2.0 and Sodinokibi/REvil ransomware variants, and a technical analysis of the ransomware found several similarities between both DarkSide and Sodinokibi/REvil ransomware variants suggesting the gang has links with those operations.

BlackMatter said its affiliates are not permitted to attack hospitals, and should any hospital or nonprofit company be attacked, they can make contact and request free decryption. The threat group also said “We will not allow our project to be used to encrypt critical infrastructure that will attract unwanted attention to us.” There is of course no guarantee that an attack would not still occur nor that a free decryptor would be provided. As HC3 warmed, “these details are what BlackMatter claims to be, and may not be accurate,” and the DarkSide and Sodinokibi/REvil ransomware variants have both been used in attacks on the health and public health sector.

The threat group is actively seeking initial access brokers (IABs) that can provide access to corporate networks, as well as affiliates to conduct attacks. IABs often sell compromised RDP credentials, VPN login credentials, and web shells, which provide ransomware gangs with the access they need to conduct attacks.

According to HC3, there have been “at least 65 instances of threat actors selling network access to healthcare entities on hacking forums in the past year.” An analysis of 1,000 forum posts selling network access in the past 12 months found the United States was the worst affected country, and 4% of breached entities were in the healthcare industry.

BlackMatter is used in attacks on Windows and Linux systems, encrypts files using Salsa20 and 1024-bit RSA, and attempts to mount and encrypt unmounted partitions. The ransomware encrypts files stored locally, on removable media, and on network shares, and deletes shadow copies to prevent recovery without paying the ransom. Files are also exfiltrated prior to encryption and stolen data have been published on the gang’s leak site to encourage payment of the ransom.

Even if free decryptors are provided, the cost of remediating attack is likely to be significant. It is therefore important for the health and public health sector to take steps to improve defenses to make BlackMatter and other ransomware attacks more difficult.

In the threat brief, HC3 provides cybersecurity best practices that should be adopted to mitigate the BlackMatter threat, which include maintaining offline encrypted backups, regularly testing backups to ensure file recovery is possible, creating, maintaining, and exercising a basic cyber incident response plan and communications plan.

The sector has also been advised to mitigate Internet-facing vulnerabilities and misconfigurations, patch promptly, and conduct regular security awareness training for the workforce and to implement defenses such as spam filters to combat email phishing and social engineering attacks.

The post Health and Public Health Sector Warn of Elevated Risk of BlackMatter Ransomware Attack appeared first on HIPAA Journal.

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year.

The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making the maximum time for providing records 60 days from the date the written request for access is received.

When individuals feel their HIPAA rights have been violated, they cannot take legal action against a HIPAA-covered entity for a HIPAA violation, but they can file a complaint with OCR. In this case, OCR received a complaint from a parent who alleged CHMC had not provided her with timely access to her minor daughter’s medical records.

CHMC received the parent’s request and provided some of her with some of her daughter’s medical records but did not provide all the requested information. The parent also made several follow-up requests to CHMC. OCR investigated and confirmed the parent requested a copy of her late daughter’s medical records in writing on January 3, 2020. Some of the requested records were provided; however, the remainder of the records needed to be obtained from a different CHMC division. Some of the remaining records were provided on June 20, 2020, with the rest provided on July 16, 2020. OCR determined this was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b).

In addition to the financial penalty, CHMC must review and update its policies and procedures related to the HIPAA Right of Access, provide the policies to OCR for assessment, and distribute the approved policies to the workforce and ensure training is provided.

“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative,” said Acting OCR Director Robinsue Frohboese. “OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”

The post OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative appeared first on HIPAA Journal.

FBI & CISA Warn of Increased Risk of Ransomware Attacks over Labor Day Weekend

Posted by HIPAA Journal

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning to all public and private sector organizations about the increased risk of ransomware attacks at times when offices are normally closed, such as long holiday weekends.

While many employees will be having a long weekend due to Labor Day, this is a time when threat actors are usually highly active. The low staff numbers during holidays and weekends make it less likely that their attacks will be detected and blocked. The CISA and the FBI explained in the warning that they have observed an increase in “highly impactful ransomware attacks occurring on holidays and weekends,” and provided multiple examples of threat actors conducting attacks over holiday weekends in the United States in 2021.

Most recently, the Sodinokibi/REvil ransomware actors conducted an attack on the Kaseya remote monitoring and management tool over the Fourth of July 2021 holiday weekend. The attack affected hundreds of organizations including many managed service providers and their downstream customers.

In May 2021, during the Memorial Day weekend, the same threat actors conducted a ransomware attack on JBS Foods, which affected the company’s food production facilities in the United States, causing all production to stop. JBS Foods paid the $11 million ransom for the keys to decrypt files and prevent the release of data stolen in the attack.

Prior to that, over the Mother’s Day weekend in May, the DarkSide ransomware gang conducted its attack on Colonial Pipeline, which resulted in the fuel pipeline serving the Eastern Seaboard being shut down for a week. Colonial Pipeline paid a $4.4 million ransom payment to accelerate recovery from the attack.

The ransomware threat actors behind the cyberattacks on Kaseya, Colonial Pipeline, and JBS Foods have shut down their operations, but threat actors rarely remain inactive for long. It is common for them to remerge with a new ransomware operation after a period of apparent dormancy. There are also many other ransomware threat actors that are currently highly active that may try to take advantage of the absence of key staff over the holiday weekend.

The ransomware actors behind the Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos ransomware variants have all been active over the course of the past month and attacks involving those ransomware variants have frequently been reported to the FBI over the past 4 weeks.

While neither CISA nor the FBI have discovered any specific threat intelligence to indicate a ransomware or other cyberattack will occur over the Labor Day weekend, based on the attack trends so far this year, there is an increased risk of a major cyberattack occurring.

Consequently, the FBI and CISA are advising security teams to be especially vigilant in the run up to the Labor Day weekend, and to ensure that they are diligent in their network defense practices, engage in preemptive threat hunting on their networks, follow recommended cybersecurity and ransomware best practices, and implement the recommended mitigations to reduce the risk of ransomware and other cyberattacks.

Those mitigations include:

  • Make an offline backup copy of data and testing backups to ensure data recovery is possible
  • Not clicking on suspicious links in emails
  • Secure and monitor RDP connections
  • Update operating systems and software and scan for vulnerabilities
  • Ensure strong passwords are set
  • Ensure multi-factor authentication is implemented
  • Secure networks by implementing segmentation, filtering traffic, and scanning ports
  • Secure user accounts
  • Ensure an incident response plan is developed

Recommended best practices, mitigations, and resources are detailed in the alert, which can be found on this link.

The post FBI & CISA Warn of Increased Risk of Ransomware Attacks over Labor Day Weekend appeared first on HIPAA Journal.

Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals

Posted by HIPAA Journal

A new analysis of breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights has revealed outpatient facilities and specialty clinics have been targeted by cyber threat actors more frequently than hospital systems in the first 6 months of 2021.

Researchers at Critical Insight explained in their 2021 Healthcare Data Breach Report that cybercriminals have changed their targets within the healthcare ecosystem and are now focusing on outpatient facilities and business associates more often than hospitals and health insurers.

While large health systems are naturally attractive targets for cybercriminals, smaller healthcare organizations tend to have weaker security defenses and can be attacked more easily and are low hanging fruit for hackers. The potential profits from the attacks may be lower, but so too is the effort to gain access to their networks and sensitive data.

“It is no secret as to why hackers are showing interest. Electronic protected health information (ePHI) is worth more than a credit card number or social security number. Scammers can monetize it in a myriad of ways, from selling it on the dark web to filing fraudulent insurance claims,” explained the researchers in the report. “It does not help that many health organizations use devices that run on operating systems that are out-of-date, and many devices were not designed with cybersecurity in mind.”

The researchers confirmed healthcare data breaches are now occurring at almost twice the level of 2018, with data breaches attributed to hacking and IT incidents occurring at almost three times the level of the first half of 2018. In the first half of 2021, 70% of all healthcare data breaches of 500 or more records that were reported to the HHS’ Office for Civil Rights were hacking/IT incidents.

There has been a slight decline in the number of reported data breaches from the last 6 months of 2020, but that does not indicate cyberattacks are falling, as in the last half of 2020 the breach reports submitted to the HHS’ Office for Civil Rights included many breach notices submitted by organizations affected by the data breach at business associate Blackbaud. The number of reported breaches in the first half of 2021 is higher than the first 6 months of last year, and it looks like the trend for increasing numbers of data breaches being reported every year looks set to continue.

There has been a major increase in the number of cyberattacks on business associates of HIPAA covered entities, which now account for 43% of all reported healthcare data breaches. In the first 6 months of 2021, there were 141 data breaches reported by business associates of HIPAA-covered entities. By comparison, there were only 66 data breaches reported by business associates in the last 6 months of 2019. “As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain,” explained the researchers.

Cybercriminals are unlikely to stop attaching healthcare organizations as the attacks are profitable. It is up to healthcare organizations and their business associates to improve their defenses against cyber actors. The Critical Insight researchers have made several recommendations, including assessing third party risk more accurately, regularly reviewing business associate agreements and ensuring they clearly define roles and responsibilities, implementing more comprehensive protections against ransomware and phishing attacks, strengthening access controls, and practicing basic security hygiene.

The post Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals appeared first on HIPAA Journal.

Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps

Posted by HIPAA Journal

Researchers at McAfee Advanced Threat Research (ATR), in conjunction with the medical device cybersecurity firm Culinda, have identified 5 previously unreported vulnerabilities in two widely used models of B. Braun drug infusion pumps.

The devices are used globally in hospitals to treat adult and pediatric patients and automate the delivery of medications and nutrients to patients. They are especially useful for ensuring controlled delivery of critical medication doses.

The flaws in the B. Braun infusion pumps could be exploited by an unauthenticated attacker to change the configuration of the infusion pumps while they are in standby mode, which could result in an unexpected dose of medication being delivered the next time the device is used, potentially causing harm to a patient.

McAfee alerted B.Braun to the vulnerabilities in the B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation on January 11, 2021, and recommended safeguards that should be implemented to prevent the flaws being exploited. In May 2021, B.Braun published information for customers and notified the Health Information Sharing & Analysis Center (H-ISAC) about the flaws and recommended mitigations. The flaws affect infusion pumps running older versions of B.Braun software; however, the researchers explained that “vulnerable versions of software are still widely deployed across medical facilities and remain at risk of exploitation.”

Safeguards have been incorporated into the infusion pumps to prevent attackers from changing doses while the pumps are operational, so it would not be possible for an attacker to change doses as they are being administered. The vulnerabilities can however be exploited while the pumps are idle or on standby, so changes could be made to the function of the devices between infusions.

There have been no reported cases of the vulnerabilities in these or other drug infusion pumps being exploited in the wild, but this is a credible attack scenario and one that could easily be exploited to cause harm to patients. The latest version of B.Braun software blocks the initial network vector of the attack chain, but the flaws have not been totally addressed. An attacker could find another way to gain access to the network to which the devices connect and exploit the flaws. Given the number of ransomware attacks that have been reported in recent months, gaining access to healthcare networks is not proving to be a major challenge for many threat actors.

“Until a comprehensive suite of patches is produced and effectively adopted by B. Braun customers, we recommend medical facilities actively monitor these threats with special attention, and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in their coordinated vulnerability disclosure documentation,” suggested the researchers.

The researchers believe that many other medical devices could have vulnerabilities that could be exploited to cause harm to patients. Medical devices are designed primary to ensure patient safety, and safeguards are implemented to ensure patient safety is not put at risk; however, it is common for cybersecurity protections to be given less consideration during the design stage. Further, when security flaws are discovered in medical devices, patching is costly. The devices are tightly controlled, so it is not just a case of releasing a patch or automatically updating the devices as would occur with an Internet browser for instance. Patches need to be thoroughly tested, the devices must be taken out of action while updates are applied, and the patches and updates need to be thoroughly tested. It is for this reason that many devices still use legacy versions of software and firmware.

“For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attacks and malicious actors will look for other lower-hanging fruits,” explained the researchers. “Given the lifespan of medical devices and the difficulties surrounding their updates, it is important to start planning now for tomorrow’s threats. We hope this research will help bring awareness to an area that has been a blind spot for far too long.”

The post Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps appeared first on HIPAA Journal.

July 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day.

Healthcare data Breaches Past 12 months (Aug 20-July21)

The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records.

Healthcare records breached Aug20 to July 21

Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month!

Largest Healthcare Data Breaches in July 2021

Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the Wisconsin healthcare provider Forefront Dermatology. The exact nature of the attack was not disclosed so it is unclear if ransomware was used. Hackers gained access to parts of its network that contained the protected health information of 2.4 million individuals. The second largest data breach was reported by Practicefirst, a New York business associate of multiple HIPAA-covered entities. Ransomware was used in the attack and the healthcare data of 1.2 million individuals was potentially exfiltrated.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause Business Associate Present
Forefront Dermatology, S.C. Healthcare Provider 2,413,553 Hacking/IT Incident Unspecified hacking incident Yes
Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions/PBS Medcode Corp Business Associate 1,210,688 Hacking/IT Incident Ransomware attack Yes
UF Health Central Florida Healthcare Provider 700,981 Hacking/IT Incident Ransomware attack No
Orlando Family Physicians, LLC Healthcare Provider 447,426 Hacking/IT Incident Phishing attack No
HealthReach Community Health Centers Healthcare Provider 122,340 Improper Disposal Improper disposal of electronic medical records No
Guidehouse Business Associate 84,220 Hacking/IT Incident Ransomware attack (Accellion FTA) Yes
Advocate Aurora Health Healthcare Provider 68,707 Hacking/IT Incident Ransomware attack (Elekta) Yes
McLaren Health Care Corporation Healthcare Provider 64,600 Hacking/IT Incident Ransomware attack (Elekta) Yes
Coastal Family Health Center, Inc Healthcare Provider 62,342 Hacking/IT Incident Ransomware attack No
Florida Heart Associates Healthcare Provider 45,148 Hacking/IT Incident Ransomware attack No
A2Z Diagnostics, LLC Healthcare Provider 35,587 Hacking/IT Incident Phishing attack No
University of Maryland, Baltimore Business Associate 30,468 Hacking/IT Incident Unspecified hacking incident Yes
Florida Blue Health Plan 30,063 Hacking/IT Incident Brute force attack (Member portal) No
Intermountain Healthcare Healthcare Provider 28,628 Hacking/IT Incident Ransomware attack (Elekta) Yes

Causes of July 2021 Healthcare Data Breaches

As the table above shows, ransomware continues to be extensively used in cyberattacks on healthcare organizations and their business associates. Those attacks can easily result in the theft of large amounts of healthcare data. The majority of ransomware gangs (and their RaaS affiliates) are now exfiltrating sensitive data prior to using ransomware to encrypt files. Victims are required to pay to prevent the publication or sale of the stolen data as well as a payment to obtain the keys to decrypt files.

To help combat this rise in double extortion ransomware attacks, new guidance has been released by the Cybersecurity and Infrastructure Security Agency. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer networks, with the emphasis now shifting away from perimeter defenses to assuming attackers have already gained access to the network. Mechanisms therefore need to be implemented to reduce the harm that can be caused.

Causes of July 2021 Healthcare Data Breaches

Hacking/IT incidents, of which ransomware accounts for a many, dominate the month’s breach reports. There were 52 reported hacking/IT incidents in which the protected health information of 5,393,331 individuals was potentially compromised. That’s 96.82% of all records breached in July. The mean breach size was 103,718 records and the median breach size was 4,185 records.

There were 13 reported unauthorized access/disclosure incidents, which include misdirected emails, mailing errors, and snooping by healthcare employees. 52,676 healthcare records were impermissibly viewed or disclosed to unauthorized individuals across those incidents. The mean breach size was 4,052 records and the median breach size was 1,038 records. There were two theft incidents reported involving a total of 2,275 records and one improper disposal incident involving 122,340 electronic health records.

The vast majority of incidents involved the hacking of network servers; however, email accounts continue to be compromised at high rates. 21 breaches involved protected health information stored in email accounts. The majority of the email incidents involved the theft of employee credentials in phishing attacks.

Location of breached protected health information (July 2021)

Data Breaches by Covered Entity Type

Healthcare providers reported 47 data breaches in July, with 11 breaches reported by business associates and 10 breaches reported by health plans; however, the reporting entity is not the best gauge of where these breaches occurred. In many cases, the breach was experienced at a business associate, but was reported by the covered entity.

When this is taken into account, the figures show that healthcare provider and business associate data breaches are on a par, with 30 breaches each for July 2021, as shown in the pie chart below.

July 2021 healthcare data breaches by covered entity type

July 2021 Healthcare Data Breaches by State

July saw healthcare data breaches reported by HIPAA-covered entities and business associates based in 32 states and the District of Columbia.

State Number of Reported Healthcare Data Breaches
Florida 6
California, New York & Texas 5
Illinois & North Carolina 4
Connecticut, Minnesota, Nebraska & New Jersey 3
Mississippi, Oklahoma, Washington & Wisconsin 2
Alabama, Georgia, Iowa, Indiana, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Ohio, Pennsylvania, South Carolina, Utah, Virginia, West Virginia & the District of Columbia 1

HIPAA Enforcement Activity in July 2021

The HHS’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance, did not announce any new enforcement actions against HIPAA-covered entities or business associates in July, nor were there any enforcement actions announced by state Attorneys General.

The OCR year-to-date total still stands at 8 financial penalties totaling $5,570,100, with just the one financial penalty imposed by state attorneys general – A multi-state action that saw American Medical Collection Agency (AMCA) fined $21 million.

Data for this report came from the HHS’ Office for Civil Rights breach portal.

The post July 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA?

It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today.

It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially initially due to the considerable administrative burden it placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives.

The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes that have helped to reduce waste and healthcare fraud. The improvements have generally been made for relatively little cost.

HIPAA certainly has its strengths, but there are also limitations that have become increasingly apparent in recent years and even now, 25 years after the legislation was first introduced, there is still confusion about what compliance entails.

In this article we will explore the strengths and limitations of HIPAA, assess how effective HIPAA has been, and will explore the future of HIPAA and what can be expected in terms of updates to the legislation. First, however, it is useful to provide a brief recap of the history of HIPAA and how the legislation has evolved over the years.

A Brief History of HIPAA

HIPAA was initially introduced to improve the portability of health insurance coverage for employees between jobs, to combat waste, fraud and abuse in health insurance and healthcare delivery, to promote the use of medical savings accounts by introducing tax breaks, and to simplify the administration of health insurance. The legislation was later augmented with new Rules covering the privacy and security of healthcare data.

Initially, HIPAA only applied to a limited number of entities in the healthcare industry – healthcare providers, health plans, and healthcare clearinghouses, and only those that transmit healthcare data in electronic form for certain transactions for which the HHS maintains standards. The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the scope of HIPAA to cover business associates of HIPAA covered entities – third-party firms that require access to protected health information (PHI) to provide services or products to covered entities.

Important updates to HIPAA are detailed below:

  • HIPAA Signed into Law by President Bill Clinton – August 1996
  • Effective Date of the HIPAA Privacy Rule – April 2003
  • Effective Date of the HIPAA Security Rule – April 2005
  • Effective Date of the HIPAA Enforcement Rule – March 2006
  • Effective date of HITECH and the Breach Notification Rule – September 2009
  • Effective Date of the Final Omnibus Rule – March 2013

HIPAA’s Strengths and Weaknesses

There are many positives that have come from HIPAA, the best known of which are improving privacy protections for patients and improving the security of healthcare data. HIPAA limits the uses and disclosures of patient data to those related to treatment, payment, or healthcare operations and all covered entities and business associates must implement appropriate administrative, physical, and technical safeguards to ensure patient data are appropriately protected from internal and external threats.

Importantly, HIPAA gave individuals new rights with respect to their healthcare data. Prior to the introduction of the HIPAA Privacy Rule, patients were not even permitted to see their medical files. HIPAA gave individuals the right to obtain and inspect a copy of their healthcare data and request errors be corrected. HIPAA made sure patients are informed about how their healthcare data will be used and disclosed, gave patients the right to further limit disclosures of their health data, and also allowed them to view an “accounting of disclosures” to see who has been provided with their healthcare data.

HIPAA has improved the portability of health insurance for employees between jobs and has helped to prevent discrimination against people with pre-existing conditions when receiving health insurance coverage. Efficiency in healthcare has been improved by standardizing transactions through the use of standard code sets and has helped to significantly reduce waste and fraud in healthcare.

However, it has not all been plain sailing. One of the initial requirements of HIPAA was to create a national patient identifier system, but 25 years on and that requirement has still failed to be implemented. Without a national patient identifier system, it can be difficult identifying patients which can result in medical record mismatching. One ONC study in 2014 suggested between 50% and 60% of records are mismatched when shared between different healthcare providers.

Another weakness of HIPAA is its coverage of healthcare data, which is limited to healthcare data collected, held, processed, stored, or transmitted by HIPAA-covered entities and business associates. If a non-HIPAA-covered entity or non-business associate collects the exact same data, HIPAA protections do not apply.

The HIPAA Rules are not clear in places due to the flexibility built into the legislation, so there is potential for misinterpretation of the requirements and there is still confusion among some HIPAA covered entities and business associates when it comes to compliance.

One criticism often made by patients is the lack of a private cause of action. It is not possible to sue for a HIPAA violation, even if the HIPAA Rules have clearly been violated and harm has been suffered. Legal action can only be taken under state laws.

Has HIPAA Been Effective?

In the early years following the introduction of the HIPAA Privacy and Security Rules, questions were asked about how effective the legislation has been. HIPAA certainly looked good on paper but was less effective in practice and noncompliance was widespread. Even the introduction of the HIPAA Enforcement Rule in 2006, which gave the HHS’ Office for Civil Rights the authority to impose financial penalties and sanctions for noncompliance, failed to have a major effect at spurring covered entities into compliance. Enforcement was also very slow at first. It took until 2008 for the first enforcement action to result in a financial penalty, then there was only one financial penalty in 2009 and just two in 2010.

The first phase of HIPAA compliance audits conducted in 2011/2012 highlighted just how many covered entities had ineffective HIPAA compliance programs. The audits uncovered many violations of both the HIPAA Privacy and Security Rules. Even those violations, some of which were serious, did not result in any financial penalties. Some of the fiercest criticism of HIPAA in the early years was it was all bark and no bite.

The introduction of the HITECH Act was a major turning point in the history of HIPAA. Prior to the HITECH Act, business associates were not covered to a large extent by HIPAA, even though they were frequently provided with PHI. The HITECH Act made the HIPAA Rules directly applicable to business associates, which could then be fined directly if they did not also comply with the HIPAA Rules. Business associates include a huge range of third-party companies such as accountants, attorneys, billing companies, collection agencies, consultants, data analysts, and IT firms, so the HITECH Act, and subsequent Omnibus Rule, addressed that major gap.

The introduction of the HITECH Act also saw the penalties for noncompliance significantly increased and OCR also increased its HIPAA enforcement activities. With major fines issued for HIPAA violations, HIPAA compliance became a major focus for HIPAA-covered entities and business associates.

Enforcement of compliance has been critical to the success of HIPAA and while there are still many cases each year of noncompliance, on the whole the requirements of HIPAA have been largely implemented and the benefits of HIPAA are being realized.

Issues with Patient Access to PHI

Since the 2000 HIPAA Privacy Rule was introduced, patients have been given the right to obtain a copy of their own healthcare data, or to have that data sent to their nominated representative. The HITECH Act updated that right and helped individuals obtain a copy of their health data in electronic form, due to the increasing use of electronic health record systems.

While healthcare organizations have implemented policies that allow patients to exercise their access rights, many patients have experienced problems obtaining a copy of their healthcare data. They have either been refused access, requests have been delayed, and patients have been charged excessive fees for exercising their access rights – HIPAA only permits covered entities to charge a reasonable, cost-based fee for providing records.

One of the requirements of the 21st Century Cures Act, introduced in 2016, was to call on the Government Accountability Office to report on the barriers to patient medical record access and following assessments the HHS’ Office for Civil Rights launched a new HIPAA enforcement initiative targeting violations of the HIPAA Right of Access of the HIPAA Privacy Rule in the fall of 2019. That enforcement initiative is still active and, up until the end of July 2021, OCR has imposed 19 financial penalties on healthcare providers found to have been in violation of the HIPAA Right of Access.

Prior to the OCR enforcement initiative, only one financial penalty had been imposed for violations of this important right and that was the $4,300,000 financial penalty imposed on Cignet Health of Prince George’s County in 2011 for denying 741 patients access to their medical records.

HIPAA has Improved Healthcare Data Security

Prior to the introduction of the HIPAA Security Rule, healthcare organizations only had to comply with state laws covering data security. The Security Rule set new minimum standards for data security to ensure the confidentiality, integrity, and availability of electronic PHI. The Security Rule requires risk analyses to be conducted and risks reduced to a reasonable and acceptable level. Access controls are required to prevent unauthorized access to healthcare data, logs must be maintained and checked to identify unauthorized access, backups of data must be made, measures must be implemented to protect against reasonably anticipated, impermissible uses or disclosures, and staff must be provided with security awareness training.

Data security has improved, but data breaches are now occurring at records levels. For the past 5 months, data breaches have been reported by healthcare organizations and business associates at a rate of over 2 per day, but without the Security Rule requirements, far more breaches would be likely to occur.

The HIPAA Security Rule does have weaknesses. To remain relevant the HIPAA Security Rule had to be technology agnostic, so specific measures for security are generally not stipulated. It is left to the discretion of each entity to determine what constitutes “reasonable” protections. If the Security Rule was more specific with regard to required security protections, many more data breaches could be prevented.

The Security Rule also only applies to HIPAA covered entities and business associates, not to any other entity. It therefore has limited reach, and does not cover health data collected by health apps, or the huge volumes of data collected and sold by data brokers. There is therefore considerable scope for improvement to better protect all health data.

The HIPAA Security Rule also calls for security awareness training for staff but does not stipulate how frequently it should be provided. With the threat landscape constantly changing, regular training must be provided to the workforce to ensure employees are kept aware of the latest threats and are taught how to avoid them. Many covered entities and business associates are compliant with this requirement yet fail to provide training regularly enough to prevent cyberattacks and the associated privacy violations.

How Has HIPAA Fared with Changing Technology?

No legislative act will be able to maintain pace with the pace at which technology has evolved, especially one covering the healthcare industry. This is why HIPAA provided a framework rather than specifics and incorporated flexibility to accommodate for changes to healthcare technology and evolving privacy and security best practices.

Updates have been made over the years which have amended HIPAA to maintain relevance, such as the 2008 Genetic Information Non-discrimination Act (GINA) which restricts the use of individuals’ genetic data by health insurers and employers and the American Recovery and Reinvestment Act, of which the HITECH Act was part, which strengthened HIPAA in relation to the adoption of EHRs.

However, many new technologies have emerged over the years that are not covered by HIPAA. Personal electronic devices are extensively used which can collect huge amounts of personal and health data, such as fitness trackers and other wearable devices and smartphones have made it much easier for individuals to obtain, use, and share healthcare data.

Many of these devices collect data that would fall under the category of PHI if created or collected by a HIPAA-covered entity but are not within the scope of HIPAA, even though the same data are often collected by those devices. The extent to which these devices are now being used, and the sheer volume of digital health and wellness data being generated outside the healthcare system by individuals, is a growing cause of concern. Without the protections of HIPAA, healthcare data may not be properly protected and could be shared extensively or sold on with ease.

The HIPAA Privacy Rule does not adequately cover the collection of healthcare data, as it only covers uses and disclosures by certain entities. It does not apply to health data itself, and this could be argued is one of the biggest failures of HIPAA. The same is true of the HIPAA Security Rule, which also has a restrictive scope and only calls for administrative, physical, and technical safeguards for the healthcare data held, received, or transmitted by HIPAA-covered entities and their business associates.

Healthcare data is extremely valuable, and not only to bad actors such as cybercriminals. Cybercriminals can use healthcare data for fraud and identity theft, but it also has tremendous value to a wide range of businesses. Healthcare and wellness data can be used by insurers to gauge risk – which can affect insurance premiums. Employers can use health data to make decisions about potential new hires, and all manner of other businesses can use the data to make decisions about individuals that could have significant consequences for the data subjects.

The question about whether HIPAA should be updated to cover all healthcare data has yet to be fully answered. Many attempts have been made to introduce legislation to cover all healthcare data, but each has failed to make it through the Senate.

The scope of HIPAA could be expanded to include individually identifiable health information collected, used, transmitted, or maintained by non-HIPAA covered entities and non-business associates. Alternatively, new separate legislation is required to cover healthcare data not currently regulated by HIPAA. The solution could well be to leave HIPAA as it is and to instead introduce a national privacy law akin to the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

HIPAA Training and Education Need to Improve

HIPAA is not perfect and there are still significant gaps in the legislation, something that the coronavirus pandemic has highlighted. HIPAA doesn’t extend to the army of contact tracers and the data they collect, nor does it adequately cover exposure notification apps and may disclosures of COVID-19 related data. This is an area, like personal health apps, that needs to be addressed as there is considerable potential for privacy violations.

Vaccination programs have highlighted several areas where education needs to be improved. There have been many cases of HIPAA being cited as a reason not to disclose or share vaccination data, when HIPAA does not place restrictions on disclosures of vaccination information by individuals to employers or others.

Training remains a key issue with HIPAA and is often a much bigger weakness than technology or the HIPAA text itself. It is often uninformed people, and not healthcare technology and privacy and security controls, that are the reason for security breaches and privacy violations. While updates to HIPAA are needed, improvements need to be made to training programs to ensure all individuals with access to PHI or systems containing PHI are aware of their responsibilities and are trained how to be HIPAA-compliant employees.

Training needs to be appropriate to the role of each individual and training needs to be reinforced. Regular training sessions need to be provided to the workforce to make sure that the requirements of HIPAA are fully understood and are not forgotten over time. At many covered entities and business associates, employee training on HIPAA is not provided frequently enough.

Proposed Updates to the HIPAA Privacy Rule

Ahead of the 25-year anniversary of the HIPAA Privacy Rule, a significant update was proposed by the HHS. The proposed update published by the HHS in 2020 is intended to address several aspects of the Privacy Rule that are hampering care coordination and adding an unnecessary administrative burden on healthcare providers.

One of the main reasons for the update, according to then HHS Secretary Alex Azar, was to “break down barriers that have stood in the way of common sense care coordination and value-based arrangements for far too long.” The proposed update will improve care coordination and case management for patients, allow families and caregivers to become more involved in the provision of care to individuals, improve patients’ access to their health data, and will introduce new flexibilities covering disclosures of PHI in emergency and threatening situations, while also reducing the administrative burden on healthcare organizations. These updates have been long overdue but there has been criticism that the updates do not go far enough, and that some of the suggested updates are ill-advised.

One of the aspects addressed in the update will make it easier for patients to obtain a copy of their electronic healthcare data, but there are potential privacy and security risks with the change. Patients will be given the “right to direct the transmission of certain protected health information in an electronic format to a third party.” This right will help patients share their healthcare data with research organizations, but there are concerns that this change could have a negative impact on patients. Patients could request their health data be sent to anyone they choose, when the transmission of data to an entity not covered by the protections of HIPAA carries a security risk. The new right will certainly give patients much greater access and control over their personal data, but potentially it increases the risks that PHI may fall into the hands of bad actors.

The Future of HIPAA

HIPAA has been a great success, but it is far from perfect. There are still areas that require tweaking to improve usability and remove some of the administrative burden placed on HIPAA-covered entities. Proposed updates to the HIPAA Privacy Rule go some way to addressing some of the issues, but for many, the new HIPAA regulations that have been proposed do not go nearly far enough and some of the proposed changes have potential to cause privacy issues.

Overall, for legislation that is 25 years old, HIPAA has, with its various amendments, survived the test of time and is even more relevant and useful now than it was when it was first signed into law in 1996. HIPAA should be viewed as a work in progress though, and as far as the Future of HIPAA is concerned, there are likely to need to be further updates to ensure it remains relevant and effective.

Future of HIPAA FAQs

Does HIPAA cover all healthcare data?

HIPAA covers identifiable healthcare data, which is any healthcare data created, collected, transmitted, or maintained by a HIPAA-covered entity or business associate for treatment, payment for healthcare, or healthcare operations relating to the past, present, or future health status of an individual. Health data is not covered by HIPAA if it is created, stored, or transmitted by a non-HIPAA-covered entity or non-business associate.

Who does HIPAA apply to?

HIPAA applies to HIPAA-covered entities and their business associates. HIPAA-covered entities are healthcare providers, health plans, and healthcare clearinghouses that conduct electronic transactions involving PHI for which the HHS has developed standards. Business associates are vendors that provide products or services to HIPAA-covered entities that requires contact with PHI. HIPAA does not apply to other entities such as reporters, senators, individuals, and most employers.

Are there privacy risks associated with health apps?

Health apps, fitness trackers, and other wearable devices are not generally covered by HIPAA, nor are the data they collect or transmit. Without the protection of HIPAA, health app developers may use, disclose, or sell health data collected through the apps, and the security measures implemented may not meet HIPAA standards. There may be privacy and security risks associated with the use of these apps and devices.

Does HIPAA prevent disclosures of COVID-19 vaccination information?

Many people hide behind HIPAA and use the regulation as an excuse not to answer questions. One of the most notable recent examples, of which there are many, came from Marjorie Taylor Greene when asked about her vaccination status and cited HIPAA as the reason she could not disclose the information. HIPAA does not prevent such discloses. It only places restrictions on uses and disclosures by healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities.

How often does HIPAA training need to be provided?

HIPAA training must be provided to all healthcare employees within a reasonable period of time after the person joins the covered entity’s workforce, as well as when functions are affected by a material change in policies or procedures and following any updates to the HIPAA Rules. HIPAA refresher training should also be provided at least annually, and no later than every two years. Annual training is the best practice.

The post Future of HIPAA: Reflections at the 25th Anniversary of HIPAA appeared first on HIPAA Journal.