Latest HIPAA News

February 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

The was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents.

Healthcare Data Breaches Past 12 Months

After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches.

Healthcare Records Breached Past 12 Months

Largest Healthcare Data Breaches Reported in February 2021

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
The Kroger Co. OH Healthcare Provider 368,100 Hacking/IT Incident Ransomware
BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) TX Healthcare Provider 100,487 Hacking/IT Incident Phishing
RF EYE PC dba Cochise Eye and Laser AZ Healthcare Provider 100,000 Hacking/IT Incident Ransomware
Gore Medical Management, LLC GA Healthcare Provider 79,100 Hacking/IT Incident Hacking incident
Summit Behavioral Healthcare TN Healthcare Provider 70,822 Unauthorized Access/Disclosure Phishing
Humana Inc KY Health Plan 62,950 Unauthorized Access/Disclosure Subcontractor shared PHI without consent
Nevada Orthopedic & Spine Center NV Healthcare Provider 50,000 Hacking/IT Incident Unconfirmed
Fisher Titus Health, Inc. OH Health Plan 49,636 Hacking/IT Incident Phishing
Covenant HealthCare MI Healthcare Provider 47,178 Hacking/IT Incident Phishing
UPMC PA Healthcare Provider 36,086 Hacking/IT Incident Phishing attack on BA
Grand River Medical Group IA Healthcare Provider 34,000 Hacking/IT Incident Phishing
AllyAlign Health, Inc. VA Health Plan 33,932 Hacking/IT Incident Ransomware
Harvard Eye Associates CA Business Associate 29,982 Hacking/IT Incident Ransomware attack on BA
Texas Spine Consultants, LLP TX Healthcare Provider 25,728 Unauthorized Access/Disclosure Unconfirmed
UPMC Health Plan PA Health Plan 19,000 Hacking/IT Incident Phishing attack on BA

Causes of February 2021 Healthcare Data Breaches

Three breaches of more than 100,000 record were reported in February. The largest healthcare data breach of the month was reported by Kroger, an Ohio-based chain of supermarkets and pharmacies. The breach was due to a CLOP ransomware attack on a vendor – Accellion – that resulted in the theft of the protected health information of 368,100 of its customers. Kroger was one of several HIPAA-covered entities to be affected by the breach.

Elara Caring, one of the nation’s largest providers of home-based care, announced that several employee email accounts containing protected health information had been accessed by unauthorized individuals as a result of responses to phishing emails. Cochise Eye and Laser was also the victim of a ransomware attack in which the protected health information of 100,000 individuals was potentially stolen.

February 2021 Healthcare Data Breaches - Causes

Phishing attacks were the most common cause of data breaches in February, with network server incidents in close second. These mostly involved hacking and the deployment of malware or ransomware. Hacking incidents accounted for 71.1% of the month’s breaches and 85.7% of all records breached in the month. The average size of a hacking breach was 30,239 records and the median breach size was 8,849 records.

There were 10 unauthorized access/disclosure incidents reported in February involving 172,799 records. The average breach size was 17,280 records and the median breach size was 2,497 records. There were 2 theft incidents and 1 reported loss incident reported involving a total of 3,773 records, all three of which involved paper records.

February 2021 Healthcare Data Breaches - Location of breached PHI

Entities Reporting Healthcare Data Breaches in February 2021

Healthcare providers were the worst affected covered entity type in February, with 35 breaches reported. There were 5 breaches reported by health plans and 5 reported by business associates of HIPAA-covered entities. A further 5 breaches were reported by the covered entity but had some business associate involvement.

Entities affected by February 2021 healthcare data breaches

Healthcare Data Breaches by State

Healthcare data breaches of 500 or more records were reported in 20 states in February 2021. The worst affected states were California and Texas with six breaches reported in each state. 5 entities in Pennsylvania reported breaches, there were 4 breaches reported in Florida and Michigan, 2 in each of North Carolina, Nevada, Ohio, Tennessee, and Virginia, and 1 in each of Arizona, Colorado, Georgia, Iowa, Kentucky, Louisiana, Minnesota, North Dakota, Utah, and Wyoming.

HIPAA Enforcement Activity in February 2021

In February, the HHS’ Office for Civil Rights announced two settlements had been reached with HIPAA-covered entities to resolve potential violations of the HIPAA Rules. Both enforcement actions were in response to complaints from patients who had not been provided with timely access to their medical records.

OCR launched a new enforcement initiative in late 2019 targeting healthcare providers who were not complying with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Three Right of Access enforcement actions have resulted in settlements so far in 2021, and the latest two bringing the total number of settlements under this enforcement initiative to 16.

Sharpe Healthcare settled its case with OCR and paid a $70,000 penalty and Renown Health settled its case for $75,000.

The post February 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware

Posted by HIPAA Journal

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about TrickBot malware. TrickBot was first identified in 2016 and started out as a banking Trojan; but the malware has since had a host of new capabilities added and is now extensively used as a malware loader for delivering other malware variants, including ransomware such as Ryuk and Conti.

“TrickBot has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” explained CISA/FBI in the alert.

In late 2019, TrickBot survived an attempt by Microsoft and its partners to disrupt its infrastructure and spam campaigns distributing the malware soon recommenced, with TrickBot activity surging in recent weeks. Earlier this month, Check Point researchers warned about an increase in TrickBot infections following the takedown of the Emotet botnet. TrickBot was the 4th most prevalent malware variant in 2020 and rose to third in January 2021; however, since the Emotet botnet was disrupted, TrickBot has become the most widely distributed malware variant and tops Check Point’s malware index for the first time.

TrickBot was used in the ransomware attack on Universal Healthcare Services that took systems offline for several weeks. TrickBot was used to gain access to UHS systems and detect and harvest data, after which the malware delivered the Ryuk ransomware payload. The attack caused UHS to suffer losses of $67 million in 2020.

TrickBot is primarily distributed via spear phishing emails, which are tailored for the organization that is being targeted. The emails use a combination of malicious attachments and hyperlinks to websites where the malware is downloaded. In February, the TrickBot gang conducted a large-scale phishing campaign targeting the legal and insurance sectors that used a.zip file attachment containing malicious JavaScript for delivering the malware.

One of the most recent phishing campaigns uses fake traffic violation notifications as the lure to get recipients to open a “photo proof” of the traffic violation. Clicking the photo launches a JavaScript file that establishes a connection with the gang’s command and control (C2) server and TrickBot malware is downloaded onto the victim’s system.

TrickBot is capable of lateral movement via the Server Message Block (SMB) Protocol, exfiltrates sensitive data from victim systems, and is capable of cryptomining and host enumeration. “TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting to trying to manipulate, interrupt, or destroy systems and data,” explained CISA/FBI.

CISA has developed a snort signature for detecting network activity associated with TrickBot malware and the CISA/FBI alert also details cybersecurity best practices that make it harder for TrickBot to be installed and will help to harden systems against network propagation.

The post CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware appeared first on HIPAA Journal.

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

Posted by HIPAA Journal

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, hackers who took advantage of overrun hospitals to steal data and conduct ransomware attacks.

The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net.

The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised.

Healthcare Hacking Incidents Increased by 42% in 2020

Healthcare hacking incidents increased by 42% in 2020, continuing a 5-year trend that has seen hacking incidents increase each year. 470 incidents were classed as hacking-related breaches, which accounted for 62% of all breaches in the year. 31,080,823 healthcare records were compromised in the 277 incidents where the number of affected individuals is known. Many of the 2020 hacking incidents involved the use of ransomware. Ransomware attacks increased considerably in 2020, with more than double the number of ransomware attacks on healthcare organizations than in 2019.

Surge in Insider Data Breaches in 2020

There has been a four-year decline in insider breaches, but the Protenus report shows insider data breaches increased in 2020. More than 8.5 million records were exposed or compromised in those incidents – more than double the number of breached records by insiders as 2019. In fact, more records were breached by insiders in 2020 than in 2017, 2018, and 2019 combined. In 2020, 1 in 5 data breaches was an insider incident.

Insider breaches include insider errors and insider wrongdoing. 96 breaches involved insider error in 2020, of which data was obtained for 74 of the incidents. There were 45 cases of insider wrongdoing, with data obtained for 30 of the incidents. Errors by employees resulted in the exposure of the protected health information of at least 7,673,363 individuals and insider wrongdoing incidents resulted in the exposure/theft of at least 241,128 records.

Business Associates Often Involved

The number of data breaches involving business associates increased in 2020, with 12% of all breaches having at least some business associate involvement. Business associate breaches resulted in the exposure or theft of more than 24 million patient records, with 55% of all hacking incidents having some business associate involvement along with 25% of insider error incidents. The number of breaches involving business associates could be considerably higher as the researchers were unable to accurately determine if business associates were involved in many of the breaches.

Data Breaches Discovered Faster but Breach Reporting Slower

In 2020 it took an average of 187 days from the breach occurring to discovery by the breached entity, which is a considerable improvement on the 224-day average discovery time in 2019. In 2020, the median discovery time was just 15 days. However, there was considerable variation in discovery times, from almost immediately in some cases to several years after the breach in others.

Reporting on data breaches was slower than in 2019, with the average time for reporting a breach increasing from 80 days in 2019 to 85 days in 2020, with a median time of 60 days – the maximum time allowed for reporting a breach by the HIPAA Breach Notification Rule. The figures were based on just 339 out of the 758 breaches due to a lack of data.

“The current climate has increased risk for health systems as a new trend emerged of at least two data breaches per day, a troubling sign of the continuing vulnerability of patient information, heightened by the pandemic,” explained Protenus in the report. “Healthcare organizations need to leverage technology that allows organizations to maintain compliance priorities in a resource-constrained environment. Hospitals can’t afford the costs often associated with these incidents, as more than three dozen hospitals have filed bankruptcy over the last several months. Non-compliance is not an option.”

The post 2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches appeared first on HIPAA Journal.

Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras

Posted by HIPAA Journal

A hacking collective has gained access to the systems of the Californian security camera startup Verkada Inc. and the live feeds and archived footage from almost 150,000 cloud-connected surveillance cameras used by large corporations, schools, police departments, jails, and hospitals.

As initially reported by Bloomberg, Verkada’s systems were accessed by a white hat hacking collective named Advanced Persistent Threat 69420 using credentials they found on the Internet. Those credentials gave the group super admin level privileges, which provided root access to the security cameras and, in some cases, the internal networks of the company’s clients. The hackers also said they were able to obtain the full list of Verkada clients and view the company’s private financial information.

Verkada’s systems were not accessed with a view to conducting any malicious actions, instead the aim was to raise awareness of the ease at which the systems could be hacked. Malicious threat actors could also have easily gained access to the Verkada’s systems for a range of malicious purposes.

Till Kottmann, one of the hackers in the collective, said her collective accessed Verkada systems on March 8, 2021 and had full access for around 36 hours. Since the system was fully centralized, it was easy to access and download camera footage from its clients. Kottmann described the security on Verkada’s systems as “nonexistent and irresponsible.” Kottmann said an internal development system had inadvertently been exposed to the Internet and hard-coded credentials for a system account were stored in an unencrypted subdomain that provided full access.

The hackers were able to use the credentials to login to the web-based systems used by all customers to access their own security cameras, except the super admin privileges allowed them to access the security cameras of all customers.

Footage was obtained from corporate customers including Tesla, Equinox, Cloudflare, and Nissan, along with camera feeds from Madison County Jail in Huntsville, AL, Sandy Hook Elementary School in Newtown, CT and many others.

The security cameras of ICU departments in hospitals could also be accessed, including Halifax Health in Florida and Wadley Regional Medical Center in Texarkana, TX.

Verkada issued a statement about the hacking incident, saying “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.” All affected customers have now been notified and an investigation into the breach has been launched.

Surveillance Cameras are a Potential Security Risk

The hacking incident should serve as a wake-up call about the dangers of surveillance cameras. While security cameras can improve security, they may also be a security weak point. This incident is certainly notable in terms of scale, buy Verkada is not the only security camera company to have suffered a breach.

In 2020, the threat group behind the Chalubo and FBot botnets – which targets poorly secured IoT devices – was discovered to be exploiting vulnerabilities in CCTV cameras manufactured by Taiwan-based LILIN and using the devices for DDoS attacks.

Also in 2020, vulnerabilities were identified in around 700,000 security cameras including those manufactured by Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT, and Tenvis which put them at risk of being hacked. The vulnerabilities could be exploited to bypass firewalls and steal passwords. The flaws were present in a P2P solution from Shenzhen Yunni Technology Company that was used by the camera manufacturers.

The post Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras appeared first on HIPAA Journal.

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

Posted by HIPAA Journal

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of 21 million Americans.

Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities.

From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019.

AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for bankruptcy protection in June 2019.

The multi-state investigation into the breach was led by the Indiana, Texas, Connecticut, and New York Attorneys General, with the Indiana and Texas AGs also participating in the bankruptcy proceedings to ensure that the investigation continued, and the personal and protected health information of breach victims was protected. AMCA received permission from the bankruptcy court to settle the multistate action and filed for dismissal of the bankruptcy on December 9, 2020.

The multistate investigation confirmed information security deficiencies contributed to the cause of the breach and despite AMCA receiving warnings from banks that processed AMCA payments about fraudulent use of payment cards, AMCA failed to detect the intrusion.

Under the terms of the settlement, AMCA is required to create and implement an information security program, develop an incident response plan, employ a qualified chief information security officer (CISO), hire a third-party assessor to perform an information security assessment, and continue to assist state attorneys general with investigations into the data breach.

A financial penalty of $21 million has been imposed on AMCA which will be distributed pro rata between the affected states; however, due to the financial position of the company, the $21 million financial penalty has been suspended. That payment will only need to be made if AMCA defaults on the terms of the settlement agreement.

“AMCA is a cautionary tale: When a company does not adequately invest in information security, the costs associated with a data breach can lead to bankruptcy – destroying the business and leaving affected individuals in harm’s way,” said Connecticut Attorney General Tong. “My office will continue to work to protect personal information even where the business that had the responsibility to do so cannot.”

“AMCA’s security failures resulted in 21 million Americans having their data illegally accessed. I am committed to protecting New Yorkers’ personal data and will not hesitate to hold companies accountable when they fail to safeguard that information,” said New York Attorney General Letitia James. “Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again.”

Indiana, Texas, Connecticut, and New York led the investigation and were assisted by Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina, and Tennessee. The Attorneys General of Arizona, Arkansas, Colorado, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington, and West Virginia also joined the settlement.

The post Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation appeared first on HIPAA Journal.

Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion

Posted by HIPAA Journal

Ransomware attacks on the healthcare industry skyrocketed in 2020. In 2020, at least 91 US healthcare organizations suffered ransomware attacks, up from 50 the previous year. 2020 also saw a major ransomware attack on the cloud software provider Blackbaud, with that attack known to have affected at least 100 US healthcare organizations.

The first known ransomware attack occurred in 1989 but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. The landscape changed in 2016 when a new breed of ransomware started to be used in attacks.

These new ransomware variants use powerful encryption and delete or encrypt backup files to ensure data cannot be easily recovered without paying the ransom. Over the past 5 years ransomware has been a constant threat to the healthcare industry, with healthcare providers being increasingly targeted in recent years. Attacks now see sensitive data stolen prior to file encryption, so even if files can be recovered from backups, payment is still required to prevent the exposure or sale of stolen data.

Healthcare ransomware attacks cripple IT systems, prevent patient medical records from being accessed, cause disruption to patient care, and put patient safety at risk. Recovering data and restoring systems can take weeks or months and mitigating the attacks is expensive, with considerable loss of revenue due to downtime. In 2020, the ransomware attack on the University of Vermont Health Network was costing $1.5 million a day in recovery costs and lost revenue.

The True Cost of Healthcare Ransomware Attacks

Researchers at Comparitech recently conducted a study to identify the true cost of ransomware attacks on US healthcare organizations. The researchers gathered information on all ransomware attacks reported to the US Department of Health and Human Services’ Office for Civil Rights since 2016, as well as attacks reported through media outlets but were not made public by OCR as they affected fewer than 500 individuals.

Calculating the true cost of healthcare ransomware attacks is difficult, as only limited data is made public. Ransoms may be paid, but the amounts are often not disclosed and attacks that affect fewer than 500 individuals are often not made public.

The researchers identified 92 healthcare ransomware attacks in 2020, including the attack on Blackbaud. More than 600 separate hospitals, clinics, and other healthcare facilities were affected by those attacks, with a further 100 affected by the attack on Blackbaud. Those attacks involved the theft or exposure of the protected health information of at least 18,069,012 patients.

Ransom demands were issued ranging from $300,000 to $1.14 million, with data from Coveware indicating an average ransom demand of $169,446 in 2020. $15.6 million in ransoms were demanded from healthcare organizations in the United States in 2020, and $2,112,744 is known to have been paid to ransomware gangs in 2020. The true figure is substantially higher as many ransoms were paid but the amounts were not publicly disclosed.

In addition to the ransom payment there is the cost of downtime, which in some cases can be weeks or months following the attack. Coveware research indicates the average downtime ranged from 15 days in Q1, 2020 to 21 days in Q4, 2020. The Comparitech researchers determined the total downtime from the attacks in 2020 was likely to be 1,669 days. Using a 2017 estimate of the cost of downtime of $8,662 per minute, the researchers determined the attacks cost at least $20.8 billion in 2020, which is more than double the estimated cost of ransomware attacks in 2019 ($8.46 billion).

The researchers identified 270 healthcare ransomware attacks in the United States between January 2016 and December 2020, which affected around 2,100 hospitals, clinics, and other healthcare facilities. The attacks resulted in the theft or encryption of the records of more than 25 million individuals, with the overall cost to the healthcare industry estimated to be $31 billion.

 

Healthcare ransomware attacks 2016-2020. Source: Comparitech.

Healthcare ransomware attacks 2016-2020. Source: Comparitech.

You can view the full findings from the Comparitech healthcare ransomware study on this link.

The post Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion appeared first on HIPAA Journal.

Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days

Posted by HIPAA Journal

Changes to the HIPAA Rules are infrequent, so when updates are proposed they tend to include a slew of new requirements and updates to existing provisions. Before any updates are made, a request for information (RFI) is issued to allow the HHS to obtain feedback on aspects of the HIPAA Rules that are causing problems, and areas where improvements could be made.

Following the RFI, a proposed rule is issued by the HHS followed by a comment period. The comment period is the last chance for industry stakeholder, including patients and their families, to voice their opinions about the proposed changes before they are signed into law.

After issuing an RFI, the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking on December 10, 2020, along with the standard 60-day comment period from the date of publication in the Federal Register (January 21, 2021). The comment period was due to expire on March 22, 2021.

Since the proposed changes include updates to the HIPAA Privacy Rule that will impact virtually everyone in the healthcare industry, the HHS has taken the decision to extend the comment period.

The proposed Privacy Rule changes include strengthening patient rights to access their own healthcare information, changes to facilitate greater family and caregiver involvement in the care of individuals in emergencies and health crises, changes to bring greater flexibility for disclosures in emergency situations, updates to reduce the administrative burden on healthcare providers, and changes to improve information sharing for care coordination and case management.

The HHS’ Office for Civil Rights is encouraging all stakeholders to read the proposed changes and submit their feedback. All comments received will be carefully considered and will shape the final rule which is expected to be issued in late 2021/early 2022.

“OCR anticipates a high degree of public interest in providing input on the proposals because the HIPAA Privacy Rule affects nearly anyone who interacts with the health care system,” said Acting OCR Director Robinsue Frohboese.  “The 45-day extension of the comment period to May 6, 2021, will give the public a full opportunity to consider the proposals and submit comments to inform future policy.”

You can view the Proposed Modifications to the HIPAA Privacy Rule here.

The post Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days appeared first on HIPAA Journal.

FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Data Without Consent

Posted by HIPAA Journal

On March 4, 2021, Senator Robert Menendez (D-New Jersey), and Reps. Bonnie Watson Coleman (D-New Jersey) and Mikie Sherrill (D-New Jersey) wrote a letter urging the Federal Trade Commission (FTC) to start enforcing the Health Breach Notification Rule.

The Federal Trade Commission (FTC) has a mandate to protect Americans from bad actors that betray consumer trust and misuse consumers’ healthcare data and has the authority to take enforcement action but is not enforcing compliance with the Health Breach Notification Rule.

The Health Breach Notification Rule was introduced as part of the American Recovery and Reinvestment Act of 2009 and requires vendors of personal health records, PHR related entities, and third-party service providers to inform consumers about unauthorized disclosures of personal health information.

The Health Breach Notification Rule applies to entities not covered by the Health Insurance Portability and Accountability Act (HIPAA), and has similar provisions to the HIPAA Breach Notification Rule. While the HHS’ Office for Civil Rights has enforced compliance with the HIPAA Breach Notification Rule, the FTC has yet to take any enforcement actions against entities over violations of the Health Breach Notification Rule.

In the letter to the Honorable Rebecca Kelly Slaughter, FTC Acting Chair, the lawmakers urged the FTC to take enforcement actions against companies that fail to notify consumers about unauthorized uses and disclosures of personal health information, specifically disclosures of consumers’ personal health information to third parties without consent by menstruation tracking mobile app providers.

Over the past couple of years, several menstruation and fertility tracking apps have been found to be sharing app user data with third parties without consent. In 2019, a Wall Street Journal investigation revealed the period tracking app Flo was disclosing users’ personal health information to third parties without obtaining consent. While the Flo Health explained in its privacy policy that the personal health data of consumers would be safeguarded and not shared with third parties, consumer information was in fact being shared with tech firms such as Google and Facebook.

The FTC filed a complaint against Flo over the privacy violations and a settlement was reached between Flo Health and the FTC that required the app developer to revise its privacy practices and obtain consent from app users before sharing their health information, however, the complaint did not address the lack of notifications to consumers.

Flo is not the only period tracking app to disclose consumers’ personal health information without obtaining consent. The watchdog group International Digital Accountability Council determined the fertility tracking app Premom’s privacy policy differed from its actual data sharing practices, and the app was sharing user data without consent. In 2019, Privacy International conduced an investigation into privacy violations at another period tracking app and found user data was provided to Facebook before users could view changes to its privacy policy and provide their consent.

“Stronger [Health Breach Notification Rule] enforcement would be especially impactful in the case of period-tracking apps, which manage data that is both deeply personal and highly valuable to advertisers,” wrote the lawmakers. “Looking ahead, we encourage you to use all of the tools at your disposal, including the Health Breach Notification Rule, to protect women and all menstruating people from mobile apps that exploit their personal data.”

The post FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Data Without Consent appeared first on HIPAA Journal.

Virginia Consumer Data Protection Act Signed into Law

Posted by HIPAA Journal

The Virginia Consumer Data Protection Act (CDPA) has been signed into law by Governor Ralph Northam. CDPA requires persons conducting business in the Commonwealth of Virginia to comply with new data privacy and security requirements. The CDPA comes into effect on January 1, 2023.

The CDPA mirrors some of the privacy and security provisions of the EUs General Data Protection Regulation (GDPR) that took effect on March 25, 2018, and the California Consumer Privacy Act (CCPA) that took effect on January 1, 2020. While there are similarities with the GDPR and the CCPA, there are some differences, so compliance with either the CCPA or the GDPR does not guarantee compliance with the CDPA.

Like the CCPA, the CDPA only applies to organizations that control or process significant amounts of consumer data, with the data threshold twice as high as the CCPA, although there is no minimum revenue threshold in the CDPA.

The CDPA applies to any person or business that:

  • Controls or processes the personal data of 100,000 or more Virginia residents in a calendar year; or
  • Controls or processes the data of 25,000 or more Virginia residents in a calendar year and also derives 50% or more of its gross revenue from the sale of personal data.

Virginia Consumer Data Protection Act Exemptions

Entities already covered by certain Federal laws that include data privacy and security provisions are exempt from compliance with the CDPA. These are entities covered by:

  • The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  • The Gramm-Leach-Bliley Act (GLBA)

HIPAA-and GLBA-covered entities are fully exempt, not only for data collected that is covered by the respective acts, but also any other data which would otherwise be covered by the act.

There are also exceptions for data covered by the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), the Drivers Privacy Protection Act, the Farm Credit Act, the Family Educational Rights and Privacy Act, and personal data processed in employment contexts.

Other entities exempt from CDPA compliance are:

  • Any body, authority, board, bureau, commission, district, or Virginian agency or any Virginian political subdivision.
  • Nonprofit organizations.
  • Higher education institutions.

Virginia Consumer Data Protection Act Requirements

The CDPA covers the personal data of any consumer who is “a natural person who is a resident of the Commonwealth acting only in an individual or household context,” but not if they are “acting in a commercial or employment context.” The personal data definition is “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

The CDPA does not apply to deidentified data nor to data in the public domain. The definition of data in the public domain is “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.”

CDPA prohibits covered entities from selling personal data without consent, with sale defined as “the exchange of personal data for monetary consideration by the controller to a third party.”

CDPA places restrictions on data collection, limiting information to what is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” Data can only be used for purposes that are reasonably necessary and compatible with the purposes that consumers have consented to.

Covered entities must ensure that reasonable administrative, technical, and physical safeguards are implemented to protect any data collected or processed, and data controllers must conduct data protection assessments, although the frequency that assessments need to be performed is not defined.

Covered entities must also ensure that they provide consumers with a privacy policy that includes the types of data collected and processed, the reason for data processing, consumer rights and how they can be exercised, and consumers must be informed about the third parties with whom personal data are shared and the types of data that will be disclosed to third parties and consent must be obtained before data collection or processing.

Consumer Rights Under CDPA

Virginia residents are given the right to:

  • View the personal data held by a covered entity.
  • Correct errors in the personal data held by a covered entity.
  • Delete personal data held by a covered entity.
  • Obtain a copy of the personal data held by a covered entity.
  • Opt out of processing of personal data for targeted advertising purposes.
  • Appeal the denial of a business to act on a request within a reasonable time frame (45 days). A response to any appeal must be provided within 45 days.

Penalties for Noncompliance with the CDPA

There is no private right of action under the CDPA, so consumers cannot take legal action against a business if they believe their CPDA rights have been violated.  Enforcement of compliance lies with the Virginia Attorney General, which can impose a fine of up to $7,500 per violation. However, the state Attorney General must provide businesses with the opportunity to correct or “cure” the violation, with financial penalties applying only if those violations have not been “cured” within 30 days.

The post Virginia Consumer Data Protection Act Signed into Law appeared first on HIPAA Journal.