2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average.

There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 565 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.

December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached.

Largest Healthcare Data Breaches Reported in December 2020

There were two healthcare data breaches reported in December that each impacted more than 1 million individuals. The largest breach was a phishing attack on the Florida-based business associate, MEDNAX Services, Inc. MEDNAX provides revenue cycle management and other administrative services to its affiliated physician practice groups. Hackers gained access to its Microsoft Office 365-hosted email system after employees responded to phishing emails. The compromised accounts contained the protected health information of 1,290,670 patients of its clients.

Dental Care Alliance is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices in 20 U.S. states. Little information has been released about the exact nature of the cyberattack, other than hackers gaining access to its systems and viewing files containing patient information.

Causes of December 2020 Healthcare Data Breaches

Ransomware gangs continue to target healthcare organizations and attacks have increased considerably in recent months. 5 of the worst data breaches reported in December involved ransomware, as did many of the smaller breaches. Several healthcare providers have only just reported being affected by the ransomware attack on Blackbaud Inc., which was discovered by the cloud service provide in May 2020.

Phishing continues to be a major cause of healthcare data breaches. There were 13 data breaches involving unauthorized accessing of email accounts, the majority of which used credentials stolen in phishing attacks. While most of the month’s breaches involved unauthorized accessing of electronic protected health information, 17.75% of the month’s breaches involved paper records and films, highlighting the importance of also protecting physical records.

33 hacking/IT incidents were reported to OCR in December 2020. Those incidents accounted for 98.39% of the month’s breached records (4,173,519 records). An average of 126,470 records were breached per incident with a median breach size of 8,000 records per incident.

There were 21 unauthorized access/disclosure incidents reported to OCR which involved a total of 57,837 records. The average breach size was 2,754 records and the median breach size was 1,020 records.

There were 7 theft and loss incidents reported (5 theft/2 loss). The average breach size was 1,392 records and the median breach size was 856 records. There was also one incident involving the improper disposal of 501 records.

Entities Reporting Data Breaches in December 2020

Healthcare providers were the worst affected covered entity in December 2020 with 39 breaches reported, but there was a major increase in data breaches reported by health plans. 17 health plans reported breaches of 500 or more records in December, which is a 183% increase from November.

There were 6 data breaches reported by business associates of HIPAA covered entities, but 40% of the month’s breaches (25) had some business associate involvement. In many cases, the breach was experienced by the business associate but was reported by the covered entity.

December 2020 Healthcare Data Breaches by State

HIPAA covered entities and business associates in 58% of U.S. states reported data breaches in December. Florida was the worst affected of the 29 states with 9 reported data breaches. Pennsylvania also had a particularly bad month with 7 reported breaches, followed by Missouri and Texas with 4, and Illinois, North Carolina, and Tennessee with 3.

There were two breaches reported in each of Arizona, Connecticut, Georgia, Massachusetts, Minnesota, Ohio, and Wisconsin, and one breach reported in each of Arkansas, California, Colorado, Delaware, Indiana, Iowa, Kentucky, Louisiana, Maine, Mississippi, Nebraska, Oregon, Utah, Virginia, and West Virginia.

HIPAA Enforcement in December 2020

2020 has been a busy year in terms of HIPAA enforcement. More financial penalties were imposed on HIPAA covered entities and their business associates to resolve potential HIPAA violations in 2020 than in any other year since the HHS was given the authority to enforce HIPAA compliance.  19 settlements were reached to resolve cases where HIPAA Rules appeared to have been violated.

OCR announced one further financial penalty in December – The 13^th financial penalty under its HIPAA Right of Access initiative. Peter Wrobel, M.D., P.C., dba Elite Primary Care, agreed to pay OCR a $36,000 to resolve a case involving the failure to provide two patients with timely access to their medical records.

You can read more about 2020 HIPAA enforcement in our end of year summary.

The post December 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules.

While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for violations of multiple HIPAA Rules that impacted large numbers of individuals. The $5,100,000 penalty, imposed on Excellus Health Plan, was so large because there were multiple violations of the HIPAA Rules, over multiple years, that led to a breach of the ePHI of 9,358,891 individuals.

Penalties for Noncompliance with the HIPAA Right of Access

In late 2019, OCR announced a new HIPAA enforcement initiative to tackle non-compliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been rigorously enforcing compliance with the HIPAA Right of Access and as of December 2021, has imposed 25 penalties for HIPAA Right of Access violations totaling $1,564,650. The fines range from $3,500 to $200,000. There have been 24 settlements and one civil monetary penalty, with many of the fines imposed on small healthcare providers.

The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set.  When a request is received from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of the requested records. A request for access to an individual’s health records may be denied, but only in very limited circumstances.

OCR investigates complaints from individuals who allege they have been denied access to their health records, have not received records within 30 days, or have been charged excessive amounts for copies of their records. The financial penalties imposed by OCR in 2020 for HIPAA Right of Access violations ranged from $15,000 to $160,000 and stemmed from refusals to provide copies of records or long delays. In many cases, records were only provided after OCR intervened.

2021 HIPAA Right of Access Enforcement Actions

Other 2021 HIPAA Violation Penalties

Only two HIPAA enforcement actions in 2021 were not the result of HIPAA Right of Acess violations.

Excellus Health Plan

Rochester, New York-based Excellus Health Plan, a member of the Blue Cross Blue Shield Association, was investigated to identify potential HIPAA compliance issues following a report of a data breach of 9,358,891 records in 2015. It was one of three mega data breaches to be reported by health plans that year, Anthem Inc and Premera Blue Cross being the other two, both of which had settled their cases and paid sizeable penalties.

Excellus discovered the breach in August 2015, with its investigation revealing hackers had access to its systems between December 23, 2013, and May 11, 2015. The breach was reported to OCR on September 9, 2015. Malware had been installed which allowed the hackers to exfiltrate the data of around 7 million Excellus Health Plan members and approximately 2.5 million members of Lifetime Healthcare, its non-BlueCross subsidiary, which included names, contact information, dates of birth, Social Security numbers, health plan ID numbers, claims data, financial account information, and clinical treatment information.

OCR’s investigation uncovered multiple HIPAA violations, including the failure to conduct an accurate and thorough organization-wide risk analysis, the failure to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a lack of technical policies and procedures to limit data access to authorized persons and software programs. Excellus chose to settle the case and paid a $5,100,000 penalty and agreed to implement a comprehensive Corrective Action Plan to address all areas of non-compliance.

Peachstate Health Management LLC, dba AEON Clinical Laboratories

The enforcement action against Peachstate Health Management is notable because this was the first OCR investigation to result in a financial penalty for HIPAA violations identified in a company that was not the initial subject of the investigation.

OCR launched an investigation after receiving a report from the Department of Veteran Affairs in 2015 about a data breach involving its business associate, Authentidate Holding Corporation (AHC). AHC managed the VA’s Telehealth Services Program and suffered a data breach. While investigating, OCR learned that AHC had entered into a reverse merger with Peachstate Health Management on January 27, 2016, which saw Peachstate acquired by AHC. Peachstate is a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR then launched an investigation of Peachstate to assess HIPAA Privacy and Security Rule compliance and found multiple violations of the HIPAA Rules. OCR identified multiple HIPAA Security Rule failures, including risk assessment, risk management, audit controls failures, as well as the failure to maintain documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000, and a corrective action plan was agreed to resolve the HIPAA violations.

2020 HIPAA Right of Access Enforcement Actions

Other 2020 HIPAA Violation Penalties

The remaining HIPAA violation penalties issued in 2020 were issued for non-compliance with several provisions of the HIPAA Rules. The penalty amounts reflect the seriousness of the violations, the harm caused, the number of individuals affected, the level of cooperation with OCR, the voluntary actions taken to address the violations, and the ability of the entity to pay. In each of the HIPAA violation cases below, OCR discovered multiple violations of the HIPAA Rules.

Second Largest HIPAA Violation Penalty for Premera Blue Cross

The largest HIPAA violation penalty of 2020 was imposed on the health insurer Premera Blue Cross. Premera Blue Cross was investigated over a data breach in which the protected health information of 10,466,692 individuals was obtained by hackers.

During the investigation, OCR discovered multiple potential violations of the HIPAA Security Rule. Premera Blue Cross had failed to conduct a comprehensive risk analysis, had not reduced risks to the confidentiality, integrity, and availability of ePHI to a reasonable and appropriate level, and had implemented insufficient hardware and software controls.

Premera Blue Cross agreed to pay a financial penalty of $6,850,000 to resolve the case and adopted a corrective action plan to address all areas of noncompliance.

In addition to the OCR penalty, Premera Blue Cross settled a multi-state action for $10 million and a class action lawsuit filed on behalf of victims of the breach for $74 million.

The financial penalty was the second-largest ever to be issued by OCR. The largest HIPAA violation penalty – $16 million – was paid by Anthem Inc. in 2018 and resolved an investigation into its 78.8 million record data breach that was discovered in 2015. Following on from that settlement, in 2020 Anthem Inc settled a multi-state action and paid $48.2 million in penalties. Anthem also settled a class action lawsuit filed on behalf of victims of the breach in 2018 for $115 million.

CHSPSC LLC

CHSPSC LLC, a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, suffered a cyberattack in April 2014 in which compromised admin credentials were used by hackers to gain access to its systems. The hackers stole the ePHI of 6,121,158 individuals.

OCR investigated and found systemic noncompliance with the HIPAA Security Rule. CHSPSC had failed to conduct a comprehensive risk analysis, was not conducting information system activity reviews, and had implemented insufficient access controls and security incident response procedures. When notified about the cyberattack by the FBI, it took CHSPSC two months to respond.

CHSPSC LLC settled the case, paid a $2,300,000 penalty, and adopted a corrective action plan to address all areas of noncompliance. Community Health Systems and CHSPSC LLC also settled a multi-state action with 28 state Attorneys General over the breach for $5,000,000.

Athens Orthopedic Clinic

The Athens, GA-based healthcare provider Athens Orthopedic Clinic suffered a cyberattack in 2016 in which a hacker stole a database containing the PHI of 208,557 patients and demanded payment not to release the stolen data. When payment was not received the database was published.

OCR’s investigation into the breach uncovered systemic noncompliance with the HIPAA Rules. Athens Orthopedic Clinic had failed to conduct a comprehensive risk analysis, had not implemented security procedures to reduce risks to ePHI to a reasonable and appropriate level, had failed to implement appropriate hardware, software, and procedures for recording and analyzing information system activity, and did not implement HIPAA policies until August 2016.

OCR also found the clinic had not entered into business associate agreements with three vendors and did not provide HIPAA Privacy Rule training to the entire workforce until January 15, 2018.

Athens Orthopedic Clinic agreed to settle the case, paid a $1.5 million penalty, and adopted a corrective action plan to address all areas of noncompliance.

Lifespan Health System Affiliated Covered Entity

Lifespan Health System Affiliated Covered Entity is a Rhode Island not-for-profit health system with many healthcare provider affiliates in the state. In February 2017, an unencrypted laptop computer was stolen from an employee’s vehicle. The laptop contained the ePHI of 20,431 patients.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan had conducted a risk analysis and determined encryption was required for its mobile devices due to the high risk of data exposure but failed to implement encryption on mobile devices. The movement of the devices in and out of its facilities was not tracked and there was no comprehensive inventory of mobile devices. OCR also found that there was no business associate agreement between Lifespan Corporation and Lifespan ACE.

Lifespan ACE agreed to settle the case, paid a $1,040,000 penalty, and adopted a corrective action plan to address all areas of noncompliance.

Aetna

Aetna Life Insurance Company and its affiliated covered entity (Aetna) were investigated by OCR after reporting three data breaches in 2017. The first breach involved the exposure of the protected health information of 5,002 plan members over the Internet, and the other two breaches involved mailings in which sensitive PHI could be viewed through the windows of the envelopes. In the first mailing to 11,887 individuals the words ‘HIV medication’ could be viewed through the windows of the envelopes. In the second mailing to 1,600 individuals, the name and logo of an atrial fibrillation study could be viewed.

OCR determined Aetna had not performed periodic technical and non-technical evaluations of operational changes affecting the security of their ePHI, procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosures, and there was a lack of appropriate administrative, technical, and physical safeguards to ensure the privacy of ePHI.

Aetna agreed to settle the case, paid a $1 million penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Other penalties related to be breach include a $1.15 million settlement with the New York Attorney General, a $935,000 settlement with the California Attorney General, and similar settlements with Connecticut ($99,959), the District of Columbia ($175,000), and New Jersey ($365,211.59). A class action lawsuit filed on behalf of victims of the breach was settled for $17.2 million.

City of New Haven, CT

In January 2017, the City of New Haven in Connecticut reported a data breach of the ePHI of 498 individuals to OCR. The city had terminated an employee in 2016 during her probationary period. The former employee returned to the New Haven Health Department with her union representative after she had been terminated, used her work key to access her old office, and locked herself inside. She used her login credentials to access a work computer and copied data onto a USB drive before leaving.

In addition to failing to terminate the former employee’s access rights, OCR discovered a comprehensive risk analysis had not been performed, the city had failed to implement HIPAA Privacy Rule policies, and had not issued unique IDs to allow system activity to be tracked.

The City of New Haven settled the case, paid a $202,400 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Steven A. Porter, M.D

The medical practice of Steven A. Porter, M.D in Ogden, UT provides gastroenterological services to more than 3,000 patients. On November 13, 2013, OCR received a breach notification alleging Dr. Porter’s electronic medical record company was impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until a $50,000 bill was paid.

OCR investigated and found serious violations of the HIPAA Security Rule at the practice. At the time of the investigation, a risk analysis had never been performed and risks to the confidentiality, integrity, and availability of ePHI had not been managed and reduced to a reasonable and acceptable level. The practice had also allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without entering into a business associate agreement.

Dr. Porter settled the case, paid a $100,00 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Metropolitan Community Health Services / Agape Health Services

Metropolitan Community Health Services is a Washington, NC-based Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina.

In June 2011, Metro notified OCR about a breach of the PHI of 1,263 patients. OCR conducted a compliance review and identified longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metro had not implemented HIPAA Security Rule policies and procedures, had failed to conduct an accurate risk analysis, and had not provided security awareness training to its workforce for more than 16 years.

Metro settled the case, paid a $25,000 penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Further information on HIPAA Penalties

You can view a summary of the HIPAA violation penalties in previous years on this link.

The post 2020-2021 HIPAA Violation Cases and Penalties appeared first on HIPAA Journal.