Latest HIPAA News

Largest Healthcare Data Breaches in 2020

Posted by HIPAA Journal

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records.

The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years.

The Largest Healthcare Data Breaches in 2020

When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom to prevent the exposure of client data. Blackbaud received assurances that the stolen data was permanently deleted and not been further disclosed.

The total victim count from the Blackbaud ransomware attack may never be known, but more than 6 dozen healthcare providers have reported being affected to date and over 8 million healthcare records have potentially been compromised. That breach clearly tops the list of the largest healthcare data breaches in 2020 and ranks as one of the largest healthcare data breaches of all time.

2020’s Largest Healthcare Data Breaches

The individual entities that reported data breaches in 2020 involving more than 300,000 healthcare records are listed below. In some cases, the actual data breach occurred prior to 2020, but was only discovered and reported in 2020.

Trinity Health – 3,320,726 Individuals

At more than 3.3 million records, Trinity Health was the worst affected healthcare victim of the ransomware attack on Blackbaud Inc. The hackers potentially obtained the philanthropy database of the Livonia, Michigan-based Catholic health system, which contained patient and donor information from 2000 to 2020.

MEDNAX Services, Inc. – 1,290,670 Individuals

Sunrise, FL-based MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, suffered a breach of its Office 365 environment in June 2020 after employees responded to phishing emails. The breach was extensive, involving patient and guarantor information such as Social Security numbers, driver’s license numbers, and health insurance and financial information.

Inova Health System – 1,045,270 Individuals

Virginia-based Inova Health System was also a victim of the Blackbaud ransomware attack. The hackers gained access to Blackbaud’s systems on February 7, 2020 and the breach continued until May 20, 2020. Ransomware was deployed on May 14, 2020. Inova’s fundraising database was potentially compromised which contained patient and donor information.

Magellan Health Inc. 1,013,956 Individuals

Arizona-based Magellan Health was the victim of an April 2020 ransomware attack in which the protected health information of patients was potentially compromised. The attack ended with the deployment of ransomware but started with a spear phishing email. Several of its affiliated entities were also affected by the breach.

Dental Care Alliance – 1,004,304 Individuals

Sarasota, FL-based Dental Care Alliance, LLC, a dental support organization with more than 320 affiliated dental practices across 20 states, reported a breach of its systems in December. Few details have been released about the nature of the hacking incident as the investigation is still ongoing. The breach affected many of its affiliated dental practices.

Luxottica of America Inc. – 829,454 Individuals

Luxottica of America Inc., an operator of vision care facilities across the United States and owner of the eyewear brands Ray-Ban, Oakley, and Persol, experienced a cyberattack in August 2020 which saw hackers gain access to its web-based appointment scheduling system which contained the PHI of patients of its eye care partners.

Northern Light Health – 657,392 Individuals

The Maine health system Northern Light Health was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

Health Share of Oregon – 654,362 Individuals

In May 2020, the Medicaid coordinated care organization Health Share of Oregon reported the theft of a laptop computer from its non-emergent medical transportation vendor. The laptop was stolen in November 2019 and was not encrypted, which potentially gave the thief access to patents’ contact information, Health Share ID numbers, and Social Security numbers.

Florida Orthopaedic Institute – 640,000 Individuals

Florida Orthopaedic Institute suffered a ransomware attack in April which saw patient information on its servers encrypted. Prior to the use of ransomware, patient data may have been viewed or obtained by the hackers.

Elkhart Emergency Physicians – 550,000 Individuals

Elkhart Emergency Physicians reported a breach in May 2020 involving the improper disposal of patient records by a third-party storage vendor – Central Files Inc. Elkhart Emergency Physicians was the worst affected entity, but several other clients of the vendor were also impacted by the breach. The records had been dumped without being shredded after the storage facility permanently closed.

Aetna ACE – 484,157 Individuals

Aetna reported a data breach in December which occurred at business associate EyeMed, which provides vision benefit services for its members. The breach occurred when an EyeMed employee responded to a phishing email, which allowed the attacker to gain access to email accounts containing PHI. Several EyeMed clients were affected by the breach.

Saint Luke’s Foundation – 360,212 Individuals

Kansas City, MO-based Saint Luke’s Foundation was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

NorthShore University Health System – 348,746 Individuals

Evanston, IL-based NorthShore University Health System was also affected by the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database.

SCL Health Colorado – 343,493 Individuals

SCL Health Colorado was also a victim of the Blackbaud ransomware attack. The PHI of patients in its Colorado, Montana and Kansas locations was potentially accessed by the attackers.

AdventHealth – 315,811 Individuals

The Altamonte Springs, FL-based healthcare system AdventHealth was also a victim of the Blackbaud ransomware attack which saw the hackers gain access to its fundraising database.

Nuvance Health – 314,829 Individuals

Nuvance Health was a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database between February and May.

Magellan Rx Management – 314,704 Individuals

Magellan Rx Management was one of the victims of the ransomware attack on its parent company, Magellan Health, in April. The hackers potentially stole patient data prior to encrypting files.

The Baton Rouge Clinic – 308,169 Individuals

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July involving ransomware. The attackers potentially viewed or obtained patient data prior to the deployment of ransomware.

The post Largest Healthcare Data Breaches in 2020 appeared first on HIPAA Journal.

CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool

Posted by HIPAA Journal

The DHS’ Cybersecurity and infrastructure Security Agency has launched a website providing resources related to the ongoing cyber activities of the advanced persistent threat (APT) group responsible for compromising the SolarWinds Orion software supply chain.

The threat actors behind the attack gained access to the networks of federal, state, and local governments, critical infrastructure entities, and private sector organizations around the world. In addition to compromising the software update mechanism of SolarWinds Orion, the hackers also exploited vulnerabilities in commonly used authentication mechanisms to gain persistent access to networks.

According to Microsoft, the main goal of the attackers appears to be to gain persistent local access to networks by delivering the Sunburst/Solarigate backdoor, then pivot to victims’ cloud assets. Recently it has become clear that more than one threat group is conducting cyber espionage after the discovery of a different malware variant that was introduced through the SolarWinds Orion software update feature. Microsoft and Palo Alto Networks believe the second malware variant, named Supernova, is not associated with the group that deployed the Sunburst/Solarigate backdoor.

Several resources have already been published to help organizations assess the risk associated with the cyber activity and detect and mitigate potential breaches and eliminate the threat actors from their networks. The new website pools the resources and provides easy access to pertinent information on this global incident. The website will be regularly updated as new information becomes available as the investigations into the cyber activity continue.

The APT actor has compromised the networks of a large number of entities and is selectively choosing targets of interest for further network exploitation, but any organization that has installed the compromised software updates is at risk if corrective action is not taken.

It is important for all organizations that use SolarWinds Orion to take action to investigate for signs of compromise. As CISA explained in its latest alert, “If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk.” CISA also points out that even if entities have not installed the compromised SolarWinds Orion update, that does not necessary mean they will not be affected. Their managed service providers and partners may have been compromised, which could give the APT actor access to their networks.

The website includes a link to a free tool that has been released by CISA for detecting unusual and potentially malicious activity in Azure/Microsoft Office 365 environments. The new tool provides a narrowly focused view of activity related to the identity- and authentication-based attacks that have been observed across a wide range of sectors following the deployment of the Sunburst/Solarigate backdoor.

The tool – named Sparrow – can be used to narrow down large data sets of investigation modules and telemetry to provide information specific to the attacks on federated identity sources and applications.

The post CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool appeared first on HIPAA Journal.

OCR Announces its 19th HIPAA Penalty of 2020

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled a HIPAA Right of Access compliance case with Peter Wrobel, M.D., P.C., doing business as Elite Primary Care.

Elite Primary Care is a provider of primary health services in Georgia. OCR launched a compliance investigation following receipt of a compliant from an Elite Primary Care patient on April 22, 2019 who alleged he had been denied access to his health records. OCR contacted the practice and provided technical assistance on the HIPAA Right of Access on May 2, 2019. OCR advised the practice to review the facts of the request and provide access to the requested records if the request met the requirements of the HIPAA Privacy Rule.

The patient subsequently submitted a request for access in writing which was received by the practice on June 5, 2019. The patient filed a second complaint with OCR on October 9, 2019, as the practice continued to deny him access to his requested records.

Elite Primary Care sent the patient’s medical records to his new healthcare provider on November 21, 2019 and provided the patient with a copy of those records on May 8, 2020.

OCR concluded the delay in providing the patient with a copy of his requested records was in violation of the HIPAA Right of Access (45 C.F.R. § 164.524).

Under the terms of the settlement, Elite Primary Care will pay a financial penalty of $36,000 and adopt a corrective action plan that includes developing, implementing, maintaining, and revising, as necessary, written policies and procedures related to the HIPAA Right of Access provision of the HIPAA Privacy Rule. Once those policies and procedures have been checked by OCR, training will be provided to relevant members of its workforce.

The settlement was agreed with no admission of liability. OCR will monitor Elite Primary Care for 2 years to ensure continued compliance.

This is the thirteenth settlement to be announced by OCR under its HIPAA Right of Access enforcement initiative and the nineteenth HIPAA financial penalty to be announced in 2020.

“OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records.  Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee,” said OCR Director Roger Severino.

The post OCR Announces its 19th HIPAA Penalty of 2020 appeared first on HIPAA Journal.

November 2020 Healthcare Data Breach Report

Posted by HIPAA Journal

For the second successive month, the number of reported healthcare data breaches has fallen; however, it should be noted that the number of breaches reported in October 2020 was almost three times the average monthly number due, in a large part, to the ransomware attack on the cloud service provider Blackbaud.

November saw 47 data breaches of 500 or more healthcare records reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and business associates, 25.39% fewer than October. Even with that reduction, breaches are still well above the 12-month average of 41 data breaches a month (Median = 38 breaches).

 

The number of healthcare records exposed in healthcare data breaches similarly fell for the second successive month. In November, 1,139,151 healthcare records were exposed or impermissibly disclosed, a 54.73% fall from October. The average number of monthly breached healthcare records over the past 12 months is 1,885,959 records and the median is 1,101,902 records.

Exposed healthcare records past 12 months

Largest Healthcare Data Breaches Reported in November 2020

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause
AspenPointe, Inc. CO Healthcare Provider 295,617 Hacking/IT Incident Ransomware attack
Lawrence General Hospital MA Healthcare Provider 176,587 Hacking/IT Incident Unspecified data security incident
Alamance Skin Center NC Healthcare Provider 100,000 Loss Ransomware attack
Mercy Iowa City IA Healthcare Provider 92,795 Hacking/IT Incident Phishing
Bayhealth Medical Center, Inc. DE Healthcare Provider 78,006 Hacking/IT Incident Blackbaud ransomware attack
Tufts Health Plan MA Health Plan 60,545 Hacking/IT Incident Phishing attack on vendor
Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care FL Healthcare Provider 58,823 Unauthorized Access/Disclosure Ransomware attack
Methodist Hospital of Southern California CA Healthcare Provider 39,881 Hacking/IT Incident Blackbaud ransomware attack
One Touch Point WI Business Associate 28,658 Unauthorized Access/Disclosure unknown
People Incorporated MN Healthcare Provider 27,500 Hacking/IT Incident phishing
Chesapeake Regional Healthcare VA Healthcare Provider 24,000 Hacking/IT Incident Blackbaud ransomware attack
Seeley Enterprises Company OH Healthcare Provider 16,196 Hacking/IT Incident Ransomware attack
Golden Gate Regional Center CA Business Associate 11,315 Hacking/IT Incident Ransomware attack
Galstan & Ward Family and Cosmetic Dentistry VA Healthcare Provider 10,759 Hacking/IT Incident Ransomware attack
Kaiser Foundation Health Plan of Georgia, Inc. GA Health Plan 10,205 Unauthorized Access/Disclosure Unknown

Causes of November 2020 Healthcare Data Breaches

Hacking/IT incidents continue to dominate the breach reports, both in terms of the number of breaches and the number of breached records. There were 23 hacking/IT incidents reported in November – 48.94% of all breaches reported in the month. 867,983 records were exposed or stolen in those breaches – 76.2% of all records breached in November. The average breach size was 37,738 records and the median breach size was 8,000 records.

There were 19 data breaches classed as unauthorized access/disclosure incidents – 40.43% of the month’s data breaches. 166,115 healthcare records were improperly accessed or impermissibly disclosed in those incidents – 14.58% of the breached records in November. The average breach size was 8,723 records and the median breach size was 3,557 records.

There were 4 loss/theft incidents (2/2) reported in November involving 103,053 records – 8.51% of the month’s breaches and 103,053 healthcare records were exposed or stolen in those incidents – 9.05% of records breached in November. The average breach size was 25,763 records and the median breach size was 1,265 records. There was one incident involving the improper disposal of paperwork that contained the PHI of an estimated 2,000 individuals.

 

The chart below shows the location of breached protected health information. Up until September 2020, email was the most common location of breached patient data, with the majority of those breaches the result of phishing attacks. That changed in September due to the ransomware attack on Blackbaud. Entities impacted by that data breach continue to submit breach reports, albeit at a low level, with network server incidents remaining high due to the healthcare industry continuing to be targeted by ransomware gangs. Phishing attacks continue to be a problem in healthcare, with 13 large data breaches reported involving PHI stored in email accounts.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in November. 34 healthcare providers reported data breaches and 6 data breaches were reported by health plans.

7 data breaches were reported by business associates of HIPAA covered entities; however, 16 breaches in total had some business associate involvement, with 9 of those breaches reported by the covered entity.

Healthcare Data Breaches by State

The November data breaches were reported by HIPAA-covered entities and business associates in 23 states and the District of Columbia. Ohio was the worst affected state with 5 breaches reported, followed by Georgia and Maine with 4, and California, Florida, and Texas with 3 breaches.

Two healthcare data breaches of 500 or more records were reported by entities based in Arkansas, Delaware, Illinois, Kentucky, Maryland, Michigan, and Virginia. One breach was reported in each of Alabama, Colorado, Iowa, Idaho, Louisiana, Minnesota, North Carolina, New Mexico, Pennsylvania, Wisconsin, and the District of Columbia.

HIPAA Enforcement Activity in November 2020

There were three HIPAA enforcement actions announced by the HHS’ Office for Civil Rights in November, all of which were part of its HIPAA Right of Access enforcement initiative. OCR announced the new enforcement initiative in 2019 to crack down on healthcare providers that fail to provide patients with timely access to their health records for a reasonable cost-based fee.

In all three cases, the healthcare providers did not provide a copy of the requested records within the 30-day time frame demanded by the HIPAA Privacy Rule.

University of Cincinnati Medical Center settled with OCR and paid a $65,000 penalty, Riverside Psychiatric Medical Group paid a $25,000 penalty, and Dr. Rajendra Bhayani paid a $15,000 penalty. Under this enforcement initiative, OCR has imposed 12 financial penalties on covered entities, 10 of which have been in 2020.

The post November 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem.

PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location.

PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for cybersecurity risks to be introduced that could easily compromise the confidentiality, integrity, and availability of the PACS ecosystem, protected health information (PHI), and any systems to which PACS connects.

In September 2019, a ProPublica report found 187 unprotected servers that were used to store and retrieve medical images. Those servers stored the medical images and associated PHI of more than 5 million patients in the United States. In some cases, the images could be accessed using a standard web browser and viewed using free-to-download software.

This year, the analyst team at CyberAngel scanned approximately 4.3 billion IP addresses worldwide and found 2,140 unprotected servers across 67 countries. Those servers were found to contain more than 45 million medical images. The images had up to 200 lines of metadata that included personally identifiable information and protected health information. According to the CyberAngel “Full Body Exposure” report, those images could be accessed via the Internet with a standard web browser. In some instances, login portals were present, but accepted blank username and password fields.

NIST released draft guidance on securing the PACS ecosystem shortly after the ProPublica report was published to help healthcare delivery organizations identify cybersecurity risks associated with PACS and implement stronger security controls while minimizing the impact and availability to PACS and other components.

The final version of the guidance includes a comprehensive set of cybersecurity standards and best practices to adopt to improve the security of the PACS ecosystem, with the guidance covering asset management, access control, user identification and authentication, data security, security continuous monitoring, and response planning, recovery, and restoration.

“The final practice guide, which in addition to incorporating feedback from the public and other stakeholders, builds on the draft guide by adding remote storage capabilities into the PACS architecture. This effort offers a more comprehensive security solution that more closely mirrors real-world HDO networking environments,” explained NIST.

This practice guide can be used by HIPAA covered entities and their business associates to implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of PACS

NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector is available on this link.

The guidance was developed by NIST/NCCoE in collaboration with Cisco, Clearwater Compliance, DigiCert, Forescout, Hyland, Microsoft, Philips, Symantec, TDI Technologies, Tempered Networks, Tripwire, Virtua Labs, and Zingbox.

The post NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem appeared first on HIPAA Journal.

OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has published new guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules covering disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

An HIE is an organization that enables the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare providers, health plans, and their business associates. HIEs’ share ePHI for treatment, payment, or healthcare operations, for public health reporting to PHAs, and for providing other functions and services such as patient record location and data aggregation and analysis.

HIPAA supports the use of HIEs and the sharing of health data to improve public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule permits HIPAA-covered entities and their business associates to disclose protected health information to an HIE for reporting to a PHA that is engaged in public health, without requiring prior individual authorization.

Such disclosures are permitted under the following circumstances:

  • When disclosures are required by federal, state, local, or other laws that are enforceable in court
  • When the HIE is acting under a grant of authority or contract with a PHA for a public health activity
  • When the HIE is a business associate of the covered entity or another business associate, and wishes to provide ePHI to a PHA for public health purposes*

*The HIPAA Privacy Rule only permits an HIE which is a business associate of the covered entity or another business associate to disclose ePHI to a PHA for public health purposes if it is expressly stated that they can do so in the business associate agreement (BAA) with the covered entity. However, earlier this year in response to the COVID-19 public health emergency, OCR issued a notice of enforcement discretion stating no action will be taken against a business associate for good faith disclosures of ePHI to a PHA for public health purposes if they are not expressly permitted to disclose ePHI to a PHA in their BAA. In such cases, the business associate must inform the covered entity within 10 calendar days of the disclosure. The notice of enforcement discretion is only valid for the duration of the COVID-19 public health emergency. When the Secretary of the HHS declares the COVID-19 public health emergency over, such disclosures will no longer be permitted unless expressly permitted in the BAA.

Disclosures of ePHI by an HIE to a PHA should be limited to the minimum necessary information to achieve the purpose for the disclosure. A covered entity can rely on a PHA’s request to disclose a summary record to the PHA or HIE as being the minimum necessary PHI to achieve the public health purpose of the disclosure.

A covered entity is permitted by the HIPAA Privacy Rule to disclose ePHI to a PHA through an HIE, even if a direct request for the PHI is not received from the PHA, provided the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA.

While the above disclosures of ePHI for public health purposes do not require authorizations to be obtained from the individuals whose PHI is being disclosed, those individuals must be notified about such disclosures. That can be achieved by stating disclosures of ePHI will occur for public health purposes in the organization’s Notice of Privacy Practices.

You can view the OCR guidance, which includes several examples related to COVID-19, on the HHS website, which can be accessed on this link (PDF).

The post OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA appeared first on HIPAA Journal.

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their individual audits.

The 2016-2017 HIPAA Audits Industry Report details the overall findings of the audits, including key aspects of HIPAA compliance that are proving problematic for covered entities and business associates.

In the report, OCR gives each audited entity a rating based on their level of compliance with each specific provision of the HIPAA Rules under assessment. A rating of 1 indicates the covered entity or business associate was fully compliant with the goals and objectives of the selected standards and implementation specifications. A rating of 2 means the entity substantially met the criteria and maintained adequate policies and procedures and could supply documentation or other evidence of compliance.

A rating of 3 means the entity minimally addressed the audited requirements and had made some attempt to comply, although had failed to comply fully or had misunderstood the HIPAA requirements. A rating of 4 means the entity made negligible efforts to comply, such as supplying policies and procedures for review that were copied directly from an association template or providing poor or generic documentation as evidence of training.  A rating of 5 means OCR was not provided with evidence of a serious attempt to comply with the HIPAA Rules.

The table below summarizes the audit results on key provisions of the HIPAA Rules. The blue and red figures indicate the most common rating in each category, with blue corresponding to mostly ratings of 1 or 2 (compliant) and red indicating implementation was inadequate, negligible, or absent.

The table clearly shows that most audited entities largely failed to successfully implement the HIPAA Rules requirements.

OCR 2016-2017 HIPAA Audits Industry ReportMost covered entities complied with the requirement of the Breach Notification Rule to send timely notifications in the event of a data breach. HIPAA requires those notifications to be sent within 60 days of the discovery of a data breach; however, most covered entities failed to include all the required information in their breach notifications.The audits revealed widespread compliance with the requirement to create and prominently post a Notice of Privacy Practices on their website. The Notice of Privacy Practices gives a clear, user friendly explanation of individuals’ rights with respect to their personal health information and details the organization’s privacy practices. However, most audited entities failed to include all the required content in their Notice of Privacy Practices.

The individual right of access is an important provision of the HIPAA Privacy Rule. Individuals have the right to obtain and inspect their health information. Most covered entities failed to properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of the PHI held within 30 days of receiving a request and only charging a reasonable cost-based fee for access.

The first phase of HIPAA compliance audits conducted by OCR in 2012 revealed widespread noncompliance with the requirement to conduct a comprehensive, organization-wide risk analysis to identify vulnerabilities and risks to the confidentiality, integrity, and availability of protected health information. In its enforcement activities over the past 11 years, a risk analysis failure is the most commonly cited HIPAA violation.

HIPAA covered entities are still failing in this important provision of the HIPAA Security Rule, with the latest round of audits revealing most audited entities failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

You can view the full 2016-2017 HIPAA Audits Industry Report on this link: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf.

The post OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules appeared first on HIPAA Journal.

FTC Settles 2019 Consumer Data Breach Case with SkyMed

Posted by HIPAA Journal

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information.

SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted.

The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused.

It its breach notification, SkyMed explained, “Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system. At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers. There was no medical or payment-related information visible and no indication that the information has been misused.”

The FTC investigated the breach and conducted an audit to determine whether there had been a breach of the FTC Act. The FTC found multiple security and breach response failures. The FTC alleged SkyMed had not investigated whether the database had been accessed by unauthorized individuals during the time protections were not in place, and that the company failed to adequately review the database to determine what information it contained. SkyMed was therefore unable to determine whether any health information had potentially been compromised. When SkyMed confirmed that the database had been exposed, the company deleted the database to prevent any unauthorized access. SkyMed also failed to identify the individuals affected by the breach.

The FTC said every page of the SkyMed website displayed a “HIPAA Compliance” seal, which gave the impression that SkyMed’s privacy and security policies were in compliance with the standards demanded by the Health Insurance Portability and Accountability Act, yet the company had not undergone a third-party audit of its information security practices and no government agency had reviewed the HIPAA compliance claims. The FTC alleged SkyMed had deceived customers for more than 5 years by displaying the HIPAA Compliance seal on its company website.

“People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure,” Andrew Smith, director of the FTC Bureau of Consumer Protection. The company’s security practices did not meet the required standards and those expected by its customers.

The FTC said “reasonable measures” to secure the personal information of individuals who signed up for its emergency services had not been implemented. SkyMed had not used any data loss prevention tools, there was a lack of access controls, and a failure to implement authentication for its networks. When a security breach occurred and a database containing personal information was exposed, SkyMed failed to detect the exposed database for 5 months, and only then because it was found by a security researcher.

The nature of the information exposed “has caused or is likely to cause substantial injury to customers,” explained the FTC. “[SkyMed] could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures.”

The FTC alleged SkyMed had engaged in unfair and/or deceptive acts or practices under Section 5 of the FTC Act, which included two counts of deception about HIPAA compliance and its breach response. SkyMed was also determined to have engaged in unfair information security practices.

Under the terms of the settlement, SkyMed is prohibited from misrepresenting its data security practices, data breach response, and how the company protects the privacy, security, integrity, and confidentiality of the personal information, and participation in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard setting organization.

SkyMed must send breach notifications to all impacted consumers and provide information about any information that has potentially been exposed. An information security program must be implemented, which must be coordinated by a designated, qualified employee. The program must include an organization-wide risk assessment to identify potential internal and external risks, and safeguards must be implemented to ensure those risks are mitigated and personal information is protected.

Logs of database access must be created and monitored, and data encryption must be implemented for sensitive data such as financial account information, passport numbers, and health information.  Access controls are required for all data repositories containing personal data and restrictions must be put in place to limit access to sensitive data. SkyMed is also required to certify annually that it is in compliance with the requirements detailed in the FTC settlement.

The post FTC Settles 2019 Consumer Data Breach Case with SkyMed appeared first on HIPAA Journal.

House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices When Making Regulatory Determinations

Posted by HIPAA Journal

A new bill (HR 7988) has been passed by the House Energy and Commerce Committee which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been adopted by HIPAA-covered entities and business associates when making certain determinations, such as financial penalties following security breaches or for other regulatory purposes.

The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have met cybersecurity practices through reduced financial penalties and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated recognized security practices have been in place for no less than 12 months, which may mitigate financial penalties, result in an early, favorable termination of an audit, or mitigate other remedies which may otherwise have been agreed with respect to resolving potential HIPAA Security Rule violations.

The bill defines ‘Recognized Security Practices’ as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

The bill also confirms that its aim is to reduce potential sanctions, penalties, and the length of audits when cybersecurity best practices are followed, and not to give the HHS the authority to increase audit lengths, fines, and penalties when an entity is discovered not to be in compliance with recognized security standards.

The bill easily passed the house vote and is expected to pass the Senate vote next week. The bill has received considerable support from many health IT industry stakeholder groups, including HITRUST. HITRUST believes the legislation will help to improve the cybersecurity posture of the healthcare industry, will encourage healthcare organizations to take a more proactive approach to HIPAA compliance, and will ensure entities that have achieved HITRUST Cybersecurity Standard Framework (CSF) Certification are recognized for their proactive approach to protecting healthcare data.

The bill also has the backing of the Healthcare and Public Health Sector Coordinating Council (HSCC), which believes the legislation will act as a positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and patient safety.

The post House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices When Making Regulatory Determinations appeared first on HIPAA Journal.