Latest HIPAA News

Aetna Slapped with $1 Million HIPAA Fine for Three Data Breaches

Posted by HIPAA Journal

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017.

The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials.

The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service.

The second two HIPAA breaches involved the exposure and impermissible disclosure of highly sensitive information in two mailings to plan members. In both mailings, window envelopes had been used which allowed PHI to be viewed without opening the envelopes.

The first mailing in July 2017 saw benefit notices sent to 11,887 individuals who were receiving HIV medication, either for treatment or prophylaxis. The words “HIV medication” could be seen through the windows of the envelope, along with the name and address of each individual.

The second mailing, sent in September 2017, concerned a research study on individuals with an irregular heart rhythm. Through the windows of the envelope the name and logo of the atrial fibrillation research study were clearly visible along with the name and address of the recipient. The mailing was sent to 1,600 individuals.

These three incidents resulted in the impermissible disclosure of the PHI of 18,489 individuals and during the course of the investigation OCR investigators uncovered several other violations of the HIPAA Rules.

  • Aetna had not performed periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI), in violation of 45 C.F.R. § 164.308(a)(8);
  • Procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, in violation of 45 C.F.R. § 164.312(d);
  • Disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosure, in violation of 45 C.F.R. § 164.514(d); and
  • There was a lack of appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in violation of 45 C.F.R. § 164.530(c).

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.

In addition to the financial penalty, Aetna has agreed to adopt a corrective action plan to address all areas of HIPAA noncompliance discovered by OCR. OCR will be monitoring Aetna closely for noncompliance with the HIPAA Rules for 2 years.

Settlements totaling $2,725,170 were agreed in 2018 to resolve HIPAA violation cases brought by state attorneys general in California ($935,000), Connecticut ($99,959), New Jersey ($365,211.59), New York ($1,150,000) and the District of Columbia ($175,000) over these data breaches. In 2018, Aetna also settled a class action lawsuit filed on behalf of victims of the HIV medication mailing incident for $17 million.

This year has already seen more penalties imposed on covered entities and business associates than any other year since OCR was given the authority to impose fines for HIPAA violations. There have been 14 settlements announced this year totaling $13,211,500.

The post Aetna Slapped with $1 Million HIPAA Fine for Three Data Breaches appeared first on HIPAA Journal.

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

Posted by HIPAA Journal

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020.

Sept 2020 healthcare data breach report monthly breaches

Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records.

Sept 2020 healthcare data breach report monthly breached records

Causes of September 2020 Healthcare Data Breaches

The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers.

Blackbaud was able to contain the breach; however, prior to the deployment of the ransomware, the attackers exfiltrated some customer data. The breach was initially thought to only include limited data about donors and prospective donors, but further investigations revealed Social Security numbers and financial information were also exfiltrated by the hackers.

Blackbaud negotiated a ransom payment and paid to prevent the publication or sale of the stolen data. Blackbaud has reported it has received assurances that all stolen data were deleted. Blackbaud has engaged a company to monitor dark web sites but no data appears to have been offered for sale.

Blackbaud announced the ransomware attack in July 2020 and notified all affected customers. HIPAA-covered entities affected by the breach started to report the data breach in August, with most reporting in September.

It is currently unclear exactly how many U.S. healthcare organizations were affected by the breach and the final total may never be known. Databreaches.net has been tracking the Blackbaud breach reports and, at last count, at least 80 healthcare organizations are known to have been affected. The records of more than 10 million patients are thought to have been compromised as a result of the ransomware attack.

Sept 2020 healthcare data breach report causes of breaches

Unsurprisingly, given the numbers of healthcare providers affected by the Blackbaud breach, hacking/IT incidents dominated the breach reports. 83 breaches were attributed to hacking/IT incidents and 9,662,820 records were exposed in those breaches – 99.50% of all records reported as breached in September.  The mean breach size was 116,420 records and the median breach size was 27,410 records.

There were 7 unauthorized access/disclosure incidents reported in September involving a total of 34,995 records. The mean breach size was 4,942 records and the median breach size was 1,818 records. There were 4 loss/theft incidents reported involving 12,029 records, with a mean breach size of 3,007 records and a median size of 2,978 records. There was 1 improper disposal incident reported involving 1,076 records.

Most of the compromised records were stored on network servers, although there were a sizable number of breaches involving PHI stored in email accounts.

Sept 2020 healthcare data breach report - location of PHI

Largest Healthcare Data Breaches Reported in September 2020

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause
Trinity Health Business Associate 3,320,726 Hacking/IT Incident Blackbaud Ransomware Attack
Inova Health System Healthcare Provider 1,045,270 Hacking/IT Incident Blackbaud Ransomware Attack
NorthShore University HealthSystem Healthcare Provider 348,746 Hacking/IT Incident Blackbaud Ransomware Attack
SCL Health – Colorado (affiliated covered entity) Healthcare Provider 343,493 Hacking/IT Incident Blackbaud Ransomware Attack
Nuvance Health (on behalf of its covered entities) Healthcare Provider 314,829 Hacking/IT Incident Blackbaud Ransomware Attack
The  Baton Rouge Clinic, A Medical Corporation Healthcare Provider 308,169 Hacking/IT Incident Ransomware Attack
Virginia Mason Medical Center Healthcare Provider 244,761 Hacking/IT Incident Blackbaud Ransomware Attack
University of Tennessee Medical Center Healthcare Provider 234,954 Hacking/IT Incident Blackbaud Ransomware Attack
Legacy Community Health Services, Inc. Healthcare Provider 228,009 Hacking/IT Incident Phishing Attack
Allina Health Healthcare Provider 199,389 Hacking/IT Incident Blackbaud Ransomware Attack
University of Missouri Health Care Healthcare Provider 189,736 Hacking/IT Incident Phishing Attack
The Christ Hospital Health Network Healthcare Provider 183,265 Hacking/IT Incident Blackbaud Ransomware Attack
Stony Brook University Hospital Healthcare Provider 175,803 Hacking/IT Incident Blackbaud Ransomware Attack
Atrium Health Healthcare Provider 165,000 Hacking/IT Incident Blackbaud Ransomware Attack
University of Kentucky HealthCare Healthcare Provider 163,774 Hacking/IT Incident Blackbaud Ransomware Attack
Children’s Minnesota Healthcare Provider 160,268 Hacking/IT Incident Blackbaud Ransomware Attack
Roswell Park Comprehensive Cancer Center Healthcare Provider 141,669 Hacking/IT Incident Blackbaud Ransomware Attack
Piedmont Healthcare, Inc. Healthcare Provider 111,588 Hacking/IT Incident Blackbaud Ransomware Attack
SCL Health – Montana (affiliated covered entity) Healthcare Provider 93,642 Hacking/IT Incident Blackbaud Ransomware Attack
Roper St. Francis Healthcare Healthcare Provider 92,963 Hacking/IT Incident Blackbaud Ransomware Attack

September 2020 Data Breaches by Covered Entity Type

88 healthcare providers reported data breaches of 500 or more records in September and 2 breaches were reported by health plans. 5 breaches were reported by business associates of HIPAA-covered entities, but a further 53 breaches involved a business associate, with the breach reported by the covered entity. Virtually all of those 53 breaches were due to the ransomware attack on Blackbaud.

Sept 2020 healthcare data breach report - covered entity type

September 2020 Data Breaches by State

Covered entities and business associates in 30 states and the district of Columbia reported data breaches of 500 or more records in September.

New York was the worst affected state with 10 breaches, 6 breaches were reported in each of California, Minnesota, and Pennsylvania, 5 in each of Colorado, South Carolina, and Texas, 4 in Florida, Georgia, Massachusetts, Ohio, and Virginia, 3 in each of Iowa, Kentucky, Louisiana, and Michigan, and 2 in each of Connecticut, Maryland, North Carolina, Tennessee, and Wisconsin.

One breach was reported in each of Alabama, Delaware, Illinois, Indiana, Missouri, New Hampshire, New Jersey, Oklahoma, Washington, and the District of Columbia.

HIPAA Enforcement Activity in September 2020

Prior to September, the HHS’ Office for Civil Rights had only imposed three financial penalties on covered entities and business associates to resolve HIPAA violations, but there was a flurry of announcements about HIPAA settlements in September with 8 financial penalties announced.

The largest settlement was agreed with Premera Blue Cross to resolve HIPAA violations discovered during the investigation of its 2014 data breach that affected 10.4 million of its members. OCR found compliance issues related to risk analyses, risk management, and hardware and software controls. Premera agreed to pay a financial penalty of $6,850,000 to resolve the case. This was the second largest HIPAA fine ever imposed on a covered entity.

CHSPSC LLC, a business associate of Community Health Systems, agreed to pay OCR $2,300,000 to resolve its HIPAA violation case which stemmed from a breach of the PHI of 6 million individuals in 2014. OCR found compliance issues related to risk analyses, information system activity reviews, security incident procedures, and access controls.

Athens Orthopedic Clinic PA agreed to pay a $1,500,000 penalty to resolve its case with OCR which stemmed from the hacking of its systems by TheDarkOverlord hacking group. The PHI of 208,557 patients was compromised in the attack. OCR’s investigation uncovered compliance issues related to risk analyses, risk management, audit controls, HIPAA policies and procedures, business associate agreements, and HIPAA Privacy Rule training for the workforce.

Five of the September settlements resulted from OCR’s HIPAA Right of Access enforcement initiative and were due to the failure to provide patients with timely access to their medical records.

Entity Settlement
Beth Israel Lahey Health Behavioral Services $70,000
Housing Works, Inc. $38,000
All Inclusive Medical Services, Inc. $15,000
Wise Psychiatry, PC $10,000
King MD $3,500

 

There was one settlement to resolve a multistate investigation by state attorneys general, with Anthem Inc. agreeing to pay a financial penalty of $48.2 million to resolve multiple violations of HIPAA and state laws in relation to its 78.8 million record data breach in 2015, which is on top of the $16 million financial penalty imposed by OCR in October 2018.

The post September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised appeared first on HIPAA Journal.

6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks

Posted by HIPAA Journal

The U.S. Department of Justice has announced 6 Russian hackers have been indicted for their role in the 2017 NotPetya malware attacks and a long list of offensive cyber campaigns on multiple targets in the United States and other countries.

The six individuals are suspected members of the GRU: Russia’s Main Intelligence Directorate, specifically GRU Unit 74455, which is also known as Sandworm. The Sandworm unit is believed to be behind a long list of offensive cyber campaigns spanning several years.

Sandworm is suspected of being instrumental in attempts to influence foreign elections, including the 2016 U.S. presidential election and the 2017 French Presidential election. One of the most destructive offensive campaigns involved the use of NotPetya malware in 2017. NotPetya was a wiper malware used in destructive attacks worldwide that leveraged the Microsoft Windows Server Message Block (SMBv1) vulnerability.

Several hospitals and medical clinics were affected by NotPetya and had data wiped and computer systems taken out of action. NotPetya hit the pharmaceutical giant Merck, Danish shipping firm Maersk, and FedEx subsidiary TNT Express. The attack on Merck has been estimated to have cost $1.3 billion. In total, the malware caused more than $10 billion in damages and affected more than 300 companies worldwide.

Sandworm was also behind attempts to disrupt the 2018 Winter Olympics using Olympic Destroyer malware, and the hackers attempted to disrupt the investigation of the Novichok poisonings of former Russian spy Sergei Skripal and his daughter by the Organization for the Prohibition of Chemical Weapons and the U.K.’s Defense Science and Technology Laboratory.

Sandworm was also behind destructive attacks on Ukraine’s energy grid between December 2015 and December 2016 and other government targets using KillDisk, BlackEnergy, and Industroyer malware, along with attacks on government entities and companies in Georgia in 2018.

“The crimes committed by these defendants and Unit 74455 are truly breathtaking in their scope, scale and impact,” said U.S. Attorney for the Western District of Pennsylvania, Scott Brady. “These are not acts of traditional spying against governments. Instead, these are crimes committed by Russian government officials against real victims who suffered real harm.”

The alleged Russian operatives are Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin. Each has been charged with 7 counts – one count of  conspiracy to commit computer fraud and abuse, one count of conspiracy to commit wire fraud, one count of intentional damage to a protected computer, two counts of wire fraud, and two counts of aggravated identity theft, with the indictment also alleging false registration of domain names. In total, the maximum possible sentence if found guilty on all counts is 71 years in prison. The indictment also includes details of the specific roles each defendant played in the attacks, confirmed the detailed nature of the intelligence collected on each individual by intelligence agencies, law enforcement, foreign governments, and private companies.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General for National Security John C. Demers.  “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware.  No nation will recapture greatness while behaving in this way.”

Russian has responded by denying any involvement in the cyberattacks attributed to the hackers. A spokesperson for the Russian embassy in Washington said, “Russia does not and did not have intentions to engage in any kind of destabilizing operations around the world. This does not correspond to our foreign policy, national interests or our understanding of how relations between states are built. Russia respects the sovereignty of other countries and does not interfere in their affairs.”

It is unlikely that the indicted hackers will ever face a trial, as there is no extradition treaty between Russia and the United States.

The post 6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks appeared first on HIPAA Journal.

Active Threat Warning Issued About SharePoint RCE Vulnerability

Posted by HIPAA Journal

The UK National Cyber Security Centre (NCSC) has recently issued a security alert advising organizations to patch a serious remote code execution vulnerability in Microsoft SharePoint. The DHS Cybersecurity and infrastructure Security Agency is also urging organizations to patch the flaw promptly to prevent exploitation.

The vulnerability, tracked as CVE-2020-16952, is due to the failure of SharePoint to check the source markup of an application package. If exploited, an attacker could run arbitrary code in the context of the SharePoint application pool and SharePoint server farm account, potentially with administrator privileges.

To exploit the vulnerability an attacker would need to convince a user to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint. This could be achieved in a phishing campaign using social engineering techniques.

The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10 and affects the following SharePoint releases:

  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

SharePoint Online is not affected by the vulnerability.

SharePoint vulnerabilities are attractive to hackers as SharePoint is commonly used by enterprise organizations. Previous SharePoint vulnerabilities have been extensively exploited, two of which were listed in CISA’s list of the top 10 most exploited vulnerabilities between 2016 and 2019.

Microsoft issued an out-of-band patch to correct the flaw this week. The patch needs to be applied to correct the vulnerability as there are no mitigations to prevent exploitation of the flaw. The patch changes the way SharePoint checks the source markup of application packages.

A proof of concept exploit for the vulnerability has been publicly released on GitHub by security researcher Steven Seeley, who discovered the flaw and reported it to Microsoft. The PoC could easily be weaponized so there is a high risk of exploits being developed and used in attacks on organizations. At the time of the release of the patch, Microsoft was unaware of any cases of exploitation of the flaw in the wild.

According to NCSC, “This PoC can be detected by identifying HTTP headers containing the string runat=’server’ – as well as auditing SharePoint page creations.”

Rapid7 researchers have warned that the vulnerability has a very high value to hackers due to the ease at which the vulnerability can be exploited to gain privileged access.

“The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization,” explained Rapid7.  The patch should be applied as soon as possible to prevent exploitation.

The post Active Threat Warning Issued About SharePoint RCE Vulnerability appeared first on HIPAA Journal.

CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw

Posted by HIPAA Journal

A joint advisory has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warning about sophisticated advanced persistent threat actors chaining exploits for multiple vulnerabilities in cyberattacks against federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and election support systems. While there have been successful attacks on the latter, no evidence has been found to suggest any election data have been compromised to date.

Several legacy vulnerabilities are being targeted along with more recently discovered vulnerabilities, such as the Windows Server Netlogon remote protocol vulnerability – CVE-2020-1472 – also known as Zerologon. A patch for the flaw was issued by Microsoft on August 2020 Patch Tuesday but patching has been slow.

Chaining vulnerabilities in a single cyberattack is nothing new. It is a common tactic used by sophisticated threat groups to compromise networks and applications, elevate privileges, and achieve persistent access to victims’ networks

The advisory did not specify which APT groups are conducting the attacks, although Microsoft recently issued an alert about the Mercury APT group – which has links to Iran – exploiting the Zerologon flaw to gain access to government networks. Those attacks have been ongoing for at least two weeks.

CISA and the FBI explained in the advisory that attacks start with the exploitation of legacy vulnerabilities in VPNs and network access devices. In several attacks, initial access to networks was gained by exploiting the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability – CVE-2018-13379 and, to a lesser extent, the MobileIron vulnerability – CVE-2020-15505. The latter vulnerability is also being exploited by ransomware gangs following the publication of a PoC exploit for the flaw.

While the latest campaigns have been conducted exploiting the above vulnerabilities, CISA/FBI warn that other legacy vulnerabilities in Internet facing infrastructure could similarly be exploited in attacks such as:

  • Citrix Gateway/Citrix SD WAN WANOP vulnerability – CVE-2019-19781
  • Pulse Secure vulnerability – CVE-2019-11510
  • F5 BIG-IP vulnerability – CVE-2020-5902
  • Palo Alto Networks vulnerability – CVE-2020-2021
  • Citrix NetScaler vulnerability – CVE2019-19751
  • Juniper vulnerability – CVE-2020-1631

Once a flaw has been exploited to gain access to the target’s network, the attackers then exploit more recently discovered vulnerabilities such as the Zerologon flaw, which allows them to elevate privileges to administrator, steal usernames and passwords, and access Windows Active Directory servers and establish persistent access to networks. Legitimate tools such as MimiKatz and CrackMapExec are often used in the attacks.

Due to the high potential for exploitation of the Zerologon flaw, Microsoft issued multiple alerts urging organizations to apply the patch as soon as possible, as have CISA and the CERT Coordination Center.

CISA and the FBI have suggested several mitigations to block these attacks, the most important of which is patching the above vulnerabilities. Patching vulnerabilities in software and equipment promptly and diligently is the best defense against APT groups.

Other important steps to take are concerned with more traditional network hygiene and user management such as:

  • Implement multi-factor authentication on all VPN connections, ideally using physical security tokens which are the most secure method of MFA, or alternatively using authenticator app-based MFA.
  • Strong passwords should be set for all users and vendors who need to connect via VPNs.
  • Discontinue unused VPN servers.
  • Conduct audits of configuration and patch management programs.
  • Monitor network traffic for unexpected or unapproved protocols, especially outbound traffic to the Internet.
  • Use separate admin accounts on separate administration workstations.
  • Update all software to the latest versions and configure updates to be applied automatically where possible.
  • Block public access to vulnerable unused ports such as port 445 and 135.
  • Secure Netlogon channel connections by updating all domain controllers and read-only domain controllers.

CISA and the FBI suggest any organization with Internet facing infrastructure should adopt an “assume Breach” mentality.

“If there is an observation of CVE-2020-1472 or Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed,” explained CISA/FBI in the alert.

Since fully resetting an AD forest is difficult and complex, organizations should consider seeking assistance from third-party cybersecurity firms with experience of successfully completing the task.

The post CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw appeared first on HIPAA Journal.

OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost.

HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received.

By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who have a copy of their records ensure that their health histories are never lost.

Under the OCR HIPAA Right of Access Initiative, complaints from individuals who have been denied access to their medical records or have faced delays in receiving a copy of their records are investigated. When violations of the HIPAA right of access are uncovered, financial penalties are issued. The aim of penalties is to encourage compliance by making noncompliance very costly.

The latest financial penalty was imposed on NY Spine, a private medical practice with offices in New York and Miami that specializes in neurology and pain management. OCR received a complaint from a patient in July 2019 who claimed to have sent multiple requests to NY Spine in June 2019 requesting a copy of her protected health information.

NY Spine responded to the requests and provided some of her records but failed to provide the diagnostic films that she had specifically requested. It took intervention from OCR for NY Spine to provide those records. The patient was finally provided with a complete copy of all the requested records in October 2020, 16 months after the first request was submitted.

NY Spine and OCR agreed to settle the case for $100,000. NY Spine is also required to adopt a corrective action plan and will be monitored by OCR for compliance for 2 years.

“No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR Director.

The post OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative appeared first on HIPAA Journal.

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Posted by HIPAA Journal

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million.

A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information.

The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during the breach investigation. In addition to the financial penalty, CHSPCS agreed to adopt a robust corrective action plan to address privacy and security failures discovered by OCR’s investigators.

Victims of the breach took legal action against CHS over the theft of their PHI and CHS settled the class action lawsuit in 2019 for $3.1 million. The latest settlement means CHS and its affiliates have paid $10.4 million in settlements over the breach.

“A patient’s personal information—especially health information—deserves the highest level of protection,” said Attorney General Slatery. “This settlement will require CHS to provide that moving forward.”

CHS and its affiliates were found to have failed to implement reasonable and appropriate security measures to ensure the confidentiality, integrity, and availability of protected health information on its systems. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure,” said Iowa Attorney General Tom Miller.

The states participating in the action were Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.

In addition to paying the financial penalty, CHS and its affiliates have agreed to adopt a corrective action plan and implement additional security measures to ensure the security of its systems. Those measures include developing a written incident response plan, providing security awareness and privacy training to all personnel with access to PHI, limiting unnecessary or inappropriate access to systems containing PHI, implementing policies and procedures for its business associates, and conducting regular audits of all business associates.

CHS must also conduct an annual risk assessment, implement and maintain a risk-based penetration testing program, implement and maintain intrusion detection systems, data loss protection measures, and email filtering and anti-phishing solutions. All system activity must be logged, and those logs must be regularly reviewed for suspicious activity.

“Community Health Systems is pleased to have resolved this six-year old matter,” said a spokesperson for CHS in a statement about the settlement. “The company had robust risk controls in place at the time of the attack and worked closely with the FBI and consistently with its recommendations after becoming aware of the attack.”

The post Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation appeared first on HIPAA Journal.

OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced its 12th HIPAA penalty of 2020 and its 8th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records.

On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights.

OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018.

SJHMC did respond to the requests and provided some, but not all, of the requested records. The mother made contact with SJHMC again on May 2, May 10 and May 15, 2018 to request the records that had not been provided. SJHMC responded and sent additional records, but not the specific records that had been requested. It took until December 19, 2019 for SJHMC to provide all the records she had requested – 22 months after the initial request had been sent.

SJHMC agreed to pay the $160,000 financial penalty to settle the case with no admission of liability. SJHMC will also adopt a corrective action plan to address all areas of noncompliance and will be monitored for compliance by OCR for two years.

“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously.  OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.

The post OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure appeared first on HIPAA Journal.

Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment

Posted by HIPAA Journal

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that companies that facilitate ransom payments to cybercriminals on behalf of victims of the attacks could face sanctions risks for violating OFAC regulations. Victims of ransomware attacks that pay ransoms to cyber actors could similarly face steep fines from the federal government if it is discovered that the criminals behind the attacks are already under economic sanctions.

“Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” explained OFAC in its advisory on potential sanctions risks for facilitating ransomware payments. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

Several individuals involved in ransomware attacks over the past few years have been sanctioned by OFAC, including the Lazarus Group from North Korea which was behind the WannaCry 2.0 ransomware attacks in May 2017, two Iranians believed to be behind the SamSam ransomware attacks that started in late 2015, Evil Corp and its leader, Maksim Yakubets, who are behind Dridex malware, and Evgeniy Mikhailovich Bogachev, who was designated the developer of Cryptolocker ransomware, first released in December 2016.

Paying ransoms to sanctioned persons or jurisdictions threatens U.S. national security interests. “Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims,” explained OFAC.

“U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes,” wrote OFAC.

Civil monetary penalties may be imposed for sanctions violations, even if the person violating sanctions was unaware that they were engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC. Any facilitator or payer of ransom demands to sanctioned individuals, entities, or regimes could face a financial penalty up to $20 million.

Many entities do not disclose ransomware attacks or report them to law enforcement to avoid negative publicity and legal issues, but by failing to report they are hampering law enforcement investigations into attacks. OFAC explained in its advisory that the financial intelligence and enforcement agency will “consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

The advisory also includes contact information for victims of ransomware attacks to discover if there are sanctions imposed on threat actors, and whether payment of a ransom may involve a sanctions nexus.

OFAC has advised against paying any ransom demand. Not only does payment of a ransom risk violating OFAC regulations, there is no guarantee that payment of the ransom will result in valid keys being supplied, the criminals may not delete stolen data, and they could issue further ransom demands. Payment of a ransom may also embolden cyber actors to engage in further attacks.

OFAC has only offered advice and warned of sanctions risks if payments are made to certain threat actors. Aside from implementing a ban on paying any ransom payment, the attacks are likely to remain profitable and will continue. Only when the attacks cease to be profitable are cybercriminals likely to stop conducting attacks.

The post Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment appeared first on HIPAA Journal.