Latest HIPAA News

Healthcare Groups Provide Feedback on HITECH Recognized Security Practices

Earlier this year, the HHS’ Office for Civil Rights issued a request for information (RFI) on how the financial penalties for HIPAA violations should be distributed to individuals who have been harmed by those HIPAA violations, and the “recognized security practices” under the amended Health Information Technology for Economic and Clinical Health (HITECH) Act. The comment period has now closed, and OCR is considering the feedback received.

Background

It has long been OCR’s intention to distribute a proportion of the funds raised through its HIPAA enforcement actions to victims of those HIPAA violations; however, to date, OCR has not developed a methodology for doing so and requested feedback on a method for distributing the funds to ensure they are directed to victims effectively.

In January 2021, the HITECH Act was amended by Congress to encourage healthcare organizations to adopt recognized security practices. The amendment called for the Secretary of the Department of Health and Human Services to consider whether recognized security practices had been adopted by a HIPAA-regulated entity for no less than 12 months previously, when making certain determinations. Recognized security practices are those outlined by the National Institute of Standards and Technology (NIST), HIPAA Security Rule, and privacy and security frameworks.

Essentially, if recognized security practices have been adopted and have been continuously in place for at least 12 months, financial penalties could be reduced or avoided altogether, and the length and extent of audits and compliance investigations would be reduced.

Feedback from Healthcare Industry Groups

Several healthcare industry groups responded to the RFI and provided feedback, including the Healthcare Information and Management Systems Society (HIMSS), Medical Management Association (MGMA), and the Connected Health Initiative (CHI).

HIMSS

HIMSS has welcomed the amendments to the HITECH Act and in its letter to the HHS stressed the importance of a unified approach to healthy cybersecurity and information privacy practices, as emphasized in the HITECH Security Practices.

HIMSS recommended “OCR implement policies that only afford enforcement discretion to situations involving use of security best practices as that discretion applies to safeguarding electronic protected health information (PHI) and not to other areas that are within the scope of HIPAA.”

HIMSS recommends OCR should foster innovation in standards by recognizing the value of adherence to widely accepted cybersecurity frameworks and standards, such as the NIST Cybersecurity Framework and the HITRUST Common Security Framework, rather than trying to define a fixed set of cybersecurity practices, which has the potential to become outdated in a rapidly changing threat landscape. OCR should also align its work with other federal agencies to improve best practices for healthcare.

HIMSS expressed concern that “a strict interpretation of security practices in place continuously over a 12-month period could have the unintended consequence of discouraging the adoption of new methods during that time frame.” HIMSS stressed the importance of encouraging organizations to update security practices regularly as new technologies or methodologies emerge and giving them the flexibility to update processes throughout the year to meet ever-changing cybersecurity best practices without fear that they may run afoul of the requirement for consistent and continuous use. “HIMSS recommends OCR distinguish between confirming that a control is in place and narrowly defining how the control is implemented.”

With respect to the financial penalties, HIMSS suggested OCR should earmark some of the fine amounts for helping to fund and distribute educational materials and other resources to HIPAA-regulated entities to ensure that all organizations have the knowledge and resources to prevent or mitigate cyberattacks.

MGMA

MGMA explained in a letter to HHS Secretary Xavier Becerra that it represents a wide range of medical groups and hundreds of thousands of physicians, and has been working diligently to improve education on cybersecurity best practices. MGMA said its members are becoming more vigilant and are voluntarily taking steps to protect themselves and their patients and welcomes the efforts of the HHS to understand and consider those measures when making certain determinations.

MGMA has made three key recommendations. The HHS should provide HIPAA-regulated entities with the flexibility to choose which recognized security practices to adopt, as there are vast differences in the technical and financial capabilities of medical groups, which range from small private practices in rural areas to large regional and national health systems, and cover the full spectrum of physician specialties and organizational forms. If specific recognized security systems are required, there could be unintended consequences stemming from the increased cost and administrative burden. Medical groups need to balance security with their ability to stay financially viable and avoid interruptions to patient care. MGMA has recommended that the HHS does not mandate what constitutes recognized security practices any further, and that the HHS should accept and not limit the broad statutory definition of the term recognized security practices.

MGMA has requested OCR provide best practices and education, including sample frameworks and checklists, that include real-world approaches for medical groups to implement acknowledged cybersecurity policies into their practices, and has also requested the HHS ensure potential requirements are consistent with other programs, such as the Office of National Coordinator for Health Information Technology (ONC) rulemaking to prohibit “information blocking.”

CHI

CHI said it supports OCR’s efforts to encourage the adoption of recognized security practices and for those practices to be considered as a mitigating factor when investigating data breaches, complaints, and reviews for potential HIPAA violations, but suggests that the 2021 HITECH Act revision should only apply to HIPAA compliance enforcement actions and audits.

Since current security standards will evolve over time, CHI recommends that OCR consider new and emerging risk management security standards in its recognized security practices, rather than specifying a set of security practices. CHI has also requested OCR provide up-to-date and clear information on the obligations of healthcare organizations under HIPAA, in light of the many changes that have occurred across the industry since the HITECH Act was passed, including changes to technology.

For instance, the HIPAA Privacy and Security Rules were introduced prior to the release of the first iPhone, and there is a lack of clarity about how HIPAA applies to mobile environments, which can deter healthcare providers from adopting patient-centered technologies and can prevent patients from fully benefiting from mobile technologies. Further guidance is needed to help healthcare providers adopt new technologies that enable care coordination and ensure compliance.

“OCR has created key guidance for mobile developers and those interested in the intersection between information technology and healthcare. OCR’s outreach focus is an educational campaign for that community, and we see vast improvement in the understanding, from connected health companies, of their roles and responsibilities under the HIPAA Privacy Rules,” explained CHI. However, similar educational campaigns are required for providers and patients.

CHI has requested the HHS make no revisions to the HIPAA Privacy Rule that require disclosures for any additional purposes besides to the individual when the individual exercises his/her right of access under the Rule, or to HHS for purposes of enforcement of the HIPAA Rules, as this could place an unnecessary burden on HIPAA-regulated entities and could lessen the protections for the privacy of individuals’ PHI.

CHI has also requested that OCR provide sample business associate agreement language for developers and providers and ensure that HIPAA does not prevent innovations in AI technology.

The post Healthcare Groups Provide Feedback on HITECH Recognized Security Practices appeared first on HIPAA Journal.

2 Million Patients Affected by Shields Health Care Group Cyberattack

The protected health information of up to 2 million individuals has potentially been compromised in a Shields Health Care Group cyberattack. Massachusetts-based Shields Health Care Group provides ambulatory surgical center management and medical imaging services throughout New England. On March 28, 2022, suspicious activity was detected within its network. Immediate action was taken to secure its network and prevent further unauthorized access, and third-party forensics specialists were engaged to assist with the investigation and determine the nature and scope of the security breach.

The forensic investigation determined that an unauthorized actor had access to certain Shields systems from March 7, 2022, to March 21, 2022. Shields said a security alert had been triggered on March 18, 2022, which was investigated, but at the time it did not appear that there had been a data breach. It has since been confirmed that during that period of access, certain data was removed from its systems. Shields said it has not been made aware of any cases of actual or attempted misuse of patient data.

A review of the files that were removed from its systems or may have been accessed by unauthorized individuals confirmed the following types of information were involved: full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information. Shields is continuing to review the affected data and will issue notifications to affected individuals on behalf of all affected facility partners when that review has been completed.

When the attack was discovered, immediate action was taken to secure its network and data, certain systems have now been rebuilt, and additional safeguards have been implemented to better protect patient data. Cybersecurity measures will be reviewed and enhanced moving forward to ensure continued data security.

The HHS’ Office for Civil Rights Breach Portal has the breach listed as affecting 2,000,000 individuals. Shields said those individuals had received services at the following 56 facility partners:

Affected Facility Partners

  • Cape Cod Imaging Services, LLC (a business associate to Falmouth Hospital Association, Inc)
  • Cape Cod PET/CT Services, LLC
  • Cape Cod Radiation Therapy Service, LLC
  • Central Maine Medical Center
  • Emerson Hospital
  • Fall River/New Bedford Regional MRI Limited Partnership
  • Falmouth Hospital Association, Inc.
  • Franklin MRI Center, LLC
  • Lahey Clinic MRI Services, LLC
  • Massachusetts Bay MRI Limited Partnership
  • Mercy Imaging, Inc.
  • MRI/CT of Providence, LLC
  • Newton Wellesley Orthopedic Associates, Inc.
  • Newton-Wellesley Imaging, PC
  • Newton-Wellesley MRI Limited Partnership
  • Northern MASS MRI Services, Inc.
  • NW Imaging Management Company, LLC (a business associate to Newton Wellesley Orthopedic Associates, Inc.)
  • PET-CT Services by Tufts Medical Center and Shields, LLC
  • Radiation Therapy of Southeastern Massachusetts, LLC
  • Radiation Therapy of Winchester, LLC
  • Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a business associate to SportsMedicine Atlantic Orthopaedics P.A.)
  • Shields CT of Brockton, LLC
  • Shields Healthcare of Cambridge, Inc.
  • Shields Imaging at Anna Jaques Hospital, LLC
  • Shields Imaging at University Hospital, LLC
  • Shields Imaging at York Hospital, LLC
  • Shields Imaging Management at Emerson Hospital, LLC (a business associate to Emerson Hospital)
  • Shields Imaging of Eastern Mass, LLC
  • Shields Imaging of Lowell General Hospital, LLC
  • Shields Imaging of North Shore, LLC
  • Shields Imaging of Portsmouth, LLC
  • Shields Imaging with Central Maine Health, LLC (a business associate to Central Maine Medical Center)
  • Shields Management Company, Inc.
  • Shields MRI & Imaging Center of Cape Cod, LLC
  • Shields MRI of Framingham, LLC
  • Shields PET/CT at CMMC, LLC
  • Shields PET_CT at Berkshire Medical Center, LLC
  • Shields PET-CT at Cooley Dickinson Hospital, LLC
  • Shields PET-CT at Emerson Hospital, LLC
  • Shields Radiology Associates, PC
  • Shields Signature Imaging, LLC
  • Shields Sturdy PET-CT, LLC
  • Shields-Tufts Medical Center Imaging Management, LLC (a business associate to Tufts Medical Center, Inc.)
  • South Shore Regional MRI Limited Partnership
  • South Suburban Oncology Center Limited Partnership
  • Southeastern Massachusetts Regional MRI Limited Partnership
  • SportsMedicine Atlantic Orthopaedics P.A.
  • Tufts Medical Center, Inc.
  • UMass Memorial HealthAlliance MRI Center, LLC
  • UMass Memorial MRI – Marlborough, LLC
  • UMass Memorial MRI & Imaging Center, LLC
  • Winchester Hospital / Shields MRI, LLC


Healthcare Organizations Warned About Maximum Severity Vulnerabilities in Illumina Devices

Five vulnerabilities that require immediate patching have been identified in the Illumina Local Run Manager (LRM), which is used by Illumina In Vitro Diagnostic (IVD) devices and Illumina Research Use Only (RUO) instruments. The affected devices are used for clinical diagnostic DNA sequencing and testing for various genetic conditions, and for research use. Four of the vulnerabilities are critical, with three having a maximum CVSS severity score of 10 out of 10.

The vulnerabilities affect the following devices and instruments:

Illumina IVD Devices

  • NextSeq 550Dx: LRM Versions 1.3 to 3.1
  • MiSeq Dx: LRM Versions 1.3 to 3.1

Illumina RUO Devices

  • NextSeq 500 Instrument: LRM Versions 1.3 to 3.1
  • NextSeq 550 Instrument: LRM Versions 1.3 to 3.1
  • MiSeq Instrument: LRM Versions 1.3 to 3.1
  • iSeq 100 Instrument: LRM Versions 1.3 to 3.1
  • MiniSeq Instrument: LRM Versions 1.3 to 3.1

A threat actor could exploit the vulnerabilities remotely, take control of the instruments, and perform any action at the operating system level such as modifying the settings, configurations, software, or data on the instrument. It would also be possible to exploit the vulnerabilities to interact with the connected network through the affected product.

The vulnerabilities are:

  • CVE-2022-1517 – A remote code execution vulnerability due to the LRM utilizing elevated privileges, which would allow a malicious actor to upload and execute code at the operating system level. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1518 – A directory traversal vulnerability that allows a malicious actor to upload outside the intended directory structure. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1519 – The failure to restrict uploads of dangerous file types. A malicious actor could upload any file type, including executable code that allows for a remote code exploit. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1521 – A lack of authentication or authorization in the default configuration, which would allow a malicious actor to inject, replay, modify, and/or intercept sensitive data. The vulnerability has a CVSS v3 severity score of 9.1 (critical)
  • CVE-2022-1524 – A lack of TLS encryption for the transmission of sensitive information, putting information – including credentials – at risk of interception in a man-in-the-middle attack. The vulnerability has a CVSS v3 severity score of 7.4 (high severity)

The vulnerabilities were reported to Illumina by Pentest, Ltd. Illumina has developed a software patch that will prevent the vulnerabilities from being exploited remotely as an interim fix while a permanent solution is developed for current and future instruments.

The U.S. Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency (CISA) have issued security alerts urging immediate action to be taken to address the vulnerabilities.

The patch for Internet-connected instruments is available here. If the instruments are not connected to the Internet, users should contact Illumina Tech Support.


Reader Offer: Free Annual HIPAA Risk Assessment

HIPAA Journal has partnered with The Compliancy Group to offer its readers a free annual HIPAA Risk Assessment.

Covered Entities like medical practices and Business Associates like IT providers are required to conduct a HIPAA risk assessment by the 2003 HIPAA Security Rule (45 CFR § 164.308 – Security Management Process) and HITECH Act 2009.


Zero Day Microsoft Office Vulnerability can be Exploited with Macros Disabled

Microsoft has issued a security advisory and has provided a workaround to prevent a zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) from being exploited.

The vulnerability is tracked as CVE-2022-30190 and has been dubbed Follina by security researchers. According to Microsoft, “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.”

Over the weekend, security researcher nao_sec found a Word document that was leveraging remote templates to execute PowerShell commands on targeted systems via the MS-MSDT URL protocol scheme. In a recent blog post, security researcher Kevin Beaumont said the documents are not being detected as malicious by Microsoft Defender and detection by antivirus solutions is poor as the documents used to exploit the vulnerability do not contain any malicious code. Instead, they leverage remote templates to download an HTML file from a remote server, which allows an attacker to run malicious PowerShell commands.

Most email attacks that use attachments for malware delivery require macros to be enabled; however, the vulnerability can be exploited even with macros disabled. The vulnerability is exploited when the attached file is opened. Beaumont also showed that zero-click exploitation is possible if an RTF file is used, as the flaw can be exploited without opening the document via the preview tab in Explorer.

Microsoft said if an attacker successfully exploits the vulnerability, malicious code can be run with the privileges of the calling application. It would allow an attacker to install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. The vulnerability can be exploited in all Office versions since 2013, including the current version of Office 365.

The vulnerability was initially reported to Microsoft in April and the flaw was assigned a CVSS score of 7.8 out of 10 (high severity), as Microsoft did not consider the Follina vulnerability to be critical. Microsoft has now issued a workaround and guidance that involves disabling the MSDT URL Protocol until a patch is released. Immediate action is required to prevent the vulnerability from being exploited. Vulnerabilities that can be exploited via Office are rapidly adopted by threat actors, especially when they can be exploited with macros disabled.

Multiple threat actors are known to be exploiting the flaw, including the Chinese threat actor TA413, according to Proofpoint. According to the Palo Alto Networks Unit 42 team, “Based on the amount of publicly available information, the ease of use, and the extreme effectiveness of this exploit, Palo Alto Networks highly recommends following Microsoft’s guidance to protect your enterprise until a patch is issued to fix the problem.”
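Because the documents described above carry no malicious code of their own and rely on a remote template reference, one thing a mail gateway or triage script can still inspect is the relationship parts inside the Office file. The following is an added detection example, not code from Microsoft or any researcher named in the article; it assumes the `.rels` XML has already been extracted from the document archive, and the severity labels and sample hosts are constructed for illustration.

```javascript
// Added example: flag external relationships in an OOXML relationship part
// (for example word/_rels/settings.xml.rels). A remote template appears there
// as a Relationship with TargetMode="External".
// Constructed sample; hosts use the reserved .invalid TLD.
const REL_NS = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/';
const SAMPLE_RELS = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="${REL_NS}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="${REL_NS}hyperlink" Target="https://www.example.invalid/about?a=1&amp;b=2" TargetMode="External"/>
  <Relationship Id="rId3" Type="${REL_NS}attachedTemplate" Target="https://templates.example.invalid/letter.dotm" TargetMode="External"/>
  <Relationship Id='rId4' Type='${REL_NS}image' TargetMode='External' Target='https://cdn.example.invalid/logo.png'/>
</Relationships>`;

// Decode the five predefined XML entities (&amp; last, to avoid double decoding).
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&amp;/g, '&');
}

// Extract name="value" / name='value' pairs from one start tag.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1]] = decodeEntities(m[2] !== undefined ? m[2] : m[3]);
  }
  return attrs;
}

// Return one finding per external relationship, with a triage severity:
//   high   - externally hosted template, fetched when the document is opened
//   info   - ordinary web or mail hyperlink, only followed if the user clicks
//   review - any other external content, or a hyperlink with an unusual scheme
function scanRels(relsXml) {
  const findings = [];
  // \b keeps the container element <Relationships> from matching.
  const tagRe = /<(?:[\w.-]+:)?Relationship\b[^>]*>/g;
  let m;
  while ((m = tagRe.exec(relsXml)) !== null) {
    const a = parseAttributes(m[0]);
    if ((a.TargetMode || '').toLowerCase() !== 'external') continue;
    const kind = (a.Type || '').split('/').pop();
    const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(a.Target || '');
    const scheme = schemeMatch ? schemeMatch[1].toLowerCase() : '';
    let severity;
    if (kind === 'attachedTemplate') {
      severity = 'high';
    } else if (kind === 'hyperlink' && ['http', 'https', 'mailto'].includes(scheme)) {
      severity = 'info';
    } else {
      severity = 'review';
    }
    findings.push({ id: a.Id, kind, scheme, target: a.Target, severity });
  }
  return findings;
}

console.log(JSON.stringify(scanRels(SAMPLE_RELS), null, 2));
```

Some organizations host templates centrally for legitimate reasons, so a `high` finding is a prompt to compare the target host against known internal template servers rather than a verdict.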


Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites

A recent study by Source Defense examined the risks associated with the use of third- and fourth-party code on websites and found that all modern, dynamic websites included code that could be targeted by hackers to gain access to sensitive data.

Source Defense explained that websites typically have their own third-party supply chains, with those third parties providing a range of services and functions related to site performance, tracking and analytics, and improving conversion rates to generate more sales.

The inclusion of third- and fourth-party code on websites also introduces security and compliance risks. On the compliance side, tracking code has the potential to violate data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and from a security perspective, the code included on websites may have vulnerabilities that can be exploited by threat actors to gain access to sensitive data, including protected health information.

To explore the risks associated with third- and fourth-party code, Source Defense scanned the top 4,300 websites based on traffic and analyzed their results to identify the scale of the digital supply chain, how many partners are involved on a typical website, whether the inclusion of code by those partners leaves websites exposed to cyberattacks, whether sensitive data is being exposed, and the types of attacks that could be conducted on websites that take advantage of the digital supply chain.

The findings of the analysis are detailed in the report, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties. Source Defense explained that there would be little point in a threat actor compromising a script on a static webpage; however, if scripts were included on webpages that collect sensitive data, threat actors could add malicious code to steal sensitive data. The researchers found that, on average, there were 12 third-party and 3 fourth-party scripts per website on web pages that collected data, such as login pages, account registration pages, and payment collection pages.

They identified six features that were commonly found on websites and could be exploited by threat actors: code to retrieve form input (49%), button click listeners (49%), link click listeners (43%), code to modify forms (23%), form submit listeners (22%), and input change listeners (14%). Every modern, dynamic website assessed for the study was found to contain one or more of those features.

An analysis was conducted of between 40 and 50 websites in industries where there is a higher-than-average risk. The researchers found that higher-risk industries such as healthcare had more than the average number of scripts. Healthcare websites had an average of 13 third-party and 5 fourth-party scripts on sensitive pages.

There may be a legitimate reason for including these scripts on the pages but adding that code introduces risk. “For example, a script might allow form fields to be changed or added on the fly to provide website users with a more personalized experience,” explained Source Defense in the report. “However, a threat actor could exploit this capability to add additional fields asking for credentials and personal information, which would then be sent to attacker’s website.”

“This data makes it clear that managing risk inherent in third- and fourth-party scripts is both a very necessary and a very challenging task,” explained the researchers, who recommend assessing websites for third-party code, educating management about the risks, implementing a website client-side security solution, categorizing and consolidating scripts, and finding ways to reduce exposure and compliance risks.
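A first pass at the recommended assessment can be done from page markup alone. The following is an added example, not Source Defense's methodology or tooling: it lists externally hosted scripts on a page, grouped by origin, and reports whether the page collects sensitive input. The page URL, HTML, and first-party domain list are constructed assumptions, and because fourth-party scripts are loaded at run time by third-party code, they do not appear in static markup and need browser-side observation to enumerate.

```javascript
// Added example: inventory third-party <script> origins on a data-collecting page.
// Constructed sample login page; hosts use the reserved .invalid TLD.
const SAMPLE_PAGE_URL = 'https://www.clinic.example.invalid/login';
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://static.clinic.example.invalid/ui.js"></script>
<script src="//cdn.analytics.example.invalid/collect.js" async></script>
<script src='https://tags.vendor.example.invalid/tag.js' integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.analytics.example.invalid/heatmap.js"></script>
<script>window.inlineConfig = {};</script>
</head><body>
<form action="/session" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form></body></html>`;

// True when the markup contains credential, contact, or payment-card inputs.
function collectsSensitiveInput(html) {
  return /<input\b[^>]*\stype\s*=\s*["']?(password|email|tel)\b/i.test(html) ||
         /<input\b[^>]*\sautocomplete\s*=\s*["']?cc-/i.test(html);
}

// firstPartyDomains: domains the site owner controls (assumption supplied by
// the caller); a host is first-party if it equals or is a subdomain of one.
function inventoryScripts(html, pageUrl, firstPartyDomains) {
  const base = new URL(pageUrl);
  const isFirstParty = (host) =>
    host === base.hostname ||
    firstPartyDomains.some((d) => host === d || host.endsWith('.' + d));

  const byOrigin = new Map();
  const tagRe = /<script\b[^>]*>/gi;
  // \s before the name avoids matching attributes such as data-src.
  const srcRe = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(m[0]);
    if (!src) continue; // inline script, no external fetch
    const raw = src[1] ?? src[2] ?? src[3];
    let url;
    try {
      url = new URL(raw, base); // resolves relative and protocol-relative URLs
    } catch {
      continue; // unparseable src value
    }
    if (!/^https?:$/.test(url.protocol) || isFirstParty(url.hostname)) continue;

    const entry = byOrigin.get(url.origin) ||
      { origin: url.origin, scripts: [], withoutIntegrity: 0 };
    entry.scripts.push(url.pathname);
    // A script tag without an integrity attribute can change without notice.
    if (!/\sintegrity\s*=/i.test(m[0])) entry.withoutIntegrity += 1;
    byOrigin.set(url.origin, entry);
  }

  const thirdParty = [...byOrigin.values()];
  return {
    page: base.href,
    collectsSensitiveInput: collectsSensitiveInput(html),
    thirdPartyScriptCount: thirdParty.reduce((n, e) => n + e.scripts.length, 0),
    thirdParty,
  };
}

console.log(JSON.stringify(
  inventoryScripts(SAMPLE_HTML, SAMPLE_PAGE_URL, ['clinic.example.invalid']), null, 2));
```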


Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server

An information technology consultant who worked as a contractor at a suburban healthcare company in Chicago has been charged with illegally accessing the company’s network and intentionally causing damage to a protected computer.

Aaron Lockner, 35, of Downers Grove, IL, worked for an IT company that had a contract with a healthcare company to provide security and technology services. Lockner was provided with access to the network of the healthcare provider’s clinic in Oak Lawn, IL, to perform the contracted IT services.

In February 2018, Lockner applied for an employment position with the healthcare provider, but his application was denied. Lockner was then terminated from the IT firm in March 2018. A month later, on or around April 16, 2018, Lockner is alleged to have remotely accessed the computer network of the healthcare company without authorization. According to the indictment, Lockner knowingly caused the transmission of a program, information, code, and command, and as a result of his actions, intentionally caused damage to a protected computer. The computer intrusion impaired medical examinations, treatment, and the care of multiple individuals.

Lockner has been indicted on one count of intentionally causing damage to a protected computer. The arraignment has been scheduled for May 31, 2022 in the U.S. District Court in the Northern District of Illinois, Eastern Division. If convicted, Lockner could serve up to 10 years in federal prison.

This case highlights the risks posed by insiders. The recently published 2022 Verizon Data Breach Investigations Report highlights the risk of attacks by external threat actors, which outnumber insider attacks by 4 to 1, but safeguards also need to be implemented to protect against insider threats.

In this case, the alleged access occurred two months after the application for employment was rejected and one month after being terminated from the IT company. When individuals leave employment, voluntarily or if terminated, access rights to systems need to be immediately revoked and scans of systems conducted to identify any malware or backdoors that may have been installed.

There have been multiple cases of disgruntled IT contractors retaining remote access to systems after termination, with one notable case at a law firm seeing a former IT worker installing a backdoor and subsequently accessing the system and intentionally causing damage after leaving employment. In that case, the individual was sentenced to 115 months in federal prison and was ordered to pay $1.7 million in restitution.


Verizon Data Breach Investigations Report Reveals 2021 Data Breach Trends

For the past 15 years, Verizon has been publishing annual Data Breach Investigation Reports (DBIR), with this year’s report confirming just how bad the past 12 months have been. Verizon described the past 12 months as representing an unprecedented year in cybersecurity history. “From very well-publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months,” explained Verizon.

The 2022 DBIR was compiled in conjunction with 87 partner organizations using data from 23,896 security incidents, of which 5,212 were confirmed data breaches. Of the security incidents analyzed in the report, 849 occurred in the healthcare sector, with 571 of those incidents resulting in confirmed data breaches.

The report confirms there was a major increase in ransomware attacks in 2021, increasing 13% from the previous year. To add some perspective, the increase is greater than the combined increases over the previous five years. As Verizon points out in the report, ransomware is just a way of taking advantage of access to victims’ networks, but it has proven to be particularly successful at monetizing illegal access to networks and private information. Ransomware was involved in 25% of data breaches in 2021.

The most common vector in ransomware attacks was the use of stolen credentials, mostly for desktop sharing software, which provided initial access in 40% of attacks. Phishing was the second most common vector, providing initial access in 35% of ransomware attacks, followed by the exploitation of vulnerabilities in web applications and direct installs. The high percentage of attacks involving remote desktop software and email highlights the importance of locking down RDP and securing email.

The increase in ransomware attacks is alarming, as is the number of supply chain attacks, which account for 62% of system intrusions. Supply chain attacks may be conducted by financially motivated cyber actors, but oftentimes they are used by nation-state actors to gain persistent access to systems for espionage purposes.

Protecting against cyberattacks requires action to be taken to address the four main avenues that lead to initial access to networks being gained, which are credentials, phishing, exploitation of vulnerabilities, and botnets. While insiders can and do cause data breaches, by far the main cause is external actors. Breaches due to external actors outnumber insider breaches by four to one. While external attacks are much more likely, the median number of records involved in insider breaches is far higher.

Human error continues to play a large part in data breaches. 13% of breaches involved misconfigurations, mostly of cloud storage facilities, and 82% of all data breaches analyzed in the past 12 months involved a human element. 25% of all breaches in 2021 were the result of social engineering attacks, highlighting not only the importance of implementing advanced email defenses but also providing regular security awareness training to the workforce.

The top three attack methods were the same as last year, albeit changing position. System intrusions took the top spot, followed by web application attacks, and social engineering. In healthcare, the leading causes of data breaches were web application attacks, miscellaneous errors, and system intrusions, which accounted for 76% of all data breaches.

Verizon reports that while insiders have long been a leading cause of data breaches in healthcare, the increase in web application attacks has meant external threats have overtaken insiders. Healthcare employees caused 39% of breaches in 2021, which is considerably higher than the 18% across all other industry sectors. While there will always be malicious insiders in healthcare, employees are 2.5 times more likely to make an error than to maliciously abuse their access to data, with misdelivery and loss the most common errors made in healthcare.

[Figure: Patterns in healthcare data breaches. Source: Verizon DBIR 2022]


April 2022 Healthcare Data Breach Report

After four successive months of declining numbers of data breaches, there was a 30.2% increase in reported data breaches. In April 2022, 56 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

[Figure: Healthcare data breaches in the past 12 months (April 2022)]

While the number of reported breaches increased month-over-month, the number of healthcare records that were exposed or impermissibly disclosed decreased by 30% to 2,160,194 – the lowest monthly number since October 2021. The average breach size in April 2022 was 38,575 records, and the median breach size was 6,546 records.

Breached healthcare records in the past 12 months (April 2022)

Largest Healthcare Data Breaches in April 2022

22 healthcare data breaches were reported in April 2022 that affected 10,000 or more individuals. The worst breach was a hacking incident reported by Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other healthcare companies. More than half a million individuals were affected. The Arkansas healthcare provider ARcare suffered a malware attack that disrupted its systems and potentially allowed hackers to access the records of 345,353 individuals. Refuah Health Center reported a hacking and data theft incident in April, which had occurred almost a year previously in May 2021 and affected up to 260,740 patients.

Illinois Gastroenterology Group, PLLC reported a hacking incident where the attackers had access to the records of 227,943 individuals, and Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown were affected by a data breach at the cloud-EHR vendor Eye Care Leaders (ECL), which exposed the records of 194,035 individuals. The ECL cyberattack saw the attackers delete databases and system configuration files of one of its cloud services. The cyberattack affected close to a dozen eye care providers and resulted in the exposure of more than 342,000 records.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | Hacking incident with potential data theft |
| ARcare | AR | Healthcare Provider | 345,353 | Malware infection |
| Refuah Health Center | NY | Healthcare Provider | 260,740 | Hacking incident and data theft incident |
| Illinois Gastroenterology Group, PLLC | IL | Healthcare Provider | 227,943 | Hacking incident with potential data theft |
| Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown | WV | Healthcare Provider | 194,035 | Hacking incident at EHR provider |
| Healthplex, Inc. | NY | Health Plan | 89,955 | Email account breach |
| Optima Dermatology Holdings, LLC | NH | Healthcare Provider | 59,872 | Unspecified email incident |
| SUMMIT EYE ASSOCIATES P.C. | TN | Healthcare Provider | 53,818 | Hacking incident at EHR provider |
| Newman Regional Health | KS | Healthcare Provider | 52,224 | Email account breach |
| WellStar Health System, Inc. | GA | Healthcare Provider | 30,417 | WellStar Health System |
| Central Vermont Eye Care | VT | Healthcare Provider | 30,000 | Unspecified hacking incident |
| Frank Eye Center, P.A. | KS | Healthcare Provider | 26,333 | Hacking incident at EHR provider |
| New Creation Counseling Center | OH | Healthcare Provider | 24,029 | Ransomware attack |
| Georgia Pines CSB | GA | Healthcare Provider | 24,000 | Theft of laptop computers |
| The Guidance Center, Inc. | AZ | Healthcare Provider | 23,104 | Email account breach |
| Allied Eye Physicians and Surgeons, Inc. | OH | Healthcare Provider | 20,651 | Hacking incident at EHR provider |
| King County Public Hospital District No. 2 d/b/a EvergreenHealth | WA | Healthcare Provider | 20,533 | Hacking incident at EHR provider |
| Onehome Health Solutions | FL | Healthcare Provider | 15,401 | Theft of laptop computers |
| Southern Ohio Medical Center | OH | Healthcare Provider | 15,136 | Hacking incident with potential data theft |
| Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin | NE | Healthcare Provider | 14,984 | Hacking incident at EHR provider |
| Pediatric Associates, P.C. | VA | Healthcare Provider | 13,000 | Hacking incident at EHR provider |
| Fairfield County Implants and Periodontics, LLC | CT | Healthcare Provider | 10,502 | Email account breach |

Causes of April 2022 Healthcare Data Breaches

Hacking and IT incidents accounted for 73.2% of the healthcare data breaches reported in April 2022 and 97.1% of the month’s breached healthcare records. 2,098,390 individuals were affected by those hacking incidents and may have had their protected health information stolen. The average breach size was 51,180 records and the median breach size was 9,969 records. 16 of the hacking incidents involved unauthorized individuals gaining access to employee email accounts, and there were 7 breaches of electronic health records, due to the hacking incident at the EHR vendor Eye Care Leaders.

Causes of April 2022 Healthcare Data Breaches

There were just breaches reported as unauthorized access/disclosure incidents which involved a total of 20,391 records. The average breach size was 1,854 records and the median breach size was 820 records. There were two theft incidents reported involving laptop computers and one loss incident involving an ‘other portable electronic device’. Across the three loss/theft incidents, the records of 40,298 individuals were potentially compromised. All three breaches could have been prevented if data had been encrypted. There was also one improper disposal incident reported, involving 1,115 paper records.

Location of breached protected health information (April 2022)

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected type of HIPAA-covered entity, with 39 reporting breaches in April. 7 data breaches were reported by health plans, and 10 data breaches were reported by business associates. However, a further 17 data breaches occurred at business associates but were reported by the respective covered entity. The chart below shows the month’s data breaches adjusted to reflect where the breaches occurred.

Healthcare Data Breaches by Covered Entity Type (April 2022)

Healthcare Data Breaches by State

In April 2022, HIPAA-regulated entities in 26 states reported breaches. New York and Ohio were the worst affected states in April, with 7 and 6 data breaches reported, respectively.

| State | Number of Data Breaches |
|---|---|
| New York | 7 |
| Ohio | 6 |
| California | 4 |
| Arizona, Georgia, Kansas, Michigan, Tennessee, & Virginia | 3 |
| Florida, Maryland, North Carolina & New Hampshire | 2 |
| Alabama, Arkansas, Colorado, Connecticut, Illinois, Nebraska, North Dakota, Pennsylvania, South Carolina, Utah, Vermont, Washington & West Virginia | 1 |

HIPAA Enforcement Activity in April 2022

There were no HIPAA enforcement activities announced by the HHS’ Office for Civil Rights or State Attorneys General in April 2022. So far this year, 4 financial penalties have been imposed to resolve HIPAA violations.

The post April 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.