Latest HIPAA News

Discussion Draft of Federal Data Privacy Bill Released by House Energy and Commerce Committee

A discussion draft of a new bipartisan data privacy bill has been released by the House Energy and Commerce Committee. The bill calls for national standards for privacy and security and would place restrictions on the collection, use, and retention of consumer data by U.S. businesses.

The draft legislation calls for all businesses to have a privacy program and to publish a privacy policy, written in clear language, which explains what data will be collected, how it will be used, how long it will be retained, and with whom consumer information will be shared.

Data security measures would also need to be implemented, which should be appropriate for the size of the business and the nature and complexity of data activities. In the event of a breach of consumer information, businesses would be required to report the breach to the Federal Trade Commission.

The Federal Trade Commission has been tasked with creating a Bureau of Privacy which would be responsible for developing rules, issuing guidance, and enforcing compliance. The FTC would also need to set a data retention time frame and create rules covering the disclosure of personal information to third parties.

The bill would give consumers much greater control over their personal data and how businesses can use it. Consumers would have the right to view and correct their data, control who can access their personal information, and request that businesses delete their personal information.

To help consumers find out which businesses hold their personal information, the draft legislation calls for the creation of a centralized repository of data brokers. Consumers could use that repository to find out who holds a copy of their data and how to exercise their rights to access that data, make corrections, and have their personal data deleted.

“This draft seeks to protect consumers while also giving data collectors clear rules of the road. It reflects many months of hard work and close collaboration between Democratic and Republican Committee staff,” explained a spokesperson for the Energy and Commerce Committee.

The release follows a Senate Commerce Committee hearing at which two competing data privacy bills, proposed by Senate Commerce Committee Chairman Roger Wicker (R-Miss.) and Senator Maria Cantwell (D-Wash.), were discussed. The two camps could not reach a consensus on what the bill should include, but they agreed that the only way forward was for bipartisan legislation to be passed.

Two of the sticking points between the competing bills were whether the federal privacy bill should preempt state laws and whether a private cause of action should be included. Sen. Cantwell’s bill calls for a private cause of action to allow consumers to sue companies for privacy violations, which Sen. Wicker opposes. Sen. Wicker’s bill calls for the new federal privacy law to replace state laws, whereas Sen. Cantwell wants state laws to be retained to provide greater protection for consumers. The discussion draft of the bill avoids both of these issues.

Feedback is being sought from industry stakeholders on the draft legislation. Comments will be accepted until the middle of January 2020.

The post Discussion Draft of Federal Data Privacy Bill Released by House Energy and Commerce Committee appeared first on HIPAA Journal.

DoE and OCR Issue Updated Guidance on Sharing Student Health Records under FERPA and HIPAA

The Department of Education and the Department of Health and Human Services’ Office for Civil Rights have issued updated guidance on the sharing of student health records under the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).

The guidance document was first released in November 2008 to help school administrators and healthcare professionals understand how FERPA and HIPAA apply to student educational and healthcare records. The guidance includes several Q&As covering both sets of regulations. Further questions and answers have been added to clear up potential areas of confusion about how HIPAA and FERPA apply to student records, including when it is permitted to share student records under FERPA and the HIPAA Privacy Rule without first obtaining written consent.

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. HIPAA does not usually apply to schools, since health information collected by an educational institution would usually be classed as educational records under FERPA. The HIPAA Privacy Rule excludes educational records from the definition of protected health information, but there are instances where HIPAA and FERPA intersect.

The HIPAA Privacy Rule requires consent to be obtained prior to the sharing of health information for purposes other than treatment, payment, or healthcare operations. The guidance explains that in emergencies and situations when an individual’s health is at risk, educational institutions and healthcare providers may disclose a student’s health information to someone in a position to prevent or lessen harm, including to family, friends, caregivers, and law enforcement.

The guidance states that “Healthcare providers may share (protected health information) with anyone as necessary to prevent or lessen a serious and imminent threat to the health or safety of the individual, another person, or the public—consistent with applicable law (such as state statutes, regulations or case law) and the provider’s standards of ethical conduct.” It is also permissible to share psychotherapy notes and information about mental health issues and substance abuse disorder in certain situations. The update details the situations when these disclosures are permitted.

“This updated resource empowers school officials, healthcare providers, and mental health professionals by dispelling the myth that HIPAA prohibits the sharing of health information in emergencies,” said OCR Director Roger Severino.

The update also includes information on when protected health information or personally identifiable information can be shared about a student who poses a danger to themselves or others. Disclosures of health data to law enforcement and to the National Instant Criminal Background Check System are also now covered in the guidance.

“Confusion on when records can be shared should not stand in the way of protecting students while they are in school,” said U.S. Secretary of Education Betsy DeVos. “This update will provide much-needed clarity and help ensure that students get the assistance they need, and school leaders have the information they need to keep students safe.”

The post DoE and OCR Issue Updated Guidance on Sharing Student Health Records under FERPA and HIPAA appeared first on HIPAA Journal.

November 2019 Healthcare Data Breach Report

In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). That represents a 36.5% decrease in reported breaches from October, the worst month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day.

600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November.

Largest Healthcare Data Breaches in November 2019

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI |
| --- | --- | --- | --- | --- |
| Ivy Rehab Network, Inc. and its affiliated companies | Healthcare Provider | 125,000 | Hacking/IT Incident | Email |
| Solara Medical Supplies, LLC | Healthcare Provider | 114,007 | Hacking/IT Incident | Email |
| Saint Francis Medical Center | Healthcare Provider | 107,054 | Hacking/IT Incident | Electronic Medical Record, Network Server |
| Southeastern Minnesota Oral & Maxillofacial Surgery | Healthcare Provider | 80,000 | Hacking/IT Incident | Network Server |
| Elizabeth Family Health | Healthcare Provider | 28,375 | Theft | Paper/Films |
| The Brooklyn Hospital Center | Healthcare Provider | 26,312 | Hacking/IT Incident | Network Server |
| Utah Valley Eye Center | Healthcare Provider | 20,418 | Hacking/IT Incident | Desktop Computer |
| Loudoun Medical Group d/b/a Comprehensive Sleep Care Center (“CSCC”) | Healthcare Provider | 15,575 | Hacking/IT Incident | Email |
| Choice Cancer Care | Healthcare Provider | 14,673 | Hacking/IT Incident | Email |
| Arizona Dental Insurance Services, Inc. d.b.a. Delta Dental of Arizona | Health Plan | 12,886 | Hacking/IT Incident | Email |

Causes of Healthcare Data Breaches in November 2019

Hacking/IT incidents dominated November’s breach reports and accounted for 63.6% of data breaches reported in November and 90.75% of the breached records (545,293). The average breach size was 25,966 records and the median breach size was 3,977 records.

There were 7 unauthorized access/disclosure breaches reported in November involving 16,586 healthcare records. The mean breach size was 2,369 records and the median breach size was 996 records.

There were 4 incidents involving the theft of 38,998 individuals’ protected health information. Two of the incidents involved electronic devices and two involved paper records. The mean breach size was 7,799 records and the median breach size was 3,237 records.

Phishing continues to be the most common cause of healthcare data breaches. Seventeen of the healthcare data breaches reported in November involved PHI stored in email accounts, and the majority of those breaches were due to phishing attacks.

November 2019 Healthcare Data Breaches by Covered Entity Type

There were 28 healthcare provider data breaches reported in November and four breaches were reported by health plans. It was a good month for business associates, with only one breach reported, although a further two breaches had some business associate involvement.


November 2019 Healthcare Data Breaches by State

Data breaches were reported by covered entities in 19 states. California was the worst affected with 4 breaches, followed by Illinois, Missouri, New York, and Texas with three breaches each. Two breaches were reported by covered entities in Florida, North Carolina, and Pennsylvania, and there was one reported breach in each of Alaska, Arizona, Colorado, Connecticut, Indiana, Maryland, Michigan, Minnesota, Nebraska, Utah, and Virginia.

HIPAA Enforcement in November 2019

There were three financial penalties imposed on HIPAA-covered entities in November to resolve HIPAA violations.

University of Rochester Medical Center (URMC) settled its HIPAA violation case with OCR for $3,000,000. OCR launched an investigation after receiving two notifications about breaches due to lost or stolen devices. OCR investigated URMC in 2010 after the first device was lost and provided technical assistance. At the time, URMC recognized the high risk of storing ePHI on devices and the need for encryption, yet this was not implemented, and unencrypted portable electronic devices continued to be used. When OCR investigated the subsequent theft of a laptop computer, its investigators found URMC had failed to conduct an organization-wide risk analysis, risks had not been reduced to a reasonable and appropriate level, and URMC had not implemented appropriate device media controls.

Sentara Hospitals agreed to settle its HIPAA violation case with OCR for $2,175,000. OCR launched a compliance investigation in response to a complaint from a patient in April 2017. The patient had received a bill from Sentara containing another patient’s protected health information. Sentara Hospitals reported the breach as affecting 8 individuals, but OCR found that 577 letters had been misdirected to 16,342 different guarantors. Sentara Hospitals refused to update its breach report with the new total. OCR also found Sentara Hospitals had failed to enter into a business associate agreement with one of its vendors.

A substantial financial penalty was also imposed on the Texas Department of Aging and Disability Services (DADS). DADS had reported a breach of 6,617 patients’ ePHI to OCR in 2015. An error in a web application allowed ePHI to be accessed over the internet by individuals who were not authorized to view the data. The ePHI had been exposed for around 8 years. OCR investigated and found that DADS had failed to conduct an organization-wide risk analysis, lacked access controls, and had failed to monitor information system activity. DADS settled the HIPAA violation case and paid a penalty of $1.6 million.

The post November 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Poor RSA Encryption Implementation Opens Door to Attacks on Medical Devices and Implants

Encryption renders data inaccessible to unauthorized individuals, provided strong encryption is used and the private key needed to decrypt the data is not compromised.

Not all algorithms provide the same level of protection. The strength of encryption relies on the length of the key. The longer the key, the more computational power is required to break the encryption. When strong encryption is used, the computing power and time required to break the encryption renders the data virtually inaccessible.

DES was once considered a strong form of encryption, but the computing power now available makes cracking it possible even on relatively inexpensive computers. DES used 56-bit keys, which were fine in the 1970s, but today such keys are nowhere near long enough. Strong encryption today is generally considered to require 256-bit keys, such as those used by the AES algorithm. With AES-256, for the time being at least, sensitive data can be adequately secured. Provided the key is not disclosed, encrypted data cannot be accessed.

RSA is an alternative encryption standard that is commonly used to protect sensitive data. It is an asymmetric cryptographic algorithm that uses two keys: a private key and a public key. The public key can be given to anyone, as it cannot be used on its own to decrypt data; for that, the private key is also required.

The key’s modulus is generated by multiplying two random prime numbers. RSA keys are long and cannot easily be guessed or brute forced because of the level of computing power required. However, if errors are made when implementing RSA encryption, keys can be cracked with relative ease.

One of the problems that can arise is when RSA keys are not generated from truly random prime numbers. Errors in randomness weaken the encryption. A recent analysis of RSA certificates by Keyfactor has shown that in many IoT devices the prime factors used to generate the keys are not entirely random, which makes it much easier to deduce the private key.

In such cases, a considerable amount of computing power is still required, but not enough to make cracking the encryption sufficiently difficult. According to Keyfactor, all it would take is around $3,000 of compute time on a single Azure virtual machine to crack these weak keys. At such a low cost, threat actors may find it well worth the investment.

The researchers collected 175 million RSA certificates from the internet and ran a scalable GCD algorithm over them on their Azure VM. 75 million of those keys were actively used to encrypt traffic and 100 million were publicly available keys. Keyfactor’s analysis identified 435,000 RSA certificates that shared a prime factor with at least one other certificate. That equates to around 1 in 172 of the 75 million actively used certificates. Keyfactor was able to break all 435,000 certificates for less than $3,000 in Azure compute time.

Shared factors are mostly found in lightweight IoT devices, because such devices do not have sufficient entropy to generate truly random numbers and lack the processing power to compensate. The random numbers used are therefore predictable. Once the two prime numbers used to generate a key are discovered, the private key can be derived.

“Lightweight IoT devices are particularly prone to being in low entropy states due to the lack of input data they might receive, as well as the challenge of incorporating hardware-based random number generation economically,” explained Keyfactor. “Keys generated by lightweight IoT devices are therefore at risk of not being sufficiently random, increasing the chance that two keys share a factor and allow the key to be broken.”

One example they found involved an 8,192-bit RSA key. That key is extremely large, so it should not have been possible to recover it no matter how much time was devoted to the task. Yet recover it they did. The length of the key was fine, but since one of its prime factors was not truly random and was shared with another key, the key’s length was irrelevant.
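The shared-factor check described above can be run defensively over an organization’s own certificate inventory. The following is an added example written for this page, not Keyfactor’s tooling or any code from the original post: a standard-library Python implementation of batch GCD (Bernstein’s product-tree/remainder-tree method) that finds every modulus sharing a prime with another modulus in the set. The moduli are constructed toy values built from 5-digit primes, two of which deliberately share a prime to stand in for a low-entropy key generator; the function names are the example’s own. Like the research, the check does not depend on key length, which is why the 8,192-bit key was no safer than any other.

```python
"""Batch-GCD audit for RSA moduli: flag public keys that share a prime factor.

Added example (not Keyfactor's tooling). Given a list of RSA moduli, e.g. the n
values extracted from a device fleet's certificates, it runs Bernstein's
product-tree / remainder-tree batch GCD so that every modulus is tested against
the product of all the others in quasi-linear time instead of O(N^2) pairwise
gcd calls. Any modulus whose result is greater than 1 shares a prime with
another key in the set, and that key must be treated as compromised.
"""
from math import gcd


def product_tree(values):
    """Return the levels of a product tree; level 0 is the input list."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        parents = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                parents.append(level[i] * level[i + 1])
            else:
                parents.append(level[i])  # odd element is carried up unchanged
        tree.append(parents)
    return tree


def batch_gcd(moduli):
    """For each modulus n_i return gcd(n_i, product of all the other moduli)."""
    if not moduli:
        return []
    tree = product_tree(moduli)
    # Remainder tree: walk down from the full product P, reducing modulo x^2 at
    # each node; at the leaves this yields P mod n_i^2 for every modulus.
    remainders = tree[-1]
    for level in reversed(tree[:-1]):
        remainders = [remainders[i // 2] % (x * x) for i, x in enumerate(level)]
    # (P mod n_i^2) / n_i == (product of the others) mod n_i, so its gcd with
    # n_i is exactly the factor (if any) that n_i shares with the rest.
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]


def find_weak_keys(moduli):
    """Map each modulus that shares a factor with another key to that factor.

    A result equal to the modulus itself means the whole key is duplicated in
    the set (or both primes are shared); it is reported the same way.
    """
    return {n: g for n, g in zip(moduli, batch_gcd(moduli)) if g != 1}


# Constructed sample fleet: five toy RSA moduli built from 5-digit primes (real
# keys are 2048 bits or more; the algorithm is identical, only the integers are
# bigger). Keys 4 and 5 simulate a low-entropy generator that produced 10069 twice.
SAMPLE_MODULI = [
    10007 * 10009,
    10037 * 10039,
    10061 * 10067,
    10069 * 10079,  # shares the prime 10069 with the next key
    10069 * 10091,
]

if __name__ == "__main__":
    weak = find_weak_keys(SAMPLE_MODULI)
    for n, factor in weak.items():
        print(f"modulus {n} shares prime factor {factor}: key compromised")
    print(f"{len(weak)} of {len(SAMPLE_MODULI)} keys are weak")
```

In a real audit the moduli would be read from the fleet’s certificates (for example, the `public_numbers().n` value of an RSA public key loaded with the `cryptography` package) and any flagged certificate revoked and reissued from a device or service with a properly seeded random number generator.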

A threat actor holding the derived private key cannot be distinguished from the genuine private key holder, which opens the door to man-in-the-middle attacks, data tampering, and data theft.

This has major implications for a wide range of industries that use large numbers of IoT devices, healthcare included. Many medical devices and implants have low entropy, so their encryption could be cracked and data obtained for a relatively small investment.

“The findings are alarming. The research finds inordinate rates of compromise impacting IoT devices with design constraints and limited entropy,” Keyfactor CTO Ted Shorter said. “These devices could include cars, medical implants and other critical devices, that if compromised, could result in life-impacting harm.”

Making existing IoT devices more secure is a major challenge. It may not be possible to patch affected IoT devices and if they lack sufficient processing power, they will remain insecure. The solution is to build sufficient entropy into the devices to ensure truly random factors are used to generate strong RSA keys.

The post Poor RSA Encryption Implementation Opens Door to Attacks on Medical Devices and Implants appeared first on HIPAA Journal.

$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential violations of the HIPAA Right of Access and will adopt a corrective action plan and bring its policies and procedures in line with the requirements of the HIPAA Privacy Rule.

In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The complainant alleged that Korunda Medical refused to send an electronic copy of her medical records to a third party and was overcharging patients for providing copies of their medical records. Under HIPAA, covered entities are only permitted to charge a reasonable, cost-based fee for providing access to patients’ protected health information.

The initial complaint was filed with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access and closed the complaint. Four days later, a second complaint was received which demonstrated continued noncompliance with the HIPAA Right of Access. On May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been launched. As a result of OCR’s intervention, the complainant was provided with a copy of her medical records free of charge. Continued noncompliance with the HIPAA Right of Access resulted in a $85,000 financial penalty for Korunda Medical.

“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,” said OCR Director, Roger Severino.

The HIPAA Right of Access Initiative is a HIPAA enforcement drive to ensure HIPAA-covered entities are providing patients with copies of their medical records in a timely manner, in the format of their choosing, and without being overcharged. The first enforcement action under this initiative was announced in September 2019, when Bayfront Health St Petersburg was also required to pay a financial penalty of $85,000 to resolve HIPAA Right of Access failures.

This is the ninth HIPAA enforcement action of 2019. OCR has settled 8 HIPAA violation cases this year and has issued one civil monetary penalty, with the financial penalties ranging from $10,000 to $3 million. So far in 2019, $12,209,000 has been paid to OCR to resolve HIPAA violations.

The post $85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures appeared first on HIPAA Journal.

Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices

A Colorado IT firm that specializes in providing managed IT services to dental offices has been attacked with ransomware. Through the firm’s systems, more than 100 dental practices have also been attacked and have had ransomware deployed.

The attack on Englewood, CO-based Complete Technology Solutions (CTS) commenced on November 25, 2019. According to a report on KrebsonSecurity, CTS was issued with a ransom demand of $700,000 for the keys to unlock the encryption. The decision was taken not to pay the ransom.

In order to provide IT services to the dental practices, CTS is able to log on to their systems using a remote access tool. That tool appears to have been abused by the attackers, who used it to access the systems of all of its clients and deploy Sodinokibi ransomware.

Some of the dental practices impacted by the attack have been able to recover data from backups, specifically, dental practices that had a copy of their backup data stored securely offsite. Many dental practices are still without access to their data or systems and are turning patients away due to ongoing system outages.

KrebsonSecurity reports that some of those practices are trying to negotiate with the attackers to obtain keys to unlock their own data.

Recovery has been complicated in some cases by the presence of multiple ransom notes and file extensions, which meant that paying the ransom demand only recovered some of the encrypted data, and further payments were needed for additional keys to unlock the remaining files. Black Talon Security told KrebsonSecurity that one dental practice had 50 devices encrypted and received more than 20 ransom notes. Multiple payments had to be made to recover records.

The attack is similar to the one that was conducted on the Wisconsin firm PerCSoft, through which around 400 dental offices were attacked with ransomware in August 2019. PerCSoft provides digital data backup services for dental offices. Sodinokibi ransomware was also used in that attack.

It is becoming increasingly common for ransomware gangs to target managed service providers. A single attack on a managed service provider can allow the attackers to attack hundreds of other companies, making the returns far higher.

A recent report by Kaspersky Lab also confirmed that ransomware attackers are targeting backups and Network Attached Storage (NAS) devices to make it much harder for victims to recover their files for free without paying the ransom.

The latest attack shows just how important it is not only to ensure that backups of all critical data are made, but why it is essential for at least one copy of a backup to be stored securely off site, on a non-networked device that is not accessible over the internet.

The post Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices appeared first on HIPAA Journal.

Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018

Cyberattacks on healthcare organizations have increased in frequency and severity in the past year, according to recently published research from Malwarebytes.

In its latest report – Cybercrime Tactics and Techniques: The 2019 State of Healthcare – Malwarebytes offers insights into the main threats that have plagued the healthcare industry over the past year and explains how hackers are penetrating the defenses of healthcare organizations to gain access to sensitive healthcare data.

Cyberattacks on healthcare organizations can have severe consequences. As we have seen on several occasions this year, attacks can cause severe disruption to day-to-day operations at hospitals, often resulting in delays in healthcare provision. In at least two cases, cyberattacks have resulted in healthcare organizations permanently closing their doors, and a recent study has shown that cyberattacks contribute to an increase in heart attack mortality rates. Even though the attacks can cause considerable harm to patients, they are increasing in frequency and severity.

Malwarebytes data shows the healthcare industry was the seventh most targeted industry sector from October 2018 to September 2019, but if the current attack trends continue, it is likely to be placed even higher next year.

Healthcare organizations are an attractive target for cybercriminals because they store a large volume of valuable data in EHRs, often combined with the lack of a sophisticated security model. Healthcare organizations also have a large attack surface to defend, with large numbers of endpoints and other vulnerable networked devices. Given the relatively poor defenses and the high value of healthcare data on the black market, it is no surprise that the industry is so heavily targeted.

Detections of threats on healthcare endpoints were up 45% in Q3 2019, increasing from 14,000 detections in Q2 to 20,000 in Q3. Threat detections in the first three quarters of 2019 are also up 60% compared to all of 2018.

Many of the detections in 2019 were Trojans, notably Emotet in early 2019 followed by TrickBot in Q3. TrickBot is currently the biggest malware threat in the healthcare industry. Overall, Trojan detections were up 82% in Q3 from Q2, 2019. These Trojans give attackers access to sensitive data but also download secondary malware payloads such as Ryuk ransomware. Once data has been stolen, ransomware is often deployed.

Trojan attacks tend to be concentrated on industry sectors with large numbers of endpoints and less sophisticated security models, such as education, government, and healthcare. Trojans are primarily spread through phishing and social engineering attacks, exploits of vulnerabilities on unpatched systems, and as a result of system misconfigurations. Trojans are by far the biggest threat, but there have also been increases in detections of hijackers, which are up 98% in Q3, while riskware detections increased by 85%, adware detections were up 34%, and ransomware detections increased by 15%.

Malwarebytes identified three key attack vectors that have been exploited in the majority of attacks on the healthcare industry in the past year: Phishing, negligence, and third-party supplier vulnerabilities.

Due to the high volume of email communications between healthcare organizations, doctors, and other healthcare staff, email is one of the main attack vectors and phishing attacks are rife. Email accounts also contain a considerable amount of sensitive data, all of which can be accessed following a response to a phishing email. These attacks are easy to perform as they require no code or hacking skills. Preventing phishing attacks is one of the key challenges faced by healthcare organizations.

The continued use of legacy systems, which are often unsupported, is also making attacks far too easy. Unfortunately, upgrading those systems is difficult and expensive, and some machines and devices cannot be upgraded. The problem is likely to get worse with support for Windows 7 coming to an end in January 2020. The slow rate of patching is why Malwarebytes is still detecting WannaCry ransomware infections in the healthcare industry. Many organizations have still not patched the SMB vulnerability that WannaCry exploits, even though a patch was released in March 2017.

Negligence is also a key problem, often caused by the failure to prioritize cybersecurity at all levels of the organization and to provide appropriate cybersecurity training to employees. Malwarebytes notes that investment in cybersecurity is increasing, but it often doesn’t extend to bringing in new IT staff and providing security awareness training.

As long as unsupported legacy systems remain unpatched and IT departments lack the appropriate resources to address vulnerabilities and provide end user cybersecurity training, cyberattacks will continue and the healthcare industry will continue to experience high numbers of data breaches.

The situation could also get a lot worse before it gets better. Malwarebytes warns that new innovations such as cloud-based biometrics, genetic research, advances in prosthetics, and a proliferation in the use of IoT devices for collecting healthcare information will broaden the attack surface even further. That will make it even harder for healthcare organizations to prevent cyberattacks. It is essential for these new technologies to have security baked into the design and implementation or vulnerabilities will be found and exploited.

The post Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018 appeared first on HIPAA Journal.

$2.175 Million HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 8th HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle potential violations of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to address areas of noncompliance.

Sentara operates 12 acute care hospitals in Virginia and North Carolina and has more than 300 care facilities in both states. OCR launched a compliance investigation in response to a complaint from a patient on April 17, 2017. The patient had reported receiving a bill from Sentara containing another patient’s protected health information.

Sentara did report the breach to OCR, but the breach report stated that only 8 individuals had been affected, when in fact the mailing had been misdirected and 577 individuals had had some of their PHI impermissibly disclosed. OCR determined that those 577 patients had their information merged with 16,342 different guarantors’ mailing labels.

OCR advised Sentara that under the HIPAA Breach Notification Rule – 45 C.F.R. § 164.408 – notifications were required and that the breach total needed to be updated, but Sentara persisted in its refusal to update the breach report and issue notifications. Sentara maintained that since the bills only contained names, account numbers, and dates of service, and not diagnoses, treatment information, and other medical information, it did not constitute a reportable breach.

OCR also found that Sentara Hospitals provides services for its member covered entities but had not entered into a business associate agreement with its business associate until October 17, 2018.

Sentara Hospital’s parent organization and business associate, Sentara Healthcare, had been allowed to create, receive, maintain, and transmit PHI on its behalf without a BAA being in place. Sentara Hospitals had therefore not received satisfactory assurances that PHI would be safeguarded, in violation of 45 C.F.R. § 164.504(e)(2).

The corrective action plan requires Sentara Hospitals to revise its policies and procedures and ensure they are compliant with HIPAA Rules. Policies and procedures must be checked and revised at least annually, or more frequently if appropriate. OCR will be scrutinizing Sentara’s compliance efforts for a period of two years from the start date of the corrective action plan.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said OCR Director, Roger Severino. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

The latest settlement is another example of HIPAA violations being uncovered in response to complaints from patients rather than through data breach investigations. All it takes is for one patient to submit a complaint about a potential HIPAA violation for a compliance review to be launched. These investigations can occur at any time, which shows how important it is for healthcare organizations to ensure their policies and procedures fully meet the requirements of HIPAA.

So far in 2019, HIPAA-covered entities and business associates have paid $12,124,000 to OCR to resolve violations of HIPAA Rules.

The post $2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures appeared first on HIPAA Journal.

October 2019 Healthcare Data Breach Report

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches.

This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

Breached Entity | Entity Type | Individuals Affected | Type of Breach
Betty Jean Kerr People’s Health Centers | Healthcare Provider | 152,000 | Hacking/IT Incident
Kalispell Regional Healthcare | Healthcare Provider | 140,209 | Hacking/IT Incident
The Methodist Hospitals, Inc. | Healthcare Provider | 68,039 | Hacking/IT Incident
Children’s Minnesota | Healthcare Provider | 37,942 | Unauthorized Access/Disclosure
Tots & Teens Pediatrics | Healthcare Provider | 31,787 | Hacking/IT Incident
University of Alabama at Birmingham | Healthcare Provider | 19,557 | Hacking/IT Incident
Prisma Health – Midlands | Healthcare Provider | 19,060 | Hacking/IT Incident
South Texas Dermatopathology Laboratory | Healthcare Provider | 15,982 | Hacking/IT Incident
Central Valley Regional Center | Business Associate | 15,975 | Hacking/IT Incident
Texas Health Harris Methodist Hospital Fort Worth | Healthcare Provider | 14,881* | Unauthorized Access/Disclosure

The largest healthcare data breach in October was reported by Betty Jean Kerr People’s Health Centers and was the result of a ransomware attack. At the time of issuing notifications, files that were encrypted in the attack remained locked. The decision was taken not to pay the ransom demand, but it was not possible to restore files from backups. Those files contained the health information of 152,000 patients.

The Kalispell Regional Healthcare data breach was due to a May 2019 phishing attack. An initial investigation did not uncover the extent of the breach. The forensic investigation revealed in August that the health information of up to 140,209 patients may have been accessed.

The Methodist Hospitals, Inc. data breach was also the result of a phishing attack. The incident was reported in October, but the initial email account compromise occurred in March 2019. Two accounts were breached for a total of four months.

South Texas Dermatopathology Laboratory is the last healthcare organization to report that its patients have been impacted by the data breach at the collection agency, AMCA. Its 15,982 records take the total number of individuals impacted by the AMCA breach to 26,059,725.

*Also of note is the data breach at Texas Health Resources. The breach makes the top 10 list of the most healthcare records exposed, but it was more far-reaching than the table above shows. The Texas Health data breach involved a total of 82,577 records, but it was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single breach, the month’s total would stand at 38 breaches – two more than September.

Causes of October 2019 Healthcare Data Breaches

There were 18 hacking/IT incidents reported in October involving 501,847 healthcare records. The average breach size was 27,880 records and the median breach size was 9,413 records.

There were 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. The mean breach size was 4,813 records and the median breach size was 2,135 records. Those incidents include the 15 separate breach reports from Texas Health Resources.

There were 5 loss/theft incidents involving 13,454 records. The mean breach size was 2,350 records and the median breach size was 2,752 records. One improper disposal incident was reported involving 11,754 records.

Location of Breached Health Information

Phishing continues to cause problems for healthcare organizations. Not only are healthcare providers struggling to block phishing attacks, they are also not detected quickly when they do occur. Several phishing attacks have been reported that have taken weeks to discover.

Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred.

The high number of “other” breaches is due to the mailing error at Texas Health, which accounts for 15 of the 19 incidents in the “other” category.

The majority of the network server breaches were due to ransomware attacks, which included the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is possible, and that at least one backup copy is stored on a non-networked device that is not exposed to the internet.
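The Betty Jean Kerr case above is exactly the failure a restore test is meant to catch: a backup existed, but files could not be recovered from it. The script below is an added example, not code from HIPAA Journal or from any organization named in this report. It assumes file-level backups packaged as a tar.gz archive alongside a SHA-256 manifest (both are assumptions for the example), backs up a constructed sample directory, restores it to a scratch location, and checks every file against the manifest. It then runs the same check against a deliberately truncated copy of the archive to show that a backup which "exists" can still fail a restore test. The offline-copy part of the advice is an operational control and is not something this script can verify.

```python
"""Backup restore test: back up a directory, restore it to a scratch
location, and verify every restored file against a SHA-256 manifest.
Added example; sample data below is constructed, not real patient data.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large record sets are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src and a manifest next to it; return the manifest."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")  # store paths relative to the archive root
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore the archive into a throwaway directory and compare it to the manifest.

    Returns a report; 'ok' is True only if every manifest entry was restored
    with a matching hash and the extraction itself did not fail.
    """
    report = {"ok": False, "restored": 0, "missing": [], "mismatched": [], "error": None}
    try:
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)
            restored = build_manifest(Path(scratch))
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        # A corrupt or truncated archive typically fails here: the backup is unusable.
        report["error"] = f"restore failed: {exc}"
        return report

    report["restored"] = len(restored)
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["mismatched"].append(rel)
    report["ok"] = not report["missing"] and not report["mismatched"]
    return report


def run_demo() -> tuple:
    """Back up a constructed sample tree, verify it, then verify a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "records"
        (src / "2019").mkdir(parents=True)
        # Constructed sample content; no real identifiers.
        (src / "2019" / "billing.csv").write_text("account,date_of_service\nSAMPLE-0001,2019-10-01\n")
        (src / "README.txt").write_text("constructed sample data for a restore test\n")

        archive = tmp / "records.tar.gz"
        manifest = create_backup(src, archive)
        good = verify_restore(archive, manifest)

        # Simulate a damaged backup copy by truncating the archive to half its size.
        damaged = tmp / "records-damaged.tar.gz"
        data = archive.read_bytes()
        damaged.write_bytes(data[: len(data) // 2])
        bad = verify_restore(damaged, manifest)
        return good, bad


if __name__ == "__main__":
    good_report, bad_report = run_demo()
    print("intact archive:", good_report)
    print("truncated archive:", bad_report)
```

The useful part for a recovery plan is the second result: the truncated copy is still a file named like a backup, and only an actual restore attempt reveals that nothing usable comes back from it. Running this kind of check on a schedule, against the copy you would actually restore from, is what "tested to make sure data recovery is possible" means in practice.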

October 2019 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in October with 45 reported incidents. Three breaches were reported by health plans, and four breaches were reported by business associates of HIPAA-covered entities. A further four breaches also had some business associate involvement but were reported by the covered entity.

October 2019 Healthcare Data Breaches by State

October saw healthcare organizations and business associates in 24 states report data breaches. With 15 breach reports coming from Texas Health, Texas was unsurprisingly the worst affected state with 17 incidents.

There were 4 breaches reported by entities based in Ohio, three breaches reported in California, and two breaches reported in each of Arkansas, Florida, Louisiana, Maryland, New Mexico, South Carolina, and Virginia. A single breach was reported in each of Alabama, Arizona, Georgia, Illinois, Indiana, Kentucky, Minnesota, Missouri, Mississippi, Montana, New York, Oregon, South Dakota, and Washington.

HIPAA Enforcement Actions in October 2019

A further two financial penalties for HIPAA violations were announced by the HHS’ Office for Civil Rights in October: one settlement and one civil monetary penalty.

OCR launched an investigation of Elite Dental Associates following a complaint from a patient who had some of her PHI publicly disclosed in response to a Yelp review. OCR found she was not the only patient to have had PHI disclosed in that manner. OCR also determined that the practice’s notice of privacy practices did not include sufficient information and was therefore not compliant with the HIPAA Privacy Rule. Elite Dental Associates agreed to settle its HIPAA violation case with OCR for $10,000.

OCR launched an investigation of Jackson Health System following the disclosure of PHI in the media. A photograph of an operating room display had been published which contained the health information of two individuals, including a well-known NFL star. The OCR investigation uncovered multiple Privacy Rule, Security Rule, and Breach Notification Rule violations spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

The post October 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.