Latest HIPAA News

$74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit

In March 2015, the Seattle-based health insurer Premera Blue Cross announced it had experienced a major data breach that impacted around 10.6 million plan members. The breach occurred in 2014 and resulted in the theft of a broad range of data, including Social Security numbers, bank account information, and health data. The cyberattack is thought to have been conducted by an APT group operating out of China.

Shortly after the data breach was announced, several class action lawsuits were filed seeking damages for victims of the breach. More than 40 of those class action lawsuits were consolidated into a single class action lawsuit in the United States District Court in Oregon.

The lawsuit alleged the cybersecurity practices at Premera Blue Cross were insufficient and vulnerabilities were exploited by threat actors to gain access to the sensitive information of its plan members.

Premera Blue Cross has made the decision to settle the lawsuit and a $74 million settlement has been proposed. Under the terms of the settlement, Premera Blue Cross will pay $32 million to victims of the breach.

Most of the fund will cover the cost of an additional two years of credit monitoring and identity theft protection services. Victims of the data breach will also be able to claim back provable out-of-pocket expenses relating to the breach and can claim for the time spent remedying issues related to the breach.

A cash payment of up to $50 will be available to individuals who do not submit out-of-pocket expenses claims and up to $50 can be claimed as compensation by California residents under the California Confidentiality of Medical Information Act. The fund will also cover attorneys’ fees and administrative and notification costs.

The remaining $42 million will be invested by Premera Blue Cross in its information security program over the next three years. Some of the measures that Premera Blue Cross will be implementing are encryption for sensitive types of personal information, improved data security controls, annual third-party security audits, enhanced network logging and monitoring, and the migration of certain data into archived, secure databases with strict access controls. Premera Blue Cross will also be strengthening its passwords, enhancing email security, and will reduce employee access to sensitive data.

Premera Blue Cross has already taken steps to improve security and has recently achieved HITRUST certification. HITRUST certification demonstrates the ability of the company to identify risks, protect data, detect cyberattacks, and respond to data breaches.

“Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state and federal regulators and their information security experts,” said Premera’s Executive Vice President and Chief Information Officer, Mark Gregory. “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack.”

The settlement agreement will resolve the litigation with no admission of wrongdoing by Premera Blue Cross nor any acceptance that harm has been experienced by victims of the breach.

“This is a great result that will provide real and meaningful relief to the class,” said Keith Dubanevich, interim liaison counsel for the plaintiffs. A motion for preliminary approval has already been filed. The settlement now awaits court approval.

The post $74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit appeared first on HIPAA Journal.

AMCA Data Breach Impacts 12 Million Quest Diagnostics Patients

A hacker has gained access to the systems of Elmsford, NY-based billing collections company American Medical Collection Agency (AMCA) and potentially viewed and copied the protected health information of 11.9 million patients of Quest Diagnostics.

Quest Diagnostics is one of the largest blood testing laboratories in the United States but is just one entity that uses AMCA services. It is possible that the breach could be much larger and impact patients of other healthcare organizations. At almost 12 million records, it is already the second largest healthcare data breach ever to be reported, behind Anthem’s 78.8 million record data breach of 2015.

The data breach first came to light in May 2019 when researchers at Gemini Advisory notified databreaches.net that they had discovered the payment card details of around 200,000 patients listed for sale on a darknet marketplace. Gemini Advisory determined that the credit card details came from AMCA and appeared to have been obtained between September 2018 and March 2019.

Gemini Advisory notified AMCA about the potential breach, although no response was received. The matter was then reported to law enforcement which contacted AMCA to confirm that a breach had occurred.

AMCA provides billing collection services to Optum360, which is a business associate of Quest Diagnostics and a unit of the health insurer UnitedHealth Group. AMCA notified Quest Diagnostics and the revenue cycle management vendor Optum360 about the breach on May 14, 2019.

AMCA said a breach had occurred that resulted in the exposure of patient data between August 1, 2018 and March 30, 2019. Computer forensics experts have been retained to investigate the breach and determine exactly how many patients have been affected; that investigation is ongoing. AMCA suspects around 11.9 million Quest patients have been impacted by the breach. AMCA also confirmed the compromised system contained data from entities other than Quest Diagnostics.

The hackers gained access to systems containing information such as names, personal information, Social Security numbers, financial information, and medical information, although no laboratory test results were compromised.

While Quest Diagnostics and Optum360 have been made aware of the scale of the breach, they have not yet received full information about the patients who have been affected. Quest Diagnostics also said it has not yet been able to verify the accuracy of the information provided by AMCA.

Quest Diagnostics has issued a statement saying it is working closely with Optum360 and will send notification letters to all affected individuals when AMCA provides full details of the breach.

40% of Healthcare Delivery Organizations Attacked with WannaCry Ransomware in the Past 6 Months

Healthcare organizations have been slow to correct the flaw in Remote Desktop Services that was patched by Microsoft on May 14, 2019, and a new report from cybersecurity firm Armis has revealed that many healthcare organizations have still not patched the Windows Server Message Block (SMB) flaw that was exploited in the WannaCry ransomware and NotPetya wiper attacks in May and June 2017.

The WannaCry attacks served as a clear reminder of the importance of prompt patching. Microsoft released patches for the vulnerability in March 2017. On May 12, 2017, the WannaCry ransomware attacks started. In the space of just a few days, more than 200,000 devices were infected in 150 countries.

The hackers behind the attack used the NSA exploits EternalBlue and DoublePulsar to spread the malware across entire networks. The National Health Service (NHS) in the UK was hit particularly badly due to the extensive use of legacy systems and the failure to apply patches promptly. Around one third of NHS Trusts in the UK were affected, 19,000 appointments had to be cancelled at a cost of around £20 million, and the cleanup cost was around £72 million.

Globally, the attacks are estimated to have cost $4 billion, with $325 million of that amount paid in ransoms to recover files that were encrypted by the ransomware.

WannaCry is still active and is being used in attacks around the globe, even though the attacks could be prevented by applying Microsoft’s MS17-010 patch.

According to the Armis report, around 40% of healthcare delivery organizations have experienced at least one WannaCry ransomware attack in the past 6 months. It is a similar story in manufacturing, where 60% of companies in the sector have experienced at least one attack in the past 6 months.

The problem is the continued reliance on legacy software. “In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions, and cannot be updated without complete remodeling,” said Armis VP of research, Ben Seri.

Searches on the Shodan search engine showed around 1.7 million devices are still vulnerable to attack, even though patches were released by Microsoft more than 2 years ago. Those devices are being attacked at an alarming rate.

According to Armis, attacks are taking place in 103 countries at a rate of around 3,500 devices per hour. Seri determined that around 145,000 devices are currently compromised.

Thanks to the identification and activation of a kill switch in May 2017, it was possible to prevent encryption, even on devices that had been compromised. While that prevented many organizations from having to pay the ransom, it did not mean the threat had been neutralized entirely. Several variants of the ransomware are now in use, some of which lack the kill switch.

In Q3 2018, 30% of all ransomware attacks involved WannaCry, and the United States has the highest number of attacks, with around 130,000 new attacks conducted every week.

All it takes is for one device to be infected with WannaCry. That device can then be used to move laterally and infect many other vulnerable devices on the network through the use of the DoublePulsar exploit.

The failure to apply patches due to having to rebuild systems is not the only problem. Seri explained that healthcare organizations often have a large number of unmanaged devices. Security agents have been turned off or uninstalled out of frustration, unsanctioned devices are connected to the network, and many IoT devices are allowed to connect to the network, even though they cannot have security agents installed. This creates a major blind spot for IT teams who are unable to monitor those devices and, in many cases, they have zero visibility into their existence.

Preventing attacks is straightforward in theory but time consuming and complicated in practice. Patches must be applied, however difficult the process. It is essential for IT teams to maintain an asset inventory of all devices that connect to the network, to monitor those devices, and to monitor networks for other unknown, suspicious, or misplaced devices.

Solutions also need to be implemented that monitor and protect unmanaged devices that lack security controls. “Healthcare and manufacturing environments are rampant with such devices from MRIs to infusion pumps to ventilators to industrial control devices, robotic arms, HMIs, PLCs, etc. Without such solutions, these devices, and consequently your entire network, are sitting ducks for any hacker,” explained Seri.

According to Seri, 70% of devices in healthcare are running old operating systems such as Windows 7. Seri points out that Windows 7 will reach end of life in 2020 and will no longer be supported, which will leave the healthcare industry even more vulnerable to attack.

The latest patch for the flaw in RDS is also not being applied, even though the flaw can be exploited remotely with no user interaction required in a WannaCry-style attack. As Seri explained, many organizations will not consider patching until an exploit is developed and attacks commence. Of course, by then, it may be too late.

Almost 1 Million Windows Devices Still Vulnerable to Microsoft BlueKeep RDS Flaw

More than two weeks after Microsoft issued a patch for a critical, wormable flaw in Remote Desktop Services, nearly 1 million devices have yet to have the patch applied and remain vulnerable. Those devices have also not had the recommended mitigations implemented to reduce the potential for exploitation of the flaw.

The vulnerability – CVE-2019-0708 – can be exploited remotely with no user interaction required and could allow a threat actor to execute arbitrary code on a vulnerable device, view, change, or delete data, install programs, create admin accounts, and take full control of the device. It would also be possible to then move laterally and compromise other devices on the network. Microsoft has warned that the vulnerability could be exploited via RDP and could potentially be used in another WannaCry-style attack.

Microsoft released patches for the vulnerability on May 14 and, due to the seriousness of the flaw, the decision was taken to also release patches for unsupported Windows versions. The flaw affects Windows XP, Windows 7, Windows 2003, Windows Server 2008, and Windows Server 2008 R2. Patches are available for all vulnerable systems.

Microsoft also detailed mitigations that could be implemented if the patch could not be promptly applied.

  • Disable RDP from outside the organization and limit its use internally
  • Block TCP port 3389 at the firewall
  • Implement Network Level Authentication (NLA)
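A host-side audit of the three mitigations listed above, added here as an example (it is not code from the HIPAA Journal article or from Microsoft's advisory). It reads the standard Terminal Server registry values and the local firewall rules for port 3389 and reports which mitigations are present; it does not check whether the patch itself is installed, since no update identifier is given here, and a host-level firewall rule is only a partial stand-in for blocking 3389 at the perimeter.

```powershell
# Added example: audit the three BlueKeep (CVE-2019-0708) mitigations named in the
# article on the local Windows host. Read-only; it changes nothing.
# Assumes an elevated PowerShell prompt; the Get-NetFirewall* cmdlets need the
# NetSecurity module (Windows 8 / Server 2012 and later), so the firewall check is
# skipped (reported as MISSING) on older hosts.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Is RDP disabled? fDenyTSConnections = 1 means inbound Remote Desktop is off.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpDisabled = ($deny -eq 1)

# 2. Is Network Level Authentication required? UserAuthentication = 1 on the RDP-Tcp
#    listener means the client must authenticate before a session is created, which
#    is what keeps unauthenticated traffic away from the vulnerable code path.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
            -ErrorAction SilentlyContinue).UserAuthentication
$nlaEnabled = ($nla -eq 1)

# 3. Is inbound TCP 3389 blocked? Look for an enabled inbound Block rule on that port.
#    This is the host firewall only; the article's mitigation is the network firewall.
$blocked = $false
if (Get-Command Get-NetFirewallPortFilter -ErrorAction SilentlyContinue) {
    $blocked = [bool](Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 3389 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and
                       $_.Direction -eq 'Inbound' -and
                       $_.Action -eq 'Block' })
}

# Report one line per mitigation. A patched host still benefits from NLA and from
# not exposing 3389 beyond where it is actually needed.
$results = [ordered]@{
    'RDP disabled (fDenyTSConnections=1)'       = $rdpDisabled
    'NLA required (UserAuthentication=1)'       = $nlaEnabled
    'Inbound TCP 3389 blocked by firewall rule' = $blocked
}
$results.GetEnumerator() | ForEach-Object {
    $status = if ($_.Value) { 'OK     ' } else { 'MISSING' }
    Write-Output ('[{0}] {1}' -f $status, $_.Key)
}
if (-not ($rdpDisabled -or $nlaEnabled -or $blocked)) {
    Write-Warning 'No BlueKeep mitigation detected on this host; prioritise the May 14, 2019 patch.'
}
```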

Due to the seriousness of the flaw, Robert Graham of Errata Security conducted a scan to determine how many devices had not yet been patched. Graham used the masscan port scanner and an additional scanning tool to scan the internet for systems that were still vulnerable to the BlueKeep vulnerability. Around 7 million systems were identified with port 3389 open, and 950,000 of those systems had not had the patch applied. All of those systems are vulnerable to attack and, if a worm-like exploit is developed, every one of them could be compromised.

While an exploit for the vulnerability does not appear to be in use in the wild as of yet, it is only a matter of time before one is developed and used to attack vulnerable devices. Several security firms claim to have already developed a workable exploit for the vulnerability, although they have not released that exploit publicly.

Graham has predicted an exploit will be developed by a threat actor and used in real world attacks in the next couple of months, although attacks could take place much sooner. Some evidence has already been found which suggests hackers are already searching for vulnerable devices. GreyNoise Intelligence identified several dozen hosts that are being used to scan the internet for unpatched devices.

All it takes is for one device to remain vulnerable to give an attacker a foothold in the network, after which many more devices could be compromised even if they are not vulnerable to BlueKeep.

Any healthcare organization that has yet to apply the patch or implement the recommended mitigations should do so as soon as possible to prevent the vulnerability being exploited.

0patch has also released a micropatch that can be applied to always-on servers, which means they can be protected without having to reboot the servers.

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000.

MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules.

Between May 7 and May 26, 2015, hackers gained access to a server containing data related to its NMC service. Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen.

A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in the lawsuit: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The plaintiffs’ investigation into the breach revealed hackers had exploited several vulnerabilities, MIE had poor password policies in place, and security management protocols had not been followed.

Under the terms of the consent judgement, in addition to the financial penalty, MIE must implement and maintain an information security program and deploy a security information and event management (SIEM) solution to allow it to detect and respond quickly to cyberattacks.

Data loss prevention technology must be deployed to prevent the unauthorized exfiltration of data, controls must be implemented to prevent SQL injection attacks, and activity logs must be maintained and regularly reviewed.

Password policies must be implemented that require the use of strong, complex passwords and multi-factor authentication and single sign-on must be used on all systems that store or are used to access ePHI.

Additional controls need to be implemented covering the creation of accounts that have access to ePHI. MIE must refrain from using generic accounts that can be accessed via the Internet and no generic accounts are allowed to have administrative privileges.

MIE is also required to comply with all the administrative and technical safeguards of the HIPAA Security Rule and states’ deceptive trade practices acts with respect to the collection, maintenance, and safeguarding of consumers’ protected health information. Reasonable security policies and procedures must be implemented and maintained to protect that information. MIE must also provide appropriate training to all employees regarding its information security policies and procedures at least annually.

In addition, MIE is required to engage a third-party professional to conduct an annual risk analysis to identify threats and vulnerabilities to ePHI each year for the next five years. A report of the findings of that risk analysis and the recommendations must be sent to the Indiana Attorney General within 180 days and annually thereafter.

The consent judgement has been agreed by all parties and resolves the alleged HIPAA violations and violations of state laws. The consent judgement now awaits court approval. The consent judgement can be found on the website of the Florida Office of the Attorney General (PDF).

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules.

On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate.

Business associates of HIPAA covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.

You can download the HHS Fact Sheet on direct liability of business associates on this link.

Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the HHS determined that the language of the HITECH Act called for a maximum financial penalty of $1.5 million for violations of an identical provision in a single year. That maximum penalty amount was applied across the four penalty tiers, regardless of the level of culpability.

A re-examination of the text of the HITECH Act in 2019 saw the HHS interpret the penalty requirements differently. The $1.5 million maximum penalty was kept for the highest penalty tier, but each of the other penalty tiers had the maximum possible fine reduced to reflect the level of culpability.

Subject to further rulemaking, the HHS will be using the penalty structure detailed in the infographic below.


Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000.

MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary.

Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days, between May 7 and May 26, 2015. A total of 239 of its healthcare clients were impacted by the breach.

OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules.

OCR discovered MIE had failed to conduct an accurate and thorough risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – a violation of the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(1)(ii)(A).

As a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI, in violation of 45 C.F.R. § 164.502(a).

MIE chose to settle the case with OCR with no admission of liability. In addition to paying a financial penalty, MIE has agreed to adopt a corrective action plan that requires a comprehensive, organization-wide risk analysis to be conducted and a risk management plan to be developed to address all identified risks and reduce them to a reasonable and acceptable level.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

While the settlement releases MIE from further actions by OCR over the above violations of HIPAA Rules, MIE is not out of the woods yet. In December 2018, a multi-state lawsuit was filed against MIE by 12 state attorneys general over the breach.

The lawsuit alleged there was a failure to implement adequate security controls, that known vulnerabilities had not been corrected, encryption had not been used, security awareness training had not been provided to staff, and there were post-breach failures at MIE. That lawsuit has yet to be resolved. It could well result in a further financial penalty for MIE.

This is OCR’s second financial penalty of 2019. Earlier this month, a $3,000,000 settlement was agreed with Touchstone Medical Imaging to resolve multiple HIPAA violations, several of which were related to the delayed response to a data breach.

PHI of 1.5 Million Individuals Exposed Online by Inmediata

In April, Inmediata, a provider of clearinghouse services to healthcare organizations, announced that the protected health information of certain patients had been exposed online as a result of a misconfigured setting on an internal web page.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 1,565,338 individuals had their PHI exposed. That makes the data breach the largest to be reported in 2019.

The information had been made available to employees through an internal web page, but the failure to configure that page correctly allowed the data to be made accessible over the internet without the need for authentication. The page was indexed by Google and patient information could be found through online searches.

The information had been provided by hospitals, health plans, and independent physicians and included names, addresses, dates of birth, gender, claims data and, for a small number of patients, Social Security numbers.

Inmediata immediately deactivated the web page when it was discovered that patient information had been exposed and a computer forensics firm was retained to conduct an investigation to determine whether any patient information had been accessed by unauthorized individuals during the time it was available online.

While the investigation did not uncover any evidence to suggest that information had been accessed or copied by unauthorized individuals, it was not possible to rule out unauthorized data access entirely.

Inmediata started sending breach notification letters to affected individuals on April 22, 2019. As if suffering such a large data breach was not bad enough, there were further impermissible disclosures of protected information in the breach response.

Individuals reported receiving breach notification letters addressed to other individuals. In addition, several individuals complained that it was not made clear who the company was and why it had their personal information.

You can read more about the mailing error on this link.