Latest HIPAA News

‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records

A major case of snooping on celebrity medical records has been reported: ‘dozens’ of healthcare workers have been fired from Chicago’s Northwestern Memorial Hospital for accessing the medical records of Jussie Smollett without authorization.

Jussie Smollett attended the hospital’s emergency room for treatment for injuries sustained in an alleged racially motivated attack by two men on January 29, 2019.

Following a police investigation into the alleged attack, Chicago Police Superintendent Eddie Johnson announced that the Empire actor had been arrested on February 21 and charged with disorderly conduct and filing a false police report. The police allege that the attack was a hoax and that it had been staged by Smollett as a publicity stunt.

Curiosity got the better of some employees at Northwestern Memorial Hospital who searched for Smollett on the hospital’s system, some of whom accessed his chart and viewed his medical records.

Accessing the medical records of patients without authorization is a violation of Health Insurance Portability and Accountability Act (HIPAA) Rules and can result in disciplinary action and, in certain cases, criminal penalties for the employees concerned.

Northwestern Memorial Hospital reviewed PHI access logs and took decisive action over the privacy violations. Employees found to have snooped on Smollett’s medical records were fired.

Northwestern Memorial Hospital has neither confirmed that Smollett was a patient nor provided information about the number of employees that have been terminated, stating that HIPAA prevents such information from being disclosed.

Some employees who were terminated have spoken to the media about the incident. CBS Chicago claims dozens of hospital employees have been terminated for the HIPAA violations, while NBC Chicago has reported there have been at least 50 terminations for snooping.

The post ‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records appeared first on HIPAA Journal.

HIPAA Compliance at Odds with Healthcare Cybersecurity

The College of Healthcare Information Management Executives (CHIME) has told Congress that complying with HIPAA Rules is not enough to prevent data breaches and HIPAA compliance can, in some cases, result in a lessening of healthcare cybersecurity defenses.

Russell P. Branzell, President and CEO of CHIME, and Shafiq Rab, CHCIO, Chair of the CHIME Board of Trustees, recently responded to a request for information (RFI) by Congress on ways to address rising healthcare costs.

In a March 1, 2019 letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP), they explained that the use of technology in healthcare helps to reduce costs and can, if harnessed correctly, improve efficiency as well as outcomes.

“Significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.”

The use of technology and data sharing are essential for improving the level of care that can be provided to patients, yet both introduce new risks to the confidentiality, integrity, and availability of healthcare data. While policies are being introduced to encourage the use of technology and improve interoperability, it is also essential for cybersecurity measures to be implemented to protect patient data. Any policy recommendations must also include security requirements.

“As we increase interoperability, additional threats to data integrity will arise. Without proper safeguards, the safe and secure transmission of sensitive data will continue to be a challenge and will hinder efforts to care outcomes,” wrote CHIME.

Healthcare organizations that comply with HIPAA Rules will have met the minimum standards for healthcare data privacy and security set by the HHS. That does not mean that HIPAA-compliant organizations are well protected against cyberattacks. HIPAA is complex and compliance requires a significant amount of resources. That can mean fewer resources are then available to tackle cybersecurity issues and protect against actual cyber threats.

Healthcare providers are devoting resources to meeting standards set by the HHS and its Office for Civil Rights (OCR), even though the measures introduced for HIPAA compliance may not address the most serious threats. As a result, their ability to protect patient data could be diminished rather than increased.

CHIME also pointed out that enforcement of compliance with HIPAA Rules, via breach investigations and compliance audits, is unduly punitive. OCR appears to be more focused on punishment than on helping healthcare providers recover from a breach, learn from it, and share the lessons learned with other healthcare organizations.

Healthcare providers should not have the burden of protecting PHI in areas outside their control. CHIME suggests safe harbors should be introduced “for organizations that demonstrate, and certify, cybersecurity readiness.” That may require amendments to the HITECH Act, along with a change to the language used for the definition of a breach so it no longer presumes guilt.

CHIME has also called for the HHS to issue better guidance for healthcare providers to help them assess threats that are within their control. Healthcare providers should not have full responsibility for protecting PHI outside of their domain. CHIME has also suggested that the balance of responsibility for security needs to be split more evenly between covered entities and their business associates.

When considering enforcement actions, OCR should assess the level of effort that has gone into protecting systems and PHI and policies should be pursued that reward healthcare providers for good faith efforts to prevent cyberattacks, such as demonstrating sufficient compliance with NIST’s Cybersecurity Framework (CSF).

These measures will help encourage healthcare providers to invest more in cybersecurity, which in turn will help to prevent more breaches and allow healthcare providers to avoid the high costs of mitigating those breaches, thus helping to reduce healthcare costs.


Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack

A new Moody’s Investors Service Report has revealed four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks.

Those four sectors were determined to have high risk exposure to cyberattacks. All four are heavily reliant on technology for day-to-day operations, distribution of content, or customer engagement. Increasing digitalization and interconnectedness within each sector and across different sectors is increasing cyber risk.

For the report, Moody’s assessed vulnerability to a cyberattack and the impact such an attack could have on critical business processes, disclosure of data, and reputation. Cybersecurity measures that had been deployed to protect against attacks were not considered for the report, unless mitigants had been applied uniformly across a sector – supply chain diversity, for instance. In total, 35 broad industry sectors were assessed and each was given a rating of low-risk, medium-risk, or high-risk.

The health insurance, pharmaceutical, and medical device industries were rated in the medium-risk category. Hospitals were rated high risk, primarily due to the sensitive and essential nature of data used by hospitals, the value of healthcare data to hackers, the increasing number of vulnerabilities introduced from connected medical devices, and the time it would likely take to recover from an attack and the disruption to the business while an attack was mitigated.

A successful cyberattack can be costly to mitigate. Breached entities have to increase investment in technology and infrastructure, cover the cost of regulatory fines and litigation, pay higher insurance premiums, and increase R&D spending. Attacks can also have serious reputational effects, including higher customer churn rates and a reduction in creditworthiness.

“We view cyber risk as event risk that can have material impact on sectors and individual issuers,” said Moody’s Managing Director Derek Vadala. “Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers’ financial profiles and business prospects.”

The financial impact of a cyberattack can be significant and long-lasting so it is important for businesses and organizations in the high-risk sectors to have “robust sources of liquidity” to weather the storm.

While larger hospitals are likely to have more financial resources to devote to mitigating threats and recovering from cyberattacks, they are not immune to attack and can still suffer a significant financial impact, especially considering many hospitals have not purchased cyber insurance due to the high cost.

Cyberattacks on businesses and organizations in high-risk sectors could potentially be catastrophic, which could have an impact on the ability of breached entities to pay back debts. Combined, the four high-risk industry sectors hold $11.7 trillion in rated debt.

In addition to the financial costs and damage to an entity that is attacked, cyberattacks in the high-risk sectors would likely have broad ripple effects and a far-reaching impact on other industry sectors.


Ransomware Attack Impacts 400,000 Patients of Columbia Surgical Specialists of Spokane

A ransomware attack on Columbia Surgical Specialists of Spokane in Washington has potentially allowed unauthorized individuals to access the protected health information of up to 400,000 patients.

The security breach was reported to the Department of Health and Human Services’ Office for Civil Rights on February 18, 2019 and is listed as a hacking/IT incident affecting a network server.

No breach notice has been published on the healthcare provider’s website at the time of writing, so little is known about the nature and extent of the attack. However, HIPAA Journal has learned that this was a ransomware incident that occurred on January 7, 2019.

The files encrypted by the ransomware are being recovered from backups and no ransom has been paid. Notifications will be sent to patients in due course.

Further information on the Columbia Surgical Specialists of Spokane breach will be posted here as and when it becomes available.

Mary Free Bed Rehabilitation Hospital Breach Impacts 4,755 Patients

Mary Free Bed Rehabilitation Hospital in Grand Rapids, MI, has announced that 4,755 patients have had some of their protected health information exposed as a result of a ransomware attack on its billing service provider, Wolverine Solutions Group.

Wolverine Solutions Group experienced a ransomware attack on September 25, 2018, although the hospital only learned the names of the patients whose PHI may have been compromised on February 6, 2019. Some healthcare clients were notified as early as November that their patients had been impacted by the breach, but due to the ongoing process of file recovery it has taken some time to determine all of the patients that have been affected. Wolverine Solutions has been issuing notifications based on rolling discovery dates.

The attack affected Wolverine Solutions’ systems which contained names, addresses, billing numbers, and insurance providers’ names. Around one quarter of affected Mary Free Bed patients also had their Social Security number exposed.

While PHI could have potentially been viewed, Wolverine Solutions Group believes the attack was conducted with the sole purpose of obtaining a ransom payment. However, since data access/theft could not be ruled out, Wolverine Solutions Group has offered affected individuals 12 months of credit monitoring and identity repair services without charge.

All Mary Free Bed Rehabilitation Hospital patients affected by the breach were sent notification letters by Wolverine Solutions on March 4, 2019.


New Jersey Expands Definition of Personal Information Requiring Breach Notifications

The New Jersey Assembly has unanimously passed a bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach.

New Jersey breach notification laws require businesses and public entities to send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account, credit card or debit card number when that number is accompanied by a password or code that allows the account to be accessed.

The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act expands the definition of personal information to include email addresses and usernames along with a password or answers to security questions that would allow accounts to be accessed.

The bill – A-3245 – was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. An identical bill – S-52 – was passed by the Senate and Assembly in 2018, but it was not signed by then state governor Chris Christie. Current state governor Phil Murphy is expected to sign the bill.

The bill closes a gap in current laws that would allow businesses to avoid notifying consumers of breaches of online information. If online accounts are compromised, criminals can gain access to a range of sensitive information that can be used for identity theft and fraud. If an online account can be accessed by someone else as a result of a data breach, consumers have the right to be informed so they can take steps to secure their accounts.

Under the new law, breach notifications can be mailed to consumers or electronic notices can be provided. A substitute breach notice can be issued if the cost of providing notices would exceed $250,000 or if more than 500,000 individuals have been affected. In such cases, breach victims should be emailed, and a notice should be posted in a prominent position on the company’s website.

However, a business or public entity that furnishes an email account is prohibited from issuing email notifications to breached accounts and must deliver notices by other means, such as providing a conspicuous notice when the user logs into their account from an IP address or location that has previously been used by the user to access their account.

Any business or public entity found to have willfully violated state data breach notification laws can be fined up to $10,000 for a first offense and up to $20,000 for any subsequent offenses. There is also a private right of action for individuals who have suffered ascertainable losses as a result of a data breach.


Nevada Senator Proposes New Federal Data Privacy Act

Nevada Senator Catherine Cortez Masto (D-NV) has introduced a bill – the Data Privacy Act – which calls for greater accountability and transparency for data collection practices, improved privacy protections for consumers, and the prohibition of discriminatory data practices.

HIPAA-covered entities are required to obtain consent from patients prior to using or disclosing their health information for reasons other than the provision of healthcare, payment for healthcare, or for healthcare operations. However, companies not bound by HIPAA Rules do not have the same restrictions in place.

In the absence of a federal law that provides such protections, several states have introduced or are considering introducing laws covering health and other sensitive data collected by entities that are not covered by HIPAA. While Congress is assessing privacy protections for consumers, protection is currently provided by a patchwork of state laws, so privacy protections can vary greatly depending on where a person lives.

The bill – The Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act – calls for GDPR-style data privacy protections to be introduced to limit the collection of personal data, to protect data that are collected, and to prevent personal data from being used to discriminate against individuals.

If the Data Privacy Act is passed, consumers will be given a greater say about the types of information that are collected, how that information is used, and with whom the information can be shared.

The Data Privacy Act calls for companies to provide consumers with a method of opting in or opting out of the collection and sharing of sensitive data, including biometric data, genetic information, and location data.

Consumers must be told what information will be collected, how it will be used, and with whom it will be shared. A process must be created that allows consumers to check the accuracy of their data, to request a copy of the information that has been collected, and to be provided with the option of transferring or deleting their data without any negative repercussions.

Restrictions will also be placed on the data that can be collected. Companies will only be permitted to collect data if there is a legitimate business reason for doing so and individuals whose data are collected must not be subjected to unreasonable privacy risks. The bill also aims to protect consumers from discriminatory targeted advertising practices based on race, sex, gender, sexual orientation, nationality, religious belief, or political affiliation.

Any company that collects the personal data of more than 3,000 individuals in a calendar year would be required to provide consumers with a notice of their privacy policies that describes how their data will be used.

Any business with annual revenues of more than $25 million will also be required to appoint a Privacy Officer, whose responsibilities will include training staff on data privacy.

The FTC and state attorneys general will be given the authority to enforce compliance with the new Act and issue financial penalties to companies found not to be in compliance.

The Data Privacy Act is intended to improve privacy protections for consumers without placing an unnecessary burden on small businesses.

“My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used,” said Cortez Masto. “I’m proud to introduce this legislation with my colleagues and will continue this fight to strengthen consumer privacy and data security.”


Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity

Senator Mark Warner (D-VA) has written letters to leaders of the Department of Health and Human Services (HHS), the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), the National Institute of Standards and Technology (NIST), and 12 healthcare associations requesting answers to a list of healthcare cybersecurity questions.

Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, is deeply concerned about the state of cybersecurity in healthcare and is calling for a collaborative effort “to develop a short- and long-term strategy reducing cybersecurity vulnerabilities in the health care sector” and “develop a national strategy that improves the safety, resilience, and security of our healthcare industry.”

The healthcare industry is being targeted by cybercriminals and those attacks are succeeding far too frequently. 2014 was the sixth successive year to see an annual increase in healthcare data breaches. In 2015 another record was broken: 113 million healthcare records were exposed that year, the most ever breached in a single year.

Even though investment in cybersecurity is increasing, records continue to be broken each year and data breaches have now reached unprecedented levels. 2016 saw the record for the most healthcare data breaches in a single year broken again, and again in 2017, and yet again in 2018. Last year, healthcare data breaches were reported at a rate of one a day. That trend is likely to continue unless action is taken.

[Chart: 2009-2018 healthcare data breaches]

In the letters, Warner cited a 2015 GAO report that estimated cyberattacks on the healthcare industry would result in $305 million in losses over a five-year period, and a Trend Micro report from the same year which suggested that 100,000 healthcare devices and systems had been exposed over the internet.

Healthcare data is of high value to cybercriminals and hospitals store vast quantities of patient data. Successful attacks can be extremely profitable, either through theft and resale of healthcare data or by preventing healthcare providers from accessing patient data through ransomware attacks. Cyberattacks cannot be prevented, but it is possible to improve resilience and stop most of those attacks from succeeding.

As a first step, Warner has asked each agency to supply details of the actions each has taken to identify and reduce vulnerabilities in the healthcare industry, and what each agency has done to develop a national strategy to reduce vulnerabilities. Warner wants to know whether each department and agency has been seeking input from private sector healthcare stakeholders to address vulnerabilities and any potential changes to current laws and regulations that would help to combat cyberattacks on healthcare entities.

Similar questions have been sent to healthcare associations and organizations including the Healthcare Information Management and Systems Society (HIMSS), the American Hospital Association (AHA), the American Medical Association (AMA), and the Health Information Sharing and Analysis Center (H-ISAC). They have been asked to explain the steps that they have taken to improve security awareness and their technical capabilities.

The sheer volume of successful cyberattacks has prompted state regulators to introduce new requirements for entities doing business in their respective states to improve security and privacy protections, but what is also required is a nationwide effort to improve privacy and security. Federal regulators and Congress are taking steps to develop a national cybersecurity strategy. Warner hopes that his efforts will help to speed up that process.


Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices

Several healthcare associations have requested a safe harbor for healthcare organizations that would prevent OCR and state attorneys general from issuing financial penalties for breaches of protected health information if the breached entity has met certain standards for safeguarding protected health information (PHI).

The suggestions were made in response to the Department of Health and Human Services’ request for information (RFI) on potential changes to HIPAA to reduce the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received more than 1,300 comments on possible changes prior to the February 12, 2019 deadline.

The safe harbor was suggested by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA).

Healthcare organizations can adopt cybersecurity frameworks, create layered defenses to keep their networks secure, provide security awareness training to employees, and adopt cybersecurity best practices, yet still experience a data breach.

OCR has already made it clear that its area of focus for enforcement is egregious violations of HIPAA Rules, such as widespread noncompliance and HIPAA-covered entities that have little regard for HIPAA Rules. However, all breaches of 500 or more records are investigated, and if HIPAA violations are discovered, financial penalties could be issued.

It has been argued that entities that have made reasonable efforts to keep patient information private and confidential should not be at risk of significant penalties.

CHIME suggested OCR should create “A safe harbor for providers who have demonstrated they are meeting a set of best practices such as those developed under the public-private effort known as the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).”

The AHA suggested healthcare organizations that experience cyberattacks should be provided with support and resources, and rather than punishing the breached entity, “Enforcement efforts should rightly focus on investigating and prosecuting the attackers.”

Most healthcare organizations take significant steps to prevent successful cyberattacks. The AHA said that when an attack occurs, an investigation is necessary to determine how access to systems and data was gained. Lessons can be learned, safeguards improved, and details of the vulnerabilities and threats should then be shared widely to allow other healthcare organizations to prevent similar attacks.

The AHA suggested there should be “A safe harbor for HIPAA covered entities that have shown, perhaps through a certification process, that they are in compliance with best practices in cybersecurity, such as those promulgated by HHS, in cooperation with the private sector.”

The AMA suggests that “OCR could revise [the HIPAA Security Rule] to include a new clause stating that covered entities that adopt and implement a security framework – such as the NIST Cybersecurity Framework – or take steps toward applying the Health Industry Cybersecurity Practices – the primary publication of the Cybersecurity Act of 2015 Task Group – are in compliance with the Security Rule.”

The AMA also suggests that OCR should change its approach to securing health information from issuing penalties for failures to providing positive incentives to encourage healthcare organizations to improve security and better protect health information.

CHIME stated that the current policy that calls for breaches to be reported and listed on the OCR breach portal in perpetuity is unduly punitive and that there should be a mechanism for removing breached entities from the listings once they have taken actions to correct vulnerabilities that contributed to the breach.

The HHS is now assessing all comments and feedback received in relation to its RFI and will determine which aspects of HIPAA Rules should be changed. A notice of proposed rulemaking will then be issued, although the HHS has not provided a time frame for doing so.


New York State Departments Investigate Facebook Over Health Data Sharing Practices

A recent analysis of Facebook’s data collection practices has revealed sensitive health data is obtained by Facebook from third party apps, even if the user has not logged in via Facebook or does not even have a Facebook account.

Private information including blood pressure measurements, heart rate data, menstrual cycle data, and other health metrics is provided to Facebook, often without the user’s knowledge or any specific disclosure that data provided by users or collected directly by the apps are shared with the social media platform.

The investigation was conducted by the Wall Street Journal, which conducted tests on various health-related apps. While it was known that some of those apps send data to Facebook about when they are used, the extent of data sharing was not well understood. The report revealed that 11 popular smartphone apps have been passing sensitive data to Facebook without apparently obtaining consent from users.

One app, Flo Period & Ovulation Tracker, shares dates of a user’s last period with Facebook and the predicted date when the user is ovulating. The Instant Heart Rate: HR Monitor App in the Apple iOS store was found to send users’ heart rate information to Facebook as soon as it is recorded. None of the apps that were found to be sharing sensitive data appeared to offer users a way of opting out of having their data sent to Facebook.

The WSJ report notes that while the data sent by these apps may be anonymous, Facebook could match the information with a particular Facebook user and use the data to serve them targeted ads.

The WSJ contacted Facebook for comment and received a reply confirming that some of the apps cited in its report appeared to be violating Facebook’s business terms. The platform does not permit app developers to send “health, financial information or other categories of sensitive information,” and it is the responsibility of the app developers to be clear to their users about the information that is being shared. A Facebook spokesperson told Reuters, “We also take steps to detect and remove data that should not be shared with us.”

New York Governor Instructs State Departments to Investigate Facebook

On Friday, February 22, 2019, New York State Governor Andrew M. Cuomo issued a press release stating that he has instructed the Department of State and the Department of Financial Services to investigate how Facebook is acquiring health data and other sensitive information from developers of smartphone apps and the alleged privacy violations and breaches of Facebook’s own business terms.

Cuomo said that if the findings of the WSJ are correct, it amounts to “an outrageous abuse of privacy.”

Cuomo is determined to hold companies responsible for upholding the law and ensuring the sensitive data of smartphone users is kept private and confidential. Personal data should not be shared with other companies without users’ express consent.

Cuomo is also calling for federal regulators to investigate and put an end to the practice to protect consumers’ rights.
