Latest HIPAA News

ONC and CMS Propose New Rules on Patient Access and Information Blocking

Posted by HIPAA Journal

On Monday, February 11, 2019, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) released new rules covering patient data access and information blocking.

The aim of the new rules is to advance interoperability and support the meaningful exchange and use of health information. The rules are intended to increase competition, encourage innovation, and give patients control over their health data.

One of the main goals is to make health information accessible via application programming interfaces (APIs). Currently consumers use a wide range of smartphone apps for paying bills and accessing information. It should be just as easy to gain access to healthcare data through apps and for healthcare data to be provided electronically at no cost.

One of the main requirements of the new rules is for healthcare providers and health plans to implement data sharing technologies that support the transition of care to new healthcare providers and health plans. Whenever a patient wishes to start seeing a new physician or wants to change to a new health plan, their health data should be seamlessly transferred.

The CMS rule proposes that by 2020, all healthcare organizations working with Medicare and Medicaid will be required to share health information and claims data with patients electronically via an API. This would make it easy for patents to change health plan and take their data with them. It will ensure that by 2020, 125 million patients will be able to receive their claims information electronically.

The ONC rule updates its conditions of certification, which require health IT developers to publish APIs that allow access to patient data without any special effort. The goal is for healthcare organizations to adopt standardized APIs to support the accessing of structured and unstructured health data via mobile devices.

The ONC rule implements the 21st Century Cure Act’s information blocking provisions and adds seven new exceptions to the information blocking rule – Actions and activities which are not classed as information blocking.

The new exceptions are:

  • Practices that prevent patients from being harmed
  • Practices that protect the privacy of electronic health information
  • Practices that ensure the security of electronic health information
  • Maintaining and improving health IT performance with user agreement
  • Recovering reasonable costs to allow the exchange, use, and accessing of electronic health information
  • Denying access, exchange, and use of electronic health information because it is unfeasible or would impose a substantial burden, which is unreasonable under the circumstances.
  • Licensing of technical artifacts to support the interoperability of electronic health information on reasonable and non-discriminatory terms

The ONC has proposed that healthcare providers found to be blocking information sharing should be named and shamed to discourage the practice and suggests that those organizations may also face financial penalties. “We are going to expose the bad actors who are purposely trying to keep patients from their own information,” explained CMS Administrator Seema Verma

Comments have also been requested on including pricing information along with electronic health information to allow patients to see exactly how much they are paying for their healthcare.

“These proposed rules strive to bring the nation’s healthcare system one step closer to a point where patients and clinicians have the access they need to all of a patient’s health information, helping them in making better choices about care and treatment,” said HHS Secretary Alex Azar. “By outlining specific requirements about electronic health information, we will be able to help patients, their caregivers, and providers securely access and share health information. These steps forward for health IT are essential to building a healthcare system that pays for value rather than procedures, especially through empowering patients as consumers.”

The post ONC and CMS Propose New Rules on Patient Access and Information Blocking appeared first on HIPAA Journal.

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns

Posted by HIPAA Journal

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps.

166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018.

This year’s survey revealed security incidents are a universal phenomenon in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security breach in the past 12 months. 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident.

In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations.

The most common actors implicated in security incidents were online scam artists (28%) and negligent insiders (20%). Online scam artists used tactics such as phishing, spear phishing, whaling, and business email compromise to gain access to healthcare networks and data. Online scam artists often impersonate senior leaders in an organization and make requests for sensitive data and fraudulent wire transfers.

Threat actors use a variety of methods to gain access to healthcare networks and patient data, although a high percentage of security breaches in the past 12 months involved email. 59% of respondents said email was a main source of compromise. Human error was rated as a main source of compromise by 25% of respondents and was the second main cause of security incidents.

HIMSS said it is not surprising that so many healthcare organizations have experienced phishing attacks. Phishing attacks are easy to conduct, they are inexpensive, can be highly targeted, and they have a high success rate. Email accounts contain a trove of sensitive information such as financial data, the personal and health information of patients, technical data, and business information.

Even though email is one of the most common attack vectors, many healthcare organizations are not doing enough to reduce the risk of attacks. The HIMSS Cybersecurity Survey revealed 18% of healthcare organizations are not conducting phishing simulations on their employees to reinforce security awareness training and identify weak links.

While email security can be improved, there is concern that by making it harder for email attacks to succeed, healthcare organizations will encourage threat actors to look for alternative methods of compromise. It is therefore important for security leaders to diligently monitor other potential areas of compromise.

The most common ways that human error leads to the exposure of patient data is posting patient data on public facing websites, accidental data leaks, and simple errors.

HIMSS explained that it is imperative to educate key stakeholders on IT best practices and to ensure those practices are adopted. Significant security incidents caused by insider negligence were commonly the result of lapses in security practices and protocols.

HIMSS suggests that additional security awareness training should be provided to all employees, not just those involved in security operations and management. Individuals in security teams should also be given additional training on current and emerging threats along with regular training to ensure they know how to handle and mitigate security threats.

Email attacks and the continued use of legacy (unsupported) systems such as Windows Server and Windows XP raise grave concerns about the security of the healthcare ecosystem.

69% of respondents said they continue to use at least some legacy systems. 48% are still using Windows Server and 35% are still using Windows XP, despite the security risks that those legacy systems introduce.

While it is encouraging to see that 96% of organizations conduct risk assessments, only 37% of respondents said they conduct comprehensive risk assessments. Only 58% assess risks related to their organization’s website, 50% assess third party risks, and just 47% assess risks associated with medical devices.

HIMSS suggests cybersecurity professionals should be empowered to drive change throughout the organization. “Rather than being “hermetically sealed off” from the rest of the organization they serve, cybersecurity professionals should be both a visible and integral part of the strategic planning and operational infrastructure of their organizations,” a feeling that was shared by 59% of respondents.

It is good to see that in response to the growing threat of attacks, healthcare organizations are allocating more of their IT budgets to cybersecurity. 72% of respondents said their budget for cybersecurity had increased by 5% or more or had remained the same.

You can download the 2019 HIMSS Cybersecurity Survey Report on this link (PDF).

The post HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns appeared first on HIPAA Journal.

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000.

Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital.

In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients.

In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information.

Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed patients’ ePHI over the internet. Patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information could all be accessed without a username or password.

OCR investigated the breaches and Cottage Health’s HIPAA compliance efforts. OCR determined that Cottage Health had failed to conduct a comprehensive, organization-wide risk analysis to determine risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(l)(ii)(A).

Risks and vulnerabilities had not been reduced to a reasonable and acceptable level, as required by 45 C.F.R. § 164.308(a)(l )(ii)(B).

Periodic technical and non-technical evaluations following environmental or operational changes had not been conducted, which violated 45 C.F.R. § 164.308(a)(8).

OCR also discovered Cottage Health had not entered into a HIPAA-complaint business associate agreement (BAA) with a contractor that maintained ePHI: A violation of 45 C.F.R. § 164.308(b) and 164.502(e).

In addition to the financial penalty, Cottage Health has agreed to adopt a 3-year Corrective Action Plan (CAP). The CAP requires Cottage Health to conduct a comprehensive, organization-wide risk analysis to determine all risks to the confidentiality, integrity, and availability of ePHI. Cottage Health must also develop and implement a risk management plan to address all security risks and vulnerabilities identified during the risk analysis. The risk analysis must be reviewed annually and following any environmental or operational changes. A process for evaluating environmental or operational changes must also be implemented.

Cottage Health must also develop, implement, and distribute written policies and procedures covering the HIPAA Privacy and Security Rules and must train all staff on the new policies and procedures. Cottage Health must also report to OCR annually on the status of its CAP for the following three years.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino. “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”

A Record Year for HIPAA Fines and Settlements

It has been a busy year of HIPAA enforcement for OCR. In 2018, 10 settlements have been agreed with HIPAA-covered entities and business associates in response to violations of HIPAA Rules and one civil monetary penalty has been issued. The 11 financial penalties totaled $28,683,400, which exceeded the previous record of $23,505,300 set in 2016 by 22%.

2018 also saw OCR agree the largest ever HIPAA settlement in history. Anthem Inc., settled alleged violations of HIPAA Rules for $16,000,000. The settlement was almost three times larger than the previous record – The $5.5 million settlement with Advocate Health Care Network in 2016.

Further Information: 2018 HIPAA Fines and Settlements

The post OCR Settles Cottage Health HIPAA Violation Case for $3 Million appeared first on HIPAA Journal.

EHR Vendor False Claims Act Violation Case Settled for $57.25 Million

Posted by HIPAA Journal

The Tampa, FL-based electronic health record (EHR) software developer Greenway Health LLC has agreed to settle violations of the False Claims Act with the Department of Justice for $57.25 million.

The case concerns Greenway Health’s EHR product Prime Suite. The DOJ alleged that by misrepresenting the capabilities of the product, users submitted false claims to the U.S. government. Further, Greenway Health was alleged to have provided unlawful remuneration to users to induce them to recommend the EHR product to other healthcare providers.

The U.S. government provided incentives to healthcare organizations to encourage them to transition to EHRs from paper records through the Meaningful Use program. Most healthcare providers have now made the change and now rely on EHR systems to support the healthcare decision process. It is therefore essential that EHR products allow patient health information to be recorded and transmitted accurately.

In order for healthcare providers to qualify for Meaningful Use payments, they must only use EHR products that have been certified as meeting certain criteria stipulated by the Department of Health and Human Services (HHS). In order to receive certification, EHR software developers must have their products tested by an independent, accredited testing laboratory authorized by the HHS. Certification is then provided by an official certification body.

Greenway Health was alleged to have falsely obtained 2014 Edition certification for Prime Suite by concealing the fact that the product did not fully comply with all HHS criteria, such as the use of standardized clinical terminology to ensure reciprocal flow of patient information and the accuracy of electronic prescriptions. Greenway Health was alleged to have modified its test-run software to deceive the company that certified Prime Suite into believing it used the requisite clinical vocabulary.

Healthcare providers who used Prime Suite needed to meet targets for EHR-related activities in order to receive Meaningful Use incentive payments. One such target was to provide a certain percentage of patients with clinical summaries after office visits. The 2011 Edition of Prime Suite did not accurately calculate the percentage of office visits for which users distributed clinical summaries and, as a result, it caused users to submit false claims. Greenway Health chose not to correct the error as by doing so its users would not qualify for Meaningful Use incentive payments.

Greenway Health was also alleged to have violated the Anti-Kickback Statute by paying money to users as an incentive to recommend the product to other healthcare providers.

“This resolution demonstrates our continued commitment to pursue EHR vendors who misrepresent the capabilities of their products, and our determination to promote public health while holding accountable those who seek to abuse the government’s trust,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division.

This is the second case against an EHR provider to have been pursued and resolved in the past two years. eClinicalWorks was also accused of covering up the failure of its platform to pass certification testing. eClinicalWorks paid $155 million to settle its case.

“These cases are important, not only to prevent theft of taxpayer dollars, but to ensure that the promise of health technology is realized in the form of improved patient safety and efficient healthcare information flow,” said United States Attorney Christina E. Nolan for the District of Vermont.

In addition to the financial penalty, Greenway Health has entered into a 5-year Corporate Integrity Agreement (CIA) with the HHS’ Office of Inspector General. Under the terms of the CIA, Greenway Health is required to retain an Independent Review Organization to assess its software quality control and compliance systems and to review arrangements with healthcare providers to ensure compliance with the Anti-Kickback Statute.

Greenway Health must also allow all users of Prime Suite to upgrade to the latest version of the platform at no additional charge and, if they so wish, allow customers to transfer their data to another EHR software provider without incurring penalties, service charges, or other contractual amounts owed in connection with the goods/services already provided.

The post EHR Vendor False Claims Act Violation Case Settled for $57.25 Million appeared first on HIPAA Journal.

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case

Posted by HIPAA Journal

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI.

Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S.

In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China.

An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers.

At the time it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights and still ranks as one of the top six healthcare data breaches of all time.

Following the breach, many lawsuits were filed by patients seeking compensation for the theft of their personal information. The lawsuits were consolidated into a single lawsuit, which survived attempts by CHS to have the case dismissed. A settlement has now been reached to resolve the lawsuit.

The settlement specifies two different payments for breach victims. Individuals who can prove they have incurred out-of-pocket expenses as a result of the breach and/or can show evidence of time lost securing their accounts, can claim up to $250 in compensation. Individuals who have suffered identity theft or fraud as a result of the breach can recover up to $5,000 in losses.

Legal fees totaling $900,000 have also been covered by the settlement agreement along with a payment of $3,500 for each representative class member.

In order to qualify for payment, a compensation claim must be submitted by August 1, 2019. Individuals who do not want to be included in the settlement and those who wish to file an objection, have until May 18 to notify CHS.

The settlement must still be assessed for fairness and approved by a judge. A hearing has been scheduled for August 13, 2019.

The post Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case appeared first on HIPAA Journal.

Aetna Settles HIV Status Breach Case with California AG for $935,000

Posted by HIPAA Journal

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy violation that exposed state residents’ HIV status.

On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates.  Approximately 12,000 individuals were sent letter, 1,991 of whom lived in California.

The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution.

In addition to the financial penalty, the settlement agreement requires Aetna to designate an employee to implement and maintain its mailing program, oversee compliance with state and federal laws, and the management of external vendors to ensure they handle medical data in compliance with state and federal laws and Aetna’s policies and procedures. Aetna is also required to complete an annual privacy risk assessment to evaluate compliance with the terms of the settlement for the next three years.

“A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry,” said Attorney General Bercerra. “Aetna violated the public’s trust by revealing patients’ private and personal medical information.”

The privacy violation has proven expensive for Aetna. In January 2018, Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200. Also in January, Aetna agreed to pay the New York Attorney General $1,150,000 to settle its case and resolve alleged HIPAA violations and breaches of state law.

A further $640,170.59 was paid to settle a multi-state action by Attorneys General in New Jersey, Connecticut, Washington, and the District of Columbia. The latest settlement brings the total financial penalties issued to date in relation to the breach to $2,725,170.59.

The post Aetna Settles HIV Status Breach Case with California AG for $935,000 appeared first on HIPAA Journal.

Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data

Posted by HIPAA Journal

The Oregon Health Information Property Act proposes patients should be allowed to give authorization to their healthcare providers to sell on their health data and to receive payment in exchange for allowing their data to be used by third parties.

Currently, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered entities are only permitted to use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. While there are some exceptions, other uses and disclosures are prohibited unless consent is first obtained from patients.

The HIPAA Privacy Rule covers PHI, which is identifiable patient information. If PHI is stripped of information that allow an individual to be identified, it is no longer considered PHI and is no longer subject to Privacy Rule controls. That means that if a HIPAA-covered entity de-identifies PHI, they can then sell that information on for profit. That information can be valuable to research organizations and other entities.

Senate Bill 703, dubbed the Oregon Health Information Property Act, is sponsored by Senator Floyd Prozanski (D-Eugene) and has the support of than 40 co-sponsors. Essentially, the bill would see consumers health information treated in a similar way to property and would allow them to profit from its sale.

The Oregon Health Information Property Act

The Oregon Health Information Property Act has three main components:

  1. It would require HIPAA-covered entities and their business associates and subcontractors to obtain a signed authorization from consumers before they de-identify PHI to sell on to third parties.
  2. Consumers could choose if they want to receive payment in exchange for giving authorization to allow their health data to be sold.
  3. The bill also prevents consumers from being discriminated against for refusing to sign an authorization or choosing to receive payment.

HIPAA-covered entities are able to profit from selling de-identified data so it is argued that patients should receive a cut of the payment; however, despite having attracted considerable support, concern has been voiced about the impact of these authorizations.

The bill, in its current form, does not place any limitations on the uses of health data once authorization has been provided. Information could therefore be used for a wide range of purposes once authorization has been given – Reasons that may not necessarily be listed on the authorization form.

The bill also makes no distinction between an individual’s protected health information, health information or de-identified data. By signing a form to receive a small payment, consumers would be relinquishing their privacy and important protections afforded by HIPAA, which could have various unintended repercussions.

The post Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data appeared first on HIPAA Journal.

New Cybersecurity Framework for Medical Devices Issued by HSCC

Posted by HIPAA Journal

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle.

The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector.

More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing Act of 2015.

“It is important for medical device manufacturers and health IT vendors to consider the JSP’s voluntary framework and its associated plans and templates throughout the lifecycle of medical devices and health IT because doing so is expected to result in better security and thus better products for patients,” explained HSCC.

Cybersecurity controls can be difficult to integrate into existing processes. Organizations often fail to recognize how important security controls are, and when considering how to enhance cybersecurity many do not know where to start or have insufficient resources to devote to the task. The framework helps by providing guidance on how to create a security policy and procedures that align with and integrate into existing processes.

HSCC is urging organizations to commit to implementing the JSP as it is believed that by doing so patient safety will be improved.

The JSP can be adopted by organizations of all sizes and stages of maturity and helps them enhance cybersecurity of medical devices by addressing key challenges. Many large manufacturers have already created similar cybersecurity programs to the JSP, so it is likely to be of most use for small to medium sized companies that lack awareness of the steps to take to improve cybersecurity as well as those with fewer resources to devote to cybersecurity.

The JSP utilizes security by design principles and identifies shared responsibilities between industry stakeholders to harmonize security standards, risk assessment methodologies, reporting of vulnerabilities, and improve information sharing between device manufacturers and healthcare providers. The JSP covers the entire lifecycle of medical devices, from development to deployment, management, and end of life. The JSP includes several recommendations including the incorporation of cybersecurity measures during the design and development of medical devices, handling product complaints related to cybersecurity incidents, mitigation of post-market vulnerabilities, managing security risk, and decommissioning devices at end of life.

The Medical Device and Health IT Joint Security Plan can be downloaded on this link.

The post New Cybersecurity Framework for Medical Devices Issued by HSCC appeared first on HIPAA Journal.

Analysis of 2018 Healthcare Data Breaches

Posted by HIPAA Journal

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR).

2018 Was a Record-Breaking Year for Healthcare Data Breaches

Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States.

The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year.

Healthcare data breaches 2009-2018

In 2018, 365 healthcare data breaches were reported, up almost 2% from the 358 data breaches reported in 2017 and 83% more breaches that 2010.

2018 was the worst year in terms of the number of breaches experienced, but the fourth worst in terms of the number of healthcare records exposed, behind 2015, 2014, and 2016. The last two years have certainly seen an improvement in that sense, although 2018 saw a 157.67% year-over-year increase in the number of compromised healthcare records.

healthcare records exposed 2009-2018

2018 Healthcare Data Breaches by Month

Healthcare data breaches in 2018 by month

Healthcare Records Exposed Each Month in 2018

records exposed in healthcare data breaches in 2018 by month

Largest 2018 Healthcare Data Breaches

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1  AccuDoc Solutions, Inc. Business Associate 2,652,537 Hacking/IT Incident
2 Iowa Health System d/b/a UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident
3 Employees Retirement System of Texas Health Plan 1,248,263 Unauthorized Access/Disclosure
4 CA Department of Developmental Services Health Plan 582,174 Theft
5 MSK Group Healthcare Provider 566,236 Hacking/IT Incident
6 CNO Financial Group, Inc. Health Plan 566,217 Unauthorized Access/Disclosure
7 LifeBridge Health, Inc Healthcare Provider 538,127 Hacking/IT Incident
8 Health Management Concepts, Inc. Business Associate 502,416 Hacking/IT Incident
9 AU Medical Center, INC Healthcare Provider 417,000 Hacking/IT Incident
10 SSM Health St. Mary’s Hospital – Jefferson City Healthcare Provider 301,000 Improper Disposal

Click for further information on the largest healthcare data breaches of 2018.

Causes of 2018 Healthcare Data Breaches

The biggest causes of healthcare data breaches in 2018 were hacking/IT incidents (43.29%) and unauthorized access/disclosures (39.18%), which together accounted for 82.47% of all data breaches reported in 2018. There were 42 theft incidents (11.5%) reported in 2018, 13 cases (3.56%) of lost PHI/ePHI, and 9 cases (2.47%) of improper disposal of PHI/ePHI.

Causes of 2018 Healthcare Data Breaches

There was a 5.33% annual increase in hacking/IT incidents – 158 breaches compared to 150 in 2017. While the number of hacking/IT-related breaches rose only slightly, the breaches were far more damaging in 2018 and resulted in the theft/exposure of 161.89% more healthcare records. The mean breach size of hacking/IT incidents in 2017 was 23,218 records and in 2018 it rose to 57,727 records in 2018 – A year-over-year increase of 148.63%.

2018 saw an even larger increase in unauthorized access/disclosure incidents. 14.4% more incidents were reported in 2018 than 2017 and 146.49% more healthcare records were exposed in unauthorized access/disclosure incidents than the previous year. The mean breach size of unauthorized access/disclosure incidents in 2017 was 9,893 records and 21,316 records in 2018 – An increase of 115.47%.

Loss, theft, and improper disposal incidents all declined in 2018. Loss incidents fell from 16 to 13 year-over-year (-18.75%), improper disposal incidents fell from 11 to 9 (-18.18%), and theft incidents fell from 56 in 2017 to 42 in 2018 (-25%).

While there was a reduction in the number of cases of theft and improper disposal year-over-year, the severity of those two types of breaches increased in 2018. The mean breach size of theft incidents rose from 6,908 records in 2017 to 16,605 records in 2018 – A rise of 140.37%. Improper disposal incidents increased from a mean of 2,802 records in 2017 to 37,794 records in 2018 – A rise of 1,248.82%.

There was a slight reduction in the severity of loss incidents, which fell from an average of 2,461 records in 2017 to 2,305 – A fall of 6.33%.

records exposed by breach cause

Location of Breached Protected Health Information

The breakdown of 2018 healthcare data breaches by the location of breached PHI highlights the importance of increasing email security and providing further training to healthcare employees. 33.42% of all healthcare data breaches in 2018 involved email. Those breaches include phishing attacks, other unauthorized email access incidents and misdirected emails.
While healthcare organizations may be focused on preventing cyberattacks and improving technical defenses, care must still be taken with physical records. There were 81 breaches of physical PHI such as charts, documents, and films in 2018. Paper/films were involved in 22.19% of breaches.

The next most common location of breached PHI was network servers, which were involved in 20.27% of breaches in 2018. These incidents include hacks, ransomware attacks, and malware-related breaches.

Location of Breached Protected Health Information

2018 Healthcare Data Breaches by Covered Entity Type

Given the relative percentages of healthcare providers to health plans, it is no surprise that more healthcare provider data breaches occurred. 74.79% of the year’s breaches affected healthcare providers, 14.52% occurred at health plans, and 10.68% affected business associates of HIPAA-covered entities.

2018 Healthcare Data Breaches by Covered Entity

Business associate data breaches were the most severe, accounting for 42% of all exposed/stolen records in 2018, followed by healthcare provider breaches and breaches at health plans.  The mean breach size for business associate data breaches was 140,915 records, 53,471 records for health plan data breaches, and 17,974 records for healthcare provider data breaches.

2018 Healthcare Data Breaches by Covered Entity (records)

States Worst Affected By 2018 Healthcare Data Breaches

Being the two most populated states, it is no surprise that California and Texas were the worst affected by healthcare data breaches in 2018. Only four states avoided healthcare data breaches in 2018 – New Hampshire, South Carolina, South Dakota, Vermont.

Number of Breaches State
38 California
32 Texas
19 Illinois
18 Florida
18 Massachusetts
16 New York
14 Missouri
11 Pennsylvania
10 Iowa, Michigan, Minnesota, Wisconsin
9 Maryland, Ohio, Oregon
8 Arizona, North Carolina, Virginia
7 Georgia, New Jersey, Tennessee, Washington
6 Colorado, Kansas, Nevada
5 Arkansas, Indiana, Nebraska, New Mexico, Utah
4 Connecticut, Kentucky
3 Alaska, Louisiana, Mississippi, Montana, Rhone Island
2 Alabama, District of Columbia, Oklahoma, Wyoming
1 Hawaii, Idaho, Maine, North Dakota, West Virginia
0 New Hampshire, South Carolina, South Dakota, Vermont

HIPAA Fines and Settlements in 2018

The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and has the authority to issue financial penalties for violations of Health Insurance Portability and Accountability Act (HIPAA) Rules. State attorneys general also play a role in the enforcement of HIPAA compliance and can also issue fines for HIPAA violations.

In 2018, OCR issued 10 financial penalties to resolve HIPAA violations that were discovered during the investigation of healthcare data breaches and complaints.

Summary of 2018 HIPAA Fines and Settlements

The financial penalties issued by OCR in 2018 totaled $25,683,400, making 2018 a record-breaking year for HIPAA penalties.

2018 HIPAA fines and penalties total

12 financial penalties were issued by state attorneys general over violations of HIPAA Rules.

You can read more about the – HIPAA fines and settlements in 2018 here.

The post Analysis of 2018 Healthcare Data Breaches appeared first on HIPAA Journal.