Latest HIPAA News

27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year

Posted by HIPAA Journal

According to a new report from Kaspersky Lab, 27% of healthcare employees said their organization had experienced at least one ransomware attack in the past five years and 33% said their organization had experienced multiple ransomware attacks.

In its report – Cyber Pulse: The State of Cybersecurity in Healthcare – Kaspersky lab explained that up until January 1, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights has been notified of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals.

The impact of those breaches can be serious for the organizations concerned. Not only can breaches result in millions of dollars in costs, they can permanently damage the reputation of a healthcare organization and can result in harm being caused to patients.

To investigate the state of cybersecurity in healthcare, Kaspersky Lab commissioned market research firm Opinion Matters to conduct a survey of healthcare employees in the United States and Canada to explore the perceptions of healthcare employees regarding cybersecurity in their organization. 1,758 U.S. and Canadian healthcare employees were surveyed.

81% of small healthcare organizations (1-49 employees), 83% of medium-sized healthcare organizations (50-249 employees), and 81% of large healthcare organizations (250+ employees) said they had experienced between 1 and 4 ransomware attacks.

The cost of mitigating ransomware and malware attacks is considerable. According to the Ponemon Institute/IBM Security’s 2018 Cost of a Data Breach Report, the average cost of a data breach has now risen to $3.86 million. Kaspersky Lab’s 2018 Cost of a Data Breach Report places the average cost at $1.23 million for enterprises and $120,000 for SMBs.

While cybersecurity is important for reducing financial risk, 71% of healthcare employees said it was important for cybersecurity measures to be implemented to protect patients and 60% said it was important to have appropriate cybersecurity solutions in place to protect people and companies they work with.

Even though healthcare organizations have invested heavily in cybersecurity, many employees lack confidence in their organization’s cybersecurity strategy. Only 50% of healthcare IT workers were confident in they cybersecurity strategy, that fell to 29% for management and doctors, 21% for nurses, 23% for finance department employees, and 13% for the HR department.

Many healthcare employees appear to have a false sense of security. Even though healthcare data breaches are being reported on a daily basis, 21% of respondents had total faith in their organization’s ability to prevent cyberattacks and did not believe they would suffer a data breach in the forthcoming year.

While 73% of surveyed employees said they would inform their security team if they received an email from an unknown individual requesting PHI or login credentials, 17% of employees said they would do nothing if they received such a request. 17% of employees also admitted to having received an email request from a third-party vendor for ePHI and provided the ePHI as requested.

“Healthcare companies have become a major target for cybercriminals due to the successes they’ve had, and repeatedly have, in attacking these businesses. As organizations look to improve their cybersecurity strategies to justify employee confidence, they must examine their approach,” explained Rob Cataldo, VP of enterprise sales at Kaspersky Lab. “Business leaders and IT personnel need to work together to create a balance of training, education, and security solutions strong enough to manage the risk.”

The post 27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year appeared first on HIPAA Journal.

Federal GDPR-Style Data Privacy Bill Introduced

Posted by HIPAA Journal

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz, (D-Hawai’i), introduced the Data Care Act.

The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm.

The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions.

As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data.

The bill would also require companies to disclose the names of the persons or companies to whom users’ personal data have been sold to and individuals/companies that have been licensed to use personal data.

There are notable differences between GDPR and the Data Care Act. The latter does not include the right to restrict or object to the processing of personal information, there are no data breach notification requirements, a Data Protection Officer does not need to be appointed, and there is no requirement for risk assessments related to high-risk processing activities.

If passed, the Data Care Act will be enforced by the Federal Trade Commission which will be given the authority to issue financial penalties to companies that fail to comply. State attorneys general will also be authorized to bring civil actions against firms for noncompliance.

GDPR failures can attract a maximum penalty of €20 million or 4% of global annual turnover, whichever is greater. The maximum penalty for Data Care Act violations is $16,500 per covered person.

The bill is primarily concerned with currently unregulated online companies, ISPs and FCC common carriers, although it also has implications for regulated industries such as the financial services and healthcare.

Health data will be covered by the Data Care Act in three categories: Health data related to the provision of medical services related to the physical and mental health of an individual; Health data processed in relation to the provision of health and wellness services; and health data that is derived from medical tests, including genetic and biological samples. The FTC will have the authority to further define the types of information classed as health data.

Individuals will be given the right to dispute the completeness of their personal health information, although according to the bill, “[The Data Care Act] does not preempt laws that address the collection, use, or disclosure of health information covered by the Health Insurance Portability and Accountability Act or financial information covered by Gramm-Leach-Bliley Act.”

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” explained Senator Schatz.

“For too long, Americans’ digital privacy has been far from guaranteed, and it is time for Congress to pass legislation providing comprehensive protections for personal information,” wrote the Center for Democracy and Technology in a press release announcing the publication of a discussion draft of the bill.

In addition to Senator Schatz, the bill has been co-sponsored by Senators Maggie Hassan (D-N.H.), Michael Bennet (D-Colo.), Tammy Duckworth (D-Ill.), Amy Klobuchar (D-Minn.), Patty Murray (D-Wash.), Cory Booker (D-N.J.), Catherine Cortez Masto (D-Nev.), Martin Heinrich (D-N.M.), Ed Markey (D-Mass.), Sherrod Brown (D-Ohio), Tammy Baldwin (D-Wis.), Doug Jones (D-Ala.), Joe Manchin (D-W.Va.), and Dick Durbin (D-Ill.).

The discussion draft of the bill can be downloaded from the Center for Democracy and Technology on this link.

The post Federal GDPR-Style Data Privacy Bill Introduced appeared first on HIPAA Journal.

OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a request for information (RFI) seeking comments from the public on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) Rules to promote coordinated, value-based healthcare.

OCR is seeking suggestions about changes to aspects of the HIPAA Privacy and Security Rules that are impeding the transformation to value-based healthcare and provisions of HIPAA Rules that are discouraging coordinated care between individuals and their healthcare providers.

HIPAA was first enacted 22 years ago at a time when few healthcare providers were using digital health records. While there have been updates to HIPAA over the years, many industry stakeholders believe further updates are necessary now that the majority of healthcare organizations have transitioned to digital health records.

Recently, the American Medical Informatics Association (AMIA) and American Health Information Management Association (AHIMA) explained to Congress that changes to HIPAA are required to improve patients’ access to their health data and to make it easier for that information to be shared with other healthcare providers and research organizations. Currently, aspects of the HIPAA Privacy Rule are discouraging providers from sharing data and patients are still have difficulty accessing their health information in a format that allows them to easily use and reuse their data.

OCR is encouraging the public to submit their comments to help OCR identify problem areas and remove regulatory obstacles that are hampering the transformation to value-based healthcare as well as aspects of HIPAA Rules that place an unnecessary burden on covered entities and their business associates which impede their ability to conduct care coordination and case management. However, changes can only be made to HIPAA Rules if they do not jeopardize the privacy and security of protected health information.

Specifically, OCR is seeking feedback on the following aspects of HIPAA Rules:

  • Changes to the HIPAA Privacy Rule to promote information sharing for treatment, care coordination, and/or case management which encourages, incentivizes, or requires HIPAA-covered entities to disclose PHI to other covered entities.
  • Changes to the HIPAA Privacy Rule to encourage healthcare providers and other covered entities to share treatment information with patients, their loved ones, and caregivers of adults in health emergencies, especially related to opioid misuse.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record (EHR) in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Changes to the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices.

Comments are also being sought from healthcare providers, business associates, and other covered entities along with answers to 54 questions detailed in the RFI.

The RFI will be published on December 14, 2018 and comments will be accepted for 60 days after the publication date. The RFI can be downloaded on this link.

The post OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing appeared first on HIPAA Journal.

30% of Healthcare Databases Misconfigured and Accessible Online

Posted by HIPAA Journal

A recent study by the enterprise threat management platform provider Insights has revealed an alarming amount of healthcare data is freely accessible online as a result of exposed and misconfigured databases.

While a great deal of attention is being focused on the threat of cyberattacks on medical devices and ransomware attacks, one of the primary reasons why hackers target healthcare organizations is to steal patient data. Healthcare data is extremely valuable as it can be used for a multitude of nefarious purposes such as identity theft, tax fraud and medical identity theft. Healthcare data also has a long lifespan – far longer than credit card information.

The failure to adequately protect healthcare data is making it far too easy for hackers to succeed.

Healthcare Organizations Have Increased the Attack Surface

The cloud offers healthcare organizations the opportunity to cut back on the costs of expensive in-house data centers. While cloud service providers have all the necessary safeguards in place to keep sensitive data secure, those safeguards need to be activated and configured correctly.

Healthcare organizations that have moved data to the cloud have increased the attack surface, yet a substantial percentage have not effectively managed the risks and have left healthcare data exposed.

The problem is not the use of the cloud, but “a lack of process, training, and cybersecurity best practices,” according to Insights. The problem is also not confined to the healthcare industry, as other industry sectors face the same problems, but healthcare organizations face greater risks as hackers are searching for healthcare data.

The Insights report concentrates on exposed healthcare databases which are increasingly being targeted by hackers due to the large volumes of valuable data that can be obtained and the ease of gaining access to those databases. Many are left totally unprotected. All hackers need to know is where to look.

Insights Identified 16,667 Exposed Medical Records Per Hour

For the study, the researchers looked at two commonly used technologies for handling medical records and well-known commercially available databases.

The researchers wanted to demonstrate just how easy it is to find healthcare data. They used no hacking techniques to find the exposed data, only Google and Shodan searches, technical documentation, subdomain enumeration, and educated guesses about the combination of sites, systems and data.

After 90 hours of research and evaluations of 50 databases, 15 exposed databases were found. Those databases contained 1.5 million health records. That’s a rate of 16,667 medical records per hour. Even with a conservative estimate of a price of $1 per medical record on the black market, that would mean a full-time hacker could earn $33 million per year.  Insights estimated 30% of healthcare databases are exposed online.

“Although our findings were not statistically significant, our [database exposure] rate of 30% is fairly consistent with what we’re seeing across all industries for exposed assets,” explained Insights in the report.

The researchers found healthcare data at rest and in motion. The researchers identified open Elasticsearch databases, which can be found using the search engine Shodan. One of those databases contained the records of 1.3 million patients. The records came from a large healthcare clinic in a major European capital city.

Unsurprisingly, given the number of cases of misconfigured MongoDB databases that have been discovered this year, the researchers found a misconfigured MongoDB database used by a Canadian healthcare provider.

In addition to databases, the researchers noted one healthcare provider was using vulnerable SMB services despite the recent WannaCry attacks and one U.S hospital was using an exposed FTP server. “FTP’s usually hold records and backup data and are kept open to enable backup to a remote site. It could be a neglected backup procedure left open by IT that the hospital doesn’t even know exists,” wrote Insights.

“Healthcare budgets are tight, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out. Healthcare organizations need to carefully balance accessibility and protection,” explained Insights analyst, Ariel Ainhoren.

The report – Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry – can be downloaded on this link.

The post 30% of Healthcare Databases Misconfigured and Accessible Online appeared first on HIPAA Journal.

Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400

Posted by HIPAA Journal

OCR has fined a Colorado hospital $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI.

Pagosa Springs Medical Center (PSMC) is a critical access hospital, part of the Upper San Juan Health Service District, which provides more than 17,000 hospital and clinic visits a year. As a HIPAA-covered entity, PSMC is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

One of the provisions of the HIPAA Privacy Rule is to limit access to protected health information to authorized individuals. When an employee is terminated, leaves the organization, or changes job role and is no longer required to have access to PHI, access rights must be terminated. The failure to terminate remote access is a violation of HIPAA Rules and could potentially result in an impermissible disclosure of ePHI.

On June 7, 2013, OCR received a complaint about a former employee of PSMC who continued to have remote access to a web-based scheduling calendar after leaving PSMC. OCR investigated and confirmed remote access to the calendar had continued and that the former employee had accessed the calendar on two occasions on July 8 and September 10, 2013 as a direct result of the failure to de-activate the former employee’s username and password. The calendar contained the electronic protected health information of 557 patients.

Further, the web-based calendar used by PSMC had been provided by a company (Google) that had not signed a business associate agreement with PSMC. Consequently, the use of the calendar in connection with ePHI constituted an impermissible disclosure. Without a BAA in place, PSMC had not received satisfactory assurances that Google would safeguard the ePHI contained in the calendar.

It should be noted that Google Calendar is now a “HIPAA compliant” calendar service, as it is included in Google’s BAA. However, unless a signed BAA is obtained by a covered entity prior to using the service in connection with any ePHI, it constitutes a HIPAA violation.

In addition to the financial penalty, PSMC has agreed to adopt a substantial corrective action plan to address all HIPAA compliance failures, including updating its security management and business associate agreement policies and procedures. Staff must also be trained on those new policies and procedures. The corrective action plan last for two years, during which time PSMC will have to submit annual reports to the HHS on whether it has met its compliance obligations.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino.  “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

The settlement sends a message to all HIPAA covered entities of the importance of ensuring access to ePHI is promptly terminated when it is no longer required and serves as yet another reminder of the importance of making sure that a BAA is entered into with all vendors prior to any disclosure of ePHI.

This is the second OCR financial penalty for a HIPAA violation to be announced this month and the tenth OCR HIPAA penalty of 2018.

The post Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400 appeared first on HIPAA Journal.

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

Posted by HIPAA Journal

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels: A violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.

The post EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach appeared first on HIPAA Journal.

DHS/FBI Issue Fresh Alert About SamSam Ransomware

Posted by HIPAA Journal

In late November, the Department of Justice indicted two Iranians over the use of SamSam ransomware, but there is unlikely to be any let up in attacks.

Due to the high risk of continued SamSam ransomware attacks in the United States, the Department of Homeland Security (DHS) and FBI have issued a fresh alert to critical infrastructure organizations about SamSam ransomware.

To date, there have been more than 200 SamSam ransomware attacks, most of which have been on organizations and businesses in the United States. The threat actors behind SamSam ransomware have received approximately $6 million in ransom payments and the attacks have resulted in more than $30 million in financial losses from computer system downtime.

The main methods of attack have been the use of the JexBoss Exploit Kit on vulnerable systems, and more recently, the use of Remote Desktop Protocol (RDP) to gain persistent access to systems. Access through RDP is achieved through the purchase of stolen credentials or brute force attacks.

Once access is gained, privileges are escalated to gain administrator rights. The threat actors then explore the network and deploy and execute the ransomware on as many devices as possible to maximize the disruption caused. A ransom demand is then placed on the desktop. Ransoms of between $5,000 and $50,000 are usually demanded, depending on the extent of encryption.

The FBI has analyzed the systems of many SamSam ransomware victims and has determined in many cases there has been previous unauthorized network activity unrelated to the SamSam ransomware attacks. This suggests the SamSam ransomware threat actors have purchased stolen credentials that have previously been used by other threat actors.

“Detecting RDP intrusions can be challenging because the malware enters through an approved access point,” explained DHS/FBI in the report, but there are steps that can be taken to make systems more secure.

Summary of DHS/FBI Advice to Improve Network Security

  • Audit the network for systems that use Remote Desktop Protocol for communications and disable RDP, if possible
  • Close open RDP ports on cloud-based virtual machine instances with public IPs, especially port 3389, unless there is a valid reason for keeping ports open
  • Adhere to cloud providers’ best practices for remote access to cloud-based VMs
  • Locate all systems with open RDP ports behind firewalls and ensure VPNs are used to access those systems remotely
  • Ensure third parties that require RDP access adhere to internal remote access policies
  • Enforce the use of strong passwords
  • Use multi-factor authentication, where possible
  • Ensure software is kept up to date and patches are applied promptly
  • Ensure all data are backed up regularly
  • Implement logging mechanisms that captured RDP logins and retain logs for 90 days. Review logs regularly for attempted intrusions
  • Where possible, disable RDP on critical devices and minimize network exposure for all control system devices
  • Regulate and limit external-to-internal RDP connections
  • Restrict user permissions, especially related to the use of unauthorized/unwanted software applications
  • Use spam filtering technology to scan all email attachments and make sure the attachment extensions match file headers
  • Disable file and printer sharing services where possible. If those services are required, use strong Active Directory authentication.

Technical details of four SamSam (MSIL/Samas.A) ransomware variants have been released (Alert: AA18-337A) to help network defenders protect against attacks.

The post DHS/FBI Issue Fresh Alert About SamSam Ransomware appeared first on HIPAA Journal.

AMIA and AHIMA Call for Changes to HIPAA to Improve Access and Portability of Health Data

Posted by HIPAA Journal

The American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA) have called for changes to HIPAA to be made to improve patients’ access to their health information, make health data more portable, and to better protect health data in the app ecosystem.

At a Wednesday, December 5, 2018, Capitol Hill briefing session, titled “Unlocking Patient Data – Pulling the Linchpin of Data Exchange and Patient Empowerment,” leaders from AMIA and AHIMA joined other industry experts in a discussion about the impact federal policies are having on the ability of patients to access and use their health information.

Currently, consumers have access to their personal information and integrate and use that information to book travel, find out about prices of products and services from different providers, and conduct reviews and comparisons. However, while many industries have improved access to consumer information, the healthcare industry is behind the times and has so far failed to implement a comparable, patient-centric system.

“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles,” said AMIA President and CEO Douglas B. Fridsma. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”

AHIMA CEO Wylecia Wiggs Harris said, “AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape… the language in HIPAA complicates these efforts in an electronic world.”

The P in HIPAA does stand for portability, yet patients are still struggling to obtain their health data in a usable form that allows them to share that information with other entities. Health data should be portable, as is the case with other types of consumer information. Changes to HIPAA legislation will help the healthcare sector catch up with other industries.

Changes to HIPAA Required to Support Access and Portability of Health Data

Both AMIA and AHIMA suggest HIPAA needs to be modernized to improve patient access to health data and two options were suggested. One option is the establishment of a new term – “Health Data Set” – that incorporates all data about a patient that is held by a HIPAA-covered entity or business associate, including clinical, biomedical, and claims information.

Alternatively, the definition of a Designated Record Set that is currently used in HIPAA legislation could be updated and for certified health IT to be required to provide that data set in electronic form and in a way that allows patients to use and reuse their data.

Both options would serve as a solution to the problem – The former would support a patient’s right to access their health data and also support the development of the ONC’s certification program in the future to allow patients to view, download, and electronically transmit their health data to third parties through an Application programming interface (API). The update to current record set definition would help to clarify rules for both providers and patients.

HIPAA Right of Access Should be Extended

AMIA and AHIMA also support the extension of the HIPAA individual right of access and amendment to entities that are not covered by HIPAA but manage individual health data: Entities such as companies that develop mHealth apps and health social media applications.

Similar data is created, stored, and transmitted by HIPAA-covered and non-HIPAA-covered entities, yet data access policies differ for both groups. There should be greater uniformity of data access, regardless of what type of entity collects and stores health data.

AMIA and AHIMA also suggest federal regulators should clarify current guidance related to third-party legal requests. “Health Information management (HIM) professionals continue to struggle with the existing Office for Civil Rights guidance that enables third-party attorneys to request a patient’s PHI,” explained AHIMA’s Wylecia Wiggs Harris. “AHIMA members increasingly face instances in which an attorney forwards a request for PHI on behalf of the patient but lacks the information required to validate the identity of the patient. As a result, the HIM professional is challenged as to whether to treat it as an authorization or patient access request, which has HIPAA enforcement implications.”

The post AMIA and AHIMA Call for Changes to HIPAA to Improve Access and Portability of Health Data appeared first on HIPAA Journal.

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

Posted by HIPAA Journal

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals.

Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.

A Failure to Implement Adequate Security Controls

The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”

The breach in question occurred between May 7 and May 26, 2015. Hackers were able to gain access to its WebChart electronic health record system and highly sensitive patient information – The exact types of data sought by identity thieves – Names, addresses, dates of birth, Social Security numbers, and health information.

Known Vulnerabilities Were Not Corrected

Medical Informatics Engineering had set two ‘tester’ accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing.’ Both accounts could be accessed remotely without the need for any further identification. The lawsuit alleges Medical Informatics Engineering was aware of the security issue as the accounts were identified as high risk by a third-party penetration testing firm, Digital Defense, in January 2015. Even though the accounts were high risk, Medical Informatics Engineering continued to use the accounts. The accounts were set up to enable one of its healthcare provider clients to login without having to use unique usernames and passwords.

While those accounts did not have privileged access, they did allow the hackers to gain a foothold in the network. Through those accounts the attackers conducted an SQL injection attack, which allowed them to gain access to other accounts with administrative privileges that were used to exfiltrate data.

Post-Breach Response Failures

While the initial attack and data exfiltration went unnoticed, a further attempt to exfiltrate data using malware caused network performance to slow to such an extent that an alarm was generated, alerting Medical Informatics Engineering that its systems had been compromised. While investigating the malware attack the attackers were still able to exfiltrate further data through SQL queries demonstrating the company’s post-breach response was “inadequate and ineffective.”

No Encryption or Employee Security Awareness Training

No encryption had been used to protect stored data and no security system had been implemented to alert Medical Informatics Engineering about possible hacking attempts. Had such a system been implemented, it would have been easy to identify unauthorized access as two of the IP addresses used by the attackers originated in Germany.

The lawsuit also alleges Medical Informatics Engineering had no documentation to confirm security awareness training had been provided to its employees prior to the data breach.

In addition to violations of HIPAA Rules, the lawsuit alleges Medical Informatics Engineering violated several state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notifications.

The post 12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering appeared first on HIPAA Journal.