Latest HIPAA News

New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach

A malware infection at St. Peter’s Surgery & Endoscopy Center in New York has potentially allowed hackers to gain access to the medical records of as many as 135,000 patients.

This is the second largest healthcare data breach of 2018, the largest to hit New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016, and the fifth largest healthcare data breach in New York since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries in October 2009.

The data breach at St. Peter’s Surgery & Endoscopy Center was discovered on January 8, 2018, the same day the hackers gained access to its server. The rapid detection of the malware limited the time the hackers had access to the server and potentially prevented patients’ data from being viewed or copied. However, while no evidence of data access or data theft was discovered, neither could be ruled out with a high degree of certainty.

In its substitute breach notice, St. Peter’s Surgery & Endoscopy Center says the servers it uses are separate from those of St. Peter’s Hospital and Albany Gastroenterology Consultants. Protected health information held by those medical centers was not compromised as a result of the malware infection. Only patients who have previously visited St. Peter’s Surgery & Endoscopy Center for medical treatment have potentially been affected. Letters to affected patients were mailed on February 28, 2018 and the incident has been reported to the HHS’ Office for Civil Rights.

The information potentially accessed or copied was limited to patients’ names, addresses, dates of birth, dates of service, diagnosis codes, procedure codes, and insurance information. Some patients also had Medicare information exposed; since Medicare identifiers at the time were derived from Social Security numbers, those patients effectively had their Social Security numbers exposed. Patients without Medicare did not have their Social Security numbers exposed, and no patients’ banking or credit/debit card numbers were exposed.

Patients whose Medicare information was exposed have been offered one year of credit monitoring and identity theft protection services without charge “out of an abundance of caution” and all patients have been advised to check their health insurance statements carefully for any sign of fraudulent use of their information.

No information has been released on the exact nature of the security breach, such as how the hackers gained access to the server to install malware. St. Peter’s Surgery & Endoscopy Center said action is being taken to bolster security, which includes further staff training. The purchase of additional – and more elaborate – anti-virus and anti-malware solutions is also being evaluated.

The post New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach appeared first on HIPAA Journal.

Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members

Tufts Health Plan is alerting 70,320 of its members that their health plan member ID numbers have been exposed.

A mailing vendor used by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage members between December 11, 2017 and January 2, 2018.

Window envelopes were used which naturally allowed plan members’ names and addresses to be seen, but Tufts Health Plan member IDs were also visible through the plastic windows of the envelopes. The mailing error was discovered by Tufts Health Plan on January 18.

Tufts Health Plan notes that its member IDs are not derived from Social Security numbers or Medicare numbers, but the member ID numbers could potentially be misused by individuals to obtain services covered by the health plan.

Legal experts were consulted about the breach to assess the potential risk to plan members. The risk of misuse of the numbers is believed to be very low as the only individuals likely to see the member IDs would be employees of the postal service. Plan members have been told that in the unlikely event that their member IDs are misused they will not be responsible for any charges.

Plan members should check their Explanation of Benefits statements carefully and should report any services detailed on the statements that have not been received.

The health plan reports that it has been working closely with its vendor to ensure similar incidents do not occur in the future. The mailing vendor has confirmed that the error that caused the privacy incident has now been fixed.

In this case, the privacy breach was limited and patients should not be adversely affected, but similar incidents have occurred at other healthcare organizations that have caused serious problems for some individuals.

On July 28, 2017, a business associate of Aetna sent a mailing to approximately 12,000 plan members detailing a change to pharmacy benefits for individuals who were receiving HIV medications. The medications are prescribed to treat HIV and as pre-exposure prophylaxis (PrEP) to prevent contraction of HIV. Information about those medications was clearly visible through the plastic windows of the envelopes. The disclosure was not limited to the postal service: in some cases, the information was inadvertently disclosed to family members and roommates.

A class-action lawsuit was filed against Aetna which was recently settled for $17 million. Aetna was also fined $1.15 million by the New York Attorney General over the privacy breach and further actions may be taken against the health insurer by other state attorneys general and the HHS’ Office for Civil Rights.

A similar privacy incident affected Amida Care in 2017, again involving information related to HIV. In that case, the words “Your HIV detecta” were visible through the clear plastic windows of envelopes next to the name and the address, even though an additional sheet of paper had been inserted to prevent information on the enclosed double-sided flyer from being visible.

These incidents clearly highlight the risks of using window envelopes for healthcare mailings. If the decision is taken to use this type of envelope, stringent checks should be conducted to ensure that the letters cannot slip to reveal sensitive information and that the content of the mailings cannot be seen.

The post Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members appeared first on HIPAA Journal.

Hacking Responsible for 83% of Breached Healthcare Records in January

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records.

The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Out of the 37 healthcare data breaches reported in January, 12 were attributed to insiders – 32% of all data breaches.

While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals – just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. 7 incidents were attributed to insider error and five were due to insider wrongdoing.

Protenus has drawn attention to one particular insider breach. A nurse was discovered to have accessed the health information of 1,309 patients without authorization over a period of 15 months. Had the healthcare organization had technology in place to monitor for inappropriate access, the snooping could have been detected in its first weeks and the privacy of hundreds of patients would not have been violated.

The second biggest cause of healthcare data breaches in January was hacking/IT incidents. There were 11 hacking/IT incidents reported by healthcare organizations in January – 30% of all breaches. In contrast to insider incidents, these were not small breaches. They accounted for 83% of all breached records in January. One single hacking incident involved 279,865 records, 59% of all breached records in the month.

In total, 393,766 healthcare records were exposed by hacks and other IT incidents. The final figure could be substantially higher as figures for five of those breaches have not been obtained. One of the incidents involving an unknown number of records was the ransomware attack on the EHR company Allscripts, which resulted in some of its applications being unavailable for several days. That incident could well be the biggest breach of the month.

Ransomware attacks are still a major problem in healthcare, with six of the 11 incidents involving ransomware or malware. Phishing – the subject of February’s cybersecurity letter from the HHS’ Office for Civil Rights – was involved in at least two breaches.

The loss or theft of electronic devices containing ePHI or physical records accounted for 22% of the breaches. Two incidents involving the loss of patient records impacted 10,590 individuals and four out of the six theft incidents impacted 50,929 individuals. The number of individuals affected by the other two theft incidents is unknown. The cause of 16% of January’s data breaches has not yet been disclosed.

The types of breached entities followed a similar pattern to previous months, with healthcare providers accounting for the majority of breaches (84%). 5% of the breaches had some BA involvement and 3% affected health plans. 8% affected other entities.

Information on the length of time it took to detect breaches was only obtained for 11 of the 37 incidents. The median time from the incident to detection was 34 days and the average was 252 days. The average was affected by one incident that took 1445 days to discover.

The median time from discovery of a breach to reporting the incident was 59 days; one day shy of the 60-day absolute limit of the Breach Notification Rule. The average was 96 days. Four healthcare organizations took longer than 60 days to report their breaches, with one taking more than 800 days.

The post Hacking Responsible for 83% of Breached Healthcare Records in January appeared first on HIPAA Journal.

Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year

According to a recent report in the Post and Courier, the Medical University of South Carolina (MUSC) terminated 13 employees last year for violating HIPAA Rules by snooping on patient records. In total, there were 58 privacy violations in 2017 at MUSC, all of which have been reported to the Department of Health and Human Services’ Office for Civil Rights.

All of the breaches affected only small numbers of patients. Out of the 58 breaches, 11 incidents were categorized as snooping on medical records. Other breaches were unauthorized disclosures such as when the health information of a patient is accidentally sent or faxed to the wrong person.

Over the past five years, there have been 307 breaches detected at MUSC, resulting in 30 members of non-physician staff being fired. None of the breaches have been listed on the OCR breach portal, which only shows breaches impacting 500 or more individuals. Under HIPAA Rules, all breaches of PHI must be reported to OCR: breaches affecting 500 or more individuals within 60 days of discovery, and smaller breaches in an annual log submitted within 60 days of the end of the calendar year in which they were discovered. Only the larger breaches are made public and detailed on the breach portal.

The revelations were made at a recent meeting of the hospital’s board of trustees. MUSC opted for transparency, which is considered important to help prevent future privacy breaches. The medical university has made it abundantly clear what actions will be taken against employees discovered to have violated HIPAA Rules.

According to the Post and Courier, one board member questioned whether the decision to terminate employees for minor privacy breaches was a Draconian measure; however, the threat of federal audits over data breaches involving employees has made such swift and decisive action necessary. Heavy fines can be imposed when audits reveal HIPAA Rules have not been followed. The actions taken by MUSC clearly show that it takes privacy and security seriously and that HIPAA violations by employees will not be tolerated.

OCR may be focused on pursuing financial penalties for serious breaches of PHI that affect large numbers of individuals, but that does not mean that investigations do not take place for smaller breaches. There have been multiple investigations of small breaches that have resulted in financial penalties for HIPAA violations by covered entities and their business associates.

The most recent example was in early February when a $3.5 million settlement between OCR and Fresenius Medical Care North America (FMCNA) was announced. FMCNA had experienced five small data breaches in a six-month period in 2012. In 2013, Hospice of North Idaho settled with OCR for $50,000 over a breach impacting 441 patients. Further, in 2016, OCR made it clear that it would be stepping up investigations of covered entities that had experienced small breaches of PHI.

While small breaches may not make the headlines, they are serious for the individuals concerned, which is something MUSC makes clear in its employee training sessions. Efforts to communicate the importance of privacy have also been stepped up, and it is made clear to employees that the hospital has a clear policy of terminating employees for violating HIPAA Rules.

It would be unreasonable to single out MUSC as having a poor record for privacy breaches, as many hospitals are likely to have similar stats. What is certainly commendable is the full transparency and swift and decisive action when patient privacy is violated with malicious intent or when the privacy of patients is violated by curious employees.

The post Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year appeared first on HIPAA Journal.

OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit

The U.S. Office of Personnel Management (OPM) Office of the Inspector General Office of Audits (OIG) has issued a Flash Audit Alert alleging Health Net of California has refused to cooperate with a recent security audit.

Health Net provides benefits to federal employees, and under its contract with OPM, is required to submit to audits. OPM has been conducting security audits on Federal Employees Health Benefits Program (FEHBP) insurance carriers for the past 10 years, which includes scanning for vulnerabilities that could potentially be exploited to gain access to the PHI of FEHBP members.

When OPM conducts audits, it is focused on the information systems that are used to access or store the data of Federal Employee Health Benefit Program (FEHBP) members. However, OPM points out that many insurance carriers do not segregate the data of FEHBP members from the data of commercial and other Federal customers. Audits of technical infrastructure need to be conducted on all parts of the system that have a logical or physical nexus with FEHBP data. Consequently, systems containing data other than that of FEHBP members will similarly be assessed for vulnerabilities.

In its Flash Audit Alert, OPM said Health Net refused to allow OPM to conduct vulnerability and configuration management testing and documentation was not provided that would allow OPM to test whether Health Net was able to remove information system access for contractors who no longer needed data access and for terminated employees.
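The second item OPM says it could not test, whether access is actually removed for contractors who no longer need it and for terminated employees, is a control an auditor checks by reconciling the HR separation list against the directory. The script below is an added example, not OPM’s audit procedure or any Health Net code. It assumes two constructed CSV exports whose column names are assumptions: an HR list of separations (user, worker_type, termination_date) and a directory export (user, enabled, last_logon). It flags accounts still enabled after the termination date plus a grace period, accounts that logged on after termination (access that was used, not merely left open), and separated workers with no directory record at all.

```python
"""Reconcile HR separations against enabled directory accounts.

Added example; not OPM's or Health Net's code. The CSV layouts below are
assumptions; real HR and directory exports need their columns mapped here.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample data, not real records.
HR_SEPARATIONS = """user,worker_type,termination_date
alice,employee,2017-11-30
bob,contractor,2017-12-15
carol,employee,2018-01-05
erin,employee,2018-01-09
frank,contractor,2017-12-20
"""

DIRECTORY_EXPORT = """user,enabled,last_logon
alice,false,2017-11-29T17:02:00
bob,true,2018-01-03T08:41:00
carol,true,2018-01-04T16:20:00
dave,true,2018-01-09T09:00:00
erin,true,2018-01-08T18:30:00
"""


def _rows(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_stale_access(hr_csv, dir_csv, as_of_iso, grace_days=1):
    """Return (user, finding) tuples, sorted, for every separated worker.

    Findings:
      "still_enabled"            account enabled after termination + grace
      "logon_after_termination"  directory shows a logon after termination
      "no_account"               separated worker has no directory record
    Workers in the directory but not on the HR list (still employed) are
    ignored; dave below is such a case.
    """
    as_of = date.fromisoformat(as_of_iso)
    directory = {r["user"]: r for r in _rows(dir_csv)}
    findings = []
    for sep in _rows(hr_csv):
        user = sep["user"]
        term = date.fromisoformat(sep["termination_date"])
        acct = directory.get(user)
        if acct is None:
            findings.append((user, "no_account"))
            continue
        enabled = acct["enabled"].strip().lower() == "true"
        if enabled and as_of > term + timedelta(days=grace_days):
            findings.append((user, "still_enabled"))
        last_logon = datetime.fromisoformat(acct["last_logon"]).date()
        if last_logon > term:
            findings.append((user, "logon_after_termination"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in find_stale_access(HR_SEPARATIONS, DIRECTORY_EXPORT, "2018-01-10"):
        print(f"{user}: {finding}")
```

The grace period is the one knob an auditor negotiates: a one-day window catches a deprovisioning job that runs nightly, while a 30-day window would hide bob’s still-enabled contractor account but not the fact that it was used after his end date.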

By refusing to cooperate, OPM was unable to determine whether Health Net has been acting as a responsible custodian of sensitive protected health information of FEHBP members.

Health Net maintains that it has cooperated with OPM and allowed the agency to conduct the audit, although the insurance carrier consulted with its external counsel and was advised that if it cooperated fully with OPM’s requests and submitted to certain parts of the audit process, it would risk violating contracts with other third parties. Health Net has obligations to those third parties to ensure their data is protected.

Health Net maintains that it has – and will – be able to satisfy the requests of OPM and OIG without compromising the security of its system and the privacy and confidentiality of members’ and employees’ data. Health Net also claims that the allegations made in the OPM report are unfounded.

“We understand the concerns associated with work of this nature, we take great care to minimize risk. Our procedures were developed as part of a collaborative working group comprised of health insurance industry Chief Information Officers and Chief Information Security Officers,” said OPM in its report. “There is nothing unique about Health Net, its technical environment, or the nature of our proposed testing that would exempt Health Net from our oversight and this testing.”

At this stage it is unclear what, if any, action OPM will take against Health Net if the company continues to refuse to comply with its audit requests in full.

The post OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit appeared first on HIPAA Journal.

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection.

The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients.

The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician.

Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23, 2017, following an extensive investigation into the hacker’s activities. Patients impacted by the breach were notified by mail this month.

UVa has since implemented a number of additional security controls to prevent further incidents of this nature from occurring.

Thousands of Victims’ Sensitive Information Viewed


UVa is only one victim of the hacker. Other businesses were also affected and had information compromised, although the extent of the hacker’s activities has not been fully determined. The FBI investigation is continuing, although the hacker has been arrested and charged in a 16-count indictment for numerous computer offenses including violations of the Computer Fraud and Abuse Act and Wiretap Act, in addition to aggravated identity theft and the production of child pornography.

The hacker has been identified as Phillip R. Durachinsky, 28, of North Royalton, Ohio. Durachinsky allegedly developed a Mac malware called FruitFly more than 13 years ago and used the malware to spy on thousands of individuals and companies. The malware provided Durachinsky with full access to an infected device, including access to the webcam. The malware took screenshots, allowed the uploading and downloading of files, and could log keystrokes. Durachinsky also developed the malware to give him a live feed from multiple infected computers simultaneously.

Victims include schools, businesses, healthcare organizations, a police department, and local, state, and federal government officials. Over 13 years, Durachinsky spied on thousands of individuals, mainly using the Mac form of the malware, although a Windows-based variant was also used.

In addition to gaining access to UVa patients records, Durachinsky used the malware to view highly sensitive information of other non-UVa victims. He was able to gain access to financial accounts, photographs, tax records, and internet search histories. Durachinsky also allegedly surreptitiously took photographs of his victims via webcams and kept notes on what he was able to view.

The FBI discovered that an IP address associated with the malware was also used to access Durachinsky’s alumni email account at Case Western Reserve University, which led to his arrest. More than 20 million images were discovered on Durachinsky’s devices by the FBI agents.

The post 1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware appeared first on HIPAA Journal.

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data.

Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration.

The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just 30 days following the date of determination that a security breach has occurred.

Typically, when states propose legislation to improve protections for state residents whose personal information is exposed, organizations in compliance with federal data breach notification laws are deemed to be in compliance with state laws.

However, the new bill clarifies that will not necessarily be the case. Healthcare organizations covered by HIPAA laws have up to 60 days to issue notifications to breach victims. The amended bill states that when federal laws require notifications to be sent, the breached entity will be required to comply with the law with the shortest time frame for issuing notices.

That means HIPAA covered entities who experience a data breach that impacts Colorado residents would have half as long to issue notifications.

The original bill required breached entities to issue notifications to the state attorney general within 7 days of the discovery of a breach impacting 500 or more Colorado residents. The amended bill has seen that requirement relaxed to 30 days following the discovery of a breach of personal information. Further, the state attorney general does not need to be notified of a breach if there has been no misuse of breached data or if data misuse is unlikely to occur in the future.

If the new legislation is passed, Colorado residents will be among the best protected individuals in the United States. Only Florida has introduced such strict time scales for sending notifications to breach victims. Colorado residents would also be much better protected when their data is exposed by a healthcare organization, with the time frame for notification cut in half.

The post Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days appeared first on HIPAA Journal.

AJMC Study Reveals Common Characteristics of Hospital Data Breaches

The American Journal of Managed Care has published a study of hospital data breaches in the United States. The aim of the study was to identify common characteristics of hospital data breaches, what the biggest problem areas are, the main causes of security incidents and the types of information most at risk.

The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016.

Over that 7-year time period there were 215 breaches reported by 185 nonfederal acute care hospitals, and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced 4 separate breaches in those 7 years, five hospitals had 3 breaches, and 24 hospitals experienced 2 breaches. In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the theft/exposure of the highest number of health records.

While hacks were commonly experienced, it was not electronic healthcare data that was the biggest problem area. Paper and film were the most common locations of breached protected health information. 65 hospitals reported paper/film data breaches over the time period that was studied; however, while those breaches were the most common, they typically affected a relatively small number of patients.

Recently, there has been an increase in hacks and malware and ransomware attacks on network servers, although between 2009 and 2016 – for hospitals at least – network servers were the least common location of breached PHI. While the least common, they were the most severe. Network server breaches resulted in the highest number of stolen records.

The second most common location of breaches was PHI stored in locations other than paper/film, laptops, email, desktops, EHRs, or network servers. Those breaches had been reported by 56 hospitals. In third place was laptop breaches, reported by 51 hospitals.

The types of data breaches most commonly experienced were theft incidents, which had been reported by 112 hospitals. Unauthorized access/disclosures were in second place with incidents reported by 54 hospitals. Hacking/IT incidents was third and was behind 27 hospital data breaches.

Multivariate logistic regression analyses were performed to explore factors associated with hospital data breaches. The researchers found significant differences between hospitals that had experienced a data breach and those that had not.

Teaching hospitals and pediatric hospitals were found to be the most susceptible to data breaches. Teaching hospitals made up 18% of the hospitals that had experienced at least one data breach but only 3% of those that had not. Pediatric hospitals made up 6% of breached hospitals compared to 2% of hospitals without a breach.

Larger hospitals were also more prone to data breaches than smaller facilities. Large hospitals made up 26% of the hospitals that had experienced a data breach, compared to 10% of those with no breaches. Investor-owned hospitals had reported fewer breaches than not-for-profit hospitals.

There were no significant differences based on the level of IT sophistication, health system membership, biometric security use, hospital region, or area characteristics.

The researchers suggest that while hospitals have invested in technology and have digitized health data to meet Meaningful Use requirements, security has not been a major focus and investment in data security has been lacking. Hospitals are typically only spending 5% of their IT budgets on security and that needs to improve if hospital data breaches are to be prevented. Security measures also need to be improved for paper/films to reduce the opportunity for unauthorized access and theft.

The researchers suggest hospitals should be conducting regular audits to determine who is accessing PHI, while audits of data security protections will help hospitals identify vulnerabilities before they are exploited.

The use of biometric identifiers can limit the potential for unauthorized access of ePHI and 2-Factor authentication should be implemented on all user accounts.

The researchers also suggest access to PHI should be limited to the minimum necessary amount to allow employees to complete their work duties. By restricting access, the severity of data breaches will be reduced.
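The audit the researchers recommend, and the monitoring that would have caught the nurse in the Protenus item above long before 15 months had passed, both reduce to querying the EHR access log for patterns that no care relationship explains. The script below is an added example, not code from HIPAA Journal, Protenus or the AJMC study. It assumes a constructed CSV audit-log layout (one row per chart access) with columns timestamp, user, role, patient_id, patient_unit, user_unit and care_relationship; real EHR audit exports differ and would need their columns mapped to these names. It applies two rules: chart access on another unit with no documented care relationship, and a user whose distinct-patient count is far above the median for their role.

```python
"""Flag inappropriate EHR chart access from an audit log.

Added example; not HIPAA Journal, Protenus or AJMC code. The log layout and
the two rules are assumptions chosen to illustrate the snooping pattern.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample log, not real data. nurse03 works in the ED but opens
# the charts of patients on other units with no care relationship, late at
# night, across several days.
SAMPLE_LOG = """timestamp,user,role,patient_id,patient_unit,user_unit,care_relationship
2018-01-02T08:10:00,nurse01,nurse,P1001,ICU,ICU,yes
2018-01-02T08:12:00,nurse01,nurse,P1002,ICU,ICU,yes
2018-01-02T08:15:00,nurse01,nurse,P1003,ICU,ICU,yes
2018-01-02T09:00:00,nurse02,nurse,P2001,ED,ED,yes
2018-01-02T09:05:00,nurse02,nurse,P2002,ED,ED,yes
2018-01-02T09:07:00,nurse02,nurse,P2003,ED,ED,yes
2018-01-02T09:30:00,physician01,physician,P1001,ICU,ICU,yes
2018-01-02T09:35:00,physician01,physician,P1002,ICU,ICU,yes
2018-01-02T10:00:00,physician01,physician,P2001,ED,ICU,yes
2018-01-02T11:00:00,nurse03,nurse,P2001,ED,ED,yes
2018-01-02T23:10:00,nurse03,nurse,P1001,ICU,ED,no
2018-01-02T23:12:00,nurse03,nurse,P1002,ICU,ED,no
2018-01-03T23:05:00,nurse03,nurse,P3001,ONC,ED,no
2018-01-03T23:06:00,nurse03,nurse,P3002,ONC,ED,no
2018-01-03T23:08:00,nurse03,nurse,P3003,ONC,ED,no
2018-01-04T22:50:00,nurse03,nurse,P4001,PEDS,ED,no
2018-01-04T22:52:00,nurse03,nurse,P4002,PEDS,ED,no
2018-01-04T22:55:00,nurse03,nurse,P4003,PEDS,ED,no
2018-01-04T22:58:00,nurse03,nurse,P4004,PEDS,ED,no
"""


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_out_of_unit_access(rows):
    """Rule 1: access on another unit with no documented care relationship.

    A cross-unit consult (physician01 opening an ED chart) is excused by its
    care relationship; nurse03's reads are not. Returns (timestamp, user,
    patient_id) tuples in log order.
    """
    return [
        (r["timestamp"], r["user"], r["patient_id"])
        for r in rows
        if r["care_relationship"].strip().lower() != "yes"
        and r["patient_unit"] != r["user_unit"]
    ]


def find_volume_outliers(rows, factor=3.0, min_patients=5):
    """Rule 2: users touching far more distinct patients than role peers.

    A user is flagged when their distinct-patient count is at least
    ``min_patients`` and more than ``factor`` times the median for the role.
    Returns {user: (count, role_median)}.
    """
    patients_by_user = defaultdict(set)
    role_of = {}
    for r in rows:
        patients_by_user[r["user"]].add(r["patient_id"])
        role_of[r["user"]] = r["role"]
    counts_by_role = defaultdict(list)
    for user, patients in patients_by_user.items():
        counts_by_role[role_of[user]].append(len(patients))
    outliers = {}
    for user, patients in patients_by_user.items():
        median = statistics.median(counts_by_role[role_of[user]])
        n = len(patients)
        if n >= min_patients and n > factor * median:
            outliers[user] = (n, median)
    return outliers


def run_report(text):
    """Apply both rules and return a summary for the privacy officer."""
    rows = parse_log(text)
    return {
        "out_of_unit": find_out_of_unit_access(rows),
        "volume_outliers": find_volume_outliers(rows),
    }


if __name__ == "__main__":
    report = run_report(SAMPLE_LOG)
    for ts, user, pid in report["out_of_unit"]:
        print(f"{ts} {user} opened {pid} outside own unit with no care relationship")
    for user, (n, med) in report["volume_outliers"].items():
        print(f"{user} touched {n} distinct patients (role median {med})")
```

Rule 1 is the precise one and depends on the EHR recording a care relationship (treatment team, order, or consult); where it does not, rule 2 still surfaces the volume anomaly, and the minimum-necessary access restriction the researchers recommend shrinks the number of charts a curious employee can open in the first place.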

The methodology, full results, and conclusions are available in the published AJMC study.

The post AJMC Study Reveals Common Characteristics of Hospital Data Breaches appeared first on HIPAA Journal.

January 2018 Healthcare Data Breach Report

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January which is a considerable improvement on the 39 incidents reported in December 2017.

Healthcare data breaches by Month (August 2017-January 2018)

Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month where the number of breached records increased month over month.

Records exposed in January 2018 healthcare data breaches

The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. In January, the healthcare data breaches reported were far less severe than in December. In January the median breach size was 1,500 records. In December it was 15,857 records.

Largest Healthcare Data Breaches in January 2018

In January there were only four breaches reported that impacted more than 10,000 individuals, compared to nine such incidents in December 2017. Hacking incidents continue to result in the largest data breaches with five of the top six breaches the result of hacking/IT incidents, which includes hacks, malware infections and ransomware attacks.


Covered Entity                                                             Entity Type          Individuals Affected   Type of Breach
Oklahoma State University Center for Health Sciences                       Healthcare Provider  279,865                Hacking/IT Incident
Onco360 and CareMed Specialty Pharmacy                                     Healthcare Provider  53,173                 Hacking/IT Incident
Agency for Health Care Administration                                      Health Plan          30,000                 Hacking/IT Incident
Decatur County General Hospital                                            Healthcare Provider  24,000                 Hacking/IT Incident
Charles River Medical Associates, PC                                       Healthcare Provider  9,387                  Loss
Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc.  Healthcare Provider  5,228                  Hacking/IT Incident
RGH Enterprises, Inc.                                                      Healthcare Provider  4,586                  Unauthorized Access/Disclosure
Gillette Medical Imaging                                                   Healthcare Provider  4,476                  Unauthorized Access/Disclosure
Zachary E. Adkins, DDS                                                     Healthcare Provider  3,677                  Theft
Steven Yang, D.D.S., Inc.                                                  Healthcare Provider  3,202                  Theft

Main Causes of Healthcare Data Breaches in January 2018

While hacking/IT incidents and unauthorized access/disclosures shared top spot in January, the biggest cause of breaches was actually errors made by employees and insider wrongdoing. Insiders were behind at least 11 of the 21 breaches reported in January. Four of the five loss/theft incidents involved portable electronic devices. Had those devices been encrypted, their loss or theft would not have exposed PHI and would not have been a reportable breach.

Main Causes of January 2018 Data Breaches

  • Hacking/IT Incidents: 7 breaches
  • Unauthorized Access/Disclosure: 7 breaches
  • Loss/theft of physical records and portable devices: 5 breaches
  • Improper disposal of physical records: 2 breaches

January 2018 Healthcare Data Breaches by Incident Type


Records Exposed by Breach Type

The vast majority of individuals impacted by healthcare data breaches in January 2018 had their health data accessed or stolen in hacking/IT incidents. January saw a significant reduction in records exposed due to loss or theft – In December, incidents involving the loss or theft of devices and physical records impacted 122,921 individuals.

Main Causes of Exposed Healthcare Records in January 2018

  • Hacking/IT Incidents: 394,787 healthcare records exposed in 7 security incidents
  • Loss/theft of physical records and portable devices: 18,519 records exposed in 5 incidents
  • Unauthorized Access/Disclosure: 13,329 healthcare records exposed in 7 incidents

Main Causes of Healthcare Data Breaches in January 2018 - Records by breach type

Location of Data Breaches in January 2018

Overall, more incidents were reported involving electronic copies of health data in January, but covered entities must ensure that appropriate physical security and access controls are in place to prevent unauthorized access to, and theft of, paper records. Staff must also be trained on the correct disposal of physical records: two improper disposal incidents involving physical records were reported in January.

Main Locations of Exposed Healthcare Records in January 2018

  • Paper/Films: 13,514 records exposed in 7 incidents: 4 unauthorized access/disclosures, 2 improper disposal incidents and 1 loss of records
  • Network Servers: 310,593 healthcare records exposed in 4 hacking/IT incidents: 1 hack, 2 malware infections and 1 incident for which the cause is unknown
  • Laptop computers: 3 incidents: 2 stolen devices and 1 hacking/IT incident
  • Email: 3 unauthorized access/disclosure incidents involving phishing and 2 hacking/IT incidents
  • EMRs: 3 incidents: 2 unauthorized access incidents (by a physician/nurse) and 1 hacking/IT incident

January 2018 Healthcare Data Breaches - Location of breached PHI

January 2018 Healthcare Data Breaches by Covered Entity

In January, no business associates of HIPAA covered entities reported data breaches, and according to the OCR breach summaries, none of the 21 security breaches had any business associate involvement. Healthcare providers were the worst affected with 19 breaches reported; the remaining two breaches were reported by health plans.

Healthcare Records Breached

  • Healthcare providers: 398,009 healthcare records exposed in 19 incidents
  • Health plans: 30,634 healthcare records exposed in 2 incidents

January 2018 Healthcare Data Breaches by Entity Type

January Healthcare Data Breaches by State

In January, covered entities based in 15 states reported data breaches that impacted more than 500 individuals.

California was the worst hit state by some distance, with five covered entities reporting breaches. Tennessee and Wyoming had two breaches apiece, and one breach each was reported by organizations based in Florida, Illinois, Kentucky, Massachusetts, Maryland, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, and Washington.

Financial Penalties for HIPAA Covered Entities in January

There were no OCR HIPAA fines or settlements announced in January to resolve violations of HIPAA Rules, although the New York Attorney General did settle a case with health insurer Aetna.

Aetna was required to pay the NY AG’s office $1.15 million to resolve violations of HIPAA Rules and state laws. The violations were discovered during an investigation into a serious privacy breach experienced in July 2017. A mailing was sent to approximately 12,000 members in which details of HIV medications were visible through the clear plastic windows of the envelopes, an impermissible disclosure of PHI. The mailing was sent on behalf of Aetna by a settlement administrator.

Further, it was alleged that Aetna provided PHI to its outside counsel, which in turn passed that information to the settlement administrator, a subcontractor, without a business associate agreement being in place prior to the disclosure.

Aetna also settled a class action lawsuit in January over the breach. The lawsuit was filed by HIV/AIDS organizations on behalf of the victims of the breach. Aetna settled the lawsuit for $17,161,200.

That is unlikely to be the end of the financial penalties. OCR may still decide to take action over the breach and the alleged HIPAA violations, other state attorneys general have opened investigations, and Aetna is also embroiled in costly legal action with its settlement administrator.

Data source for breaches: Department of Health and Human Services’ Office for Civil Rights.

The post January 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.