Legal News about HIPAA and Healthcare Compliance

HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations

Posted by Steve Alder

The U.S. Department of Health and Human Services (HHS) has finalized the proposed modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2). “The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.

The Part 2 regulations have been in effect since 1975 and protect “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder [SUD] education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” These records are subject to strict protections due to the sensitivity of the information contained in those records and avoid deterring people from seeking treatment for SUD due to fears about discrimination and prosecution.

The bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) called for the Part 2 regulations to be more closely aligned with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Breach Notification, and Enforcement Rules. On December 2, 2022, the HHS, via the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), published a Notice of Proposed Rulemaking (NPRM) to implement the changes required by the CARES Act. The comments received from industry stakeholders in response to the NPRM have been considered and appropriate modifications have been made before finalizing the changes.

The modifications include permitting the use and disclosure of Part 2 records based on a single patient consent. Once that consent has been given by a patient it covers all future uses and disclosures for treatment, payment, and health care operations. The final rule also permits disclosure of records without patient consent to public health authorities, provided the records are first deidentified using the methods stated in HIPAA. Redisclosure of Part 2 records by HIPAA-covered entities and business associates is permitted, provided those disclosures are in accordance with the HIPAA Privacy Rule, with certain exceptions. Separate consent is required for the disclosure of SUD clinician notes, which will be handled in the same way that psychotherapy notes are handled under HIPAA.

Patients’ SUD treatment records were already protected and could not be used to investigate or prosecute the patient unless written consent is obtained from the patient or as required by a court order that meets Part 2 requirements. Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have also been expanded in the final rule. The final rule clarifies the steps that investigative agencies must follow to be eligible for safe harbor. Before any request for records is made, the agency is required to search the SAMHSA treatment facility directory and check the provider’s Notice of Privacy Practices to determine if they are subject to Part 2.

The final rule gives patients new rights to obtain an “accounting of disclosures,” request restrictions on certain disclosures, and opt out of receiving fundraising communications, as is the case under the HIPAA Privacy Rule. Patients will also be able to file a complaint about Part 2 violations directly with the Secretary. In the event of a breach of Part 2 records, the requirements for notifications are now the same as the HIPAA Breach Notification Rule. The HHS has also been given enforcement authority, including the ability to impose civil monetary penalties for Part 2 violations. The criminal and civil penalties for Part 2 violations will be the same as those for violations of the HIPAA Rules.  Other changes that have been introduced based on comments received on the NPRM include a statement confirming that Part 2 records do not need to be segregated and that it is not permitted to combine patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.

“Patient confidentiality is one of the bedrock principals in health care. People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration has made it a priority to end the stigmatization of those living with substance use disorders and give health care providers the tools they need so they can treat the whole patient while continuing to protect patient privacy. We will not rest until behavioral health is fully integrated into health care and those struggling with behavioral health challenges get the best treatment available.”

The final rule is due to be published in the Federal Register in mid-February. The compliance date has been set as 2 years from the date of publication. A fact sheet has been published by the HHS summarizing the changes that have been made in the Final Rule.

The post HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations appeared first on HIPAA Journal.

U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit

Posted by Steve Alder

US Fertility LLC, the operator of more than 100 fertility clinics across the United States, has proposed a $5.75 million settlement to resolve a class action lawsuit that was filed in response to a data breach that exposed the data of around 900,000 patients.

U.S. Fertility announced in November 2020 that hackers had gained access to its network and installed malware (ransomware) that rendered certain systems inaccessible. The breach was detected on September 14, 2020; however, the hackers first gained access to the network on August 12, 2020. Before encrypting files, the hackers exfiltrated sensitive patient data including names, addresses, dates of birth, MPI numbers, Social Security numbers, medical information, and financial information.

A class action lawsuit was filed that alleged U.S. Fertility was negligent by failing to implement reasonable and appropriate cybersecurity measures to protect highly sensitive patient data from unauthorized access. Had those measures been implemented, the breach could have been prevented or its severity would have been severely reduced. U.S. Fertility maintains there was no wrongdoing but decided to settle the lawsuit.

Under the settlement terms, all class members are entitled to a $50 cash payment. Class members whose data was stolen from a California clinic will be entitled to claim an additional cash payment of $200. Claims may also be submitted for up to 4 hours of lost time at $25 per hour, and unreimbursed out-of-pocket losses can be claimed and will be paid up to a maximum of $15,000 per claimant. Claims for reimbursement of losses must be supported by receipts, account statements, IRS documents, police reports, FTC reports, professional invoices, and other documentation. The cash payments may be reduced and paid pro-rata depending on the number of claims submitted.

Individuals who wish to object to the settlement or exclude themselves have until February 20, 2024, to do so. All claims must be submitted by March 19, 2024. The final settlement hearing has been scheduled for April 18, 2024.

The post U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Montefiore Medical Center has agreed to settle the investigation and has paid a $4.75 million penalty to resolve the alleged HIPAA violations. With this one penalty, OCR has already exceeded its total collections from its HIPAA enforcement actions in 2023 and this is the largest financial penalty to be imposed by OCR since January 2021’s $5.1 million penalty for Excellus Health Plan.

Like the Excellus investigation, OCR uncovered multiple failures to comply with the HIPAA Security Rule; however, the Excellus investigation was in response to a breach of the PHI of 9.35 million individuals. Montefiore Medical Center’s penalty stemmed from a report of a breach of the PHI of 12,517 patients. The scale of a data breach is taken into consideration by OCR when determining an appropriate penalty, but it is the nature of the underlying HIPAA violations that has the biggest impact on the size of a penalty, and Montefiore Medical Center’s HIPAA violations were deemed to be severe.

Montefiore Medical Center, a non-profit hospital system based in New York City, was notified by the New York Police Department in May 2015 that evidence had been uncovered of criminal HIPAA violations at the medical center. A patient’s protected health information had been stolen by an employee. An investigation was launched which revealed the employee had unlawfully accessed the medical records of 12,517 patients, copied their information, and sold the information to identity thieves. The former employee had been accessing the records without authorization for 6 months between January 1, 2013, through June 30, 2013.

Montefiore Medical Center notified OCR about the breach on July 22, 2015, and OCR informed Montefiore Medical Center on November 23, 2015, that it had initiated an investigation to assess whether the medical center was compliant with the HIPAA Rules. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to implement procedures to review records of activity in information systems, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems.

The insider incident investigated by OCR was not the last time that the medical center has had to deal with malicious insiders. There was an incident involving an employee accessing patient records without authorization between January 2018 and July 2020. The employee had accessed the records of 4,000 patients in connection with a vendor as part of a billing scam. In 2021, the medical center confirmed that another employee had accessed the medical records of patients without authorization over a period of 5 months in 2020. The Medical Center has since implemented a system to monitor patient records for unauthorized access by employees.

Montefiore Medical Center chose to settle the allegations with no admission of wrongdoing and agreed to implement a corrective action plan which includes the following requirements:

  • Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
  • Develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
  • Develop and implement a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
  • Distribute the revised policies and procedures to the workforce and provide training to the workforce on those revised policies and procedures.
  • Review and revise current Privacy and Security Rules policies and procedures based on the findings of the risk analysis.

OCR will monitor Montefiore Medical Center for compliance with the HIPAA Rules for 2 years. “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”

In the announcement about the settlement, OCR reminded HIPAA-regulated entities of their obligations under HIPAA to implement safeguards to mitigate or prevent cyber threats, including threats that originate inside as well as outside the organization. This settlement makes clear the consequences of failing to implement those safeguards.

The post Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty appeared first on HIPAA Journal.

FTC Orders Blackbaud to Improve Security and Enforce Data Retention Policies

Posted by Steve Alder

The Federal Trade Commission (FTC) has ordered South Carolina-based Blackbaud to implement a raft of security measures and enforce its data retention policies to ensure that customer data is not retained any longer than it is needed. Blackbaud is a customer relationship management software provider, whose software is used by 35,000 fundraising entities, including many nonprofit healthcare organizations to increase philanthropic revenue. In early 2020, a hacker used a Blackbaud customer’s login name and password to access the customer’s Blackbaud-hosted database. Once access was gained, the hacker was able to move laterally by exploiting security vulnerabilities to access multiple Blackbaud-hosted environments and remained undetected in Blackbaud’s environment for 3 months.

Over those 3 months, the hacker exfiltrated a vast amount of unencrypted data from tens of thousands of customers, which included the personal and protected health information of millions of individuals. The stolen data included names, contact information, medical information, health insurance information, Social Security numbers, and bank account details. The hacker threatened to publish the stolen data and Blackbaud negotiated a 24 Bitcoin ($235,000) payment for the data to be deleted. Blackbaud was, however, unable to conclusively verify that the stolen data had been deleted.

A Catalog of Security Failures

According to the FTC complaint, the acts and practices of Blackbaud constituted unfair and/or deceptive practices in violation of Section 5(a) of the Federal Trade Commission (FTC) Act. The FTC alleged that Blackbaud had failed to implement reasonable and appropriate security practices to protect the sensitive personal information of consumers. The lack of safeguards allowed an unauthorized individual to gain access to customer data and deficient security practices and the failure to enforce its data retention policies magnified the severity of the data breach.

The FTC alleged that Blackbaud allowed customers to store highly sensitive information such as Social Security numbers and bank account information in unencrypted fields and customers could upload attachments containing sensitive personal information which were not encrypted. Further, Blackbaud did not encrypt its database backup files which contained complete customer records from the products’ databases.

While Blackbaud had data retention policies, these were not enforced, which meant the company retained the data of its customers for years longer than was necessary, even the data of former customers and prospective customers. The FTC also slammed Blackbaud for waiting for 2 months to notify customers about the data breach and misrepresenting the scope and severity of the data breach in those notifications due to “an exceedingly inadequate investigation.”

Blackbaud explained in the July 16, 2023, notification letters that financial information and Social Security numbers were not compromised and said no action was required because no personal information was accessed. Blackbaud’s post-breach investigation determined on July 31, 2020, that the hacker had exfiltrated customer data, but then waited until October 2020 to disclose that information to its customers.

The affected consumers were denied the opportunity to take steps to protect against identity theft and fraud, and since the breach, Blackbaud has received multiple complaints from consumers about identity theft and fraud using their personal information, indicating the hacker did not delete the data. Blackbaud did agree to pay for credit monitoring services, but those services were offered months after the breach and only to a limited subset of the affected customers.

Blackbaud made explicit representations about its information security practices which led customers to believe that personal information would be protected; however, the FTC alleged that there were insufficient password controls, a lack of multifactor authentication, a failure to monitor logs for signs of unauthorized system activity,  a failure to enforce its data retention policies, a failure to patch outdated software and systems promptly, a failure to implement appropriate firewall controls, a failure to implement appropriate network segmentation, and a failure to test, audit, assess, or review its products’ or applications’ security features. Blackbaud also failed to conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases.

FTC Orders Major Security Updates and Data Deletion

The FTC alleged unfair information security practices, unfair data retention practices, unfair inaccurate breach notifications, deceptive initial breach notifications, and deceptive security statements. The FTC’s proposed order requires Blackbaud to implement and maintain a comprehensive information security program that complies with industry best practices. The order includes 14 security requirements and Blackbaud is also required to delete all customer data that is not required and undergo independent security assessments.

“Today’s action builds on a series of cases that have made clear that maintaining a data retention and deletion schedule is a critical part of protecting consumers’ data security,” said FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya in a joint statement about the consent order. “The Commission has also made clear that efforts to downplay the extent or severity of a data breach run afoul of the law.”

Blackbaud previously settled a multistate action with the attorneys general in 48 states and the District of Columbia and paid a $49.5 million penalty, and was ordered to pay a $3 million civil monetary penalty by the U.S. Securities and Exchange Commission for omitting important facts about the data breach in its August 2020 quarterly report. Blackbaud is also being sued by consumers whose personal information was stolen.

The post FTC Orders Blackbaud to Improve Security and Enforce Data Retention Policies appeared first on HIPAA Journal.

Florida Bill Seeks Safe Harbor for Organizations with Robust Cybersecurity Programs

Posted by Steve Alder

Healthcare organizations and businesses in Florida could soon be given protection against data breach lawsuits if they implement and maintain cybersecurity measures that meet government and industry standards. The Florida Cybersecurity Incident Liability Act (H.B 473) has been introduced in the Florida legislature and aims to introduce a “safe harbor” that limits liability for all businesses that implement reasonable and appropriate cybersecurity measures that meet industry standards and cybersecurity frameworks.

Businesses can make significant investments in cybersecurity to protect their networks and sensitive data from unauthorized access, but the sophisticated nature of cyber threats means that cyberattacks may still succeed. It is now common for multiple lawsuits to be filed over data breaches that allege a failure to implement appropriate cybersecurity measures, irrespective of the cybersecurity measures that have been implemented. The Florida Cybersecurity Incident Liability Act is intended to provide businesses with a legal defense against tort claims in data breach lawsuits and encourage the adoption of security frameworks.

The Florida Cybersecurity Incident Liability Act will place limitations on liability for cybersecurity incidents. Counties, municipalities, and businesses that acquire, maintain, store, or use personal information will not be liable in connection with a cybersecurity incident provided they have adopted a cybersecurity program that substantially aligns with any standards, guidelines, or regulations that implement any of the following:

  • The NIST Framework for Improving Critical Infrastructure Cybersecurity
  • NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST Special Publication 800-53 and 800-53A – Security and Privacy Controls for Information Systems and Organizations / Assessing Security and Privacy Controls in Information Systems and Organizations
  • The Federal Risk and Authorization Management Program 42 security assessment framework
  • The Center for Internet Security (CIS) Critical Security Controls.
  • The International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) family of standards

There will also be limitations on liability for entities that are regulated by the state or Federal Government or that are otherwise subject to the following laws and regulations:

  • The Health Insurance Portability and Accountability Act’s security requirements (45 C.F.R. part 160 and part 164 55 subparts A and C)
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act requirements (45 C.F.R. parts 160 and 164.)
  • Title V of the Gramm-Leach-Bliley Act
  • The Federal Information Security Modernization Act of 2014

The scale and scope of substantial alignment of a cybersecurity program with these laws reflect the size, complexity, and nature of the business activities, as well as the sensitivity of the personal information collected and stored, the availability and cost of security improvement tools, and the available resources for cybersecurity. In data breach lawsuits, the defendant will have the burden of proof to establish substantial compliance with these laws, cybersecurity frameworks, and standards.

The post Florida Bill Seeks Safe Harbor for Organizations with Robust Cybersecurity Programs appeared first on HIPAA Journal.

Russian National Sanctioned for Medibank Ransomware Attack

Posted by Steve Alder

A Russian national who was involved in a ransomware attack on the Australian health insurance provider Medibank in 2022 has been sanctioned by the governments on Australia, the United States, and the United Kingdom.

Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, is believed to have been a member of the now-disbanded ransomware group REvil. REvil was one of the most notorious cybercriminal groups until July 2021 when the group ceased operations and disappeared. Prior to that, the group was a ransomware-as-a-service group that encrypted appropriately 175,000 computers and was paid an estimated $200 million in ransom payments from its attacks.

In October 2022, REvil gained access to the Medibank network and stole the data of approximately 9.7 million of its customers and then used ransomware to encrypt files. The stolen data included names, dates of birth, Medicare numbers, and highly sensitive medical information including mental health, sexual health and drug use data.

As a Russian national, Ermakov is unlikely to face justice for the Revil attacks as there is no extradition treaty with Australia, the United States, or the United Kingdom and Ermakov is unlikely to travel to any country where there is a risk of arrest. The U.S. Department of the Treasury criticized Russia for allowing ransomware gangs to operate within its borders and freely conduct attacks around the world, and for enabling ransomware attacks by cultivating and co-opting criminal hackers. The Treasury has called for Russia to take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.

The sanctions mean that it is a criminal offence to provide any assets to Ermakov or to use or deal with any of his assets, which includes making ransom payments through cryptocurrency wallets. Australia was the first to sanction Ermakov, closely followed by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the UK government. OFAC said all property and interests in property of Ermakov that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. Any entities that are directly or indirectly 50% or more owned by Ermakov are also blocked. Violation of the sanctions is punishable by up to 10 years’ imprisonment.

“Russian cyber actors continue to wage disruptive ransomware attacks against the United States and allied countries, targeting our businesses, including critical infrastructure, to steal sensitive data,” said Under Secretary of the Treasury Brian E. Nelson. “Today’s trilateral action with Australia and the United Kingdom, the first such coordinated action, underscores our collective resolve to hold these criminals to account.”

The post Russian National Sanctioned for Medibank Ransomware Attack appeared first on HIPAA Journal.

Lincare Holdings Proposes $7.25 Million Settlement to Resolve Data Breach Lawsuit

Posted by Steve Alder

A $7.25 million settlement has been proposed to resolve a class action lawsuit – In re: Lincare Holdings Inc. Data Breach Litigation – filed against Lincare Holdings over a September 2021 data breach that affected 2,918,444 individuals.

Lincare Holdings is a provider of in-home respiratory care and equipment. In September 2021, unauthorized activity was detected within its network and the forensic investigation confirmed an unauthorized third party had gained access to files containing patient data. The exposed protected health information included names, addresses, Lincare account numbers, dates of birth, treatment information, provider names, dates of service, diagnosis and procedure information, account or record numbers, health insurance information, and prescription information, and for a small number of affected individuals, Social Security numbers.

Legal action was taken by the affected individuals who alleged that Lincare Holdings was negligent for failing to implement reasonable and appropriate cybersecurity measures, and had those measures been implemented, the data breach could have been avoided. Lincare has not admitted any wrongdoing but has proposed a settlement to end the litigation.

Class members will be permitted to submit claims for up to $5,000 as reimbursement for out-of-pocket losses fairly traceable to the data breach, including up to 4 hours of lost time at $20 per hour. Recoverable losses include bank fees, credit fees, communication costs, unreimbursed fraudulent charges, and losses to identity theft. Individuals who were California residents at the time of the breach can also claim an additional $90.

All class members are eligible to receive a one-year membership to Medical Shield services, which includes medical record monitoring, health insurance monitoring, dark web monitoring, real-time authentication alerts, high-risk transaction monitoring, Medicare monitoring, provider monitoring HSA monitoring, ICD monitoring, credit freeze assistance, and identity theft remediation services. They will also be covered by a $1 million identity theft insurance policy.

Claims must be submitted by April 15, 2024, and any class member wishing to object to or exclude themselves from the settlement must do so by March 14, 2024. The final hearing has been scheduled for June 12, 2024.

The plaintiff and class members were represented by John A. Yanchunis of Morgan & Morgan; Stephen R. Basser of Barrack Rodos & Bacine; Raina Borrelli of Turke & Strauss LLP; Alexandra M Honeycutt of Milberg Coleman Bryson Phillips Grossman PLLC; and Carl V Malmstrom of Wolf Haldenstein Adler Freeman & Herz LLC

The post Lincare Holdings Proposes $7.25 Million Settlement to Resolve Data Breach Lawsuit appeared first on HIPAA Journal.

December 2023 Healthcare Data Breach Report

Posted by Steve Alder

There was no letup in healthcare data breaches as the year drew to a close, with December seeing the second-highest number of data breaches of the year. The Department of Health and Human Services (HHS) Office for Civil Rights received 74 reports of healthcare data breaches of 500 or more records in December, which helped make 2023 a record-breaking year for healthcare data breaches. While there may still be some late additions to the list, as of January 18, 2023, 725 data breaches of 500 or more healthcare records have been reported to OCR in 2023 – The highest number since OCR started publishing records of data breaches on its “Wall of Shame.” To add some perspective, that is more than twice the number of data breaches that were reported in 2017.

It is not just the number of data breaches that is concerning. Healthcare data breaches have been increasing in severity and there have been ransomware attacks that have seen patients contacted and threatened directly with the exposure of their sensitive health data. Many of the data breaches reported in 2023 have been on a colossal scale, with December no exception with two multi-million-record data breaches reported.

Since 2009, when OCR created its Wall of Shame, the number of breached records has been trending upwards, but even the most pessimistic of security professionals would not have predicted at the start of 2023 that there would be such a massive rise in breached records. 2021 was a bad year with 45.9 million records breached, and 2022 was worse with 51.9 million breached records, but in 2023, an astonishing 133 million records were exposed or stolen. On January 18, 2023, the OCR breach portal showed 133,068,542 individuals had their protected health information exposed or stolen in 2023.

We will explore the year’s data breaches in greater detail and make predictions for the coming year in posts over the next few days but first, let’s take a dive into December’s data breaches to see where and how 11,306,411 healthcare records were breached.

The Biggest Healthcare Data Breaches in December 2023

Two of the largest data breaches of 2023 were reported in December, the largest of which occurred at the New Jersey-based analytics software vendor, HealthEC. Hackers gained access to a system used by more than 1 million healthcare professionals to improve patient outcomes. The platform contained the protected health information of 4,452,782 individuals. The data breach was the second in as many months to result in the exposure of the health data of more than 1 million Michigan residents, prompting the Michigan Attorney General to call for new legislation to hold companies accountable for breaches of healthcare data.

A 2.7 million-record data breach was reported by another business associate, ESO Solutions. ESO Solutions is a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, and had its network breached and files encrypted with ransomware. At least 12 health systems and hospitals are known to have been affected.

More than 900,000 records were obtained by hackers who gained access to an archive of data from the now defunct Fallon Ambulance Services, which was being stored to meet data retention requirements by Transformative Healthcare, and a cyberattack on Electrostim Medical Services exposed the data of almost 543,000 patients.

It has now been 7 months since the Clop hacking group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution and data breach reports continue to be issued. More than 2,600 organizations worldwide had data stolen in the attacks, with the healthcare industry among the worst affected.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Data Breach
HealthEC LLC NJ Business Associate 4,452,782 Hacking incident (Data theft confirmed)
ESO Solutions, Inc. TX Business Associate 2,700,000 Ransomware attack
Transformative Healthcare (Fallon Ambulance Services) MA Healthcare Provider 911,757 Hacking incident (Data theft confirmed)
Electrostim Medical Services, Inc. dba EMSI FL Healthcare Provider 542,990 Hacking incident
Cardiovascular Consultants Ltd. AZ Healthcare Provider 484,000 Ransomware attack (Data theft confirmed)
Retina Group of Washington, PLLC MD Healthcare Provider 455,935 Ransomware attack
CompleteCare Health Network NJ Healthcare Provider 313,973 Ransomware attack (Data theft confirmed)
Health Alliance Hospital Mary’s Avenue Campus NY Healthcare Provider 264,197 Hacking incident (Data theft confirmed)
Independent Living Systems, LLC FL Business Associate 123,651 Hacking incident (MOVEit)
Pan-American Life Insurance Group, Inc. LA Health Plan 105,387 Hacking incident (MOVEit)
Meridian Behavioral Healthcare, Inc. FL Healthcare Provider 98,808 Hacking incident
Mercy Medical Center IA Healthcare Provider 97,132 Hacking incident at business associate (PJ&A)
Pan-American Life Insurance Group, Inc. LA Business Associate 94,807 Hacking incident (MOVEit)
Regional Family Medicine AR Healthcare Provider 80,166 Hacking incident
HMG Healthcare, LLC TX Healthcare Provider 80,000 Hacking Incident (Data theft confirmed)
Heart of Texas Behavioral Health Network TX Healthcare Provider 63,776 Hacking incident
Kent County Community Mental Health Authority d/b/a Network180 MI Healthcare Provider 59,334 Unauthorized email account access
Highlands Oncology Group PA AR Healthcare Provider 55,297 Ransomware attack
Southeastern Orthopaedic Specialists, PA NC Healthcare Provider 35,533 Ransomware attack (Data theft confirmed)
Eye Physicians of Central Florida, PLLC, a division of Florida Pediatric Associates, LLC FL Healthcare Provider 31,189 Hacking incident (Data theft confirmed)
Clay County Social Services MN Business Associate 22,005 Ransomware attack (Data theft confirmed)
Bellin Health WI Healthcare Provider 20,790 Hacking incident
Neuromusculoskeletal Center of the Cascades, PC OR Healthcare Provider 19,373 Unauthorized email account access
Independent Living Systems, LLC FL Healthcare Provider 19,303 Hacking incident (MOVEit)
Community Memorial Healthcare, Inc. KS Healthcare Provider 14,798 Hacking incident
VNS Choice dba VNS Health Health Plans NY Health Plan 13,584 Unauthorized email account access
Hi-School Pharmacy WA Healthcare Provider 12,779 Ransomware attack

Many HIPAA-regulated entities keep information to the bare minimum in their breach reports, which allows them to meet legal requirements for breach reporting while minimizing the risk of disclosing information that could be used against them in class action lawsuits. The problem with this minimalistic breach reporting is the victims of the breach are not given enough information to accurately assess the risk they face, and the lack of transparency in data breach reporting makes it difficult to accurately assess how hackers are gaining access to healthcare networks and the nature of the attacks.

This is especially true for ransomware attacks and data theft/extortion attacks. Several breaches have been reported as hacking incidents where a possibility of unauthorized access to or theft of patient data, when the threat actors behind the attacks have claimed responsibility and have added the breached entity to their data leak sites. This trend has grown throughout the year.

December 2023 Data Breach Causes and Data Locations

All of December’s data breaches of 10,000 or more records were hacking incidents, which accounted for 83.78% of the month’s 74 data breaches (62 incidents) and 99.79% of the month’s breached healthcare records (11,283,128 records). The average breach size was 181,986 records and the median breach size was 6,728 records. In 2009, hacking incidents accounted for 49% of all data breaches of 500 or more records. In 2023, hacking incidents accounted for 79.72% of all large data breaches. Something clearly needs to be done to improve resiliency to hacking and there are signs of action being taken at the state and federal level.

In December 2023, OCR published its Healthcare Sector Cybersecurity Strategy which details several steps that OCR plans to take to improve cyber resiliency in the healthcare sector and patient safety. The extent to which these plans will be made a reality will depend on Congress making the necessary funding available. OCR is planning a much-needed update to the HIPAA Security Rule in 2024 and has stated that it will establish voluntary cybersecurity goals for the healthcare sector. OCR will be working with Congress to provide financial assistance for domestic investments in cybersecurity to help cover the initial cost. The New York Attorney General has also announced that there will be new cybersecurity requirements for hospitals in the state after a significant increase in cyberattacks, and that funds have been made available to help low-resource hospitals make the necessary improvements.

There were 8 data breaches classified as unauthorized access/disclosure incidents, involving 14,998 healthcare records. The average breach size was 1,875 records and the median breach size was 1,427 records. There were four loss/theft incidents reported in December, two of which involved stolen paperwork and two involved the loss of electronic devices, with the latter preventable if encryption had been used. 8,285 records were lost across these incidents.

The most common location of breached healthcare data was network services, which is unsurprising given the large number of hacking incidents. 14 data breaches involved protected health information stored in email accounts, three of which resulted in the exposure of more than 10,000 records.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in December with 49 reported breaches of 500 or more records, followed by business associates with 13 breaches, health pans with 11, and a single breach at a healthcare clearinghouse. While healthcare providers suffered the most breaches, it was data breaches at business associates that exposed the most records. Across the 13 business associate-reported breaches, 7,416,567 records were breached, compared to 3,730,791 records in the 49 breaches at healthcare providers. The health plan breaches exposed 156,479 records and 2,574 records were exposed in the healthcare clearinghouse data breach.

These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. A deeper dive into the data to determine where the breach actually occurred reveals there were 24 data breaches at business associates (7,544,504 records), 43 data breaches at healthcare providers (3,616,078 records), 6 data breaches at health plans (143,255 records), and one breach at a healthcare clearinghouse (2,574 records).

The average size of a business associate data breach was 314,354 records (median: 2,749 records), the average size of a healthcare provider data breach was 84,095 records (median: 5,809 records), and the average health plan data breach was 23,876 records (median: 7,695 records). The chart below shows where the data breaches occurred rather than the reporting entity.

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 32 states reported data breaches of 500 or more records in December. California was the worst affected state with 85 large data breaches followed by New York and Texas with 7 reported breaches.

State Number of Breaches
California 8
New York & Texas 7
Florida 6
Massachusetts 4
New Jersey, Tennessee & Wisconsin 3
Arkansas, Connecticut, Illinois, Kansas, Kentucky, Louisiana, Maryland, North Carolina & Washington 2
Alaska, Arizona, Colorado, Iowa, Michigan, Minnesota, Mississippi, Missouri, Montana, New Mexico, North Dakota, Oregon, South Carolina, Virginia & West Virginia 1

HIPAA Enforcement in December 2023

OCR announced two enforcement actions against healthcare providers in December to resolve alleged violations of the HIPAA Rules. OCR continued its enforcement initiative targeting noncompliance with the HIPAA Right of Access with its 46th enforcement action over the failure to provide individuals with timely access to their medical records. Optum Medical Care of New Jersey settled its investigation and agreed to pay a financial penalty of $160,000 to resolve allegations that patients had to wait between 84 days and 231 days to receive their requested records when they should have been provided within 30 days.

OCR also announced its first-ever settlement resulting from an investigation of a phishing attack. Lafourche Medical Group in Louisiana suffered a phishing attack that resulted in the exposure of the protected health information of almost 35,000 individuals. While phishing attacks are not HIPAA violations, OCR’s investigation uncovered multiple violations of the HIPAA Security Rule, including no risk analyses prior to the 2021 phishing attack, and no procedures to regularly review logs of system activity before the attack. Lafourche Medical Group chose to settle the investigation and paid a $480,000 penalty.

These two enforcement actions bring the total number of OCR enforcement actions involving financial penalties up to 13, the lowest annual total since 2019, although there was a slight increase in funds raised from these enforcement actions with $4,176,500 collected in fines. OCR is pushing Congress to increase the penalties for HIPAA violations to make penalties more of a deterrent and also to provide much-needed funding to allow OCR to clear the backlog of HIPAA compliance investigations, in particular investigations of hacking incidents. Currently, OCR’s hands are tied, as the department’s budget has remained the same for years, aside from annual increases for inflation, yet its caseload of breach investigations has soared.

HIPAA Enforcement by State Attorneys General

State attorneys general have the authority to enforce HIPAA compliance and 2023 saw an increase in enforcement actions. The HIPAA Journal has tracked 16 enforcement actions by state attorneys general in 2023 that resolved violations of HIPAA or equivalent state consumer protection and data breach notification laws. In December, three enforcement actions were announced, two by New York Attorney General Letitia James and one by Indiana Attorney General Todd Rokita. New York has been particularly active this year having announced 4 settlements to resolve HIPAA violations in 2023 and the state also participated in two multi-state actions.

In December, AG James announced a settlement had been reached with Healthplex to resolve alleged violations of New York’s data security and consumer protection laws with respect to data retention, logging, MFA, and data security assessments which contributed to a cyberattack and data breach that affected 89,955 individuals. The case was settled for $400,000. AG James also investigated New York Presbyterian Hospital over a reported breach of the health information of 54,396 individuals related to its use of tracking technologies on its website, which sent patient data to third parties such as Meta and Google in violation of the HIPAA Privacy Rule and New York Executive Law. The case was settled for $300,000.

The Indiana Attorney General investigated CarePointe ENT over a breach of the health information of 48,742 individuals. AG Rokita alleged that CarePointe ENT was aware of security issues several months before they were exploited by cybercriminals but did not address them in a timely manner. There was also no business associate agreement with its IT services provider. The investigation was settled for $125,000.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on January 18, 2023.

The post December 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Merck Reaches Settlement with Insurers over $1.4 Billion NotPetya Malware Attack

Posted by Steve Alder

The Pharmaceutical giant Merck has finally obtained a settlement with its insurance policy providers over a June 2017 cyberattack that Merck claimed resulted in $1.4 billion in damages. Merck was infected with the infamous NotPetya wiper malware – a malware variant that appeared to be ransomware but was in fact a wiper. The malware has been linked to Russian state-sponsored hackers and was used to attack targets in Ukraine, but attacks occurred globally, resulting in an estimated $10 billion in losses worldwide.

Merck was badly hit by the attack and claimed that 40,000 of its computers were wiped by NotPetya malware, and when it tried to recover those losses under its ‘all-risk insurance policies, its insurers refused to pay out, claiming the cyberattack was excluded as the policy did not cover acts of war.

Merck challenged the decision and maintained that the exclusions in its insurers’ policies did not apply to NotPetya and a trial court judge ruled in Merck’s favor. After examining the language of the war exclusion of the policies, the history of how war exclusions have been interpreted in the past, and the nature of the all-risk policy, the trial court concluded that the cyberattack could not be excluded. The trial court’s decision was affirmed in May 2023 by a state appellate court.

The language of war exclusion did not include any reference to cyberwarfare or cyberattacks and the insurers failed to demonstrate that the NotPetya cyberattack on Merck was a hostile or warlike action, therefore the war exclusion did not apply and Merck was entitled to recover approximately $700 million of its losses. Ultimately, if the insurers had wanted to exclude certain types of cyberattacks from their coverage, they should have included language to that effect in their policies.

The insurers challenged the decision of the appellate court and sought to have the decision reversed by a New Jersey Supreme Court; however, this month, they decided to drop the appeal and reached a settlement with Merck over the claims. Had the case been resolved through the courts in the insurers’ favor, a legal precedent would have been set that would have had implications for all cyber insurance claims; however, since the legal challenge has been resolved with a confidential settlement, that is not the case. That said, insurers are likely to tighten up the language of their policies to make it clear exactly what types of cyberattacks will and will not be covered by their policies.

The post Merck Reaches Settlement with Insurers over $1.4 Billion NotPetya Malware Attack appeared first on HIPAA Journal.