15-Year Employee Privacy Breach Discovered by Metro Health System

Metro Health System in Cleveland, OH, has discovered an employee has accessed patient records without a valid work reason. The unauthorized access was discovered on April 27, 2023, and the subsequent investigation confirmed that patient records had been accessed without authorization at various times over the past 15 years. The earliest incident occurred in 2008.

The information viewed included patient names, dates of birth, and clinical information. No Social Security numbers or financial information were accessed. A spokesperson for Metro Health said the employee has been disciplined per its sanctions policy and no evidence has been found to indicate redisclosure of patient data or any misuse of that information. Affected individuals are being notified by mail, steps are being taken to improve its privacy practices, and further training has been provided to the workforce.

CoxHealth Affected by Hacking of Fortra GoAnywhere File Transfer Solution

Springfield, MO-based CoxHealth has recently confirmed that patient data was compromised in a January 2023 cyberattack on its billing vendor, Intellihartx. The Clop ransomware group exploited a vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution, stole sensitive data, and demanded a ransom to prevent the release of that information.

CoxHealth says up to 203,000 patients had their protected health information stolen in the attack, including names, addresses, birth dates, Social Security numbers, diagnoses, and billing and insurance information. The 203K figure is the maximum number of patients that could have been affected. It was not possible to determine with any degree of certainty exactly how many individuals had been affected. Intellihartx has offered complimentary credit monitoring and identity theft protection services to affected individuals.

SoutheastHealth Issues Statement About Potential Vendor Breach

SoutheastHealth in Cape Girardeau, MO, has issued a statement about a potential data breach at a vendor, ITX (Intellihartx). SoutheastHealth said it learned about a potential breach when one of its patients said they had received a letter from Intellihartx saying their protected health information had been exposed and potentially stolen.

SoutheastHealth said names, addresses, dates of birth, billing information, insurance information, diagnoses, medications, and Social Security numbers were potentially stolen in the attack on the file transfer solution and confirmed that its own systems were not affected. SoutheastHealth said it does not currently have a business relationship with Intellihartx and no formal notification was received from Intellihartx confirming SoutheastHealth was one of the companies affected.

The post 15-Year Employee Privacy Breach Discovered by Metro Health System appeared first on HIPAA Journal.

Atlantic General Hospital Increases Ransomware Victim Count to Almost 140,000 Individuals

In March 2023, Atlantic General Hospital notified the Maine Attorney General that it had fallen victim to a ransomware attack in which the protected health information of 30,704 individuals was exposed; however, the ransomware attack was far more extensive than was previously thought and the total has been upwardly revised to 136,981 individuals.

The attack was detected on January 29, 2023, and the forensic investigation confirmed hackers had access to its network between January 20 and January 29, 2023. The initial review of files that were potentially compromised in the breach was completed on March 6, 2023, and confirmed that names, medical record numbers, treating/referring physician names, health insurance information, subscriber numbers, medical history information, and diagnosis/treatment information may have been accessed or acquired. Notification letters were sent on March 24, 2023, and complimentary credit and identity monitoring services were offered to affected individuals.

The investigation into the attack continued, and additional files were discovered to have been compromised. The review of those files was completed on May 15, 2023, and after obtaining up-to-date contact information, additional notification letters were sent to affected individuals on June 22, 2023. The compromised information included names in combination with one or more of the following: Social Security number, date of birth, financial account information, medical/treatment information, and health insurance information. Those individuals have also been offered complimentary credit and identity monitoring services. Atlantic General Hospital says it is working on implementing additional safeguards to improve data security and has provided further training to its workforce.

Palomar Health Patients Impacted by PharMerica Ransomware Attack

Palomar Health in San Diego, CA, has recently confirmed that patient data was exposed in a ransomware attack on its business associate, PharMerica, a nationwide provider of pharmacy services. The ransomware attack was detected on or around March 14, 2023, and the forensic investigation confirmed that at least 5,815,591 individuals had been affected. The attack was conducted by the Money Message ransomware group, which added the stolen data to its leak site in late March.

Palomar Health has confirmed that the following data was potentially compromised in the attack: name, address, date of birth, Social Security number, medications, and health insurance information. Individuals affected received care at Palomar Continuing Care Center in Escondido or The Villas at Poway (Villa Pomerado) between 2001 and 2020. PharMerica is offering complimentary credit and identity theft monitoring services to the affected individuals and is issuing notification letters to patients directly. It is currently unclear how many Palomar Health patients have been affected.

Desert Physicians Management Cyberattack Affects Patients of its Healthcare Provider Clients

Desert Physicians Management in Apple Valley, CA, a provider of administrative support services to physicians’ groups, including Choice Physicians Network/Choice Medical Group, Choice Healthcare Associates, and Horizon Valley Medical Group, has recently announced that unauthorized individuals gained access to its computer systems and copied certain files from its network.

The security breach was detected on April 23, 2023, and the forensic investigation confirmed on or around May 18, 2023, that some of the files acquired by the attackers included protected health information provided by its healthcare provider clients. The compromised information was limited to names, addresses, dates of birth, health insurance information, and clinical information, including diagnosis, treatment information, and/or medication information. Desert Physicians Management said additional security measures have been implemented to help prevent similar incidents from occurring in the future.

Interview: Wei Pan, Head of Engineering, Celo Health

As part of our interview series, we spoke with Wei Pan, Head of Engineering at Celo Health. Celo Health is the developer of a HIPAA-compliant secure messaging platform that enables healthcare teams to collaborate seamlessly and securely on patient care.

Wei Pan, Head of Engineering at Celo Health

Tell the readers about your career in the healthcare industry

I hold more than 15 years of experience in software development, specifically in the area of healthcare security. I graduated from the University of Auckland with a bachelor’s and a master’s in computer science. My development expertise is focused on cloud software architectures and web applications, iOS, Android, and Microsoft technologies. A key part of my career over the years has been managing development teams in different parts of the world. I’ve been able to manage these dynamics successfully primarily because of the type of development methodology I’ve implemented called Kanban. This is an agile development method focused on process improvement, managing workflow efficiently, fostering team collaboration and transparency, and reducing lead time for new ideas from the ideation cycle all the way to customer delivery. To be successful in software development, you must focus on process improvement so the end result is quality, reliability, and rapid delivery to the customer. Most importantly, the software we develop must be highly secure and compliant with numerous regulations worldwide including HIPAA and the HITECH Act.

What was your first position?

My first position was as a software programmer and then later as a development manager for a company that focused on patient safety in an anesthetic environment. This is where I honed my skills in developing software compliant with patient data security standards, as well as improving workflow that led to better outcomes for patients in anesthesia departments.  Early on, I realized the need to develop solutions for healthcare companies that were easy to use. Healthcare companies don’t have time to learn complex technology since they need to focus on what they do best – patient care. Just as important, the software had to fit their needs rather than the healthcare company changing its processes to fit the software.

It was also during this early part of my career that I learned about hand-held mobile technology – such as Nokia phones – before smartphones were invented.  This was invaluable experience for me since a lot of the cutting-edge technologies with those devices at the time became the technology foundation that allowed the breakthrough of smartphones. I learned valuable lessons during this part of my career on how critical it is for software companies to be always looking ahead to how new and emerging technologies can improve software so it evolves with the market’s changing needs and rules and regulations.

What is your current position?

For the past five years, I have served as Head of Engineering for Celo Health. I lead a team of engineers located in different countries and time zones. We have dedicated teams focused on iOS, Android, cloud, and web technologies. Other parts of our team include quality assurance, product designers, and maintenance.

What are the main challenges in your position?

The biggest challenge I was faced with when I joined the company was building a new solution architecture from the ground up. As we rewrote the software, the focus was building a global platform with high scalability, security, and ease of use. Our focus on usability really helped define a market advantage for Celo’s software since customers report instant onboarding of employees with little to no training needed.

A major challenge, not unlike other companies, is recruiting the right people. Naturally, we want to recruit bright and technically proficient employees with the right mindset. Successful development requires employees who understand and share the same vision of the company and are passionate to learn new technologies. We also seek employees who want to take responsibility and support their colleagues in other technology areas beyond the scope of their job roles.  These are important attributes since it allows us to give them a sense of ownership and to be a critical part of delivering value to our healthcare customers.

Another key challenge, which is common for many small- or medium-sized software companies, is the ability to deliver quickly to market. That is critical for company growth.  Healthcare companies need to evolve based on their market dynamics and changing regulations. Software has to keep up with all that so we are constantly developing new features and custom workflows for our customers so they can deliver better outcomes, meet compliance requirements and compete more successfully in their market. That’s why software development is not a clock-in type of job but rather one that may require long hours, at times, to meet goals and deadlines. We manage this by offering the latest business and development software technologies, tools, and methodologies for our teams in a very flexible work environment.

Tell the readers about any significant event in your career

The most significant event for me was starting my career with Celo, where I took on the ambitious challenge of completely overhauling the product architecture to suit the future growth of the platform. It required rapid recruitment of technical specialists in cloud, web applications, Microsoft and iOS and Android, among other technologies, as well as implementing new processes and methodologies. All of this had to be done quickly and in less than a year. This work was validated after we delivered a platform that not only offered high security, scalability, and ease of use but also collaboration features specifically tailored for healthcare providers.

Are you working on any interesting projects?

Our team is continuously evolving Celo’s platform with new features to keep up with our customers’ changing needs. We are working on bringing the best of technological innovation to healthcare professionals in our platform such as AI.

What products/services do you provide for the healthcare industry and what is unique about them?

Celo Health provides a HIPAA-compliant messaging platform that enables healthcare teams to collaborate seamlessly and securely on patient care. Celo’s platform, which utilizes health-grade encryption, differentiates itself by being one of the few solutions in the market that is not only HIPAA-compliant but also globally compliant with international data security regulations.

The platform features a built-in directory that enables healthcare teams to reach the right person instantly. It is so easy to use that many customers report a 92 percent onboarding rate of staff in the first week of implementation. Celo’s technology also utilizes Microsoft Azure, a cloud computing platform, which has more security certifications and accreditations – HIPAA and globally – than any other cloud provider in the market. Celo’s goal is to go above and beyond the required minimum standards. Consequently, we provide input on how to safeguard healthcare information for the future by working directly with regulators on future healthcare privacy legislation.

When did you first get involved with HIPAA compliance?

I became involved with patient data security early on in my career. However, my involvement in developing HIPAA compliance software started when I joined Celo. We used some of the top HIPAA consultants in the industry to provide us with guidance on developing our technology. Our experience in developing compliant software with GDPR, ISO 27001, SOC 2 cloud compliance, Cyber Essentials, and ICO, also proved valuable when working to achieve HIPAA compliance within our platform.

What are your main challenges regarding HIPAA?

The wording, rules, and policies are a bit outdated. A lot of their rules also don’t apply to software-as-service companies (SaaS).  So, HIPAA needs to address standard rules on how technology complies with patients’ data, and specifically, how data is transmitted in a secure cloud deployment model. There needs to be a clear blueprint for this.

What do you think needs to be improved in the HIPAA regulations?

I believe HIPAA needs to align better with international global standards such as GDPR. I believe the HHS can learn from the GDPR, Europe’s strict data security policy, and find a balance that fully addresses the evolving trends in U.S. healthcare regarding patient data security, as well as cybersecurity. There are also data security and cybersecurity best practices being introduced by standard organizations such as IEEE and through security industry conferences, as well as by Microsoft, Google, and Amazon, that can be leveraged by the HHS to update the HIPAA regulations.

Do you have any predictions for the future of HIPAA?

The software industry offers data security technology that can promote more data sharing and interoperability (better integration and connectivity with other data sources) in the healthcare industry. I think HIPAA will move to promote those areas and allow better access to software throughout the healthcare ecosystem.  HIPAA also needs to address data security in terms of the consumerization of health care with patients’ growing need to access their data, as well as new healthcare deliverable models like Telehealth and new entrants in the market such as Walmart’s health supercenters and Amazon’s online health services.

Do you have any predictions for the future of healthcare regulation?

There are many new healthcare provider models that have been introduced to fill in the gaps on patients’ access to healthcare whether it’s constrained due to economic, medical worker shortages, or geographic issues. Future healthcare regulation will need to address these new entrants, such as the single doctor operating out of his home, retail health supercenters, and online healthcare services, to name a few.

Do you have any predictions for the future of healthcare technology?

Technology will make it easier to deliver full and unified information on patients. Currently, there are gaps in information primarily due to the lack of interoperability but that is changing as technology companies develop open, standard-based platforms that easily integrate with other systems and applications. More technology applications will offer integration with Artificial Intelligence which will transform healthcare business processes and make patient care, reporting, compliance, and administration more productive and efficient.

Do you have any predictions for the future of the healthcare industry?

I believe the healthcare industry will more widely adopt healthcare interoperability standards, rules for exchanging healthcare data electronically among different systems or applications, such as FHIR and HL7. As healthcare providers are faced with more financial constraints and limited resources, they’ll see the benefits of interoperability through more efficient and productive operations.

Anything else you would like to share with our readers?

The consumerization of healthcare has led patients to seek more personalized care, transparency in pricing, and more choices such as retail clinics and virtual care. At the same time, healthcare organizations are faced with daunting challenges in terms of financial resources, declining workforce resources, and changing compliance requirements.  Celo and others continuously deliver new products to address these evolving business dynamics. Healthcare has taken its time in adopting new technology, but this will change in the near future as providers now see the benefits: more cost efficiencies, improved productivity, easier compliance, and most importantly, better patient outcomes.
