Washington Hospital Pays $240,000 HIPAA Penalty After Security Guards Access Medical Records
The HHS’ Office for Civil Rights (OCR) investigates all reported breaches of the protected health information of 500 or more individuals, and some smaller breaches, to determine whether the breach was caused by a failure to comply with the HIPAA Rules. OCR’s latest HIPAA enforcement action confirms that what determines whether a financial penalty must be paid is not the scale of a data breach but the severity of the underlying HIPAA violations.
A relatively small data breach was reported to OCR on February 28, 2018, by Yakima Valley Memorial Hospital (formerly Virginia Mason Memorial), a 222-bed non-profit community hospital in Washington state. The hospital discovered that security guards had been accessing patients’ medical records without a legitimate work-related reason, and that 419 medical records had been impermissibly viewed.
OCR launched an investigation into the snooping incident in May 2018 and discovered widespread snooping on medical records by security guards in the hospital’s emergency department. Twenty-three security guards had used their login credentials to access medical records in the hospital’s electronic medical record system when there was no legitimate reason for the access. The security guards were able to view protected health information such as names, addresses, dates of birth, medical record numbers, certain notes related to treatment, and insurance information. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule (45 C.F.R. § 164.316).
Yakima Valley Memorial Hospital chose to settle the case with OCR and agreed to pay a financial penalty of $240,000 with no admission of liability. A corrective action plan has been adopted to ensure full compliance with the HIPAA Rules. The plan includes an accurate and comprehensive risk analysis; the development and implementation of a risk management plan to address the risks identified by that analysis; updates to the hospital’s HIPAA policies and procedures; enhancement of its current HIPAA security training program; and a review of its relationships with vendors and third-party service providers to identify business associates and to obtain business associate agreements where they are not already in place.
“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”
This is the 6th OCR HIPAA enforcement action of 2023 that has resulted in a financial penalty, and the second to be announced by OCR this month. So far this year, penalties totaling $1,901,500 have been imposed by OCR to resolve violations of the HIPAA Rules.
The post Washington Hospital Pays $240,000 HIPAA Penalty After Security Guards Access Medical Records appeared first on HIPAA Journal.
Johns Hopkins Investigating Cyberattack and Data Breach
Johns Hopkins University and Johns Hopkins Health System are investigating a May 31, 2023, cyberattack and data breach that targeted a widely used software tool. Although the targeted tool was not named, the breach date coincides with the Clop/FIN11 attacks on the MOVEit Transfer managed file transfer solution.
While the investigation into the data breach is ongoing, the initial findings indicate that sensitive personal and financial information was impacted, including names, contact information, and health billing records. Notifications will be sent to all affected individuals in the coming weeks once the full scope and breadth of the breach are determined. Johns Hopkins has confirmed that credit monitoring services will be offered to affected individuals. In the meantime, Johns Hopkins urges all students, faculty, staff, and their dependents to take immediate action to protect their personal information, including reviewing their statements, credit reports, and accounts for unusual activity, and to consider placing a fraud alert and credit freeze with a national credit bureau.
At this stage, it is unclear how many individuals have been affected.
PHI of 33,000 Patients Exposed in Maimonides Medical Center Cyberattack
Maimonides Medical Center in Brooklyn, NY, has confirmed that the protected health information of approximately 33,000 patients was stored on systems that were accessed by an unauthorized individual. The security breach was discovered on April 4, 2023, and unauthorized access was immediately blocked. The forensic investigation confirmed the initial access occurred on March 18, 2023.
The review of affected files revealed the majority of individuals only had their names, addresses, and limited clinical information exposed, such as diagnoses and treatment information; however, some individuals also had their Social Security numbers exposed. Affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. Third-party cybersecurity experts were hired to assess system security and ensure that adequate safeguards were in place, and additional authentication measures have now been implemented.
iSpace Inc. Notifies 24,400 Individuals About Data Breach
iSpace, Inc., a provider of insurance eligibility services, has recently started notifying 24,382 individuals about a cyberattack that was discovered on February 5, 2023. In a May 31, 2023, notification to the California Attorney General, iSpace explained that the forensic investigation confirmed a system compromise had occurred and that files were exfiltrated between January 30 and February 5, 2023.
The analysis of the impacted files confirmed that they contained names, Social Security numbers, dates of birth, diagnosis information, health insurance group/policy numbers, health insurance information, subscriber numbers, and prescription information. At the time of issuing notifications, no actual or attempted misuse of the affected individuals’ information had been detected. iSpace said it engaged the services of security specialists to assist in examining its privacy and security policies and practices and will update them accordingly. The delay in issuing notifications was due to the lengthy investigation and data review process, which was completed on March 3, 2023, and the subsequent verification of contact information.
Normal Operations Resume After Richmond University Medical Center Ransomware Attack
Richmond University Medical Center (RUMC) in West Brighton, NY, has confirmed that it has fully recovered from a ransomware attack that was detected in the first week of May. The attack forced the medical center to shut down systems and activate its emergency protocols, and staff recorded patient information manually while systems were restored. The investigation into the ransomware attack is ongoing to determine the extent to which patient information was involved; notification letters will be sent to affected individuals once that process has been completed.
The post Johns Hopkins Investigating Cyberattack and Data Breach appeared first on HIPAA Journal.