Patient Data Compromised in Palomar Health Medical Group Cyberattack – HIPAA Journal
Palomar Health Medical Group has warned patients that they may have been affected by an April 2024 cyberattack, and DaVita has learned that tracking tools on its website and mobile app may have sent user data to third-party vendors.
Palomar Health Medical Group Announces April 2024 Cyberattack
Palomar Health Medical Group, a provider of primary and specialty care to communities in North San Diego County, has informed patients about a recent cyberattack that exposed some of their protected health information. A security breach was detected on or around May 5, 2024, and immediate action was taken to prevent further unauthorized access to its systems. An investigation was launched to determine the nature and scope of the incident, which confirmed that hackers had access to its network from April 23, 2024, to May 5, 2024.
Palomar Health Medical Group said the attack “may have caused certain files to become unrecoverable,” which suggests that ransomware was used. Palomar Health Medical Group has confirmed that certain files were exfiltrated from its network; the review of those files is ongoing, as is the process of restoring the affected files. A full recovery of the affected systems was expected by July 1, 2024; however, the recovery process is taking longer than anticipated.
It is still not possible to tell exactly how many patients have been affected or the specific types of data that have been exposed or obtained in the attack; however, Palomar Health Medical Group has identified the categories of data involved. The compromised data varies from individual to individual and, based on the initial findings of the investigation, includes patient names in combination with one or more of the following: address, date of birth, Social Security number, medical history information, disability information, diagnostic information, treatment information, prescription information, physician information, medical record number, health insurance information, subscriber number, health insurance group/plan number, credit/debit card number, security code/PIN number, expiration date, email address and password, and username and password.
The breach has affected current and former patients of Palomar Health Medical Group and its affiliates Graybill Medical Group and Pacific Accountable Care. Individual notification letters will be mailed to the affected individuals when the file review is completed.
DaVita Notifies Patients About Tracking Technology Privacy Incident
DaVita Inc., a Denver, CO-based provider of kidney dialysis services, notified 67,443 patients on July 2, 2024, about a pixel-related data breach. Pixels are online tracking technologies that are used on websites and mobile applications for recording visitor activity. DaVita explained that it learned on June 17, 2024, that tracking tools installed on its website health portal and Care Connect mobile application may have transmitted data to third-party vendors.
The types of information disclosed varied from individual to individual based on their interactions on the website and use of the mobile application. That information may have included usernames and third-party identifiers/cookies, employment status, patient classification/reference, information about the use of the app or pages visited on the website, and information indicating whether the user was signed into a DaVita account, but not the account password. For certain users, limited demographic information may also have been disclosed and, potentially, lab test names or lab test resources viewed on the website but no lab test results. The above types of information could be tied to an individual via their IP address and third-party identifiers, such as if a user was logged into their Google or Facebook account at the time. First and last names would only have been disclosed if they were used to create a username.
DaVita said it has removed all third-party tracking technologies that are not part of a HIPAA-compliant service and has implemented new policies and procedures and provided additional training to members of its workforce to prevent similar privacy breaches in the future. DaVita said it is not aware of any misuse of the disclosed information that is likely to result in financial or similar harm.
The post Patient Data Compromised in Palomar Health Medical Group Cyberattack appeared first on The HIPAA Journal.
Pennsylvania’s Updated Breach Notification Law Requires Credit Monitoring Services for Breach Victims – HIPAA Journal
Pennsylvania has updated its data breach notification law, narrowing the definition of personal information, adding the requirement to notify the state Attorney General, and requiring credit monitoring services to be provided to data breach victims in certain circumstances. The Breach of Personal Information Notification Act was amended by Senate Bill 824 and was signed into law by state Governor Josh Shapiro on June 28, 2024. The amended law takes effect on September 26, 2024.
The law requires organizations that maintain computerized data that includes personal information to issue notifications to the affected individuals in the event of a breach of their unencrypted and unredacted personal information, or if personal information is reasonably believed to have been accessed or obtained by an unauthorized individual. Notifications must be sent without unreasonable delay, but there is no fixed time frame for issuing those notifications unless the breach occurs at a Pennsylvania state agency or state agency contractor, in which case the notifications must be issued within 7 days of the determination of a data breach.
Personal information is defined as an individual’s name combined with any of the following: Social Security number, driver’s license number, state identification card number, financial account/credit card/debit card number along with information that would allow the account to be accessed, medical information, health insurance information, or a username/email address and password combination that would allow the online account to be accessed. The amendment changes the term “medical information” to “medical information in the possession of a state agency or state agency contractor.”
In addition to issuing individual notifications, entities are now required to notify the Pennsylvania Attorney General at the same time that individual notifications are sent if the breach requires notification to more than 500 individuals in the Commonwealth, with exemptions for certain insurance companies. The Attorney General should be informed about the date of the breach, the known or estimated number of affected individuals, the known or estimated number of affected Pennsylvania residents, and a summary of the breach incident.
Previously, entities that suffered a breach subject to the Breach of Personal Information Notification Act were required to notify consumer reporting agencies about the breach if it affected more than 1,000 individuals. The threshold for notification has now been reduced to 500 individuals. The most important change for Pennsylvania residents is the legal requirement for a breached entity to provide credit monitoring services for 12 months, under certain circumstances.
Credit monitoring services must be provided if a consumer reporting agency is required to be notified by law and if the breach involved an individual’s Social Security number, bank account number, driver’s license number, or state identification number. The services must include access to an independent credit report from a consumer reporting agency if the individual is not eligible to obtain a free credit report and access to credit monitoring services for 12 months from the date of notification. If the individual is eligible to receive those services free of charge for 12 months, it is an acceptable alternative to advise them of the availability of those free services.
Industry Groups Give Feedback on CISA’s Proposed Cybersecurity Reporting Requirements
In April, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rulemaking (NPRM) introducing new requirements for critical infrastructure entities to report certain cybersecurity incidents. CISA sought comment from the public, and several healthcare stakeholders have provided feedback on the proposed rule.
Background
The proposed rule requires critical infrastructure entities to report cybersecurity incidents to CISA within 72 hours of detecting a cybersecurity incident and within 24 hours of making a ransomware payment. The types of covered incidents include:
- Unauthorized system access
- Denial of Service (DoS) attacks with a duration of more than 12 hours
- Malicious code on systems, including variants if known
- Targeted and repeated scans against services on systems
- Repeated attempts to gain unauthorized access to systems
- Email or mobile messages associated with phishing attempts or successes
- Ransomware attacks against critical infrastructure, including the variant and ransom details if known
The types of information that must be submitted to CISA include:
- Incident date and time
- Incident location
- Type of observed activity
- Detailed narrative of the event
- Number of people or systems affected
- Company/Organization name
- Point of Contact details
- Severity of event
- Critical infrastructure sector
- Anyone else who has been informed
CISA will share the information with federal and non-federal partners to improve detection and the minimization of the harmful impacts on critical infrastructure entities, accelerate mitigation of exploited vulnerabilities, and allow software developers and vendors to develop more secure products. The information will also be shared with law enforcement to help with the investigation, identification, capture, and prosecution of the perpetrators of cybercrime.
Healthcare Industry Groups Give Feedback to CISA
The Workgroup for Electronic Data Interchange (WEDI) and the Medical Group Management Association (MGMA) have called for CISA to align the reporting time frame with the HHS’ Office for Civil Rights, as having to submit reports to multiple agencies will place a considerable administrative burden on healthcare organizations. MGMA believes the new reporting requirements will be overly burdensome for medical groups, and the duplicative reporting requirements may affect the ability of those groups to operate effectively, especially when dealing with a cyberattack.
MGMA explained that under HIPAA, covered entities must report cybersecurity incidents to the HHS’ Office for Civil Rights within 60 days for HIPAA compliance. Rather than layering different reporting requirements on top of each other, MGMA suggests that CISA should work closely with the HHS to seamlessly incorporate data that must be reported under HIPAA. This would promote collaboration and prevent covered entities from reporting the same incident multiple times in different formats. MGMA said the size-based criteria for reporting mean small medical groups will not have the burden of reporting incidents, but using the SBA definition means that many small physician offices will be affected, even practices with annual revenues as low as $9 million.
The short timeframe for reporting incidents was criticized by WEDI, which said it could take longer than 72 hours to gather all the necessary information for the initial report. WEDI has called for CISA to be flexible with the reporting timeframe, such as allowing the initial report to be submitted with as much information as it has been possible to gather within 72 hours and allowing additional information to be submitted after that deadline as it becomes available. WEDI also proposes a carve-out for certain ransomware attacks. WEDI has requested that CISA not consider an attack to be a data breach if no protected health information has been accessed, provided the entity has made a good faith effort to deploy a recognized security program and has implemented security policies and procedures.
CHIME/AEHIS Members Express Concern
The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) have urged CISA to consider that the core mission of healthcare is patient safety and not to implement regulatory requirements that could jeopardize that mission.
One concern from their members is the reporting requirements under HIPAA, which require security breaches to be reported to OCR within 60 days of the discovery of a data breach. They are concerned that the clock would start ticking for reporting under HIPAA on the date of submission of the incident report to CISA, and that could create considerable additional burdens for HIPAA-regulated entities. CHIME and AEHIS have asked CISA to clarify the reporting requirements for managed service providers and other third-party service providers that provide products or services to HIPAA-covered entities, requesting that the service provider be considered the covered entity for reporting under CIRCIA.
After the initial incident report, critical infrastructure entities are required to submit supplemental reports following a significant cybersecurity incident, with those supplemental reports submitted without delay or as soon as possible. There is concern that with the threat of enforcement, HIPAA-covered entities may feel compelled to prioritize reporting of incidents over patient safety. CHIME/AEHIS have requested that the supplemental reports be submitted every 72 hours at a minimum or every 5 days, and for those reports to only be required if substantial new or different information becomes available.
CHIME/AEHIS point out that the definition of larger hospitals – those with 100 or more beds – is inadequate and that a more nuanced approach is required, with factors other than bed count considered. They also ask that CISA not require reporting of incidents by critical access hospitals (CAHs), which are already under considerable financial strain. Making CAHs report incidents could increase the financial strain on those hospitals, leading to more closures and reduced access to healthcare for patients.
CHIME/AEHIS have received feedback from their members about the level of detail required by CISA about the security architecture of breached entities. “If CISA requires hospitals and healthcare systems to define their entire security architecture, that is a tremendous amount of information to include in a report,” explained the industry groups. “Our members do not believe that CISA needs to know an entire description of an organization’s security program – as it is not helpful to fulfill the purpose of CIRCIA, is potentially considered intellectual property (IP), and/or sensitive for the organization.”