Medicare Data Exposed in Data Breach at Boston Consulting Firm

Greylock McKinnon Associates, Inc. (GMA), a Boston consulting firm that provides litigation support, has suffered a data breach affecting 341,650 individuals. According to the GMA breach notice, a security incident was detected on May 30, 2023, and the subsequent forensic investigation revealed that the firm had fallen victim to a sophisticated cyberattack. The exposure of sensitive personal data was detected on February 7, 2024.

The breach included Medicare health insurance claim numbers (which contain Social Security numbers), health insurance information, and medical information, along with names, addresses, and dates of birth. GMA said the personal data had been obtained by the Department of Justice (DOJ) as part of a civil litigation matter, and that the DOJ provided the data to GMA in connection with the litigation support the firm provides. GMA confirmed that the affected individuals were not the subject of the investigation or the associated litigation, and the DOJ has confirmed that the incident does not affect their current Medicare benefits or coverage. Notification letters were sent to the affected individuals on April 8, 2024, and they have been offered complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services.

Medicare data, medical information, and health insurance information are classed as protected health information under the Health Insurance Portability and Accountability Act (HIPAA), but only if that information is collected, processed, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity. Neither GMA nor the DOJ is a HIPAA-covered entity or business associate, so the breached information is not protected under HIPAA.

However, companies such as GMA are required to comply with the Federal Trade Commission (FTC) Act, and the FTC has taken several actions against companies over data breaches in recent months, including for the failure to issue prompt notifications as required by the FTC’s Health Breach Notification Rule. Like the HIPAA Breach Notification Rule, the FTC Health Breach Notification Rule requires individual notification letters to be issued without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security. GMA sent its notification letters 9 months after the security breach was detected, which could see the company investigated by the FTC. GMA is currently facing at least one class action lawsuit over the data breach, which alleges violations of the FTC Act and the Health Breach Notification Rule.

The post Medicare Data Exposed in Data Breach at Boston Consulting Firm appeared first on HIPAA Journal.

Companies with Strong Cybersecurity Programs Deliver Higher Returns for Shareholders

Investing in cybersecurity can help organizations prevent data breaches and avoid regulatory fines, but there are other benefits. A recently released report from Diligent Institute and Bitsight shows organizations that have a strong cybersecurity program tend to have better financial performance and deliver higher returns for their shareholders.

For the report, Diligent Institute and Bitsight analyzed data from 4,149 mid- to large-sized organizations in multiple sectors across Australia, Canada, France, Germany, Japan, the United Kingdom, and the United States. Cybersecurity oversight at the committee level was assessed to determine its impact on cybersecurity risk ratings, and each company’s cyber oversight structure was correlated with its security performance data, with each company given a security performance classification of basic, intermediate, or advanced.

The study revealed that companies with advanced security ratings created almost 4 times as much value for their shareholders as companies with basic security ratings. Over three and five years, companies with an advanced security rating had a Total Shareholder Return (TSR) that was 372% and 91% higher, respectively, than that of companies with a basic security rating. Over three and five years, the average TSR for companies with an advanced security rating was 71% and 67%, compared to 37% and 14% for companies with a basic security rating.

The report showed that healthcare and other highly regulated sectors appreciate the importance of cybersecurity and understand that cybersecurity is not simply an IT problem but an enterprise risk that can affect the company’s short-term performance and long-term health. Healthcare outperformed other sectors in terms of cybersecurity performance and had the highest average security rating of all industries represented in the study.

In addition to the correlation between cybersecurity performance and shareholder return, the researchers found a correlation between board structure and security ratings, with companies that had specialized risk or audit committees performing better than those that did not. Companies with specialized risk or audit committees had an average security rating of 710, compared to an average rating of 650 for companies that had neither of these committees.

Integrating a cybersecurity expert into a board committee tasked with cybersecurity risk oversight makes a significant difference to an organization’s security performance; however, simply having a cybersecurity expert on the board does not mean a company will have a better security rating. Companies with cybersecurity experts on the board had an average security score of 580, compared to an average rating of 700 for companies that had cybersecurity experts on either audit committees or specialized risk committees. The researchers note that it is rare for boards to include cybersecurity experts, with only 5% of the assessed companies having cybersecurity experts on their boards. “Companies seeking to hire cybersecurity expertise for the board should first ensure that the board is appropriately organized so that expertise can be properly incorporated into the oversight mechanisms,” suggested the researchers.

Healthcare Data Breaches Up 53% from Q1, 2023

Data compromises have increased by 90% compared to Q1, 2023, according to the Q1 2024 Data Breach Report from the Identity Theft Resource Center (ITRC). In Q1, 2024, there were 841 publicly reported data compromises, up from 442 compromises in Q1, 2023. While data compromises almost doubled, there was a 72% fall in the number of victims compared to Q1, 2023, and a drop of 81% from the previous quarter, with 24,474,351 individuals known to have been affected by the 841 data breaches.

In Q1, 2023, healthcare was the most attacked industry; however, in Q1, 2024, healthcare dropped to second place (124 notices and more than 6 million records breached), behind financial services (224 notices and more than 18 million records breached). Healthcare data breaches increased by 53% from Q1, 2023, and were up 69.9% from Q1, 2022; however, the number of victims (6,071,259 individuals) in Q1, 2024, was down 57.2% from Q1, 2023 (14,199,413 individuals). Healthcare placed second in the top 10 compromises of Q1, 2024, with a 2.35 million-record data breach at Medical Management Resource Group (American Vision Partners), behind LoanDepot, which had a breach of more than 16 million records; however, healthcare topped the list with 6 of the 10 largest data breaches in the quarter.

The number of organizations impacted by supply chain attacks more than tripled in Q1, 2024, compared to Q1, 2023, with 50 new attacks that affected 243 organizations and involved the data of 7.5 million individuals. In Q1, 2023, 73 entities were affected by supply chain attacks and there were 11.4 million victims. Cyberattacks were the biggest cause of data breaches (642 compromises), followed by phishing/smishing/BEC attacks (108 compromises), and system and human error (85 compromises). It is now increasingly common for data breach notices not to provide information about the cause of the breach. In Q1, 2024, 439 compromises (52.2%) did not state the root cause of the breach, compared to 166 of the 442 data compromises (37.6%) in Q1, 2023. More than two-thirds of cyberattack-related data breaches included no information about the root cause of the breach.

“The dramatic increase in data compromises continues to concern us,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “However, the decrease in victims impacted is a bit of good news, though still too high. We believe it is due to identity criminals launching more targeted attacks, which differ from tactics used five to ten years ago. With that said, it is critical that businesses and consumers continue to practice good password hygiene and transition to Passkeys when possible.”

Atlanta Women’s Health Group Sued Over 2023 Ransomware Attack

Atlanta Women’s Health Group is facing a class action lawsuit over an April 2023 cyberattack in which an unauthorized third party gained access to its servers and the sensitive data of tens of thousands of its patients. Atlanta Women’s Health Group discovered the attack on April 12, 2023, and its forensic investigation confirmed that patients’ protected health information had been exposed. The types of information involved included names, dates of birth, patient ID numbers, and other information that may be contained in medical records. It was not possible to determine the exact types of information that were accessed or acquired, so notifications were sent to all individuals who had potentially been affected.

A lawsuit – M.T. vs. Atlanta Women’s Health Group P.C. – was filed in the U.S. District Court for the Northern District of Georgia, Atlanta Division, alleging that the OB/GYN healthcare provider had implemented inadequate data security measures and breached the duties imposed on it by law. According to the lawsuit, those failures allowed unauthorized individuals to gain access to its network and steal highly sensitive patient data, and had appropriate cybersecurity measures been implemented, the cyberattack and data breach could have been avoided.

The lawsuit also alleged that while the Department of Health and Human Services’ Office for Civil Rights was notified about the breach within 60 days of discovery, it took Atlanta Women’s Health Group 10 months to issue email notifications to the plaintiff and class members about the attack, and that it did not explain the reason for the delay. The letters stated that all patients were notified about the attack out of an abundance of caution; however, if that is the case, there was no reason to wait 10 months to send the notifications. The lawsuit also stated that the notification letters did not explain when the attack occurred, only when it was detected, and that while Atlanta Women’s Health Group claimed to have obtained evidence that the hackers had deleted the stolen data, the practice has no proof that the data has been permanently erased or that the attackers have not made copies of it.

The lawsuit claims the plaintiff and class members have been “exposed to a present injury in the form of actual misuse of their PII and PHI and have further been exposed to an ongoing substantial, heightened, and imminent risk of financial fraud and identity theft for years to come,” and that they have “suffered numerous actual and concrete injuries and damages.” The lawsuit alleges breach of fiduciary duty, negligence, negligence per se, and invasion of privacy/intrusion upon seclusion and seeks class action certification, a jury trial, and declaratory and injunctive relief. The plaintiffs are represented by MaryBeth V. Gibson of the Gibson Consumer Law Group, LLC; Todd McClelland of Sterlington, PLLC; Michael Sullivan, David H. Bouchard, and Gabriel Knisely of Finch McCranie, LLP.

Seattle Children’s Hospital Website Tracking Technology Lawsuit Dismissed with Prejudice

A class action lawsuit against Seattle Children’s Hospital (SCH) over its use of pixels and other tracking technologies on its website has been dismissed with prejudice by a Washington court. Like many other hospitals, SCH had added pixels to its website that could track user behavior on the site. The tracking technologies were used to gather information on how the website was used in order to improve the site and patient engagement. Depending on a user’s interactions with the website, the pixels may have captured identifiers and health information, which were transferred to third parties.

A lawsuit was filed by parents who had used the site, alleging that the addition of pixels violated the Washington Privacy Act, the Washington Consumer Protection Act, and the Washington Uniform Health Care Information Act. They alleged invasion of privacy, breach of implied contract, conversion, and unjust enrichment. SCH argued that the information gathered by the pixels did not amount to confidential health information and that users had accepted the terms of its privacy policy and, by doing so, had consented to having anonymous data shared with third parties. SCH further argued that where identifying information was disclosed to third parties, it occurred only because the plaintiffs had that information placed on their browsers by third parties such as Facebook, not by SCH, and that the plaintiffs had consented to having that identifying information placed on their browsers.

In the lawsuit, the plaintiffs alleged that there had been sensitive interactions on the SCH website, and health information related to those interactions was transmitted to third parties. SCH maintained that the sensitive interactions that were described by the plaintiffs could only happen on its patient portal and that pixels and other tracking technologies were not present on the portal. The Washington court sided with SCH and dismissed all of the plaintiffs’ claims with prejudice.

Payers and Providers Plan to Use Generative AI to Improve Patient Engagement

Generative AI (genAI) has tremendous potential in healthcare, and payers are enthusiastic about using genAI to enhance the patient experience and improve patient engagement and outcomes. A recent survey of CXOs at 350 U.S. health plans and health systems by HFS Research and Cognizant explored the impact of genAI on consumer experiences and engagement. The U.S. healthcare system is experiencing deteriorating health outcomes, declining life expectancy, an increase in chronic conditions, and opioid and mental health epidemics. At the same time, technological innovation is accelerating, AI systems are being adopted at scale, there has been a resurgence in digital-health-fueled primary care, and innovative care models have been introduced. Together, these create significant opportunities for reducing costs, enhancing experiences, and improving health outcomes.

One of the ways these goals can be realized is through the use of genAI. Surveyed payers were convinced that genAI is a game changer and would be invaluable in improving the efficiency of administrative functions, especially customer service and claims management, and they were also planning to use genAI to improve member engagement, health and wellness, and the value of coverage.

18% of payers plan to apply genAI to member management, including hyper-personalization to improve member engagement and streamline interactions with providers. 16% said they plan to use genAI to address the needs of multiple generations and help them with disease prevention and wellness. 14% said they plan to use genAI to develop dynamic health plans that can adapt throughout the year based on member needs and circumstances gleaned from social determinants of health (SDOH), while tailoring plans to the individual. Providers generally accepted that genAI has the potential to have a positive impact on care delivery but were less convinced than payers about the impact genAI will have.

Across these two groups, more than 70% of respondents anticipated that the greatest impact of genAI would be on health outcomes and the consumer experience. Approximately 50% of payers and providers said they plan to invest between $1 million and $10 million in genAI, with around 70% of respondents saying that money will be invested in the next two years. While there is a great deal of enthusiasm around genAI and significant investment, only 20% of payers and providers have a genAI vision, and that must change if they are to improve the success of their investments.

One of the main challenges highlighted by the survey is the lack of appropriate skills. Payers and providers will need people with programming, statistics, machine learning, data processing, and visualization skills, and those skills are in high demand for other emerging technologies and for managing current operations; however, using systems such as ChatGPT, which accept plain English input, will reduce the demand for highly skilled staff without competing with applications that require technical skills. Further, since the skills needed to deploy genAI are geography agnostic, providers and payers will be able to recruit from the global talent pool.
