ONC Reports on Progress on Advancing Nationwide, Trusted Health Information Networks

Posted by Steve Alder

The HHS Office of the National Coordinator for Health Information Technology (ONC) has provided an update to Congress on the progress that has been made on the access, exchange, and use of electronic health information through trusted health information networks (HINs) and health information exchanges (HIEs).

HealthIT is integral to healthcare delivery, and it has become even more so since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Across the United States, hundreds of physician offices, hospitals, and health systems now use ONC-certified healthIT to access, process, store, and exchange electronic health information (EHI) and ONC reports significant progress in the past year toward nationwide interoperability, and connecting nationwide, trusted HINs.

According to the ONC report, 85% of hospitals have electronically queried or found patient health information through various methods; 64% of hospitals reported using nationwide networks that enable data exchange across different healthIT systems in 2021, around half of physicians searched for or queried patient health information via their EHR when seeing a new patient in 2021, and HINs are one of the most common methods used by hospitals to electronically send and receive summary of care cards.

There are, however, barriers to progress. As explained to Congress in a February 2023 report, those barriers have resulted in uneven progress across healthcare and have affected the ability to realize the full potential of certified health IT. In 2021, 72% of hospitals reported challenges exchanging data across different EHR vendor platforms, 54% faced challenges developing customized interfaces, 57% faced challenges matching and identifying the correct patient between systems, and in 2022, around three-quarters of hospitals experienced at least one challenge to electronic public health reporting.

HIN’s and NIEs each have limitations, which are being addressed through the Trusted Exchange Framework and Common Agreement (TEFCA). TEFCA simplifies network participation by providing a way for healthcare providers, health plans, and patients to make a single connection to access EHI on a nationwide scale, and TEFCA supports a broader range of exchange purposes, including treatment, payment, healthcare operations, public health, government benefits determination, and individual access services.

ONC published version 1.1. of TEFCA in November 2023, and in December, five organizations completed the TEFCA onboarding process and were officially designated as Qualified Health Information Networks (QHINs), and a further two organizations were designated as QHINs in February 2024.

ONC anticipates more organizations will be designated as QHINs in the coming year and reports that most hospitals are aware of TEFCA and plan to participate. ONC expects TEFCA will scale significantly and will create a pathway for modern information sharing and patients will experience the benefits, especially those that have multiple healthcare providers as it will make it much easier to efficiently access and manage their own health information, although virtually everyone that uses the healthcare system will benefit from connected HINs eventually, said ONC.

ONC thanked Congress for its commitment to the 21st Century Cures Act, which envisioned TEFCA, and recommended support for the implementation of the health IT provisions of the Cures Act.

The post ONC Reports on Progress on Advancing Nationwide, Trusted Health Information Networks appeared first on HIPAA Journal.

Otolaryngology Associates Data Breach Affects Almost 317,000 Patients

Posted by Steve Alder

A cyber threat actor has tried to extort money from the Indiana ENT specialists, Otolaryngology Associates, after gaining access to its network and exfiltrating patient and employee data. Otolaryngology Associates said its security system generated alerts about a potential intrusion on February 17, 2024, a few hours after the threat actor gained access to the network. Immediate action was taken to secure the network and block the attack, and at no point was access to the network prevented.

Three days later on February 20, and again on February 21, a threat actor made contact and claimed to have stolen data in the attack and threatened to publish the stolen data if the ransom was not paid. Third-party forensic experts were engaged to investigate the breach and they determined that the threat actor had not manually accessed files on the network but had run programs that exfiltrated data from internal systems.

The forensic investigation was able to narrow down the data that may have been exfiltrated, but it was not possible to determine exactly what types of data had been taken. The review of the files on the compromised parts of the network revealed they contained the protected health information of 316,802 individuals. For the majority of the affected individuals, the information potentially stolen in the attack was limited to information contained in billing records, which do not include Social Security numbers or driver’s license numbers. The exposed information was limited to names, OA medical record numbers, service codes, date(s) of service, treating physician names, appointment locations, insurance company names, and the dollar amount of charges.

A subset of the affected individuals may have had one or more of the following exposed: Social Security number, driver’s license number, address, email address, telephone number, date of birth, appointment schedule, referral forms, and/or insurance plan numbers. Affected employees may have had their bank account information and payroll information exposed. The individual notification letters state the types of information that have been exposed. OA Facial Plastics patients were not affected as OA Facial Plastics systems were not accessed by the attacker.

Otolaryngology Associates said it has implemented additional security measures to prevent further attacks and has instructed a cybersecurity firm to monitor the dark web for any release of patient data. At the time of issuing the notifications, no patient data has been publicly released.

The post Otolaryngology Associates Data Breach Affects Almost 317,000 Patients appeared first on HIPAA Journal.

Email Accounts Compromised at Aveanna Healthcare and UNC Hospitals & School of Medicine

Posted by Steve Alder

Email accounts have been compromised at the Georgia home health provider Aveanna Healthcare and UNC Hospitals and School of Medicine in North Carolina. Patient data has been exposed and potentially stolen in the attacks.

Aveanna Healthcare

Aveanna Healthcare, an Atlanta, GA, provider of home health and hospice care, has announced a security breach of its email environment and the exposure of the data of 65,482 patients. Anomalous activity was identified in an employee email account on September 22, 2023. The account was immediately secured, and an investigation was launched to determine the nature of the activity, and whether patient data had been exposed or stolen.

The investigation confirmed that an unauthorized third party had gained access to its email environment and potentially obtained files that contained patient information. Third-party specialists were engaged to review the affected files to determine the individuals affected and the types of data that may have been compromised. That process was completed on March 12, 2024, and notification letters started to be mailed to the affected individuals on March 15, 2024. The affected individuals have been offered complimentary identity theft protection services.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: Social Security number, driver’s license or state identification number, date of birth, medical information, diagnosis, treatment information, MRN/patient identification number, incidental health reference, provider name, health insurance information, prescription information, Medicare/Medicaid number, and treatment cost information. Aveanna Healthcare said it has not found any evidence to indicate patient data has been misused.

UNC Hospitals & School of Medicine

UNC Hospitals & School of Medicine has reported a breach of its email environment. A School of Medicine employee received a phishing email from a known and trusted contact and followed the link in the email, believing the message to be a genuine communication. The employee’s email account was protected with multi-factor authentication (MFA); however, the threat actor tricked the employee into sharing the MFA code, allowing the email account to be accessed.

The email account was compromised on February 1, 2024, and the incident was discovered the following day. The account was immediately secured; however, patient information in the account may have been viewed or acquired. While there have been no reports of misuse of patient information, UNC Hospitals is offering complimentary credit monitoring services to individuals who had their driver’s license numbers, Social Security numbers, financial account information, and/or health insurance information exposed. At this stage, it is unclear how many individuals have been affected.

The post Email Accounts Compromised at Aveanna Healthcare and UNC Hospitals & School of Medicine appeared first on HIPAA Journal.