February 29, 2024: HIPAA Deadline for Reporting Small Healthcare Data Breaches
The deadline for reporting healthcare data breaches of fewer than 500 records is fast approaching. These small data breaches usually need to be reported by March 1; however, since 2024 is a leap year, this year’s deadline is February 29.
The HIPAA Breach Notification Rule requires HIPAA-regulated entities to issue notifications to all individuals whose protected health information has been exposed or impermissibly disclosed without unnecessary delay, and no later than 60 days from the discovery of a data breach. HIPAA-regulated entities are also required to report data breaches to the Secretary of the HHS via the Office for Civil Rights (OCR) breach reporting portal.
The HIPAA Breach Notification Rule requires large data breaches – those that affect 500 or more individuals – to be reported to OCR no later than 60 days from the date of the discovery of the data breach, but there is more flexibility for reporting data breaches affecting fewer than 500 individuals. HIPAA-regulated entities must also report these breaches via the OCR breach reporting portal, but they have 60 calendar days from the end of the year when the breach was discovered to report the data breaches.
If a HIPAA-regulated entity chooses to take advantage of this Breach Notification Rule flexibility, the extended time frame ONLY applies to breach reporting to OCR. The individuals who had their PHI exposed or impermissibly disclosed must still be notified about the breach within 60 days of when the breach was discovered.
All data breaches must be reported individually through the OCR breach reporting portal. The breach reports must include details of the breaches and the efforts made to remediate those incidents. If a HIPAA-regulated entity has experienced multiple small data breaches, reporting these breaches may take some time. It is therefore best not to wait until the last minute to report these small data breaches.
The post February 29, 2024: HIPAA Deadline for Reporting Small Healthcare Data Breaches appeared first on HIPAA Journal.
HHS guidance on using online tracking technologies: How to make your analytics HIPAA-compliant – pharmaphorum
February 29, 2024: HIPAA Deadline for Reporting Small Healthcare Data Breaches – The HIPAA Journal
Never Say Never Again: HHS Signals the Return of HIPAA Audit Program – Quarles & Brady LLP
Never Say Never Again: HHS Signals the Return of HIPAA Audit Program Quarles & Brady LLP
Free Decryptor Released for Rhysida Ransomware – HIPAA Journal
Free Decryptor Released for Rhysida Ransomware HIPAA Journal
Free Decryptor Released for Rhysida Ransomware – HIPAA Journal
Free Decryptor Released for Rhysida Ransomware HIPAA Journal
Free Decryptor Released for Rhysida Ransomware
Healthcare organizations that have been unable to recover files that were encrypted in Rhysida ransomware attacks may now be able to recover the files for free as a decryptor has been released.
Rhysida is a ransomware-as-a-service operation that emerged in May 2023. Like many emerging ransomware groups, attacks have been conducted on U.S. healthcare organizations. In August 2023, following attacks on the healthcare and public health sector, the HHS’ Health Sector Cybersecurity Coordination Center issued an alert about the group. In November, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory and shared indicators of compromise and mitigations.
Organizations that were unable to prevent attacks and chose not to pay the ransom may now be able to recover their encrypted files. Researchers in South Korea identified an encryption flaw in the encryptor used by Rhysida ransomware, which has allowed them to develop a Windows decryptor. The random number generator (CSPRNG) used to generate a unique private encryption key was flawed, which allowed them to determine the initial state of CSPRNG during an attack. Since the method used does not include high entropy data sources, the seed value used when encrypting files is predictable. Knowing the initial CSPRNG state and then reviewing logs and other data at the time of the infection allowed the researchers to identify a range for the seed value. The decryptor tries potential seed values until it finds the correct value and from there it is possible to determine all random numbers used to encrypt files and recover all locked data.
An automated decryption tool was developed and has been made available free of charge on the Korean Internet & Security Agency (KISA) website along with a technical paper in English and Korean that explains how to use the decryptor. The decryptor can only be used to recover files that have been encrypted using the Rhysida Windows encryptor. Several cybersecurity firms had already found the flaw and were able to recover files encrypted by Rhysida. Unfortunately, now that the flaw has been made public, the ransomware developer is likely to fix it. When that happens, recovery of files will only be possible from backups or by paying the ransom.
The post Free Decryptor Released for Rhysida Ransomware appeared first on HIPAA Journal.
February 14, 2024 Healthcare Data Breach Round-Up
Data breaches have recently been reported by the Hampton-Newport News Community Services Board, Marywood Nursing Care Center, Health Alliance, United Regional Health Care System, Nabholz Construction, and J.D. Gilmour & Co.
Hampton-Newport News Community Services Board
The Hampton-Newport News Community Services Board, a Virginia-based provider of behavioral health and intellectual and developmental disability services, has notified 44,312 individuals that some of their protected health information was compromised in a recent ransomware attack. Technical disruptions were experienced on November 12, 2023, and it soon became clear that the disruption was due to the use of ransomware. Third-party cybersecurity experts were engaged to assist with the investigation and remediation, and they determined that the attackers gained access to its network on September 26, 2023.
A review was conducted of all files that could have been accessed which confirmed that patient data had been exposed. The exposed data varied from patient to patient and may have included names in combination with Social Security numbers, addresses, ZIP codes, driver’s license numbers, dates of birth, clinical information such as diagnosis/conditions, lab results, medications or other treatment information, claims information and insurance information. The Hampton-Newport News Community Services Board was unable to confirm if the above data was accessed or stolen in the attack. Credit monitoring and identity restoration services have been offered to the affected individuals.
Marywood Nursing Care Center
Marian Village Corporation, doing business as Marywood Nursing Care Center in Massachusetts, experienced a security breach that involved the protected health information of 6,178 individuals. The breach notification sent to the Massachusetts Attorney General does not state when the breach was detected or when it occurred, only that an unauthorized individual accessed its network and potentially stole files that contained names, claim information, and addresses. No other information was compromised in the attack. The affected individuals have been offered complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge. Marywood said it has deployed additional monitoring tools and will continue to review and enhance the security of its systems.
Health Alliance
Health Alliance in Illinois has recently confirmed that the protected health information of 6,900 of its members was exposed in a data breach at a subcontractor of one of its business associates. Health Alliance Contracted with OnTrak, which used the subcontractor Keenan. On August 27, 2023, Keenan discovered the unauthorized access and disconnected its network to contain the incident. The forensic investigation confirmed that an unauthorized third party had gained access to records containing health plan members’ data. Keenan notified Health Alliance about the breach on December 20, 2023, and provided a list of the affected members on January 10, 2024.
Health Alliance then reviewed and matched the list to the records of its members and notification letters have now been sent. Health Alliance said the following information was compromised in the incident: name, address, member number, date of birth, health coverage information, and, in some cases, Social Security number. Keenan has offered the affected individuals a 24-month membership to the Experian IdentityWorksSM Credit 3B service.
Nabholz Construction
Nabholz Construction, a provider of construction-related services in Arkansas, has been affected by a data breach at Cadence Bank, that exposed the protected health information of 5,326 members of its Corporation Employee Welfare Health Plan. Cadence Bank informed Nabholz on November 29, 2023, that data had been exposed in a cyberattack that exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. Progress Software issued a patch to fix the vulnerability on May 31, 2023; however, Cadence Bank determined that the vulnerability had been exploited between May 28, and May 31, 2023. The data compromised in the attack included names, Social Security numbers, dates of birth, addresses, medical information such as treatment information, provider names, medications, and health insurance information.
J.D. Gilmour & Co., Inc.
J.D. Gilmour & Co., Inc., a Glendale, CA-based insurance agency, discovered unauthorized access to its email environment on June 29, 2023. Third-party cybersecurity experts were engaged and conducted a forensic investigation of its entire email tenant, which confirmed there had been unauthorized access to a single employee email account. The review of the email account determined on October 27, 2023, that the protected health information of 2,481 individuals had been exposed. On December 21, 2023, J.D. Gilmour & Co. obtained the authorization to mail notification letters from the affected client. The affected individuals have been offered Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no cost.
United Regional Health Care System
United Regional Health Care System has recently reported a hacking-related data breach to the HHS’ Office for Civil Rights that affected 36,900 patients. There is currently no mention of a data breach on the website of the Wichita Falls, TX-based health system but the breach notification submitted to the Texas Attorney General states the breach occurred on May 30, 2023, and involved names, dates of birth, medical information, and insurance information.
The post February 14, 2024 Healthcare Data Breach Round-Up appeared first on HIPAA Journal.