Paubox Launches HIPAA Compliant Online Forms

Paubox, the market leader in HIPAA-compliant email, has added a new feature to the Paubox Email Suite that allows HIPAA-regulated entities to create secure, HIPAA-compliant online forms for collecting patient data.

Healthcare providers need to collect information from patients and the easiest and most efficient way to do so is by using an online form. Patients can be sent a link to a form that they can access on their mobile devices and can quickly and efficiently provide the required information. They can share files and attach images to help their provider better prepare for an appointment, which can shorten appointment times and allow providers to see more patients.

Online forms streamline information collection and can be used for gathering feedback, arranging telehealth services, collecting insurance information, and obtaining consent. Before a HIPAA-regulated entity uses any online form, it must ensure that the form is HIPAA-compliant and securely collects, stores, and transmits patient data. Providers of online forms are classed as business associates, and their forms must be covered by a business associate agreement.

Paubox is a HITRUST CSF-certified leader in HIPAA-compliant communication and marketing solutions for healthcare organizations and is trusted by more than 5,000 healthcare organizations worldwide, including AdaptHealth, CostPlus Drugs, Covenant Health, and SimonMed Imaging. The new Paubox Forms feature is covered by Paubox’s business associate agreement and can be used free of charge with existing Paubox Email Suite paid subscriber plans.

Paubox Forms includes an intuitive form builder that allows healthcare organizations to create forms for a variety of different healthcare needs, including customizable question types such as text fields, dropdowns, multiple-choice, signature collection, and secure file uploads. Paubox Forms integrates directly with Paubox Marketing and enhances the efficiency of patient communications and marketing and allows patients and staff to share information and files without the cumbersome need for portals or extra steps.

“With Paubox Forms, we’re setting a new standard for secure patient data collection in healthcare. Providers can gather essential information effortlessly while upholding the highest standards of HIPAA compliance and data protection. It’s our commitment to advancing healthcare communication with solutions that are secure and seamlessly integrated into daily workflows, empowering providers to deliver better care without compromising on privacy or efficiency,” Hoala Greevy, CEO of Paubox told The HIPAA Journal. “Paubox Forms was inspired by our commitment to innovation and customer feedback. We’ve created a solution that not only meets the current needs of healthcare providers but also paves the way for future advancements in secure healthcare communication.”

Early adopters of the forms have benefited from the speed and efficiency of data collection. “As the landscape changes, remote clients need new workflows designed around them,” said Tony Cox, CIO at Henderson Behavioral Health, who has recently started using Paubox Forms. “The biggest advantage of an online form over paper is speed, getting the consent or Release of Information in before the client’s appointment, which allows us to be better prepared and see more clients.”

The post Paubox Launches HIPAA Compliant Online Forms appeared first on HIPAA Journal.

FTC Orders Blackbaud to Improve Security and Enforce Data Retention Policies

The Federal Trade Commission (FTC) has ordered South Carolina-based Blackbaud to implement a raft of security measures and enforce its data retention policies to ensure that customer data is not retained any longer than it is needed. Blackbaud is a customer relationship management software provider whose software is used by 35,000 fundraising entities, including many nonprofit healthcare organizations, to increase philanthropic revenue. In early 2020, a hacker used a Blackbaud customer’s login name and password to access the customer’s Blackbaud-hosted database. Once access was gained, the hacker was able to move laterally by exploiting security vulnerabilities to access multiple Blackbaud-hosted environments and remained undetected in Blackbaud’s environment for 3 months.

Over those 3 months, the hacker exfiltrated a vast amount of unencrypted data from tens of thousands of customers, which included the personal and protected health information of millions of individuals. The stolen data included names, contact information, medical information, health insurance information, Social Security numbers, and bank account details. The hacker threatened to publish the stolen data and Blackbaud negotiated a 24 Bitcoin ($235,000) payment for the data to be deleted. Blackbaud was, however, unable to conclusively verify that the stolen data had been deleted.

A Catalog of Security Failures

According to the FTC complaint, the acts and practices of Blackbaud constituted unfair and/or deceptive practices in violation of Section 5(a) of the Federal Trade Commission (FTC) Act. The FTC alleged that Blackbaud had failed to implement reasonable and appropriate security practices to protect the sensitive personal information of consumers. The lack of safeguards allowed an unauthorized individual to gain access to customer data, and deficient security practices, together with the failure to enforce its data retention policies, magnified the severity of the data breach.

The FTC alleged that Blackbaud allowed customers to store highly sensitive information such as Social Security numbers and bank account information in unencrypted fields and customers could upload attachments containing sensitive personal information which were not encrypted. Further, Blackbaud did not encrypt its database backup files which contained complete customer records from the products’ databases.

While Blackbaud had data retention policies, these were not enforced, which meant the company retained the data of its customers for years longer than was necessary, even the data of former customers and prospective customers. The FTC also slammed Blackbaud for waiting for 2 months to notify customers about the data breach and misrepresenting the scope and severity of the data breach in those notifications due to “an exceedingly inadequate investigation.”

Blackbaud explained in the July 16, 2023, notification letters that financial information and Social Security numbers were not compromised and said no action was required because no personal information was accessed. Blackbaud’s post-breach investigation determined on July 31, 2020, that the hacker had exfiltrated customer data, but then waited until October 2020 to disclose that information to its customers.

The affected consumers were denied the opportunity to take steps to protect against identity theft and fraud, and since the breach, Blackbaud has received multiple complaints from consumers about identity theft and fraud using their personal information, indicating the hacker did not delete the data. Blackbaud did agree to pay for credit monitoring services, but those services were offered months after the breach and only to a limited subset of the affected customers.

Blackbaud made explicit representations about its information security practices which led customers to believe that personal information would be protected; however, the FTC alleged that there were insufficient password controls, a lack of multifactor authentication, a failure to monitor logs for signs of unauthorized system activity, a failure to enforce its data retention policies, a failure to patch outdated software and systems promptly, a failure to implement appropriate firewall controls, a failure to implement appropriate network segmentation, and a failure to test, audit, assess, or review its products’ or applications’ security features. Blackbaud also failed to conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases.

FTC Orders Major Security Updates and Data Deletion

The FTC alleged unfair information security practices, unfair data retention practices, unfair inaccurate breach notifications, deceptive initial breach notifications, and deceptive security statements. The FTC’s proposed order requires Blackbaud to implement and maintain a comprehensive information security program that complies with industry best practices. The order includes 14 security requirements and Blackbaud is also required to delete all customer data that is not required and undergo independent security assessments.

“Today’s action builds on a series of cases that have made clear that maintaining a data retention and deletion schedule is a critical part of protecting consumers’ data security,” said FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya in a joint statement about the consent order. “The Commission has also made clear that efforts to downplay the extent or severity of a data breach run afoul of the law.”

Blackbaud previously settled a multistate action with the attorneys general in 48 states and the District of Columbia and paid a $49.5 million penalty, and was ordered to pay a $3 million civil monetary penalty by the U.S. Securities and Exchange Commission for omitting important facts about the data breach in its August 2020 quarterly report. Blackbaud is also being sued by consumers whose personal information was stolen.


LockBit Ransomware Gang Claims Responsibility for Attack on Saint Anthony Hospital

The LockBit ransomware gang has added Chicago’s Saint Anthony Hospital to its data leak site and is demanding a ransom payment of almost $900,000 from the nonprofit hospital to prevent the release of the stolen data. Earlier this week, Saint Anthony Hospital confirmed that it was still investigating the attack, which was detected on December 18, 2023. Saint Anthony Hospital took immediate action to secure its network to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the unauthorized activity. The prompt action taken by the hospital in response to the attack allowed care to continue to be provided to patients without disruption.

The investigation confirmed on January 7, 2024, that an unknown, unauthorized third party had copied files from its network on December 18, 2023, which contained patient information. Those files are being reviewed to determine the number of patients affected and the types of information involved, and that process is ongoing. At this stage, Saint Anthony Hospital is unable to say how many individuals have been affected and the specific types of data involved. Individual notification letters will be mailed to the affected individuals when that process is completed.

While the theft of patient data has been confirmed, the forensic investigation did not find any evidence that its electronic medical record database or financial systems as a whole were compromised. Saint Anthony Hospital said that as part of its commitment to data privacy, existing data security policies and procedures are being reviewed and will be updated as appropriate to better protect patient data in the future. The incident has been reported to the Federal Bureau of Investigation, the Department of Health and Human Services, and other regulators. Since some patient data has been stolen, patients have been advised to remain vigilant against identity theft, to review their account statements and explanation of benefits statements for unusual activity, and to report any suspicious activity to their insurance company, health care provider, or financial institution.

Since the notification was issued, the LockBit ransomware group has added Saint Anthony Hospital to its data leak site. The LockBit group has previously claimed that it prohibits affiliates from attacking hospitals. Last year, an affiliate conducted an attack on Toronto’s Hospital for Sick Children (SickKids), which was promptly followed by an apology from the group; a free decryptor was issued to allow the hospital to recover its files, and the group claimed that the affiliate behind the attack had been expelled from its program for violating its operating rules. The latest attack suggests its policy of not attacking hospitals has been abandoned. In the listing on its data leak site, the LockBit group claimed that “Always US hospitals put their greedy interest over those of their patients and clients,” apparently oblivious to the fact that Saint Anthony Hospital is a nonprofit healthcare provider.

Saint Anthony Hospital has indicated the ransom will not be paid. “As a vital safety-net hospital to the people in the communities we serve, we are dedicated to using our resources to care for our community’s most vulnerable and not to rewarding the illegal actions of bad actors,” said CIO Jeff Eilers.
