Extortion Attempt on Sports Medicine Provider Exposes Private Data of 7,000 Individuals
Sports Medicine & Rehabilitation Therapy (SMART), based in Massachusetts, has contacting 7,000 clients regarding a breach of their protected private health information that occurred in September 2017. Potentially, the breach impacted all clients whose data was saved during a visit to a SMART outlet prior to December 31, 2016. Hackers, in an extortion attempt, accessed SMART systems, allegedly stole private information, and asked...
Multiple Breaches Lead to $2m Fine for Cottage Health
Cottage Health, the Santa Barbara-based healthcare provider, will pay $2 million to resolve multiple violations of state and federal laws as per a directive from the California attorney general’s office. The group was examined by the California attorney general’s office in relation to a breach of private patient data back in 2013. The breach of data was found by the organization on December 2, 2013, when someone made the healthcare...
Rocky Mountain Health Care Services has Second Unencrypted Laptop Stolen
An unencrypted laptop has been stolen from one of its employees of Rocky Mountain Health Care Services of Colorado Springs. This is the second such incident to be identified in just three months. The most recent incident was identified on September 28. The laptop computer was seen to store the protected health information of a small number of patients. The types of data stored on the device included first and last names, addresses,...
Clinic Worker Who Stole PHI Jailed for Five Years
A staff member at a clinic who stole the protected health information of mentally ill patients and sold the data to identity thieves for profit has fail in an appeal to get a five-year jail term lessened. Jean Baptiste Alvarez, aged 43, of Aldan, PA, obtained daily census sheets from the Kirkbride Center, a 267-bed behavioral health care facility located in Philadelphia. The census sheets included all the information required to steal...
Suspected UPMC Susquehanna Phishing Attack Exposes 1,200 Patients’ PHI
A network of hospitals and medical centers in Williamsport, Wellsboro and Muncy in Pennsylvania, called UPMC Susquehannam has revealed that the protected health information of 1,200 patients has possibly been accessed by unauthorized people. Access to patient information is thought to have been obtained after an worker replied to a phishing email. While information regarding the breach date have not been published, UPMC Susquehanna...
Blue Cross and Blue Shield of Florida Breach Impacts Almost 1,000 People
Blue Cross and Blue Shield of Florida, dba Florida Blue, has announced to the public that the personally identifiable information of a small number of insurance applicants has been improperly accessed online. Florida Blue discovered to the exposure of patient data in late August 2017 and immediately initiated a review. Florida Blue reports that the showed that 475 insurance applications had been saved to the cloud by an unaffiliated...
New Jersey Medical Practice has Boxes of Medical Records Stolen
Otolaryngology Associates of Central Jersey is making contact with patients to advise them of breach of their protected health information, following a theft at an off-site storage service in East Brunswick, NJ. The thieves removed thirteen boxes of paper medical records from the service, which included data like names, addresses, health insurance account numbers, birth dates, dates of military duty served, and the names of treating...
Alex Azar Nominated for HHS Secretary by President Trump
Alex Azar, the former Deputy Secretary of the Department of Health and Human Services, is now the favorite to take over the reins from former Secretary Tom Price after receiving the presidential nomination for the role by President Trump. During the Presidential term of George W. Bush, Azar served as general counsel to the HHS and Deputy Secretary President Trump confirmed, via his Twitter account, that he believes Azar is the best...
Cook County Health Patients Affected by Data Breach
Illinois-based Cook County Health and Hospitals System, a health system comprising two hospitals and more than a dozen community health centers in Cook County, has advised its patients of a possible breach of their protected health information. The breach was experienced at the offices of Experian Health, a business associate of Cook County Health and Hospitals System. Experian Health is utilized to determine insurance eligibility and...
2017 Data Breach Report Reveals 305% Annual Rise in Breached Records
The Risk Based Security (RBS) 2017 data breach report has shown there has been a 305% surge in the number of records exposed in data breaches in the last 12 months. For its latest breach report RBS, a provider of real time information and risk analysis tools, reviewed analyzed breach reports from the first three quarters of 2017. RBS explained in a recently published blog post, this year has been “yet another record breaker for data...
NY AG Brings in Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
Aiming to protect New Yorkers from unwelcome breaches of their personal information, The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. It is hoped that this Act with ensure that those affected will be notified when such breaches are incurred. Sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian...
New Variant of WannaCry Ransomware Detected in FirstHealth CyberAttack
A new variant of the WannaCry ransomware has been detected in a cyber attack on FirstHealth of the Carolinas, a Pinehurst, SC-based not for profit health provider. WannaCry ransomware came to global attention in cybers attacks in May 2017. In excess of 230,000 computers were infected within one day of the worldwide attacks starting. The ransomware variant had wormlike features and was capable of spreading quickly and affecting all...
Dental Offices and HIPAA Compliance: What Needs to Be Addressed?
Dr. Joseph Beck became the first ever dentist to be receive a HIPAA violation fine in 2014. This alerted dental offices to HIPAA compliance and the importance of it. Until then, dental offices had not been subjected fines for noncompliance with HIPAA Rules. The penalty was not applied by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. The fine of $12,000...
Consolidated Inc. Data Breach Impacts 21,856 People
Nebraska-based CBS Consolidated Inc., operating as Cornerstone Business & Management Solutions, completed a routine audit of system logs on July 10, 2017 and found an unfamiliar account on the server. Closer inspection of that account showed it was being used to download sensitive data from the server, including the protected health information of patients that used its medical supplies. 21,856 people who received durable medical...
3,725 Veterans Have Their PHI Exposed Due to Missing Laptop
A laptop computer, no longer in use, owned by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has gone missing, potentially leading to the exposure of sensitive patient data. The laptop was linked to a hematology analyzer and held data related to hematology tests. The laptop was in operation between April 2013 and May 2016, but was put out of use when the device became unusable. The laptop, which had been purchased from...
Data Breaches Drop For Second Consecutive Month
The latest report of the Breach Barometer from Protenus/Databreaches.net Healthcare shows that data violations have dropped for the second consecutive month, according to . In August, there were 33 reported healthcare data violations, down from 36 incidents in July and 56 in June. While the drop int he number of data breaches is encouraging, that is still more than one healthcare data breach per day. While it was the second best month...
OIG: Multiple Security Weaknesses in Alabama’s Medicaid Management Information System
The HHS’ Office of Inspector General (OIG) has completed an audit of Alabama’s Medicaid data and information systems to adetermine whether the state was in compliance with federal regulations. The review included the Medicaid Management Information System (MMIS) and associated policies and processes. OIG also carried out a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could...
HHS Withdraws Proposed Rule for Health Plans Certification of Compliance
A new rule for certification of compliance for health plans was proposed by the HHS In January 2014, requiring all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate HIPAA compliance. The proposed rule ‘Administrative Simplification: Certification of Compliance for Health Plans’ was drafted to promote more consistent testing procedures for CHPs. The HHS has now dediced to withdraw the...
Medical Device Cybersecurity Emphasis for New AEHIS/ MDISS Partnership
A new working relationship d between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS) will focus on helping advance medical device cybersecurity and improve patient data security. The two groups will cooperate to aid members identify, mitigate, and prevent cybersecurity...
Internet of Things Medical Resilience Partnership Act to Provide Direction on Devices
The Internet of Medical Things Resilience Partnership Act, aimed at establishing public-private stakeholder partnership which will be tasked with developing a cybersecurity framework to prevent data breaches, has been approved by the U.S. House of Representatives. The hope is that this framework will be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more secure from...
Over Half of Cloud Storage Services are Misconfigured: Report
A recent report by cloud threat defense firm RedLock claims more than half of businesses have made errors that have exposed sensitive data to the general public vuia the cloud. The study shows many organizations are not adhering to established security best practices, such as using multi-factor authentication for all privileged account subscirbers. Worse again, many groups are failing to constantly review their cloud environments...
Hacking Group ‘The Dark Overlord’ Attacks Another Healthcare Organization
After a seemingly prolonged period of inactivity, the hacking group TheDarkOverlord has revealed another attack on a U.S. healthcare supplier, Mass-based SMART Physical Therapy (SMART PT). The hack reportedly happened on September 13, 2017, with the announcement of the data theft released by TDO on Twitter on Friday 22, 2017. No details were given as to how access to the data was gained, although it was revealed to databreaches.net...
What is the Definition of a HIPAA Covered Entity?
HIPAA compliance applies to covered entities and business associates, but what is the definition of a HIPAA covered entity and what are HIPAA business associates? Knowing the definition of a covered entity and business associate is essential. If you are classed as either, you must comply with HIPAA Rules. There are severe financial penalties for noncompliance with HIPAA and ignorance is not a valid defense. What is the Definition of a...
Catholic Charities of the Diocese of Albany Discovers Long-Term Malware Infection
Catholic Charities of the Diocese of Albany (CCDA) has discovered, during a software upgrade in August 2017, that malware was installed on one of the computer servers used by its Glens Falls premise, which provides services in Saratoga, Warren and Washington Counties in New York. A quick response was taken to block access to the server and CCDA called in a computer security firm to carry out an investigation into the unauthorized...
Responding to a Cyberattack: Advice Issued by OCR
Recently, the Department of Health and Human Services’ Office for Civil Rights published new guide lines for covered organizations on the correct way to respond to a cyberattack. These guideline included a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of steps that should be taken. Preparation is key is a correct response. Covered entities must have response and...
128,000 Arkansas Patients Attacked with Ransomware
128,000 patients at the Arkansas Oral Facial Surgery Center in Fayetteville have had their private information potentially impacted following a a ransomware. Ransomware was believed to have been placed on its network between July 25 and 26, 2017. The attack was identified quickly, although not before files, x-ray images, and documents had been encrypted. The incident did not break through the encryption of its patient database, except...
HITRUST/AMA Begin Project to Assist Small Healthcare Firms with HIPAA Compliance
HITRUST has revealed it will be working with the American Medical Association (AMA) for a new project that will assist small healthcare companies with HIPAA compliance, cybersecurity and cyber risk management. Small healthcare providers can be more exposed to cyberattacks, as they usually lack the resources to dedicate to cybersecurity and do not tend to have the budgets at their disposal to employ skilled cybersecurity staff. This...
HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone
A partial waiver of HIPAA has been issued by the U.S. Department of Health and Human Services in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands, the thrid such waiver of 2017 following the has already issuing of waivers of HIPAA sanctions and penalties in areas affected by hurricanes earlier this year. The previous waivers were issued in relation to Hurricane Harvey and Hurricane Irma and, as was the...
Hospitals in Irma Disaster Area Granted Limited HIPAA Waiver
A limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Hurricane Irma has been issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in the U.S. Virgin Islands, Puerto Rico, and Florida. OCR says that the HIPAA Privacy and Security Rules are still in place and covered organizations must continue to obey HIPAA Rules; however, certain parts of the Privacy Rule have...
OCR Warns Covered Entities to Prepare for Natural Disasters
Medical Centers and Hospitals in Texas and Louisiana have been stretched due to Hurricane Harvey,and are trying to provide medical services without breaching HIPAA Rules. Concern arose regarding when it is allowable to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights...
Finding ‘Big, Juicy, Egregious’ HIPAA Breaches Priority for OCR Head
The main enforcement priority for 2017 of Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), is to find a “big, juicy, egregious” HIPAA breach to use as an example for other healthcare groups on the risks of failing to follow HIPAA Rules. When choosing which cases to pursue, OCR considers the chance to use such a case as an educational tool to warn covered groups of the need to...
Hurricane Harvey Disaster Zone: HHS Issues Partial Waiver of HIPAA Sanctions
HHS Secretary Tom Price announced that OCRis issuing a partial waiver of sanctions and financial penalties for specific Privacy Rule breaches for hospitals in Texas and Louisiana in the Hurricane Harvey emergency zone. This partial waiver is only applicable to the provisions of the HIPAA Privacy Rule as outlined below: The obligations to recieve a patient’s agreement to talk with family members or friends involved in the patient’s...
HIPAA Privacy Rule Violation Penalties Waived in Wake of Hurricane Harvey
Secretary of the U.S. Department of Health and Human Services Tom Price has announced that certain HIPAA compliance violation penalties will be waived in the disaster area of Hurricane Harvey in Texas and Louisiana. Following any natural disaster, hospitals and health systems must operate in difficult circumstances. During such times, it can be a major challenge to provide treatment while complying with all aspects of HIPAA Rules....
Noncompliance With HIPAA: Costs for Healthcare Organizations
Noncompliance with HIPAA can cost healthcare organizations dearly. If regulators discover willful violations of HIPAA Rules, multi-million-dollar fines are possible. Fines for Noncompliance with HIPAA Rules The Department of Health and Human Services’ Office for Civil Rights is the primary enforcer of HIPAA Rules and investigates all data breaches that impact more than 500 individuals. When a data breach is experienced, the breached...
Getting Basics Correct Key to Avoiding Data Breaches
Intrusion identification systems, next generation firewalls, insider threat management software and data encryption will all help healthcare groups recognize danger, cut out security violations, and identify attacks quickly when they happen. even with all of these measures it is still vitally important to address the security basics. The Office for Civil Rights Breach portal is filled with examples of HIPAA data breaches that have...
Breach Notification Rule is Violated by Delaying Issuing of Breach Notifications
The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) states that covered organizations to advise the HHS’ Office for Civil Rights of any violation of private health information and issue notification correspondence to affected people as soon as is unreasonable and no later than 60 days after the identification of the breach. July’s Breach Barometer reports from Protenus indicated that many covered organizations have had...
U.S. Senate Passes Jessie’s Law Allowing Drug Histories to be Shared with Doctors
Last week, the U.S. Senate passed new legislation – Jessie’s Law – that allows details of patients’ past drug abuse to be shared with physician’s if patients give their consent. At present, drug abuse histories are prohibited from being shared to protect the privacy of patients. That information is kept separate from a patient’s medical record. Unfortunately, the law can have terrible consequences, as was highlighted by a tragic...
2017 Healthcare Data Breach Trends Highlighted in Protenus Report
Protenus, working with Databreaches.net, has released its Breach Barometer mid-year review. The report includes all healthcare data violations reported over the past six months and gives important insights into the latest data breach trends. The Breach Barometer is a detailed review of healthcare data breaches, including not only the data breaches made known to the Department of Health and Human Services’ Office for Civil Rights’...
NotPetya Attack on Nuance Communications Not Reported to OCR
The Department of Health and Human Services’ Office for Civil Rights has previously made it clear, in its ransomware guidance, if ePHI is encrypted ransomware attacks are usually HIPAA breaches and are always reportable violations. In the guidance on ransomware guidance OCR says that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” adding that the definition of a...
47% of Healthcare Orgs Have Had a HIPAA Data Breach in the Past 24 Months
A recent survey conducted by KMPG has revealed that 47% of healthcare organizations have experienced a HIPAA data breach in the past 24 months. The last time the KPMG Cyber Healthcare and Life Sciences Survey was conducted in 2015, 37% of respondents confirmed they had experienced a data breach over the same time period. 70% of respondents said they had experienced at least one security breach due to an unplugged vulnerability being...
HIPAA Breaches Under Investigation Highlighted in OCR Data Breach Portal Update
In June 2017, the Department of Health and Human Services announced it was considering an update to its data breach portal, normally called the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act states that the OCR must maintain a public list of breaches of protected health information that have affected more than 500 individuals. All 500+ record data breaches submitted or made known to OCR since 2009 are listed on the breach...
33% of Patients Access Their Health Data via Patient Portals
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allow people to view information regarding their health stored by their providers. However, as revealed in a recent U.S. Government Accountability Office (GAO) report, few patients are actually exercising this right using the provided patient portals. The Medicare Electronic Health Record Incentive Program encouraged healthcare organizations to move from...
Data Breach Reporting Tool Updated by OCR
Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights developed its data breach reporting tool to allow HIPAA-covered entities to easily submit reports of data breaches. A summary of data breach reports is published via the data breach reporting tool and is viewable by the public. The data breach list – which is commonly known as OCR’s Wall of Shame – details all reported...
Model Patient Request for Health Information Form Issued by AHIMA
A model patient request for health information form has been issued by the American Health Information Management Association (AHIMA) that can be used by healthcare providers to give to patients who request copies of their health information. The HIPAA Privacy Rule permits patients to obtain copies of their health data from their providers, although at many hospitals the process is inefficient, lacks transparency and patients are...
Hows Does HIPAA Affect Use of Google Drive?
The service G Suite – formerly known as Google Apps, of which Google Drive is a part – is compliant with HIPAA. The service does not breach HIPAA Rules, however users of the service may breach the rules themselves. G Suite includes all of the required security measures controls to make it a HIPAA-compliant service and can be used by HIPAA-covered organizations to share PHI (in accordance with HIPAA Rules), once the account is...
Study: Data Breaches by Ex Employees a Concern
A recent study carried out by OneLogin showed many groups are not doing enough to stop data violations by ex-employees. While access to computer systems and applications is a requirement during employment, many organizations are neglecting to block access to systems quickly when employees depart the company, even though ex-employees pose a significant data danger to security. Preventing access to networks and email accounts when an...
ONC Office of the Chief Privacy Officer Funding Stopping in 2018
The withdrawal of funding for the Office of the Chief Privacy Officer has resulted in ONC National Coordinator Don Rucker, M.D. confirming that the office will be closed during 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been acting as Acting Chief Privacy Officer until a permanent replacement to the role previously filled by Lucia Savage is identified, following her departure in January. It now seems...
HHS Announces Closing Out of Office of the Chief Privacy Officer
The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) will be closing out the Office of the Chief Privacy Officer in FY 2018 due to cuts to its budget. The budget cuts are intended to make the ONC more accountable and a much leaner organization. The ONC will have to operate with $22 million less funding in FY 2018, and the Office of the Chief Privacy Officer is one of...
ONC Offers Tips to Improve Patient Data Access
The HHS’ Office of the National Coordinator for Health Information Technology (ONC) has given covered entities tips to improve patient data access, explaining how important it is for patients to be given access to their health information. In its report – Improving the Health Records Request Process for Patients – ONC explains that under HIPAA Rules, patients are given the right to access their records. Healthcare organisations must...
File Sharing Tools and Cloud Computing: OCR Highlights Risks
File sharing and collaboration services offer many advantages to HIPAA-covered companies, although the services can also introduce risks to the privacy and security of electronic health information. Many groups use these services, including among those healthcare organizations, yet they can lead to the exposure or disclosure of sensitive information. The Department of Health and Human Services’ Office for Civil Rights (OCR) has...
Anthem Agrees Largest Ever Data Violation Settlement
The largest ever data violation settlement has recently been agreed by the health insurer Anthem Inc. Anthem was hit with a cyber attack in 2015 resulting in the theft of 78.8 million records of current and former health plan subscribers. The breach involved names, addresses, Social Security numbers, email addresses, birth dates and employment/income information being accessed with the necessary permission. A breach of that size...
Healthcare Data Breach Resolution Costs Fall
Healthcare data breach resolution costs are still higher than all other industries, but the latest Ponemon Institute/IBM Security study has shown that for the first time ever, those costs have fallen year-over-year. For seven years, Ponemon/IBM have been conducting their cost of a data breach study, and each year the costs of resolving data breaches has risen. However, this year, average breach resolution costs fell by around 10%. The...
Healthcare Data Breach Report Shows Breaches Are Taking Years to Detect
The latest healthcare data breach report issued by Protenus, in conjunction with databreaches.net, shows healthcare data breaches increased in May, with 37 breaches reported compared to 34 the previous month. The numbers of records exposed in those breaches was 255,108, although not all breach figures are known. That still represents a jump from last month when 232,060 healthcare records were known to have been exposed or stolen. One...
CoPilot Fined $130,000 by NY AG for Breach Notification Submitted Late
A data breach that happened in the second half of 2015 should have seen targeted people warned within 2 months. However it took CoPilot Provider Support Services Inc., until January 2017 to send out official breach notifications. An administration portal controlled by CoPilot was accessed by an unauthorized person on October 26, 2015. That person also stole the data of 221,178 people. The stolen data included names, dates of birth,...
New York Attorney General Fines CoPilot for Delaying Breach Notifications
Under Health Insurance Portability and Accountability Act (HIPAA) Rules, covered entities must report data breaches within 60 days of the discovery of a breach. Affected individuals must also be notified within the same time frame. State legislation has been introduced that similarly requires organizations to issue notifications and report the incidents to state officials. Breach reports are also covered by other federal legislation...
HHS Looking Into OCR’s Wall of Shame Following Criticism
The Department of Health and Human Services’ Office for Civil Rights started publishing OCR’s ‘Wall of Shame’ – summaries of healthcare data breaches – on its website in 2009. The data breach list only includes a short synopsis of data breaches, including the name of the covered organization, the state in which the covered organization is based, covered organization type, date of notification, type of...
HHS Considers Making Changes to the OCR Wall of Shame
Since the HITECH Act came into force in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing data breach summaries on its website. The website lists brief details of the type of data breach experienced by HIPAA-covered entities with information such as the cause of the breach, the devices that were involved, the number of individuals affected and the name of the company that experienced...
OCR Issues Guidance on the Correct Response After a Cyberattack
The increase in hacking incidents in 2017 and major worldwide cyber incidents such has Wannacry ransomware attacks have prompted the Department of Health and Human Services’ Office for Civil Rights (OCR) to issue new guidance on the correct response after a cyberattack. Yesterday, OCR sent a Quick Response Cyber Attack Checklist to its security and privacy list subscribers explaining the correct procedures to follow after a...
Need for Access Controls and Alerts Highlighted by Internal Staff Snooping Incidents
Ransomware, malware and unaddressed software weaknesses pose a danger to the confidentiality, integrity and access to PHI, although healthcare groups should put in place processes to deal with the threat internally. This year has seen a multitude of cases involving employees snooping and accessing medical records without permission. The HIPAA Security Rule 45 CFR §164.312(b) requires covered organizations to “Implement hardware,...
$387,000 HIPAA Penalty for Disclosing HIV Status to Employer
Following a Department of Health and Human Services’ Office for Civil Rights (OCR) investigation of a complaint about a case of impermissible disclosure of PHI, St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA compliance violations In September 2014, a complaint was submitted to the OCR about a possible privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the...
Egregious HIPAA Breach Punished with $378,000 Fine
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced yet another settlement to resolve HIPAA violations, this time for the careless handling of extremely sensitive health information. St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $378,000 to resolve an impermissible disclosure of patients’ protected health information to their employers. A wide range of highly sensitive information...
Dept. of Health and Human Services Issues Ransomware Warning
Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and...
NIST Issues Guidance on Securing Drug Pumps
Guidance on securing drug pumps has been issued by the National Institute of Standards and Technology (NIST) to help healthcare organizations mitigate the risk of cyberattacks that could cause patients to come to harm or allow sensitive data to be stolen. Over the past two years there has been concern raised about the lack of security on medical devices, with drug pumps a particularly serious concern. If threat actors are able to gain...
$2.4 Million HIPAA Fine Following Memorial Hermann Health System HIPAA Breach
A HIPAA compliance breach arising from disclosure on a press release issued by Memorial Hermann Health System (MHHS) in September 2015 has led to the organization agreeing to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. MHHS is a 16-hospital health system which os located in Texas, treating patients in the Greater Houston area. In...
Memorial Hermann Health System HIPAA Fine Issued for Improper Disclosure of PHI
An unauthorized disclosure of a patient’s name has resulted in a Memorial Hermann Health System HIPAA compliance fine. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle potential HIPAA Privacy Rule violations with Memorial Hermann Health System with the payment of a $2.4 million penalty. Memorial Hermann Health System must also adopt a corrective action plan to ensure HIPAA Rules are...
New Mexico HIPAA Violation Lawsuit Heads to NM Supreme Court
A New Mexico HIPAA violation lawsuit filed by the victim of a sexual assault whose identity was improperly disclosed has been referred to the Supreme Court to assess whether the claim has standing. The lawsuit was filed by the plaintiff ‘G.R.’ who suffered a sexual assault and sought treatment for her injuries at Gallup Indian Medical Center (GIMC) where she was employed. G.R. alleges that following treatment, details of the assault...
Motion Filed to Dismiss ‘Baseless’ MDLive HIPAA Lawsuit
A motion has been submitted to dismiss a MDLive HIPAA lawsuit that was filed b y a plaintiff who alleges the firm improperly disclosed protected health information to a third party without informing or obtaining consent from users of the telehealth platform. The MDLive HIPAA lawsuit was filed by plaintiff Joan Richards, who alleges MDLive takes screenshots of data entered on the app on multiple occasions during the first 15 minutes of...
Healthcare Cyber Threat Landscape to be Covered in HIMSS Privacy and Security Forum
Over the next week, the HIMSS Privacy and Security Forum will be held in San Francisco. The two-day conference provides an chance for CISOs, CIOs and other healthcare professionals to obtain valuable guidance from security experts on the most recent cybersecurity threats, along with practical tips on how to limit the chance of damage being inflicted. In excess of 30 speakers will be present at the event and will provide talks on a...
Alleged Patient Privacy Violations Could Lead to Class Action Lawsuit for MDLive
Claims that telemedicine company MDLive violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining official consent from patients have resulted in a class action lawsuit has being filed. App users must enter in a range of private information into the MDLive app; however, the complainant claims that during the first 15 minutes of use, the app takes an average of 60...
CardioNet Settles HIPAA Violations with OCR for $2.5 Million
Pensylvania-based CardioNet has agreed a $2.5 million settlement to resolve potential HIPAA compliance violations. The provider of remote mobile monitoring and quick response services to patients in danger of suffering cardiac arrhythmias. Settlements have previously been agreed with healthcare suppliers, health plans, and business clients of covered organizations, but this is the first-time OCR has settled potential HIPAA breaches...
Risk Analysis and Risk Management Errors Results in $2.5 Million HIPAA Settlement
Risk analysis and risk management errors have resulted in a $2.5 million HIPAA compliance penalty for CardioNet, a provider of remote mobile monitoring and rapid response services to patients at risk of cardiac arrhythmias. The Department of Health and Human Services’ Office for Civil Rights agreed to settle the potential HIPAA violations with no admission of liability. In addition to the substantial HIPAA settlement, CardioNet is...
CCDH Agrees OCR Settlement for Potential Violations
The OCR recently revealed it has agreed to settle potential breaches of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH); a small 7-center pediatric subspecialty practice located in Park Ridge, Illinois. On August 13, 2015, OCR completed a HIPAA compliance review of CCDH following an audit of FileFax Inc., which was contracted by CCDH to store inactive patient histories and...
Supreme Court Ruling: Donor Network Must Disclose Patient Details
A New York Supreme Court Judge has recently ruled that patient details recorded by the New York Organ Donor Network must be handed over to a plaintiff and that HIPAA does not give basis for denying this request. Patrick McMahon believes he was fired from his position of Transplant Coordinator by the New York Organ Donor Network following complaints he filed about organ harvesting from four patients who were still displaying clear...
HIPAA Rules on Business Associate Agreements
This week, the HHS’ Office for Civil Rights (OCR) sent a warning to covered entities about the need to ensure HIPAA compliance rules on business associate agreements are followed. OCR announced a settlement had been reached with an Illinois healthcare provider for disclosing protected health information (PHI) without first obtaining a signed copy of a BAA. What is a Business Associate Agreement? Under HIPAA Rules, a business associate...
$31,000 HIPAA Penalty for a Business Associate Agreement Violation
The Department of Health and Human Services’ Office for Civil Rights has issued a $31,000 HIPAA penalty for a business associate agreement violation to The Center for Children’s Digestive Health (CCDH), a for-profit 7-center Illinois pediatric healthcare provider. OCR discovered potential HIPAA violations during an investigation of the document storage solution provider FileFax. The investigation revealed that FileFax had obtained the...
Denver-Based Metro Community Agrees $400,000 HIPAA Penalty
Metro Community Provider Network (MCPN), a Denver, CO-based federally-qualified health center (FQHC), has agreed to pay OCR $400,000 and implement a stringent corrective action plan to resolve all HIPAA compliance issues found during an OCR investigation into a a data breach that occurred in 2011. The incident that lead to the OCR investigation was a phishing attack that happened on December 5, 2011. A hacker sent phishing emails to...
Are HIPAA Rules Outdated and is an Update Overdue?
Are HIPAA Rules outdated? Is an update long overdue? An article recently published in the journal JAMIA explores potential updates to HIPAA to keep the legislation relevant. The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996 at a time when the Internet was in its infancy. Now, almost two decades later, a lot has changed. The majority of healthcare organizations have now...
Security Management Process HIPAA Violations Resolved with $400,000 OCR Settlement
Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that a $400,000 settlement had been agreed with Metro Community Provider Network (MCPN) to resolve potential security management process HIPAA violations. The Denver, CO-based federally-qualified health center (FQHC) experienced a phishing attack in December 2011 that resulted in unauthorized access to the email accounts of employees. The...
Study Analyses Hospital Data Breach Risk
A recent study published in JAMA Internal Medicine looked at the hospital data breach risk and determined which organizations are most at risk of experiencing data breaches. The researchers discovered that hospital data breach risk is positively linked with the size of the hospital. Larger hospitals are more likely to experience data breaches, as are hospitals with a strong focus on teaching. Smaller hospitals may have smaller budgets...
40% of Second-Hand Devices Found to Contain PII
The danger of failing to ensure mobile devices have all data securely wiped before being recommissioned or resold has been highlighted by a recent study conducted by National Association for Information Destruction (NAID). In the largest study of its type to date, NAID analysed data on more than 250 devices that had been sold on the second-hand market. 40% of those devices were found to contain personally identifiable information. It...
Mecklenburg County HIPAA Violation Prompts Policy Update
A recently discovered Mecklenbury County HIPAA violation has infuriated county officials. An investigation has now been conducted to determine how HIPAA Rules were so easily violated. The incident was discovered on Monday this week. A member of the Mecklenburg County staff received a freedom of information request from the media who were investigating how 185 female patients were not informed about abnormal PAP smear results. While...
Severino Appointed as Director of HHS’ Office for Civil Rights
Former civil rights trial attorney Roger Severino has been appointed, by the Department of Health and Human Services’ Office for Civil Rights, to lead its HIPAA enforcement efforts. Mr Severino moves to the OCR from his role at the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he held the position of Director since May 2015. An official announcement about the...
New Resource Provides HIPAA Help for mHealth Developers
A new online tool has been released by the Connected Health Initiative providing HIPAA help for mHealth developers and healthcare providers. The new tool – called HIPAA Check – has been developed to aid understanding of the complexities of the HIPAA Privacy and Security Rules. Health apps now track a range of user metrics. Data collected by the apps are stored along with personally identifiable information. Much of the information...
ONC Updates SAFER Guides to Assist HIPAA-Covered Entities with EHR Safety and Security
The Office of the National Coordinator for Health IT (ONC) has released updated versions of its SAFER Guides. The series of guides provide useful information to help covered entities make their EHRs more usable and safer and can be used by HIPAA-covered entities to assess potential vulnerabilities in their EHRs. Hackers search for vulnerabilities in EHRs that can be exploited to gain access to data. It is therefore essential that...
Roger Severino to Lead OCR’s HIPAA Enforcement Efforts
The Department of Health and Human Services’ Office for Civil Rights has a new Director to lead its HIPAA enforcement efforts. Late last week, the Trump Administration quietly installed Roger Severino as the new head of OCR filling the position left vacant following the departure of Jocelyn Samuels. No official announcement about the appointment has been made by the Trump Administration, although an OCR spokesperson has confirmed that...
Should There be a Criminal Investigation of a HIPAA Breach Involving an Employee?
A criminal investigation of a HIPAA compliance breach is launched when health data are stolen for malicious purposes, but what about cases involving curious employees? Healthcare data breaches are often discovered during routine audits of ePHI access logs. Healthcare providers discover that rogue employees have accessed patients’ data with no legitimate work reason for doing so. In such cases, the employees are disciplined and often...
Doctor Breached HIPAA Privacy Rule Through Social Media Retaliation
An employee at the Dr. O Medical and Wellness Center in San Antonio, Texas as been sanctioned by the Texas Medical Board after allegedly retaliating against a patient by posting a video on Facebook and YouTube of them wearing only underwear. The doctor’s actions appear to be a clear violation of the HIPAA Privacy Rule. The patient in question, Clara Aragon-Delk, underwent a number of cosmetic surgery procedures beginning in 2015....
Doctor Sanctioned Over Social Media HIPAA Violations
A San Antonio, TX-based doctor has been sanctioned by the Texas Medical Board for social media HIPAA compliance violations after retaliating against a patient by posting a video testimonial of the patient on Facebook and YouTube. The video of the patient in her underwear clearly showed the patient’s face, allowing her to be identified. However, prior permission to use the video had not obtained from the patient. Dr. Tinuade...
Data Breach Notification Laws in New Mexico Passed by Senate Committee
There are currently no data breach notification laws in New Mexico, but that is likely to change soon. New Mexico is one of three states that have yet to implement data breach notification laws, the other two being Arkansas and South Dakota. All three states are now in the advanced stages of introducing laws that will require companies to notify consumers in the event that their personal information is exposed or stolen. Currently...
Device Theft Highlights Importance of Encrypting HIPAA-Covered Data
Encrypting HIPAA-covered data is not mandatory. The Health Insurance Portability and Accountability Act does cover the use of encryption to safeguard the protected health information of patients and health plan members, but encryption is only an addressable issue. However, that does not mean that encryption can simply be ignored. HIPAA-covered entities are required to conduct a risk analysis to identify all potential risks to the...
New Security Framework for Small Healthcare Providers
A security framework for small healthcare providers has been released by the Health Information Trust Alliance (HITRUST). The security framework is a revised version of the HITRUST common security framework (HITRUST CSF) and can be used to create, access, store and exchange healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA). The HITRUST CSF is the most widely adopted security framework for the...
AHIMA Helps Covered Entities Prepare for a HIPAA Compliance Audit
The American Health Information Management Association has released a new toolkit to help covered entities prepare for a HIPAA compliance audit. The Department of Health and Human Services’ Office for Civil Rights commenced the much delayed second phase of the Health Insurance Portability and Accountability Act audit program in the last quarter of 2016. Those audits started with ‘desk audits’ of HIPAA-covered entities. The desk...
AHIMA Releases Updated HIPAA Compliance Audit Toolkit
The second phase of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits has begun. Towards the end of 2017, covered organizations were selected for desk audits and the initial round of audits have now been finished. Now OCR has progressed to auditing business associates of covered organizations. Speaking at HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were...
Importance of Internal Audits of PHI Access Logs Highlighted by Recent HIPAA Breach
The importance of conducting internal audits of PHI access logs has been highlighted by a recent HIPAA breach discovered by Chadron Community Hospital in Nebraska. On January 3, 2017, the hospital discovered a former employee had improperly accessed the protected health information of patients. The investigation into the privacy breach revealed that the former employee had been accessing the PHI of patients without authorization for...
Guidance on Cyber Threats Issued to Healthcare Organizations by OCR
The U.S. Department of Health and Human Services’ Office of Civil Rights has issued new guidance on cyber threats, advising HIPAA-covered entities to obtain the latest intelligence on new cyber threats that could potentially allow cybercriminals to gain access to the protected health information of patients and health plan members. Threat intelligence is issued by many organizations, although OCR recommends in its guidance on cyber...
HIPAA Noncompliance Penalties Likely to Increase
The Department of Health and Human Services’ Office for Civil Rights is expected to issue more HIPAA noncompliance penalties over the coming year. While OCR assists HIPAA-covered entities with their compliance efforts by issuing guidance, 2017 is likely to see OCR crackdown on non-compliance. Organizations found to have violated HIPAA Rules can expect to have to dig deep and pay for their failure to comply with the HIPAA Privacy,...
New Simplified HITRUST CSF for Small Healthcare Providers
This week, HITRUST announced it has created a new, simplified HITRUST CSF for small healthcare providers to help them with their compliance and risk management programs. A New HITRUST CSF for Small Healthcare Providers The HITRUST CSF is a certifiable framework that was developed to help healthcare organizations manage risk and comply with industry regulations such as HIPAA. The framework is flexible and can be tailored to suit...
HIPAA Privacy Rule Compliance: Patient Copies of Health Information
An important element of HIPAA Privacy Rule compliance is ensuring patient copies of health information are provided on request. The Health Insurance Portability and Accountability Act requires HIPAA-covered entities to provide either electronic or paper copies of patient health records to the patient, or their nominated representative, if they are specifically requested. This week, the American Health Information Management...
Deadline for Small Healthcare Data Breach Notification is March 1
The Health Insurance Portability and Accountability Act’s Breach Notification Rule stated that all covered organizations must make violations of unsecured electronic protected health information known to the Department of Health and Human Services’ Office for Civil Rights (OCR). While large scale data violations – those affecting 500 or more individuals – must be reported to OCR within 60 days of the the breach being found, covered...
Texting, Social Media, & Case Walkthrough HIPAA Guidance to be Published in 2017
Recently at HIMSS17, OCR’s Deven McGraw outlined the HIPAA guidance OCR expects to publish in 2017. OCR may be busy reviewing the findings of the HIPAA compliance desk audits of healthcare groups and their business associates, but a flurry of new HIPAA guidance documentation is set to be published this year. In 2016, the Joint Commission cancelled the ban on the use of text messages for making orders, although within weeks of the...