Virginia Governor Glenn Youngkin recently signed S.B. 354, upgrading the Virginia Consumer Protection Act to stop the collection, disclosure, selling, or passing on of reproductive or sexual health data without the consumers’ permission. The change will be effective on July 1, 2025.

The Virginia Consumer Protection Act is a detailed consumer privacy legislation controlling consumer dealings for goods and services offered for personal, household, or family use. The legislation protects the rights of Virginia residents concerning the collection of personal data by businesses. Personal data pertains to any data associated or reasonably linked to a Virginia citizen, not including publicly accessible data, protected health information (PHI) covered by HIPAA, medical records, patient identifying data, and other data associated with other federal laws compliance. The Virginia Consumer Protection Act became effective on January 1, 2023,

With the Virginia Consumer Protection Act, consumers can validate if a controller is handling their personal information; correct errors in their personal information; ask that personal data be removed, get copies of the personal information kept by a controller and choose not to allow the processing of personal information for targeted marketing, selling personal information, and profiling.

With a private right of action as stipulated in the Virginia Consumer Protection Act, consumers can file a claim for $500 cash or actual losses, whichever is higher, including reasonable legal fees and costs. In case of willful violation, damages could triple or increase to $1,000, whichever is higher. The State Attorney General or an attorney for a county or city could investigate the incident and take legal action against organizations violating the Act on behalf of consumers.

“Reproductive or sexual health information” has a broad definition and consists of any “data associated with the past, present, or future of an individual’s reproductive or sexual health” that a consumer transacts under the Act. This doesn’t cover HIPAA-protected data – reproductive or sexual health data kept by a HIPAA-covered entity – or data associated with the therapy of substance use disorder.

The following are covered by the definition of “Reproductive or sexual health information”

• Attempts to research or get reproductive or sexual health data, services, or products
• Use or order of birth control pills, contraceptives, or other drugs associated with reproductive health, such as abortifacients
• Health condition diagnoses, sexually transmitted diseases, maternity, menstruation, ovulation, whether or not an individual is sexually active, or able to conceive, or engages in sex without protection.
• Reproductive or sexual health therapies or surgical procedures, such as pregnancy terminations
• Physical functions, vital signs, physical measurements, or symptoms associated with menstruation or being pregnant, such as cramps, basal temperature, hormone levels, or bodily discharge

Any data included in the list of covered definitions of the types of information that is taken or extrapolated from non-medical-connected data, like proxy, derivative, deduced, arising, or algorithmic information.
The Virginia Consumer Protection Act forbids any vendor from getting, exposing, selling, or distributing” personally identifiable reproductive or sexual health data associated with any “consumer transaction” without consumer permission. Authorization is necessary even when the collection of that information is necessary to deliver goods or services asked for by the consumer.

The Supreme Court has turned down a case concerning the immunity of the Federally Qualified Health Center (FQHC) from liability associated with the exposure of personally identifiable information (PII) of patients due to a data breach. Sandhills Medical Foundation is an FQHC that provides healthcare services to patients in Chesterfield, Lancaster, Kershaw, and Sumter Counties in South Carolina. Netgain Technologies, Sandhills’ vendor, offers electronic storage for its scheduling, payment, and reporting systems. On January 8, 2021, the vendor informed Sandhills about a November 15, 2020 ransomware attack. The ransomware group accessed its systems using compromised credentials and stole sensitive information. The threat group deployed ransomware on December 3, 2020.

Sandhills confirmed that the breach affected the data of 39,602 individuals. Protected Health Information (PHI) was not compromised, but the attackers may have determined diagnoses and medical conditions. The data stolen during the attack included names, birth dates, residential addresses, email addresses, Social Security numbers, and driver’s license numbers. One of the impacted persons, Joann Ford, filed a lawsuit in response to the data breach on behalf of herself and other similarly situated persons. Ford got healthcare services at Sandhills in 2018 but stopped going to Sandhills prior to the November ransomware attack. Her PII was included in the data stolen during the attack. The attacker used her PII later to commit fraud and get a loan.

Sandhills had the lawsuit taken to federal court to determine if it is entitled to federal immunity shielding it from legal responsibility. Ford furnished her information to Sandhills as a condition for getting her treatment. Sandhills exhibited that her PII was stolen because of performing medical, dental, surgical, or similar functions. As per 42 U.S.C. § 233(a), the Federal Tort Claims Act (FTCA) was applied to the case, and so the District Court confirmed that Sandhills was immune and the United States became the substitute defendant in place of Sandhills.

The United States submitted a motion to dismiss the case for insufficient subject matter jurisdiction saying the appellant did not use up all her administrative solutions with the Department of Health and Human Services prior to taking legal action, as mandated by the FTCA. Although the appellant conceded, she held on to the argument that Sandhills wasn’t immune under § 233(a) because her PII was given to the vendor, not concerning a medical, dental, surgical, or similar function.

The District Court approved the motion to dismiss, but Ford appealed the decision. The decision of the United States Court of Appeals for the Fourth Circuit is that § 233(a) is not applicable to the claims, since Sandhills wasn’t doing a similar function at the time the hacker stole the PII of the appellant. The District Court’s judgment was released in March 2024, remanding the case for further proceedings.

The Appellate court stated that if [§ 233(a)] is used on any action taken by a patient to be given healthcare, it would keep Sandhills from any claims in spite of their lacking connection with their treatment. In a scenario where the Appellant supplied her PII and billing details to Sandhills but did not come for her appointment, the Appellant would have sustained the same damage she claims here from the data breach without getting treatment. This week, the Supreme Court posted the legal action as Certiorari Denied, turning down the case.

According to the 2024 Annual Data Breach Report from the Identity Theft Resource Center (ITRC), data compromises decreased by 1% in 2024, that 44 less than 2023’s record-breaking total. Victims of data compromises increased by 312%, from 419 million (2023) to 1,728,519,397 (2024). 80% of data compromises in 2024 were due to cyberattacks. Cyberattacks accounted for 93% of breach notifications. The rest of the breach notifications were due to system and human error, physical attacks, and supply chain attacks.

The huge rise in victim notifications was mostly because of several mega data breaches. 2024 had 6 data breach reports involving over 100 million records. Although the Change Healthcare data breach was the biggest healthcare data breach ever, affecting 190 million healthcare records, it just placed third in 2024 because of two major data breaches. The Advance Auto Parts Inc. breach was the second biggest affecting 380 million consumers but the Ticketmaster Entertainment data breach was the first affecting 560 million individuals. The other three 100 million+ data breaches were the DemandScience by Pure Incubation data breach affecting 121.8 million, the AT&T data breach affecting 110 million, and the MC2 Data data breach affecting 100 million. These six breaches affected roughly 85% of all breach victims in 2024.

2024 was a notably bad year in terms of the number of breached U.S. healthcare records, though the number of healthcare data breach reports dropped by 3.5%. Presently, the OCR breach portal lists 721 data breaches for 2024, and 747 data breaches for 2023. The number of breached records increased because of the Change Healthcare data breach. There were 168 million breached records in 2023 and 247 million breached records in 2024.

ITRC’s statistics for healthcare does not include a lot of data breaches that occur at business associates of healthcare providers, which were under other categorizations. The ITRC information indicates a drop in healthcare data breaches. In 2023, there were 811 compromises with 60 million victims, while in 2024, there were 536 compromises with 47 million victims. In 2023, the healthcare sector had the most number of compromises but became number two in 2024 following financial services. Healthcare was number 10 when it comes to number of breached records. Throughout all industries, ITRC monitored 3,158 compromises in 2024, which include 288 unknown compromises, 2 data leaks, 18 data exposures, and 2,850 data breaches.

Many data breaches could have been avoided by adhering to cybersecurity guidelines just like in the following data breaches in 2024. In the data breaches at Advanced Auto Parts, Ticketmaster, AT&T, and Change Healthcare, hackers used compromised credentials to acquire access to their systems without multifactor authentication. Those 4 data breaches resulted in over 1.24 billion preventable record exposures because of lacking multifactor authentication. ITRC additionally discovered 29 cyberattacks in 2024 that were the consequence of credential stuffing, which were also preventable with multifactor authentication. If approved, the HIPAA Security Rule proposed update will require multifactor authentication in healthcare to secure protected health information.

The trend with breached organizations is not including important details in their data breach notifications. Breach victims are usually provided minimal details concerning the nature of the breach. The ITRC report states that the issue is not limited to healthcare. In 2023, 45% of breach notices lacked actionable details regarding the main reason for the data breach. In 2024, 65% of breach notices was missing actionable details concerning the main cause of the data breach. Without enough information, breach victims cannot precisely determine the level of risk.

The United States has not implemented a government data privacy legislation yet, even if there is bipartisan support for this type of legislation. A complete government data privacy legislation was proposed, yet it did not get approved in 2024. Therefore, individual states need to enforce rules to secure the privacy of state locals and be sure breach notifications are sent after an incident.

It is good that more states are implementing privacy laws. 40% of states currently have detailed data privacy regulations. The following states all have detailed privacy regulations by 2025: Delaware, Iowa, Minnesota, Maryland, Nebraska, New Jersey, New Hampshire, and Tennessee. The following states will likely pass privacy regulations in 2025: Michigan, Ohio, Oklahoma, and Pennsylvania.

The White House has approved the proposed HIPAA Security Rule update by the U.S. Department of Health and Human Services. A Notice of Proposed Rulemaking (NMPR) draft was published and will be included in the Federal Register by January 6, 2025. The HHS wants feedback from HIPAA-covered entities, healthcare sector stakeholders, and the community about the proposed rule. The comment will be accepted 60 days after the NMPR is published in the Federal Register.

This is the first major HIPAA Security Rule change in about ten years after the HHS Healthcare and Public Health Sector Cybersecurity Performance Goals were published in January 2023. The voluntary goals aim to urge healthcare providers to improve cybersecurity. However, the voluntary goals would be insufficient to get the behavioral improvements required throughout the industry to improve cybersecurity.

The objective of the original HIPAA Security Law was to make healthcare providers enforce security guidelines, procedures, and safety measures to protect the integrity, confidentiality, and availability of electronic health data. The Security Rule was created in a way that would stay applicable for years without the need for regular revisions to take into account technological developments. The Security Law was likewise created to be adaptable to make sure it was relevant to companies of various types and sizes. Therefore, the HIPAA Security Law doesn’t indicate the technologies that ought to be utilized to protect ePHI, and most of the implementation requirements in the original Security Rule are addressable instead of required components.

Since the enactment of the HIPAA Security Rule, there have been significant improvements in technology and cybersecurity. Now, it is necessary to enhance cybersecurity because of the substantial rise in cyberattacks in the HPH sector. The proposed HIPAA Security Rule upgrade addresses present and potential cybersecurity threats. Updates to present cybersecurity procedures must reflect developments in technology and cybersecurity, and make sure that physicians, health plans, and other healthcare providers satisfy their responsibilities to secure patients’ protected health information (PHI).

The proposed HIPAA Security Rule update has 393 pages that specify the measures that should be put in place by HIPAA-regulated entities and their business associates to reinforce cybersecurity protection for individuals’ PHI. In the last 5 years, reports of big data breaches involving 500 and up records increased by 102%, and the number of people affected by data breaches increased by 1002%. The increase in data breach victims is because hacking incidents increased by 89% and ransomware attacks increased by 102% since 2019. 2023 had 167 million people impacted by healthcare data breaches, while over 180 million people had been impacted by healthcare data breaches as of 30 November 2024.

The proposed rule tackles areas of HIPAA Security Rule noncompliance and modifications to the environment where medical care is given. The most recent cybersecurity guidelines, recommendations, techniques, and processes enhance protections against internal and external threats, and court judgments that have impacted the observance of the HIPAA Security Law.

Important Requirements of the Proposed HIPAA Security Law Update

The proposed HIPAA Security Law update changes definitions and enforcement requirements to address developments in technology and terminology and minimizes the difference between essential and addressable enforcement requirements. All Security Rule guidelines, procedures, strategies, and analyses should be recorded by HIPAA-covered entities, including the update’s specific compliance schedules for current Security Rule specifications.

The improvement and changes of a technology asset inventory and network map show the flow of ePHI across the covered entity’s electronic data systems continuously every 12 months and when there is a change to the covered entity’s operations or environment that may impact ePHI.

Conducting risk analysis with greater specificity means including an assessment of the technology asset inventory and network map, the recognition of all anticipated risks to the integrity, availability, and confidentiality of ePHI, the recognition of possible vulnerabilities and conditions relevant to the covered entity’s electronic data systems, and an evaluation of the risk level for every known threat and vulnerability, depending on the likelihood that every known threat will take advantage of the vulnerabilities.

HIPAA-covered entities need to undergo yearly audits of HIPAA compliance.

HIPAA-covered entities must prepare backup planning and security incident response that include procedures for re-establishing electronic data systems and data in 72 hours; procedures for employees to report potential or identified security incidents; and procedures for testing and changing incident response plans.

Improved security procedures with restricted exceptions, HIPAA-covered entities need to employ these security procedures:

• ePHI at rest and in transit must be encrypted
• Network segmentation
• Multi-factor authentication
• Vulnerability scanning two times a year
• Penetration tests every year
• Anti-malware protection
• Removal of external software programs from pertinent electronic data systems
• Deactivate network ports according to the covered entity’s risk analysis.
• Individual technical settings for backup and restoration of ePHI and electronic data systems.
• Evaluate and test the efficiency of some security measures every year

Certain covered entities must be notified within 24 hours when an employee’s access to ePHI or electronic data systems is modified or terminated. Covered entities must be notified without undue delay by business associates upon the implementation of contingency plans and not later than one day after the implementation.

Business associates and contractors must present yearly confirmation of their technical safety measures as verified by a subject matter expert in compliance with the Security Rule.

Before President Trump’s inauguration, the proposed Security Rule update will be included in the Federal Register; nevertheless, it is the Trump-Vance administration who will decide to move ahead with the Security Rule update. There is strong support for greater cybersecurity requirements for the healthcare industry though. According to Deputy National Security Advisor for Cyber and Emerging Technologies, Anne Neuberger, the projected cost of implementing the Security Rule update is $9 billion for the first year and $6 billion for the next four years.

OnePoint Patient Care, based in Tempe, AZ, reported a data breach to the HHS’ Office for Civil Rights (OCR) on October 14, 2024, due to hacking that affected the protected health information (PHI) of 795,916 people. The same incident was reported to the Maine Attorney General on November 22, 2024, but the number of affected people was 1,741,152, including 99 Maine residents. OnePoint began mailing notification letters to the impacted persons on November 26, 2024.

No additional information about the data breach was included in the notification letter to the Maine Attorney General. The same information was given as the published post in its October 25, 2024 announcement since no further information regarding the cause of the breach has been discovered. The ransomware-as-a-service group Inc Ransom group, which uses double extortion tactics, stated that it was behind the attack. INC Ransom attacks networks, discovers sensitive information, extracts that information, and proceeds with file encryption. INC Ransom requires the payment of a ransom to release the decryption keys and to stop the exposure of the stolen information.

Though the attackers issued a ransom demand, OnePoint did not pay the ransom to recover files, and so OnePoint Patient Care was put on the group’s data leak website making the stolen information downloadable. The INC Ransom data leak site indicates that the OnePoint Patient Care post had 14,246 views by November 28, 2024. However, the number of times the information was downloaded is unknown.

OnePoint Patient Care mentioned in the notification letters that no actual or attempted data misuse has been identified; however, misuse of the stolen data is very likely. Therefore,  all impacted persons should use the credit monitoring and identity theft services offered and be watchful against data misuse.

The October 25, 2024 post by OnePoint Patient Care mentioned that it detected suspicious activity within its computer system on August 8, 2024. It immediately took action to limit the breach and stop continuing unauthorized systems access.

Third-party cybersecurity specialists investigated the breach and confirmed on August 15, 2024 that the attackers accessed its systems from August 6 to August 8, 2024, and exfiltrated files without authorization. Some files included customer data such as names, medical record numbers, diagnoses, prescription details, and addresses. The Social Security numbers of some customers were also compromised.

The affected people received notification about the potential exposure of their PHI and were told to keep track of their credit reports, statements of account, and benefit statements for fraudulent transactions. Those whose Social Security numbers were compromised received free credit monitoring and identity theft protection services. OnePoint Patient Care expressed its commitment to protecting the privacy and security of personal information and is enforcing safety measures to prevent the same breaches down the road.

The Advanced Research Projects Agency for Health (ARPA-H), a Department of Health and Human Services (HHS) agency, has started a new cybersecurity program that attempts to improve and systemize cybersecurity at U.S. hospitals to continue providing patient care.

ARPA-H’s goal is to facilitate better health results by aiding the creation of high-impact solutions to society’s most difficult health issues like cybersecurity. Healthcare cyberattacks upset critical systems and adversely affect patient care, possibly even contributing to the shutdown of healthcare services. To help deal with the issue, ARPA-H has introduced the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) Program. Over $50 million is invested into developing software programs to help IT groups in hospitals better secure their systems, including protected health information, against cyberattacks.

Hospitals have many internet-connected devices that must be kept completely patched and updated. Updating software programs to resolve vulnerabilities requires disconnecting devices online, which is usually troublesome. Therefore, whenever patches are made available to correct known vulnerabilities, patch applications may take months. Actively supported internet-connected devices stay vulnerable for over a year and older hospital devices stay vulnerable for much longer. The UPGRADE Program seeks to improve and make cybersecurity automatic by creating software programs that can be utilized to check for vulnerabilities in hospital environments that hackers can exploit, and immediately create and release mitigations to avoid vulnerability exploitation; nevertheless, modeling hospitals is a problem because every hospital carries a unique number and variety of devices.

It is difficult to address all the problems of the software systems employed in a particular healthcare center, and this restriction allows hospitals and clinics to be exposed to ransomware attacks, stated UPGRADE Program Manager Andrew Carney. The UPGRADE program seeks to minimize the effort required to safeguard hospital equipment and ensure that devices are secure and working allowing healthcare providers to concentrate on patient care.

For the UPGRADE program to succeed, ARPA-H will need the expertise of the IT team, cybersecurity specialists, healthcare companies, medical device suppliers and vendors, and others to create a customized, scalable software collection for enhancing cyber resilience. The software program will study types of digital hospital conditions to determine software vulnerabilities. Upon identification of vulnerabilities, the program will automatically get or create a patch, which will be tried in the model setting so that it can be used with little disruption to hospital devices. The goal is to lessen the period that devices are vulnerable from a few months to a few days.

With the UPGRADE program, ARPA-H is in search of recommendations from expert teams on four technical zones: the development of a vulnerability mitigation software system, the creation of high-precision hospital equipment, the techniques for auto-discovery of vulnerabilities, and the auto-creation of custom protection. ARPA-H expects several awards with its upcoming solicitation.

According to HHS Deputy Secretary Andrea Palm, this UPGRADE program is another example of HHS’ continuing dedication to enhancing cyber resiliency throughout the health care system. ARPA-H’s UPGRADE can help improve HHS’ Healthcare Sector Cybersecurity Strategy ensuring that all hospital devices, big or small, can work safely and adjust to the changing environment.

Federal Judge Dismisses CommonSpirit Health Data Breach Lawsuit Due to Insufficient Standing

A federal court judge decided to dismiss a class action lawsuit filed against CommonSpririt Health concerning its 2022 data breach due to the failure of the plaintiff to show that they suffered harm from the data breach.

CommonSpirit Health experienced a ransomware attack on October 2, 2022, that affected over 100 CommonSpirit Health services throughout the United States. A threat actor acquired access to its systems on September 16, 2022, and got access to those systems until October 3, 2022. Based on the forensic investigation and document assessment, the protected health information (PHI) of about 623,000 patients were exposed. The breached data contained full names, addresses, healthcare organizations, patient’s facility/account numbers, medical record numbers, dates of medical services, treatment/medicine details, and other health insurance data.

CommonSpririt Health faced multiple class action lawsuits associated with the cyberattack and data breach that had the same claims. The lawsuits purport that CommonSpirit Health was negligent because of the inability to apply sensible and appropriate safeguards to protect the privacy of the protected health information it held and delayed sending breach notifications, which were not sent until April 5, 2023.

One of those lawsuits, Bonnie Maser v. CommonSpirit Health, alleged that the plaintiff suffered injuries because of the breach, including over $3,000 in bank account fraud that resulted in the closure of her account. Because of the fraud, the plaintiff could not pay for her rent, gave up her housing, her credit score slipped 60 points, and she reported to continue to suffer harm, which include panic attacks due to the anxiety of the data breach. Maser’s lawsuit claimed negligence, unjust enrichment, breach of implied contract, and breach of the implied covenant of good faith and fair dealing.

CommonSpirit Health contended that the plaintiff was unable to assert a concrete or imminent hurt to support Article III standing, failed to adequately claim the minimum amount in controversy under the Class Action Fairness Act, and did not state a claim upon which aid could be given. U.S. Magistrate Judge Suan Prose advised the dismissal of the lawsuit as a result of insufficient Article III standing, since the plaintiff was unsuccessful to demonstrate that the fraudulent costs were reasonably traceable to the data breach.

This is CommonSpirit Health’s second lawsuit to be tossed as a result of little standing. Two lawsuits against CommonSpirit Health, one by Leeroy Perkins and another by Jose Antonio Koch individually and on behalf of his two minor children, were filed in Illinois and consolidated into one lawsuit. District Court Judge Harry D. Leineweber dismissed the lawsuit because of a lack of standing.

BioPlus Specialty Pharmacy Services Proposes to Settle a Data Breach Lawsuit

BioPlus Specialty Pharmacy Services has proposed to resolve a class action lawsuit that was filed because of a data breach in 2021 that compromised the information of around 350,000 patients. Hackers obtained access to the BioPlus network for over 2 weeks between October and November 2021, and possibly stole names, contact details, dates of birth, Social Security numbers, health insurance data, and prescription data. The Florida specialty pharmacy group informed the impacted persons within one month and provided them with complimentary credit monitoring services.

The lawsuit alleged that BioPlus should have avoided the breach and may have done so if acceptable cybersecurity procedures were put in place and industry-standard security guidelines were adopted. BioPlus did not accept the allegations; nevertheless, a settlement was offered to end the legal action. BioPlus refused any liability or wrongdoing associated with the cyberattack and data breach.

The stipulations of the proposed settlement allow class members to file claims of approximately $7,550 and will be repaid for out-of-pocket costs incurred due to the data breach. The maximum claims allowed will depend on whether Social Security numbers were exposed. If they were, class members are permitted to get a cash payment of $50 and can claim as much as $7,500 for recorded expenditures sustained because of the data breach, including 3 hours of lost time valued at $25 per hour, and any unreimbursed expenses to identity theft and scam.

Class members who didn’t have their Social Security numbers breached cannot claim a cash payment and claims will be limited to a maximum of $750, which includes 2 hours of lost time worth $25 an hour. Any individual who wishes to object to or be ruled out from the settlement must do so by June 18, 2024, and all claims should be sent in by the same date. The court gave the settlement preliminary approval. The schedule of the final settlement hearing is on August 22, 2024. Morgan & Morgan and Markovits, Stock, & DeMarco LLC attorneys represent the plaintiff and class.

Rebound Orthopedics & Neurosurgery Cyberattack

Rebound Orthopedics & Neurosurgery located in Vancouver, WA recently reported that it encountered a cyberattack on February 2, 2024. It detected the attack on February 3 because its computer systems, which include its patient and scheduling sites, were disconnected from the web, and the outage continued for over 2 weeks. Computer forensics experts investigated the incident and reported that an unidentified and unauthorized person accessed its system and viewed or stole files that were kept on its systems. A comprehensive analysis was performed on those files which affirmed that they included patient data though no proof shows the misuse of any data in those files.

It is uncertain at this time what data was affected since that data wasn’t provided in the sample notification sent to the Montana Attorney General. The incident is not yet posted on the HHS’ Office for Civil Rights portal, thus the number of individuals affected is uncertain. Rebound Orthopedics & Neurosurgery stated that extra security measures were applied to avoid the same incidents later on and free credit monitoring services were provided to the impacted persons for two years.

BlueCross BlueShield of Tennessee Cyberattack

BlueCross BlueShield of Tennessee, Inc. (BCBST) and Volunteer State Health Plan, Inc., also known as BlueCare Plus Tennessee, sent notification letters to approximately 2,000 persons regarding two security incidents that compromised their sensitive data.

BCBST stated it detected suspicious access attempts to its member website on or about December 19, 2023. The attempts involved logging in utilizing a combination of usernames and passwords that were from an unidentified source. The investigation found no evidence that suggests a breach of the BCBST network. It would seem that this incident was a credential stuffing attack, which is a type of attack that uses username/password combinations taken from a third-party breach by a threat actor to try to access other platform accounts.

The member website was promptly deactivated while investigating the unauthorized activity. BCBST enhanced its password security and engaged third-party forensics professionals to help with the investigation. From January 18 to January 24, 2024, BCBST discovered that a similar incident happened on August 7, 2023. The information possibly accessed during these two incidents contained names, birth dates, addresses, names of providers, subscriber IDs, group numbers and names, plan data, medical data, claims details, and user IDs and passwords. Less than 1% of the impacted people had compromised financial data. The breached data only contained IDs and passwords for those whose plan coverage concluded over two years ago.

BCBST is using new access requirements and has informed the impacted persons and provided them with identity monitoring services for free. They were likewise asked to alter their web account passwords when they log in and utilize a password that wasn’t used anywhere else. Two different reports of data breaches were submitted to the HHS’ Office for Civil Rights that impacted 1,251 and 790 persons.

Orsini Pharmaceutical Services Hacking

Orsini Pharmaceutical Services based in Illinois has recently uncovered that there was unauthorized access to the email account of an employee. The breach was discovered on January 10, 2024, and the investigation revealed that a single email account was exposed from January 8 to January 10, 2024. The email account was analyzed to determine the types of information that were exposed, which revealed that the protected health information (PHI) of 1,433 individuals was held in the account, including names, dates of birth, addresses, health insurance data, medical record numbers, diagnoses, and/or prescription details.

Orsini Pharmaceutical Services did not get any evidence that suggests that the attack was intended to acquire patient data, yet the possibility could not be eliminated. Extra safeguards and technical security procedures were put in place to secure and keep track of its systems. The affected people have been informed and offered free membership to a credit monitoring service for 12 months.

R1 RCM Data Breach Affects 16,000 Individuals

R1 RCM Inc., a revenue cycle management services provider to hospitals, announced a PHI breach involving 16,121 patients. Based on a breach notification submitted to the Massachusetts Attorney General, R1 discovered on November 23, 2023 that an unauthorized third party acquired PHI related to St. Rose Dominican Hospital de Lima of Dignity Health. However, the breach did not affect the hospital’s system.

R1 conducted a review to find out the types of data that were stolen. On January 11, R1 determined that the breached data contained names, contact details, birth dates, service location, clinical and/or diagnosis data, medical record and/or patient account numbers, and Social Security numbers. R1 has advised the impacted persons directly and has provided them with free credit monitoring and identity theft protection services for 2 years.

Philips Respironics Breach Impacts 1,125 Individuals

Philips Respironics recently submitted a breach report to the HHS’ Office for Civil Rights that affected the PHI of 1,125 persons. Although the breach was reported to OCR, the exploitation of a zero-day vulnerability in the MOVEit Transfer solution of Progress Software happened on May 31, 2023. Philips Respironics uncovered the data breach on June 5, 2023.

Forward Healthcare LLC and Rotech Healthcare, clients of Philips Respironics, had been impacted by the breach. Forward Healthcare mentioned it received notification from Philips Respironics on December 20, 2023 about the unauthorized access to the Care Orchestrator and Encore Anywhere software programs through the MOVEit vulnerability. Personal and medical data were likely exposed affecting 3,999 Forward Healthcare patients. Rotech Healthcare stated it became aware of the incident on December 26, 2024, and got a listing of the impacted individuals. The exposed data included names, contact details, birth dates, medical data associated with the therapy provided, and medical insurance data. It is presently uncertain how many Rotech patients were impacted.

Up to 100,000 Individuals Affected by Egyptian Health Department Cyberattack

Egyptian Health Department (EHD) located in Eldorado, IL, recently announced a data breach that affected around 100,000 patients. EHD encountered a cyberattack on December 21, 2023, and although the forensic investigation is not yet finished, evidence shows that an unauthorized individual accessed folders on its network. Those folders contained files with patients’ protected health information (PHI) and worker data.

The compromised patient information included names, birth dates, medical data, and health insurance claims data. The breached employee information included names, driver’s license numbers/ other government-issued IDs, Social Security numbers, financial account information, and/or insurance details. EHD is still looking into the incident to find out the possibly impacted workers and patients and will mail notifications when that process is completed.

EHD implemented several steps to enhance security, which include creating new domain controllers, transferring the SMB network shares of the domain controllers to a dedicated virtual machine, limiting Sharepoint Server to internal access only, performing permission audits on shared folders, equipment installed with Sentinel One and Huntress, and using password protection on spreadsheets that have PHI.

Email Account Breach at McKenzie County Healthcare System

McKenzie County Healthcare System based in North Dakota has determined unauthorized access to the email account of an employee. The breach was discovered on or around October 5, 2023, and the forensic investigation revealed that an unauthorized person viewed a single email account between October 2 and October 5, 2023.

An evaluation was done of all emails and file attachments in the account. It revealed that the PHI of 21,000 individuals was exposed. The breached data included names, addresses, medical details, and medical insurance data. No proof was discovered that suggests the misuse of any of that information.

MOVEit Hack Impacts Forward Healthcare’s Business Associate

Forward Healthcare has stated that the PHI of 3,999 patients was exposed in a cyberattack on Philips Respironics, its business associate. On December 20, 2023, Philips Respironics informed Forward Healthcare that information was breached in a May 31, 2023, cyberattack that permitted access to its Care Orchestrator and Encore Anywhere applications, exploitation of a zero-day vulnerability in the MOVEit Transfer solution. The information likely stolen in the attack contained names, personal data, and medical data.

Email Account Exposed at Maryville Addiction Treatment Centers

Maryville Addiction Treatment Centers located in New Jersey have started announcing to 155,03 individuals concerning a breach of an employee email account. The security breach was noticed on or approximately August 22, 2023, and the forensic investigation confirmed the unauthorized access to the email account from August 21, 2023 to August 22, 2023.

The evaluation of the account affirmed the exposure of the following data: full names, medical treatment details, health insurance data, Social Security numbers, dates of birth, financial account details, and government identification. Maryville stated there are no clues that any compromised data was misused.

Cencora Announces Cyberattack with Data Exfiltration

The Fortune 500 pharmaceutical company, Cencora, mentioned in a filing with the Securities and Exchange Commission (SEC) that it had encountered an intrusion and data was stolen from its system. Cencora stated the attack did not have a material impact on its operations, however, it is quite early to tell if the incident will have any material effect on its financial situation.

Cencora mentioned it identified unauthorized activity inside its systems, took quick action to control the threat, and submitted an incident report to HIPAA law enforcement. Third-party cybersecurity specialists were called in to help in the investigation. Data extraction was established on February 21, 2024, nevertheless, there is still no announcement regarding the nature of the breached records.

California Department of State Hospitals Notifies Patients Regarding the SSN Breach

The State of California Department of State Hospitals Atascadero (DSH-A) has commenced advising selected patients concerning a security incident identified on February 15, 2024, that resulted in the exposure of Leave and Activity Balance (LAB) reports. The reports were given to DSH-A staff for timesheet approval and included confidential data like names and Social Security numbers. DSH has begun an investigation to determine if the reports were incorrectly accessed and plans to provide complimentary identity theft protection services to the affected persons. At this stage, it is uncertain how many people have been impacted.

Russian National Sanctioned for Medibank Ransomware Attack

A Russian national who took part in a ransomware attack on Medibank, an Australian medical insurance company, in 2022 was sanctioned by the U.S., U.K., and Australian governments.

Alexander Ermakov (also known as blade_runner, GustaveDore, JimJones, or GistaveDore), 33 years old, is identified as a member of the already-disbanded ransomware group REvil. This well-known cybercriminal group ceased operations and disappeared in July 2021. Before that, this ransomware-as-a-service group encrypted roughly 175,000 computers and got around $200 million in ransom payments.

In October 2022, REvil acquired access to the network of Medibank and stole the information of around 9.7 million customers after which utilized ransomware for file encryption. The stolen information contained names, Medicare numbers, birth dates, and highly sensitive medical data such as sexual health, mental health, and drug use information.

Russian national Ermakov is not likely to face trial before a court for the Revil attacks because there’s no extradition treaty with the United States, the United Kingdom, or Australia. Ermakov is also not likely to go to any nation where he is at risk of arrest. The U.S. Department of the Treasury criticized Russia for letting ransomware groups to operate inside its borders and openly execute attacks all over the world, and for letting ransomware attacks create and co-opt criminal hackers. The Treasury has required Russia to do something to stop cyber criminals from conducting operations within its area.

The sanctions signify that it is a criminal offense to give assets to Ermakov or to utilize or manage any of his assets, which includes paying ransom via cryptocurrency wallets. Australia first sanctioned Ermakov, then the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and lastly the UK government. OFAC stated Ermakov’s property including interests that are within the U.S. or in the custody or management of U.S. individuals should be blocked and reported to OFAC. Entities that are at least 50% owned directly or indirectly by Ermakov are likewise blocked. Anyone breaching the sanctions can be punished by as much as 10 years’ imprisonment.

Under Secretary of the Treasury, Brian E. Nelson stated that Russian cyber actors still launch disruptive ransomware attacks against the U.S. and allied nations, focusing on companies, including critical infrastructure, to steal sensitive information. The trilateral attack on Australia, the U.S. and the U.K. is a first of such synchronized action, highlighting the need to make these criminals accountable.

Missing Fred Hutchinson Cancer Center Laptop with PHI

Fred Hutchinson Cancer Center has informed 544 patients about the potential exposure of some of their sensitive information. A provider advised Fred Hutch on October 27, 2023 about the loss of their laptop computer while traveling. The laptop was utilized to gain access to Microsoft Outlook software where patient data is stored. The provider stated the laptop has password protection and was already set up to start a remote deletion of the hard drive when it connects online. Fred Hutchinson did a review to determine what types of information were accessed from the laptop and confirmed the exposure of names, addresses, telephone numbers, birth dates, dates of service, medical record numbers, patient account numbers, and some clinical data. The Social Security numbers of a few patients were also exposed.

The cancer center sent notification letters on December 26, 2023, and offered free credit monitoring services to those whose Social Security numbers were exposed. Fred Hutch has given employees supplemental education about protecting mobile devices. This is Fred Hutchinson Cancer Center’s second data breach report in the last couple of weeks. A lot more serious breach happened from November 19 to November 25, 2023, when a cybercriminal group hacked its system and stole patient information. Fred Hutch hasn’t confirmed yet the number of patients that were impacted though the hackers professed to have accessed the information of about 800,000 patients. Because the center did not pay the ransom, the threat actors began contacting the patients directly.

Approximately 569,000 Patients Affected by the Plaza Radiology Data Breach

Plaza Radiology, which is also known as Chattanooga Imaging in several areas in North Georgia and Tennessee, has encountered a cyberattack resulting in a data breach that has impacted around 569,000 patients.

Plaza Radiology discovered the attack on October 21, 2023, but didn’t say any information about the nature of the cyberattack, except for saying that the preliminary outcomes of the forensic investigation established the unauthorized access to a few files on its system that comprised patient data.

The results of the forensic investigation are still under review and, at this time, there were no reports received of actual or attempted patient data misuse. Plaza Radiology submitted the data breach report to the HHS’ Office for Civil Rights on December 20, 2023, and stated it’s going to be sending breach notification letters after identifying those affected by the breach and the types of information exposed.

Plaza Radiology’s legal counsel stated that several steps were undertaken to improve cybersecurity and stop identical breaches later on. Those measures include modifying passwords on accounts, activating multi-factor authentication, changing the desktop computers and network servers, and training employees on enhanced security awareness.

Plaza Radiology will offer free credit monitoring and identity theft protection services to those who had their sensitive data exposed in the attack and urges all patients to be on the alert against identity theft and fraudulent activity involving their information.

Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit

Novant Health decided to resolve a class action lawsuit associated with its usage of tracking pixels on its patient website. The pixel code on the patient website gathered the personally identifiable information of website users to enhance access to care using virtual visits and to give more access to deal with the restrictions of in-person care. The problem is the transfer of the collected data to third-party tech firms that were not permitted to access the information.

The first report of a pixel-associated HIPAA violation to the HHS Office for Civil Rights (OCR) is by the North Carolina Health System. In 2022, Novant Health stated the PHI of about 1,362,296 persons was shared with third parties, including Meta (Facebook) from May 1, 2020 to Aug. 12, 2022. The HIPAA breach report was submitted a few months before OCR published guidance about HIPAA and the use of tracking pixels and before it was confirmed that the use of pixel codes disclosed PHI to third parties.

Novant Health, including many health systems, put the pixel code on its patient website. Based on a study, 99% of U.S. hospitals put pixels or other tracking codes on their web pages, applications, or patient websites that collected visitor information and transmitted that information to third parties.

The Novant Health lawsuit was filed on behalf of 10 patients of Novant Health and individuals with similar situations who utilized the patient portal when the Meta Pixel code was installed. Allegedly, the health system committed an invasion of privacy, breach of contract, and violation of the HIPAA. Novant Health did not admit any wrongdoing and just decided to resolve the lawsuit to end the litigation and avoid the uncertainty of trial and legal expenses.

Novant Health values the privacy of patients’ personal data and is transparent in giving information to patients. The proposed settlement does not mean an admission of wrongdoing, as the court has cleared Novant Health of any wrongdoing.

As per the conditions of the settlement, class members or those who accessed the MyChart portal from May 1, 2020 to Aug. 12, 2022, are qualified to file claims. There is a $6.6 million settlement fund created by Novant Health. Claims are going to be paid pro rata after paying legal expenses, and attorneys’ fees. Another healthcare provider sued for using pixels or other tracking tools is Advocate Aurora Health, which paid $12.225 million to settle the lawsuit.

ReproSource Fertility Diagnostics Class Action Data Settled for $1.25 Million

ReproSource Fertility Diagnostics has offered a settlement to take care of litigation arising from a 2021 ransomware attack that likely led to the stealing of the sensitive health information of approximately 350,000 patients. The fertility testing laboratory based in Marlborough, MA under the ownership of Quest Diagnostics had its system breached on August 8, 2021. The ransomware attack was discovered on August 10. The forensic investigation revealed that the attackers could access the sections of the system containing files with sensitive health data.

The breached data included names, telephone numbers, addresses, email addresses, birth dates, billing, and health data like test requisitions and results, medical history data and/or test reports, CPT codes, diagnosis codes, medical insurance or group plan ID names and numbers, and other data given by patients or by treating doctors, and for some individuals, financial account numbers, Social Security numbers, passport numbers, driver’s license numbers, and/or credit card data.

Though there is no proof of data extraction found, data theft cannot be excluded. ReproSource informed around 350,000 persons on October 21, 2023, and was immediately sued. Two class action lawsuits were combined into one lawsuit because they have the same allegations about the negligence of ReproSource in failing to employ reasonable and proper cybersecurity procedures to stop unauthorized access to patient information. The lawsuits claimed violations of consumer protection legislation in Massachusetts, the Health Insurance Portability and Accountability Act (HIPAA), and the data breach notification law.

ReproSource decided to negotiate the litigation without admitting wrongdoing. Based on the conditions of the settlement, class members could file claims for as much as $3,000 to pay for up to 8 hours of lost time, out-of-pocket, unreimbursed costs that can be traced to the data breach, credit monitoring services for three years, and an identity theft insurance policy worth $1 million. Alternatively, class members could file a cash payment claim of $50. There is $1.25 million in funding set aside to pay for claims, which are paid pro rata of the total claims. Class members who lived in California during the breach are eligible to receive an extra $50 payment.

The combined lawsuit likewise wanted injunctive relief, including major upgrades to data security to avoid the same ransomware attacks and data breaches later on. The settlement additionally requires ReproSource to improve its data security program including its monitoring and detection applications. A Massachusetts judge is set to give final approval to the settlement.

New York AG Resolves HIPAA Case with Home Health Company Resolved for $350,000

New York Attorney General Letitia James reported a settlement it had with Personal Touch Holding Corp. about a ransomware attack and data breach in January 2021 wherein the personal data and protected health information (PHI) of 753,107 people were stolen, which include the PPH of 316,845 New York locals.

Personal Touch Holding Corp (PTHC) is a corporation in Delaware that mainly operates business in Lake Success, NY. PTHC offers its subsidiaries administrative services, like human resources as well as other back-office solutions. On January 20, 2021, a PTHC worker got a phishing email that included a malicious Microsoft Excel file. Upon opening that file, the malware allowed the threat actor to get access to the laptop computer and account of the employee. The threat actor acquired the credentials of the domain administrator and breached 5 accounts. The threat actor extracted 4,383 files, and then used ransomware to encrypt 35 PTHC servers. PTHC found out about the attack on January 27, 2023, and sent breach notifications to the impacted people on March 24, 2023.

AG James started an investigation into the ransomware attack to find out whether proper data security procedures were implemented and whether PTHC complied with state legislation and the Health Insurance Portability and Accountability Act (HIPAA). It was confirmed by the investigation that PTHC had employed a managed service provider (MSP) in 2016 to give private cloud and system management solutions, and with the guidance of PTHC, managed the requirements of technical security. The MSP additionally offered PTHC advice and tips about data security.

During the attack, PTHC set up two antivirus solutions: Symantec Endpoint Protection and Microsoft Windows Defender. Although these solutions discovered a number of the tools and the threat actor’s activities and stopped some of them, there was no main record of the activities meaning the malicious activities were not visible apart from the local files. The threat actor extracted information from a PTHC file share server that included data from all ranges of business, such as files that included the personal data and ePHI of present and past patients and present and previous workers of PTHC and its subsidiaries. The information on that device was not encrypted.

In the year that led to the ransomware attack, PTHC’s MSP discovered a number of data security problems and advised security steps to deal with these, which include an endpoint detection and response (EDR) program, a security information and event management (SIEM) tool, and IT governance enhancements, along with risk analysis, scanning vulnerability, and a learning management system for training users.

A risk analysis was carried out in March 2020 that discovered insufficient constant monitoring, control gaps with its MSP, an insufficient business continuity and disaster recovery plan, inadequate observance of data retention policies, not having multifactor authentication for email and remote and EMR access, and insufficient IT vendor management procedures.

AG James found out that PTHC just had an informal data security program, there were inadequate access controls, no constant monitoring system, and insufficient employee training. AG James discovered that 16 provisions of the HIPAA Privacy Rule and Security Rule and the New York General Business Law were violated. PTHC was penalized $350,000 and PTHC had to make a number of improvements to its data security program to better safeguard worker and patient information.

At the time of the investigation, AG James found out PTHC was informed of a third-party breach that impacted its workers’ personal data, which included Social Security numbers. PTHC had given the information to its insurance agent, who shared that data with Falcon Technologies, Inc., an enrollment software seller. Falcon was found to have kept the information on an unsecured site. PTHC didn’t sign any contracts with its insurance agent regarding data security requirements that applied to personal data not regulated by HIPAA. AG James resolved this separate case with Falcon, requiring a $100,000 penalty payment and making security enhancements, such as using encryption and appropriate access controls.

New York AG Resolves Data Breach Investigation of U.S. Radiology Specialists

New York Attorney General, Letitia James, reported that U.S. Radiology Specialists Inc. paid a $450,000 penalty to settle allegations that it did not protect patients’ personal and health data. U.S. Radiology Specialists is one of the country’s biggest private radiology groups and service providers for medical facilities all through the U.S. It likewise works with other radiology groups, such as the Windsong Radiology Group that manages 6 medical facilities in Western New York. Windsong, just like other partner organizations, depends on U.S. Radiology Specialists for many services, such as network management and security. The Office of the Attorney General of the State of New York investigated U.S. Radiology Specialists because of a big data breach in 2021 to find out if it was the result of a failure to adhere to the Health Insurance Portability and Accountability Act (HIPAA) and state legislation.

U.S. Radiology Specialists secured its partner networks using a SonicWall firewall. SonicWall notified its clients on January 22, 2021 about a synchronized cyberattack on its internal networks. Threat actors were believed to have taken advantage of a zero-day vulnerability identified in SonicWall products that are employed for remote access. On January 31, 2021, NCC Group researchers discovered the vulnerability and SonicWall released a patch after three days.

U.S. Radiology Specialists employed SonicWall components that are nearing end-of-life and, consequently, SonicWall didn’t offer a patch that can be used on its hardware. The hardware must be improved before the patch can be used to correct the vulnerability. Though the vulnerability was used in attacks on SonicWall clients, U.S. Radiology Specialists slated the hardware update for July 2021, and postponed the hardware replacement project because of contending priorities and resource limitations.

On December 8, 2021, an unauthorized person acquired access to US Radiology’s SonicWall gadget using legit credentials, used the VPN, and then used 101 more credentials to get into different system data folders the next week. Whilst the breach investigation did not determine how the theft of credentials occurred, the SQL injection vulnerability discovered by NCC Group and patched by SonicWall might have been taken advantage of to acquire the required credentials to get into the SonicWall VPN.

The third-party attack investigation was complex and needed considerable analysis and was completed in August 2022. The investigation proved that the threat actor acquired access to the PHI of 198,260 individuals, which include 92,540 patients of Windsong, residents of New York, and it was affirmed that sensitive information was extracted by the attackers. The exposed PHI contained names, birth dates, patient IDs, provider names, dates of service, types of radiology examinations, diagnoses, and medical insurance ID numbers, and the private data of 82,478 New York residents, including names, passport numbers, driver’s license numbers, and Social Security numbers.

The New York Attorney General’s Office confirmed that U.S. Radiology Specialists did not use reasonable and proper data security procedures to safeguard patient data when it did not deal with a known vulnerability in an acceptable time frame. The investigation was resolved without admitting liability and U.S. Radiology Specialists consented to pay $450,000 as a financial penalty, upgrade its IT structure, ensure the security of its networks, revise its data security guidelines, and use and keep an information security program.

The New York Attorney General has enforced financial penalties on several companies in the last couple of months for data security problems. Personal Touch lately resolved supposed HIPAA and state legislation violations for $350,000, the New York Attorney General took part in a multi-state investigation of Blackbaud and got a part of the $49.5 million settlement, and PracticeFirst Medical Management Solutions resolved the investigation with the New York AG by paying a $550,000 fine.

The HHS’ Office for Civil Rights has released new guidance for medical care companies to enable them to teach patients about privacy and security issues when utilizing remote communication systems for telehealth consultations and advice for patients on protecting and securing their health data.

At the time of the pandemic, healthcare companies massively extended their telehealth services to provide patients with medical services while minimizing the chance of getting COVID-19. OCR released a Notice of Enforcement Discretion to cover healthcare providers offering telehealth services in good faith during the pandemic by employing non-public-facing communication systems that aren’t totally HIPAA compliant, for example, platforms where providers wouldn’t sign business associate agreements. Currently, the end of the COVID-19 public health emergency has been proclaimed. Hence, OCR’s telehealth Notice of Enforcement Discretion has also expired. Nevertheless, OCR still allows telehealth services, which have become popular among healthcare providers and patients.

Privacy and Security Risks with Telehealth Services

Healthcare companies need to make sure that the communication systems they employ for delivering telehealth services are HIPAA compliant. Even though ‘HIPAA-compliant’ systems are employed for telehealth, there are privacy and security problems that need to be dealt with and minimized to a low and appropriate level. In the summer of 2022, before telehealth flexibilities ended, OCR released guidance for healthcare companies about HIPAA and audio-only telehealth services.

Although HIPAA doesn’t require healthcare companies to teach patients about the privacy and security problems linked to telehealth, a Government Accountability Office (GAO) analyzed the Medicare telehealth services provided throughout the COVID-19 pandemic. In its report “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks,” GAO suggested that OCR publish guidance to help healthcare companies talk with patients about the privacy and security issues linked to telehealth services.

In the review, GAO learned about many complaints that were made concerning the use of non-compliant systems at the time of the pandemic, over 3 dozen complained about the presence of third parties in the course of the consultation, and there were cases where companies disclosed PHI without acquiring patient permission. GAO figured additional training is necessary to help companies make clear to patients the privacy and security risks connected with telehealth to ensure that those issues are completely understood. OCR agreed with the suggestion and decided to release new guidance.

OCR Publishes New Telehealth Privacy and Security Resources

OCR published two guidance resources on October 18, 2023. The first resource is created to help healthcare providers instruct patients regarding the privacy and security issues linked to remote communication systems, and the second resource is for patients and gives advice on privacy and security if availing telehealth services.

The provider resource called Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth, provides recommendations for healthcare companies to enable them to speak about the telehealth solutions provided, the potential threats to protected health information (PHI) related to remote communications systems, the privacy and security tactics of vendors telehealth communication resources, and the use of civil rights regulations.

The patient resource called Telehealth Privacy and Security Tips for Patients, provides tips for patients on how to protect their PHI, including the benefits of doing telehealth consultations in private settings, enabling multi-factor authentication, utilizing encryption, and not using public Wi-Fi connections.

Telehealth is a great tool that could give patients access to medical care and enhance health care results. Healthcare companies can improve telehealth services by telling patients about privacy and security issues and the effective cybersecurity tactics that patients can adopt to keep their health data private.

OCR Video Shows How to Enhance Cybersecurity Protection By HIPAA Security Rule Compliance

The HHS’ Office for Civil Rights has published a video during this National Cybersecurity Awareness Month that talks about how HIPAA Security Rule compliance can aid HIPAA-covered entities in protecting against cyberattacks. In the video, Senior Advisor for Cybersecurity for the Health Information Privacy, Data, and Cybersecurity Division of the HHS’ Office for Civil Rights, Nick Heesters, covers cyberattack trends in the real world that OCR identified from the breach reports.

Healthcare data breaches increased since the enactment of the HIPAA Breach Notification Rule. In 2010, OCR got 199 reports of healthcare data breaches involving 500 and up breached records. Over 700 data breach reports were submitted in 2021 and 2022. It seems 2023 will become the third year that will have over 700 data breach reports.

From January to September 30, 2023, 77% of the big data breaches are due to hacking and other IT incidents. In comparison to 2009, only 49% of the breaches are due to hacking and IT incidents. There are also over 79 million breached healthcare records until September 30 this year. Hacking-related data breaches increased by 239% since 2018 and ransomware incidents increased by 278% over the same period.

OCR investigates all data breaches involving 500 and up healthcare records to find out the HIPAA compliance problems that triggered or led to breaches. According to Heesters, a few of the prevalent HIPAA compliance problems and security flaws that were taken advantage of by malicious actors to acquire access to internal systems, centering on the most typical attack vectors like phishing, unpatched vulnerabilities, and compromised accounts.

Heesters points out how particular terms of the HIPAA Security Rule can support HIPAA-covered entities in protecting against cyberattacks, identifying ongoing attacks, and mitigating the most typical types of cyberattack, for instance, security awareness and training, access control, authentication, and risk management/risk analysis.

The video is available on the YouTube Channel of OCR in the English and Spanish languages.

OSHA is important because of its role in driving the execution and reinforcement of security and health standards, resulting in a significant decline in workplace fatalities, accidents, and health problems. Furthermore, OSHA’s Outreach Training initiatives have efficiently heightened awareness concerning workplace threats, their identification, and the precautionary measures required to mitigate them.

• Established under the OSH Act, OSHA came into existence in 1971 with the aim of addressing the rising occurrences of workplace injuries, illnesses, and fatalities.
• Since the formation of the Administration, OSHA has reached notable achievement, reportedly decreasing workplace injuries and health issues by 40% and fatalities by 60%. OSHA’s primary objective is to minimize human and economic costs linked to avoidable workplace injuries and health problems.
• OSHA’s preliminary standards were taken from established security guidelines used by organizations including the National Fire Protection Administration.
• Compliance with OSHA requirements was at first voluntary however these were later modified to penalize recurrent offenders and organizations known to put workers in danger.
• OSHA offers training, education, and support to employers, ensuring security and health-associated activities among employees.
• Within the healthcare sector, OSHA’s standards are important in safeguarding workers from potential risks such as exposure to infectious illnesses, injuries resulting from patient handling, and incidents of violence in the workplace.
• States are allowed to implement their own OSHA programs as long as the safety and health standards meet or exceed federal standards.
• States have the liberty to implement their OSHA programs, provided they meet or surpass the safety and health standards of the federal government.
• OSHA standards are applicable to all employers in the private sector and federal government organizations, besides those subject to regulation by other government agencies, for example, the Department of Energy.
• OSHA has the authority to issue financial penalties for violations of any standard, irrespective of whether it results in an injury, sickness, or death. This underscores the importance of keeping OSHA compliance requirements.

A Quick Guide to OSHA

President Nixon signed the Occupational Safety and Health Act (OSH Act) in December 1970. OSHA’s primary objective is to curtail the human and economic toll stemming from avoidable mishaps and ailments in the workplace. OSHA’s preliminary standards were drawn from established safety guidelines originally issued by agencies such as the National Fire Protection Administration. Later, these standards were adapted to address well-documented causes of health concerns, for instance, the risks linked to exposure to asbestos.

Initially, adherence to OSHA standards was a voluntary endeavor, with inspections reserved for instances of serious accidents and recognized threats. Nevertheless, the enforcement approach gradually transformed to focus on repeat violators and enterprises that deliberately exposed their employees to risks. OSHA’s role extends beyond establishing standards; it also includes offering training, outreach, schooling, and support to companies, all while motivating workers to engage in safety and health-associated projects.

The standards set up by OSHA are applicable to all employers in the private sector and all federal government institutions, except in cases where workplace security is controlled by another federal agency like the Department of Energy. Employees working for state and local government agencies may not always be subject to federal OSHA regulations. However, in states with an approved OSHA program meeting or surpassing federal safety and health standards, these employees may benefit from the protection of OSHA programs.

Why the Healthcare Sector Needs OSHA

In the healthcare industry, OSHA’s standards include most injury and sickness cases – from protected walking areas to radiation exposure. A lot of OSHA safety and health regulations align with those released by state and federal government bodies such as the Department of Health and Human Services, making it simpler for healthcare companies to concurrently adhere to OSHA and CMS specifications in terms of subjects like emergency readiness organizing and protecting employees against violence in the workplace.

Nevertheless, there are likewise certain areas of OSHA that could make compliance with OSHA difficult for healthcare companies. For instance, OSHA is only applicable to workers, while a lot of healthcare safety and health guidelines are applicable to all workforce members (which include volunteers). Certainly, healthcare companies striving for Joint Commission accreditation not just have to create health and security guidelines for all members of the labor force but also for patients and visitors.

Hence, while it isn’t impossible for healthcare companies to balance several compliance specifications, it’s rather a challenge. Healthcare companies having difficulty overcoming ought to get expert advice from a compliance expert having OSHA knowledge, the CMS specifications for Medicare companies, the Joint Commission accreditation specifications, and state regulations wherever appropriate that preempt government laws.

Pension Benefit Information Reports Theft of PHI of 371,359 Persons in MOVEit Transfer Hack

Pension Benefit Information, LLC, also known as PBI Research Services (PBI), has lately reported the theft of the protected health information (PHI) of 371,359 persons by the Clop ransomware hackers during an attack exploiting a zero-day vulnerability identified in the MOVEit Transfer file transfer program on or about May 31, 2023.

PBI discovered the breach on June 2, 2023, and immediately applied the patch to correct the vulnerability. The forensic investigation showed that Clop hackers accessed one of PBI’s MOVEit Transfer servers from May 29 to May 30, 2023. The stolen files stolen contained names, incomplete mailing addresses, birth dates, and Social Security numbers. PBI stated it doesn’t know of any attempted or actual misuse of the stolen data; nevertheless, as a safety measure, impacted persons received two years of free credit monitoring and identity theft protection services. PBI began sending notifications to the impacted persons on June 4, 2023.

LockBit Ransomware Attack on Panorama Eyecare

Panorama Eyecare was added to the LockBit ransomware group data leak website. The ransomware group claims to have extracted 798 GB of data from the physician management organization based in Colorado. The stolen information includes data from Panama Eyecare’s clients Denver Eye Surgeons, Eye Center of Northern Colorado, 2020 Vision Center, and Cheyenne Eye Clinic & Surgery Center. There was no acknowledgment yet from Panorama Eyecare about the data breach and it is presently uncertain how much patient data was affected.

8Base Ransomware Group Leaks Kansas Medical Center Data

A physician-owned hospital known as Kansas Medical Center located in Andover, KS, was recently included in the 8Base ransomware group’s data leak site. The threat group states the attack happened on June 18, 203, and stole sensitive patient and worker information including names, registration details, addresses, and other data. Kansas Medical Center has made no public announcement about the attack and the number of affected patients is uncertain.

PHI of 168,000 Patients Exposed in Henry Ford Health Phishing Attack

Henry Ford Health based in Detroit, MI recently informed 168,000 patients about an unauthorized person gaining access to worker email accounts that held some of their PHI. A representative of Henry Ford Health stated the unauthorized access happened on March 30, 2023, due to employees responding to phishing emails. The company discovered the attack quickly and secured the accounts; nevertheless, access to patient information was probable. An evaluation of the email accounts showed on May 16, 2023, that they included these patient data: name, birth date, gender, age, phone number, internal tracking number/medical record number, laboratory results, procedure type, date(s) of service, and diagnosis. Henry Ford Health is employing extra security measures to secure against other email account breaches and supplemental training is given to employees.

2022 Malware Incident at IMX Medical Management Services

The medical consulting firm, IMX Medical Management Services based in Malvern, PA, recently announced that malware was discovered on a laptop that possibly permitted unauthorized persons to access the PHI of 7,594 persons. Based on the notification letters, the company detected the malware on September 1, 2022. The forensic investigation showed that the malware was present since June 2022. More malware indicators were likewise discovered on its system in October 2022.

IMX stated the malware was taken away and no more indicators of malware were found since October 2022. The late issuance of notifications was because of the substantial and complex evaluation of the impacted data. IMX stated the malware allowed access to email messages however attachments were not extracted. The exposed data contained names or other personal identifiers together with driver’s license numbers as well as other identification cards. Affected individuals received offers of identity theft protection services.

Storage Unit Bought at Auction Included Boxes of Patient Files

A storage unit that was just bought at an auction was found to contain over 200 boxes of patient documents. The unit was auctioned when no more rental payments were made. The buyer placed a blind bid for the unit and found the boxes of patient documents after buying the unit. The data was associated with patients of East Houston Medicine and Pediatric Center who got treatment from 2009 to 2019. The records contained data like names, driver’s license photos, Social Security numbers, medical backgrounds, and insurance details. The buyer is presently trying to request the healthcare provider to collect the files.

PHI Compromised in Mismailing Incident by Charles George VA Medical Center

Charles George VA Medical Center based in Asheville, NC, reported the exposure of the personal data of 1,541 veterans because of an email mismailing incident. The data compromise was discovered on May 12, 2023, and prompt action was taken to erase the emails that were not opened; nevertheless, the messages had been seen by three veterans. The emails have an attachment that included minimal PHI. Impacted persons were offered free identity theft protection and credit monitoring services.

Hackers Exfiltrated the Information of 1.2 Million Tampa General Hospital Patients

Tampa General Hospital recently reported that hackers acquired access to its system and stole data that include the PHI of around 1.2 million patients. The hospital detected a security breach on May 31, 2023 upon noticing suspicious activity within its system. The impacted systems were quickly taken off the internet to avoid continuing unauthorized access. A third-party digital forensics company investigated the occurrence to find out the nature and extent of the attack.

Based on the investigation, unauthorized persons got access to its system for three weeks from May 12 to May 30, 2023, at that time they extracted files that contain patient data. The data breached in the incident differed from one person to another and might have contained names, telephone numbers, addresses, birth dates, Social Security numbers, patient account numbers, health record numbers, dates of service, medical insurance data, and limited treatment details. Tampa General Hospital stated that the hackers failed to access its electronic medical record system.

Tampa General Hospital mentioned that this attack was an attempted ransomware attack. Although data theft happened, its security systems stopped the encryption of files. More technical security procedures are now put in place to stiffen its systems and stop more data breaches. Network monitoring was also improved to make sure that any potential security breaches are discovered quickly.

The hospital mailed notification letters to impacted persons as soon as contact details were confirmed. Tampa General Hospital stated that impacted persons will be provided free credit monitoring and identity theft protection services.

Data Breach at Claims Processor Affects Idaho Medicaid Recipients

The Idaho Department of Health and Welfare reported the potential access or theft of the personal data of 2,501 Medicaid recipients in a data breach that occurred at Gainwell Technologies, its claims processor. An unauthorized person acquired credentials that permitted access to the Gainwell website and to information including names, billing codes, ID numbers, and treatment data.

The breach was uncovered on May 12, 2023, and after an investigation and evaluation, impacted persons were informed on June 9, 2023. The affected persons received credit monitoring and identity theft protection services.

Utah Department of Health and Human Services Informs 5,800 Health Plan Members About Mailing Error

The Utah Department of Health and Human Services (DHHS) has reported the impermissible disclosure of the protected health information (PHI) of 5,800 Medicaid recipients because of a mailing error. The error resulted in the accidental grouping of the benefit letters together and sent to the wrong persons. Upon discovery of the error on May 8, 2023, the mailing process was stopped to avoid continuing impermissible disclosures.

The benefit letters contained Medicaid benefit details, however, just about 200 of the 5,800 persons impacted had either their Social Security number or Medicare health insurance claim number (HICN) exposed. Those people received free credit monitoring services. The DHHS stated that together with its business associate, Client Network Services (CNSI), they are making sure the error is fixed and system screening and quality standards are improved.

Data Breach Impacts 33,800 Patients at Atlanta Women’s Health Group

Atlanta Women’s Health Group, P.C. lately announced the exposure and potential theft of the PHI of around 33,839 present and past patients as a result of a cyberattack in April 2023. The health group detected a security breach on April 12, 2023, and engaged third-party cybersecurity specialists to find out the nature and extent of the breach. The investigation affirmed that patient data had been accessed, however, the breach report didn’t say if that data was extracted from its systems. As per the Atlanta Women’s Health Group, during the issuance of the notification letters, there was no proof found that suggests the misuse of patient information.

For most patients, the data compromised in the attack only included names, dates of birth, patient ID numbers, and other data that could have been a part of medical files. Third-party cybersecurity specialists helped to apply extra cybersecurity procedures to stop more data breaches. Impacted patients are being urged to keep track of their credit statements, health account reports, and explanation of benefit forms for dubious transactions.

16,000 Blue Cross Vermont Members Impacted by January Cyberattack

Around 16,000 members of Blue Cross Vermont health plans had their PHI exposed in a January 2023 cyberattack. Attackers accessed its systems by exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer solution and stole sensitive information including names, dates of birth, addresses, medical data, and insurance details. About 5% of the impacted persons likewise had their financial data stolen.

Around 13,700 of the impacted persons were Vermont Blue Advantage Health Insurance Plans members, about 2,250 persons were Vermont Blue Advantage Plans members, and the rest of the impacted persons were members of other insurance programs. NationsBenefits, the business associate that used the GoAnywhere MFT solution, sent the notification letters to impacted persons. NationsBenefits has provided 24 months of free credit monitoring services to affected individuals.

12,317 New Horizons Medical Patients Affected by Data Breach

New Horizons Medical, Inc. based in Massachusetts, a psychiatry, mental health, and substance use treatment services provider, has lately submitted a data breach report to the Maine Attorney General indicating that up to 12,317 patients were affected. The provider detected unauthorized network access on April 19, 2023, and launched a third-party forensic investigation to find out the nature and extent of the breach of patient information. The investigation showed that unauthorized persons accessed its network from February 12, 2023 to April 23, 2023 and potentially viewed or exfiltrated patient data.

The review of the impacted files showed they included names together with at least one of these types of data: address, birth date, Social Security number, financial account data, driver’s license number, medical insurance plan member ID, medical records number, claims information, diagnosis, and prescription details. New Horizons Medical sent notification letters to impacted persons on June 16, 2023 and offered free credit monitoring and identity protection services to qualified persons. The provider likewise confirmed that extra security and technical measures were implemented to further secure and keep track of its data systems.

CareNet Medical Group Announces Data Security Incident

CareNet Medical Group located in New York has begun informing 3,359 patients about the theft of some of their PHI in a security breach. The breach notice doesn’t mention when the security incident was discovered but the investigation showed on April 26, 2023, that an unauthorized person accessed its network from May 9, 2022 to June 4, 2022. At this time period, the hacker copied files from its network.

The breached data included complete names, addresses, bank account numbers/routing numbers, driver’s license numbers, birth dates, Medicare numbers, medical reference numbers, mobile phone numbers, residence telephone numbers, medical insurance details, Social Security numbers, and email addresses. CareNet sent notification letters to impacted persons on June 2, 2023, and offered free credit monitoring services to those who had their Social Security numbers exposed. The medical provider did not explain why it took about 11 months to know which patient data were compromised.

Vincera Institute Encounters Ransomware Attack

Vincera Institute based in Philadelphia, PA has reported that it encountered a ransomware attack last April 29, 2023. It took quick action to protect its systems to avoid further unauthorized network access and patient data compromise. Cybersecurity experts were called in to look into the incident. Vincera Institute stated in its June 20, 2023 press release that the data breach investigation is in progress, however, it has been confirmed that the attackers got access to sections of its network that held patient data; nevertheless, there is no unauthorized access to patient data or misuse discovered.

The files possibly accessed in the attack included complete names, telephone numbers, addresses, email addresses, birth dates, Social Security numbers, medical backgrounds and treatment data, insurance details, and other data given by patients. Security measures were improved as prompted by the incident, and tracking procedures were enhanced.

The four breach reports submitted to the HHS’ Office for Civil Rights last June 20, 2023 covered Vincera Imaging LLC with 5,000 affected individuals, Vincera Surgery Center with 5,000 affected individuals, Vincera Rehab LLC with 5,000 affected individuals, and Core Performance Physicians, also known as Vincera Core Physicians with 10,000 affected individuals.

 

Hacking incidents in healthcare organizations are escalating. New regulatory and compliance requirements are implemented as a result of the Dobbs and Pixel use. Lawsuits filed against healthcare companies are rising because of privacy violations. The data security strategies and compliance programs of HIPAA-covered entities and other healthcare companies are currently under increased scrutiny, and in the next 12 months there will probably be more enforcement actions and legal cases associated with privacy violations.

The lately publicized BakerHostetler Data Security Incident Response Report (DSIR) discusses these problems and gives information regarding the threat landscape to enable companies to know how to prioritize what they do and invest. This 9th-year report looked at 1,160 security incidents handled by BakerHostetler’s Digital Assets and Data Management Practice Group in 2022.

Following a spike in ransomware attacks in 2021, attacks in 2022 declined. However, ransomware activity increased at the end of 2022 and that spike has carried on in 2023. That spike happened together with more ransom demands, paid ransoms, and ransomware recovery times. In 2022, 6 out of the 8 industries tracked have increased average ransom demand and payment. In healthcare, the average ransom demand in 2022 was $3,257,688, and the average payment grew by 78% to $1,562,141. Over all industries, paid ransoms grew by 15% to $600,688.

There is also an increase in network intrusions. About 50% of all data incidents reviewed in the report involved network intrusions. BakerHostetler remarks that companies are becoming better at identifying and controlling these incidents, with dwell time going down from about 66 days (2021) to 39 days (2022). The time used for controlling dropped from 4 days to 3 days, and investigation time dropped from 41 days (2021) to 36 days (2022).

The upsurge in hacking and ransomware attacks has prompted organizations to spend more money in cybersecurity. Although security protection was improved, cybercriminals have discovered how to avoid those defenses and attack systems. Strategies such as social engineering, MFA bombing, EDR-evading malware, and SEO poisoning have proven successful in 2022.

The cost of cyberattacks grew considerably in 2022. The cost of forensic investigation increased by 20% from 2021 aside from the increased costs of business disruption, data assessments, notification, and indemnity claims. Legal costs associated with data breaches also grew considerably since multiple lawsuits are commonly filed following data breaches.

Data breaches involving 10,001 to 500,000 records have had 12-13 lawsuits filed on average. Even for small data breaches involving below 1,000 records have had 4 lawsuits filed on average. As per BakerHostetler, the number of lawsuits doubled since 2021 and it is now common to see legal action taken following a data breach. Lawsuits for violations of state privacy rules increased as 4 more states passed new privacy laws in 2022. There is one more new privacy law to be introduced in 2023.

In 2022, a Markup/STAT report explained the use of pixels (tracking technologies) on hospital web pages. These snippets of code are usually added to websites to monitor the activity of site visitors to enhance websites and services, however, the code additionally sends identifiable visitor data to third parties. The extent of using these tools without the website visitors’ knowledge got the attention of the HHS’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), The two agencies issued guidance on using these tools. OCR and the FTC have stated that Pixel-linked violations of HIPAA and the FTC Act are currently an enforcement top priority. The FTC already took action against entities regarding the use of these monitoring tools. Law companies are quick to file suits against healthcare organizations following these privacy breaches. Over 50 lawsuits were filed against healthcare companies because of Pixel-related breaches from June 2022.

Another study involving the use of Pixels by healthcare companies indicates that about 99% of US non-federal acute care hospital websites use pixels and could send out sensitive information. However, only a few healthcare companies have reported Pixel-linked data breaches to OCR to date. HIPAA enforcement actions by OCR may likely increase and many lawsuits will be filed as a result of these breaches over the next months.

HIPAA-regulated entities and non-HIPAA-regulated entities involved in healthcare will additionally likely face enforcement actions for reproductive health information privacy violations since the FTC and OCR have made reproductive health information privacy an enforcement priority. OCR is still active in its HIPAA Right of Access enforcement initiative, and compliance is still a priority.

BakerHostetler has additionally released an alert concerning HIPAA compliance for non-healthcare organizations, emphasizing that HIPAA is applicable to company-sponsored health plans. Data breaches at employer health plans increased in 2022 and will likely be under greater regulatory scrutiny, not only by OCR but by the Department of Labor as well. State attorneys general have also increased investigations into violations involving HIPAA and state laws in 2022.

BakerHostetler likewise saw a big increase in snooping cases in 2022. These cases involve healthcare workers snooping on healthcare files and trying to reroute controlled substances. The increase shows how crucial it is to make and keep track of logs of system activity to identify malicious insider activity immediately. BakerHostetler remarks that having systems for monitoring system activity anomalies is crucial to quickly discover hacking and ransomware cases.

Protecting an organization is a major challenge. With all the risks involved, spending more money doesn’t necessarily mean more efficient security, stated BakerHostetler’s National Digital Risk Advisory and Cybersecurity team co-leader Craig Hoffman. There are many things to consider including what permitted the security incidents to happen and what was done to deal with the issue. Considering that organizations have limited budgets and employees to implement and manage new solutions, sharing objective information about security incidents, from causes to solutions to effects, can help clients to know which undertakings to prioritize.

Washington is about to enact new legislation that will substantially increase privacy protections for consumer health information in the state and will resolve the existing gap in privacy protections for health information that the Health Insurance Portability and Accountability Act (HIPAA) do not cover.

Representative Vandana Slatter (D-WA) proposed the My Health My Data Act (HB1155). The Act has already passed through the House as well as the Senate with a 27-21 vote. The bill is now back in the House so the Senate amendments can be reviewed. If the bill passes a second vote, it will most likely be signed into law by Washington Governor Jay Inslee.

The My Health, My Data Act seeks to protect the freedom and self-respect of persons whenever they make medical decisions. It avoids vulnerabilities in this technological age that targets and exploits consumers who are not aware of the huge volume of information that are collected.

Data Protected by the Washington My Health My Data Act

The My Health My Data Act is applicable to health information gathered by non-HIPAA-covered entities, such as mobile and web publishers. The extensive definition of health data employed in this Act includes diagnoses, medical conditions, treatment data, and biometric details, together with other information that will allow the identification of a state resident’s past, present or upcoming physical or mental health.

Health data is defined as any information that relates to the following:

• Patient’s medical condition, treatment, health status, diagnoses or diseases
• social, behavioral, psychological, and medical interventions
• health-associated operations or procedures
• usage or purchase of medicines
• physical functions, vital signs, and symptoms
• diagnoses or diagnostic tests, treatment or medicines
• data on gender-affirming care
• sexual or reproductive health data
• biometric data
• genetic data
• exact location details that can reasonably show a consumer’s effort to get or receive medical services or goods
• data that is taken or extrapolated from non-medical information

The bill protects location information, when that information is used for making inferences associated with health. Many companies collect location data, even if the data is not used in relation to health. Location data can provide details about when a person has gone to a hospital, pharmacy, reproductive health clinic, or other medical facility. It is required for any company that gathers location data for targeted marketing purposes to follow the My Health My Data Act requirements. The My Health My Data Act is applicable to any entity that conducts business in Washington and collects health data, irrespective of revenue or size.

How Consumer Consent Help Protect Health Data

If approved, state locals can exercise more control over the collection and use of their health data. Before any company could use health data, it must get a person’s consent through an opt-in procedure. There will be restrictions on the use of health data according to the specifics of the consent.

When getting consent, it must be clearly explained to the consumer what they are agreeing to, and consent should be acquired voluntarily. The same consent requirements apply to the sharing of health data and when the collecting company plans to sell the information to a third party, it must get written authorization from the consumer. The entity must state the reason for selling the data when getting consent and the details of the entity or entities buying the data. It must provide the contact information of those entities to the consumer. Consumers can withdraw their authorization, halt any processing of their information, and have that information deleted. Entities should also give a clear privacy policy to consumers and follow a methodology for processing consumer information requests, which include requests for data access, withdrawal of permission, and data deletion.

Legal Action on My Health My Data Act Violations

Before the approval of privacy legislation, usually, businesses are being protected from consumers who take legal action over privacy violations. There are no such restrictions in the My Health My Data Act. Consumers are allowed to take legal action against violators of the My Health My Data Act. As long as a Washington resident could show proof of harm due to a violation of the My Health My Data Act, taking legal action to get damages is allowed under the general consumer protection regulations in the state.

Changes to the American Data Privacy and Protection Act

Last March, the U.S. House of Representatives’ Committee on Energy and Commerce conducted its third meeting before releasing a new version of the American Data Privacy and Protection Act (ADPPA). ADPPA is about to become the first, all-inclusive federal privacy law in the United States.

Greater privacy protection is needed for people in the U.S. Big tech companies collect big volumes of sensitive information and there is little control over the collection, use, and sharing of consumer data. There is increasing concern about the collected data on minors and their usage, the serving of targeted ads to teens and children depending on the personal data gathered by tech companies, and the sheer volume of data that is being accumulated on all U.S. citizens.

Presently, privacy policies are enforced at the state level and could vary from state to state. ADPPA wants to address this by putting limitations on the collection and usage of consumer information at the federal level and changing the present patchwork of state privacy legislation. The Committee on Energy and Commerce approved ADPPA on July 20, 2022, with a 53-2 vote. However, the bill was not approved by the House or Senate floors in the most recent Congress. There is strong support for the bill, but not strong enough in its present form to be signed into law.

Last March 1, 2023, the Committee hearing began discussing about federal privacy legislation again. Subcommittee Chair Gus Bilirakis (R-FL) and Ranking Member Jan Schakowsky (D-IL) stated there is a great need to pass this federal privacy. There was an agreement among subcommittee members on the need for federal privacy legislation and the answer could well be the ADPPA. However, views differ on what should be included in the privacy legislation. Substantial changes are necessary before signing ADPPA into law.

The Committee conducted one more hearing on March 23, 2023 that looked at immensely popular applications and how Congress could protect American data, deal with data-sharing issues, and keep children safe online. TikTok CEO, Shou Zi Chew, spoke in front of the Committee for hours but seemed unable to convince the Committee that TikTok was a  safe platform and that it was not gathering information and sharing that data with the Chinese government. The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act was proposed in March 2023 particularly to deal with this threat. It would authorize the government to prohibit IT products like TikTok should they pose a risk to national security. Although the Biden Administration supports the RESTRICT Act, it does not tackle domestic data privacy concerns and the present digital system where only a few rules apply to the collection, use, and sharing of consumer data.

A new ADPPA draft is expected soon, as Chair Cathy McMorris Rodgers (R-WA) of the Committee on Energy and Commerce reportedly penned the last few significant changes to the bill. One of the main points is the preemption of state legislation, which backers say is important for small companies that are disproportionately loaded by the present patchwork of state legislation. Nevertheless, progressive states with stricter privacy policies like California would likely have weakened consumer privacy policies because of ADPPA. Since the privacy law sets protections in stone, improving protections, later on, would be difficult once ADPPA is approved. Nancy Pelosi, (D-CA) stated that she would not support ADPPA as it is today for this reason.

It’s still uncertain whether the new version of ADPPA will be signed into law, but the changes are necessary to get ADPPA through Congress and the Senate.

The Secretary of the Department of Health and Human Services (HHS) made an announcement that the COVID-19 Public Health Emergency that will expire on May 11, 2023 will not be renewed. According to the HHS’ Office for Civil Rights (OCR), the issued Notifications of Enforcement Discretion as a response to the COVID-19 Public Health Emergency are due to expire on May 11, 2023.

The OCR issued four Notifications of Enforcement Discretion in 2020 and 2021 as a response to the COVID-19 Public Health Emergency and to support the healthcare industry during the pandemic. With the Notices of Enforcement Discretion, financial penalties are not imposed by OCR when certain provisions of the HIPAA Security, Privacy and Breach Notification Rules are violated. The leniency allowed by OCR is applicable to the following:

• Community-based COVID-19 testing areas
• uses and disclosures of protected health information (PHI) by business associates for public health monitoring activities
• the usage of online or web-based booking apps for getting   appointments for COVID-19 vaccinations
• usage of telehealth services that would not normally be HIPAA-compliant.

OCR stated before that enough time will be given to healthcare companies to  comply with the HIPAA Rules with respect to telehealth. When the notice of enforcement discretion expires on May 11, 2023, there will be a 3-month or 90-day transition period, during which time  HIPAA-covered entities will not be issued financial penalties for non-compliance with the HIPAA Rules associated with the provision of telehealth services. The transition period is from May 12, 2023 to August 9, 2023.

The transition period given to healthcare companies is to allow them to apply necessary changes to their operations to make their telehealth service private,  secure, and compliant with HIPAA regulations.

From the time the telehealth Notice of Enforcement Discretion became effective, healthcare companies could utilize any non-public-facing remote communication platform for video and audio communication to offer telehealth services, even when those platforms aren’t HIPAA compliant.  For example, when a healthcare provider uses a communication platform without signing a business associate agreement (BAA) with the owner of the communication platform, the latter will not be issued a financial penalty.

Since the Notice of Enforcement Discretion will be expiring soon, healthcare companies should now sign a HIPAA-compliant BAA with the owner of the communication platform if they want to continue using the service after August 9, 2023. Healthcare providers must do what is necessary to get a BAA or shift to a HIPAA-compliant communications platform immediately to avoid interruption to their telehealth services and to avert the risk of financial penalties for non-compliance.

Read the OCR announcement here.

Microsoft, Fortra, and Health-ISAC Join Forces to Disrupt Malicious Use of Cobalt Strike

The Health Information Sharing and Analysis Center (Health-ISAC), Microsoft’s Digital Crimes Unit, and the cybersecurity company Fortra are working together to stop malicious actors from illegally using Cobalt Strike, the legit red team post-exploitation tool, for sending ransomware and malware.

Cobalt Strike consists of tools utilized for adversary simulation that may be employed for duplicating the tactics and techniques of advanced threat actors in a system and copying silent, long-term threat actors with continuing access to systems. The tool was used first in 2012 and it quickly became a  widely used tool by penetration testers. Cobalt Strike has become more sophisticated and has improved functionality. It has become part of the cybersecurity portfolio of Fortra.

Although the tool helps in red team operations, there are cracked copies of the tool circulating within the cybercriminal community. More cybercriminals are using the tool for malicious purposes. Several ransomware groups use Cobalt Strike including Lockbit and Conti. According to Microsoft reports, Cobalt Strike was used in over 68 ransomware attacks on healthcare companies located in over 19 countries.

Cobalt Strike attacks resulted in:

• blocked access to electronic health records
• critical patient care services disruption
• Delays to diagnosis and treatment
• Million-dollar cost to healthcare companies for recovery and repair

Cobalt strike was likewise employed in the damaging attack on the Health Service Executive in Ireland and the recent ransomware attack on the Costa Rica Government.

To avoid the illegal usage of Cobalt Strike, Fortra applied strict vetting processes for new clients. Still, malicious actors use older, cracked versions of Cobalt Strike to get backdoor access to systems for installing malware and hastening the use of ransomware. Microsoft states the malicious actors using the tool aren’t identified, however, malicious infrastructure employed by those malicious actors was discovered in China, Russia, and the U.S. Besides the financially driven cybercriminals misusing the tool, there are advanced persistent threat actors from China, Russia, Iran, and Vietnam that utilized cracked versions of Cobalt Strike.

Together, Microsoft, Health-ISAC and Fortra have increased their efforts to stop the use of cracked, legacy copies of Cobalt Strike and misuse Microsoft programs. Microsoft is trying to fight cybercrime by altering the malware families’ command-and-control infrastructure and removing illegal, older copies of Cobalt Strike to stop malicious actors from further usage.

The U.S. District Court for the Eastern District of New York released a court order on March 31, 2023 permitting Microsoft, Health-ISAC and Fortra to mess up the infrastructure utilized by criminals to launch attacks in over 19 countries. Associated Internet Service Providers (ISPs) will get notifications regarding the malicious use of the tool.   Computer emergency readiness teams (CERTs) will help take down the infrastructure from the web and disrupt cracked legacy Cobalt Strike copies and breached Microsoft software programs. Fortra, Microsoft, and Health-ISAC will additionally be joining forces with the National Cyber Investigative Joint Task Force (NCIJTF), the FBI Cyber Division, and Europol’s European Cybercrime Centre (EC3) to stop Cobalt Strike misuse.

Hindering the use of cracked legacy  Cobalt Strike versions will substantially stop these illegal copies and limit their use in cyberattacks, compelling criminals to re-assess and alter their tactics. Microsoft and Fortra also filed Copyright claims against misuse of altered software code for intended harm.

Two reports published by the Department of Health and Human Services’ Office for Civil Rights (OCR) had been submitted to Congress. The reports offer information about data breaches, the status of HIPAA Privacy and Security Regulation compliance, and HIPAA enforcement activity for 2021.

As per OCR, in 2021, OCR got 609 reports of big data breaches involving 500 or more persons and those data breach incidents impacted 37,182,558 persons. OCR likewise got 63,571 data breach reports involving less than 500 persons, which are not reported to the public. These smaller breaches affected 319,215 persons. So, there were a total 64,180 data breaches in 2021 impacting 37,501,772 persons.

The number of data breaches reported to OCR using the OCR HIPAA Breach Web Site is just 714 data breaches for 2021. This number is very different from the abovementioned data breach statistics. That is because eventhough OCR investigates all reported breaches, it only reported to Congress the data breaches that happened in 2021 and went on into 2021. There were 105 data breaches reported to OCR in 2021 that happened and ended in 2021.

All data breaches involving at least 500 records are investigated by OCR. HIPAA compliance audits are done on all of the breaches to find out if there was noncompliance with the HIPAA Rules that resulted in the breach. In 2021, OCR started investigating all 609 data breaches and the 22 data breaches affecting less than 500 persons. OCR marked 554 data breach investigations as completed in 2021 because the investigations were closed without additional action since OCR did not find any HIPAA violations, or if there were HIPAA violations found, they were settled by means of voluntary compliance, technical support, or corrective action plans and resolution agreements.

The tweaked information indicate there was a 7% yearly decrease in data breaches involving at least 500 records in 2021 when compared with 2020, and a 4% decrease in smaller data breaches. In contrast, large data breaches increased by 61% in 2020 while small data breachesa increased by 6%. From 2017 to 2021, there was a 5.4% increase in small data breaches and 58.2% increase in large data breaches.

In 2021, 75% of big data breaches were due to hacking/IT incidents with 95% of the impacted persons had their breached data mostly saved on network servers. 19% of breaches and 4% of affected persons were due to unauthorized access/disclosure cases, 3% of breaches were due to theft (with less than 1% of impacted persons), 1% were due to loss of PHI (with less than 1% of impacted persons), and 1% were due to improper disposal of PHI (with 1% of impacted persons). Unauthorized access/disclosure cases caused almost all small breaches and those breaches usually concern paper documents.

Healthcare providers submitted 72% (437) of the data breach reports in 2021 with 24,389,630 impacted persons. Health plans submitted 15% (93) of the breach reports with 3,236,443 impacted persons. Business associates submitted 13% (977) of the breach reports with 9,554,023 impacted persons. Healthcare clearinghouses submitted less than 1% (2) of the breach reports impacting 2,462 persons.

Biggest Data Breaches in 2021 Per Breach Category

Hacking/IT Incident (Hacked Network Server) – 3,253,822 individuals affected
Unauthorized Access/Disclosure (Software Misconfiguration Exposed ePHI) – 326,417 individuals affected
Improper Disposal (of hard drives with ePHI) – 122,340 individuals affected
Theft (of laptops and paper documents in burglary) – 21,601 individuals affected
Loss of PHI (missing medical records) – 14,532 individuals affected

Lessons Realized from 2022 Data Breaches

According to OCR reports, its investigations found that the most prevalent vulnerabilities were noncompliance with the HIPAA Security Rule standards and enforcement requirements. Regulated entities need to reinforce their compliance with the HIPAA Rules, particularly, the Security Rule requirements. OCR’s 2021 breach investigations identified the implementation guidelines of risk management, risk analysis, information system activity assessment, audit management, and access control as requiring improvements.

The most typical remedial steps to breaches involving at least 500 records were:

• Employing multi-factor authentication for remote access
• Modifying guidelines and procedures
• Training or retraining employees with access to PHI
• Giving complimentary credit monitoring and identity theft protection services to clients
• Using encryption technologies
• Imposing sanctions on employees who violated guidelines and procedures for getting PHI from facilities or who wrongly viewed PHI
• Altering passwords
• Carrying out a new risk analysis
• Changing business associate agreements to add more specific terms for the safety of health data

Whenever serious HIPAA violations are discovered and/or corrective action was not proactively taken to address data breaches, OCR will enforce corrective action plans and issue financial penalties. In 2021, OCR had two data breaches resolved with a total of $5.1 million of financial penalties paid and corrective action plans implemented. The settlement with Excellus Health Plan resulted in the payment of a $5,100,000 financial penalty to settle the HIPAA violations that caused a data breach in 2015 impacting 9.3 million persons. Peachstate Health Management (dba AEON Clinical Laboratories) paid $25,000 in penalties to settle HIPAA Security Rule violations.

Read OCR’s Annual Report to Congress on Breaches of Unsecured Protected Health Information (PDF) here 

Insufficient Funding Impede OCR’s Capability to Implement HIPAA

The HHS’ Office for Civil Rights (OCR) has sent a report to Congress detailing its 2021 HIPAA enforcement activities, which gives information into the status of compliance with the HIPAA Security, Privacy, and Breach Notification Regulations. The report states that the resources of OCR are under strain, and if Congress does not increase its funding, OCR will have difficulty fulfilling its task to implement HIPAA compliance, considering the rise in reported data breaches and HIPAA problems.

OCR reports substantial growth in data breach reports and HIPAA complaints, with data breaches involving 500 and up records escalating by over 58% from 2017 to 2021. HIPAA complaints grew by 25% from 2020 to 2021, though from 2017 to 2021, OCR did not get higher appropriations, with Congress merely adding funding consistent with inflation.

In case Congress cannot increase OCR’s funds, the financial strain can be eased by means of enforcement actions; nevertheless, OCR has seen funding by way of a drop in enforcement after re-evaluating the terms of the HITECH Act and identifying its being misinterpreted in 2009, leading to the highest penalty amounts in three of the four penalty tiers being considerably lowered. To deal with this and raise funding, OCR requested Congress last September 2021 (HHS FY 2023 Discretionary A-19 Legislative Supplement) to increase HITECH civil monetary penalty limits, because, without such a raise, OCR’s employees and resources will be seriously strained, particularly in a time of considerable increase in cyberattacks on the healthcare industry.

25% Yearly Increase in Complaints Regarding HIPAA Violations

Complaints on potential violations of the HIPAA and HITECH Act grew by 25% year-over-year in 2021. 26,420 of the 34,077 complaints or 77.5% were settled in 2021. 20,611 of the complaints or 78% were closed even without starting an investigation. OCR mentioned that action on complaints can only be taken

• when the HIPAA violation happened following the deadline of compliance
• when the complaint involves a HIPAA-covered entity, where a HIPAA violation seems to have happened
• when the complaint is filed within 180 days after the complainant knew about the violation (except if the complainant shows good faith in not reporting the violation within 180 days).

The following are typical reasons for closing complaints without conducting any investigation:

• the complainee is not a HIPAA-regulated entity
• allegations didn’t involve HIPAA violations (3%)
• due to untimely complaints (1%)

OCR stated that complaints against HIPAA-regulated entities were settled through

• offering technical support instead of an investigation – 4,139 complaints
• taking corrective action – 714 complaints
• taking technical support after starting an investigation – 789 complaints

Initiated compliance investigations decreased by 10% year-over-year. There were only 1,620 compliance investigations begun due to complaints. 50% of the complaints were resolved because there was no violation found. 44% of the complaints were settled by taking corrective action, 6% of the complaints were settled by getting technical support after investigation. 13 complaints were settled after paying a total of $815,150 in penalties and taking a corrective action plan. Two complaints were settled by paying civil monetary penalties of $150,000.

There were 674 compliance investigations started that did not have any complaints involved. 609 were because of big data breaches, 22 were because of small data breaches, and 43 were because of incidents that caught OCR’s attention through other means, for example, media reports.

In 2021, OCR resolved 573 (83% of the) compliance investigations by means of corrective actions or paying civil monetary penalties. Two compliance investigations led to a resolution settlement after issuing $5,125,000 in financial penalties and imposing corrective action plans. The other 17% of compliance investigations were resolved by means of technical assistance (3%), lacking proof of HIPAA violations (11%), or jurisdiction to investigate was lacking (3%). OCR stated its HIPAA compliance review program has stalled because of insufficient financial sources.