25% Yearly Increase in HIPAA Violation Complaints and the Need for HIPAA-Regulated Entities to Enhance HIPAA Security Rule Compliance

The Department of Health and Human Services’ Office for Civil Rights (OCR) has submitted two reports to Congress covering 2021: one on breaches of unsecured protected health information, the other on HIPAA enforcement activity and the state of compliance with the HIPAA Privacy and Security Rules.

According to OCR, it received 609 reports of large breaches (500 or more individuals) in 2021, affecting 37,182,558 individuals, and 63,571 reports of breaches affecting fewer than 500 individuals, which are not published; the smaller breaches affected 319,215 individuals. In total, 64,180 breaches were reported in 2021, affecting 37,501,772 individuals.

The OCR breach portal lists 714 large breaches for 2021, a figure that differs from the one in the report. The difference arises because, although OCR investigates every reported breach, the report to Congress only counts breaches that occurred in 2021 or that began earlier and continued into 2021. The remaining 105 breaches were reported to OCR in 2021 but had occurred and ended before 2021.

OCR investigates every breach affecting 500 or more individuals to determine whether noncompliance with the HIPAA Rules contributed to it. In 2021, OCR opened investigations into all 609 large breaches and into 22 breaches affecting fewer than 500 individuals. OCR closed 554 breach investigations in 2021, either because no HIPAA violation was found or because the violations identified were resolved through voluntary compliance, technical assistance, or a resolution agreement with a corrective action plan.

The adjusted figures show a 7% year-over-year decrease in breaches of 500 or more records in 2021 compared with 2020, and a 4% decrease in smaller breaches. By contrast, large breaches rose by 61% in 2020 and small breaches by 6%. From 2017 to 2021, small breaches increased by 5.4% and large breaches by 58.2%.

In 2021, 75% of large breaches were hacking/IT incidents, and they accounted for 95% of affected individuals; the breached data was most often stored on network servers. Unauthorized access/disclosure incidents accounted for 19% of breaches and 4% of affected individuals, theft for 3% of breaches (less than 1% of affected individuals), loss of PHI for 1% (less than 1%), and improper disposal of PHI for 1% (1%). Almost all small breaches were unauthorized access/disclosure incidents, typically involving paper records.

Healthcare providers submitted 72% (437) of the 2021 breach reports, covering 24,389,630 affected individuals. Health plans submitted 15% (93) of the reports, covering 3,236,443 individuals. Business associates submitted 13% (77) of the reports, covering 9,554,023 individuals. Healthcare clearinghouses submitted less than 1% (2) of the reports, covering 2,462 individuals.

Largest Data Breach of 2021 in Each Breach Category

Hacking/IT Incident (Hacked Network Server) – 3,253,822 individuals affected
Unauthorized Access/Disclosure (Software Misconfiguration Exposed ePHI) – 326,417 individuals affected
Improper Disposal (of hard drives with ePHI) – 122,340 individuals affected
Theft (of laptops and paper documents in burglary) – 21,601 individuals affected
Loss of PHI (missing medical records) – 14,532 individuals affected

Lessons Learned from the 2021 Data Breaches

OCR reported that its investigations most often identified noncompliance with HIPAA Security Rule standards and implementation specifications. Regulated entities need to strengthen their compliance with the HIPAA Rules, particularly the Security Rule. OCR’s 2021 breach investigations singled out risk analysis, risk management, information system activity review, audit controls, and access controls as the areas most in need of improvement.

The most common corrective actions following breaches of 500 or more records were:

  • Implementing multi-factor authentication for remote access
  • Revising policies and procedures
  • Training or retraining workforce members with access to PHI
  • Providing complimentary credit monitoring and identity theft protection services to affected individuals
  • Implementing encryption
  • Sanctioning workforce members who violated policies and procedures for removing PHI from facilities or who improperly accessed PHI
  • Changing passwords
  • Performing a new risk analysis
  • Revising business associate agreements to include more specific terms for safeguarding health data

Where serious HIPAA violations are discovered and/or corrective action was not taken proactively to address a breach, OCR imposes corrective action plans and financial penalties. In 2021, two breach investigations were resolved with settlements totaling $5,125,000 plus corrective action plans. Excellus Health Plan paid $5,100,000 to settle the HIPAA violations behind a breach discovered in 2015 that affected 9.3 million individuals, and Peachstate Health Management (dba AEON Clinical Laboratories) paid $25,000 to settle HIPAA Security Rule violations.

The full report, OCR’s Annual Report to Congress on Breaches of Unsecured Protected Health Information, is available from OCR as a PDF.

Insufficient Funding Impedes OCR’s Ability to Enforce HIPAA

The HHS’ Office for Civil Rights (OCR) has also sent Congress a report on its 2021 HIPAA enforcement activity, which describes the state of compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The report says OCR’s resources are stretched thin and that, without increased funding from Congress, OCR will struggle to fulfil its HIPAA enforcement mandate given the growth in reported breaches and complaints.

OCR reports substantial growth in breach reports and HIPAA complaints: breaches of 500 or more records increased by more than 58% from 2017 to 2021, and HIPAA complaints grew by 25% from 2020 to 2021. Over the same 2017 to 2021 period, OCR’s appropriations were essentially flat, with Congress only adjusting its funding in line with inflation.

If Congress does not increase OCR’s funding, the strain could be partly offset by income from enforcement actions. However, OCR’s enforcement income fell after it re-examined the HITECH Act’s penalty provisions, concluded they had been misinterpreted in 2009, and as a result substantially lowered the maximum annual penalty amounts in three of the four penalty tiers. To address this and raise funding, OCR asked Congress in September 2021 (HHS FY 2023 Discretionary A-19 Legislative Supplement) to increase the HITECH civil monetary penalty caps, warning that without an increase its staff and resources would be seriously strained at a time of sharply rising cyberattacks on the healthcare sector.

25% Yearly Increase in Complaints Regarding HIPAA Violations

Complaints of potential HIPAA and HITECH Act violations grew by 25% year over year in 2021. Of the 34,077 complaints received, 26,420 (77.5%) were resolved in 2021, and 20,611 of those (78%) were closed without opening an investigation. OCR noted that it can only act on a complaint

  • when the alleged violation occurred after the applicable compliance date
  • when the complaint is against a HIPAA-regulated entity and a HIPAA violation appears to have occurred
  • when the complaint is filed within 180 days of the complainant learning of the violation (unless the complainant shows good cause for the delay).

The most common reasons for closing complaints without an investigation were:

  • the complaint was not against a HIPAA-regulated entity
  • the allegations did not involve a HIPAA violation (3%)
  • the complaint was untimely (1%)

OCR said complaints against HIPAA-regulated entities were resolved by

  • providing technical assistance without opening an investigation – 4,139 complaints
  • obtaining corrective action – 714 complaints
  • providing technical assistance after opening an investigation – 789 complaints

The number of compliance investigations opened fell by 10% year over year; only 1,620 were opened in response to complaints. 50% of those complaints were closed because no violation was found, 44% were resolved through corrective action, and 6% through technical assistance after investigation. 13 complaints were settled with a total of $815,150 in payments plus corrective action plans, and two complaints resulted in civil monetary penalties totaling $150,000.

OCR also opened 674 compliance investigations that were not complaint-driven: 609 arose from large breaches, 22 from small breaches, and 43 from incidents that came to OCR’s attention by other means, such as media reports.

In 2021, OCR resolved 573 (83%) of its compliance investigations through corrective action or civil monetary penalties. Two ended in resolution agreements with $5,125,000 in settlements and corrective action plans. The remaining 17% were resolved through technical assistance (3%), closed for lack of evidence of a HIPAA violation (11%), or closed for lack of jurisdiction (3%). OCR said its HIPAA compliance review (audit) program has stalled for lack of funding.

DNA Testing Lab Pays $400,000 Penalty and Regal Medical Group Faces Multiple Lawsuits

The attorneys general of Ohio and Pennsylvania have fined DNA Diagnostics Center (DDC) $400,000 for violating state personal data privacy laws. The private U.S. DNA testing laboratory suffered a breach of the personal data of approximately 46,000 Pennsylvania and Ohio residents, and of around 2.1 million people nationwide.

DDC discovered the breach on August 6, 2021 after noticing suspicious activity in its archived databases. The investigation confirmed that unauthorized individuals had access to the databases from May 24 to July 28, 2021, and that selected folders and files were exfiltrated. The databases contained the sensitive data of 33,300 Pennsylvania residents and 12,600 Ohio residents who had received DNA testing services between 2004 and 2012, including names, payment details, and Social Security numbers.

The databases came from Orchid Cellmark, a firm DDC acquired in 2012. The archived databases were not used for any business purpose and, according to DDC, were transferred unintentionally as part of the acquisition, without DDC’s knowledge. Nine years later, DDC was still unaware that the databases remained on its systems. DDC said it had performed penetration tests and an inventory review before the breach, but those only covered active customer data and did not reveal the archived data on its systems.

Before the breach, DDC had engaged a third-party firm for breach monitoring. That firm detected the intrusion and tried to contact DDC several times via automated email notifications, but DDC staff did not respond for two months. During those two months, Cobalt Strike was installed on the network and data was exfiltrated. The investigation confirmed that an unauthorized third party logged in on May 24, 2021 through a VPN using a DDC user credential. The VPN was one DDC no longer used, having migrated to a different VPN product, yet it still accepted connections. Active Directory data was collected from a domain controller, which provided password data for every account in the system. The attacker used a trial account with administrative privileges to maintain access and deploy Cobalt Strike inside the network. Five compromised servers holding backups of 28 directories and a decommissioned server were used to exfiltrate the data. The attacker then demanded a ransom in exchange for restoring and deleting the stolen data, and DDC paid it.
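The DDC incident chains three failures that are each detectable from logs an organisation already has: logins accepted on a VPN the company had migrated away from, a non-personal trial account with administrative rights being used for persistence, and a monitoring vendor’s alerts going unread for two months. The following Python script is an added example, not DDC’s tooling, and shows detection logic for all three over constructed, vendor-neutral log lines; the gateway names, account names, alert export format and thresholds are assumptions for illustration.

```python
"""Detection logic for three failures in the DDC incident: successful logins on a VPN gateway
that had been replaced but never switched off, logins by a non-personal account holding admin
rights, and monitoring alerts that nobody acknowledged. Added example with constructed,
vendor-neutral log lines; gateway names, account names, the alert export format and the
thresholds are assumptions, not DDC's real environment."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication events (key=value syslog style, not a real vendor format).
VPN_LOG = """\
2021-05-24T02:13:07Z gw=vpn-legacy user=jdoe src=203.0.113.45 result=success
2021-05-24T09:02:11Z gw=vpn-new user=asmith src=198.51.100.8 result=success
2021-05-25T22:40:03Z gw=vpn-legacy user=trial-admin src=203.0.113.45 result=success
2021-05-26T01:05:44Z gw=vpn-new user=bjones src=198.51.100.20 result=failure
2021-06-02T03:17:29Z gw=vpn-legacy user=trial-admin src=203.0.113.45 result=success
"""

# Constructed alert-tracker export from a monitoring vendor: when each alert was raised and
# when the customer acknowledged it (empty = never).
ALERTS = """\
id=A-1001 raised=2021-05-24T03:00:00Z acked=
id=A-1002 raised=2021-06-01T03:00:00Z acked=
id=A-1003 raised=2021-07-30T12:00:00Z acked=2021-07-30T13:30:00Z
"""

DECOMMISSIONED_GATEWAYS = {"vpn-legacy"}  # replaced by vpn-new; should accept no logins at all
PRIVILEGED_NONPERSONAL = {"trial-admin"}  # admin rights, not tied to a named employee

TS = "%Y-%m-%dT%H:%M:%SZ"
LOG_RE = re.compile(r"^(?P<ts>\S+) gw=(?P<gw>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")
ALERT_RE = re.compile(r"^id=(?P<id>\S+) raised=(?P<raised>\S+) acked=(?P<acked>\S*)$")


def parse_log(text):
    """Parse the constructed log format into dicts with a datetime timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS)
            events.append(e)
    return events


def triage_logins(events):
    """Return (rule, user, gateway, src) tuples for successful logins that break a rule."""
    findings = []
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] != "success":
            continue
        users_by_src[e["src"]].add(e["user"])
        if e["gw"] in DECOMMISSIONED_GATEWAYS:
            findings.append(("login_on_decommissioned_gateway", e["user"], e["gw"], e["src"]))
        if e["user"] in PRIVILEGED_NONPERSONAL:
            findings.append(("privileged_nonpersonal_login", e["user"], e["gw"], e["src"]))
    # One source address authenticating as a named user and later as a shared privileged
    # account is the shape of credential theft followed by a privilege pivot.
    for src, users in users_by_src.items():
        if users & PRIVILEGED_NONPERSONAL and users - PRIVILEGED_NONPERSONAL:
            findings.append(("src_pivoted_to_privileged_account", ",".join(sorted(users)), "*", src))
    return findings


def stale_alerts(text, now_str, max_age=timedelta(days=1)):
    """(alert id, age in days) for alerts raised more than max_age before now_str and never acknowledged."""
    now = datetime.strptime(now_str, TS)
    stale = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        age = now - datetime.strptime(m["raised"], TS)
        if not m["acked"] and age > max_age:
            stale.append((m["id"], age.days))
    return stale


if __name__ == "__main__":
    for finding in triage_logins(parse_log(VPN_LOG)):
        print(*finding)
    for alert_id, days in stale_alerts(ALERTS, "2021-07-28T00:00:00Z"):
        print(f"{alert_id}: unacknowledged for {days} days")
```

The pivot rule is the most useful of the three in practice: a single source address that authenticates as a named employee and then as a shared privileged account fires even where nobody has maintained a list of decommissioned gateways. The stale-alert check addresses the other lesson of the incident: an alert delivered by email with no acknowledgement deadline and no escalation path is not a control.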

The attorneys general’s investigation found that DDC engaged in deceptive or unfair business practices through material misrepresentations in its consumer-facing privacy policy about how customers’ personal data was protected, and that it failed to take reasonable steps to detect and prevent unauthorized access to its computer systems, amounting to unfair and deceptive cybersecurity practices that exposed customer data to unauthorized access and theft. The attorneys general concluded that this conduct constituted unfair trade practices in violation of the states’ consumer protection laws.

DDC chose to settle the investigations without admitting wrongdoing. Under the settlement terms, DDC agreed to pay Pennsylvania and Ohio $200,000 each, to implement and maintain a comprehensive information security program, to perform a detailed threat assessment annually, to devote risk-appropriate resources to protecting consumers’ personal information, and to conduct an annual assessment of its IT security program to evaluate the effectiveness of its data security measures.

Acting Attorney General Henry said that the more personal data criminals can access, the more vulnerable a person’s data becomes to theft, which is why the Attorney General’s Office took action together with Attorney General Yost in Ohio. “I am proud of the work our agents and attorneys do every day to protect Pennsylvanians’ most sensitive information.”

Regal Medical Group Facing Multiple Lawsuits Over 3.3 Million-Record Ransomware Attack

Regal Medical Group and affiliated healthcare providers are facing multiple class action lawsuits over a ransomware attack, announced on February 1, 2023, in which the protected health information (PHI) of 3,300,638 individuals was potentially stolen in December 2022.

The attack affected Heritage Provider Network, Regal Medical Group, and several affiliated providers, including A Medical Group, Inc., Lakeside Medical Organization, ADOC Acquisition Co., Affiliated Doctors of Orange County, and Greater Covina Medical Group Inc. It was discovered on December 2, 2022, when staff began having trouble accessing data.

The forensic investigation found that the attack began on or before December 1 and that the attackers exfiltrated sensitive data from the servers. The compromised files contained PHI including names, telephone numbers, addresses, dates of birth, diagnosis and treatment information, laboratory test results, prescription information, radiology reports, Social Security numbers, and health plan member numbers. Affected individuals were offered 12 months of credit monitoring.

Lawsuits routinely follow healthcare data breaches, so it is no surprise that several were filed after an attack of this size. A central issue in the complaints is that the attackers were able to access such a large volume of highly sensitive data, which could be misused in many ways. The suits were filed against Regal Medical Group and Heritage Provider Network in California superior court and in federal court. The claims include negligence, negligence per se, unjust enrichment, breach of implied contract, and unfair business practices, and the suits allege violations of the California Confidentiality of Medical Information Act, the California Consumer Privacy Act of 2018, the FTC Act, the Health Insurance Portability and Accountability Act, and California’s Unfair Competition Law.

The lawsuits also take issue with the delay in notifying victims. The breach occurred on December 1, 2022, but notification letters were not sent until February 1, 2023. Although that is within the 60-day window allowed by the HIPAA Breach Notification Rule, the Rule also requires notifications to be issued without unreasonable delay. One suit further challenges the content of the notification letters, which did not give full details of the breach, such as how long the attackers had access to the stolen data.

The lawsuit Timothy Head v. Regal Medical Group Inc. and Heritage Provider Network Inc. (Cole & Van Note) alleges that the defendants intentionally, willfully, recklessly, or negligently failed to take and implement adequate and reasonable measures to protect the PHI/PII of the representative plaintiff(s) and class members, and that they failed to encrypt the data.

Similar claims are made in David Rodriguez v. Regal Medical Group and in Sam Abedi and Farnaz Doroodian v. Heritage Provider Network, Inc. and Regal Medical Group, Inc., which allege that the defendants were well aware of the high incidence of data breaches and had the resources to secure data, yet underinvested in data protection, vulnerability remediation, employee training, and security testing.

The lawsuit Lynn Austin v. Regal Medical Group, Inc. (Parker & Minnie, LLP and Mason LLP) alleges that the plaintiffs suffered actual and concrete harm, including out-of-pocket expenses, loss of valuable rights and protections, increased stress, anxiety, fear, and risk of future privacy violations, and emotional and mental distress.

The lawsuits seek a jury trial, class certification, injunctive relief, and actual and punitive damages, including a court order prohibiting the defendants from engaging in unlawful acts and deceptive business practices and requiring them to implement a comprehensive information security program to guard against future breaches.

Multiple Privacy Violations and the First Health Breach Notification Rule Enforcement Action

Under the Federal Trade Commission’s Health Breach Notification Rule, vendors of personal health records and related entities must notify consumers of a breach of unsecured personal health data. The rule was issued in 2009 but had never been enforced. The FTC has now taken its first enforcement action under the rule, against GoodRx Holdings Inc., a prescription discount and telehealth company, which has agreed to pay a $1.5 million civil penalty.

In September 2021, the FTC issued a policy statement announcing its intent to actively enforce the Health Breach Notification Rule, with an emphasis on health apps. Health apps are generally not covered by HIPAA, so their breaches are not governed by the HIPAA Breach Notification Rule.

In January 2022, the FTC published two guidance documents:

  • Health Breach Notification Rule: The Basics for Business
  • Complying with FTC’s Health Breach Notification Rule

The two documents set out:

  • which entities are covered by the Health Breach Notification Rule
  • which events trigger a duty to notify consumers
  • how notifications must be issued

The first penalty was imposed roughly a year after that guidance was published, for failing to notify consumers of unauthorized disclosures of their personal health information to Facebook, Criteo, Google, and others for advertising purposes.

GoodRx, a telehealth and prescription discount platform based in Santa Monica, CA, lets consumers use its website and mobile app free of charge to compare prescription drug prices and obtain discount coupons; consumers can also book telehealth consultations and access other healthcare services through the platform. Users provide GoodRx with personal and health information, and GoodRx also collects data from pharmacy benefit managers whenever users redeem GoodRx coupons. More than 55 million consumers have used the GoodRx website and app since January 2017.

GoodRx’s Multiple Privacy Violations and Deceptive Business Practices

The FTC’s complaint alleges that GoodRx violated the FTC Act and its own privacy policy by sharing users’ sensitive personal and health data with technology companies and social media platforms without informing users of those disclosures or obtaining their consent.

GoodRx told users of its website and app that it would never share their personal health information with advertisers or other third parties; yet the FTC found that, from 2017 onward, GoodRx repeatedly broke that promise, disclosing health information to Google, Facebook, Criteo, Twilio, Branch, and others for advertising purposes, including details of users’ medical conditions and the medications prescribed to them.

The health information was monetized: data shared with Facebook was used to target GoodRx’s own users with ads on Meta platforms such as Facebook and Instagram. In one instance from 2019 cited by the FTC, GoodRx compiled lists of users who had bought specific medications for blood pressure and heart disease and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so those users could be identified and served targeted health-related ads.

GoodRx also allowed third parties such as Facebook to use the shared data for their own business purposes, and it falsely claimed compliance with the Digital Advertising Alliance principles despite not obtaining consent before using health data for advertising. It displayed a HIPAA compliance seal on its telehealth services page even though it was not HIPAA-compliant, and it lacked adequate policies and procedures to protect users’ personal and health data, adopting formal, written privacy and data-sharing policies only after a consumer watchdog exposed its data practices in February 2020.

The FTC determined that GoodRx violated the Health Breach Notification Rule by failing to notify consumers of the impermissible disclosures of their health information, and that the seriousness of the violations warranted a civil penalty. The proposed order and penalty are subject to federal court approval. In addition to the penalty, GoodRx is

  • prohibited from sharing users’ health information with third parties for advertising purposes
  • required to obtain users’ consent before sharing health information and to direct the third parties to delete the health information already shared with them
  • required to implement a comprehensive privacy program.

Cedars-Sinai Medical Center Faces Lawsuit for Privacy Violations by Using Website Tracking Technology

Cedars-Sinai Medical Center is being sued for allegedly impermissibly disclosing patient information to Meta, Google, and other third parties through website tracking technologies, without entering into a business associate agreement (BAA) with the code vendors or obtaining patient authorization. A 2022 study of tracking technologies found that roughly a third of the top 100 U.S. hospitals had pixels or other tracking code on their websites, allowing the code vendors to collect and receive sensitive information. The Cedars-Sinai suit is one of many filed last year against healthcare providers and other health-related companies over tracking technologies used on websites and mobile apps without user consent.

The widespread use of tracking technologies prompted HHS’ Office for Civil Rights to publish guidance on them in December 2022. The guidance confirms that a regulated entity may not use tracking technologies that disclose PHI to the code vendor unless it has a HIPAA-compliant BAA with that vendor or has obtained the patient’s HIPAA authorization for the disclosure.

The lawsuit was filed in California state court on December 30, 2022 and transferred to the U.S. District Court for the Central District of California in Los Angeles on February 3, 2023. John Doe v. Cedars-Sinai Health System and Cedars-Sinai Medical Center asserts claims of invasion of privacy, intrusion upon seclusion, breach of contract, breach of implied contract, negligence, and violations of the California Invasion of Privacy Act, the California Confidentiality of Medical Information Act, and the California Unfair Competition Law.

The complaint states that the sensitive personal and medical data of the plaintiff and other Cedars-Sinai patients was impermissibly shared with Meta, Google, and Microsoft Bing because of tracking code on the hospital’s website. Cedars-Sinai encourages patients to use its website to research symptoms and conditions, find physicians who treat particular conditions, and book appointments online, which requires patients to enter their symptoms and other highly sensitive medical information. The plaintiff did so believing his privacy was assured.

The tracking code on the website recorded individually identifiable information about user activity and transmitted it to Microsoft Bing, Meta/Facebook, Google, and other social media and advertising companies. The complaint likens the code to a real-time wiretap on patients’ devices: it allowed advertising firms to use patient data without consent and to serve patients ads related to their medical conditions, uses and disclosures of which patients were never informed.

The plaintiff is a Facebook user who keeps the ‘Keep Me Logged In’ option enabled. He noticed an increase in health-related ads after visiting the Cedars-Sinai website to read about his condition, some of them specifically related to the condition he had researched on the site.

The lawsuit targets Cedars-Sinai rather than the pixel and code vendors. The vendors’ terms of service expressly prohibit use of the code with health information; Google, for example, does not permit HIPAA-regulated entities and their business associates to use Google Analytics on pages that involve PHI. The complaint contends that deploying the tracking code violated patients’ privacy and also constituted a violation of the HIPAA Rules. The suit seeks class certification, a jury trial, compensatory and punitive damages, and injunctive relief.

PHI of Patients Exposed at Satellite Healthcare, Rundle Eye Care and DCH Health System Data Breaches

Satellite Healthcare Breach Impacted 95,000 Individuals

Satellite Healthcare, based in San Jose, CA, has reported a breach of the PHI of 95,128 patients to the Texas Attorney General; 22 of the affected individuals are Texas residents. Few details are available at this stage, as the incident has not yet been posted on the California Attorney General’s breach site and there is no notice on the provider’s website.

The compromised PHI included names, medical information, health insurance details, and financial information. Affected patients were notified by mail. Satellite Healthcare was asked for further information about the breach but had not responded at the time of writing.

Patient Information Exposed in Hacking Incident at Rundle Eye Care

Drs. Keith and Herman Rundle have reported that unauthorized individuals accessed and potentially stole the protected health information (PHI) of some Rundle Eye Care patients. According to the breach notification letters, the breach occurred “recently” and involved patient names, dates of birth, and treatment information.

Although data may have been stolen, there is no indication that any patient information has been misused. As a precaution, affected patients have been offered one year of free single-bureau credit monitoring, and additional safeguards have been implemented to strengthen system security.

The breach notice does not mention ransomware, but the Everest ransomware group has claimed responsibility for the attack and says it stole 30 GB of data, including tax records, clinical records, and prescription forms.

DCH Health System Detects Insider Data Breach

DCH Health System, based in Tuscaloosa, AL, has reported that a former employee accessed patients’ medical records without authorization. DCH Health detected the unauthorized access on December 9, 2022 during a routine privacy review, which showed that the employee had viewed a patient’s health record on December 5, 2022 with no legitimate work reason to do so. The ensuing investigation found this was not an isolated event: the employee had been improperly accessing medical records since September 2021, and the records of around 2,530 patients had been viewed. The data involved included names, dates of birth, addresses, Social Security numbers, diagnoses, dates of service, vital signs, medications, test results, and clinical/provider notes.

DCH Health said the employee was suspended as soon as the initial unauthorized access was discovered and was subsequently terminated for the privacy violations. Affected patients have been offered free identity theft protection services, although DCH Health said there is no indication that any patient data has been or will be misused. Workforce members will continue to receive HIPAA and privacy training on appropriate access, and the incident will be used to improve privacy monitoring tools and procedures.
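DCH Health found the insider through a routine privacy review, which in practice means checking EHR access logs against whether the user had a legitimate relationship with the patient whose chart they opened. The following Python example is added here and is not DCH Health’s system: it runs that check over a constructed audit export and a constructed table of care relationships (user, patient, validity window), then aggregates unjustified views per user so that a single hit, like the December 5 access, expands into the user’s full history, like the pattern reaching back to September 2021. The column names, user ids, patient ids and relationship windows are assumptions.

```python
"""Access-audit review of the kind that catches an insider like the DCH Health case: each EHR
chart view is checked against a documented care relationship, and views without one are
aggregated per user. Added example; the audit format, users, patient ids and relationships
are constructed and are not DCH Health's systems."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed EHR audit export: who viewed which patient chart, and when.
AUDIT_CSV = """\
timestamp,user,patient_id,action
2021-09-14T10:02:00,nurse_k,P-100,view
2021-09-14T10:05:00,nurse_k,P-555,view
2021-11-03T15:40:00,nurse_k,P-612,view
2022-06-21T08:11:00,dr_lee,P-100,view
2022-12-05T13:27:00,nurse_k,P-777,view
2022-12-05T13:31:00,nurse_k,P-100,view
"""

# Constructed care relationships: (user, patient_id, valid_from, valid_until) with a documented
# reason such as an encounter on the user's unit, an assigned provider, or a billing task.
RELATIONSHIPS = [
    ("nurse_k", "P-100", "2021-09-01", "2023-01-01"),
    ("dr_lee", "P-100", "2022-01-01", "2023-01-01"),
]


def load_audit(text):
    """Parse the audit export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def has_relationship(user, patient_id, day, relationships=RELATIONSHIPS):
    """True if a relationship covers this user and patient on the given ISO date (string compare is fine for ISO)."""
    return any(u == user and p == patient_id and start <= day < end
               for u, p, start, end in relationships)


def unjustified_accesses(rows, relationships=RELATIONSHIPS):
    """Audit rows whose user had no documented relationship with the patient on that day."""
    return [r for r in rows
            if not has_relationship(r["user"], r["patient_id"], r["timestamp"][:10], relationships)]


def summarize_by_user(rows, relationships=RELATIONSHIPS):
    """Per user: number of unjustified views, distinct patients, and first/last occurrence."""
    grouped = defaultdict(list)
    for r in unjustified_accesses(rows, relationships):
        grouped[r["user"]].append(r)
    summary = {}
    for user, hits in grouped.items():
        times = sorted(h["timestamp"] for h in hits)
        summary[user] = {
            "count": len(hits),
            "patients": sorted({h["patient_id"] for h in hits}),
            "first": times[0],
            "last": times[-1],
        }
    return summary


if __name__ == "__main__":
    for user, s in summarize_by_user(load_audit(AUDIT_CSV)).items():
        print(user, s)
```

In a real deployment the relationship table is derived from the EHR’s encounter, scheduling, order and billing data rather than maintained by hand, and emergency “break-the-glass” accesses go to a separate review queue instead of being scored as unjustified. The per-user summary is what makes the review actionable: the first hit is rarely the first offence.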


Data Breach at Insulet Corporation and Minnesota Department of Human Services

29,000 Insulet Corporation Customers Affected by Tracking Code Privacy Incident

The Massachusetts medical device company Insulet Corporation has notified 29,000 of its Omnipod DASH customers of a privacy breach. Insulet had previously sent customers a Medical Device Correction (MDC) letter and, because it was important that the update be applied, emailed a follow-up on December 1, 2022 asking customers to acknowledge receipt.

The emails contained a link to a web page for confirming receipt, but the page was misconfigured in a way that resulted in an impermissible disclosure of customers’ protected health information (PHI). Each customer was sent a unique link whose address indicated that the recipient was an Omnipod DASH user and whether they had been issued a Personal Diabetes Manager, and that address, combined with the customer’s IP address, could be tied to the individual.

The MDC acknowledgment pages contained cookies and tracking code that transmitted those page addresses to third-party website performance and advertising partners. Insulet said it identified the disclosure on December 6, 2022, disabled all tracking technologies on the pages to prevent further exposure of PHI, and asked its advertising partners to delete the records containing the IP addresses and unique page addresses.
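Both the Cedars-Sinai complaint and the Insulet incident come down to the same mechanism: tracking scripts and pixels embedded in a page send the page’s URL, and by the nature of an HTTP request the visitor’s IP address, to the vendor, so anything identifying in the URL of a patient-facing page reaches Meta, Google or Microsoft whether or not a BAA exists. The following Python check is an added example, not drawn from either organisation’s site: it scans a constructed HTML page for third-party tracker hosts and inspects the page URL for identifying query parameters, reporting what each tracker would receive. The tracker host list, parameter names, HTML and URL are assumptions for illustration.

```python
"""Static audit of a patient-facing web page for the mechanism behind the Cedars-Sinai
complaint and the Insulet incident: third-party tracking code on the page, and identifying
values in the page URL, which that code transmits to its vendor along with the visitor's IP
address. Added example; the HTML, URL, tracker host list and parameter names are constructed
and are not taken from either organisation's site."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Hosts that commonly serve embedded analytics/advertising code (assumed list for the example).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "bat.bing.com": "Microsoft (Bing) UET",
}

# Query parameters that identify the visitor, their device, or their enrollment (assumed names).
IDENTIFYING_PARAMS = {"ip", "email", "customer_id", "device", "pdm", "mrn", "patient"}

# Constructed page: an acknowledgment form with two tag scripts, one first-party script and a pixel.
PAGE_HTML = """\
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
</head><body>
<h1>Confirm you received the Medical Device Correction letter</h1>
<img src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1" height="1" width="1"/>
</body></html>
"""

# Constructed per-recipient link that encodes who the recipient is and which device they use.
PAGE_URL = "https://example.invalid/mdc/ack?customer_id=7f3a9c&device=omnipod-dash&pdm=1"


class TrackerScanner(HTMLParser):
    """Collects <script>, <img> and <iframe> elements whose src/href points at a known tracker host."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("href")
        if tag in ("script", "img", "iframe") and url:
            host = urlparse(url).netloc.lower()
            if host in TRACKER_HOSTS:
                self.found.append((tag, host, TRACKER_HOSTS[host]))


def find_trackers(html):
    """(tag, host, vendor name) for every third-party tracker element in the page."""
    scanner = TrackerScanner()
    scanner.feed(html)
    return scanner.found


def identifying_query_params(url):
    """Sorted names of query parameters in the URL that identify the visitor."""
    return sorted(k for k in parse_qs(urlparse(url).query) if k.lower() in IDENTIFYING_PARAMS)


def audit_page(url, html):
    """Human-readable findings: one for the URL if it leaks identity, one per tracker on the page."""
    findings = []
    leaked = identifying_query_params(url)
    if leaked:
        findings.append(f"URL carries identifying parameters {leaked}; every request log and referrer sees them")
    for tag, host, name in find_trackers(html):
        msg = f"{name} ({host}, <{tag}>) loaded on a patient-facing page: needs a BAA or patient authorization"
        if leaked:
            msg += f", and it receives the page URL carrying {leaked}"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for line in audit_page(PAGE_URL, PAGE_HTML):
        print(line)
```

Run a check like this against the rendered HTML of every page reachable from an authenticated session or an emailed link before it goes live. The fix for the Insulet-style case is twofold: the link should carry an opaque, single-use token rather than anything that encodes who the recipient is, and pages that can reveal a health condition or device enrollment should load no third-party code at all, since a tracker with a BAA still receives the URL.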

4,307 Individuals Affected by Error of Minnesota Department of Human Services Employee

A Minnesota Department of Human Services (DHS) employee made a mistake that led to the impermissible disclosure of the PHI of 4,307 residents of Minnesota. On November 18, 2022, while responding to a client’s request for a copy of their own information, the employee inadvertently provided the billing statements of 4,307 persons who signed up for Medical Assistance.

The investigation found no evidence that the information was downloaded or misused. The client who received the information notified DHS of the mistake and stated the email would be deleted. DHS confirmed that the statements did not contain highly sensitive data such as banking data, credit card numbers, or Social Security numbers. All affected persons received notification letters on January 11, 2023.

Plastic Surgery Provider Sued for HIPAA Violations and Wrongly Inflating Online Reviews

Washington Attorney General Bob Ferguson is suing a plastic surgery practice for artificially inflating its online review scores and for bribing and intimidating patients, and claims the practice’s conduct did not comply with the Health Insurance Portability and Accountability Act (HIPAA) Regulations.

The plastic surgery clinic Allure Esthetic, based in Seattle, and its owner Dr. Javad Sajan are facing a lawsuit filed in the U.S. District Court for the Western District of Washington. Patients and former employees submitted multiple complaints alleging that the practice bribed and threatened patients to keep them from leaving bad reviews on websites like Google and Yelp, and that patients were asked to sign non-disclosure agreements (NDAs) prior to treatment forbidding them from posting online comments that could harm the practice in any way. The practice considered any rating below 4 stars to be a bad review. Attorney General Ferguson stated these practices artificially inflated its online ratings.

According to the lawsuit, over 10,000 patients signed NDAs stating that legal action would be taken against those posting negative reviews. Patients who posted bad reviews were allegedly told to delete them or face a lawsuit for monetary damages. In a number of instances, patients were given bribes, such as cash and free treatments, for deleting negative comments. Patients who accepted the payments or free treatments signed another NDA stating they would pay $250,000 in damages should they post any further bad reviews. Patients had to pay a $100 consultation fee before being informed they needed to sign an NDA.

The lawsuit additionally claims employees were instructed to post bogus positive reviews online containing altered before-and-after photos that made treatments appear considerably more successful than they really were. When posting the bogus reviews, a VPN was used to hide the IP addresses of the computers involved. The practice is also alleged to have requested patients’ rebates without their permission and then kept the rebates. The practice created hundreds of bogus email accounts to sign up for rebate programs meant for actual patients, and as a result was paid thousands of dollars in fraudulent rebates every month.

The lawsuit states that from 2017 to 2019, because of the NDAs, patients had to contact the practice before posting any online review under 4 stars, since the NDAs required patients to pay the practice monetary damages for any losses if negative reviews were not deleted. The NDAs also required patients to waive their HIPAA privacy rights, stating that patients must permit a reply [to the review] from the practice containing any of their protected health information (PHI) if they published a bad review. The HIPAA Privacy Rule prohibits covered entities from conditioning treatment, payment, enrollment, or eligibility for benefits on a person signing an authorization to disclose PHI. That wording was altered in 2019; however, the NDAs still required it up to March 2022.

Besides the alleged HIPAA violations, the practice and its owner are accused of violating the Consumer Review Fairness Act (CRFA) and the Washington State Consumer Protection Act (CPA). The lawsuit asks the court to void the NDAs, require the practice to notify all patients that the NDAs are void, and prohibit the practice from using such NDAs in the future. The lawsuit also seeks monetary damages of around $7,500 per violation, and the court has been asked to require the practice to pay $100 to patients as compensation for the consultation fees and to return the rebates owed to consumers.

Patients depend on reviews to decide whether a healthcare provider is right for them. Using legal threats and bribes to manipulate reviews is deceptive and harms Washingtonians. AG Ferguson stated that these unethical and illegal practices must stop.

Life Hope Labs Settles Medical Record Access Case by Paying $16,500

The HHS’ Office for Civil Rights (OCR) has announced its first HIPAA enforcement action of 2023. The agency is reminding HIPAA-regulated entities of their obligation to provide patients and their personal representatives with timely access to their health records. Life Hope Labs, LLC, has agreed to pay a $16,500 penalty to resolve the case.

43 Enforcement Actions Issued Due to HIPAA Right of Access Failures

The HIPAA Right of Access requires covered entities to provide a copy of an individual’s protected health information (PHI) held in a designated record set within 30 days of receiving a request. In certain circumstances, an extension of up to 30 days is permitted, provided the individual is informed of the reason for the delay and of the date by which the request will be fulfilled.

OCR announced a new HIPAA compliance initiative in 2019 targeting entities that were not promptly providing individuals and their personal representatives with copies of the medical records they requested, and entities that were charging unreasonable fees for those records. Including the most recent settlement, OCR has imposed financial penalties on 43 healthcare entities for potential violations of the HIPAA Right of Access.

Life Hope Labs Enforcement Action

Life Hope Labs, located in Sandy Springs, GA, provides diagnostic laboratory services. On August 24, 2021, the personal representative of a patient’s estate filed a complaint with OCR. The complainant stated that she had requested a copy of the deceased patient’s health records from Life Hope Labs on July 7, 2021, but the provider did not provide them. It took Life Hope Labs seven months from the initial request to deliver the records. The complainant, the decedent’s daughter, received a complete copy of the records on February 16, 2022. OCR determined that the delay in providing the requested information violated the HIPAA Right of Access, as specified in 45 C.F.R. § 164.524.

Life Hope Labs chose to settle the case and paid OCR a $16,500 penalty for the potential violation of the HIPAA Right of Access, without admitting liability. Under the terms of the settlement, Life Hope Labs must implement a corrective action plan that includes developing, maintaining, and revising, as required, written policies on the HIPAA Privacy Rule, including the right of patients to access and obtain a copy of their PHI, and distributing those policies to all employees. HIPAA training on those policies must also be provided to all new staff members within 30 days of starting work. The settlement also includes 24 months of monitoring by OCR.

Access to medical records, including laboratory results, allows patients to take better care of their health, communicate with their care teams, and follow their treatment plans. The HIPAA Privacy Rule gives individuals and their personal representatives a right to timely access to their health records from all covered entities, including laboratories. HIPAA-regulated laboratories should comply with the law and make sure that they respond promptly to requests for access to medical records.

Omnibus Appropriations Bill Includes Medical Device Cybersecurity Provisions

The House and Senate Appropriations Committees have released details of a $1.7 trillion omnibus appropriations bill which, if passed, would fund the government through September 30, 2023. The Senate has begun debating the bill and the House will vote on it this week. The bill must be signed by the president before current government funding expires.

The 4,155-page bill includes the following healthcare provisions that would enable hospitals and health systems to offer better patient care:

  • the prohibition of the 4% Medicare PAYGO cuts to providers
  • financial assistance for rural hospitals to ensure their continued operation
  • steps to help states prepare for Medicaid eligibility redeterminations when the COVID-19 Public Health Emergency ends
  • extension and expansion of telehealth flexibilities through December 31, 2024, to ensure that patients retain access to care through telehealth and hospital-at-home programs.

The bill will also provide funding for important behavioral health programs and contains a number of provisions to grow the healthcare workforce.

The bill proposes $120.7 billion in funding for the Department of Health and Human Services, an increase of $9.9 billion over 2021. Other changes in funding amounts include:

  • $100 million more for the Centers for Medicare and Medicaid Services
  • $2.5 billion more for the National Institutes of Health to be spent on research on a variety of diseases and medical problems
  • $760 million more for the Centers for Disease Control and Prevention, mostly to finance basic public health activities and emergency readiness
  • $970 million more for the Substance Abuse and Mental Health Services Administration to fund mental health programs and expanded service access

The Food and Drug Administration (FDA) appropriations bill was passed in September to ensure the FDA would continue to receive funding; however, to get the bill passed, the FDA had to drop its proposed medical device cybersecurity requirements, many of which were taken from the Protecting and Transforming Cyber Health Care (PATCH) Act. The Senate Republican leadership blocked those requirements.

The good news is that the omnibus appropriations bill contains new requirements for the approval of devices from medical device manufacturers, ensuring they meet certain minimum cybersecurity standards. Those provisions take effect 90 days after the bill is passed.

The requirements include submitting a plan to the Secretary of the FDA for monitoring, identifying, and addressing postmarket cybersecurity vulnerabilities and exploits. Manufacturers must have processes for the coordinated disclosure of vulnerabilities. Devices and related systems must be secured, with postmarket software and firmware updates and patches provided. Medical device manufacturers will also need to submit a Software Bill of Materials (SBOM) to the Secretary of the FDA listing all existing, open source, and critical components used by the devices.

The bill requires the FDA to publish additional resources and information on improving the cybersecurity of medical devices within 180 days, and annually thereafter, including details on identifying and addressing cyber vulnerabilities for healthcare companies, health systems, and device manufacturers. Within one year, the Government Accountability Office must deliver a report identifying the challenges faced by health systems, healthcare providers, patients, and device manufacturers in addressing vulnerabilities, and how federal agencies can improve coordination to strengthen device cybersecurity.

HIPAA required the development of a unique patient identifier (UPI); however, no funding has been provided to date. The appropriations bill still prohibits funding for a national patient identifier, even though a UPI could help to ensure that patients are matched to the correct medical records.


Lawsuit Fails to Claim Property Insurance Coverage for Ransomware Attack

Cyber insurance policies can help cover the cost of losses from ransomware attacks; however, these policies are becoming harder to obtain. Insurers are tightening their requirements for issuing policies, and many are placing limits on coverage amounts. Premiums are also rising, making policies too expensive for many healthcare providers, when coverage can be obtained at all. There was more bad news this week for healthcare companies that cannot get cyber insurance: the Ohio Supreme Court has ruled that ransomware attacks do not constitute physical damage, so claims cannot be made under property insurance policies.

The decision concludes the 3-year court case between the insurer, Owners Insurance Company, and medical billing software company EMOI. EMOI suffered a ransomware attack in September 2019 and paid the $35,000 ransom demand to regain access to its files. EMOI also purchased upgrades to its security infrastructure to prevent further attacks. The ransomware group provided the decryption keys and most files were recovered; however, the automated phone call system could not be decrypted and had to be replaced.

EMOI filed a claim under its property insurance policy seeking to recover the losses, but the claim was denied. EMOI then sued Owners, arguing that the policy covered direct physical damage to digital files. Owners maintained that the ransomware attack had no physical aspect, so it was not covered by the policy, and that the policy did not cover losses due to ransomware.

In November 2021, an Ohio Appellate Court ruled in favor of EMOI and allowed a claim against the insurer for dealing with EMOI in bad faith by not fully considering the different types of damage that could occur to media such as software; however, all seven justices of the Ohio Supreme Court sided with Owners and granted summary judgment dismissing EMOI’s case.

EMOI had argued that computer software falls under “media” that could be damaged, and that although software is not physical, the policy should still cover the losses even if the hardware is not damaged. The Supreme Court justices were not persuaded, ruling that the phrase “direct physical loss of or damage to” means direct physical damage to the media itself.

Although the phrase “computer software” is included in the definition of “media”, the justices ruled that computer software was only included insofar as it is contained on covered media, and that covered media must have a physical presence. Because there was no direct physical loss of or physical damage to the covered media containing the software, the policy did not cover the losses. Moreover, computer software cannot itself suffer direct physical loss or physical damage, since it has no physical presence.

Privacy Breaches Reported by Blue Shield of California, Pediatrics West & Allergy West, Medstar Mobile Healthcare and Louis A. Johnson VA Medical Center

A summary of data breaches recently reported to the HHS’ Office for Civil Rights and state attorneys general.

Blue Shield of California

Blue Shield of California has begun notifying certain health plan members about a privacy violation by one of its employees. On June 17, 2022, the employee emailed a spreadsheet containing plan members’ names, phone numbers, Social Security numbers, addresses, email addresses, and/or Taxpayer ID numbers from a work account to a personal email address. Privacy Officer David Keystone of Blue Shield of California stated that the privacy breach was discovered on October 30, 2022, and the employee was counseled and instructed to delete the email and any copies of the spreadsheet.

In response to the incident, Blue Shield of California has strengthened its system detection tools to prevent further impermissible disclosures of PHI. As a precaution against identity theft, affected individuals have been offered free one-year access to a credit monitoring and identity theft protection service.

The number of persons impacted is not yet certain.

Pediatrics West & Allergy West

Pediatrics West & Allergy West, located in Massachusetts, has notified 1,364 patients about unauthorized access to their PHI stored on its system. The provider discovered the breach on October 17, 2022, and the forensic investigation confirmed that the unauthorized access took place between August 19, 2021, and August 15, 2022. The records on the system contained names, contact information, dates of birth, demographic data, diagnosis and treatment information, prescription details, medical record numbers, dates of service, provider names, and/or health insurance details. Pediatrics West stated it has implemented additional safeguards and technical security measures to further protect and monitor its IT infrastructure.

Medstar Mobile Healthcare

Medstar Mobile Healthcare, an emergency and nonemergency ambulance service operating in Tarrant County, TX, recently announced that it suffered a cyberattack that potentially compromised patient information. Suspicious network activity was detected on October 20, 2022, and it was later determined that an unauthorized third party had gained access to parts of the network that stored patient data. It could not be determined whether the files were accessed or exfiltrated. Analysis of the files indicated they largely contained only non-financial billing data; however, some individuals also had their full name, date of birth, contact details, and limited medical information exposed. The investigation into the incident is ongoing.

The number of affected individuals stays uncertain.

Mailing Error at The Louis A. Johnson VA Medical Center

The Louis A. Johnson Veterans’ Administration Medical Center in West Virginia has reported a privacy breach involving the PHI of 736 people. A mistake in a mailing to veterans left full Social Security numbers visible on the letters. Affected veterans were notified by mail and offered complimentary credit monitoring services. The VA has also formed a work group to review its mailing processes for potential vulnerabilities, and additional management oversight will be put in place to prevent similar problems in the future.

Florida Primary Care Service Provider Pays $20,000 Penalty for HIPAA Right of Access Violation

The primary care service provider, Health Specialists of Central Florida Inc. (HSCF), based in Orlando, FL paid the HHS’ Office for Civil Rights a $20,000 financial penalty to resolve a HIPAA Right of Access violation.

On November 22, 2019, OCR opened an investigation after receiving a complaint from a woman who had not been provided with a copy of her deceased father’s health records. The initial written request was submitted on August 29, 2019. She provided HSCF with an Authorization for Release of Medical Record Information form together with a photocopy of the original Letters of Administration. After several further requests and about 5 months, HSCF provided all of the requested health records. She received the complete set of records on January 27, 2020.

Under the HIPAA Right of Access, healthcare providers must provide a copy of the requested health records within 30 days of receiving the request. In certain circumstances, a 30-day extension is permitted. OCR determined that the late provision of the requested records violated the HIPAA Right of Access. In addition to paying a $20,000 financial penalty, HSCF agreed to carry out the following corrective action plan:

  • developing, implementing, and maintaining HIPAA Privacy Rule policies and procedures regarding the HIPAA Right of Access
  • distributing those policies and procedures to employees
  • providing training on those policies and procedures.

HSCF will be monitored by OCR for a two-year period starting on the date of the settlement.

A person’s right to access their health data is one of the foundations of HIPAA, and OCR takes it seriously. OCR will continue to ensure that health plans and healthcare providers take compliance with the regulation seriously. The HHS announcement reiterates the value of access to health information and the need for covered entities to implement procedures and train employees so that they are doing all they can to support patients’ access.

OCR began HIPAA Right of Access enforcement in the fall of 2019. Since then, healthcare providers have paid $2,423,650 to settle HIPAA Right of Access violations across 42 enforcement actions. The penalties range from $3,500 to $240,000.

Amazon Ends Support for Third Party HIPAA-Eligible Alexa Skills

Amazon has announced that it will end support for third-party HIPAA-covered skills on its Alexa products, meaning developers will no longer be able to create Alexa skills that collect information protected by the Health Insurance Portability and Accountability Act (HIPAA).

Amazon launched its HIPAA-compliant Alexa functionality in April 2019, with skills for patients of Boston Children’s Hospital, Atrium Health, Cigna, Livongo, Swedish Health Connect, and Express Scripts. The HIPAA compliance support was intended to allow healthcare providers to use Alexa skills that collected HIPAA-protected information and to transmit that data in a HIPAA-compliant manner. That support is now being withdrawn. HIPAA-covered skills are now part of the Alexa Smart Properties for Healthcare business devices, and such skills may only be built with first-party support.

Amazon stated that it regularly reviews its experiences to ensure it is providing services that satisfy its customers, and that it is investing heavily in building healthcare experiences with first- and third-party developers, such as Alexa Smart Properties for Healthcare.

Amazon has sent a letter to all third-party developers advising them that it is ending support for Alexa 3P HIPAA-covered skills this week and has instructed them to remove their HIPAA-covered skills from the skills store. Any skill not removed by its developer will be deleted automatically on December 9, 2022, and use of that skill will be blocked. Any protected health information (PHI) linked to the skill will be erased, and anyone who tries to use a HIPAA-covered skill after it has been blocked will receive a message that the skill is not supported. Amazon has stated that it will not directly notify users of the affected skills that support is ending.

Ending support for third-party HIPAA-covered skills does not mean that Amazon is blocking all healthcare-related Alexa skills. Only Alexa skills that collect PHI will be blocked; any healthcare-related skill that does not collect information covered by HIPAA will not be affected.

Using Tracking Technologies on Websites Without a BAA Violates HIPAA

The HHS’ Office for Civil Rights has issued a bulletin stating that adding third-party tracking technologies to websites, web applications, and mobile apps without a signed business associate agreement (BAA) violates HIPAA if the tracking technology collects and transmits individually identifiable health information. Even with a BAA in place, the use of tracking technology may still violate HIPAA.

The bulletin follows the discovery earlier this year of the widespread use of the Meta Pixel tracking code on hospital websites and the transfer of data, including sensitive patient information, to Meta. An investigation by The Markup and STAT exposed these privacy breaches involving Meta Pixel on the websites of a third of the top 100 U.S. hospitals. In 7 cases, the code had been placed inside password-protected patient portals. The study was limited to the top 100 hospitals, so most likely hundreds of hospitals have used the code and unknowingly transmitted sensitive information to Meta/Facebook without a signed business associate agreement and without patient authorization.

After the report was published, healthcare companies faced a number of lawsuits over these impermissible disclosures. Several plaintiffs said the data they entered on healthcare providers’ websites was transmitted to Meta and used to serve them targeted ads related to their health conditions. The news shocked healthcare companies, prompting investigations and a number of breach notifications; however, despite the widespread use of the tracking code, only a few hospitals and health centers have submitted breach reports and issued notifications to date. The HHS bulletin will probably prompt further breach notifications as organizations learn that the use of Meta Pixel and similar tracking codes may constitute a HIPAA violation.

What are Tracking Technologies?

Tracking technologies are generally snippets of code placed on websites, web applications, and mobile apps to monitor user activity, typically to learn how users interact with the site. The data gathered by these technologies may be analyzed and used to improve the services offered by the websites and apps and to improve the user experience, which benefits patients. Although the code can benefit users because the HIPAA-covered entity gains useful information, there is a significant potential for harm, since the data gathered by these technologies is usually sent to the vendor.

For example, if a female patient booked an appointment on a healthcare provider’s website to discuss a pregnancy-related issue, the tracking technology on the website could transmit that information to the vendor, which could in turn share it with other third parties. That data could be handed to law enforcement or other third parties. Data a person shares on a website or web app may be transmitted to a third party and used for fraud, identity theft, extortion, harassment, or to spread misinformation.

In many cases, these tracking technologies are placed on websites and apps without users’ knowledge, and it is often unclear how any shared data will be used by a vendor and to whom it will be transmitted. Tracking technologies usually rely on cookies and web beacons that allow individuals to be tracked online, enabling the collection of even more data about them to build complete profiles. When tracking code is used in web apps, it can collect device-related data, such as demographic information linked to a unique device identifier, that can identify a user.

Tracking Technologies Should Comply With HIPAA

HIPAA does not prohibit the use of tracking technologies; however, the HIPAA Rules apply when third-party tracking technologies are used:

  • if the tracking technology collects individually identifiable health information covered by HIPAA, the Rules apply when that information is transmitted to a third party, whether the tracking technology vendor or another third party
  • if the tracking technology collects any identifiers, they are classified as protected health information (PHI), since the information links the individual to the regulated entity, showing the person has received or will receive healthcare services or benefits from the covered entity, and relates to the person’s past, present, or future health care or payment for health care.

There is an increased risk of an impermissible PHI disclosure when tracking code is used on patient portals or other web pages that require authentication, since those pages normally provide access to PHI. If tracking code is placed on these pages, it must be configured so that the code uses and discloses PHI only as permitted by the HIPAA Privacy Rule, and that any data collected is protected in accordance with the HIPAA Security Rule. The same applies when tracking technologies are used in a HIPAA-covered entity’s mobile applications that collect and transmit PHI. OCR states that only mobile applications offered by HIPAA-regulated entities are covered by HIPAA; HIPAA does not apply to third-party applications that individuals voluntarily download, even when those applications collect and transmit health data.

The OCR bulletin states that when tracking technologies are used, the code provider, such as Google (Google Analytics) or Meta Platforms (Meta Pixel), is classified as a business associate and must have a business associate agreement (BAA) signed with the HIPAA-covered entity before the code is added to a web page or application. The BAA must set out the vendor’s responsibilities regarding the PHI and define the permitted uses and disclosures of that data. If the vendor has not signed a BAA, any disclosure of PHI to the vendor is impermissible, so the code must not be used, or must be configured so that no PHI is collected or transmitted. OCR also stated that even when a vendor claims it will strip identifiable information before storing or using the transmitted data, a signed BAA is still required, and the disclosure must still be one that the HIPAA Privacy Rule permits.

Other HIPAA violations are possible. Any sharing of PHI with a vendor must be consistent with the entity’s privacy policy and stated in its Notice of Privacy Practices, and merely mentioning the use of tracking technology in a notice of privacy practices is not enough. Beyond a BAA, any disclosure of PHI for a purpose not specifically permitted by the HIPAA Privacy Rule requires a HIPAA authorization from the patient consenting to the sharing of that data. Website banners asking visitors to accept cookies and the use of web tracking technologies do not constitute valid HIPAA authorization.

Actions that HIPAA-Regulated Entities Must Undertake Right Away

HIPAA-covered entities must read the bulletin carefully to ensure they fully understand how HIPAA applies to tracking technologies. They must also evaluate any tracking technologies they have added to their web pages, web applications, or mobile applications to make sure their use is HIPAA compliant. If not already included, website tracking technologies should be added to the HIPAA-covered entity’s risk analysis and risk management processes.

It is important to note that a tracking technology vendor is classified as a business associate under HIPAA even when there is no BAA. Consequently, any disclosures to that vendor are impermissible PHI disclosures when no BAA is in place, and the HIPAA-covered entity may face fines and other sanctions when PHI is sent without a signed BAA.

If the review finds that a HIPAA-regulated entity has used tracking technologies in a non-compliant way, now or in the past, the HIPAA Breach Notification Rule applies: the entity must notify OCR and the individuals whose PHI was impermissibly disclosed.
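The Insulet acknowledgment-page incident above and OCR’s instruction to evaluate tracking technologies come down to the same check: which third-party hosts a page loads, and what the page URL would reveal to them. The following Python audit is an added example, not Insulet’s, OCR’s or any vendor’s code; the sample page, the .test domains, the tracker IDs and the IP address are constructed, and the tracker host list and inline-snippet markers are assumptions that cover only the vendors named in the text.

```python
"""Static audit of an HTML page for third-party tracking resources.

Constructed example; not code from Insulet, OCR, Meta, Google or any vendor.
Lists resources loaded from outside the first-party domain, names well-known
tracking loaders and their inline snippets, and reports the page URL's query
parameters, which such loaders send to the vendor as the page location.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Hostnames of well-known tracking loaders (matched as host suffixes).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager / gtag.js",
}
# Bootstrap calls used by the vendors' inline snippets.
INLINE_MARKERS = {
    "Meta Pixel": re.compile(r"\bfbq\s*\("),
    "Google Analytics": re.compile(r"\b(?:gtag|ga)\s*\("),
}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ThirdPartyResource = namedtuple("ThirdPartyResource", "tag url host vendor")  # vendor "" if unknown

@dataclass
class AuditResult:
    page_url: str
    third_party: list = field(default_factory=list)
    inline_vendors: set = field(default_factory=set)
    query_params: dict = field(default_factory=dict)

    def ip_like_params(self):
        # Query keys whose value is an IPv4 literal, i.e. an identifier.
        return sorted(k for k, v in self.query_params.items() if IPV4_RE.match(v))

    def exposes_identifiers(self):
        # URL parameters plus a tracker to transmit them: the vendor needs a BAA
        # or the tracker must come off the page.
        return bool(self.query_params) and bool(self.third_party or self.inline_vendors)

class _Collector(HTMLParser):
    FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = self.FETCH_ATTRS.get(tag)
        if attr and a.get(attr):
            self.resources.append((tag, a[attr]))
        self._in_inline = tag == "script" and not a.get("src")

    def handle_endtag(self, tag):
        self._in_inline = self._in_inline and tag != "script"

    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)

def registrable_domain(host):
    # Last two labels; a crude stand-in for a public-suffix lookup.
    return ".".join(host.lower().split(".")[-2:])

def vendor_for_host(host):
    h = host.lower()
    return next((n for s, n in KNOWN_TRACKER_HOSTS.items()
                 if h == s or h.endswith("." + s)), "")

def audit_page(page_url, html):
    page = urlparse(page_url)
    first_party = registrable_domain(page.hostname or "")
    collector = _Collector()
    collector.feed(html)
    result = AuditResult(page_url, query_params=dict(parse_qsl(page.query)))
    for tag, ref in collector.resources:
        # Tracker snippets often use protocol-relative URLs ("//host/path").
        parsed = urlparse("https:" + ref if ref.startswith("//") else ref)
        if not parsed.hostname or registrable_domain(parsed.hostname) == first_party:
            continue  # relative or first-party resource
        result.third_party.append(
            ThirdPartyResource(tag, ref, parsed.hostname, vendor_for_host(parsed.hostname)))
    for code in collector.inline:
        result.inline_vendors.update(v for v, m in INLINE_MARKERS.items() if m.search(code))
    return result

# Constructed sample: unique ack link carrying an IP and a device flag; gtag.js and Meta Pixel embedded.
SAMPLE_URL = "https://devices.example-maker.test/ack?ip=203.0.113.7&dash=1"
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
<script>fbq('init','000000000000000');fbq('track','PageView');</script>
</head><body><img src="/static/logo.png">
<img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView">
</body></html>"""
```

Running `audit_page(SAMPLE_URL, SAMPLE_HTML)` reports the two third-party loaders, both inline snippets, and `ip` as an identifier-carrying parameter, so the page needs a BAA with each vendor or the trackers removed before it goes live.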

Breach of CommonSpirit Health Patient Data in October 2022 Cyberattack

CommonSpirit Health has issued an update on its October 2022 ransomware attack and confirmed that the threat actors responsible accessed files containing patient data.

CommonSpirit Health detected the attack on October 2, 2022, and took immediate action to protect its network. The attack disrupted its healthcare services because systems were taken off the internet to limit the impact of the incident. Nevertheless, the incident did not affect patient care, clinic, and associated systems at Virginia Mason Medical Center, Dignity Health, Centura Health and TriHealth facilities. The forensic investigation affirmed that the threat actors accessed its network from September 16, 2022, to October 3, 2022.

CommonSpirit Health has already confirmed that the threat actors acquired access to sections of its network that contain files with the protected health information (PHI) of patients from Franciscan Medical Group and Franciscan Health located in Washington state. Patients that received healthcare services from these hospitals were also affected:

  • St. Anne Hospital (previously Highline Hospital)
  • St. Michael Medical Center (previously Harrison Hospital)
  • St. Anthony Hospital
  • St. Elizabeth Hospital
  • St. Clare Hospital
  • St. Joseph Hospital
  • St. Francis Hospital

Those facilities are now known collectively as Virginia Mason Franciscan Health, an affiliate of CommonSpirit Health.

CommonSpirit Health stated that the affected files included the following data of patients, their family members, and caregivers: names, telephone numbers, dates of birth, addresses, and unique internal patient identifiers. To date, no evidence has been found of attempted or actual misuse of the information stored on its systems.

CommonSpirit Health stated that most of the EHRs throughout the CommonSpirit Health system and its patient portals are back online. The analysis of affected files is still in progress, and the number of affected individuals has not yet been confirmed. CommonSpirit Health has advised patients to review their account statements for accuracy and to report any services or charges they do not recognize to their healthcare provider or insurance company.

District of Massachusetts Rejects Data Breach Lawsuit for Insufficiency of Injury

Class action lawsuits are now routinely filed following healthcare data breaches. Although the theft of sensitive healthcare data can certainly cause a great deal of trouble for a data breach victim, the plaintiffs must allege that they have sustained an injury as a direct consequence of the breach for a lawsuit to survive in court. Last October, the District of Massachusetts dismissed a class action lawsuit against Injured Workers’ Pharmacy, LLC, because the plaintiffs and class members did not demonstrate an injury in fact sufficient to confer Article III standing.

Injured Workers’ Pharmacy is a pharmaceutical home delivery service provider. In May 2021, it discovered that unauthorized individuals had accessed parts of its system and potentially viewed or acquired the personally identifiable information (PII) of over 75,000 of its customers.

The lawsuit, Webb v. Injured Workers’ Pharmacy, LLC, was filed on behalf of Alexsis Webb and Marsclette Charley. It alleged that the pharmacy failed to implement proper data security measures and asserted claims including unjust enrichment and breach of implied contract. Webb and other individuals affected by the breach claimed they had sustained injuries because of the data breach, such as loss of sleep, anxiety, stress, and fear, and had spent considerable time and effort monitoring their financial accounts and protecting themselves against identity theft and fraud. Charley claimed she had spent many hours dealing with the IRS as a result of a fraudulent tax return filed in her name. The plaintiffs additionally claimed that, because their personally identifiable information was available on the dark web, they had suffered harm to and diminution of the value of their PII, which they put at around $1,000.

IWP moved to dismiss the lawsuit for lack of standing, arguing that the plaintiffs had not stated a claim and that the complaint did not allege any concrete and particularized injury that was actual or imminent. The District of Massachusetts, ruling on the factual allegations of the complaint, found that the plaintiffs had not alleged that they sustained any particular harm as a result of the data breach.

The only claimed injury was the substantial time and effort spent monitoring accounts and dealing with the IRS, since there were no allegations of financial loss, misuse of data, or even theft of the plaintiffs’ PII. Although a fraudulent tax return had been filed in Charley’s name, the court found that there was no plausible allegation linking the fraudulent tax return to the data breach. Regarding the claimed diminution in the value of the plaintiffs’ PII, the court stated it was unclear how a decrease in the black market value of PII could injure the plaintiffs.

The Supreme Court had previously held that, in a lawsuit for damages, the mere risk of future injury cannot establish Article III standing, and the District of Massachusetts ruled that “[Plaintiffs] cannot establish standing simply by imposing harm on themselves based upon… theoretical future harm.”

PHI Possibly Exposed in Data Breach at Stern Cardiovascular Foundation, University Medical Center of Southern Nevada, and PrimeCare Medical

The Stern Cardiovascular Foundation (SCF) recently reported that it experienced a data security incident on September 6, 2022, which disrupted parts of its computer systems. The Germantown, TN-based healthcare provider stated that it responded promptly and engaged third-party technical specialists to assist with the response, the mitigation of the attack, and the investigation.

SCF quickly re-established access to all of its computer networks, and no patient services were disrupted. On September 13, 2022, SCF determined that the individuals responsible for the attack first gained access to its networks on September 4, 2022, and retained access until September 6. During that period, they may have accessed and/or exfiltrated information, including the personal and health information of patients and other individuals associated with SCF.

The investigation is ongoing; however, there is no evidence to suggest that the electronic medical record system was accessed. At this point, it has not yet been confirmed how many individuals were affected or exactly which types of data may have been exposed. The breach report submitted to the HHS’ Office for Civil Rights indicated that 501 individuals were affected, a placeholder until the full scope of the breach is confirmed. SCF stated it was working with external cybersecurity specialists to address the attack and strengthen its defenses.

Patients Notified About the University Medical Center of Southern Nevada Insider Data Breach

University Medical Center (UMC) of Southern Nevada recently notified 1,861 patients that a former employee accessed their medical records without a legitimate work reason. UMC discovered the HIPAA breach while reviewing medical record access in September 2022.

The investigation confirmed that the employee accessed patient records in the electronic medical record system from May 19, 2021, to September 22, 2022. The records included demographic, clinical, and insurance data. UMC stated that the individual is no longer employed by UMC and that no evidence was found of copying, misuse, or disclosure of any information. Policies were updated as necessary to prevent similar incidents in the future, and employees received additional training.

PrimeCare Medical Impacted by CorrectCare Integrated Health Data Breach

Pennsylvania-based PrimeCare Medical provides healthcare services to inmates of correctional facilities. It has reported that some of its patients were affected by a breach at its third-party administrator, CorrectCare Integrated Health. A web server misconfiguration exposed two file directories online that contained patient information such as full names, dates of birth, Social Security numbers, DOC IDs, and some health data, such as CPT codes and diagnoses.

PrimeCare Medical detected the exposed files on July 6, 2022, and they were secured within 9 hours. Unauthorized individuals may have accessed the exposed files from January 2022. Third-party specialists were helping CorrectCare strengthen the protection of its systems to keep client data secure.

PrimeCare Medical states that the PHI of 22,254 individuals was compromised. Those individuals received healthcare services between July 1, 2018, and July 7, 2022.

New York Administrative Anesthesiology Services Provider Faces Multiple Class Action Data Breach Lawsuits

A physician-owned company that provides administrative services to anesthesiology practices in New York is facing multiple class action lawsuits over a cyberattack and data breach that affected around 24 entities. The incident led to the exposure and possible theft of the protected health information (PHI) of over 450,000 patients.

The Department of Health and Human Services’ Office for Civil Rights began receiving data breach reports from anesthesiology practices in September 2022. The notification letters sent to patients mentioned that a data breach had occurred at their anesthesia management services provider but did not name the company.

According to the notification letters, the management services provider discovered the cyberattack around July 11, 2022, or July 15, 2022; the affected practices used two letter templates with different dates. The forensic investigation confirmed that the attackers gained access to parts of its systems that held patient PHI, such as names, dates of birth, driver’s license numbers, Social Security numbers, financial account information, health insurance policy numbers, Medicaid/Medicare IDs, medical record numbers, and medical information, including diagnosis and treatment details.

The management company, Somnia Inc., is currently facing around five complaints filed in the U.S. District Court for the Southern District of New York over the data breach. The lawsuits allege that Somnia was negligent in failing to implement appropriate safeguards to protect the confidentiality, integrity, and availability of patient data, that it failed to comply with FTC rules and the HIPAA Regulations, and that it had not adopted industry standards for data security.

Some of the lawsuits also take issue with how the breach was reported, namely the failure to name Somnia Inc. in the notification letters and, in certain cases, the failure to fully disclose exactly what data was exposed. One lawsuit alleged that Somnia Inc. reported the breach as affecting only 1,326 patients, when in fact more than 400,000 individuals were affected, and that Somnia is attempting to escape all accountability for the security breach by using such tactics to hide the identity of the responsible entity and to downplay the seriousness of the data breach.

The lawsuits claim that individuals affected by the breach now face an imminent and increased risk of identity theft and fraud due to Somnia’s negligence, and seek class-action status, damages, injunctive relief, adequate credit monitoring and identity theft protection services, and a court order requiring Somnia to implement better security measures to ensure patient data is adequately protected.

Security Awareness Training Doesn’t Seem to Enhance Password Hygiene

Security awareness training is an important component of any security strategy; nevertheless, one area where it is having minimal impact is improving password hygiene. Employees can be taught what a strong password is and how one should be created, but even when the theory is known it is not being put into practice. Employees may understand the value of good password hygiene, but creating strong, unique passwords for every account is hard, and remembering them all is almost impossible.

Every year, LastPass conducts its Psychology of Passwords survey. This year there were 3,750 professional respondents, who were asked how they create passwords for their personal and work accounts. The survey found a high degree of confidence in current password management practices; however, in many cases that confidence was a false sense of security, because good password hygiene was not always followed.

The greatest disconnect concerned Gen Z, which had the highest level of confidence in their password management practices but the lowest scores for password hygiene. Gen Z participants were the most likely to recognize poor practices, such as reusing passwords across several accounts, yet this age group reused passwords 69% of the time. Overall, 62% of survey participants admitted to almost always or mostly using the same passwords, or variants of them, across their accounts.

The survey revealed that 65% of participants had received some form of cybersecurity awareness training and 79% said that training was good. Overall, 89% of participants said they were aware that reusing a password, or a variant of it, was a security risk, yet only 12% said they use a unique password for every account. When asked about changes to their password practices after receiving security awareness training, only 31% said they changed their habits and stopped reusing passwords across accounts, and only 25% started using a password manager.

Most respondents took a risk-based approach to creating passwords: 69% said they use stronger passwords for financial accounts and 52% said they use more complex passwords for their email accounts. For other accounts, convenience is preferred over security. 35% used stronger passwords for their health data, 32% for social media accounts, 18% for business or online shopping accounts, and 14% for streaming services such as Netflix. 13% of participants said they create passwords the same way regardless of the account. Just 33% of respondents said they use stronger passwords for their work accounts.

One way employers can improve password security is to provide their staff with a password manager. A password manager suggests strong, random, unique passwords, stores them securely in an encrypted vault, and autofills login forms when required, so there is no need to remember passwords. To encourage employees to use a password manager, employers can provide accounts for both work and personal use and emphasize the benefits during security awareness training sessions. The Bitwarden Password Decisions survey released last October found that 71% of respondents would be likely to use a password manager if their employer provided one for personal use; only 5% said they would probably not use it.

This latest research shows that even though approximately 66% of respondents have received some cybersecurity education, it is not being put into practice, for a variety of reasons. If both individuals and businesses used a password manager, accounts could be kept far safer and more secure.

St. Luke’s Health, Tift Regional Health System and Wenco Management Report Data Breach

St. Luke’s Health has notified 16,906 patients that some of their protected health information (PHI) was exposed in a security breach at its consulting services vendor. On November 5, 2021, an unauthorized individual accessed the email accounts of two employees of Adelanto Healthcare Ventures (AHCV).

AHCV investigated the incident and initially determined that no patient data had been exposed; however, a subsequent review revealed that the data of some St. Luke’s Health patients was contained in the email accounts and may have been accessed or obtained by the attackers. The compromised data included names, dates of birth, addresses, Social Security numbers, dates of service, Medicaid numbers, medical record numbers, and some clinical data, such as treatment and diagnosis codes. AHCV notified St. Luke’s Health of the breach on September 1, 2022.

According to the breach notification letters posted on the St. Luke’s Health website, no reports have been received of misuse of any patient data; nevertheless, as a precaution, AHCV is providing affected individuals with free identity theft and credit monitoring services.

St. Luke’s Health is still recovering from the ransomware attack on its parent company, CommonSpirit Health, over a month ago. CommonSpirit Health is still dealing with disruption to its operations as a result of the attack; however, the MyChart patient portal has been restored and access to patients’ electronic health records is available again.

Cyberattack and Data Breach at Tift Regional Health System

Tift Regional Health System (TRHS) in Tifton, GA, recently reported that its systems were compromised and that the attackers may have accessed and stolen some patients’ PHI. The unauthorized network access occurred around August 16, 2022. Immediate action was taken to secure its systems, and TRHS launched an investigation to determine the nature and scope of the attack.

TRHS said that although no files on its systems were encrypted, no access to its electronic medical record system was reported. Still, the forensic investigation could not rule out unauthorized access to and theft of patient data files. The files on the affected part of the network contained the following types of information: patient ID numbers, Social Security numbers, driver’s license numbers, medical information, treatment information, diagnosis information, health insurance details, and dates of birth.

TRHS said it is reviewing its current cybersecurity policies and procedures, and additional security measures are being evaluated to prevent similar incidents in the future. The breach report submitted to the HHS’ Office for Civil Rights indicated that 500 individuals were affected; that number is often used as a placeholder until the full scope of a breach is known.

Health and Welfare Benefit Plan Member Data Exposed Due to Wenco Management Breach

The PHI of 20,526 employees of Wenco Management, LLC, which manages Wendy’s fast-food restaurants, was compromised and possibly stolen by unauthorized individuals. The affected employees were members of its Health and Welfare Benefit Plan.

Wenco Management discovered the breach on August 21, 2022. After securing its systems, it launched a forensic investigation to determine the nature and scope of the breach, which confirmed that an unauthorized individual gained access to its network and may have viewed and stolen employee files containing names, plan selection information, and Social Security numbers. The breach occurred on the same day Wenco Management discovered and blocked it. Affected individuals have been offered free credit monitoring services, and Wenco Management said it is improving the security of its systems to prevent further data breaches.


Data Breaches at CorrectCare Integrated Health and Regions Hospital

CorrectCare Integrated Health, a medical claims processor, recently notified its clients that the protected health information (PHI) of some patients had been accidentally exposed online and may have been accessed by unauthorized individuals. On July 6, 2022, CorrectCare discovered that two file directories on its web server were misconfigured and could be accessed by anyone on the internet without authentication.

The data breach affected patients served by Health Net Federal Services (HNFS) in California and Mediko, Inc. in Virginia. HNFS is a business associate of the California Department of Corrections and Rehabilitation (CDCR) / California Correctional Health Care Services (CCHCS), while Mediko is Virginia’s largest provider of medical care to individuals in correctional facilities. Approximately 80,000 individuals incarcerated in facilities run by the Louisiana Department of Public Safety and Corrections were also affected by the data breach.

CorrectCare said it secured the web server 9 hours after discovering the misconfiguration. The forensic investigation confirmed that the files had been exposed since January 22, 2022. The data of individuals treated between January 1, 2012, and July 7, 2022, was exposed.

The exposed file directories contained names, dates of birth, inmate numbers, and some health information, such as CPT codes, diagnosis codes, treatment providers, and dates of treatment, as well as the Social Security numbers of some individuals.

Hacking Incident at Regions Hospital

Regions Hospital in St. Paul, MN, recently reported that unauthorized individuals gained access to the PHI of 978 patients. It is believed that the attacker’s objective in accessing its systems was not to steal patient information but to steal payments from a health insurance provider.

Nevertheless, because a file containing patient data, including first and last names and Social Security numbers, was viewed on the network, Regions Hospital decided to notify the affected individuals by mail and offered them 12 months of membership in an identity theft protection service.