New Framework for Evaluating the Privacy, Security, and Safety of Digital Health Technologies

The American Telemedicine Association (ATA), the Organization for the Review of Care and Health Applications (ORCHA), and the American College of Physicians (ACP) have partnered to create a new framework for evaluating digital health technologies used by healthcare professionals and patients.

Presently, over 86 million Americans use a fitness or health app. These digital health technologies, including more than 365,000 individual products, can collect, store, process, and transmit personal and health information that would be categorized as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA); nevertheless, most of these technologies are not covered by HIPAA, and they are not covered by other rules, federal laws, or government guidance either. The absence of guidance in this area hinders the adoption of digital health technologies, which have incredible potential for improving condition management, clinical risk evaluation, and decision support.

The developers of digital health technologies frequently share user information collected by their products and apps with third parties but do not always disclose their data-sharing practices to consumers, and their privacy policies are often far from transparent. The use of these applications and technologies can place user privacy at risk. The technologies may additionally lack proper security controls and may be susceptible to cyberattacks that can expose sensitive user information.

The Digital Health Assessment Framework is meant to be an open system that anybody may access and use, to help drive the adoption of high-quality digital health technologies and guide healthcare professionals and patients in making better choices about which digital health solutions best match their needs, as explained by the ATA in a press release.

The framework consists of elements that healthcare professionals and consumers can use to evaluate data and privacy, clinical assurance and safety, usability and accessibility, and technical security and stability, and was created to support U.S. rules, regulations, and protocols for digital health practices.

Digital health technologies can provide safe, effective, and engaging access to personalized health and support, provide more convenient care, increase patient and healthcare provider satisfaction, and achieve better clinical outcomes. Ann Mond Johnson, the ATA CEO, further mentioned that there are hundreds of health apps and devices for patients and physicians to select from, and that the objective is to build confidence that the health and wellness resources examined under this Framework meet quality, privacy, and clinical assurance requirements in the U.S.

ACP is performing a pilot study of health applications that will be evaluated against the framework to produce an extensive collection of acceptable digital health solutions. The framework will be updated regularly based on feedback from digital health technology firms, healthcare professionals, consumers, and other stakeholders to reflect changes in clinical practice, the most recent guidelines and recommendations, and best practices.

HHS Information Security Program ‘Not Effective’ According to Audit

The Department of Health and Human Services performed an audit for the HHS’ Office of Inspector General (OIG) to evaluate adherence to the Federal Information Security Modernization Act of 2014 (FISMA) for the 2021 fiscal year. The security program of the agency was rated ‘not effective’, as it was in fiscal years 2018, 2019, and 2020. Five of the 12 operating divisions of the HHS were audited, though OIG did not say which five divisions were selected.

To be given an effective rating, the HHS needs to reach the ‘Managed and Measurable’ maturity level for the function areas of Identify, Protect, Detect, Respond, and Recover. This is required by the FY 2021 Inspector General FISMA Reporting Metrics and DHS guidance.

The OIG report states that the HHS is still making adjustments to improve the maturity of its department-wide cybersecurity program and that it is working towards more sustainable cybersecurity in all FISMA domains.

The HHS security program strengthened the maturity of controls for a number of FISMA metrics, though there was no progress in certain areas because Information Security Continuous Monitoring (ISCM) efforts have not been fully implemented across its operating divisions. This is crucial, as reliable information and metrics are needed in order to make good risk management decisions.

The HHS has partially implemented its Continuous Diagnostics and Mitigation (CDM) program, which has improved visibility into certain assets, and awareness of vulnerabilities and threat data has improved through the use of RSA Archer and Splunk. Progress has been made toward implementing a complete department-wide CDM program to ensure continuous monitoring of HHS networks and systems, give an accurate report of the status of operating divisions, and advance to managing and enforcing methods that reduce risk, prioritize concerns using tested risk criteria, and improve its cybersecurity response functions.

The HHS has improved its deployment of CDM tools and procedures but does not have a specific timetable for fully implementing the CDM program across all operating divisions. Until the HHS fully implements its CDM program, it cannot identify cybersecurity risks on a continuous basis, prioritize efforts to deal with risks according to their probable impact, and mitigate the most serious vulnerabilities first.

OIG has made a number of recommendations for improving the maturity of the HHS information security program. The HHS should continue implementing an automated CDM solution to have centralized, department-wide oversight of risks across HHS. The ISCM strategy should be updated to provide a more accurate roadmap, with specific target dates for ISCM deployment across the HHS operating divisions. An enterprise risk assessment of identified control weaknesses should be performed and an appropriate risk response documented, and the HHS should create a process to track information system contingency plans to make sure they are created, maintained, and integrated with other continuity requirements for IT systems.

The HHS agreed with all the recommendations of OIG.

WEDI Gives Healthcare-Specific Advice for Enhancing the NIST Cybersecurity Framework

The Workgroup for Electronic Data Interchange (WEDI) has responded to the request for information from the National Institute of Standards and Technology (NIST) and has produced a number of recommendations for improving the NIST Cybersecurity Framework and supply chain risk management guidance to help healthcare organizations address some of the most pressing threats facing the industry.

Ransomware is considered one of the major threats affecting the healthcare sector, and that will probably not change in the near future. To help healthcare organizations manage the risk, WEDI has advised NIST to give attention to ransomware and address it specifically in the Cybersecurity Framework. NIST released a new ransomware resource in February 2022, which includes important guidance on preventing, detecting, responding to, and recovering from ransomware attacks. WEDI believes that incorporating ransomware into the framework will increase the reach and impact of that resource.

WEDI has additionally recommended adding specific case studies of healthcare organizations that have experienced a ransomware attack, updating the framework to identify contingency planning techniques appropriate to the type of healthcare organization, and providing guidance that emphasizes contingency preparation, setup, and recovery. Ransomware attacks on healthcare organizations carry risks that do not apply to other entities. More information in this area would be of great benefit to healthcare organizations and could help reduce disruption and patient safety concerns.

Healthcare organizations are creating patient access Application Programming Interfaces (APIs) and applications (apps) that are covered by HIPAA, and are consequently required to implement safeguards to ensure the privacy and security of any healthcare information they hold; however, WEDI has drawn attention to the absence of strong privacy requirements applicable to third-party health applications that are not covered by HIPAA. WEDI states there is a need for a national security framework to ensure that medical information acquired by third-party applications is subject to appropriate privacy and security standards.

The number of threats and vulnerabilities affecting mobile and implantable healthcare devices has grown at an extraordinary rate lately, and those dangers will probably grow significantly in the coming years. WEDI has advised NIST to address cybersecurity problems associated with these devices specifically in the framework and, in addition, to tackle the problem of insider threats. Numerous healthcare data breaches are the result of insider threats, including lost electronic devices, social engineering, and phishing attacks. WEDI believes these issues, along with security awareness training, should be addressed in the framework.

WEDI has additionally recommended that NIST create a version of its framework directed at smaller healthcare organizations, which do not have the resources to stay up to date on the latest security developments and implement the latest security measures and protocols. A framework version more targeted at the threats faced by smaller organizations would be very beneficial and should consist of practical, proactive actions that small healthcare organizations can take to mitigate risks.

Data Breaches Reported by Smile Brands (Ransomware Attack), ARcare and Onehome Health Solutions

Smile Brands, based in Irvine, CA, provides support services for dental offices. It recently provided an update on the number of people affected by a ransomware attack that was identified on April 24, 2021. The attackers gained access to areas of its network on April 23, 2021, that stored files containing the protected health information (PHI) of individuals, including names, telephone numbers, addresses, birth dates, Social Security numbers, financial data, government-issued ID numbers, and health information.

The breach report was initially submitted to the HHS’ Office for Civil Rights in June 2021 as affecting 1,200 victims, but the report was afterward corrected to state that as many as 199,683 persons were impacted. However, in the most recent notification to the Maine attorney general, the breach was reported as impacting around 2,592,494 individuals. The preliminary notice to the Maine attorney general was sent on October 8, 2021.

Smile Brands stated that affected persons were provided a complimentary 12-month membership to a credit monitoring service, which includes identity theft assistance services and coverage under a $1 million identity theft insurance policy.

Malware May Have Given Hackers Access to ARcare Patient Information

ARcare, a provider of primary care and behavioral health services in Kentucky, Arkansas, and Mississippi, has reported that patient information was possibly accessed by unauthorized people in a cyberattack that was identified on February 24, 2022. Malware found on its systems caused a temporary disruption of its services. ARcare took immediate action to stop continuing unauthorized access and launched an investigation to determine the nature and scope of the incident.

The investigation confirmed on March 14, 2022, that the hackers may have accessed sensitive data from January 18, 2022 to February 24, 2022. An analysis of the impacted records was completed on April 4, 2022, and established that they included names, driver’s license or state ID numbers, Social Security numbers, dates of birth, financial account details, medical treatment data, prescription details, medical diagnosis or condition details, and medical insurance information.

Although data was exposed, no evidence was found suggesting actual or attempted misuse of patient information. ARcare said it has revised its policies and procedures related to data protection and security and mailed notification letters to affected persons on April 25, 2022.

The incident is not yet posted on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many people were impacted.

Theft of Unencrypted Laptops from the Home of Onehome Health Solutions Employee

Two unencrypted laptop computers were stolen from the home of a Onehome Health Solutions employee. The healthcare provider, based in Miramar, FL, discovered the theft on March 3, 2021, and reported the incident to law enforcement.

A forensic investigation confirmed that the laptop computers stored the PHI of approximately 15,401 patients, including names, addresses, telephone numbers, health data, medical insurance data, and the last four digits of Social Security numbers.

Onehome stated that all impacted persons were notified of the compromise of their data, and free identity theft protection services were provided to people whose Social Security numbers were partially exposed.

Solara Medical Supplies Offers to Pay $5 Million to Resolve Class Action Data Breach Lawsuit

A California federal court recently granted preliminary approval to a settlement resolving a consolidated class action lawsuit against Solara Medical Supplies.

Solara Medical Supplies, based in Chula Vista, California, is a direct-to-consumer company selling medical devices and disposable medical supplies, and is also a registered pharmacy. Solara Medical discovered suspicious activity in an employee’s email account on June 28, 2019. The subsequent investigation confirmed that unauthorized individuals had gained access to several Office 365 email accounts from April 2, 2019 to June 20, 2019, after staff members responded to phishing emails.

Based on the forensic investigation, the sensitive data of 114,007 customers was compromised and possibly stolen, including names, birth dates, driver’s license numbers, Social Security numbers, medical insurance data, and financial details. Impacted patients received one year of free credit monitoring and identity theft protection services.

Four class-action lawsuits had been filed on behalf of the impacted clients, and those cases were consolidated into one lawsuit. Solara Medical offered the settlement to resolve the lawsuit and avoid ongoing legal expenses; it did not admit any wrongdoing. The settlement terminates the lawsuit with prejudice and does not signify any admission of wrongdoing, fault, or liability.

Under the terms of the settlement, Solara Medical has agreed to pay $5,060,000 to resolve the plaintiffs’ and class members’ claims and will take the necessary steps to improve data security to prevent further breaches. The six plaintiffs who filed the lawsuits will each receive $4,000 as compensation, and all class members who submit timely claims will receive $100, plus a pro-rata payment of approximately $1,000 if funds remain after the $100 cash payments are made. The settlement amount includes $2.3 million in attorneys’ fees. Any remaining funds will be donated to the Juvenile Diabetes Research Foundation.

Over the following two years, Solara Medical will undergo recurring SOC 2 Type 2 audits until one is passed, have a third party conduct a HIPAA IT assessment, carry out at least one cybersecurity incident response test per year, and undergo third-party phishing and external-facing vulnerability tests at least twice a year. Solara Medical will additionally deploy a security information and event management (SIEM) tool with a 400-day lookback on activity logs. Enhanced versions of these remedial actions, or comparable measures based on new industry standards, will be maintained for the following three years.

Over 510,000 Individuals Affected by Adaptive Health Integrations Data Breach

Adaptive Health Integrations recently reported a data breach to the Department of Health and Human Services’ Office for Civil Rights (OCR) that affected the protected health information (PHI) of 510,574 individuals.

Adaptive Health Integrations, based in Williston, North Dakota, provides LIS software services and billing/revenue services to labs, physician offices, and other healthcare organizations. A copy of the notification letters posted on the Montana Attorney General website says that Adaptive Health Integrations recently discovered that an unauthorized person had gained access to its systems on or about October 17, 2021, and potentially accessed some information stored on its network.

The letters state that upon discovery of the unauthorized access, the company immediately contained the threat and launched an investigation. A detailed audit of the affected files was performed, and that process concluded on February 23, 2022. According to the notification letters, free credit monitoring, fraud consultation, and identity theft restoration services are being provided through Kroll for one year.

The notification letters did not give any details about who Adaptive Health Integrations is or why it holds the PHI of individuals. Some people who received a notification letter have posted online asking about the genuineness of the letters, which were printed on plain paper with a copied image of the company logo. After looking at the company website, some have suggested the letters may be a scam.

A Google search for the company leads to a two-page website with a placeholder contact page containing dummy text. At the time the notifications were sent, the company website made no mention of a data breach.

The law firm Migliaccio & Rathod LLP states it is investigating the data breach at Adaptive Health Integrations.

Email Account Breaches Announced by Newman Regional Health and Contra Costa County

Newman Regional Health (NRH), based in Emporia, KS, which operates a 25-bed critical access hospital, has recently started notifying 52,224 people that unauthorized individuals gained access to some employee email accounts containing protected health information (PHI).

NRH stated on its website that unauthorized persons accessed a few employee email accounts over a period of 10 months in 2021, between January 26, 2021 and November 23, 2021. Upon detection of the security breach, quick action was taken to secure the email accounts, and NRH launched an investigation to determine the nature and extent of the incident.

NRH stated that a review of the email messages in the compromised accounts confirmed on March 14, 2022 the compromise of the following types of patient information: names, dates of birth, e-mail addresses, addresses, medical record/ID numbers, phone numbers, and certain health, treatment, or insurance details. Some of the compromised information related to individuals’ receipt of services from, or employment with, NRH. A few individuals also had their financial details or Social Security numbers exposed.

The types of patient data exposed varied from person to person, and no evidence of fraudulent activity resulting from the breach had been identified at the time the notification letters were issued. NRH said it has put additional measures in place to strengthen security.

Contra Costa County Reports Email Account Security Breach

Contra Costa County in California has reported a breach of staff email accounts and the compromise of sensitive personal data. The forensic investigation of the incident revealed that unauthorized persons had access to employee email accounts from June 24, 2021 to August 12, 2021.

According to the substitute breach notice on the Contra Costa County website, the email accounts contained information on employees and people who had previously been in contact with the County’s Employment and Human Services Department. The types of information exposed included names, Social Security numbers, state-issued ID numbers, driver’s license numbers, passport numbers, financial account numbers, health data, and/or medical insurance details.

Even though unauthorized email account access was confirmed, it was not possible to determine whether any email messages or file attachments in the accounts were accessed or exfiltrated. It is unclear when the breach was discovered; however, Contra Costa County stated that the breach investigation concluded on March 11, 2022, and notification letters were mailed to impacted individuals on April 15, 2022. Free credit monitoring services were offered to eligible persons.

The breach is not yet posted on the HHS’ Office for Civil Rights breach portal, so it is unclear how many persons were impacted.

PHI Breach at Urgent Team Holdings, The Guidance Center and MetroHealth

Urgent Team Holdings Reports Breach of the PHI of 166,600 People

Urgent Team Holdings, which operates more than 70 urgent care and walk-in facilities in Alabama, Arkansas, Georgia, Tennessee, and Mississippi, has recently notified 166,601 patients that unauthorized individuals potentially obtained some of their protected health information (PHI) in a November 2021 cyberattack.

Urgent Team stated it determined that the compromise of its network occurred from November 12, 2021 to November 18, 2021. Assisted by third-party cybersecurity specialists, Urgent Team found that the files potentially exfiltrated from its systems contained the PHI of patients. An extensive analysis of the files was completed on January 31, 2022, and confirmed that they included patients’ full names, medical record numbers, and birth dates.

Although data theft may have occurred, no evidence of data exfiltration was identified, and no reports of misuse of patient data have been received. To improve security, Urgent Team has implemented multi-factor authentication and added further layers of security to its networks to reduce the risk of unauthorized access. A new antivirus solution was also deployed, which generates alerts on attempted unauthorized access to its systems.

Email Account Breach at The Guidance Center

The Guidance Center, Inc. has recently discovered that unauthorized people gained access to some employees’ email accounts for a short period. When the breach was discovered, the email accounts were promptly secured, and an investigation was launched to determine the nature and scope of the incident.

Third-party cybersecurity experts assisted with the investigation to confirm the security of its computer networks, and additional security measures have since been implemented to prevent further attacks. A review of the affected email accounts revealed that they contained patients’ protected health information. The types of compromised information varied from individual to individual and may have included names along with one or more of the following data elements: medical treatment or diagnosis data, patient record numbers, and/or health insurance details.

The Guidance Center has already submitted the breach report to the HHS’ Office for Civil Rights as affecting 23,104 persons. Complimentary identity protection and credit monitoring services were offered to certain individuals, depending on the types of information that were breached.

MetroHealth Announces Compromise of 1,700 Patients’ PHI

MetroHealth System, located in Cleveland, OH, has notified roughly 1,700 patients about the impermissible disclosure of some of their PHI to other patients because of an error that occurred during the upgrade of its electronic health record (EHR) system.

A misconfiguration meant that whenever patient records were generated to be provided to patients, information pertaining to other individuals was inadvertently included in the records, such as patient names, visit data, and the healthcare providers they saw. No other personal, financial, or medical data was affected.

The EHR vendor discovered the issue and notified MetroHealth of the data breach on February 10, 2022. Notification letters were sent to impacted individuals on April 11.

Resources for Human Development, WellStar Health and Central Vermont Eye Care Announce Data Breaches

Resources for Human Development Reports Breach Affecting 46,673 People

Resources for Human Development (RHD), a national human services nonprofit organization based in Philadelphia, PA, has recently announced the theft of a hard drive containing the protected health information (PHI) of 46,673 people. The theft occurred on or around January 27, 2022, and was discovered by RHD on February 16, 2022.

The hard drive was used for its Point-to-Point program in Exton, PA, and contained information such as names, driver’s license numbers, Social Security numbers, financial account data, payment card details, birth dates, prescription details, diagnosis data, treatment details, treatment providers, health insurance data, medical details, Medicare/Medicaid ID numbers, employer identification numbers, electronic signatures, and usernames and passwords of clients and employees.

RHD stated that forensics experts investigated the scope of the breach and confirmed the security of its offices and computer servers. Employees also received training on best practices for safeguarding confidential data.

Email Breach at Wellstar Health

Wellstar Health, based in Atlanta, GA, has recently confirmed that unauthorized people accessed employee email accounts, potentially obtaining patient data. Wellstar Health learned of the security incident on February 7, 2022, and a forensic investigation confirmed that the breach affected only two email accounts. No other systems were affected by the breach.

The email accounts were determined to have been breached from December 6, 2021, to January 3, 2022. Upon identification of the breach, the email accounts were quickly deactivated and secured. A review of the accounts confirmed that they contained PHI such as patient names, internal account numbers, medical record numbers, and laboratory details. No evidence was found to indicate that any patient data was misused.

It is currently unclear how many patients were impacted.

Central Vermont Eye Care Hacking Incident Affects 30,000 Patients

The ophthalmology practice Central Vermont Eye Care, located in Rutland, VT, recently reported a hacking incident. The exact nature of the incident is not clear at this time; nevertheless, it was confirmed that unauthorized persons may have gained access to the PHI of as many as 30,000 patients. Notification letters were mailed to those persons on April 6, 2022.

OCR Wants Feedback on Recognized Security Practices and the Distribution of HIPAA Settlements with Victims

The Department of Health and Human Services’ Office for Civil Rights has published a Request for Information (RFI) related to two specific provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

Under the 2021 amendments made to the HITECH Act by the HIPAA Safe Harbor Act, the HHS must take into account the security practices that HIPAA-regulated entities had in place when deciding whether to impose financial penalties and other remedies for potential HIPAA violations identified in the course of investigations and audits.

The goal of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to adopt cybersecurity best practices. The incentive for organizations that have implemented industry-standard security practices for one year before a data breach occurs is reduced financial penalties for security breaches and less scrutiny from the HHS.

Another provision, which dates back to the time the HITECH Act was signed into law, requires the HHS to share a portion of the civil monetary penalties (CMPs) and settlement payments with people who were harmed by the violations for which the penalties were imposed. The HITECH Act requires the HHS to establish a methodology for determining the appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the resulting harm.

At the beginning of this year, Lisa J. Pino, the newly appointed Director of the HHS’ Office for Civil Rights (OCR), confirmed that these two provisions of the HITECH Act would be addressed this year. Yesterday, OCR published the RFI in the Federal Register requesting public comment on these two provisions of the HITECH Act.

Specifically, OCR is seeking comments on what constitutes “Recognized Security Practices,” the recognized security practices that HIPAA-regulated entities are implementing to secure electronic protected health information (ePHI), and how those entities can adequately demonstrate that recognized security practices have been implemented. OCR would additionally like to hear about any implementation issues that those entities would like OCR to clarify, either through additional rulemaking or guidance, and recommendations on which action should trigger the start of the 12-month look-back period, as that is not specified in the HIPAA Safe Harbor Act.

One of the primary concerns with the requirement to share CMPs and settlements with impacted persons is that the HITECH Act does not define harm. OCR wants feedback on the kinds of “harms” that should be considered when distributing a percentage of CMPs and settlements, and recommendations on possible methods for sharing and distributing funds to harmed persons.

This request for information has long been anticipated, and feedback from the public and affected industry is welcome. People who are historically underserved, marginalized, or vulnerable to discrimination or systemic disadvantage are especially encouraged to respond to this RFI, so that their interests will be taken into consideration in later rulemaking and guidance.

To be considered, responses must be submitted to OCR by June 6, 2022.

The Protecting and Transforming Cyber Health Care (PATCH) Act Presented to Enhance Medical Device Cybersecurity

Two senators have introduced the bipartisan Protecting and Transforming Cyber Health Care (PATCH) Act, which aims to strengthen the security of medical devices.

Vulnerabilities are frequently found in medical devices that could be exploited by threat actors to alter the functioning of the devices, render them inoperable, or use the devices as a foothold for broader attacks on healthcare systems. Throughout the pandemic, there was a spike in cyberattacks on healthcare organizations, and medical devices and the systems to which they connect were affected by ransomware attacks. These cyberattacks have impacted patients, hospitals, and the medical device market.

U.S. Senators Tammy Baldwin (D-WI) and Bill Cassidy, M.D. (R-LA) introduced the PATCH Act to ensure that the cyber infrastructure of the American healthcare system remains safe and secure. The PATCH Act would amend the Federal Food, Drug, and Cosmetic Act to require all premarket submissions for medical devices to include information on the cybersecurity measures that have been applied.

If passed, the Food and Drug Administration (FDA) would only be able to approve a medical device for use once the manufacturer has ensured that critical cybersecurity requirements have been built in. The PATCH Act additionally requires medical device manufacturers to design, develop, and maintain processes and procedures to update and patch the devices and associated systems throughout the lifecycle of the device. A Software Bill of Materials for every device would also have to be provided to end users, which would make it easier to identify vulnerabilities affecting the devices, such as vulnerabilities in open source components and dependencies.

The PATCH Act also requires medical device manufacturers to establish a plan for monitoring, identifying, and addressing post-market cybersecurity vulnerabilities, and a Coordinated Vulnerability Disclosure program will be required to demonstrate the safety and effectiveness of a device.

New medical technologies offer great potential to enhance the health and quality of life, stated Dr. Cassidy. If Americans are unable to depend on the protection of their personal data, this potential won’t be achieved.

With the PATCH Act, modern medical technologies are better secured from cyber threats and personal health information is safe while seeking new ways to enhance care at the same time.

Reps. Michael C. Burgess (R-TX) and Angie Craig (D-MN) presented a companion bill in the House of Representatives.

Data Breaches at CSI Laboratories and Christie Clinic; Scripps Health Issues More Notification Letters

Conti Ransomware Gang Says It is Responsible for CSI Laboratories Cyberattack

Cytometry Specialists, Inc., also known as CSI Laboratories, in Alpharetta, GA, has recently reported that it experienced a cyberattack that was discovered on February 12, 2022. An investigation established that files containing some patient information were copied from its systems; for the most part these contained patient names and the case numbers used to identify patients. However, addresses, birth dates, medical record numbers, and health insurance information were also included for a number of patients.

CSI Laboratories stated in its website notice that at this stage of the investigation there is no indication of any misuse of patient records. Although CSI Laboratories did not disclose the nature of the attack, the Conti ransomware group has claimed responsibility for it and has posted a sample of the stolen data on its data leak site. CSI Laboratories stated it has already restored its systems and is monitoring its network closely for abnormal activity. No statement was made about payment of any ransom demand.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is not yet known how many people were affected.

Email Account Breach Announced by Christie Clinic

Christie Business Holdings Company, P.C., dba Christie Clinic, has recently reported that it had a security incident involving the email account of an employee. The firm’s breach notice did not state when the breach was discovered, but the forensic investigation confirmed on January 27, 2022, that an unauthorized person had accessed the email account between July 14, 2021 and August 19, 2021.

Christie Clinic stated the purpose of the attack appeared to be to intercept a business transaction between the company and a third-party vendor, rather than to obtain sensitive data from the email account; however, it was not possible to determine to what extent emails in the account were viewed. Christie Clinic said the investigation confirmed that the breach affected only one email account. No other systems or accounts were affected. On March 10, 2022, the review of the information in the account showed that the emails contained protected health information (PHI) such as names, Social Security numbers, addresses, health data, and medical insurance details. Notification letters were sent to affected individuals on March 24, 2022.

Christie Clinic stated it currently uses industry-leading network security tools, conducts regular training on data security and privacy, and has implemented additional security measures.

Scripps Health Issues More Notification Letters Regarding 2021 Ransomware Attack

On June 1, 2021, San Diego-based Scripps Health notified the HHS’ Office for Civil Rights of a ransomware attack that resulted in the potential compromise of the PHI of 147,267 patients. Hackers had access to its systems from April 26, 2021 to May 1, 2021, and likely copied files containing patient information. The attack led to class action lawsuits, and the healthcare company lost over 113 million as a result.

About a year after the breach of its network, a patient contacted NBC 7. The patient had received a notification letter dated March 15, 2021, telling her about the potential compromise of her PHI in the attack, which included her name, address, birth date, medical insurance data, patient account number, medical record number, and clinical data such as diagnosis or treatment details. The patient had not previously received any notification about the ransomware attack.

NBC 7 contacted Scripps Health, which confirmed that the manual document review had only just been completed and that additional patient information was found to have been potentially compromised in the attack, but did not say how many more patients were affected.

OCR Announced Financial Penalties for Violations of HIPAA Right of Access

Dental Practitioner Fined $30,000 for Noncompliance with the HIPAA Right of Access

OCR investigated Dr. Donald Brockley, D.D.M, a solo dental practitioner based in Butler, PA, following a complaint from a patient who did not receive a copy of the requested health records within the time frame set by the HIPAA Privacy Rule. OCR determined that Dr. Brockley had violated the HIPAA Right of Access and, in a letter dated August 27, 2019, gave him the opportunity to submit written evidence of any mitigating factors. No response was received.

OCR then notified Dr. Brockley of its intent to impose a $104,000 financial penalty, and Dr. Brockley requested a hearing before an Administrative Law Judge to contest the penalty. On October 8, 2021, the parties filed a joint motion to stay proceedings for 60 days, during which they reached an agreement and the case was settled.

Dr. Brockley agreed to settle the case by paying a $30,000 financial penalty and implementing a corrective action plan that involved updating guidelines and procedures to make sure to comply with the HIPAA Right of Access.

California Psychiatric Medical Services Pays $28,000 Financial Penalty to Resolve HIPAA Right of Access Case

OCR investigated Jacob & Associates, a provider of psychiatric medical services in California, following a complaint from a patient who stated that Jacob & Associates had failed to provide a copy of her medical records, which she had requested on July 1, 2018. The complainant stated that she had made the same request every July 1 since 2013, but the requested records were never provided.

After filing the complaint with OCR, the patient resubmitted her records request. A complete copy of the requested health records was provided by email on May 16, 2019. However, before receiving those records she had to visit the practice in person to fill out a records access form. She was also charged $25 for the copy, and initially received only a partial, one-page copy and had to submit another request to obtain her complete records.

OCR determined that Jacob & Associates had violated the HIPAA Right of Access by failing to provide timely access to the patient’s health records, had charged the patient a fee that was not cost-based, and lacked policies and procedures covering the right of patients to access their protected health information (PHI).

During the investigation, OCR also found that Jacob & Associates had no designated HIPAA Privacy Officer and that its notice of privacy practices lacked the required content. The case was settled when Jacob & Associates paid $28,000 and agreed to implement a corrective action plan to address all areas of non-compliance.

Arkansas AG Filed Legal Action Against Eastern Ozarks Regional Health for Patient Data Breach

Arkansas Attorney General Leslie Rutledge has announced a lawsuit against Country Medical Services Inc. for mishandling the sensitive personal data and protected health information (PHI) of a large number of individuals. Country Medical Services is the former operator of Eastern Ozarks Regional Health System in Cherokee Village. The company’s owners were Robert Becht of Hartsville, TN, and Theresa Hanson of Deland, FL.

The 40-bed Eastern Ozarks Regional Health hospital was permanently closed in December 2004. Country Medical Services had operated the hospital for 9 years, but an investigation by the state Department of Health identified about 3 dozen potential Emergency Medical Treatment and Labor Act violations because the hospital could not deliver emergency services. In 2004, rather than face financial penalties, the hospital promptly surrendered its hospital license.

Six years later, the property was forfeited to the state because the owners had not paid the taxes. The Attorney General’s office inspected the property and found boxes of documents containing sensitive personal information. Unauthorized persons had gained access to the property, and files kept in the facility appeared to have been searched, possibly by people looking for sensitive personal information. It is currently unknown how many former patients’ sensitive data were compromised and possibly stolen. Files left unsecured at the facility contained a range of sensitive employee and patient data, including names, contact details, driver’s license numbers, Social Security numbers, financial account data, medical data, and biometric information.

According to the lawsuit, which was filed in Sharp County Circuit Court, the investigation found no evidence that the hospital had taken any reasonable steps to permanently destroy or protect the sensitive documents. Failing to protect the confidentiality of patient information violates the Health Insurance Portability and Accountability Act (HIPAA); however, as is usually the case, the legal action is being brought for violations of comparable state laws. The lawsuit alleges that the defendants violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act (PIPA). Country Medical Services and its owners therefore face civil penalties of up to $10,000 per violation of the ADTPA and PIPA.

People must be able to trust their healthcare providers and employers to secure their personal data. Eastern Ozarks Regional Health System betrayed that trust and left patients and employees vulnerable to fraud and identity theft, so the hospital and its owners must be held accountable.

80K Records Breached at Central Indiana Orthopedics & Duncan Regional Hospital

Duncan Regional Hospital in Oklahoma and Central Indiana Orthopedics have reported cyberattacks that affected a combined total of 170,084 individuals.

Duncan Regional Hospital

Duncan Regional Hospital has recently reported that it suffered a cyberattack in January. It discovered the incident on January 20, 2022, because of suspicious activity observed in certain parts of its IT systems. The IT team immediately took all systems offline to prevent continued unauthorized access. A third-party computer forensics firm investigated the incident to determine the nature and scope of the security breach.

Duncan Regional Hospital stated the attackers did not gain access to its electronic medical record system, but did access parts of the network that store files containing patient information. Those files included patient names, telephone numbers, addresses, birth dates, Social Security numbers, appointment data such as dates of service and healthcare provider names, and some treatment information.

The hospital has taken steps to strengthen security and prevent further attacks, including a company-wide password reset, deployment of new endpoint threat detection and response monitoring software, and stricter firewall rules. Affected individuals have been notified and offered free credit monitoring and identity protection services.

The hospital has already reported the incident to the HHS’ Office for Civil Rights as affecting 86,379 patients.

Central Indiana Orthopedics

At the beginning of this month, Central Indiana Orthopedics reported that it experienced a cyberattack that was discovered on October 16, 2021. Action was promptly taken to secure its systems, and a third-party computer forensics firm was engaged to investigate the incident.

The investigation showed that unauthorized persons had accessed files containing patient data; however, no reports have been received indicating misuse of any patient data. The types of data in the files varied from patient to patient and may have included names, Social Security numbers, addresses, and some medical information.

Central Indiana Orthopedics stated that several steps have been taken in response to the breach to strengthen security, prevent further cyberattacks, and reduce the risk of future harm. All individuals affected by the incident have been notified and offered free dark web monitoring, credit monitoring, and identity theft protection services.

Central Indiana Orthopedics has already reported the incident to the HHS’ Office for Civil Rights as affecting 83,705 individuals.

Breach Barometer Report Reveals 2021 Had More Than 50 Million Healthcare Records Breached

Protenus has published its 2022 Breach Barometer Report, which shows that 2021 was a particularly bad year for healthcare sector data breaches, with more than 50 million healthcare records breached.

The report counts healthcare data breaches reported to regulators, breaches reported in the media, incidents not yet disclosed by the breached entity, and breaches involving healthcare information at entities not regulated by HIPAA. provided the data for the report.

Protenus began publishing annual Breach Barometer reports in 2016, and the number of healthcare data breaches and breached records has increased every year since. In 2021, some 50,406,838 people were affected by healthcare data breaches, a 24% increase over the previous year. The report includes 905 incidents, a 19% increase over 2020.

The largest healthcare data breach of 2021 affected the children’s health plan Florida Healthy Kids Corporation, based in Tallahassee, FL. Vulnerabilities in its website had been left unresolved by its business associate since 2013; hackers exploited those vulnerabilities and gained access to the sensitive information of 3,500,000 people who had applied for medical insurance between 2013 and 2020.

Hacking incidents increased for the 6th consecutive year. There were 678 breaches attributed to hacking incidents, including ransomware, malware, phishing, and email incidents, which resulted in the exposure or theft of 43,782,811 individual records.

Insider incidents fell back after increasing in 2020: there were 111 insider incidents in 2021, compared with 110 in 2019. Incidents had risen by 26% in 2020, likely due to an increase in pandemic-related insider curiosity or in organizations’ detection of impropriety.

There were 32 breaches involving theft, affecting about 110,6656 records, and 11 incidents involving lost or missing devices or documents, containing the records of about 30,922 people. 73 incidents could not be classified because of a lack of data.

Healthcare providers remain the worst affected type of HIPAA-covered entity, but business associate data breaches doubled compared with 2019. Of those incidents, 75% were hacking-related, 12% insider error, and 1% insider wrongdoing, and 20,986,509 records were breached in them. Protenus notes that the average number of records breached in a business associate data breach is higher than in other breaches.

The time taken to discover a data breach fell by 30% from 2020. The average time from a breach occurring to its discovery is now 132 days; however, organizations are taking longer to report data breaches than in 2020. The average time to report a data breach in 2021 was 118 days, well beyond the 60 days allowed by the HIPAA Breach Notification Rule, compared with 85 days in 2020.

The need for proactive patient privacy monitoring is greater than ever. Today’s threats are far more serious than before and can come from many sources, from a staff member snooping to a sophisticated attacker gaining access through an employee’s credentials. If a breach destroys patient trust in an organization, that is very hard to recover from.

HC3 Report on Cyberattack Trends and Insights to Enhance Healthcare Cybersecurity

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has published a new report titled Health Sector Cybersecurity: 2021 – Retrospective and 2022 Look Ahead. The report takes a retrospective look at healthcare cybersecurity over the last 30 years, highlighting some of the major cyberattacks to hit the healthcare sector.

In 1989, biologist Joseph Popp distributed 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. When a disk was used, malicious code was installed that counted reboots. After 90 reboots, a ransom note was displayed stating that the software lease had expired and that a $189 payment was required to regain access to the system.

The report shows how adversaries escalated their attacks on the healthcare sector from 2014 to 2017.

  • In 2014, Boston Children’s Hospital experienced a serious Distributed Denial of Service (DDoS) attack.
  • In 2015, there was a big cyber attack on Anthem Inc. where the records of 80 million health plan subscribers had been accessed without authorization.
  • In 2016, Hollywood Presbyterian Medical Center paid a $17,000 ransom after a ransomware attack.
  • In 2017, the WannaCry attacks impacted over 200,000 systems.

In 2019, ransomware came into widespread use in attacks on healthcare organizations, with the Ryuk ransomware group among the best-known operators. One of the group’s attacks targeted a managed service provider and affected about 400 dental clinics. The attacks continued, and more actors began using ransomware to attack businesses. In 2020, cybercriminals exploited the COVID-19 pandemic and used COVID-19 lures in their phishing attacks, a trend that continued throughout 2021. McAfee observed an average of 375 COVID-themed threats per minute in 2020.

Major cyberattacks were reported in 2020 by Scripps Health, Accellion, SolarWinds, CaptureRX, and Universal Healthcare Services. Emsisoft reported that $18.6 billion in ransoms had been paid to ransomware groups globally, although the true total was estimated at about $75 billion.

The prolific Maze ransomware group shut down its operation in 2020, but attacks continued to be conducted by many other threat actors such as REvil, BlackMatter, and Abaddon. In 2021, the Conti ransomware gang carried out a massive ransomware attack on the Health Service Executive in Ireland. The attack affected 54 public hospitals along with others that relied on HSE infrastructure, and it took 4 months to restore all online systems.

The report shows that cyberattacks on the healthcare industry have been ongoing for many years and will continue for years to come. HC3 advises healthcare organizations to keep strengthening their defenses against the most common threats such as phishing, ransomware, and malware. Security teams should provide regular security awareness training for employees, run phishing simulations to test the effectiveness of that training, use gateway/mail server filtering, whitelisting, and blacklisting, and operationalize indicators of compromise.

It is also essential to secure remote access technologies, which are frequently exploited to gain access to systems. The use of Virtual Private Networks and technologies based on the Remote Desktop Protocol should be reduced to the operational minimum, services should be switched off when not in use, and activity logs should be retained and reviewed regularly.

Vulnerability management is important and must be methodical, comprehensive, and repeatable, with mechanisms for enforcement. It is essential to maintain situational awareness of relevant vendor updates and advisories and to create repeatable processes for assessment, patching, and update deployment.

Healthcare organizations need to understand the value of what they stand to lose: protected health information, which commands a high price on the black market, and intellectual property, which is frequently sought by foreign nations. Once those assets have been identified, steps should be taken to ensure they are secured.

In addition to implementing security measures to defend against attacks, it is essential to recognize that the likelihood of compromise will remain high, to prepare for an attack, and to plan and test the response in advance so that the business can keep operating.

Healthcare organizations are also advised to consider relatively new approaches to defensive planning, taking into account that adversaries are now thinking in terms of maximizing the number of victims and are attacking managed service providers and the supply chain. Healthcare organizations must consider how they could prevent and mitigate attacks on third parties.

HC3 states that situational awareness will always be important. New threats will emerge, the tactics, techniques, and procedures of threat actors will change, and new vulnerabilities will be discovered. It is essential to stay up to date with new threats and vulnerabilities and with how to remediate and mitigate them.

It is critical to maintain robust defensive measures and to protect against distributed attacks as well as other avenues of compromise. HC3 lists a number of resources in the report that healthcare organizations can use to build their defenses and guard against current and emerging attack methods.

OCR Director Tells HIPAA-Regulated Entities to Reinforce Their Cybersecurity Posture

In a new blog post, Lisa J. Pino, Director of the HHS’ Office for Civil Rights, urged HIPAA-regulated entities to take action to strengthen their cybersecurity posture in 2022 in light of the surge in cyberattacks on the healthcare sector.

2021 was a particularly bad year for healthcare providers, with the number of healthcare data breach reports reaching record levels. The HHS’ Office for Civil Rights recorded 714 healthcare data breaches involving 500 or more records in 2021, and more than 45 million records were exposed.

Most of the breach reports involved hacking and other IT incidents, which led to the exposure or theft of the healthcare information of more than 43 million people. In 2021, hackers targeted healthcare organizations dealing with the COVID-19 pandemic and carried out a number of attacks that severely affected patient care, forcing the cancellation of surgical procedures, medical tests, and other services because IT systems were taken down and network access was disabled.

Pino also noted the critical vulnerability discovered in the Log4J logging utility, which is built into many healthcare applications. The vulnerability was identified in December 2021, and cyber attackers and other threat groups were quick to exploit it to gain access to servers and networks for a variety of malicious purposes.

These vulnerabilities and data breaches demonstrate how essential it is for healthcare providers to be alert to risks and to act quickly whenever new risks to the confidentiality, integrity, and availability of protected health information (PHI) are identified.

Pino explained that OCR investigations and audits have found numerous instances of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. Risk assessments often cover only the electronic health record, but an enterprise-wide risk analysis is required. Risk management strategies must be comprehensive in scope, covering all electronic protected health information (ePHI) held throughout the organization, from software applications to connected devices, legacy systems, and other locations across the network.

OCR’s investigations of data breaches in 2020 revealed several areas where HIPAA-regulated entities have to take action to enhance compliance with the requirements of the HIPAA Security Rule, particularly in the following aspects:

  • Risk analysis
  • Risk management
  • Audit controls
  • Information system activity assessment
  • Security awareness and training

Pino made a number of recommendations, including reviewing risk management policies and procedures, ensuring data are backed up regularly (and testing backups to confirm that data can be recovered), performing regular vulnerability scans, patching and updating applications and operating systems promptly, training employees to recognize phishing scams and other common attacks, and practicing good cyber hygiene.

CISA and the Office for Civil Rights have made available resources to help safeguard against prevalent threats to ePHI.

Bipartisan Legislation Proposed to Upgrade Health Data Privacy Regulations

Healthcare privacy regulations in the U.S. need to be updated for the modern age to ensure that individually identifiable health data is protected regardless of how it is collected and shared. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now over 20 years old, and although the Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are expected to be finalized in 2022, even if the proposed changes are adopted there will still be regulatory gaps that put health information at risk.

The use of technology for healthcare and health information has developed in ways that could not have been envisioned when the Privacy Rule was enacted. Health data is now being collected by health apps and other systems, and individuals’ sensitive health information is being shared with and purchased by technology companies. The HIPAA Privacy and Security Rules introduced requirements to protect the privacy and security of health data, but HIPAA applies only to HIPAA-covered entities (healthcare providers, healthcare clearinghouses, and health plans) and their business associates. Many of the emerging technologies now used to record, store, and transmit health information are not covered by HIPAA, so its protections and safeguards do not apply. In addition, the proposed changes to the HIPAA Privacy Rule will make it easier for individuals to access their health data and will require covered entities to send that data to unregulated personal health apps.

New bipartisan legislation introduced recently seeks to begin the process of identifying and closing the current privacy gaps associated with emerging technologies so that health information is better protected, including health data that is not currently protected by HIPAA. The Health Data Use and Privacy Commission Act, introduced by Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI), would establish a new commission tasked with analyzing current federal and state laws governing health data privacy and making recommendations for updates that reflect the current technology landscape.

The opportunity of new technology to enhance patient care looks boundless. Nevertheless, Americans need to have confidence that their personal health information is safeguarded when this technology can reach its 100% potential, said Dr. Cassidy. It is necessary to upgrade HIPAA for the contemporary day. This law commences this process on a path to be sure it is done properly.

The Comptroller General would be tasked with appointing the commission members, who would be required to submit their report, findings, and recommendations to Congress and the President within six months. The commission would examine existing privacy laws and assess their effectiveness and limitations, any potential threats to individual health privacy and to legitimate business and policy interests, and the purposes for which sharing health data is appropriate and beneficial to individuals.

The commission would report on whether additional federal legislation is needed and, if existing privacy laws should be updated, recommend the best ways to reform, streamline, harmonize, unify, or augment existing laws and regulations relating to personal health privacy. Those recommendations could include amending HIPAA to cover a wider range of entities or new state or federal regulations covering medical information. Where changes are recommended, the commission would have to detail the likely costs, burdens, and potential unintended consequences, and whether overly strict privacy regulations could pose a risk to health outcomes.

The Health Data Use and Privacy Commission Act has attracted support from several medical associations and technology companies, including the College of Cardiology, National Multiple Sclerosis Society, Federation of American Hospitals, Epic Systems, IBM, and the Association of Clinical Research Organizations.

Deadline for Reporting 2021 PHI Breaches Affecting Fewer Than 500 Persons

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule sets a strict deadline for issuing notifications to individuals whose protected health information (PHI) has been compromised or impermissibly disclosed. The maximum time frame is 60 days from the discovery of the breach, although notification letters must be sent “without unreasonable delay.”

In addition to sending notification letters to individuals affected by a data breach, the HIPAA Breach Notification Rule requires that the Secretary of the Department of Health and Human Services (HHS) be notified of the breach. The time frame for that notification depends on the number of people affected.

If a data breach affects 500 or more people, the Secretary of the HHS must likewise be notified without unreasonable delay and no later than 60 calendar days after the discovery of the breach. If not all information about the breach is available within 60 days, the HHS must still be notified, and the report can be amended later as further details come to light.

If a data breach affects fewer than 500 people, HIPAA-regulated entities are given more time to report the breach to the HHS. N.B. the time frame for notifying individuals remains 60 days from the discovery of the breach, regardless of how many people were affected.

The deadline for reporting breaches of the PHI of fewer than 500 people to the HHS is 60 days from the end of the calendar year in which the breach was discovered. All PHI breaches discovered in 2021 that affected fewer than 500 people must therefore be reported to the Secretary of the HHS no later than 11:59:59 p.m. on March 1, 2022. Each breach must be reported to the HHS separately using the breach reporting tool on the HHS portal.
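The two clocks described above (60 days from discovery for individuals and for large breaches, 60 days from year end for HHS reports of breaches under 500) are easy to get wrong, so here is an added example, not part of the original article or any HHS tool, that computes both deadlines; the year-end clock is simply December 31 plus 60 days, which is March 1 in a common year but February 29 when the following year is a leap year. The sample breaches are constructed, except the Duncan Regional Hospital figures, which are taken from the article above.

```python
"""Added example: compute HIPAA Breach Notification Rule deadlines as the
article describes them. Not code from the article's source or from HHS."""
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500  # 500 or more affected individuals
NOTICE_WINDOW_DAYS = 60       # outer limit; notices still go "without unreasonable delay"


@dataclass(frozen=True)
class BreachDeadlines:
    individuals: date        # last day to notify affected individuals
    hhs: date                # last day to notify the Secretary of HHS
    annual_hhs_report: bool  # True when the HHS report rides on the year-end clock


def individual_notice_deadline(discovered: date) -> date:
    """Individuals: within 60 days of discovery, regardless of breach size."""
    return discovered + timedelta(days=NOTICE_WINDOW_DAYS)


def hhs_notice_deadline(discovered: date, affected: int) -> date:
    """Secretary of HHS: 60 days from discovery for 500+ individuals, otherwise
    60 days after the end of the calendar year in which the breach was discovered.
    Dec 31 + 60 days lands on March 1, except when the following February has
    29 days, in which case the deadline is February 29 (the leap-year edge case)."""
    if affected >= LARGE_BREACH_THRESHOLD:
        return discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    year_end = date(discovered.year, 12, 31)
    return year_end + timedelta(days=NOTICE_WINDOW_DAYS)


def breach_deadlines(discovered: date, affected: int) -> BreachDeadlines:
    """Both deadlines for one breach, keyed on the number of affected individuals."""
    return BreachDeadlines(
        individuals=individual_notice_deadline(discovered),
        hhs=hhs_notice_deadline(discovered, affected),
        annual_hhs_report=affected < LARGE_BREACH_THRESHOLD,
    )


def deadlines_iso(discovered_iso: str, affected: int) -> dict:
    """String-in/string-out wrapper (ISO 8601 dates) for scripts and tests."""
    d = breach_deadlines(date.fromisoformat(discovered_iso), affected)
    return {
        "individuals": d.individuals.isoformat(),
        "hhs": d.hhs.isoformat(),
        "annual_hhs_report": d.annual_hhs_report,
    }


def days_late(deadline_iso: str, reported_iso: str) -> int:
    """Positive when the report was filed after the deadline, zero or negative otherwise."""
    return (date.fromisoformat(reported_iso) - date.fromisoformat(deadline_iso)).days


if __name__ == "__main__":
    # Constructed samples: a small breach discovered mid-2021, the Duncan Regional
    # Hospital figures from the article (discovered January 20, 2022; 86,379 affected),
    # and a small breach discovered in 2023 to show the leap-year deadline.
    for disc, n in [("2021-07-01", 120), ("2022-01-20", 86379), ("2023-05-05", 10)]:
        print(disc, n, deadlines_iso(disc, n))
```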

Many HIPAA-regulated entities leave their breach reporting until close to the deadline, so the breach reporting portal is likely to see heavy traffic as the deadline approaches, which may cause accessibility problems. It is therefore advisable to report any breaches well ahead of the reporting deadline.

Bear in mind that many states have enacted laws governing the reporting of data breaches, and the time frames for reporting breaches can be shorter than those of the HIPAA Breach Notification Rule. In some cases, HIPAA-regulated entities are exempt from state breach notification laws provided they comply with the HIPAA reporting requirements. If they fail to comply with the Breach Notification Rule, state attorneys general may choose to investigate, and civil monetary penalties may be imposed for violations of HIPAA or state law.