Category: HIPAA News

Compliancy Group made an announcement that Eyeward inc. has put in place an efficient HIPAA compliance program, thus achieving HIPAA compliance.

EyeWard is a peer-to-peer consulting platform made for iOS that healthcare professionals can freely use to get in touch with colleagues and safely talk and share medical photos. The app is supposed to help doctors share medical knowledge and confer with other healthcare professionals. Using the application enables doctors to have better workflow and give proper health care to patients.

Eyeward CEO, Stephen Atallah, stated that Eyeward is committed to helping doctors give the highest quality of care to patients. Knowing that this quality of care may need the usage of sensitive health care data, Eyeward wanted to make sure to implement the proper measures to effectively protect PHI.

To make certain that Eyeward complies with all the conditions of the HIPAA, the company partnered with the Compliancy Group. The Compliancy Group’s HIPAA compliance monitoring program called The Guard, together with its compliance coaches, were a big help in ensuring that Eyeward’s platofr, policies and procedures fully complied with the requirements of HIPAA.

Eyeward additionally finished Compliancy Group’s 6-stage HIPAA Risk Analysis and remediation process. Because of the company’s diligent and honest effort toward HIPAA compliance, Eyeward received the Compliancy Group’s HIPAA Seal of Compliance award.

The Seal of Compliance proves to HIPAA-covered entities and business associates that the platform of Eyeward has indeed complied with all the requirements of the HIPAA rules and has implemented an efficient HIPAA compliance program. Therefore, entities can used the platform securely for patient data communication.

Doctors that use the Eyeward platform know that they can rely on the company to protect all healthcare information. Eyeward certainly wants all platform users to know that it is doing its best to keep them and their patients safe.

Tandem Diabetes Care Inc., the San Diego medical device maker, is dealing with a class-action lawsuit in California in relation to a January 2020 data breach that caused the compromise and probable theft of the protected health information (PHI) of over 140,000 persons.

Unauthorized people got access to an employee’s email account from January 17 to January 20, 2020 as a result of a phishing attack. The email account contained information that varied from one patient to another. The range of private and confidential information included names, dates of birth, insurance details, billing details, healthcare information, and Social Security numbers.

Tandem Diabetes Care reported the incident to the HHS’ Office for Civil Rights on March 17, 2020 indicating that there were 140,781 individuals affected. At the same time, the company sent notification letters to the affected individuals.

The lawsuit was filed in the United States District Court in the Southern District of California and claims that Tandem Diabetes Care committed violations of the Confidentiality of Medical Information Act (CMIA). The plaintiff and class members want damages for the negligent disclosure of their personal and healthcare data and injunctive relief.

CMIA mandates healthcare service providers to enforce safety measures to keep individually identifiable medical information confidential and prohibit the disclosure of that data without prior patient consent. As opposed to HIPAA, CMIA implements a private cause of action which permits patients to take legal action with regards to the negligent disclosure of their confidential medical data.

The plaintiff is named C.H. and the putative class is split up into two subclasses: All California citizens who had their identities, personal data, and medical data contained in the email account and all other people whose data were exposed.

The legal action alleges negligence for not protecting individually identifiable health information. Because the Defendant’s email account was accessible to third parties, the Defendant negligently generated, maintained, saved, kept, and then disclosed the individual identifiable medical information of the Plaintiff and the Class members.

The lawsuit claims that Tandem Diabetes Care failed to sustain sufficient technological safeguards, which directly and proximately brought about the foreseeable risk of patient data loss and hurt, such as identity theft as well as other economic ruin.

The lawsuit claims that patients have endured damages due to the unauthorized disclosure of their private and protected medical information and seeks nominal damages of $1,000 for each class member, repayment for actual damages sustained, damages provided by the common law, and legal charges.

Joshua B. Swigart of the Swigart Law Group filed the lawsuit and is trying to get class action status as well as a jury trial

On April 1, 2020, Zoom CEO Eric S. Yuan mentioned in a blog post that Zoom is going through some growing pains because the platform has substantially increased in popularity this year. Yuan responded to the criticism of Zoom’s security problems by recognizing that they have fallen short of the privacy and security expectations. He apologized and wanted to share what the company is doing about it.

The company did not anticipate the huge increase in recognition of the platform nor the lockdown of a quarter of the planet’s population that prompted working and socializing from home. Because of the bigger variety of users using Zoom in a number of unexpected ways, the company is confronted with challenges that were never anticipated since the creation of the platform.

It ought to be mentioned that there are vulnerabilities in all software solutions. The disclosure of Zoom’s vulnerabilities to the public recently did not allow Zoom to respond first and fix the problems. Zoom reacted immediately and resolved some of the concerns recently but a number of privacy and security issues stay unresolved.

Zoom expressed to the public its commitment to correct privacy and security problems and proactively check the platform if there are other vulnerabilities. Zoom will stop all work on development in the next 90 days and will use engineering resources to aim at addressing trust, security, and privacy concerns. The company will enhance the bug bounty program and conduct penetration tests to evaluate platform security.

Using Zoom for Communications in Healthcare

Enterprise-class communication platforms need to provide enterprise-level of privacy and security. This is particularly essential in healthcare because of HIPAA compliance. Zoom provides an enterprise plan for healthcare providers called Zoom for Healthcare. It was developed to include the required safety measures for compliance with the HIPAA Privacy and Security Laws; nonetheless, the most recent security vulnerabilities and privacy problems of Zoom instigated doubt on the quality of protection it provides.

While the COVID-19 public health emergency is in force, the HHS’ Office for Civil Rights will exercise enforcement discretion and won’t issue sanctions or fines for providing good faith telehealth services. OCR will also allow at this time the use of applications that might not meet all HIPAA requirements. Though there’s no indication that OCR would give Zoom an exception, healthcare organizations should still take careful attention because Zoom is not a public-facing platform.

There are some other teleconferencing platforms that healthcare companies can utilize when providing telehealth services. Many of the platforms do provide real end-to-end encryption and have no security problems similar to those identified in Zoom. There are free to use solutions offering secure and HIPAA compliant messaging platform. TigerConnect offers free use of its platform to healthcare organizations after the announcement of the COVID-19 public health emergency.

Because there are available safe videoconferencing and communications platforms, it is highly recommended to employ a substitute option for telehealth and other healthcare communication throughout the COVID-19 outbreak until Zoom completely fixes its privacy and security problems and concludes its platform review.

Last April 2, 2020, the Department of Health and Human Services gave an announcement that is effective immediately. HHS is exercising discretion in enforcement and won’t enforce sanctions or issue financial penalties to healthcare organizations or their business associates with regard to good faith uses and disclosures of protected health information (PHI) for public health and health monitoring activities throughout the COVID-19 public health emergency, or until the public health emergency is declared over by the Secretary of the HHS.

The issuance of the Notice of Enforcement Discretion supports the Federal public health authorities and health oversight institutions, for instance, the Centers for Disease Control and Prevention (CMS), the Centers for Medicare and Medicaid Services (CMS), state and local health divisions, and other emergency operation centers which need quick access to COVID-19 related information.

Although the HIPAA Privacy Rule allows PHI disclosures by HIPAA-covered entities for purposes of public health and health oversight, at present business associates of HIPAA covered entities can only disclose PHI for purposes of public health and health oversight when it is particularly stated in their business associate agreement (BAA) with a HIPAA covered entity. If the Notice of Enforcement discretion was not issued, business associates can suffer financial penalties for disclosing PHI for purposes of public health and health oversight.

The Notice of Enforcement Discretion is applicable to the following HIPAA Privacy Rule Provisions but only for good faith uses or disclosures of PHI in relation to public health activities by a business associate in accordance with 45 CFR 164.512(b), or health monitoring activities in accordance with 45 CFR 164.512(d). A business associate needs to notify the covered entity concerning the use or disclosure of PHi within 10 calendar days.

• 45 CFR 164.502(a)(3)
• 45 CFR 164.502(e)(2)
• 45 CFR 164.504(e)(1) and (5)

The Notice of Enforcement Discretion is not applicable to any other conditions of HIPAA Rules. The HIPAA Security Rule continues to be enforced. When PHI disclosure to a public health authority or health oversight agency occurs, the business associate should make sure that the HIPAA Security Rule requirements are satisfied, There must be reasonable safety measures implemented to protect the confidentiality, availability and integrity of ePHI and information must be transmitted securely.

OCR Director, Roger Severino, stated that the CMS, CDC, including state and local health departments need to have fast access to COVID-19 related health information in order to combat this pandemic. In allowing HIPAA business associates to have more freedom to work and exchange data with public health and oversight institutions, there is better potential to flatten the curve and save people’s lives.

The OCR Notice of Enforcement Discretion can be viewed on this page.

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) made an announcement that there will be a set of sweeping regulatory adjustments and waivers to give maximum flexibility to healthcare providers when treating patients during the 2019 Novel Coronavirus pandemic. The new changes will enable healthcare professionals to take action as healthcare delivery coordinators in their locations.

The temporary changes to relieve restrictions are meant to create hospitals and health systems without walls. Thus, hospitals and health systems will have less difficulty handling an expected huge increase in COVID-19 patients throughout the coming weeks.

Under regular circumstances, federal limitations require hospitals to give medical services within their present facilities, but this will not be practical with an increase in patient numbers. As the number of COVID-19 cases increases, hospitals will eventually reach capacity. If they don’t develop more sites to provide treatment to patients, they could be weighed down.

To make sure that all patients can get treatment and not one person is left behind, the CMS has eased restrictions and has issued non-permanent new rules that will allow the provision of treatment in other locations. A lot of ambulatory surgery centers have decided to cancel elective procedures throughout the public health emergency. Hospitals and health systems will be allowed to use those places together with inpatient rehabilitation hospitals, and even dormitories and hotels, and would still be qualified to get reimbursement for services under Medicare. The new places may be used when providing healthcare services to non-COVID-19 patients so that there will be additional inpatient beds for COVID-19 patients in need of intensive care and respirators.

The CMS mentioned that ambulatory surgery centers have two alternatives. They can either contract with local healthcare systems to give services on behalf of the hospital or they could enroll and bill CMS as hospitals for the duration of the public health emergency announcement, provided that is not in conflict with their State’s Emergency Preparedness or Pandemic Program. Healthcare organizations will not be allowed to operate outside of prepared plans at the local level.

To further raise capacity, the CMS has released a waiver that will permit doctor-owned hospitals to increase the number of beds without facing sanctions. Hospitals are granted to set up drive-through screening facilities for COVID-19, utilize off-campus testing sites, and coverage will be provided to laboratory specialists who need to travel to a Medicare beneficiary’s house to get samples to do COVID-19 testing. CMS is budgeting extra reimbursement for ambulances, which are needed for transferring patients to and from healthcare facilities and doctor’s surgeries to make sure they get the needed treatment. Medicare coverage for respiratory-associated devices and apparatus has now been lengthened to cover any medical reason.

Adjustments were furthermore made to aid the quick expansion of the healthcare workers. These changes consist of making Medicare enrollment simpler for providers and permitting teaching hospitals to allow medical residents to deliver services under the guidance of a teaching physician. The CMS has additionally given a blanket waiver to permit hospitals to give more benefits to aid their medical workforce, including multiple daily meals, laundry service for personal clothing, or child care services when the physicians and other personnel are at the hospital giving patient care.

Changes were likewise made to relieve the administrative burden on healthcare professionals with the CMS giving patients more importance than paperwork by getting rid of paperwork requirements to ensure that physicians have more time for managing patients.

The CMS has recently declared that there is additional flexibility for the availability of telehealth services, with repayment now being offered for all Medicare beneficiaries in all locations. Coverage is currently included for over 80 additional services offered through telehealth, so long as those services are given by physicians allowed to give telehealth services.

These new changes and waivers are merely temporary and effective during the national public health emergency for COVID-19, and after that the CMS will assess how best to return to the present system.

Vulnerabilities were identified in the Insulet Omnipod Insulin Management System and the Systech NDS-5000 Terminal Server and pertinent advisories were issued.

Inappropriate Access Control Discovered in Insulet Omnipod Insulin Management System

ThirdwayV Inc. has identified a high severity vulnerability present in the Omnipod Insulin Management System which an attacker could exploit to access the Pod of a vulnerable insulin pump and intercept and alter information, adjust insulin pump settings, and manipulate insulin delivery.

The vulnerable insulin pumps correspond with an Insulet built Personal Diabetes Manager device utilizing wireless RF. The researchers found that the RF communication protocol doesn’t enforce authentication or authorization appropriately.

The vulnerability affected the following versions:

• UDI/Model/NDC number: ZXP425 (10-Pack) and ZXR425 (10-Pack Canada)
• Omnipod Insulin Management System Product ID/Reorder number: 19191 and 40160

The vulnerability is monitored as CVE-2020-10597 and has a designated CVSS v3 base rating of 7.3 of 10. No incidents of vulnerability exploitation were reported.

Patients must not link any third-party devices or utilize the unapproved software program and must be mindful of pump signals and alarms. Patients ought to keep track of their blood glucose levels properly and any unintentional boluses must be canceled immediately. Insulet advises updating to the most recent version of the insulin pump with more cybersecurity protections.

Patients utilizing a vulnerable product were cautioned to get in touch with Insulet Customer Care or a healthcare professional for more information regarding the risk presented by the vulnerability.

Systech NDS-5000 Terminal Server Found With Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability was discovered in NDS-5000 Terminal Server that an attacker could exploit to carry out privileged action for the users, view sensitive information, restrict system accessibility, and possibly remotely implement arbitrary code. An attacker with a low level of skill can exploit the vulnerability remotely.

The vulnerability is monitored as CVE-2020-7006 and has a designated CVSS v3 base rating of 6.8 of 10 (medium severity). The vulnerability impacts NDS/5008 (8 Port, RJ45), DS-5000 Terminal Server and firmware Version 02D.30. The vulnerability has been fixed in firmware version 02F.6.

Consumers of the vulnerable product must get in touch with Systech Technical Support for more information on upgrading the software to avoid exploitation.

Critical Infrastructure Penetration Test Specialist Murat Aydemir of Biznet Bilisim A.S. identified the vulnerability.

All through the 2019 Novel Coronavirus pandemic, prompt, fast, and enterprise-wide communication is necessary for delaying the propagation of the virus and making sure of the continuity of service.

Not everything is understood about the Novel Coronavirus including how it is passed on. It is a rapidly-changing situation and new data is continually being circulated by scientists and public health experts. That data and revisions to policies and protocols must be quickly conveyed across healthcare institutions. It is additionally essential for healthcare experts to keep track of the status of patients who are on self-quarantine at home after showing signs of COVID-19.

The 2019 Novel Coronavirus pandemic is subjecting health systems to great stress and it is crucial to have speedy, efficient, and reliable internal and external communication.

TigerConnect, the prominent provider of a safe healthcare communication platform, will conduct a free webinar featuring the company’s healthcare communication specialists who will talk about the best practices in communication and collaboration to facilitate organizational readiness, efficient response, and service continuity for the duration of the 2019 Novel Coronavirus pandemic, and for other similar instances of crisis.

The following will be discussed by TigerConnect during the webinar:

• guidelines for workflow readiness
• ways to speed up internal and external communication
• efficient broadcasting of essential updates to personnel and external partners
• how to expedite patient diagnosis and quarantine workflows
• the most effective way to prioritize monitoring of critical patients
• how to keep the staff safe
• how to take advantage of text messaging to keep track of patients who are on self-quarantine at home

Over 6,000 healthcare organizations have adopted the TigerConnect platform to work and communicate with others effectively. Singapore Health is one healthcare organization that is using the TigerConnect platform for enabling improved enterprise-wide communication and coordination during the COVID-19 crisis. Singapore Health received a commendation for the productivity and efficiency of its response to the COVID crisis. TigerConnect is going to share facts about the lessons realized to give U.S. healthcare providers assistance on how to better deal with the COVID-19 crisis.

The Chief Medical Information Officer of TigerConnect, Dr. Will O’Connor, and its Nurse Executive, Julie Grenuk, will host the webinar in a live presentation and a Q&A session. The webinar will held on Thursday, March 19th, 2020, 2 p.m. ET / 11 a.m. PT. Visit this page to register for the free webinar.

Mailing Error at Kaiser Permanente

Kaiser Permanente found out that they accidentally mailed letters to patients’ past addresses. Kaiser Permanente had started a project to enhance mailing addresses for communication with members in Southern California. On November 1, 2019, the error that prompted the sending of the letters to wrong addresses was discovered. According to the investigation findings, the error started on October 6, 2019 and the wrong addresses were fixed on December 20, 2019.

The mailings that were sent in error included surveys, referral letters, appointment reminders, care reminders, and Explanation of Benefits statements. The information contained those letters included demographic data, medications information, diagnoses, billing data, and medical insurance data. There was no financial data or Social Security numbers exposed.

Kaiser Permanente has given more training to the employees to avoid more errors later on. Letters were resent to the appropriate addresses. About 500 patients were affected by this mailing error according to the HHS’ Office for Civil Rights (OCR) breach portal.

Breach Due to the Error of Riverview Health’s Mailing Vendor

The mailing vendor of Riverview Health based in Noblesville, IN made a printing error, which caused a breach of the names of 2,610 patients.

The mailing vendor was directed to mail patient notification letters about the plan to switch to two primary care providers. However, the error caused the sending of the letters to the wrong recipients on January 6, 2020. Riverview discovered the mailing vendor error on January 14, 2020.

The recipients of the letters were identified as patients of either of the two primary care providers of Riverview Health. No other data was exposed.

Riverview Health has taken steps to avoid identical errors from happening later on, such as the inclusion of more review methods before mailing notification letters to patients.

Abandoned Mental Health Records in Chicago Street

Physical health records originating from the Community Mental Health Council were found abandoned in a street in West Englewood, Chicago. The Community Mental Health Council closed down its clinics for good after losing its funding in 2012.

The sensitive data of hundreds of past patients were exposed. The information contained in the records included names, addresses, diagnosis data, health records, Social Security numbers, and other sensitive data. A local resident saw the physical records scattered all over an alley from Hermitage Avenue when she brought out her garbage. City officials were informed and already collected and secured the records. They are currently trying to find out who was at fault for throwing the documents.

A federal judge has finalized the approval of a settlement involving Quest Diagnostics Inc. to resolve a class-action lawsuit over its 2016 data breach. The medical laboratory firm based in New Jersey will pay a $195,000 settlement, which gives every breach victim up to $325 compensation.

On November 26, 2016, hackers accessed the Care360 MyQuest mobile app which patients use to store and share their electrical test results and book consultations. The health app stored names, telephone numbers, dates of birth, and lab test results which, for a number of patients, included their HIV test results. The breach affected 34,000 patients.

According to the class-action lawsuit filed on behalf of breach victims in 2017, Quest Diagnostics was negligent in protecting the sensitive data of app users. The lawsuit states that even though Quest Diagnostics knew that it was storing sensitive Private Information making it valuable and vulnerable to cyber attackers, it failed to take enough measures that could have secured the information of users. The plaintiffs additionally stated that Quest Diagnostics didn’t give timely, accurate, and enough notification regarding the breach.

Last fall of 2019, Quest Diagnostics submitted a settlement proposal that provides compensation to the breach victims so as to avoid further legal expenses and the problem of ongoing litigation. The proposal will give as much as $325 per breach victim, which reflected the pros and cons of the claims and defenses in the legal case. Quest Diagnostics, as well as the other defendants, involved in the case did not admit any wrongdoing.

A federal court judge gave preliminary approval of the settlement obtained in October 2019. The final approval was released on February 25, 2020.

Each class member may claim around $325, which is made up of around $250 to pay for provable out-of-pocket costs sustained because of the breach. Another $75 may be claimed by each patient whose HIV test results were exposed, even though patients didn’t get any losses. Plaintiffs have to submit a claim so as to get a share of the settlement and they should submit the claims by May 22, 2020.

One more class-action lawsuit was filed against Care360 and Quest Diagnostics regarding the theft of roughly 12 million patient data from the American Medical Collection Agency (AMCA), its business associate in 2019. The plaintiffs in that legal case likewise claim the negligence of the defendants thus failing to safeguard their personal and protected health information (PHI) and failed to give timely and appropriate notifications.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reported the first HIPAA penalty for 2020. The settlement cost the practice of Steven A. Porter, M.D. a $100,000 financial penalty to take care of potential HIPAA Security Rule violations and will undertake a corrective action plan to tackle all aspects of noncompliance identified during the compliance investigation.

Dr. Porter’s practice in Ogden, UT offers gastroenterological treatment to over 3,000 patients. OCR started an investigation after receiving a data breach report on November 13, 2013. The breach involved Dr. Porter’s electronic medical record (EHR) firm’s business associate, which was purportedly impermissibly utilizing the electronic medical records of patients by blocking the PHI access of the practice until Dr. Porter paid it $50,000.

The breach investigation revealed the following serious HIPAA Security Rule violations of the practice:

• Dr. Porter had not carried out a risk analysis to determine risks to the integrity, confidentiality, and availability of ePHI, which violates 45 C.F.R. § 164.308(a)(1)(i)
• The practice had not minimized risks to a fair and suitable level
• The practice had not enforced policies and procedures to stop, identify, control, and correct security violations.

From 2013, the practice had permitted Dr. Porter’s EHR company to generate, receive, keep or transmit ePHI for the practice, without initially obtaining acceptable assurances that the firm would enforce safety measures to make certain the integrity, confidentiality, and availability of ePHI, which violates 45 C.F.R. § 164.308(b)

During the investigation, OCR made available substantial technical support, yet there was no risk analysis carried out after the breach and no proper security measures enforced to lessen risks to a rational and suitable level.

The financial penalty highlights the importance that healthcare companies of all sizes need to consider their duties under HIPAA very seriously. The inability to comply with fundamental HIPAA requirements, for example having a correct and comprehensive risk analysis and risk management plan, remains an unsatisfactory and troubling trend within the health care sector.

The National Institute of Standards and Technology (NIST) has issued a cybersecurity education and development roadmap according to the information gathered from five pilot Regional Alliances and Multistakeholder Partnerships (RAMPS) to promote Cybersecurity Education and Workforce Improvement programs.

There is presently a worldwide scarcity of cybersecurity experts and the issue is becoming worse. Information from CyberSeek.org reveals that from September 2017 to August 2018, 313,735 cybersecurity jobs were available and statistics from the 2017 Global Information Security Workforce Study show that 1.8 million cybersecurity specialists will be needed to occupy available positions by 2022.

To help deal with the deficiency, the National Initiative for Cybersecurity Education (NICE), headed by NIST, granted funds for the September 2016 pilot programs. The RAMPS cybersecurity education and development pilot programs were involved in energizing and pushing for a strong network and ecosystem of developing cybersecurity education, training, and workforce.

The pilot programs consist of

• creating regional alliances, by which the labor force requirements of businesses and non-profit companies are in-line with the learning goals of education and training companies
• growth of the pipeline of students going into cybersecurity careers
• more people in America are educated and got middle-class work opportunities in cybersecurity
• assistance is given for local economic development to promote job expansion

The principal aim of the programs is to facilitate the alliances of companies having cybersecurity skill deficiencies and educators who could assist in developing a skilled labor force to satisfy industry requirements. The following alliances helped run the pilot programs:

• Arizona Statewide Cyber Workforce Consortium
• the Cyber Prep Program in Southern Colorado
• Cincinnati-Dayton Cyber Corridor
• the Hampton Roads Cybersecurity Education
• the Partnership to Advance Cybersecurity Education and Training in New Your City and the Capital District
• Workforce and Economic Development Alliance in Southeast Virginia

Each one of the pilot programs followed a unique technique to deal with the lack of competent cybersecurity workers in their particular areas. Some of the typical difficulties encountered by the program were

• the employers that cannot ascertain their cybersecurity requirements
• a disconnection between labor force supply and demand
• no coordination of resources for education and labor force development programs
• difficulty in small communities to retain skilled cybersecurity workers

The roadmap was made in accordance with the positive results of each program and consists of advice on how usual challenges could be dealt with and the recommendations and lessons realized from doing the pilot programs.

The four main components required to develop successful alliances to promote and develop the cybersecurity labor force are:

• Knowing program targets and metrics
• Developing techniques and tactics
• Computing impact and results
• Maintaining the effort

The document gives examples of every activity that turned out productive in the pilot programs.

The document isn’t supposed to be a how-to guide for establishing profitable regional alliances, however it will be helpful to those looking for guidance on how to manage and facilitate regional attempts to enhance cybersecurity education and workforce development. So as to develop a profitable cybersecurity education and workforce development plan, local and regional specialists must give their insight as they are going to be knowledgeable about the cybersecurity requirements of their communities.

Download the document – A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce –  from NIST on this page (PDF).

The latest lawsuit filed in King County Superior Court was against the University of Washington Medicine for a data breach that resulted in the exposure of the protected health information (PHI) of patients.

The legal action was filed because a misconfigured server resulted in a data breach in December 2018 and the exposure of the PHI of 974,000 patients over the web. An accounting of disclosures database was stored in the misconfigured server. The information potentially exposed included the names of patients, medical record numbers, a listing of entities who were given patient data, and the purpose of information disclosure. A number of people also had compromised their data associated with a research study they took part in, their health problem, and the name of the laboratory test done. For selected patients, there was sensitive information compromised, such as the HIV test-taking record of a patient and, in certain instances, the HIV standing of patients. There were no Social Security numbers, financial data, medical insurance data, and medical files exposed.

The server misconfiguration happened on December 4, 2018. UW Medicine was informed about the breach after a patient found a file that contains their medical information indexed by Google. On December 26, 2018, UW Medicine identified and fixed the misconfiguration.

UW Medicine stated in a press release given on February 20, 2019 that access to the database was not secured for three weeks. UW Medicine collaborated directly with Google to have all indexed data removed from Google’s servers, which was completed on January 10, 2019.

The lawsuit alleges that UW Medicine neglected and failed to appropriately secure the PHI of its patients and didn’t notify patients immediately after the breach of PHI. Allegedly, patients suffered injury, distress, and damage of reputation because of the breach, and had a greater risk of identity theft, abuse, and fraud.

The lawsuit likewise mentions a previous UW Medicine data breach as additional evidence of ineffective data security practices. The previous data breach in 2013 was a malware infection that happened after an employee clicked open an infected email attachment. That malware attack affected 90,000 patients.

The HHS’ Office for Civil Rights investigated the breach and found UW Medicine’s violation of the HIPAA Security Rule. UW Medicine failed to employ sufficient policies and procedures to stop, identify, control, and resolve security violations. UW Medicine resolved the case in 2015 by paying OCR $750,000 and agreeing to follow a corrective action plan, which involved doing a comprehensive analysis of security risks and vulnerabilities and create a company-wide risk management plan.

The plaintiffs in the lawsuit alleged that UW Medicine’s ineffective security practices have already exposed the PHI of about one million patients, far exceeding the impact of the 2013 breach, in infringement of its statutory and expert standard of care responsibilities, in infringement of Plaintiffs and the Class’ reasonable expectations when they made a decision to create a patient-doctor partnership with UW Medicine, and thus reducing the worth of the services UW Medicine given and that its patients spent for.

The lawsuit seeks total disclosure concerning the data that was exposed, statutory damages and legal service fees, and demands UW Medicine to follow enough safe practices and measures to stop more data breaches later on.

Hackensack Meridian Health in New Jersey is facing a lawsuit in relation to the December 2, 2019 ransomware attack which impacted 17 of its hospitals.

The ransomware attack momentarily interfered with healthcare services when hospital staff could not access the medical records because its systems were offline. Systems stayed offline while data was being recovered for a few days until systems were restored. Staff continued to provide medical services although pen and paper were used to record patient data. Some non-urgent medical treatments were canceled.

Immediate measures were taken to protect its systems and restore data and doctors, nurses, and clinical staff worked 24 / 7 to maintain patient safety throughout the attack and data recovery process. So as to restore systems in the quickest time and avert continuous disruption to healthcare services, Hackensack Meridian Health decided to pay the ransom. The health system’s comprehensive insurance policy helped pay for the price of the ransom payment, as well as its remediation and recovery expenses.

Forensic specialists were hired to help investigate and ascertain if patient information was compromised. There is no evidence found that indicate the attackers stole any patient information.

Although it would seem that Hackensack Meridian Health did what it could to restrict the harm brought on patients and reestablish systems and data in the quickest time, it did not stop legal action.

A proposed class-action lawsuit was filed in a Newark district court. The two plaintiffs want compensation, statutory damages and penalties, the return of out-of-pocket expenditures, and injunctive relief necessitating Hackensack Meridian Health to improve its security systems, undertake yearly data security audits, and give breach victims three years of free credit monitoring services.

The plaintiffs claim Hackensack Meridian Health recklessly managed its network leaving its systems susceptible to attack and so the health system was unsuccessful to sufficiently secure patient data. The lawsuit additionally alleges the attack resulted in serious disruption to the health care given to patients, compelling them to find alternate care and treatment.

According to Hackensack Meridian Health’s investigation findings, there is no evidence found that indicate data theft, yet the plaintiffs claim that the attackers stole their personal and protected health information (PHI) and exposed to other unidentified thieves, so that they face an increased and impending risk of identity theft and fraud.

Moreover, the plaintiffs allege that Hackensack Meridian Health did not report the ransomware attack to the Department of Health and Human Services’ Office for Civil Rights, and did not notify the affected patients about the breach.

As of February 19, 2020, the OCR breach portal has not published the incident yet, though that doesn’t automatically mean the incident was not reported. There is generally a delay between the submission of a report to OCR and the posting of the incident on the breach portal.

Breach notifications may also be delayed when the breach investigation is still ongoing. It could take time to find out who are patients affected and to get updated contact details so as to mail notices. Patient notifications are typically necessary for ransomware attacks as per prior OCR guidance, however, they aren’t obligatory, as long as covered entities can show there was a low possibility of PHI compromise.

It is becoming more and more prevalent for patients to file a lawsuit against covered entities in relation to ransomware attacks. A number of lawsuits were filed recently on behalf of patients who were impacted by ransomware attacks. Considering the number of threat groups attempting to steal data before encrypting files, more lawsuits is to be expected.

Senator Kirsten Gillibrand has presented a new Senate bill called the Data Protection Act. It aims to make new data privacy standards and increase consumers’ rights over their personal information. At present, a big number of companies collect and use consumer data. And in many instances, companies use the consumer’s personal data without their knowledge for profit.

Under the California Consumer Privacy Act (CCPA), Californian consumers are granted more rights with regards to their private information. A lot of U.S. consumers can’t do much regarding the collection, usage, and sale of their personal information.

Sen. Gillibrand’s Data Protection Act is meant to provide consumer privacy protection and freedom into the electronic age. The Data Protection Act requires the development of a new consumer watchdog organization named the Data Protection Agency (DPA). DPA’s task involves protecting consumer data and privacy, as well as making sure of fair and transparent data practices. The President will appoint the Director of the DPA with confirmation by the Senate. The DPA Director will have a 5-year service term.

The DPA would possess the authority to define, arbitrate, and implement data protection regulations that Congress or the DPA itself creates. It would have the authority to issue civil monetary penalties on organizations that violate consumer privacy and give injunctive relief and fair treatments.

The DPA would accept consumer complaints, carry out investigations, and notify the public regarding data protection concerns, such as sharing the results of investigated entities that commit consumer data misuse. The DPA would likewise be assigned to inform Congress regarding arising privacy and technology problems and would be the United States’ representative in forums about international data privacy.

The DPA would encourage data protection and privacy development throughout the private and public sector, help with the creation of Privacy Enhancing Technologies (PETs) to restrict or get rid of personal data collection, and do something to stop “take-it-or-leave-it” and “pay-for-privacy” conditions in service contracts.

The Data Protection Act would likewise help take care of privacy gaps for health information not protected by HIPAA, for instance, the health information accumulated by fitness trackers and wellness applications. The company that developed the apps collect data for varied reasons. It could sell the data to a medical insurance firm. In turn, the health company could charge you a higher premium if you don’t do enough physical activities.

Sen. Gillibrand stated that the U.S. is the only member of OECD without a federal data protection agency that makes sure consumer personal data is not misused and do something in case it is. Companies are exploiting data, ignoring rules, putting profits on top of responsibility, and looking at consumers as dollar signs. They give little consideration to long-term effects.

The Data Protection Act is supported by a number of technology, privacy, and civil rights organizations, such as Color of Change, Public Citizen, Center for Digital Democracy, Consumer Action, Consumer Federation of America, and the Electronic Privacy Information Center.

The eHealth Initiative (eHI) has partnered with the Center for Democracy & Technology (CDT) to create a new consumer privacy system for health information not protected by the Health Insurance Portability and Accountability Act (HIPAA) Rules.

Personally identifiable health data obtained, stored, retained, processed, or sent by HIPAA-covered entities as well as their business associates is protected by the HIPAA Privacy and Security Rules. In case the same data is obtained, stored, retained, processed, or sent by a non-HIPAA covered entity, the law does not require those protections.

At present health information is collected, kept, and transmitted by wearable devices, health and wellness applications and educational health sites. If there are no HIPAA-like protections, the privacy of consumer health data is put in danger.

The Robert Wood Johnson Foundation gave eHI and CDT funding for the Building a Consumer Privacy Framework for Health Data project. A Steering Committee for Consumer Health Privacy has been formed with specialists and kings from healthcare, technology, consumer groups, and privacy advocacy groups. The Steering Committee will go over the essential steps to protect the privacy of health information not protected by HIPAA privacy rules and will evaluate different strategies to take care of the complexities of securing non-HIPAA-covered health information.

Chief Executive Officer of eHI, Jennifer Covich Bordenick, explained that their focus is analyzing ‘health-ish’ data not protected by HIPAA or other health privacy regulations. It is vital to bring together a broad and comprehensive variety of collaborators to work on some major issues.

The Steering Committee’s first meeting was held on February 11, 2019 in Washington DC. The group of participants that attended the meeting included 23andMe, Ascension, Change Healthcare, American Hospital Association, American College of Physicians, American Medical Association, Electronic Frontier Foundation, Fitbit, Elektra Labs, Future of Privacy Forum, Hogan Lovells, Hispanic Technology and Telecom Partnership, Microsoft, Salesforce, National Partnership for Women & Families, Under Armour, Waldo Law Offices, UnitedHealth Group, Yale University, Wellmark Blue Cross and Blue Shield.

There will be more Steering Committee meetings throughout 2020. There will also be smaller workgroups formed to focus on particular areas of the privacy framework. CDT and eHI are telling privacy experts, consumer organizations, and businesses that manage genomic, wearable, and social media information to join the project.

Interim Co-Chief Executive Officer of CDT, Lisa Hayes, said that consumers are more cynical with regards to the use of their data especially sensitive health-related data. Hopefully, this framework can provide more privacy rights and protections to consumers who use modern digital health and wellness services.

Health Share of Oregon, the Medicaid coordinated-care provider in Oregon, began informing around 654,000 present and past members about the stolen laptop computer from GridWorks, its transportation vendor. The laptop computer contained some of their protected health information (PHI).

GridWorks was hired to handle the Ride to Care program of Health Share. This program by Health Share provided non-emergent means of transport for its members.

It is the policy of Health Share to require business associates to have encryption on all portable devices containing patient data. However, for some reason, GridWorks did not encrypt its laptop. The PHI that was stored on the laptop included names, contact phone numbers, addresses, birth dates, Medicaid numbers, Health Share ID numbers, and Social Security numbers.

The laptop computer was stolen in November 2019 during a burglary at the office of GridWorks. On January 2, 2020, GridWorks informed Health Share about the stolen laptop. On February 5, Health Share began mailing notification letters to all people who had their PHI saved on the laptop computer. Health Share also offered 12-months free complimentary credit monitoring and identity theft protection services to the affected people.

Health Share subjects its vendors to security audits. The last audit of GridWorks was in March 2019. Because of the breach, Health Share is going to increase its vendor security audit program and take measures to make sure that vendors only get the minimum amount of patient data. Health Share also improved its policies on training employees.

In October 2019, Health Share made an announcement about CareOregon’s take over of the administration of the Ride to Care program. CareOregon is a nonprofit health plan. GridWorks did not pay a number of transportation providers that supplied transportation according to the Ride to Care program. In December 2019, GridWorks went into receivership and is going to stop operations after the full transfer of the administration of the Ride to Care program to CareOregon.

Stacey Lavette Hendricks, a 49-year-old resident of Leesburg, FL was a former medical clinic employee who has pleaded guilty to wire fraudulence and aggravated identity theft. He was found to have impermissibly accessed patients’ protected health information (PHI) and contacted identity thieves to sell the information.

As a former administrative employee at a number of Florida state medical clinics, Hendricks was given access to the PHI of patients, which she used to steal patient data from the unnamed medical clinics. The stolen information comprised names, birth dates, and Social Security numbers. Hendricks sold the data to identity thieves and used the information to deceive businesses as well.

The United States Secret Service looked into the incident and apprehended Hendricks after she tried to sell stolen patient data to an undercover agent. Law enforcement officers obtained a warrant to search her house and car and they found 113 different patients’ information that Hendricks stole from the medical clinics.

The United States District Court located in the Middle District of Florida in Ocala charged Hendricks who pleaded guilty to the following charges:

• two counts of fraud with identification documents: Aggravated identity theft and possession of means of identification with the intention to perpetrate felony.
• one count of wire fraud

Though the date for sentencing has not yet been set, Hendricks currently faces a jail term of a maximum of 20 years for the wire fraud charge. For aggravated identity theft, Hendricks faces a mandatory 2-year consecutive jail term.

A cyberattack on Manchester Ophthalmology in Connecticut allowed attackers to gain access to patient data. On November 25, 2019, the eye care provider discovered the cyberattack when employees detected strange activity on its system. A third-party technology company helped investigate the incident and found later that day the system access by hackers who tried to deploy ransomware. The hackers gained network access from November 22, 2019 to November 25, 2019. Manchester Ophthalmology was able to immediately terminate remote access and prevent data encryption.

There is no evidence found that indicates the attackers accessed or downloaded any patient data, however, the investigators confirmed that some patient data were not backed up and cannot be retrieved. Manchester Ophthalmology lost the following types of information: patient names, medical histories, and information on the care received by patients at Manchester Ophthalmology.

Patients were instructed to be careful and keep track of their explanation of benefits statements and accounts for any indication of data fraud. Manchester Ophthalmology gave employees further training on the proper backing up of all data.

The breach summary sent to the Department of Health and Human Services’ Office for Civil Rights states that the security breach impacted around 6,846 patients.

Mailing Error at Cook County Health

Cook County Health based in Chicago, IL began informing 2,713 people regarding the error in sending some of their protected health information (PHI) to a third-party vendor. The information pertaining to people taking part in a #keepingitLITE research was forwarded to a vendor who was supposed to help mail research data.

The listing of research participants, including their names, physical and email addresses, was mailed to the vendor prior to signing a business associate agreement (BAA). A BAA is proof of a vendor’s agreement to employ safety measures to protect data privacy and security. Without having a BAA, Cook County Health is not assured that the vendor has satisfactory safeguards in place.

Steps were already taken to make certain the same error won’t happen again in the future.

Data Breach at UnitedHealthcare

On January 31, 2020, the health insurance provider, UnitedHealthcare in Minnetonka, MN, reported a data breach in 2019 which resulted in the potential compromise of the private data of some of its clients in South Carolina.

UnitedHealthcare knew about the data security breach on December 10, 2019 and learned that an unauthorized person accessed members’ health information via its member portal sometime on July 30, 2019 to Nov 13, 2019. The compromised information only included the members’ first and last names, medical plan data, and medical claims information.

UnitedHealthcare reported the incident to law enforcement and is helping with the investigation. The health insurer already took steps to stop other similar breaches in the future. The breach was published in HHS’ Office for Civil Rights breach portal indicating that 934 people were impacted.

Two draft cybersecurity practice guides about ransomware and other harmful incidents were published by the National Cybersecurity Center of Excellence at NIST (NCCoE). The first guide is about identifying and protecting assets (SP 1800-25)  while the second guide is about identifying and responding to cyberattacks that jeopardize data integrity (SP 1800-26).

The guides are meant to be utilized by executives, system administrators, chief Information security officials, or people who have a role in securing the information, privacy, and overall operational security of their organizations. It is made up of the following three volumes:

• an executive summary
• approach, architecture and security characteristics
• how-to guides

The first guide talks about the first two primary functions of Identify and Protect of the NIST Cybersecurity Framework. Businesses must do something to secure their assets against ransomware, damaging malware, accidental data loss, and malicious insiders. So as to secure their assets, businesses should first determine their location and then take the required steps to secure those assets against a data damaging event.

To create the first guide, NCCoE investigated several strategies that could be utilized to discover and secure assets from various kinds of data integrity attacks in a variety of conditions. One sample solution was developed in the NCCoE laboratory using commercially accessible solutions to offset attacks prior to their occurrence. The sample solution utilizes solutions such as having safe storage, creating data backups, VMs, and file systems, generating activity logs, helping with asset inventory, and offering integrity monitoring mechanisms.

By utilizing the cybersecurity guide, businesses could identify their assets, evaluate vulnerabilities as well as the reliability and activity of systems to get ready for any attack. Backups may then be made and secured to assure data integrity. The guide additionally helps businesses manage their conditions by evaluating machine posture.

The second guide talks about the primary functions Detect and Respond of the NIST Cybersecurity Framework. The guide explains how organizations could keep track of data integrity and take action immediately to a security event in real-time. A quick response is essential to deal with a data integrity incident to limit the problems created. A quick response could significantly limit the damages and ensure a fast recovery.

The guide addresses event discovery, vulnerability control, reporting functions, mitigation, and containment, and gives comprehensive data on techniques, toolsets to employ, and methods to choose to support the security team’s reaction to a data integrity incident. The sample solution includes several systems working jointly to identify and respond to data corruption incidents in regular enterprise components like databases, mail servers, endpoints, file share servers, and VMs.

NCCoE is looking forward to receiving industry stakeholders’ feedback on the new guides on or before February 26, 2020.

The Iowa Department of Human Services sent notification letters to 4,784 people regarding the potential compromise of their protected health information (PHI).

On November 25, 2019, a member of the department staff threw away documents that contain the PHI of Dallas County customers in a regular garbage dumpster. The records should have been shredded prior to disposal. The improper disposal was discovered late as the dumpster was already emptied. An investigation of the incident revealed that the custodial employee who threw away the paperwork did not know that the content of the documents were confidential data.

It was impossible to identify the names of the patients affected, and so the Iowa Department of Human Services sent notification letters to all people potentially affected by the breach. The information contained in the documents likely included names, birth dates, mailing addresses, Social Security numbers, driver’s license numbers, disability data, medical details, banking and wage data, receipt of Medicaid, mental health data, names of provider, prescription medications, and data on substance abuse and illegal drug use.

Impermissible Disclosure of Prescription Data of Cedarbrook Nursing Home Residents

Cedarbrook nursing home in Lehigh County, PA sent notification letters to 688 residents because their prescription data was inadvertently shared with firms wanting to tender for the pharmacy contract of the nursing home.

Cedarbrook nursing home sent an email with the wrong file attachment to 16 firms in December 2018. The correct file included invoice data showing the medicines prescribed from October to November. The attached file also listed the names of the patients who were given those prescribed medicines.

The mistake was uncovered immediately. Cedarbrook nursing home requested all 16 companies to delete the file. All 16 HIPAA-covered companies confirmed that they have deleted the file.

As a precautionary measure, all affected persons received a notification regarding the privacy breach. It is believed that there is a low risk of patient data misuse. The nursing home has updated its procurement procedures and necessitate supervisory inspection of the outgoing contract information prior to dispatch.