Quest Diagnostics Settlement of 2016 Data Breach Gets Final Approval

A federal judge has finalized the approval of a settlement involving Quest Diagnostics Inc. to resolve a class-action lawsuit over its 2016 data breach. The medical laboratory firm based in New Jersey will pay a $195,000 settlement, which gives every breach victim up to $325 compensation.

On November 26, 2016, hackers accessed the Care360 MyQuest mobile app, which patients use to store and share their test results and book consultations. The app stored names, telephone numbers, dates of birth, and lab test results which, for a number of patients, included their HIV test results. The breach affected 34,000 patients.

According to the class-action lawsuit filed on behalf of breach victims in 2017, Quest Diagnostics was negligent in protecting the sensitive data of app users. The lawsuit states that even though Quest Diagnostics knew it was storing sensitive Private Information, making that information valuable and vulnerable to cyber attackers, it failed to take adequate measures to secure users’ information. The plaintiffs additionally claimed that Quest Diagnostics did not provide timely, accurate, and adequate notification of the breach.

In the fall of 2019, Quest Diagnostics submitted a settlement proposal that provides compensation to the breach victims in order to avoid further legal expenses and the uncertainty of ongoing litigation. The proposal provides up to $325 per breach victim, an amount that reflects the strengths and weaknesses of the claims and defenses in the case. Quest Diagnostics and the other defendants in the case did not admit any wrongdoing.

A federal judge gave preliminary approval to the settlement in October 2019. Final approval was granted on February 25, 2020.

Each class member may claim up to $325, consisting of up to $250 for documented out-of-pocket costs incurred because of the breach. An additional $75 may be claimed by each patient whose HIV test results were exposed, even if the patient suffered no losses. Class members must submit a claim to receive a share of the settlement, and claims must be submitted by May 22, 2020.

A separate class-action lawsuit has been filed against Care360 and Quest Diagnostics over the 2019 theft of roughly 12 million patient records from the American Medical Collection Agency (AMCA), its business associate. The plaintiffs in that case likewise allege that the defendants were negligent in failing to safeguard their personal and protected health information (PHI) and failed to provide timely and appropriate notifications.

The First HIPAA Penalty of 2020 Announced By the HHS’ Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D. has paid a $100,000 financial penalty to resolve potential HIPAA Security Rule violations and will undertake a corrective action plan to address all aspects of noncompliance identified during the compliance investigation.

Dr. Porter’s practice in Ogden, UT provides gastroenterological care to over 3,000 patients. OCR launched an investigation after receiving a data breach report on November 13, 2013. The breach involved the business associate of Dr. Porter’s electronic health record (EHR) company, which was allegedly impermissibly using patients’ electronic medical records by blocking the practice’s access to PHI until Dr. Porter paid it $50,000.

The breach investigation revealed the following serious HIPAA Security Rule violations by the practice:

  • Dr. Porter had not carried out a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(i)
  • The practice had not reduced risks to a reasonable and appropriate level
  • The practice had not implemented policies and procedures to prevent, detect, contain, and correct security violations

Since 2013, the practice had permitted Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on its behalf without first obtaining satisfactory assurances that the company would implement safeguards to ensure the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(b).

During the investigation, OCR provided substantial technical assistance, yet no risk analysis was carried out after the breach and no appropriate security measures were implemented to reduce risks to a reasonable and appropriate level.

The financial penalty highlights the need for healthcare organizations of all sizes to take their obligations under HIPAA seriously. Failure to comply with fundamental HIPAA requirements, such as having an accurate and comprehensive risk analysis and risk management plan, remains an unacceptable and troubling trend within the healthcare sector.

NIST Issues a Roadmap for Regional Alliances and Partnerships to Develop the Cybersecurity Workforce

The National Institute of Standards and Technology (NIST) has issued a cybersecurity education and workforce development roadmap based on information gathered from five pilot Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) Cybersecurity Education and Workforce Development programs.

There is currently a worldwide shortage of cybersecurity professionals, and the problem is getting worse. Data from CyberSeek.org show that 313,735 cybersecurity job openings were posted between September 2017 and August 2018, and the 2017 Global Information Security Workforce Study projects that 1.8 million cybersecurity professionals will be needed to fill open positions by 2022.

To help address the shortage, the National Initiative for Cybersecurity Education (NICE), led by NIST, funded the pilot programs in September 2016. The RAMPS pilot programs were intended to energize and promote a robust network and ecosystem of cybersecurity education, training, and workforce development.

The pilot programs aimed at:

  • creating regional alliances that align the workforce needs of businesses and non-profit organizations with the learning objectives of education and training providers
  • growing the pipeline of students entering cybersecurity careers
  • educating more Americans and placing them in middle-class cybersecurity jobs
  • supporting local economic development to promote job growth

The principal aim of the programs is to facilitate partnerships between employers with cybersecurity skills gaps and educators who can help develop a skilled workforce to meet industry needs. The following alliances ran the pilot programs:

  • Arizona Statewide Cyber Workforce Consortium
  • the Cyber Prep Program in Southern Colorado
  • Cincinnati-Dayton Cyber Corridor
  • the Partnership to Advance Cybersecurity Education and Training in New York City and the Capital District
  • the Hampton Roads Cybersecurity Education, Workforce and Economic Development Alliance in Southeast Virginia

Each pilot program took a different approach to addressing the shortage of skilled cybersecurity workers in its region. Common challenges encountered by the programs included:

  • employers unable to articulate their cybersecurity needs
  • a disconnect between workforce supply and demand
  • a lack of coordination of resources for education and workforce development programs
  • difficulty retaining skilled cybersecurity workers in small communities

The roadmap draws on the successes of each program and includes guidance on how common challenges can be addressed, along with recommendations and lessons learned from running the pilot programs.

The four main components required to build successful alliances to promote and develop the cybersecurity workforce are:

  • Understanding program goals and metrics
  • Developing strategies and tactics
  • Measuring impact and results
  • Sustaining the effort

The document gives examples of each of these activities that proved successful in the pilot programs.

The document is not intended to be a how-to guide for establishing successful regional alliances, but it will be useful to those seeking guidance on how to manage and facilitate regional efforts to enhance cybersecurity education and workforce development. To develop a successful cybersecurity education and workforce development plan, local and regional experts must contribute their insight, as they are the ones familiar with the cybersecurity needs of their communities.

The document, A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce, can be downloaded from NIST (PDF).

Class Action Lawsuit Filed Against UW Medicine Over 974,000-Record Data Breach

A lawsuit has been filed in King County Superior Court against the University of Washington Medicine over a data breach that exposed the protected health information (PHI) of patients.

The lawsuit was filed because a misconfigured server caused a data breach in December 2018 that exposed the PHI of 974,000 patients over the internet. The misconfigured server hosted an accounting of disclosures database. The information potentially exposed included patient names, medical record numbers, a list of the entities that had received patient data, and the purpose of each disclosure. For some patients, the exposed data also included information about a research study they took part in, their health condition, and the name of the laboratory test performed. For certain patients, sensitive information was exposed, such as the fact that the patient had taken an HIV test and, in some instances, the patient’s HIV status. No Social Security numbers, financial information, health insurance information, or medical records were exposed.

The server misconfiguration occurred on December 4, 2018. UW Medicine learned of the breach when a patient found a file containing their medical information indexed by Google. On December 26, 2018, UW Medicine identified and fixed the misconfiguration.

UW Medicine stated in a press release issued on February 20, 2019 that access to the database had been unsecured for three weeks. UW Medicine worked directly with Google to have all indexed data removed from Google’s servers, a process that was completed on January 10, 2019.

The lawsuit alleges that UW Medicine was negligent and failed to adequately secure the PHI of its patients and did not notify patients promptly after the breach. Patients allegedly suffered injury, distress, and reputational damage because of the breach, and face a greater risk of identity theft, abuse, and fraud.

The lawsuit also cites a previous UW Medicine data breach as further evidence of ineffective data security practices. That 2013 breach was a malware infection that occurred after an employee opened an infected email attachment. The malware attack affected 90,000 patients.

The HHS’ Office for Civil Rights investigated that breach and found that UW Medicine had violated the HIPAA Security Rule by failing to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations. UW Medicine settled the case in 2015 by paying OCR $750,000 and agreeing to a corrective action plan, which included conducting a comprehensive analysis of security risks and vulnerabilities and creating an organization-wide risk management plan.

The plaintiffs allege that UW Medicine’s ineffective security practices have now exposed the PHI of about one million patients, far exceeding the impact of the 2013 breach, in violation of its statutory and professional standard of care obligations and of the Plaintiffs’ and the Class’s reasonable expectations when they decided to enter into a patient-provider relationship with UW Medicine, thereby diminishing the value of the services UW Medicine provided and for which its patients paid.

The lawsuit seeks full disclosure of the data that was exposed, statutory damages and attorneys’ fees, and an order requiring UW Medicine to adopt adequate security practices and measures to prevent further data breaches.

Legal Case Filed Against Hackensack Meridian Health Over December Ransomware Attack

Hackensack Meridian Health in New Jersey is facing a lawsuit over the December 2, 2019 ransomware attack that affected 17 of its hospitals.

The ransomware attack temporarily disrupted healthcare services, as hospital staff could not access medical records while systems were offline. Systems remained offline for several days while data was recovered. Staff continued to provide care, recording patient data with pen and paper, and some non-urgent procedures were canceled.

Immediate measures were taken to secure systems and restore data, and doctors, nurses, and clinical staff worked around the clock to maintain patient safety throughout the attack and the recovery process. To restore systems as quickly as possible and avoid ongoing disruption to healthcare services, Hackensack Meridian Health decided to pay the ransom. The health system’s comprehensive insurance policy covered the cost of the ransom payment as well as its remediation and recovery expenses.

Forensic specialists were engaged to investigate and determine whether patient information was compromised. No evidence was found to indicate that the attackers stole any patient information.

Although Hackensack Meridian Health appears to have done what it could to limit the harm to patients and restore systems and data as quickly as possible, that has not prevented legal action.

A proposed class-action lawsuit was filed in a Newark district court. The two plaintiffs are seeking compensation, statutory damages and penalties, reimbursement of out-of-pocket expenses, and injunctive relief requiring Hackensack Meridian Health to improve its security systems, undergo annual data security audits, and provide breach victims with three years of free credit monitoring services.

The plaintiffs claim Hackensack Meridian Health negligently managed its network, leaving its systems vulnerable to attack, and therefore failed to adequately secure patient data. The lawsuit also alleges that the attack seriously disrupted the care provided to patients, forcing them to seek care and treatment elsewhere.

According to Hackensack Meridian Health’s investigation, no evidence of data theft was found, yet the plaintiffs claim that the attackers stole their personal and protected health information (PHI) and exposed it to other unidentified criminals, leaving them at an increased and imminent risk of identity theft and fraud.

Moreover, the plaintiffs allege that Hackensack Meridian Health did not report the ransomware attack to the Department of Health and Human Services’ Office for Civil Rights, and did not notify the affected patients about the breach.

As of February 19, 2020, the incident had not yet been published on the OCR breach portal, although that does not necessarily mean it was not reported. There is generally a delay between the submission of a report to OCR and the posting of the incident on the breach portal.

Breach notifications may also be delayed while the breach investigation is ongoing. It can take time to determine which patients were affected and to obtain up-to-date contact details for mailing notices. Under prior OCR guidance, patient notifications are generally required following ransomware attacks; however, they are not mandatory if the covered entity can demonstrate a low probability that PHI was compromised.

It is becoming increasingly common for patients to sue covered entities over ransomware attacks. Several lawsuits have recently been filed on behalf of patients affected by ransomware attacks, and given the number of threat groups that now steal data before encrypting files, more lawsuits are to be expected.

Senator Gillibrand’s Data Protection Act Proposal and the Creation of Federal Data Protection Agency

Senator Kirsten Gillibrand has introduced a new Senate bill, the Data Protection Act, which aims to establish new data privacy standards and strengthen consumers’ rights over their personal information. At present, a large number of companies collect and use consumer data, and in many instances companies profit from consumers’ personal data without their knowledge.

Under the California Consumer Privacy Act (CCPA), California consumers have been granted greater rights over their personal information, but many other U.S. consumers have little control over the collection, use, and sale of their personal data.

Sen. Gillibrand’s Data Protection Act is intended to bring consumer privacy protections and freedoms into the digital age. The Act calls for the creation of a new consumer watchdog agency, the Data Protection Agency (DPA), whose task would be to protect consumer data and privacy and to ensure fair and transparent data practices. The Director of the DPA would be appointed by the President and confirmed by the Senate, and would serve a 5-year term.

The DPA would have the authority to define, adjudicate, and enforce data protection rules created by Congress or by the DPA itself. It would be able to impose civil monetary penalties on organizations that violate consumer privacy and to grant injunctive relief and equitable remedies.

The DPA would accept consumer complaints, conduct investigations, and inform the public about data protection concerns, including publishing the results of investigations into entities that misuse consumer data. The DPA would also be tasked with advising Congress on emerging privacy and technology issues and would represent the United States in international data privacy forums.

The DPA would promote data protection and privacy innovation across the private and public sectors, support the development of Privacy Enhancing Technologies (PETs) that limit or eliminate the collection of personal data, and take action to prevent “take-it-or-leave-it” and “pay-for-privacy” terms in service contracts.

The Data Protection Act would also help close privacy gaps for health information not protected by HIPAA, such as the health information collected by fitness trackers and wellness apps. The companies that develop such apps collect data for various reasons and could sell it to a health insurer, which in turn could charge a higher premium to people who do not get enough physical activity.

Sen. Gillibrand stated that the U.S. is the only OECD member without a federal data protection agency to ensure that consumers’ personal data is not misused and to take action when it is. Companies are exploiting data, ignoring rules, putting profits ahead of responsibility, and treating consumers as dollar signs, with little regard for the long-term consequences.

The Data Protection Act is supported by a number of technology, privacy, and civil rights organizations, such as Color of Change, Public Citizen, Center for Digital Democracy, Consumer Action, Consumer Federation of America, and the Electronic Privacy Information Center.

eHI and CDT Collaboration in Developing a Consumer Privacy Framework for Health Data not Protected by HIPAA

The eHealth Initiative (eHI) has partnered with the Center for Democracy & Technology (CDT) to create a new consumer privacy framework for health information not protected by the Health Insurance Portability and Accountability Act (HIPAA) Rules.

Personally identifiable health data collected, stored, maintained, processed, or transmitted by HIPAA-covered entities and their business associates is protected by the HIPAA Privacy and Security Rules. When the same data is collected, stored, maintained, processed, or transmitted by an entity not covered by HIPAA, the law does not require those protections.

Health information is now collected, stored, and transmitted by wearable devices, health and wellness apps, and educational health websites. Without HIPAA-like protections, the privacy of consumer health data is at risk.

The Robert Wood Johnson Foundation has provided eHI and CDT with funding for the Building a Consumer Privacy Framework for Health Data project. A Steering Committee for Consumer Health Privacy has been formed with experts and leaders from healthcare, technology, consumer groups, and privacy advocacy groups. The Steering Committee will consider the steps needed to protect the privacy of health information not covered by HIPAA and will evaluate different strategies for addressing the complexities of securing non-HIPAA-covered health information.

Jennifer Covich Bordenick, Chief Executive Officer of eHI, explained that the project focuses on ‘health-ish’ data not protected by HIPAA or other health privacy regulations, and that it is vital to bring together a broad and diverse group of collaborators to work on these major issues.

The Steering Committee’s first meeting was held on February 11, 2019 in Washington DC. Participants included 23andMe, Ascension, Change Healthcare, American Hospital Association, American College of Physicians, American Medical Association, Electronic Frontier Foundation, Fitbit, Elektra Labs, Future of Privacy Forum, Hogan Lovells, Hispanic Technology and Telecom Partnership, Microsoft, Salesforce, National Partnership for Women & Families, Under Armour, Waldo Law Offices, UnitedHealth Group, Yale University, and Wellmark Blue Cross and Blue Shield.

Further Steering Committee meetings will be held throughout 2020, and smaller workgroups will be formed to focus on particular areas of the privacy framework. CDT and eHI are inviting privacy experts, consumer organizations, and businesses that handle genomic, wearable, and social media data to join the project.

Lisa Hayes, Interim Co-Chief Executive Officer of CDT, said that consumers are increasingly skeptical about the use of their data, especially sensitive health-related data, and expressed hope that the framework will provide greater privacy rights and protections to consumers who use modern digital health and wellness services.

PHI of 654,000 Members of Health Share of Oregon Potentially Compromised in a Business Associate Data Breach

Health Share of Oregon, the Medicaid coordinated-care organization in Oregon, has begun notifying around 654,000 current and former members that a laptop computer containing some of their protected health information (PHI) was stolen from GridWorks, its transportation vendor.

GridWorks was contracted to administer Health Share’s Ride to Care program, which provides non-emergency transportation for its members.

Health Share’s policy requires business associates to encrypt all portable devices containing patient data; however, for reasons that remain unclear, GridWorks had not encrypted the laptop. The PHI stored on the laptop included names, contact phone numbers, addresses, birth dates, Medicaid numbers, Health Share ID numbers, and Social Security numbers.

The laptop was stolen in November 2019 during a burglary at GridWorks’ office. GridWorks informed Health Share of the theft on January 2, 2020. On February 5, Health Share began mailing notification letters to everyone whose PHI was stored on the laptop and offered the affected individuals 12 months of complimentary credit monitoring and identity theft protection services.

Health Share subjects its vendors to security audits; the last audit of GridWorks was in March 2019. In response to the breach, Health Share will expand its vendor security audit program, take steps to ensure that vendors receive only the minimum necessary patient data, and improve its employee training policies.

In October 2019, Health Share announced that CareOregon, a nonprofit health plan, would take over administration of the Ride to Care program. GridWorks had failed to pay a number of transportation providers that supplied rides under the program. In December 2019, GridWorks entered receivership and will cease operations once administration of the Ride to Care program has been fully transferred to CareOregon.

Florida Clinic Worker Pleads Guilty for Wire Fraud and Aggravated Identity Theft

Stacey Lavette Hendricks, a 49-year-old resident of Leesburg, FL and former medical clinic employee, has pleaded guilty to wire fraud and aggravated identity theft. She was found to have impermissibly accessed patients’ protected health information (PHI) and contacted identity thieves to sell the information.

As an administrative employee at a number of Florida medical clinics, Hendricks had access to patients’ PHI, which she used to steal patient data from the unnamed clinics. The stolen information included names, birth dates, and Social Security numbers. Hendricks sold the data to identity thieves and also used it herself to defraud businesses.

The United States Secret Service investigated the case and arrested Hendricks after she attempted to sell stolen patient data to an undercover agent. Law enforcement officers obtained a warrant to search her house and car and found information on 113 different patients that Hendricks had stolen from the medical clinics.

Hendricks was charged in the United States District Court for the Middle District of Florida in Ocala and pleaded guilty to the following charges:

  • two counts of fraud with identification documents: aggravated identity theft and possession of means of identification with intent to commit a felony
  • one count of wire fraud

A sentencing date has not yet been set. Hendricks faces a maximum of 20 years in prison for the wire fraud charge, and aggravated identity theft carries a mandatory consecutive 2-year prison term.

Data Breaches at Manchester Ophthalmology, Cook County Health and UnitedHealthcare

A cyberattack on Manchester Ophthalmology in Connecticut allowed attackers to gain access to patient data. The eye care provider discovered the attack on November 25, 2019, when employees noticed unusual activity on its systems. A third-party technology company helped investigate the incident and determined later that day that hackers had gained access to the systems and attempted to deploy ransomware. The hackers had network access from November 22, 2019 to November 25, 2019. Manchester Ophthalmology was able to promptly terminate the remote access and prevent data encryption.

No evidence was found to indicate that the attackers accessed or downloaded any patient data; however, the investigators confirmed that some patient data had not been backed up and could not be recovered. The lost information included patient names, medical histories, and information on the care patients received at Manchester Ophthalmology.

Patients were advised to be vigilant and to monitor their explanation of benefits statements and accounts for any sign of fraud. Manchester Ophthalmology provided employees with additional training on properly backing up all data.

The breach summary submitted to the Department of Health and Human Services’ Office for Civil Rights states that the breach affected 6,846 patients.

Mailing Error at Cook County Health

Cook County Health, based in Chicago, IL, has begun notifying 2,713 people that some of their protected health information (PHI) was sent to a third-party vendor in error. The information, relating to participants in the #keepingitLITE research study, was forwarded to a vendor engaged to help mail research data.

The list of research participants, including their names, physical addresses, and email addresses, was sent to the vendor before a business associate agreement (BAA) had been signed. A BAA documents a vendor’s agreement to implement safeguards to protect data privacy and security. Without a BAA, Cook County Health has no assurance that the vendor has satisfactory safeguards in place.

Steps have been taken to ensure the same error does not happen again.

Data Breach at UnitedHealthcare

On January 31, 2020, the health insurer UnitedHealthcare of Minnetonka, MN, reported a 2019 data breach that potentially compromised the private data of some of its members in South Carolina.

UnitedHealthcare learned of the breach on December 10, 2019 and determined that an unauthorized person had accessed members’ health information through its member portal between July 30, 2019 and November 13, 2019. The compromised information was limited to members’ first and last names, health plan data, and medical claims information.

UnitedHealthcare reported the incident to law enforcement and is assisting with the investigation. The health insurer has already taken steps to prevent similar breaches in the future. The breach has been posted on the HHS’ Office for Civil Rights breach portal as affecting 934 people.

Two Draft Cybersecurity Practice Guides on Ransomware and Other Data Integrity Events Published by NIST

Two draft cybersecurity practice guides on ransomware and other destructive events have been published by the National Cybersecurity Center of Excellence (NCCoE) at NIST. The first guide covers identifying and protecting assets (SP 1800-25), while the second covers detecting and responding to cyberattacks that jeopardize data integrity (SP 1800-26).

The guides are intended for executives, system administrators, chief information security officers, and anyone else with a role in securing the information, privacy, and overall operational security of their organizations. Each guide consists of the following three volumes:

  • an executive summary
  • approach, architecture, and security characteristics
  • how-to guides

The first guide covers the Identify and Protect core functions of the NIST Cybersecurity Framework. Organizations must take steps to protect their assets against ransomware, destructive malware, accidental data loss, and malicious insiders. To protect their assets, organizations must first determine where those assets are located and then take the necessary steps to secure them against a data-damaging event.

To develop the first guide, NCCoE explored several approaches for identifying and protecting assets against various kinds of data integrity attacks in a variety of scenarios. An example solution was built in the NCCoE laboratory using commercially available products to mitigate attacks before they occur. The example solution provides capabilities such as secure storage, backups of data, virtual machines, and file systems, activity logging, asset inventory support, and integrity monitoring.

By following the guide, organizations can identify their assets and assess vulnerabilities, system integrity, and system activity to prepare for an attack. Backups can then be made and secured to assure data integrity. The guide also helps organizations manage their environments by assessing machine posture.

The second guide addresses the Detect and Respond functions of the NIST Cybersecurity Framework. It explains how organizations can monitor data integrity and respond to a security event in real time. A quick response to a data integrity incident is essential: it limits the damage caused and enables a fast recovery.

The guide covers event detection, vulnerability management, reporting, mitigation, and containment, and gives detailed information on the techniques, toolsets, and methods that can support a security team's response to a data integrity incident. The sample solution consists of several systems working together to detect and respond to data corruption incidents in common enterprise components such as databases, mail servers, endpoints, file share servers, and VMs.
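The two guides hinge on a simple idea: record a known-good baseline of your assets and their backups (Identify/Protect), then watch for drift from that baseline (Detect). The following Python script is an added illustration of that idea, written for this article; it is not code from NIST, the NCCoE, or either practice guide. It builds a SHA-256 baseline of a file share, verifies an offline backup copy against that baseline, and then flags modified, renamed, and newly dropped files after a simulated destructive event. The directory layout, file names, and contents (`share/patients/labs.csv`, `RANSOM_NOTE.txt`, and so on) are constructed sample data, not real patient records.

```python
"""
File-integrity baseline, backup verification, and drift detection.
Added illustration for the NCCoE data-integrity guides discussed above;
not code from NIST or the NCCoE sample solution.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256 digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return added, removed and modified paths relative to the stored baseline.

    A ransomware-style event typically shows up as many 'modified' entries
    (encrypted in place), 'removed' plus 'added' pairs (renamed with a new
    extension), and a few unexpected 'added' files (ransom notes).
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in current.keys() & baseline.keys() if current[p] != baseline[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def verify_backup(backup_root: Path, baseline: dict) -> list:
    """Return baseline files whose backup copy is missing or has a different digest.

    An empty list means the backup still matches the known-good state and can
    be used for recovery.
    """
    problems = []
    for rel, digest in baseline.items():
        candidate = backup_root / rel
        if not candidate.is_file() or sha256_file(candidate) != digest:
            problems.append(rel)
    return sorted(problems)


def demo() -> dict:
    """Constructed scenario: baseline a share, back it up, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "share"        # constructed sample file share
        backup = Path(tmp) / "backup"     # constructed offline backup location
        (live / "patients").mkdir(parents=True)
        (live / "patients" / "labs.csv").write_text("id,result\n1,negative\n")
        (live / "readme.txt").write_text("file share\n")

        # Identify/Protect: record the known-good state and take a backup of it.
        baseline = build_baseline(live)
        shutil.copytree(live, backup)
        backup_ok_before = verify_backup(backup, baseline)

        # Simulated destructive event on the live share: one file overwritten
        # with garbage, one renamed with a new extension, one note dropped.
        (live / "patients" / "labs.csv").write_bytes(b"\x00\xffgarbage")
        (live / "readme.txt").rename(live / "readme.txt.locked")
        (live / "RANSOM_NOTE.txt").write_text("pay up\n")

        # Detect: compare the live share against the baseline.
        drift = compare_to_baseline(live, baseline)

        # Also show that tampering with the backup itself is caught.
        (backup / "readme.txt").write_text("tampered\n")
        backup_problems_after = verify_backup(backup, baseline)

        return {
            "drift": drift,
            "backup_ok_before": backup_ok_before,
            "backup_problems_after": backup_problems_after,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline would be stored somewhere the monitored host cannot overwrite (the guides' point about keeping a backup copy off the network applies to the hash database too), and the comparison would run on a schedule or from a file-change watcher rather than on demand.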

NCCoE is accepting feedback from industry stakeholders on the new guides until February 26, 2020.

Data Breaches at Iowa Department of Human Services and Cedarbrook Nursing Home

The Iowa Department of Human Services sent notification letters to 4,784 people regarding the potential compromise of their protected health information (PHI).

On November 25, 2019, a member of the department's staff threw documents containing the PHI of Dallas County customers into a regular garbage dumpster. The records should have been shredded before disposal. The improper disposal was discovered too late: the dumpster had already been emptied. An investigation revealed that the custodial employee who threw away the paperwork did not know that the documents contained confidential data.

It was impossible to identify which patients were affected, so the Iowa Department of Human Services sent notification letters to everyone potentially affected by the breach. The documents likely contained names, birth dates, mailing addresses, Social Security numbers, driver's license numbers, disability data, medical details, banking and wage data, receipt of Medicaid, mental health data, provider names, prescription medications, and data on substance abuse and illegal drug use.

Impermissible Disclosure of Prescription Data of Cedarbrook Nursing Home Residents

Cedarbrook nursing home in Lehigh County, PA sent notification letters to 688 residents after their prescription data was inadvertently shared with firms bidding for the nursing home's pharmacy contract.

In December 2018, Cedarbrook nursing home sent an email with the wrong file attached to 16 firms. The attached file contained invoice data listing the medicines prescribed from October to November, along with the names of the patients who received them.

The mistake was discovered immediately. Cedarbrook nursing home asked all 16 companies to delete the file, and all 16 HIPAA-covered companies confirmed that they had done so.

As a precaution, all affected persons were notified of the privacy breach. The risk of misuse of patient data is believed to be low. The nursing home has updated its procurement procedures and now requires supervisory review of outgoing contract information before it is sent.

Beaumont Health Reports a 20-Month Insider Breach

Southfield, MI-based Beaumont Health, a non-profit 8-hospital health system, discovered that a former employee had accessed patients' medical records without authorization and potentially shared protected health information (PHI) with a third party.

Upon discovering the unauthorized access, the hospital system launched an internal investigation. A review of the former employee's access logs revealed that the unauthorized access first occurred on February 1, 2017 and persisted until October 22, 2019. The provider discovered the breach in December 2018.

Beaumont Health's internal investigation confirmed on December 10, 2019 that the former employee had accessed the medical records of 1,182 patients over a span of 20 months. The information potentially obtained and disclosed included names, email addresses, postal addresses, contact telephone numbers, birth dates, Social Security numbers, health insurance information, and the reason for seeking medical care.

The individual to whom the employee disclosed the information was affiliated with a personal injury lawyer. Most of the patients whose information was accessed had received treatment for injuries suffered in motor vehicle accidents.

As soon as the unauthorized access was confirmed, Beaumont Health fired the employee for violating hospital policies and HIPAA. The breach was reported to law enforcement, and Beaumont Health said it will assist law enforcement in the event of a prosecution. The breach was also reported to the Michigan Health and Hospital Association.

Beaumont Health mailed notification letters to all affected patients. Patients whose Social Security numbers were compromised were also offered credit monitoring and identity theft protection services. Patients were advised to stay alert to the threat of identity theft and fraud, to review their explanation of benefits statements and accounts carefully, and to report any suspicious activity.

To prevent the occurrence of similar breaches, Beaumont Health updated its internal policies and procedures.

Ex-VA Employee Received Sentence for Leaking Medical Records of Former Army Major

Jeffrey Miller, 40, of Huntington, WV, a former employee of the Department of Veterans Affairs' Benefits Administration, has been sentenced for unauthorized access to the healthcare records of veterans and for disclosing the health records of a former U.S. Army major who ran for Congress in West Virginia.

Miller pleaded guilty to accessing the healthcare data of 6 veterans, including former Army Major Richard Ojeda. He photographed the records and sent the pictures to an associate. The photo of Ojeda's health records was later passed to high-ranking Republicans in an attempt to influence his 2018 campaign for West Virginia's 3rd Congressional District.

The federal court sentenced Miller on January 21, 2020 to 6 months in jail.

House Energy and Commerce Committee Will Draft a Bipartisan Federal Data Privacy Bill

The House Energy and Commerce Committee has published a discussion draft of a new bipartisan data privacy bill. The draft bill sets out national standards for privacy and security and proposes limits on how U.S. organizations collect, use, and retain consumer information.

The draft legislation would require every company to establish a privacy program and to publish a privacy policy, written in plain language, that makes clear what data the company collects, how long it is used and retained, and who has access to it.

Companies would also have to implement data security measures appropriate to the size of the business and the nature of its data activities. In the event of a breach of consumer information, businesses would have to report it to the Federal Trade Commission (FTC).

The FTC would create a Bureau of Privacy to make rules, provide guidance, and enforce compliance. The FTC would also set data retention time limits and create regulations governing the disclosure of personal data to third parties.

The bill would give consumers more control over their personal data and how businesses use it. Consumers would have the right to access and correct their data, the right to control who can access their personal information, and the right to have businesses delete their personal information.

So that consumers know which organizations hold their personal information, the draft bill calls for the creation of a consolidated registry of data brokers. Consumers could consult the registry to find out who holds a copy of their data and how to access, correct, and demand deletion of it.

An Energy and Commerce Committee representative said the purpose of the draft is to protect consumers and set transparent rules for data collectors, and that it is the product of several months of hard work and close collaboration between Democratic and Republican Committee staff.

The draft was released after a Senate Commerce Committee hearing on two rival data privacy bills proposed by Senate Commerce Committee Chairman Roger Wicker (R-Miss) and Senator Maria Cantwell (D-Wash). There is not yet agreement on what the bill should contain, but both sides agreed that the legislation should be bipartisan.

The two key points of contention between the rival bills are:

  • Should the federal privacy bill preempt state laws?
  • Should there be a private cause of action?

Sen. Cantwell's bill proposes a private cause of action allowing consumers to sue companies that violate their privacy; Sen. Wicker opposes this. Sen. Wicker's bill would replace state laws with the new federal privacy law, whereas Sen. Cantwell proposes keeping state laws in place to give consumers more protection. The House discussion draft sidesteps both issues.

Industry stakeholders can submit their feedback on the draft legislation until mid-January 2020.

Ambulance Company Pays OCR $65,000 to Settle HIPAA Violation Case

The Department of Health and Human Services' Office for Civil Rights (OCR) has reached a settlement with West Georgia Ambulance, Inc., under which the company will pay $65,000 to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR began investigating the Carroll County, GA ambulance company after receiving a breach notification on February 11, 2013 regarding the loss of an unencrypted laptop computer containing the protected health information (PHI) of 500 patients. According to the breach report, the laptop fell from the ambulance's rear bumper and was never recovered.

The investigation uncovered longstanding noncompliance with several HIPAA Rules. OCR found that West Georgia Ambulance:

  • failed to perform a comprehensive, organization-wide risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
  • failed to provide its employees with a security awareness training program (45 C.F.R. § 164.308(a)(5))
  • failed to implement HIPAA Security Rule policies and procedures (45 C.F.R. § 164.316)

OCR provided technical assistance to help West Georgia Ambulance address its compliance failures, but despite that assistance, OCR reported that the company took no meaningful steps to correct the areas of noncompliance. A financial penalty was therefore issued.

In addition to the $65,000 financial penalty, West Georgia Ambulance must adopt a corrective action plan addressing all areas of noncompliance identified by OCR. OCR will monitor West Georgia Ambulance's HIPAA compliance program for two years to ensure it follows the HIPAA Rules.

Patients being transported in the back of an ambulance should not have to worry about the privacy and security of their medical data. All providers, large and small, should take their HIPAA obligations seriously.

This is the tenth OCR HIPAA financial penalty of 2019. In total, OCR collected $12,274,000 in financial penalties in 2019 to settle noncompliance cases.

HIPAA Enforcement Activities in November 2019

In November 2019, three financial penalties were imposed on HIPAA-covered entities to settle HIPAA violations.

University of Rochester Medical Center (URMC) paid OCR $3,000,000 to resolve its HIPAA violation case. OCR began investigating URMC after receiving two breach notifications involving lost or stolen devices. In 2010, OCR investigated URMC after the loss of the first device and offered the medical center technical assistance. At that time, URMC already knew that storing ePHI on portable devices carried a high risk and that encryption was necessary. However, URMC did not implement the needed controls and continued to use unencrypted portable electronic devices. When OCR investigated URMC again after the theft of a laptop computer, investigators determined that URMC had failed in three respects: to perform an organization-wide risk analysis, to reduce risks to a reasonable and appropriate level, and to implement the required device and media controls.

Sentara Hospitals settled its HIPAA violations by paying OCR $2,175,000. OCR opened a compliance investigation after receiving a complaint from a patient in April 2017. The patient had received a bill from Sentara that contained the protected health information (PHI) of another patient. Sentara Hospitals' breach report stated that only 8 persons were affected; however, OCR learned that 577 letters had been sent in error to 16,342 different guarantors. Sentara Hospitals declined to correct its breach report with the new figure. OCR also found that Sentara Hospitals had failed to sign a business associate agreement with one of its vendors.

The Texas Department of Aging and Disability Services (DADS) was issued a sizable financial penalty. In 2015, DADS reported to OCR a breach affecting the ePHI of 6,617 patients. A flaw in a web application allowed unauthorized people to view the patients' ePHI over the internet. The ePHI was exposed for about 8 years. OCR's investigation found that DADS had not conducted an organization-wide risk analysis, did not have adequate access controls, and did not monitor information system activity. DADS paid a $1.6 million penalty to settle the case.

HIPAA Compliance of Amazon Lex

Amazon recently announced that the Amazon Lex chatbot service now supports Health Insurance Portability and Accountability Act (HIPAA) compliance, so healthcare organizations can use it without violating the HIPAA Rules.

Amazon Lex is a service for building conversational interfaces into applications using text and voice. It enables developers to create chatbots that use lifelike, natural language to interact with users, ask questions, gather and provide information, and perform a variety of tasks, including booking appointments. The same conversational engine powers Amazon Alexa.

Until recently, the potential for using Amazon Lex in healthcare was limited because the service was not HIPAA-compliant: it could not be used in connection with electronic protected health information (ePHI), and Amazon's business associate agreement (BAA) did not cover it.

Amazon confirmed on December 11, 2019 that the AWS business associate agreement (BAA) addendum now includes Amazon Lex. The service can therefore be used for workloads involving ePHI, provided a BAA is in place. Amazon Lex has undergone third-party security assessments under several AWS compliance programs; it is not only HIPAA eligible but also SOC and PCI compliant.

As with any software, a BAA does not guarantee compliance. Amazon has implemented appropriate safeguards to protect the integrity, confidentiality, and availability of ePHI, but it remains the customer's responsibility to configure the service correctly and to use it in compliance with the HIPAA Rules.

Amazon has published a whitepaper, Architecting for HIPAA Security and Compliance on AWS, which provides guidance on configuring AWS services that store, process, and transmit ePHI. Guidance on managing Amazon Lex has also been published.

Healthcare Data Breach Report for October 2019

October saw a 44.44% month-over-month rise in healthcare data breaches. The HHS' Office for Civil Rights received 52 breach reports in which 661,830 healthcare records were exposed, stolen, or impermissibly disclosed.

Including this month's reports, the total number of healthcare records breached in 2019 exceeds 38 million, equivalent to 11.64% of the United States population.

October 2019 Largest Healthcare Data Breaches

1. Betty Jean Kerr People’s Health Centers with 152,000 individuals affected due to hacking/IT Incident
2. Kalispell Regional Healthcare with 140,209 individuals affected due to hacking/IT Incident
3. The Methodist Hospitals, Inc. with 68,039 individuals affected due to hacking/IT Incident
4. Children’s Minnesota with 37,942 individuals affected due to unauthorized access/disclosure
5. Tots & Teens Pediatrics with 31,787 individuals affected due to hacking/IT Incident
6. University of Alabama at Birmingham with 19,557 individuals affected due to hacking/IT Incident
7. Prisma Health – Midlands with 19,060 individuals affected due to hacking/IT Incident
8. South Texas Dermatopathology Laboratory with 15,982 individuals affected due to hacking/IT Incident
9. Central Valley Regional Center with 15,975 individuals affected due to hacking/IT Incident
10. Texas Health Harris Methodist Hospital Fort Worth with 14,881 individuals affected due to unauthorized access/disclosure

Causes of Healthcare Data Breaches in October 2019

In October, the following incidents were reported:

  • 18 hacking/IT incident reports involved 501,847 individual healthcare records. The mean and median breach sizes were 27,880 records and 9,413 records, respectively.
  • 28 unauthorized access/disclosure incidents involved 134,775 records. The mean and median breach sizes were 4,813 records and 2,135 records, respectively. These breaches include 15 separate reports from Texas Health Resources.
  • 5 loss/theft incidents involved 13,454 records. The mean and median breach sizes were 2,350 records and 2,752 records, respectively.
  • 1 improper disposal incident involved 11,754 records.

Location of Breached Health Data

Phishing continues to pose problems for healthcare organizations. Healthcare providers struggle both to block phishing attacks and to detect them quickly; several of the phishing attacks reported in October took weeks to identify.

Although multi-factor authentication can greatly lower the risk of cybercriminals using stolen credentials to gain access to corporate email accounts, many healthcare organizations only implement this vital security control after a phishing attack has already occurred.

The increased number of "other" breaches is due to the mailing error at Texas Health, which accounted for 15 of the 19 breaches in that category.

Most of the network server breaches were the result of ransomware attacks, including the largest healthcare data breach of October. That breach shows how important it is to back up all data, to test the backups to ensure data can be recovered, and to keep one backup copy on a device that is not networked or exposed to the internet.

Data Breaches by Covered Entity Type

Healthcare providers reported 45 data breaches, health plans reported three, and business associates of HIPAA-covered entities reported four. A further four breaches involved a business associate but were reported by the covered entity.

Healthcare Data Breaches by State

Healthcare providers and business associates in 24 states reported data breaches. The tally of breach reports by state is as follows:

  • Texas reported 17 incidents with 15 breach reports from Texas Health
  • Ohio reported 4 breaches
  • California reported 3 breaches
  • Arkansas, Florida, Maryland, Louisiana, South Carolina, New Mexico, and Virginia reported two breaches each
  • Arizona, Alabama, Georgia, Indiana, Illinois, Kentucky, Minnesota, Mississippi, Missouri, Montana, Oregon, New York, South Dakota, and Washington reported 1 breach each

HIPAA Enforcement Actions in October 2019

The HHS' Office for Civil Rights announced two financial penalties for HIPAA violations in October: one settlement and one civil monetary penalty.

OCR investigated Elite Dental Associates after receiving a complaint from a patient whose PHI had been publicly disclosed in a response to a Yelp review. OCR discovered that the PHI of other patients had been disclosed in the same way. OCR also found that the practice's notice of privacy practices did not contain the required information and therefore did not comply with the HIPAA Privacy Rule. Elite Dental Associates settled the case by paying OCR $10,000.

OCR investigated Jackson Health System after PHI was disclosed in the media: a published photo of an operating room showed the health data of two people, including a well-known NFL player. The OCR investigation revealed multiple violations of the Security Rule, Privacy Rule, and Breach Notification Rule spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

HIPAA Seal of Compliance Awarded to Eagle Consulting Group

Eagle Consulting Group, a managed service provider based in Anchorage, AK, has received HIPAA compliance certification from Compliancy Group.

Eagle Consulting Group has many clients in the healthcare sector and provides them with proactive IT services. In managing their infrastructure and software, the company is given access to electronic protected health information (ePHI). An organization such as Eagle Consulting Group is therefore a business associate under the Health Insurance Portability and Accountability Act and must be HIPAA compliant.

Eagle Consulting Group worked with Compliancy Group to demonstrate to its clients that it has a trustworthy HIPAA compliance program.

Eagle Consulting Group used Compliancy Group's HIPAA compliance software, known as The Guard, to track its progress toward HIPAA compliance. Once an effective compliance program is in place, The Guard serves as a tool for maintaining it.

Compliancy Group's HIPAA experts guided Eagle Consulting Group through the 6-stage HIPAA risk analysis and remediation plan. On completing the program, the company was confirmed to meet the minimum data privacy and security standards required by HIPAA. The company has put in place policies and procedures to maintain HIPAA compliance, and employees understand their responsibilities for securing ePHI.

Having verified Eagle Consulting Group's risk analysis and remediation program, Compliancy Group awarded the company the HIPAA Seal of Compliance.

The HIPAA Seal of Compliance demonstrates to existing and prospective healthcare clients that Eagle Consulting Group meets the minimum standards of the HIPAA Privacy, Security, and Breach Notification Rules and is recognized as a HIPAA-compliant managed service provider.

If selected for a compliance audit, Eagle Consulting Group can demonstrate to regulators that it is in full compliance with HIPAA. The company can likewise help its healthcare clients implement the technical safeguards needed to protect their networks and keep ePHI secure.

Patients Can Use the New Alexa Healthcare Skill to Manage Their Medications

Amazon's Alexa now offers a new healthcare skill that patients can use to manage their prescribed medications and order prescription refills.

At the start of this year, Amazon announced that it had created a HIPAA-eligible environment for skill developers that incorporates the safeguards required by the HIPAA Privacy and Security Rules. Amazon created an invite-only platform for a select group of skill developers to build new skills that benefit patients.

The new skill is the product of a joint effort between Amazon and Omnicell, a medication management company. Amazon approached Omnicell with the proposal after noticing that many Alexa users were using their devices to create medication reminders. Amazon had received feedback from a number of users asking for the reminders feature to be enhanced so they could set several reminders a day for taking their medicines.

Initially, the new Alexa skill will be available to customers of Giant Eagle Pharmacy, which operates more than 200 pharmacies across the Midwest and Mid-Atlantic. With the new skill, patients can set reminders to take their prescription drugs, review their current prescriptions, and order prescription refills from Giant Eagle simply by giving voice commands to their Alexa devices.

The new skill includes several privacy and security protections to prevent unauthorized access and misuse. After enabling the Giant Eagle Pharmacy skill and linking their account, users must create a voice profile and set a PIN. Alexa identifies a user by their voice profile, but the PIN must be provided before any information is relayed. Healthcare-related information is also redacted in the app to protect privacy. Voice recordings can be reviewed and deleted at any time via the Alexa app, Privacy Settings, or by voice command after authentication.

According to Danny Sanchez, VP and general manager of Omnicell, this technology is only the start, as the company continues to identify easy-to-use pharmacy tasks that voice-powered devices can perform in real life to keep the patient at the heart of care and improve pharmacy workflow.

The initial skill release will give Amazon useful data that can be used to improve the customer experience. More pharmacy chains will be added in the new year.