Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Permission

A lawsuit has been filed against Easy Healthcare Corp., based in Burr Ridge, IL, over the alleged disclosure of sensitive user data to third-party companies located in China.

Easy Healthcare Corp. is the developer of Premom, a popular smartphone fertility app that tracks users’ ovulation cycles to identify the days on which they are most fertile. The legal action states that a range of sensitive user information was shared with at least three Chinese firms without obtaining users’ permission. Because the data is stored on servers in China, the lawsuit claims the sensitive data could potentially be accessed or seized by the Chinese government.

The data sent to the Chinese organizations includes sensitive healthcare details, geolocation information, user and advertiser IDs, device activity data, and device hardware identifiers. Because these identifiers do not change, combining them with the location information collected alongside them would allow data collectors to reconstruct app users’ activities.

The identifiers provided to the Chinese organizations include the device’s MAC (media access control) address, a unique identifier for its network interface controller; the MAC/BSSID addresses of nearby routers, which reveal geographic location; and router SSIDs (Service Set Identifiers), which identify Wi-Fi networks. The lawsuit adds that the collected information could also reveal users’ interests, health, religion, political views, and other sensitive information.

The lawsuit states user data was shared with Jiguang (Aurora Mobile Ltd), Umeng, and UMSNS, which provide activity analysis, precision marketing, financial risk management, and location-based analysis services to their customers.

According to the legal action, the Premom privacy policy states that the company will not share or sell personal data to data brokers, marketing platforms, or data resellers, so the distribution of the information directly violates those policies. Although the privacy policy does state that non-identifiable user data may be collected, users are told that the information would not be shared with third parties without their authorization.

The plaintiff found out that her personal information had been disclosed to the three Chinese firms for three years without her permission or knowledge. She states Easy Healthcare deceived her, as she was not told that her information would be given to the Chinese entities. The lawsuit also claims Easy Healthcare shared the data for financial gain and misrepresented its data-sharing policies. It further claims user data is logged each time users unlock or use their phone, even when they are not using the application, which breaches Google Play’s developer policies.

The lawsuit was filed a couple of months after a bipartisan group of senators wrote to the Federal Trade Commission (FTC) asking it to scrutinize the data security and privacy practices of the Premom app, following the discovery of the unauthorized data sharing by the International Digital Accountability Council.

The legal action was filed in the U.S. District Court for the Northern District of Illinois, Eastern Division, and seeks class-action status and damages for app users. The lawsuit also seeks to require Easy Healthcare to stop sharing user data with other organizations without first obtaining authorization from app users. Easy Healthcare has denied any wrongdoing.

Premom is not the only health application found to have shared user information without obtaining informed consent from its users. In January 2021 the FTC settled a data privacy and security case with Flo Health for misrepresenting the privacy practices of its fertility app and sharing user data with a data analytics firm without authorization. Flo Health was ordered to review and revise its privacy policies and obtain users’ consent before sharing their information.

Public Health Emergency Privacy Act Introduced to Ensure the Privacy and Security of COVID-19 Information

On January 28, 2021, Democratic lawmakers introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure that information security measures are in place to safeguard COVID-19-related health information collected for public health purposes.

Sens. Richard Blumenthal, D-Conn., and Mark Warner, D-Va., and U.S. Representatives Suzan DelBene, D-WA, Jan Schakowsky, D-IL, and Anna Eshoo, D-CA, introduced the Public Health Emergency Privacy Act. The Act calls for strong and enforceable privacy and information security rights to protect health information.

Sen. Blumenthal said that technologies such as contact tracing, home screening, and online appointment scheduling are absolutely vital to preventing the spread of the disease, but that Americans are rightly cautious about the safety of their sensitive health information. Legal protections for consumer privacy have not kept pace with technology, and that is hampering the fight against COVID-19.

The Public Health Emergency Privacy Act would ensure that strict privacy protections are put in place so that any health information collected for public health purposes is used only to accomplish the public health purpose for which it was collected.

The Act restricts the use of data collected for public health purposes to public health uses, prohibits its use for discriminatory, unrelated, or invasive purposes, and prevents government agencies that are not part of public health services from misusing the information.

The Act requires data security and data integrity protections for health information, limits the data collected to the minimum necessary to accomplish the purpose for which it is collected, and requires tech companies to delete the data once the public health emergency has ended.

Americans’ voting rights are protected by prohibiting any health condition or the use of contact tracing applications from being made a condition of the right to vote. The Act would also give Americans control over public health efforts by ensuring transparency and requiring opt-in consent, and it requires regular reports on the impact of digital collection tools on civil rights.

The Public Health Emergency Privacy Act would not replace the requirements of the Privacy Act of 1974, HIPAA, or federal and state medical record retention and health data privacy rules.

According to Sen. Warner, strong privacy protections for COVID-19 health information become more important as vaccination efforts continue and firms begin experimenting with things such as ‘immunity passports’ to gate access to facilities and services. Without appropriate health privacy laws, privacy violations and discriminatory use of health information could become common in medical care and public health.

This is not the first proposal of this kind. An identical bill was introduced in 2020 but did not win the support of Congress.

Employees Terminated by Montefiore Medical Center and Bethesda Hospital for HIPAA Violations

Baptist Health’s Bethesda Hospital in Boynton Beach, FL has terminated an employee for impermissibly accessing a patient’s protected health information (PHI) and modifying a home health order that was used to provide home care services to the patient.

The hospital discovered the HIPAA breach on December 1, 2020 and conducted an internal investigation, after which the employee involved was dismissed. The hospital has also informed law enforcement about the incident.

The investigation showed that the former employee also accessed other patient records between June 1, 2019 and December 2, 2020. The types of data potentially accessed included names, birth dates, addresses, health insurance details, Social Security numbers, and clinical records.

All affected individuals have been notified and offered free identity theft protection and credit monitoring services. Baptist Health is looking at additional ways to protect patients’ PHI and prevent similar breaches in the future.

The incident has not yet been listed on the HHS’ Office for Civil Rights breach portal, so the number of patients affected is currently unknown.

Montefiore Medical Center Terminates Employee for Unauthorized Access to Medical Records

Montefiore Medical Center in New York discovered that an employee accessed patients’ PHI without authorization over a period of five months in 2020. Upon becoming aware of the unauthorized access, Montefiore promptly blocked the employee’s access to the electronic medical record system and launched an investigation to determine the extent of the HIPAA violation.

Following a comprehensive investigation, the medical center terminated the employee and reported the breach to law enforcement for possible criminal prosecution. The types of information viewed by the former employee varied from patient to patient and may have included first and last names, birth dates, addresses, medical record numbers, the last four digits of Social Security numbers, and clinical data such as examination results, consultation histories, and diagnoses.

No reason has been given for the individual’s motive in accessing the information, and no evidence has been found to suggest patient data has been used for identity theft or fraud. Montefiore Medical Center has notified all affected patients and offered them free identity theft protection services.

This is Montefiore Medical Center’s second incident involving inappropriate access to medical records in the last five months. The first was reported in September 2020, when the medical center disclosed the theft of approximately 4,000 patients’ PHI by a former employee between January 2018 and July 2020.

HHS Gives $20 Million to Expand COVID-19 Vaccine Information Sharing

The U.S. Department of Health and Human Services has made $20 million available to improve data sharing between health information exchanges (HIEs) and immunization information systems.

The funding comes from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), signed by President Trump on March 27, 2020, and will support vaccination initiatives to combat the COVID-19 pandemic.

The funds expand the Office of the National Coordinator for Health Information Technology (ONC)’s Strengthening the Technical Advancement and Readiness of Public Health Agencies via Health Information Exchange (STAR HIE) Program and will support communities in sharing health information related to COVID-19 vaccinations.

Public health agencies will receive additional help to monitor and identify individuals who have not yet received a second dose of the COVID-19 vaccine. The additional funding will also help physicians identify and contact high-risk individuals who have not yet received their first dose.

The added investment will be allocated nationwide and used to support communities that have been hit hard by COVID-19. HHS will also provide funding to the Association of State and Territorial Health Officials (ASTHO) and the Colorado Regional Health Information Organization (CORHIO) to strengthen HIE immunization partnerships.

These CARES Act funds will help doctors gain better access to their patients’ information from community immunization registries by using the resources of their local health information exchanges. Through this collaborative work, public health departments and physicians will be able to more effectively deliver immunizations to at-risk patients, better understand adverse events, and better monitor long-term health outcomes as more Americans are immunized.

The success of vaccination programs depends on correctly identifying patients and making sure they receive two doses of the appropriate vaccine. That means hospitals, pharmacists, and public health authorities must have access to patient information and vaccine data. Good data exchange and patient matching can also provide insights into the effectiveness of the vaccines and support monitoring of long-term health outcomes. STAR HIE plans to publish statistics on vaccination outcomes.

There are roughly 100 HIEs in the US, reaching about 92% of Americans. There are 63 immunization information systems in the United States: one for each state, eight in territories, and five in cities. The immunization information systems are funded in part by the Centers for Disease Control and Prevention’s National Center for Immunization and Respiratory Diseases (NCIRD).

OCR to Have Enforcement Discretion Concerning the Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

The Department of Health and Human Services’ Office for Civil Rights has announced that it will exercise enforcement discretion and will not impose financial penalties on HIPAA-covered entities or business associates for violations of the HIPAA Rules connected with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID-19 vaccinations.

The notice of enforcement discretion covers the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations for the duration of the COVID-19 public health emergency. The notice is effective immediately, is retroactive to December 11, 2020, and will remain in effect throughout the COVID-19 national public health emergency.

A WBSA is a non-public-facing online or web-based application that allows individual appointments to be scheduled in connection with large-scale COVID-19 vaccination. The purpose of a WBSA is to allow covered healthcare providers to quickly schedule large numbers of COVID-19 vaccination appointments.

A WBSA, and the information created, received, maintained, or transmitted by it, should be accessible only to the intended parties, such as the healthcare organization or pharmacy administering the vaccinations, an authorized individual scheduling an appointment, or a WBSA workforce member who needs access to the solution and/or records to provide technical support.

The notice of enforcement discretion does not apply to an appointment scheduling application that connects directly to electronic health record (EHR) systems.

A WBSA may not meet all requirements of the HIPAA Rules and would therefore not ordinarily be permitted for use in connection with electronic protected health information (ePHI). It is also possible that the vendor of a WBSA is unaware that its application is being used by healthcare organizations in connection with ePHI, which would make the vendor a business associate under HIPAA.

While the notice of enforcement discretion is in effect, OCR will not impose penalties on HIPAA-covered entities, their business associates, or WBSA vendors that meet the definition of a business associate under the HIPAA Rules for good faith uses of WBSAs for scheduling COVID-19 vaccination appointments.

Although penalties will not be imposed, OCR encourages the use of reasonable safeguards to protect individuals’ privacy and secure ePHI. That means the ePHI collected and entered into the WBSA should be limited to the minimum necessary, encryption should be used where available, and all available privacy settings should be enabled, including configuring the calendar display to hide names or show only initials. If a vendor stores ePHI, the storage should be only temporary and the ePHI should be destroyed no later than 30 days after the scheduled appointment. The WBSA vendor should be instructed not to disclose any ePHI in a manner inconsistent with the HIPAA Rules.
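The safeguards OCR recommends (minimum necessary data, initials-only calendar display, destruction no later than 30 days after the appointment) can be enforced in the booking system itself rather than left to operator discipline. The following Python is an added example and is not code from OCR or from any WBSA vendor; the set of fields it treats as the minimum necessary and the sample intake record are assumptions made for illustration.

```python
from datetime import date, timedelta

# Hypothetical minimum-necessary field set for a vaccination booking
# (an assumption for this example; OCR's notice names no specific field list)
MINIMUM_FIELDS = frozenset({"first_name", "last_name", "phone", "appointment_date"})

# From the OCR notice: ePHI held by the vendor must be destroyed no later than
# 30 days after the scheduled appointment
RETENTION_DAYS = 30


def minimize(intake: dict) -> dict:
    """Keep only the minimum-necessary fields; anything else (diagnoses, SSNs,
    insurance details) is dropped before it ever reaches the scheduling app."""
    return {k: v for k, v in intake.items() if k in MINIMUM_FIELDS}


def initials(first_name: str, last_name: str) -> str:
    """Display form for the shared calendar: initials only, never full names."""
    return f"{first_name[:1].upper()}.{last_name[:1].upper()}."


def calendar_label(booking: dict) -> str:
    """Label shown on the calendar view: initials plus the ISO appointment date."""
    return f"{initials(booking['first_name'], booking['last_name'])} {booking['appointment_date']}"


def is_expired(booking: dict, today_iso: str) -> bool:
    """True once the booking has reached the 30-day post-appointment limit."""
    appointment = date.fromisoformat(booking["appointment_date"])
    return date.fromisoformat(today_iso) >= appointment + timedelta(days=RETENTION_DAYS)


def purge_expired(bookings: list, today_iso: str) -> list:
    """Return only the bookings that may still be retained; everything else is
    destroyed (here: simply not returned)."""
    return [b for b in bookings if not is_expired(b, today_iso)]


if __name__ == "__main__":
    # Constructed intake record that carries more than the WBSA needs
    intake = {
        "first_name": "Jane",
        "last_name": "Doe",
        "phone": "555-0100",
        "appointment_date": "2021-01-15",
        "diagnosis": "asthma",      # not needed to book a vaccination slot
        "ssn": "000-00-0000",       # constructed placeholder, never stored
    }
    booking = minimize(intake)
    print(calendar_label(booking))                   # J.D. 2021-01-15
    print(purge_expired([booking], "2021-02-14"))    # [] once 30 days have passed
```

The minimization step runs before data reaches the vendor, so a vendor breach or an over-retentive backup can only expose the four fields the booking actually needs; the purge is a scheduled job, not a manual task.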

OCR recommends these reasonable safeguards, although failing to implement them will not, in itself, mean that a covered healthcare provider or its business associate failed to act in good faith for the purposes of this notification.

Bad faith uses that are not covered by the notification include:

  • Using a WBSA whose vendor does not permit its use for managing healthcare services.
  • Using the WBSA to schedule appointments other than COVID-19 vaccinations.
  • Using a solution that lacks access controls restricting access to ePHI to authorized individuals.
  • Screening individuals for COVID-19 prior to in-person healthcare appointments.
  • Using public-facing WBSAs.

OCR is using all available means to make the administration of COVID-19 vaccines as efficient and safe as possible for all people.

Vulnerabilities Discovered in Innokas Yhtymä Oy Vital Signs Monitors

Two medium-severity vulnerabilities have been discovered in Innokas Yhtymä Oy vital signs monitors that could allow attackers to modify communications with downstream devices and to disable certain functions of the monitors. The vulnerabilities affect all VC150 patient monitors running software versions earlier than 1.7.15.

Affected patient monitors contain a cross-site scripting (XSS) vulnerability that allows web script or HTML to be injected via the filename parameter of several administrative web interface endpoints. The vulnerability is caused by improper neutralization of input during web page generation. It is tracked as CVE-2020-27262 and has been assigned a severity score of 4.6 out of 10.

The second vulnerability, tracked as CVE-2020-27260, is caused by improper neutralization of special elements in output used by a downstream component. This HL7 v2.x injection vulnerability allows an attacker in close physical proximity who has a connected barcode reader to inject HL7 v2.x segments into HL7 v2.x messages through a variety of expected parameters. The vulnerability has been assigned a severity score of 5.3 out of 10.
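Both flaws above are instances of improper output neutralization: a value from an untrusted source is written into a structured format (an HTML page, an HL7 v2.x message) without encoding the characters that have meaning in that format. The Python below is an added example, not code from Innokas Yhtymä Oy or the ERNW researchers, and shows the defensive counterpart: escaping free-text values with the standard HL7 v2.x escape sequences before they are placed in a message, so that a scanned value containing separators or a carriage return stays a single field, and HTML-encoding a filename before it is written into a page. The PID field layout and the sample barcode value are constructed for illustration and do not reflect the vendor’s message format.

```python
import html

# HL7 v2.x default encoding characters: field |, component ^, repetition ~,
# escape \, subcomponent &. Segments are terminated by a carriage return.
FIELD_SEP, COMPONENT_SEP, REPEAT_SEP, ESCAPE_CHAR, SUBCOMP_SEP = "|", "^", "~", "\\", "&"
SEGMENT_TERMINATOR = "\r"

# Standard HL7 v2.x escape sequences for the encoding characters
HL7_ESCAPES = {
    FIELD_SEP: "\\F\\",
    COMPONENT_SEP: "\\S\\",
    REPEAT_SEP: "\\R\\",
    SUBCOMP_SEP: "\\T\\",
}


def hl7_escape(value: str) -> str:
    """Neutralise a free-text value (e.g. a scanned barcode) so that it cannot
    introduce new fields, components, repetitions or segments."""
    # HL7 v2.x defines no escape for the segment terminator, so CR/LF are removed
    cleaned = value.replace("\r", "").replace("\n", "")
    # The escape character itself goes first so the sequences added below are not re-escaped
    out = cleaned.replace(ESCAPE_CHAR, "\\E\\")
    for char, seq in HL7_ESCAPES.items():
        out = out.replace(char, seq)
    return out


def build_pid_segment(patient_id: str, family_name: str, given_name: str) -> str:
    """Build a minimal PID segment (PID-3 identifier, PID-5 name) from untrusted values.
    The field layout here is a constructed illustration, not the vendor's message format."""
    fields = [
        "PID", "1", "",
        hl7_escape(patient_id),
        "",
        f"{hl7_escape(family_name)}{COMPONENT_SEP}{hl7_escape(given_name)}",
    ]
    return FIELD_SEP.join(fields) + SEGMENT_TERMINATOR


def segment_count(message: str) -> int:
    """Number of segments in a message; building one PID must always yield exactly one."""
    return len([s for s in message.split(SEGMENT_TERMINATOR) if s])


def escape_for_html(filename: str) -> str:
    """Output encoding for the XSS case: encode the value before it is written into a
    page so that < > & \" ' become character references rather than markup."""
    return html.escape(filename, quote=True)


if __name__ == "__main__":
    # Constructed barcode input containing a carriage return and field separators
    scanned = "12345\rPV1|1|I"
    seg = build_pid_segment(scanned, "Doe", "Jane")
    print(repr(seg))            # 'PID|1||12345PV1\\F\\1\\F\\I||Doe^Jane\r'
    print(segment_count(seg))   # 1
    print(escape_for_html('report "<1>" & notes.csv'))
```

The check that matters operationally is `segment_count`: a message builder fed a single patient record must never produce more than the segments it intended, and that invariant is cheap to assert at the boundary where device output is handed to the downstream system.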

The people credited with the identification of the vulnerabilities were: Julian Suleder, Birk Kauer, and Nils Emmerich of ERNW Research GmbH; and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

Innokas Yhtymä Oy has released a software update to fix the vulnerabilities and advises users to update to software version 1.7.15b or later. To date, there have been no reported cases of the vulnerabilities being exploited in the wild.

The following network best practices are also recommended:

  • Segment networks
  • Use VLANs
  • Isolate patient monitors
  • Implement physical restrictions to prevent the unauthorized access of patient monitors
  • Clinical personnel should report any instances of unauthorized persons attempting to log in to or tamper with the patient monitors

New Capabilities to CC&C Platform Added With TigerConnect’s Acquisition of Critical Alert

TigerConnect is adding a range of new features to its clinical communication and collaboration platform following its acquisition of Critical Alert, a healthcare middleware provider. This is the second major acquisition in 2020 by Santa Monica, CA-based TigerConnect, which purchased Call Scheduler last fall.

Critical Alert provides hospitals and health systems with cloud-based, mobile, enterprise-grade middleware. Hospitals use the middleware solutions for nurse call management, alarm and event management, clinical workflow analysis, and medical device interoperability. In addition to its middleware, Critical Alert supplies conventional nurse call equipment to more than 200 hospitals across North America.

The acquisition will see the suite of middleware products integrated into the TigerConnect platform, adding new functionality and powering a broad range of alert types and alarm management improvements. Integration of the middleware is expected to be completed in Q1 2021.

Critical Alert middleware works with clinical systems to deliver alarms, events, and values, and offers virtualized nurse call that includes contextual patient information to help nurses decide which requests to prioritize. Centralized handling of nurse call notifications and supervision of workflows and tasks reduces noise and clinical disruptions and improves responsiveness.

Real-time location system (RTLS) integrations help enhance caregiver efficiency and simplify workflows, and allow real-time monitoring of staff location and time spent on tasks. These integrations provide information for resource planning, workflow efficiency, and continuous process improvement efforts.

The integration of Critical Alert with TigerConnect will enable quick integrations with smart bed alerts for effective fall prevention and enhanced patient safety. When the safe bed configuration is compromised, alerts will be delivered instantly to mobile devices, allowing nurses to respond quickly.

Through integration with the TigerFlow care team collaboration solution, notifications will be intelligently routed to the appropriate caregivers, controlling unwanted noise and improving performance. The context supplied with these notifications helps nurses prioritize appropriately. Critical Alert also provides advanced analytics that offer insights into patient behavior and help optimize staff workload.

Integrating the Critical Alert middleware into the TigerConnect platform delivers more value to customers and helps relieve the pressure on nurses at a time when nurse burnout is widespread. The gains in efficiency and effectiveness will likely benefit hospitals, especially given the current nursing shortage.

The acquisition of Critical Alert is highly strategic and a natural evolution of TigerConnect’s already-powerful collaboration platform, according to TigerConnect CEO and co-founder Brad Brooks. For all the nurses who use TigerConnect, these new capabilities will deliver real-time, contextual data to their mobile devices or desktops so they can work smarter, prioritize actions, and coordinate care effectively using the single platform they already use every day for business messaging.

Critical Alert CEO John Elms will join TigerConnect as Chief Product Officer and will play a crucial role in combining the two companies’ technologies and directing future product development. Critical Alert VP of Sales Wil Lukens will also join TigerConnect as General Manager of Critical Alert’s traditional nurse call hardware business, which will continue to operate as a standalone business unit under the same name.

The merger of the two companies comes at the perfect time, according to John Elms. Together, the company will be able to address some of the serious challenges nurses face, such as alarm fatigue, resource optimization, and action prioritization.

Breaches At Northwestern Memorial Hospital, Five Points Eye Care, and Apex Laboratory

Northwestern Memorial Hospital in Chicago discovered that a former temporary employee may have viewed the medical records of certain patients without authorization while working at the hospital.

The hospital detected the unauthorized access on December 2, 2020. An analysis of access logs revealed the employee accessed patient information without a work-related reason between October 27, 2020 and December 2, 2020. The data potentially accessed was limited to patient names, addresses, and treatment details; the individual did not access financial data or Social Security numbers.

Northwestern Memorial Hospital reported that the records of 682 patients may have been viewed and said the temporary employee no longer works at the hospital. It is not clear why the information was accessed. The hospital is notifying all affected patients by mail and has reported the incident to the appropriate authorities.
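The Northwestern Memorial, Montefiore and Bethesda Hospital incidents above all came to light through review of EHR access logs, and in each case the question the reviewer has to answer is the same: did this user have a legitimate reason to open this chart? The Python below is an added example, not code from any of the hospitals, and sketches the core of such a review: parsing audit events and flagging chart accesses by users who have no documented care-team relationship with the patient, then surfacing users whose unrelated accesses exceed a threshold. The log lines, user ids, medical record numbers and roster are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed EHR audit-log lines (timestamp, user id, action, patient MRN); not real records
AUDIT_LOG = """\
2020-11-03T08:12:04 u1042 VIEW MRN000117
2020-11-03T08:15:30 u1042 VIEW MRN000231
2020-11-03T09:01:11 u2077 VIEW MRN000117
2020-11-03T09:02:45 u1042 VIEW MRN000455
2020-11-03T12:40:02 u1042 VIEW MRN000512
"""

# Constructed care-team roster: which users have a documented reason to open which chart
CARE_TEAM = {
    "MRN000117": {"u1042", "u2077"},
    "MRN000231": {"u3001"},
    "MRN000455": {"u2077"},
    "MRN000512": {"u1042"},
}


def parse_audit(text: str) -> list:
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, mrn = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action, "mrn": mrn})
    return events


def accesses_without_relationship(events: list, roster: dict) -> list:
    """Events where the accessing user is not on the patient's care team.
    A patient missing from the roster has no documented relationships at all."""
    return [e for e in events if e["user"] not in roster.get(e["mrn"], set())]


def users_over_threshold(events: list, roster: dict, max_unrelated: int = 1) -> dict:
    """Users whose count of unrelated chart accesses exceeds the threshold,
    mapped to that count; these are the accounts to escalate for review."""
    counts = defaultdict(int)
    for e in accesses_without_relationship(events, roster):
        counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n > max_unrelated}


if __name__ == "__main__":
    evs = parse_audit(AUDIT_LOG)
    for e in accesses_without_relationship(evs, CARE_TEAM):
        print(e["ts"].isoformat(), e["user"], "opened", e["mrn"], "with no care-team relationship")
    print(users_over_threshold(evs, CARE_TEAM))   # {'u1042': 2}
```

A roster-based rule of this kind is the simplest form of the check; in practice the roster comes from encounter and scheduling data, a break-the-glass reason code exempts emergency access, and the threshold is tuned per role so that a unit clerk is not flagged for ordinary work.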

Potential Breach of Patient Information at Athens Optometrist

Five Points Eye Care in Athens, GA has learned that an unauthorized individual gained access to its network and potentially viewed or obtained patient data. The breach occurred on October 27, 2020 and was identified and remediated the same day.

The breach only affected the email system, which contained correspondence sent to the optometrist by other treating physicians. The information in the emails included names, birth dates, Social Security numbers, addresses, prescription medications, and treatment plans. A forensic investigation established that the unauthorized individual did not access any other data.

Five Points Eye Care reported the security breach to law enforcement, mailed notifications to affected individuals, and offered free credit monitoring services for one year.

Apex Laboratory Encountered a DoppelPaymer Ransomware Attack

In July 2020, Apex Laboratory, a home laboratory services provider in New York and South Florida, suffered a DoppelPaymer ransomware attack. The DoppelPaymer ransomware gang recently uploaded thousands of files to its data leak site, many of which contained the protected health information (PHI) of patients and sensitive employee information.

Databreaches.net reports that after it contacted Apex Laboratory about the data breach, the dumped data was removed from the DoppelPaymer leak site. Apex Laboratory posted a breach notice on its website on December 31, 2020 confirming that it experienced a ransomware attack on July 25, 2020 and that the encrypted data was restored on July 27, 2020.

The data uploaded to the leak site is presumed to have been obtained in the July cyberattack. Apex Laboratory stated that after being notified of the dumped files, it immediately took steps to ensure the attackers removed the files from the leak site. The dumped records are believed to contain patient names, dates of birth, lab test results, and, for some patients, phone numbers and Social Security numbers. The breach investigation is ongoing and the provider will mail breach notification letters to victims in the coming days.

OCR Issued the 19th HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Peter Wrobel, M.D., P.C., also known as Elite Primary Care, over a HIPAA Right of Access compliance violation.

Elite Primary Care, based in Georgia, provides primary care services. OCR opened a compliance investigation after receiving a complaint from a patient on April 22, 2019 alleging that he had been denied access to his medical records. On May 2, 2019, OCR contacted the provider and provided technical assistance on the HIPAA Right of Access, instructing the practice to review the specifics of the request and provide the requested records if the request met the requirements of the HIPAA Privacy Rule.

The patient subsequently sent a written access request to the practice on June 5, 2019. On October 9, 2019, the patient filed a second complaint with OCR, as the practice still had not provided access to the requested medical records.

On November 21, 2019, Elite Primary Care sent the patient’s health information to his new healthcare provider, and on May 8, 2020 it provided the patient with his own copy of the records.

Because of the delay in providing the requested records to the patient, OCR determined that the practice had violated the HIPAA Right of Access (45 C.F.R. § 164.524).

Under the terms of the settlement, Elite Primary Care will pay a $36,000 financial penalty and adopt a corrective action plan that includes developing, implementing, maintaining, and revising, as necessary, its written policies and procedures relating to the Right of Access provision of the HIPAA Privacy Rule. Once OCR has reviewed those policies and procedures, relevant members of staff will receive training on them.

The practice agreed to the settlement with no admission of liability. OCR will monitor Elite Primary Care for two years to ensure compliance.

This is the 13th settlement announced under OCR’s HIPAA Right of Access enforcement initiative and the 19th HIPAA financial penalty issued in 2020.

OCR launched the Right of Access Initiative to address the many cases in which patients were denied timely access to their health records. Healthcare providers, large and small, must ensure they give patients timely access to their health records, and for a reasonable fee, according to OCR Director Roger Severino.

Atlantic.Net Back-Office Upgrade Significantly Enhances Performance and Overall Customer Service

Atlantic.Net, based in Orlando, FL, has announced major changes that will considerably enhance performance, ensure more accurate billing, and help the company provide better overall customer support.

The HIPAA-compliant hosting provider now uses the Ubersmith business management software suite to serve its clients. This back-office software package allows more than 50 separate programs covering subscriptions, customer support, billing, and device management to be consolidated into a single system. Business processes that used to take 7-14 days can now be completed in one day.

Simplifying internal processes ensures customer support issues can be handled much more quickly. The new system has allowed Atlantic.Net to halve the time taken to resolve support issues and to improve billing for customers’ overall usage by 55%. Employees now need training on just one system rather than many, saving many hours and streamlining products and resources. Eliminating redundant systems and improving operational efficiency will have a net positive effect on revenue growth.

Ubersmith’s readily customizable integrated software can manage subscription billing, infrastructure management, order management, and ticketing. The modular software is highly flexible and can be extended and integrated with software used by other areas of the business through the Ubersmith-supplied API and software development kit.

Atlantic.Net uses the Ubersmith APIs to integrate with other systems used to manage payments, accounting, security certificates, domain registration, and more. Ubersmith is currently adding Salesforce integration so that Atlantic.Net can connect its sales, prospecting activities, and customer quotes in one system.

Full integration of the Ubersmith software will allow Atlantic.Net to achieve high levels of operational performance and employee productivity, and to provide better customer support.

Atlantic.Net has done an outstanding job of using the functionality provided in Ubersmith’s business management, operations, and infrastructure software, and Ubersmith is happy to be a part of Atlantic.Net’s growth and expansion in cloud services and hosting.

Breaches at Tufts Health Plans, Tennessee Proton Radiation Therapy Centers, Liv-On Family Care Center and Presbyterian Health Plan

A phishing attack involving EyeMed, a vision benefits management company, led to the exposure of the protected health information (PHI) of 60,545 Tufts Health Plan members.

EyeMed discovered the phishing attack on July 1, 2020, although the attack occurred in June 2020. On the day the breach was discovered, the firm terminated access to the compromised account. EyeMed notified Tufts Health Plan of the breach in September 2020.

The compromised email account contained the following types of protected health information: names, birth dates, email addresses, physical addresses, phone numbers, birth or marriage certificates, government ID or driver’s license numbers, vision insurance account/identification numbers, Medicaid or Medicare numbers, and health insurance account numbers. For some individuals, medical diagnoses and conditions, partial or full Social Security numbers, financial information, treatment details, and/or passport numbers were also compromised.

EyeMed offered affected individuals two years of complimentary credit monitoring and identity protection services.

Security Incident Affects Tennessee Proton Radiation Therapy Centers

Two proton radiation therapy centers in Tennessee, MTPC, LLC in Nashville and Proton Therapy Center, LLC in Knoxville, experienced a security incident in the early morning of October 28, 2020.

The attack caused ongoing disruption to a number of clinical and financial processes; nevertheless, the centers continued to deliver safe and effective patient services. Work is underway to contain the attack. In the meantime, the centers have adopted their established back-up procedures, such as offline record-keeping.

So far, no evidence has been found that patient or employee data was accessed, copied, or misused.

Liv-On Family Care Center Patients Notified of PHI Theft

Liv-On Family Care Center located in St. Paul, MN is sending a notification to 1,580 patients concerning the theft of computer equipment that contains their PHI during a burglary on October 25, 2020.

The burglars stole computers, laptops, and tablets that contained information such as patients' names, dates of birth, addresses, health records, Social Security numbers, and other data. The devices were password-protected but not encrypted, so the PHI could potentially be accessed. The center reported the break-in to the police, but none of the stolen devices have been recovered so far.

More Than 3,500 Presbyterian Health Plan Members Affected By Mailing Error

Presbyterian Health Plan, based in Albuquerque, NM, is notifying 3,557 plan members about a mailing error that caused letters to be misdirected to other health plan members. On October 1, 2020, letters were sent to plan members informing them about recommended health screenings as part of their healthcare and providing contact details for care coordination. Some letters were delivered to the addresses of other members. The mailing did not contain Social Security numbers, financial or credit card data, or any data held in medical systems or any other health data.

Xavier Becerra Appointed as New Secretary of the Department of Health and Human Services

President-elect Joe Biden has decided to nominate California Attorney General Xavier Becerra for the position of Secretary of the Department of Health and Human Services. The nomination still awaits the transition team's formal announcement.

Biden is determined to establish the most diverse administration ever, and although there has been some progress, he has been criticized over the number of Latinos appointed so far. Should the Senate confirm Becerra's appointment, he will be the Department of Health and Human Services' first Latino Secretary. The Congressional Hispanic Caucus has praised the selection of Becerra.

Becerra supports the Affordable Care Act and helped pass the legislation through Congress in 2009 and 2010. The former Los Angeles-area congressman also led the coalition of Democratic states that defended the Affordable Care Act and opposed the Trump Administration's efforts to overturn it. Becerra will be responsible for expanding the Affordable Care Act and will probably move quickly to reverse changes made by the Trump administration.

Becerra has partnered with the Louisiana Attorney General to improve the availability of the drug Remdesivir in that state, and with many Republican Attorneys General in taking legal action against opioid manufacturers. His record of working with Republicans helped secure him the position of Secretary of the HHS. Becerra will be responsible for overseeing the HHS response team's fight against the coronavirus pandemic, including the mass vaccination program that is due to start across the United States at the beginning of 2021.

Biden has selected Dr. Rochelle Walensky to head the Centers for Disease Control and Prevention. Walensky is an infectious disease expert at Massachusetts General Hospital with substantial experience in the fight against HIV/AIDS. Dr. Anthony Fauci, the current director of the National Institute of Allergy and Infectious Diseases and chief medical adviser on COVID-19, will continue in both roles.

Biden chose Jeff Zients, a former economic advisor to President Barack Obama, to be the White House coronavirus coordinator. Vivek Murthy, co-chairman of the coronavirus task force, will return to the Surgeon General position he held during the Obama administration.

Biden also nominated the Yale School of Medicine professor Dr. Marcella Nunez-Smith to become the COVID-19 Equity Task Force chairperson. Deputy campaign manager Natalie Quillian will take the responsibility of being deputy coordinator of the COVID-19 Response. President Biden will announce the other appointees of his health care team in the next couple of days.

HHS Releases Final Rules Regarding Safe Harbors for Cybersecurity Donations

On November 20, 2020, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) released the final rules to help improve the coordination of care and minimize regulatory obstructions. Both final rules include safe harbor terms that permit hospitals and healthcare delivery systems to contribute cybersecurity technology to physician practices.

The CMS introduced the 627-page final edition of the Modernizing and Clarifying the Physician Self-Referral Regulations, often referred to as Stark Law, and the OIG finalized changes to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Concerning Beneficiary Inducements.

Physician practices frequently have limited resources, making it hard for them to implement solutions that address cybersecurity threats. Without the required protections, unauthorized individuals can access, steal, delete or encrypt sensitive healthcare data. Threat actors can also attack small physician practices and use them as a route into the larger healthcare systems they connect to.

When the regulations were first proposed, commenters stressed the value of a safe harbor that enables non-abusive, beneficial arrangements between physicians and other healthcare organizations, such as donations of cybersecurity solutions to help protect the healthcare ecosystem. The CMS first proposed the changes in October 2019 as part of the Regulatory Sprint to Coordinated Care.

The CMS final rule clarifies the Stark Law exception for donations of electronic health record (EHR) technology to physicians, broadening the EHR exception to include cybersecurity software and services. A separate new exception covers cybersecurity donations, including donations of cybersecurity hardware.

CMS explained that the finalized exemptions offer new freedom for specific arrangements, for example, contributions of cybersecurity technology that secure the integrity of the healthcare ecosystem, whether or not the parties employ a fee-for-service or value-based payment system.

The changes acknowledge the risk of cyberattacks on the healthcare industry, create a safe harbor for cybersecurity technology and related services, including cybersecurity hardware, and ensure that cybersecurity software and hardware are available to healthcare organizations of all sizes.

The safe harbor applies to, but is not limited to, endpoint protection software that enables network access control, anti-malware software, business continuity software, data protection and encryption, and email traffic filtering. The exception also covers hardware that is necessary and used predominantly to implement, maintain or re-establish cybersecurity, and a broad range of cybersecurity services such as software updates and maintenance and cybersecurity training. The rule does not distinguish between on-premises and cloud-based cybersecurity solutions.

Under the cybersecurity exception, recipients do not need to contribute to the cost of the donated cybersecurity technology or services. The EHR exception retains its cost-sharing requirement for donations of EHR items or services.

HHS said that allowing entities to donate cybersecurity technology and related services to physicians will result in fortifying the entire health care ecosystem.

The final rules are scheduled for publication in the Federal Register on December 2, 2020 and are expected to take effect on January 19, 2021.

$65,000 Fine Issued for University of Cincinnati Medical Center Due to HIPAA Right of Access Failure

The HHS’ Office for Civil Rights issued its 18th HIPAA financial penalty of 2020 – the 12th fine issued under its HIPAA Right of Access enforcement initiative.

In 2019, OCR introduced a new effort to make sure people get timely access to their health information, at a fair cost, as mandated by the HIPAA Privacy Rule. This is because healthcare organizations were not generally fully following this crucial HIPAA Privacy Rule provision and some patients were having difficulty getting a copy of their medical files.

The most recent $65,000 financial penalty was charged to the University of Cincinnati Medical Center, LLC (UCMC). It was prompted by a complaint filed to OCR on May 30, 2019 by a patient who requested an electronic copy of health records from UCMC on February 22, 2019 to be sent to her lawyer.

Under the HIPAA Right of Access, healthcare providers must provide copies of medical records, on request, no later than 30 days after receiving the request. 45 C.F.R. § 164.524 also states that an individual can have the requested records sent to a designated third party if he or she so wishes.

OCR received the complaint more than 13 weeks after the patient submitted her request. OCR intervened and UCMC eventually provided the requested records to the lawyer on August 7, 2019, more than 5 months after the initial request.

After investigating the patient complaint, OCR determined that UCMC had not acted on the patient's request for a copy of her medical records in a timely manner. A financial penalty was therefore judged appropriate.

Besides the financial penalty, UCMC must follow a corrective action plan that includes developing, maintaining, and revising, as needed, written policies and procedures to ensure compliance with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. OCR will review the policies, and they must be implemented within 30 days of OCR's approval.

The policies must be provided to all people in the workforce and relevant business associates. The policies should be evaluated and updated, as required, at least yearly. Training materials must moreover be produced and provided to OCR for approval, then training must be given to employees concerning the new policies.

UCMC must provide OCR with a list of all business associates and/or vendors that receive, provide, bill for, or deny access to copies or inspection of records, together with copies of the business associate agreements, and UCMC must report all cases where requests for records were denied. OCR will closely monitor UCMC for 2 years from the date of the resolution agreement to verify compliance.

OCR is committed to making sure that patients enjoy their right to access their health data, including the right to direct digital copies to a third party of their choosing. HIPAA covered entities ought to evaluate their policies and training packages to make sure they know and can meet all their HIPAA obligations whenever a patient requests access to his or her data.

Private Practitioner Issued $15,000 Penalty over HIPAA Right of Access Failure

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has issued its 11th financial penalty under its HIPAA Right of Access enforcement initiative, to Dr. Rajendra Bhayani. Dr. Bhayani, a private practitioner in Regal Park, NY specializing in otolaryngology, agreed to pay a $15,000 financial penalty to resolve the case and to implement a corrective action plan to correct the areas of non-compliance identified by OCR during the investigation.

OCR investigated the doctor after receiving a patient complaint in September 2018 claiming that Dr. Bhayani had failed to give her a copy of her requested health records. The patient had requested her records from the otolaryngologist in July 2018 but had not received a copy two months later.

OCR contacted Dr. Bhayani, provided technical assistance regarding the HIPAA Right of Access, and closed the patient complaint; however, OCR received a second complaint from the same patient in July 2019, one year later, saying that she still had not received her health records. OCR intervened again and the patient eventually received her medical records in September 2020, 26 months after her first request. Under HIPAA, healthcare providers must provide requested health records within 30 days of receiving a request.

OCR determined that Dr. Bhayani's failure to produce the medical records was a violation of the HIPAA Right of Access (45 C.F.R. § 164.524) requirements. He also failed to respond to OCR's letters of August 2, 2019 and October 22, 2019 requesting information. Failing to cooperate with OCR's investigation of a complaint was a violation of 45 C.F.R. § 160.310(b). OCR decided to issue a penalty for the violations. Dr. Bhayani agreed to settle the case without admitting liability.

Physician’s offices, whether big or small, need to deliver requested health records to patients promptly. OCR Director Roger Severino stated that it will keep on putting first the HIPAA Right of Access cases for enforcement until healthcare companies get the message.

Dr. Bhayani must also follow a corrective action plan. Policies and procedures must be revised to give individuals access to their PHI in accordance with 45 C.F.R. § 164.524. The policies must specify the methods used to calculate a reasonable, cost-based fee for providing access. Those policies must be submitted to OCR for review, and any changes requested by OCR must be implemented within 30 days. Dr. Bhayani must also provide privacy training to staff on protected health information (PHI) access. The training materials must likewise be submitted to OCR for review and approval.

Every three months, Dr. Bhayani must provide OCR with a list of all access requests, including the fees charged for fulfilling them, together with details of any requests that were denied. OCR must also be informed of any cases of staff failing to comply with access requests.

OCR is going to keep an eye on Dr. Bhayani for two years since the start of the resolution agreement to make certain of continuing compliance with the HIPAA Right of Access.

Data Security Incident at Lawrence General Hospital, Mary Rutan Hospital and Tri-State Specialists

Lawrence General Hospital in Massachusetts has reported a data security incident in which unauthorized individuals likely gained access to some patient information. A security breach that disrupted its IT systems was discovered on September 19, 2020. The investigation showed that an unauthorized individual had access to its systems from September 9, 2020 until September 19, when the network was secured.

The compromised systems contained patient names, insurance type, internal visit ID numbers, internal patient IDs and, for a small number of patients, some clinical data. The Social Security numbers of 5 patients were also potentially compromised.

On November 5, 2020, Lawrence General Hospital already sent notifications to affected persons. Lawrence General Hospital additionally said it is enhancing its security systems as prompted by the breach.

Limited PHI of Mary Rutan Hospital Patients Exposed Due to Spreadsheet Error

Mary Rutan Hospital in Bellefontaine, OH has discovered the exposure of a limited amount of patient data as a result of a spreadsheet error. The hospital's website included a link to data on Diagnosis Related Groups (DRGs), a patient classification system used to standardize prospective payments to hospitals. Such payments cover charges associated with inpatient hospital stays.

The website link directed visitors to a spreadsheet with several tabs containing limited patient data. Two tabs included patient names, birth dates, patient account numbers, dates of service, the reason for the visit, DRG codes, visit charges, insurance payment amounts, adjusted amounts, and outstanding balances for 1,677 patients. No high-risk data was contained in the spreadsheet.

There is no information that indicates unauthorized individuals viewed the information. The website link was made inactive on the same day it was identified.

Tri-State Specialists Informs 17,500 Patients Regarding Email Error

Tri-State Specialists, a group of orthopedic surgery clinics in Iowa, Nebraska, and South Dakota, is notifying 17,050 patients about an incident that impermissibly disclosed their names and email addresses to a number of current and former patients.

Tri-State Specialists discovered on September 16, 2020 that an employee sent an email with a file attachment that contained patients’ names and email addresses. The file did not have any other patient information. Patients were instructed to watch out for spam emails that might result from the exposure of their email addresses.

In response to the incident, Tri-State Specialists has modified its policies and procedures for sending emails to prevent similar breaches in the future. Employees also received re-education emphasizing the importance of data privacy.

Wakefern Food Corporation Pays $235,000 to Resolve HIPAA Breach Case with NJ Attorney General

Wakefern Food Corporation will pay $235,000 in civil penalties to settle allegations of violations of federal and state laws related to a data breach involving the protected health information (PHI) of 9,700 customers of two ShopRite supermarkets in Kingston, New York and Millville, New Jersey. In addition to paying the penalties, the company is required to improve its data security practices.

Wakefern Food Corporation is the holding company of ShopRite Supermarkets, Inc. and Union Lake Supermarket, LLC. ShopRite Supermarkets, Inc. is the owner of the ShopRite store in Kingston, NY while Union Lake Supermarket, LLC is the owner of the Millville ShopRite store.

In 2016, Wakefern replaced the electronic devices used to collect customer signatures and purchase data at the two stores. The old units were not disposed of properly: they were placed in regular dumpsters without first destroying the devices or wiping the stored data to ensure sensitive information was irrecoverable. The devices stored the PHI of 9,700 customers of the two stores, including names, contact details, birth dates, zip codes, driver's license numbers, prescription types, prescription numbers, and dates of pickup and delivery.

The New Jersey Division of Consumer Affairs started an investigation after getting reports concerning the inappropriate disposal of ePHI. It confirmed that the way the devices were disposed of violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule as well as the state’s fraud act. Employees at the stores did not receive proper training on how to handle and dispose of sensitive data.

According to New Jersey Attorney General Gurbir S. Grewal, pharmacies have the legal obligation to secure the privacy of collected patient data and to correctly dispose of that data when necessary. There are serious consequences for those who compromise the private health data of consumers.

Wakefern will pay $209,856.50 as a civil penalty and will reimburse $25,143.50 in attorneys' fees and investigative costs. It must also implement protective measures to prevent future data breaches. The measures include:

  • designating a chief privacy officer
  • signing a business associate agreement with ShopRite Supermarkets, Union Lake, and every member that runs a pharmacy inside its supermarkets
  • implementing proper measures to secure PHI

Every ShopRite store that operates a pharmacy must designate a HIPAA privacy officer and HIPAA security officer to supervise compliance and they must undergo online training about their privacy and security functions.

Acting Director of the Division of Consumer Affairs Paul R. Rodríguez stated that consumers in New Jersey who buy prescription medicine at the neighborhood supermarket should know that their most private data are fully protected by law and must not be carelessly handled. The settlement of this case makes sure that ShopRite supermarket pharmacies will undergo training and monitoring for HIPAA compliance to prevent future incidents that put consumers in danger of identity theft and privacy invasion.

ONC Stretches Deadline for Information Blocking and Interoperability Rule Compliance

The deadline for compliance with the information blocking and health IT certification requirements of the 21st Century Cures Act has been extended due to the ongoing coronavirus pandemic.

The US Department of Health and Human Services' (HHS) Office of the National Coordinator for Health IT (ONC) announced on October 29, 2020 an interim final rule with comment period that extends the compliance dates and timeframes for meeting certain information blocking and Conditions and Maintenance of Certification (CoC/MoC) requirements.

The ONC's Cures Act Final Rule, released on March 9, 2020, defined exceptions to the information blocking provision of the 21st Century Cures Act and introduced new health IT certification requirements which, through the use of application programming interfaces (APIs), would improve patients' access to their own medical data on their smartphones at no cost.

Compliance deadlines were set for 2020, but health IT stakeholders expressed concern about meeting them because of the COVID-19 pandemic. On April 21, 2020, ONC announced that it would exercise enforcement discretion with regard to the compliance deadlines and allowed an additional three months after the initial compliance dates for meeting all of the new requirements under the ONC Health IT Certification Program.

Because of the continuing COVID-19 crisis, ONC now provided the healthcare ecosystem with more flexibility and time to take action on the COVID-19 public health emergency and has additionally lengthened the compliance due dates specified in its April 2020 enforcement discretion announcement.

Although there is strong support for improving patient access and clinician coordination through the provisions of the final rule, stakeholders also need to attend to the demands of the ongoing pandemic, according to national coordinator for health IT Don Rucker, MD. ONC is not eliminating the requirements to advance patient access to health records that are set out in the Cures Act Final Rule. Rather, ONC is giving everyone in the healthcare ecosystem more time to focus on the COVID-19 response.

The new compliance deadlines are currently as follows:

April 5, 2021

  • Information Blocking CoC/MoC requirements (§ 170.401)
  • Information blocking provisions (45 CFR Part 171)
  • API CoC/MoC requirement (§ 170.404(b)(4)) – compliance for present API standards
  • Assurances CoC/MoC requirements (§ 170.402, except for § 170.402(b)(2) as it relates to § 170.315(b)(10))
  • Communications CoC/MoC requirements (§ 170.403) (not including § 170.403(b)(1) – where we took out the 2020 notice requirement)

December 31, 2022

  • New standardized API functionality (§ 170.315(g)(10))
  • 2015 Edition health IT certification criteria updates (not including § 170.315(b)(10) – EHI export, which is moved until December 31, 2023)

The due date for submission of initial attestations (§ 170.406) and submitting initial plans and results of real-world assessment (§ 170.405(b)(1) and (2)) was prolonged by one calendar year.

Failure of New Haven, CT to Terminate Ex-Employee's Access Rights Brought About $202,000 HIPAA Fine

The City of New Haven, Connecticut has decided to settle a HIPAA violation case with the Department of Health and Human Services’ Office for Civil Rights by paying $202,400 as a financial penalty.

OCR made an investigation in May 2017 after receiving New Haven’s data breach notification on January 24, 2017. OCR investigated whether the security breach was connected to possible violations of HIPAA Rules.

During OCR's investigation, it was discovered that the New Haven Health Department had terminated an employee on July 27, 2016 during her probationary period. The former employee returned to the New Haven Health Department on July 27, 2016 together with her union representative, used her work key to enter her former office, and locked herself inside with her union representative.

While in the office, the former employee logged into her old computer using her username and password and copied data from the PC onto a USB drive. She also took personal items and papers from the office and then left the premises. A file on the computer contained the protected health information (PHI) of 498 patients, including names, birth dates, addresses, race/ethnicity, gender, and sexually transmitted disease test results. That file was copied to the USB drive. An intern witnessed what the ex-employee did.

OCR investigators furthermore confirmed that the past employee had given her access credentials to an intern, who kept on using those credentials to access PHI on the network even after the worker was dismissed.

Had the New Haven Health Department removed the ex-employee's login credentials upon her termination, the breach could have been avoided. Had every user been issued their own unique login credentials, it would have been possible to correctly attribute system activity to each individual and identify their use of electronic PHI.

OCR concluded that from December 1, 2014 to December 31, 2018, HIPAA Privacy Rule policies and procedures had not been implemented, New Haven had not implemented procedures for terminating ePHI access when an employee's employment, or other relationship, ended, and New Haven had not assigned unique usernames and passwords to track user identity.

A proper organization-wide risk analysis had not been performed to identify the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, and the PHI of 498 individuals was impermissibly disclosed.

Besides the financial fine, the City of New Haven consented to take up a corrective action plan to deal with all areas of noncompliance. OCR will oversee the HIPAA compliance of the City of New Haven for two years from the time of the resolution agreement.

Medical providers must know who in their company can access patient data at all times. Whenever a person’s employment ends, access to patient records likewise ends.

The settlement is the 4th that OCR announced in October 2020, and the 15th HIPAA financial penalty of 2020.

FDA Approves Tool for Rating Medical Device Vulnerability Scores

The FDA has accepted a new rubric that MITRE Corporation has developed for determining Common Vulnerability Scoring System (CVSS) scores for medical device vulnerabilities.

The CVSS was designed to score vulnerabilities in IT systems by severity, and although it works well for many IT systems, it is less suited to scoring vulnerabilities in medical devices.

When vulnerabilities are identified in medical devices, device manufacturers use the CVSS as a consistent, standardized way to communicate the severity of the vulnerability to the National Cybersecurity and Communications Integration Center (NCCIC), the Department of Homeland Security (DHS) and other institutions. IT teams in hospitals and clinics use the scores to prioritize patching and software updates. A vulnerability with a CVSS score of 9.0, for example, is normally prioritized over one with a score of 3.0. However, CVSS base scores do not properly reflect the clinical context or the potential impact on patient safety.

To address this, the FDA engaged the MITRE Corporation to produce a separate rubric specifically for medical devices so that vulnerabilities can be scored correctly. The FDA recently announced that the new rubric has qualified as a Medical Device Development Tool (MDDT). An MDDT must produce scientifically valid measurements and work as intended within its specified context of use.

The new rubric, used together with CVSS v3, provides a framework for assessing risk and communicating among all parties involved in security vulnerability disclosure, in particular about the severity of vulnerabilities and the urgency of a response, so that responses can be prioritized.

One of the issues with the CVSS is that the base score assigned to a vulnerability is intended to give a general sense of the risk associated with that vulnerability, but the base metrics do not take into account the environment in which the device or software is used. It is crucial to adjust the score for the specific context in which a device or program is deployed, as that context can considerably increase the danger posed by a vulnerability.

This is especially important in the medical field, where there are cases in which the base score is comparatively low even though the actual risk is high, for instance when patient safety is affected. There have already been several instances where vulnerabilities in medical devices were assigned a relatively low severity score under CVSS v3, even though exploitation of the vulnerability posed a direct and critical threat to patients.

The new rubric offers precise guidance for assigning CVSS scores to medical device vulnerabilities. It covers the base metric group and discusses the temporal metric group and the environmental metric group, with close to half of the rubric devoted to the latter and its value for adjusting scores to accurately reflect risk as part of a risk assessment for a medical device.