University of Pittsburgh Medical Center Paid $450,000 to Resolve Data Breach Lawsuit

University of Pittsburgh Medical Center (UPMC) has agreed to settle a class action data breach lawsuit. It will set aside $450,000 to cover claims from individuals who suffered losses because of the theft and misuse of their protected health information (PHI).

The data breach affected roughly 36,000 individuals, whose protected health information was viewed and stolen by an unauthorized third party between April 2020 and June 2020. The breach occurred at Charles J. Hilton PC (CJH), UPMC’s legal counsel, which provided billing-related services. The exposed records were located in the firm’s email system and included names, dates of birth, Social Security numbers, financial details, ID numbers, signatures, insurance data, and medical records. The breach was identified in June 2020; nonetheless, notification letters were not sent to affected individuals until December 2020.

Although many speculative lawsuits are filed against healthcare organizations and their business associates over the compromise of patient information, in this instance the plaintiff was defrauded shortly after the breach as a direct result of his data being stolen in the CJH incident. The hacker opened an Amazon credit card account in his name. The plaintiff reported that he had to spend a substantial amount of time dealing with the misuse of his personal information and PHI. The lawsuit claimed that UPMC and CJH had failed in their duty to secure patient records and had not implemented reasonable and appropriate safeguards to protect patients’ private information.

UPMC and CJH did not admit any wrongdoing or liability but agreed to settle the case. Under the terms of the settlement, class members may submit a claim for a $250 cash payment for documented out-of-pocket costs associated with the breach, may file claims for around $2,500 to recover fraudulent charges and expenses linked to identity theft, and may claim $30 for undocumented time spent dealing with the breach. Class members will also be offered 12 months of free credit monitoring, identity theft protection, and dark web monitoring services. Claims must be submitted on or before September 3, 2022.

In 2021, UPMC resolved a long-running lawsuit by paying $2.65 million. That lawsuit was filed on behalf of 27,000 employees affected by a data breach in February 2014.

Meta Faces Lawsuit due to the Scraping of Patient Records from Hospital Web Pages

Meta is facing a lawsuit alleging that the social media company knowingly collects patient data from hospital websites by means of its Meta Pixel tracking tool, and in doing so has violated the privacy of millions of individuals.

The lawsuit was filed in the U.S. District Court for the Northern District of California and alleges violations of state and federal law relating to the collection of patient information without consent. Last week, The Markup/STAT reported on a study of the 100 leading hospitals in the U.S. which found that a third had the Meta Pixel code on their websites. Meta Pixel is a snippet of JavaScript code used to track visitor behavior on websites, for example the buttons they click and the options they select from dropdown menus. When the tool is embedded on a healthcare organization’s website, it can send protected health information (PHI) to Meta/Facebook, such as the visitor’s IP address whenever a patient has booked an appointment, together with any details selected from menus, for instance the health condition the appointment is about.

The study found 7 hospital systems that had embedded Meta Pixel on their password-protected patient portals, where the tool was transmitting sensitive information such as patients’ conditions, which can be linked to the patients by means of their IP addresses. The researchers found no evidence that Meta had signed a business associate agreement with the healthcare providers. Nor did the hospitals and health systems using Meta Pixel obtain patients’ consent to disclose their information to Meta.

The lawsuit was filed on behalf of patient John Doe, a Facebook user and a patient of Maryland-based MedStar Health System. The plaintiff stated that he uses the patient portal to book appointments, send messages to providers, and check laboratory test results, and did not authorize the sharing of his data with Meta/Facebook. MedStar Health said all patient data is secure and that it does not use any Facebook/Meta technology on its websites. According to the lawsuit, at least 664 health systems in the U.S. have incorporated the Meta Pixel tool into their websites, which transmits sensitive information to Meta.

Meta states on its website that whenever its signals filtering process detects Business Tools data that is categorized as potentially sensitive health-related data, the filtering system is designed to prevent that data from being ingested into its ads ranking and optimization models. Nonetheless, the lawsuit asserts that despite knowingly obtaining health-related data from healthcare organizations, Facebook did nothing to enforce or verify its requirement that healthcare providers obtain adequate authorization from patients before sharing patient data with Facebook. The lawsuit claims that the use of the tool on hospital websites without obtaining consent violates the Health Insurance Portability and Accountability Act (HIPAA), since the data is obtained without a business associate agreement. It should be noted that Meta/Facebook itself is not bound by the HIPAA Rules; however, the hospitals that use the tool may be violating HIPAA by disclosing the data without authorization.

The lawsuit alleges a breach of the duty of good faith and fair dealing, and violations of federal and state legislation, including the federal Electronic Communications Privacy Act, the Unfair Competition Law, and California’s Invasion of Privacy Act. The lawsuit seeks punitive and compensatory damages, class-action status, and attorneys’ fees.

This isn’t the first lawsuit to be filed against Facebook over the collection of data from hospital websites. The same attorneys had a case against Facebook dismissed in 2018 – Smith et al v. Facebook – concerning the collection of browsing data from hospital websites. The ruling was upheld by the U.S. Court of Appeals for the 9th Circuit, which decided that the plaintiffs could not sue Facebook because they had accepted Facebook’s terms of service.

Reclaim the Net obtained a copy of the complaint and has published it.

Study Shows 33% of Top 100 U.S. Hospitals are Sharing Patient Information with Facebook

A study of hospital websites has found that 33% of the top 100 hospitals in the U.S. are sharing patient information with Facebook through a tracker known as Meta Pixel, apparently without obtaining patient consent.

Meta Pixel is a JavaScript code snippet used to track a visitor’s activity on a website. According to Meta, the tracked activity appears in Ads Manager and is used to measure the performance of ads, build custom audiences for ad targeting and active ad campaigns, and evaluate the performance of a site’s conversion funnels.

Meta Pixel can collect a range of information, such as which buttons were clicked and which pages were visited by clicking those buttons, and the collected information is tied to the individual through their IP address, which identifies the visitor’s device. That data is then immediately sent to Facebook. On a hospital website, the tracker can capture a user’s IP address and associate it with sensitive information, for example that the person clicked to book an appointment.
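Because the risk described in this section and in the lawsuit above depends on whether the pixel is present on a given page and what that page exposes, a site owner can check both statically. The following audit is an added example written for this article, not code from The Markup, Meta, or any hospital named here; it assumes the standard Meta Pixel snippet (the `fbevents.js` loader, `fbq('init', …)` / `fbq('track', …)` calls, and the `facebook.com/tr?id=…` fallback image), and the sample appointment page and pixel ID it scans are constructed placeholders.

```javascript
// Added example (not from the report, Meta, or any hospital): a static audit that
// scans a page's HTML for the standard Meta Pixel snippet, so a site owner can
// verify whether the tracker sits on appointment or patient-portal pages, and
// inventories the dropdown options and buttons on that page, i.e. the values the
// article describes the pixel forwarding alongside the visitor's IP address.

// Well-known components of the Meta Pixel snippet:
//   loader script:  connect.facebook.net/<locale>/fbevents.js
//   init call:      fbq('init', '<pixel id>')
//   event calls:    fbq('track', 'PageView') / fbq('trackCustom', '...')
//   noscript image: https://www.facebook.com/tr?id=<pixel id>&ev=PageView&noscript=1
const LOADER_RE = /connect\.facebook\.net\/[^"'\s]*fbevents\.js/i;
const INIT_RE = /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g;
const TRACK_RE = /fbq\(\s*['"](?:track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]/g;
const NOSCRIPT_RE = /facebook\.com\/tr\?[^"'\s]*\bid=(\d+)/g;

// Reports whether the pixel is deployed on the page, which pixel IDs it
// initialises and which events it fires.
function auditMetaPixel(html) {
  const pixelIds = new Set();
  const events = new Set();
  for (const m of html.matchAll(INIT_RE)) pixelIds.add(m[1]);
  for (const m of html.matchAll(NOSCRIPT_RE)) pixelIds.add(m[1]);
  for (const m of html.matchAll(TRACK_RE)) events.add(m[1]);
  const loader = LOADER_RE.test(html);
  return {
    present: loader || pixelIds.size > 0,
    loader,
    pixelIds: [...pixelIds].sort(),
    events: [...events].sort(),
  };
}

// Strips tags and collapses whitespace so option and button labels compare cleanly.
function textOf(fragment) {
  return fragment.replace(/<[^>]*>/g, '').replace(/\s+/g, ' ').trim();
}

// Lists the dropdowns (with their option labels) and buttons on the page: the
// interaction values a pixel-style tracker can capture as part of a click event.
function inventoryInteractions(html) {
  const selects = [];
  for (const m of html.matchAll(/<select\b([^>]*)>([\s\S]*?)<\/select>/gi)) {
    const nameMatch = /\bname\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const options = [];
    for (const o of m[2].matchAll(/<option\b[^>]*>([\s\S]*?)<\/option>/gi)) {
      options.push(textOf(o[1]));
    }
    selects.push({ name: nameMatch ? nameMatch[1] : null, options });
  }
  const buttons = [];
  for (const b of html.matchAll(/<button\b[^>]*>([\s\S]*?)<\/button>/gi)) {
    buttons.push(textOf(b[1]));
  }
  return { selects, buttons };
}

// Produces the review lines a site owner would read for one page.
function report(html) {
  const pixel = auditMetaPixel(html);
  const ui = inventoryInteractions(html);
  const lines = [];
  lines.push(pixel.present
    ? `Meta Pixel present (ids: ${pixel.pixelIds.join(', ') || 'unknown'}; events: ${pixel.events.join(', ') || 'none'})`
    : 'Meta Pixel not detected');
  for (const s of ui.selects) lines.push(`dropdown "${s.name}": ${s.options.join(' | ')}`);
  for (const b of ui.buttons) lines.push(`button: "${b}"`);
  return lines;
}

// Constructed sample: an appointment page carrying the pixel snippet. The pixel
// ID 1234567890 is a placeholder, not a real pixel.
const SAMPLE_PAGE = `
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader body elided in this sample */}(window, document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
</head><body>
<form action="/schedule">
  <select name="condition">
    <option value="">Select a condition</option>
    <option value="alz">Alzheimer's disease</option>
    <option value="ob">Pregnancy</option>
  </select>
  <button type="submit">Schedule Online</button>
</form>
</body></html>`;

// The same page with the tracker removed, to show the negative case.
const CLEAN_PAGE = SAMPLE_PAGE
  .replace(/<script>[\s\S]*?<\/script>/, '')
  .replace(/<noscript>[\s\S]*?<\/noscript>/, '');

console.log(report(SAMPLE_PAGE).join('\n'));
console.log(report(CLEAN_PAGE).join('\n'));
```

Running the audit over a crawl of scheduling and portal URLs gives an inventory of which pages carry the pixel and what a click on them could transmit, which is the evidence needed before deciding whether a business associate agreement or removal is required.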

The Markup conducted the study and co-published the report with STAT. The Markup found Meta Pixel tracking on the appointment scheduling pages of one-third of the hospitals. For example, the researchers found that when visitors to the University Hospitals Cleveland Medical Center clicked the ‘Schedule Online’ button on a physician’s page, Meta Pixel sent the text of the button to Meta, together with the physician’s name and the search term, which for that individual was pregnancy termination. It was the same story on a number of other websites, which sent details of the choices made from dropdown menus that revealed information about the patient’s condition, for example Alzheimer’s disease.

More worrying still, at 7 hospital networks Meta Pixel was installed inside password-protected patient portals. The researchers found that five of those hospitals were sending information to Meta about real patients who had agreed to take part in the Pixel Hunt project, which The Markup and Mozilla Rally run. Participants in that project share data with The Markup about the websites they visit, which revealed that information such as patients’ prescription drugs, descriptions of their allergic reactions, and details of their upcoming physician appointments was being sent to Meta.

The Markup stated that there appeared to be no business associate agreements in place between the hospitals and Meta, which the HIPAA Rules require before such data sharing is permitted. It also appeared that patient consent for transmitting the information to Meta had not been obtained, which means probable HIPAA violations.

The 7 hospital systems affected were Edward-Elmhurst Health, Community Health Network, FastMed, Piedmont, Renown Health, Novant Health, and WakeMed. All except Renown Health and FastMed had removed the Meta Pixel after being informed of the data transfer by The Markup by the time the report was published, as had 6 of the 33 hospitals found to have the Meta Pixel on their appointment scheduling pages.

The Markup stated in its report that the 33 hospitals with Meta Pixel installed on their appointment pages collectively reported over 26 million patient admissions and outpatient visits in 2020, and that the study only examined the top 100 hospitals, so many more may be sharing information with Facebook via Meta Pixel.

The Markup said it could not determine how Meta/Facebook used the information transmitted via Meta Pixel, including whether it was used to serve targeted advertisements. Meta spokesperson Dale Hogan issued a statement in response to the study’s findings, saying that when Meta’s signals filtering systems detect that a business is sending potentially sensitive health information from its app or website through Meta Business Tools, which in some cases can happen by mistake, that potentially sensitive information is removed before it can be stored in Meta’s ads systems.

HHS Offers Guidance for Healthcare Companies to Improve Their Cyber Posture

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued guidance to help healthcare organizations strengthen their cyber posture. Cyber posture is the term used to describe the overall strength of an organization’s cybersecurity, its practices for predicting and preventing cyber threats, and its ability to continue operating while responding to them.

To abide by the HIPAA Security Rule, companies must employ safety measures to protect the integrity, availability, and confidentiality of electronic protected health information (ePHI), and minimize threats to a low and tolerable level.

Technical safeguards are necessary to keep ePHI secure and private and to ensure that ePHI can be recovered after a damaging cyberattack. A strong cybersecurity program helps to limit the damage caused by an attack, can prevent the theft of sensitive data such as ePHI and intellectual property, reduces the risk of patient information being misused, and helps to build customer trust.

HC3 lists a number of steps that can be taken to improve cyber posture, such as performing regular security posture assessments, continuously monitoring networks and software for vulnerabilities, identifying which departments have problems and assigning owners to specific challenges, regularly examining gaps in security controls, defining key security metrics, and creating incident response and disaster recovery plans.

HC3 also recommends adopting the cybersecurity practices set out in CISA Insights for preventing cyber threats. These practices help to reduce the likelihood of a damaging cyber intrusion, help organizations quickly detect attacks in progress, make it faster to mount an effective breach response, and increase the organization’s resilience to damaging cyberattacks.

HC3 focuses on the security risk analysis, an element of HIPAA Security Rule compliance that continues to be problematic for many healthcare organizations. The security risk analysis involves identifying threat sources, threat events, and vulnerabilities, determining the likelihood of exploitation and the potential impact, and assessing risk as a combination of likelihood and impact.

Healthcare organizations can then use the output of the risk analysis to prioritize the management of risks. The Office for Civil Rights has recently released a new version of its Security Risk Assessment tool to help small and medium-sized healthcare organizations conduct their security risk analysis.

Aesto Health and Motion Picture Industry Health Plan Report Data Breaches

Aesto Health, a software company based in Birmingham, AL, provides services that help healthcare organizations and medical providers share, organize, and secure patient data. The company has reported that it recently experienced a cyberattack that disrupted some of its internal information technology systems.

Aesto Health discovered the security breach on March 8, 2022, and immediately took steps to block the unauthorized individual from further accessing its systems. A third-party computer forensics firm assisted with the investigation and confirmed that an unauthorized individual had access to the affected systems from December 25, 2021 until March 8, 2022.

During that period, certain files containing radiology reports originating from Osceola Medical Center (OMC) in Wisconsin were extracted from a backup storage device. A review of the affected records confirmed that they contained the protected health information (PHI) of patients, such as names, dates of birth, physician names, and reports of results from radiology imaging performed at OMC. No Social Security numbers or financial records were accessed or stolen, and OMC’s own systems and electronic medical records were not affected. Aesto Health said it has implemented additional safeguards and technical security measures to provide added protection and monitoring of its systems.

The breach report has been submitted to the HHS’ Office for Civil Rights indicating that 17,400 patients were affected.

Motion Picture Industry Health Plan Notifies Members Regarding Unauthorized Disclosure of PHI

The Motion Picture Industry Health Plan (MPIHP) has reported an impermissible disclosure of the PHI of 16,838 plan members because of a mismailing incident. MPIHP discovered the mailing error on March 31, 2022. Because of the error, plan members’ information was mailed to the wrong addresses. In each case, a letter intended for one MPIHP member was mailed to a different MPIHP member.

The letters did not include any medical data or health claims data. They contained only a member’s name, address, hours worked, the last four digits of their Social Security number, and their latest dates of eligibility. MPIHP has sent notification letters to all affected individuals at the last address those members provided. Affected individuals have been offered free one-year identity monitoring services. MPIHP said it identified the specific cause of the error and has taken steps to prevent a similar mismailing incident from happening again.

2 Million Patients Affected by Shields Health Care Group Cyberattack

The protected health information (PHI) of around 2 million people was potentially compromised in a cyberattack on Shields Health Care Group. Massachusetts-based Shields Health Care Group provides ambulatory surgical center management and medical imaging services across New England. The group detected suspicious activity within its network on March 28, 2022. Prompt action was taken to secure its systems and stop continued unauthorized access. Third-party forensics specialists assisted with the investigation and confirmed the nature and scope of the security breach.

The forensic investigation revealed that an unauthorized individual had access to some Shields systems from March 7, 2022 to March 21, 2022. Shields stated that a security alert was triggered on March 18, 2022, but the investigation at that time did not find evidence of a data breach. It has since been confirmed that during that period of access, certain data was taken from its systems. Shields said it is not aware of any instances of attempted or actual misuse of patient data.

An analysis of the files that were extracted from its systems or may have been accessed by unauthorized persons revealed that the following types of information were impacted: Full name, Social Security number, birth date, home address, provider data, diagnosis, billing details, insurance number and details, medical record number, patient ID, and other medical or treatment data. Shields is still reviewing the affected data and will issue breach notifications to impacted people on behalf of all affected facility partners after that review is finished.

After the attack was discovered, prompt action was taken to secure its network and records, certain systems were rebuilt, and additional safeguards were put in place to better protect patient information. Cybersecurity measures will continue to be evaluated and improved to strengthen ongoing information security.

The breach has already been listed on the HHS’ Office for Civil Rights breach portal as affecting 2,000,000 individuals. Shields stated that those individuals had received treatment at the 56 facility partners listed below:

  • Cape Cod Imaging Services, LLC (a Falmouth Hospital Association, Inc business associate)
  • Cape Cod Radiation Therapy Service, LLC
  • Cape Cod PET/CT Services, LLC
  • Central Maine Medical Center
  • Emerson Hospital
  • Falmouth Hospital Association, Inc.
  • Fall River/New Bedford Regional MRI Limited Partnership
  • Franklin MRI Center, LLC
  • Lahey Clinic MRI Services, LLC
  • Mercy Imaging, Inc.
  • Massachusetts Bay MRI Limited Partnership
  • MRI/CT of Providence, LLC
  • Newton-Wellesley Imaging, PC
  • Newton Wellesley Orthopedic Associates, Inc.
  • Newton-Wellesley MRI Limited Partnership
  • NW Imaging Management Company, LLC (a Newton Wellesley Orthopedic Associates, Inc. business associate)
  • Northern MASS MRI Services, Inc.
  • PET-CT Services by Tufts Medical Center and Shields, LLC
  • Radiation Therapy of Winchester, LLC
  • Radiation Therapy of Southeastern Massachusetts, LLC
  • Shields CT of Brockton, LLC
  • Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a SportsMedicine Atlantic Orthopaedics P.A. business associate)
  • Shields Imaging at Anna Jaques Hospital, LLC
  • Shields Healthcare of Cambridge, Inc.
  • Shields Imaging at University Hospital, LLC
  • Shields Imaging Management at Emerson Hospital, LLC (an Emerson Hospital business associate)
  • Shields Imaging at York Hospital, LLC
  • Shields Imaging of Eastern Mass, LLC
  • Shields Imaging of North Shore, LLC
  • Shields Imaging of Lowell General Hospital, LLC
  • Shields Imaging of Portsmouth, LLC
  • Shields Management Company, Inc.
  • Shields Imaging with Central Maine Health, LLC (a Central Maine Medical Center business associate)
  • Shields PET/CT at CMMC, LLC
  • Shields MRI & Imaging Center of Cape Cod, LLC
  • Shields PET-CT at Cooley Dickinson Hospital, LLC
  • Shields MRI of Framingham, LLC
  • Shields PET_CT at Berkshire Medical Center, LLC
  • Shields PET-CT at Emerson Hospital, LLC
  • Shields Signature Imaging, LLC
  • Shields Radiology Associates, PC
  • Shields Sturdy PET-CT, LLC
  • Shields-Tufts Medical Center Imaging Management, LLC (a Tufts Medical Center, Inc. business associate)
  • South Shore Regional MRI Limited Partnership
  • Southeastern Massachusetts Regional MRI Limited Partnership
  • South Suburban Oncology Center Limited Partnership
  • SportsMedicine Atlantic Orthopaedics P.A.
  • Tufts Medical Center, Inc.
  • UMass Memorial MRI – Marlborough, LLC
  • UMass Memorial HealthAlliance MRI Center, LLC
  • UMass Memorial MRI & Imaging Center, LLC
  • Winchester Hospital / Shields MRI, LLC

New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing

A New York federal judge has dismissed, for lack of standing, a class-action lawsuit filed against Alliance HealthCare Services and NorthEast Radiology PC over a data breach that exposed the protected health information (PHI) of over 1.2 million people.

The lawsuit was filed in July 2021 on behalf of plaintiffs Lisa Rosenberg and Jose Aponte II, whose PHI was compromised due to a misconfiguration of the firms’ Picture Archiving and Communication System (PACS), which contained medical images and related patient data. In late 2019, security researchers discovered the exposed information and notified the affected organizations, NorthEast Radiology and its vendor, Alliance HealthCare Services.

According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million individuals. NorthEast Radiology submitted a breach report to the HHS’ Office for Civil Rights indicating that 298,532 individuals were affected. The lawsuit alleged that the defendants had implemented insufficient security safeguards to protect the privacy of patient information, which allowed unauthorized individuals to access the medical images and other PHI from April 14, 2019 to January 7, 2020. The plaintiffs claimed that they face an ongoing and imminent risk of identity theft and fraud, since protected health information cannot be canceled. They stated that they now have to continually monitor their accounts, use credit and identity theft monitoring services, and spend additional time and effort to prevent and mitigate possible future losses.

It is now common for lawsuits to be filed against healthcare organizations following data breaches; however, the lawsuits usually fail because the plaintiffs cannot show proof of harm resulting from the compromise or theft of their personal data, as was the case here. Judge Vincent L. Briccetti of the U.S. District Court for the Southern District of New York dismissed the lawsuit because the plaintiffs had not alleged a cognizable injury. The judge ruled that the mere exposure of sensitive information could not establish that the plaintiffs were harmed by the incident, and that the threat of future harm from the exposure of their sensitive data was too speculative to establish standing.

Although the breach report filed with the HHS’ Office for Civil Rights stated that about 298,532 individuals were affected, NorthEast Radiology was only able to confirm that the information of 29 patients had actually been subjected to unauthorized access, and the two plaintiffs named in the lawsuit were not in that small group.

Judge Briccetti referenced the Second Circuit’s decision in McMorris v. Carlos Lopez & Associates, LLC, applying the three-factor test established there for determining whether alleged harm from a data breach amounts to a cognizable Article III injury-in-fact:

  1. whether the plaintiffs’ information was exposed because of a targeted attempt to acquire that data;
  2. whether any part of the dataset was misused, even though the plaintiffs themselves haven’t encountered identity theft or fraud; and
  3. whether the type of exposed information is sensitive such that the risk of identity theft or fraud is high.

Judge Briccetti dismissed all of the plaintiffs’ claims for breach of contract, breach of implied contract, negligence, negligence per se, intrusion upon seclusion, and violations of New York General Business Law Section 349.

Former IT Consultant Charged with Deliberately Causing Harm to Healthcare Company’s Server

An information technology consultant who worked as a contractor at a suburban healthcare organization in Chicago has been charged with illegally getting access to the firm’s network and deliberately causing harm to a protected computer.

Aaron Lockner, age 35, resident of Downers Grove, IL, worked for an IT organization that had a contract with a healthcare firm to offer security and technology services. Lockner was given access to the network of the healthcare organization’s clinic in Oak Lawn, IL, to perform the contracted IT solutions.

In February 2018, Lockner applied for a job with the healthcare company, but his application was rejected. Lockner was then laid off from the IT company in March 2018. A month later, on or about April 16, 2018, Lockner allegedly accessed the healthcare organization’s computer system remotely without authorization. According to the indictment, Lockner knowingly caused the transmission of a program, information, code, and command, and as a result intentionally caused damage to a protected computer. The intrusion impaired the medical examination, diagnosis, treatment, and care of one or more individuals.

Lockner is charged with one count of intentionally causing damage to a protected computer. Arraignment is scheduled for May 31, 2022 in the U.S. District Court for the Northern District of Illinois, Eastern Division. If convicted, Lockner faces up to 10 years in federal prison.

This case illustrates the risk posed by insiders. The newly published 2022 Verizon Data Breach Investigations Report shows that attacks by external actors outnumber insider attacks by 4 to 1; however, safeguards must also be put in place to protect against insider threats.

In this case, the alleged access occurred two months after the rejection of the job application and one month after termination from the IT firm. When individuals leave an organization, whether voluntarily or through dismissal, their access rights to systems should be terminated promptly and systems should be checked for any malware or backdoors that may have been installed.

There have been several cases of disgruntled IT contractors retaining remote access to networks after dismissal, including one at a law firm where a former IT worker installed a backdoor and later used it to access the system and intentionally cause damage after leaving the company. In that case, the individual was sentenced to 115 months in federal prison and ordered to pay $1.7 million in restitution.

Data Security Incidents Reported by Parker-Hannifin Corporation, Behavioral Health Partners of Metrowest and Vail Health Services

Parker-Hannifin Corporation, a Cleveland, OH-based manufacturer of motion and control technologies, recently reported that unauthorized individuals gained access to parts of its IT systems and may have obtained files containing the sensitive data of current and former employees, their dependents, and other individuals associated with the organization.

The company detected suspicious activity within its IT environment on March 14, 2022. The forensic investigation confirmed that unauthorized individuals accessed its systems from March 11, 2022 to March 14, 2022. A thorough review of the affected files confirmed that they contained data such as names, dates of birth, addresses, driver’s license numbers, Social Security numbers, passport numbers, and financial account data such as online account usernames and passwords and bank account and routing numbers. The enrollment information of current and former members of the Parker Group Health Plan, as well as members of a health plan sponsored by an entity acquired by Parker, may also have been exposed. The compromised information may include health insurance coverage dates and plan member ID numbers.

The breach report submitted to the HHS’ Office for Civil Rights indicated that 119,513 group health plan members were affected. The company already notified the affected persons and provided a free membership to Experian’s IdentityWorks identity theft protection and monitoring services for two years.

Data Theft Incident Reported by Behavioral Health Partners of Metrowest

Behavioral Health Partners of Metrowest (BHPMW), based in Framingham, MA, has notified 11,288 individuals that an unauthorized individual copied some of their protected health information (PHI) from its systems. BHPMW discovered the data breach on October 1, 2022, and the forensic investigation confirmed that the unauthorized individual had access to its systems and exfiltrated information from September 14 to September 18, 2021.

The stolen information related to the Behavioral Health Community Partner Program that BHPMW operates under its agreement with MassHealth, together with the provider agencies SMOC, Advocates, Family Continuity, Wayside Youth and Family Support, and Spectrum Health Systems. The compromised information included names, Social Security numbers, addresses, dates of birth, client ID numbers, health insurance data, and medical diagnosis/treatment details. BHPMW has received no reports of actual or attempted misuse of the stolen data.

BHPMW sent notification letters to impacted persons on May 11, 2022, and those persons received offers of free credit monitoring and identity protection services.

17,000 Patients Affected by Vail Health Services Data Security Incident

Vail Health in Colorado experienced a data security incident that led to the compromise and possible theft of the PHI of 17,039 individuals. Vail Health stated that when it began experiencing problems with its network systems it launched an investigation, which determined on April 5, 2022 that an unauthorized individual had gained access to its network on February 11, 2022.

The breached systems contained a limited number of files, including data on individuals who received COVID-19 tests from Vail Health, such as names, dates of birth, contact details, encounter numbers, and COVID-19 test data. No financial data, health insurance data, or Social Security numbers were compromised.

The affected systems already had controls that limited access to a small number of individuals. Additional security measures have been implemented to further restrict access.

Data Breaches Reported by Refuah Health Center and Quantum Imaging Therapeutic Associates

Refuah Health Center in New York has recently begun notifying 260,740 patients about a security breach that occurred roughly one year ago. According to the April 29, 2022 notice on the healthcare provider’s website, it recently discovered that unauthorized access to its systems took place from May 31, 2021 to June 1, 2021. Upon learning of the breach, the health center launched an investigation to determine the nature and scope of the cyberattack, and a thorough review was then conducted of all files that may have been accessed.

Refuah Health Center stated that it determined on March 2, 2022 that the attackers had exfiltrated a number of files from its network containing “a limited amount” of patients’ protected health information (PHI), which included names and at least one of the following data types: driver’s license numbers, state ID numbers, dates of birth, Social Security numbers, bank/financial account data, debit/credit card details, healthcare treatment/diagnosis details, Medicaid/Medicare numbers, patient account numbers, medical record numbers, and/or health insurance policy numbers. The health center began sending notification letters to affected individuals on April 29, 2022 and has offered free credit monitoring services to individuals whose Social Security numbers were potentially exposed.

Although Refuah Health Center didn’t make known more data concerning the character of the attack, databreaches.net stated that the attack seems to have been performed by the Lorenz ransomware group, which included Refuah Health Center to its listing of victims on its data leak website on June 11, 2021, though that entry is already deleted.

Quantum Imaging Therapeutic Associates Patients’ PHI Compromised

Quantum Imaging Therapeutic Associates, a specialized diagnostic radiology services provider based in Lewisberry, PA, recently sent breach notification letters to patients informing them that their PHI was compromised. The data security breach was discovered and blocked on October 7, 2021.

At the time the notification letters were issued, no evidence had been found that the attackers viewed or stole any patient information, although that possibility could not be ruled out. The breached parts of its systems contained patient information such as names, dates of birth, addresses, Social Security numbers, and data related to the radiology services provided.

After blocking the attack, Quantum began an investigation with the assistance of third-party IT professionals, reviewed its network environment, and made security enhancements. Quantum will also monitor the threat landscape closely and take proactive steps to address new threats. Impacted people have been offered complimentary identity theft protection services.

The incident is not yet posted on the HHS’ Office for Civil Rights breach portal, so it is not yet clear how many persons were impacted.

New Framework for Evaluating the Privacy, Security, and Safety of Digital Health Technologies

The American Telemedicine Association (ATA), the Organization for the Review of Care and Health Applications (ORCHA), and the American College of Physicians (ACP) have partnered to create a new framework for evaluating digital health technologies used by healthcare professionals and patients.

Presently, over 86 million Americans use a fitness or health app. These digital health technologies, of which there are more than 365,000 individual products, can collect, store, process, and transmit personal and health information that would be classified as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA); nevertheless, most of these technologies are not covered by HIPAA or by other rules, federal laws, or government guidance. The absence of guidance in this area hinders the adoption of digital health technologies, which have enormous potential for improving condition management, clinical risk assessment, and decision support.

The developers of digital health technologies frequently share user information collected by their products and apps with third parties, but do not always disclose their data-sharing practices to consumers, and their privacy policies are often far from transparent. The use of these applications and technologies can put user privacy at risk. The technologies may also lack proper security controls and may be susceptible to cyberattacks that expose sensitive user information.

The Digital Health Assessment Framework is intended to be an open system that anyone may access and use, to support the adoption of high-quality digital health technologies and guide healthcare professionals and patients in making better decisions about which digital health solutions best match their needs, as the ATA explained in a press release.

The framework consists of elements that healthcare professionals and consumers can use to evaluate data and privacy, clinical assurance and safety, usability and accessibility, and technical security and stability, and was designed to support U.S. rules, regulations, and standards for digital health practice.

Digital health technologies can provide safe, effective, and engaging access to personalized health and support, offer more convenient care, increase patient and healthcare provider satisfaction, and achieve better clinical outcomes. Ann Mond Johnson, the ATA CEO, added that there are hundreds of health apps and devices for patients and physicians to choose from, and that the ATA’s objective is to build confidence that the health and wellness resources assessed under this Framework meet quality, privacy, and clinical assurance requirements in the U.S.

ACP is conducting a pilot study in which health applications will be assessed against the framework to produce an extensive collection of acceptable digital health solutions. The framework will be updated regularly based on feedback from digital health technology firms, healthcare professionals, consumers, and other stakeholders to reflect changes in clinical practice, the most recent guidelines and recommendations, and best practices.

HHS Information Security Program ‘Not Effective’ According to Audit

An audit was performed for the Department of Health and Human Services’ Office of Inspector General (OIG) to evaluate the HHS’ compliance with the Federal Information Security Modernization Act of 2014 (FISMA) for the 2021 fiscal year. The agency’s security program was rated ‘not effective’, as it was in fiscal years 2018, 2019, and 2020. Five of the HHS’ 12 operating divisions were audited, though OIG did not say which five divisions were selected.

To receive an effective rating, the HHS needs to reach the ‘Managed and Measurable’ maturity level for the function areas of Identify, Protect, Detect, Respond, and Recover, as required by the FY 2021 Inspector General FISMA Reporting Metrics and DHS guidance.

The OIG report states that the HHS is still making adjustments to improve the maturity of its enterprise-wide cybersecurity program and that it is working toward more sustainable cybersecurity across all FISMA domains.

The HHS security program improved the maturity of controls for a number of FISMA metrics, but made no progress in certain areas because Information Security Continuous Monitoring (ISCM) efforts have not been fully implemented across its operating divisions. This matters because reliable information and metrics are needed to make sound risk management decisions.

The HHS has partially implemented its Continuous Diagnostics and Mitigation (CDM) program, which has improved visibility into certain assets, and awareness of vulnerabilities and threat data has improved through the use of RSA Archer and Splunk. Progress has been made toward implementing a complete department-wide CDM program to ensure continuous monitoring of HHS networks and systems, accurately report the status of operating divisions, and manage and enforce processes that address risk, prioritize concerns using established risk criteria, and enhance its cybersecurity response capabilities.

The HHS has improved its deployment of CDM tools and procedures but does not have a specific timetable for fully implementing the CDM program across all operating divisions. Until the HHS fully implements its CDM approach, it cannot identify cybersecurity risks on a continuous basis, prioritize remediation according to likely impact, or mitigate the most serious vulnerabilities first.

OIG made a number of recommendations for improving the maturity of the HHS information security program. The HHS should continue implementing an automated CDM solution to obtain centralized, enterprise-wide oversight of risks throughout HHS. The ISCM strategy should be updated to provide a more accurate roadmap, with specific target dates for ISCM deployment across the HHS operating divisions. An enterprise risk assessment of identified control weaknesses should be performed and an appropriate risk response documented, and the HHS should establish a process to track information system contingency plans to ensure they are created, maintained, and integrated with other continuity requirements for its IT systems.

The HHS agreed with all the recommendations of OIG.

WEDI Gives Healthcare-Specific Advice for Enhancing the NIST Cybersecurity Framework

The Workgroup for Electronic Data Interchange (WEDI) has responded to the National Institute of Standards and Technology’s (NIST) request for information with a number of recommendations for improving the NIST Cybersecurity Framework and its supply chain risk management guidance, to help healthcare organizations address some of the most pressing threats facing the industry.

Ransomware is one of the most serious threats to the healthcare sector, and that is unlikely to change in the near future. To help healthcare organizations manage the risk, WEDI has advised NIST to focus on ransomware and address it specifically within the Cybersecurity Framework. NIST released a new ransomware resource in February 2022, which includes important guidance on preventing, detecting, responding to, and recovering from ransomware attacks. WEDI believes incorporating ransomware into the framework will increase the reach and impact of that resource.

WEDI has also recommended adding specific case studies of healthcare organizations that have experienced a ransomware attack, updating the framework to identify contingency planning approaches appropriate to the type of healthcare organization, and providing guidance focused on contingency planning, implementation, and recovery. Ransomware attacks on healthcare organizations carry risks that do not apply to other entities. More information in this area would greatly benefit healthcare organizations and could help reduce disruption and patient safety concerns.

Healthcare organizations are building patient access Application Programming Interfaces (APIs) and applications (apps) that are covered by HIPAA and are therefore required to implement safeguards to ensure the privacy and security of any healthcare information they hold. However, WEDI has drawn attention to the absence of strong privacy requirements for third-party health applications that are not covered by HIPAA. WEDI states there is a need for a national security framework to ensure that medical information acquired by third-party applications is subject to appropriate privacy and security standards.

The number of threats and vulnerabilities affecting mobile and implantable medical devices has grown dramatically in recent years, and those risks will probably continue to grow significantly in the coming years. WEDI has advised NIST to address cybersecurity issues associated with these devices specifically within the framework, and also to tackle the problem of insider threats. Many healthcare data breaches result from insider threats, including lost electronic devices, social engineering, and phishing attacks. WEDI believes these issues, along with security awareness training, should be addressed in the framework.

WEDI has also recommended that NIST create a version of its framework aimed at smaller healthcare organizations, which lack the resources to stay current with the latest security developments and to implement the latest security measures and protocols. A version of the framework more targeted at the threats faced by smaller organizations would be very beneficial and should include practical, proactive steps that small healthcare organizations can take to mitigate risks.

Data Breaches Reported by Smile Brands Ransomware Attack, Arcare and Onehome Health Solutions

Smile Brands, based in Irvine, CA, provides support services for dental offices. It recently provided an update on the number of people affected by a ransomware attack that was identified on April 24, 2021. The attackers gained access to parts of its network on April 23, 2021 that stored files containing the protected health information (PHI) of individuals, including names, telephone numbers, addresses, birth dates, Social Security numbers, financial data, government-issued ID numbers, and health information.

The breach was initially reported to the HHS’ Office for Civil Rights in June 2021 as affecting 1,200 people, but the report was later corrected to state that as many as 199,683 persons were impacted. However, in the most recent notification to the Maine attorney general, the breach was reported as impacting around 2,592,494 individuals. The preliminary notice to the Maine attorney general was sent on October 8, 2021.

Smile Brands stated that affected persons were offered a complimentary 12-month membership to a credit monitoring service, which includes identity theft assistance services and coverage under a $1 million identity theft insurance policy.

Malware Possibly Allowed Hackers to Access ArCare Patient Information

Arcare, a provider of primary care and behavioral health services in Kentucky, Arkansas, and Mississippi, has reported that patient information was potentially accessed by unauthorized people in a cyberattack identified on February 24, 2022. Malware found on its systems caused a temporary disruption of its services. ArCare took immediate action to stop the ongoing unauthorized access and launched an investigation to determine the nature and scope of the incident.

The investigation affirmed on March 14, 2022, that the hackers may have accessed sensitive data from January 18, 2022 to February 24, 2022. An analysis of the impacted records was done on April 4, 2022, and established they included names, driver’s license or state ID numbers, Social Security numbers, dates of birth, financial account details, medical treatment data, prescription details, medical diagnosis or condition details, and medical insurance information.

Although data was exposed, no evidence was found of actual or attempted misuse of patient information. ARcare stated it has revised its policies and procedures related to data protection and security, and mailed notification letters to affected persons on April 25, 2022.

The incident is not yet posted on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many people were impacted.

Theft of Unencrypted Laptops from the Home of Onehome Health Solutions Employee

Two unencrypted laptop computers were stolen from the home of a Onehome Health Solutions employee. The healthcare provider, based in Miramar, FL, discovered the theft on March 3, 2021 and reported the incident to law enforcement.

A forensic investigation confirmed that the laptops stored the PHI of approximately 15,401 patients, including names, addresses, telephone numbers, health data, medical insurance data, and the last four digits of Social Security numbers.

Onehome stated that all impacted persons were notified about the compromise of their data, and free identity theft protection services were offered to people whose Social Security numbers were partially exposed.

Solara Medical Supplies Offers to Pay $5 Million to Resolve Class Action Data Breach Lawsuit

A federal court in California recently granted preliminary approval of a settlement to resolve a consolidated class action lawsuit against Solara Medical Supplies.

Solara Medical Supplies, based in Chula Vista, California, is a direct-to-consumer company selling medical devices and disposable medical products, as well as a registered pharmacy. Solara Medical discovered suspicious activity in an employee’s email account on June 28, 2019. The subsequent investigation confirmed that unauthorized people had gained access to several Office 365 email accounts from April 2, 2019 to June 20, 2019, after staff members responded to phishing emails.

According to the forensic investigation, the sensitive data of 114,007 customers was compromised and possibly stolen, including names, birth dates, driver’s license numbers, Social Security numbers, medical insurance data, and financial details. Impacted patients were offered one year of free credit monitoring and identity theft protection services.

Four class action lawsuits were filed on behalf of the impacted customers, and those cases were consolidated into one lawsuit. Solara Medical offered the settlement to resolve the lawsuit and avoid further legal expenses, but did not admit any wrongdoing. The settlement ends the lawsuit with prejudice and does not constitute an admission of wrongdoing, fault, or liability.

Under the terms of the settlement, Solara Medical has agreed to pay $5,060,000 to cover the plaintiffs’ and class members’ claims, and will take steps to improve data security to prevent further breaches. The six plaintiffs who filed the lawsuits will each receive $4,000 in compensation, and all class members who submit timely claims will receive $100, plus a pro-rata payment of approximately $1,000 if funds remain after the $100 cash payments are made. The settlement amount includes $2.3 million in attorneys’ fees. Any remaining funds will be donated to the Juvenile Diabetes Research Foundation.

Over the next two years, Solara Medical will undergo recurring SOC 2 Type 2 audits until it passes, have a third party conduct a HIPAA IT assessment, carry out at least one cybersecurity incident response test per year, and undergo third-party phishing and external-facing vulnerability tests at least twice a year. Solara Medical will also deploy a security information and event management (SIEM) tool with a 400-day lookback on activity logs. Enhanced or equivalent versions of these remedial measures will be implemented in line with new industry standards for the following 3 years.

Over 510,000 Individuals Affected by Adaptive Health Integrations Data Breach

Adaptive Health Integrations recently reported a data breach to the Department of Health and Human Services’ Office for Civil Rights (OCR) that affected the protected health information (PHI) of 510,574 individuals.

Adaptive Health Integrations, based in Williston, North Dakota, provides LIS software services and billing/revenue services to laboratories, physician offices, and other healthcare organizations. A copy of the notification letter posted on the Montana Attorney General’s website states that Adaptive Health Integrations recently discovered that an unauthorized person had gained access to its systems on or about October 17, 2021, and potentially accessed some information stored on its network.

The letters state that upon discovering the unauthorized access, the company immediately contained the threat and launched an investigation. A detailed audit of the breached files was performed, and that process concluded on February 23, 2022. According to the notification letters, free credit monitoring, fraud consultation, and identity theft restoration services are being offered through Kroll for one year.

The notification letters gave no details about who Adaptive Health Integrations is or why it holds the PHI of individuals. Some people who received a notification letter have posted online asking about the authenticity of the letters, which were printed on plain paper with a copied image of the company logo. After looking at the company’s website, some have suggested that the letters may be a scam.

A Google search for the company leads to a two-page website with a placeholder contact page containing dummy text. At the time notifications were sent, the company’s website made no mention of a data breach.

The law firm Migliaccio & Rathod LLP states it is investigating the data breach at Adaptive Health Integrations.

Email Account Breaches Announced by Newman Regional Health and Contra Costa County

Newman Regional Health (NRH), based in Emporia, KS, which operates a 25-bed critical access hospital, has recently started notifying 52,224 people that unauthorized individuals gained access to some employee email accounts containing protected health information (PHI).

NRH stated on its website that unauthorized persons accessed a few employee email accounts over a 10-month period in 2021, between January 26, 2021 and November 23, 2021. Upon detecting the breach, NRH took prompt action to secure the email accounts and started an investigation to determine the nature and extent of the incident.

NRH stated that a review of the email messages in the compromised accounts confirmed on March 14, 2022 that the following types of patient information were compromised: names, dates of birth, email addresses, postal addresses, medical record/ID numbers, phone numbers, and certain health, treatment, or insurance details. Some of the information acquired concerned an individual’s receipt of services from, or employment with, NRH. A few individuals also had their financial details or Social Security numbers exposed.

The types of data exposed varied from person to person, and no evidence of fraudulent activity resulting from the breach had been identified when the notification letters were issued. NRH said it has put in place additional measures to strengthen security.

Contra Costa County Reports Email Account Security Breach

Contra Costa County in California has reported a breach of staff email accounts and the compromise of sensitive personal data. The forensic investigation revealed that unauthorized persons had access to employee email accounts from June 24, 2021 to August 12, 2021.

According to the substitute breach notice on the Contra Costa County website, the email accounts contained information on employees and on people who had previously contacted the County’s Employment and Human Services Department. The exposed records contained names, Social Security numbers, state-issued ID numbers, driver’s license numbers, passport numbers, financial account numbers, health data, and/or medical insurance details.

Although unauthorized email account access was confirmed, it was not possible to determine whether any email messages or attachments in the accounts were accessed or exfiltrated. It is unclear when the breach was discovered; however, Contra Costa County stated the investigation concluded on March 11, 2022, and notification letters were mailed to impacted individuals on April 15, 2022. Free credit monitoring services were offered to eligible persons.

The breach is not yet posted on the HHS’ Office for Civil Rights breach portal, so it is unclear how many persons were impacted.

PHI Breach at Urgent Team Holdings, The Guidance Center and MetroHealth

Urgent Team Holdings Reports Breach of the PHI of 166,600 People

Urgent Team Holdings, which operates more than 70 urgent care and walk-in facilities in Alabama, Arkansas, Georgia, Tennessee, and Mississippi, has recently informed 166,601 patients that unauthorized individuals potentially obtained some of their protected health information (PHI) in a November 2021 cyberattack.

Urgent Team stated it determined that its network was compromised from November 12, 2021 to November 18, 2021. With the help of third-party cybersecurity specialists, Urgent Team found that files potentially exfiltrated from its systems contained patients’ PHI. An extensive analysis of the files was completed on January 31, 2022 and confirmed they included patients’ full names, medical record numbers, and birth dates.

Although data theft may have occurred, no evidence of exfiltration was identified and no reports of misuse of patient data have been received. To improve security, Urgent Team has implemented multi-factor authentication and added further layers of security to its networks to reduce the risk of unauthorized access. A new antivirus solution was also deployed, which generates alerts on attempted unauthorized access to its systems.

Email Account Breach at The Guidance Center

The Guidance Center, Inc. recently discovered that unauthorized people had access to some employees’ email accounts for a short period of time. When the breach was discovered, the email accounts were promptly secured, and an investigation was launched to determine the nature and scope of the incident.

Third-party cybersecurity experts assisted with the investigation to confirm that its computer networks were secure, and supplemental security measures have since been implemented to prevent further attacks. A review of the affected email accounts revealed they contained patients’ protected health information. The types of compromised information varied from person to person and may have included names along with one or more of the following data elements: medical treatment or diagnosis data, patient record numbers, and/or health insurance details.

The Guidance Center has reported the breach to the HHS’ Office for Civil Rights as affecting 23,104 persons. Complimentary identity protection and credit monitoring services were offered to certain individuals, depending on the types of information exposed.

MetroHealth Announces Compromise of 1,700 Patients’ PHI

MetroHealth System, located in Cleveland, OH, has notified roughly 1,700 patients about the impermissible disclosure of some of their PHI to other patients because of an error that occurred during the modernization of its electronic health record (EHR) system.

A misconfiguration meant that whenever patient records were generated for patients, information about other individuals was inadvertently included, such as patient names, visit data, and the healthcare providers they had seen. No other personal, financial, or medical data was affected.

The EHR vendor discovered the issue and notified MetroHealth about the data breach on February 10, 2022. Notification letters were sent to impacted individuals on April 11.

Resources for Human Development, WellStar Health and Central Vermont Eye Care Announce Data Breaches

Resources for Human Development Reports Breach Affecting 46,673 People

Resources for Human Development (RHD), a national human services nonprofit organization based in Philadelphia, PA, has recently announced the theft of a hard drive containing the protected health information (PHI) of 46,673 people. The theft occurred on or around January 27, 2022, and was discovered by RHD on February 16, 2022.

The hard drive was used for its Point-to-Point program in Exton, PA, and contained information such as names, driver’s license numbers, Social Security numbers, financial account data, payment card details, birth dates, prescription details, diagnosis data, treatment details, treatment providers, health insurance data, medical details, Medicare/Medicaid ID numbers, employer identification numbers, electronic signatures, and usernames and passwords of clients and employees.

RHD stated that forensics experts investigated the scope of the breach and confirmed the security of its offices and computer servers. Employees also received training on best practices for safeguarding confidential data.

Email Breach at Wellstar Health

Wellstar Health, based in Atlanta, GA, has recently confirmed that unauthorized people accessed employee email accounts or obtained patient data. Wellstar Health learned of the security incident on February 7, 2022, and a forensic investigation confirmed that the breach affected only two email accounts. No other systems were affected.

The email accounts were determined to have been compromised from December 6, 2021 to January 3, 2022. Upon identifying the breach, the email accounts were quickly deactivated and secured. A review of the accounts confirmed they contained PHI such as worker names, internal account numbers, medical record numbers, and laboratory details. No evidence was found that any patient data was misused.

It is presently unclear how many patients were impacted.

Central Vermont Eye Care Hacking Incident Affects 30,000 Patients

The ophthalmology practice Central Vermont Eye Care, located in Rutland, VT, recently reported a hacking incident. The exact nature of the incident is not clear at this time; however, it was confirmed that unauthorized persons potentially gained access to the PHI of as many as 30,000 patients. Notification letters were mailed to those persons on April 6, 2022.

OCR Wants Feedback on Recognized Security Practices and the Distribution of HIPAA Settlements with Victims

The Department of Health and Human Services’ Office for Civil Rights has published a Request for Information (RFI) related to two specific provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

Under the 2021 HIPAA Safe Harbor Act amendment to the HITECH Act, the HHS must take into account the security practices that HIPAA-regulated entities had in place when deciding whether to impose financial penalties and other remedies for potential HIPAA violations identified during investigations and audits.

The goal of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to adopt cybersecurity best practices. The incentive for organizations that have implemented industry-standard security practices for one year before a data breach occurs is reduced financial penalties for security breaches and less scrutiny from the HHS.

Another provision, dating back to when the HITECH Act was signed into law, requires the HHS to share a portion of civil monetary penalties (CMPs) and settlement payments with people who were harmed by the violations for which the penalties were imposed. The HITECH Act requires the HHS to establish a methodology for determining appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the resulting harm.

Earlier this year, the newly appointed Director of the HHS’ Office for Civil Rights (OCR), Lisa J. Pino, confirmed that these two requirements of the HITECH Act would be addressed this year. Yesterday, OCR published the RFI in the Federal Register requesting public comment on these two provisions of the HITECH Act.

Specifically, OCR is seeking comments on what constitutes “Recognized Security Practices,” the recognized security practices that HIPAA-regulated entities are implementing to secure electronic protected health information (ePHI), and how those entities demonstrate that they have adequately implemented recognized security practices. OCR would also like to hear about any implementation issues that those entities would like OCR to clarify, either through further rulemaking or guidance, and recommendations on what action should trigger the start of the 12-month look-back period, as that is not specified in the HIPAA Safe Harbor Act.

One of the main difficulties with the requirement to share CMPs and settlements with affected persons is that the HITECH Act does not define harm. OCR wants feedback on the types of “harms” that should be considered when distributing a percentage of CMPs and settlements, and recommendations on possible methods for sharing and distributing funds to harmed persons.

This RFI has long been anticipated, and feedback from the public and the affected industry is welcome. People who are historically underserved, marginalized, or subject to discrimination or systemic disadvantage should provide feedback on this RFI so that their interests will be taken into consideration in later rulemaking and guidance.

To be considered, responses must be submitted to OCR by June 6, 2022.