The Protecting and Transforming Cyber Health Care (PATCH) Act Presented to Enhance Medical Device Cybersecurity

Two senators have introduced the bipartisan Protecting and Transforming Cyber Health Care (PATCH) Act, which aims to strengthen the security of medical devices.

Vulnerabilities are frequently found in medical devices that threat actors could potentially exploit to alter how the devices operate, render them inoperable, or use them as a foothold for broader attacks on healthcare systems. Throughout the pandemic there was a spike in cyberattacks on healthcare organizations, and medical devices and the systems they connect to were affected by ransomware attacks. These attacks have affected patients, hospitals, and the medical device market.

U.S. Senators Tammy Baldwin (D-WI) and Bill Cassidy, M.D. (R-LA) unveiled the PATCH Act to ensure that the cyber infrastructure of the American healthcare system remains safe and protected. The PATCH Act would amend the Federal Food, Drug, and Cosmetic Act to require all premarket submissions for medical devices to include information on the cybersecurity measures that have been implemented.

If passed, the Food and Drug Administration (FDA) could only clear a medical device for use once the manufacturer has demonstrated that critical cybersecurity requirements have been built in. The PATCH Act would also require medical device manufacturers to design, implement, and maintain processes and procedures for updating and patching the devices and their associated systems throughout the device lifecycle. A Software Bill of Materials for each device would also have to be provided to end users, which would make it easier to identify vulnerabilities affecting the devices, such as vulnerabilities in open source components and dependencies.

The PATCH Act would also require medical device manufacturers to establish a plan for monitoring, identifying, and addressing post-market cybersecurity issues, and a coordinated vulnerability disclosure program would be required to demonstrate the safety and effectiveness of a device.

New medical technologies offer great potential to enhance the health and quality of life, stated Dr. Cassidy. If Americans are unable to depend on the protection of their personal data, this potential won’t be achieved.

With the PATCH Act, modern medical technologies are better secured from cyber threats and personal health information is safe while seeking new ways to enhance care at the same time.

Reps. Michael C. Burgess (R-TX) and Angie Craig (D-MN) presented a companion bill in the House of Representatives.

Data Breaches at CSI Laboratories and Christie Clinic; Scripps Health Issues More Notification Letters

Conti Ransomware Gang Says It is Responsible for CSI Laboratories Cyberattack

Cytometry Specialists, Inc., also known as CSI Laboratories, of Alpharetta, GA, has recently reported that it experienced a cyberattack that was discovered on February 12, 2022. An investigation was launched which established that files containing some patient information were copied from its systems. For the most part those files contained patient names and the case numbers used to identify patients; however, addresses, birth dates, medical record numbers, and health insurance information were also included for some patients.

CSI Laboratories said in its website notice that at this stage of the investigation there appears to be no indication of any misuse of patient records. Though CSI Laboratories did not disclose the nature of the attack, the Conti ransomware group has claimed responsibility for the cyberattack and has posted a sample of the stolen data on its data leak site. CSI Laboratories said it has already restored its systems online and is monitoring its network carefully for abnormal activity. No statement was made about payment of any ransom demand.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach site, thus it is uncertain how many people were affected.

Email Account Breach Announced by Christie Clinic

Christie Business Holdings Company, P.C., dba Christie Clinic, has recently reported that it had a security incident involving the email account of an employee. The firm’s breach notice did not state when the breach was discovered, but the forensic investigation confirmed on January 27, 2022, that an unauthorized person accessed the email account between July 14, 2021 and August 19, 2021.

Christie Clinic said the apparent purpose of the attack was to intercept a business transaction between the company and a third-party vendor rather than to obtain sensitive data from the email account; nevertheless, it was not possible to determine to what extent emails in the account were viewed. Christie Clinic said the investigation confirmed that the breach affected only one email account and that no other systems or accounts were affected. On March 10, 2022, the review of information in the account showed that the emails contained protected health information (PHI) such as names, Social Security numbers, addresses, health data, and medical insurance details. Notification letters were sent to affected individuals on March 24, 2022.

Christie Clinic claimed it currently employs industry-leading network security tools, conducts regular training on data security and privacy and has enforced supplemental safety measures.

Scripps Health Issues More Notification Letters Regarding 2021 Ransomware Attack

On June 1, 2021, Scripps Health, based in San Diego, notified the HHS’ Office for Civil Rights of a ransomware attack that resulted in the potential compromise of the PHI of 147,267 patients. Hackers had access to its systems from April 26, 2021 to May 1, 2021, and likely copied files containing patient information. The attack resulted in class action lawsuits, and the healthcare company reported losses of over 113 million.

About a year after the breach of its network, a patient contacted NBC 7. The patient had received a notification letter dated March 15, 2021, informing her of the potential compromise of her PHI in the attack, including her name, address, birth date, medical insurance data, patient account number, medical record number, and clinical data such as diagnosis or treatment details. The patient had not previously received any notification about the ransomware attack.

NBC 7 contacted Scripps Health, which confirmed that the manual document review had only just been completed and that it had identified additional patient information that was potentially compromised in the attack, but it did not say how many more patients were affected.

OCR Announced Financial Penalties for Violations of HIPAA Right of Access

Dental Practitioner Fined $30,000 for Noncompliance with the HIPAA Right of Access

OCR investigated Dr. Donald Brockley D.D.M, a solo dental practitioner based in Butler, PA, following a complaint from a patient who did not receive a copy of the requested health records within the time frame set by the HIPAA Privacy Rule. OCR determined that Dr. Brockley had violated the HIPAA Right of Access and, in a letter dated August 27, 2019, gave him the opportunity to submit written evidence of any mitigating factors. No response was received.

OCR then informed Dr. Brockley of its intent to impose a $104,000 financial penalty, and Dr. Brockley requested a hearing before an Administrative Law Judge to contest the penalty. On October 8, 2021, the parties submitted a joint motion to stay proceedings for 60 days, during which they reached an agreement and the case was resolved.

Dr. Brockley agreed to settle the case by paying a $30,000 financial penalty and implementing a corrective action plan that includes updating policies and procedures to ensure compliance with the HIPAA Right of Access.

California Psychiatric Medical Services Pays $28,000 Financial Penalty to Resolve HIPAA Right of Access Case

OCR investigated Jacob & Associates, a provider of psychiatric medical services in California, because of a complaint filed by a patient who stated that Jacob & Associates failed to provide a copy of the medical records, which was requested on July 1, 2018. The complainant stated that since 2013 such a request was made every July 1, but the requested records were never provided.

After filing the complaint with OCR, the patient resubmitted the records request. A complete copy of the requested health records was provided by email on May 16, 2019. Before receiving those records, however, the patient had to visit the practice in person to fill out a records access form. She was also charged $25 for the copy, and at first received only a partial, one-page copy and had to submit another request to obtain her complete records.

OCR determined that Jacob & Associates had violated the HIPAA Right of Access by not providing timely access to the patient’s health records, by charging the patient a fee that was not cost-based, and by not having policies and procedures regarding patients’ right to obtain their protected health information (PHI).

In the course of the investigation, OCR additionally confirmed that Jacob & Associates had no assigned HIPAA Privacy Officer and lacked the required content for its notice of privacy practices. The case was resolved after Jacob & Associates paid $28,000 and agreed to implement a corrective action plan to deal with all issues of non-compliance.

Arkansas AG Filed Legal Action Against Eastern Ozarks Regional Health for Patient Data Breach

Arkansas Attorney General Leslie Rutledge announced a lawsuit against Country Medical Services Inc. for mishandling the sensitive personal data and protected health information (PHI) of a large number of individuals. Country Medical Services is the former operator of Eastern Ozarks Regional Health System in Cherokee Village. The company’s owners were Robert Becht of Hartsville, TN, and Theresa Hanson of Deland, FL.

Eastern Ozarks Regional Health’s 40-bed hospital was permanently closed in December 2004. Country Medical Services had run the hospital for 9 years, but an investigation by the state Department of Health identified about three dozen potential Emergency Medical Treatment and Labor Act violations because the hospital could not deliver emergency services. In 2004, rather than face financial penalties, the hospital promptly surrendered its hospital license.

Six years later, the property was forfeited to the state because the owners had not paid the taxes. The Attorney General’s office inspected the property and found boxes of documents containing sensitive personal information. Unauthorized persons had gained access to the property, and files kept in the facility appeared to have been looked through, possibly by people searching for sensitive personal information. At this point it is unclear how many former patients’ sensitive data were compromised and possibly stolen. The files left unsecured at the facility included a variety of sensitive employee and patient data, such as names, contact details, driver’s license numbers, Social Security numbers, financial account data, medical data, and biometric information.

According to the lawsuit, which was filed in Sharp County Circuit Court, the investigation found no evidence that the hospital had taken any reasonable steps to securely destroy or protect the sensitive documents. Failing to protect the confidentiality of patient information violates the Health Insurance Portability and Accountability Act (HIPAA); however, as is usually the case, the legal action is being brought for violations of comparable state laws. The lawsuit alleges that the defendants violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act (PIPA), so Country Medical Services and its owners face civil penalties of up to $10,000 per violation of the ADTPA and PIPA.

People must have confidence in their healthcare companies and employers to secure their personal data. Eastern Ozarks Regional Health System betrayed that confidence and left patients and workers susceptible to fraud and identity theft. So, the hospital along with its owners are accountable.

80K Records Breached at Central Indiana Orthopedics & Duncan Regional Hospital

Duncan Regional Hospital based in Oklahoma and Central Indiana Orthopedics reported cyberattacks that impacted a total of 170,084 persons.

Duncan Regional Hospital

Duncan Regional Hospital recently reported that it suffered a cyberattack in January. It discovered the incident on January 20, 2022 because of suspicious activity in certain parts of its IT systems. The IT team immediately took all systems offline to prevent continued unauthorized access, and a third-party computer forensics firm was engaged to determine the nature and scope of the breach.

Duncan Regional Hospital said the attackers did not gain access to its electronic medical record system but did access parts of the network that store files containing patient information. Those files included patient names, telephone numbers, addresses, birth dates, Social Security numbers, appointment data such as dates of service and healthcare provider names, and some treatment information.

The hospital has taken steps to strengthen security and prevent further attacks, including an organization-wide password reset, deployment of new endpoint detection and response software, and stricter firewall rules. Affected individuals have been notified and offered free credit monitoring and identity protection services.

The hospital already reported the incident to the HHS’ Office for Civil Rights indicating that 86,379 patients were affected.

Central Indiana Orthopedics

At the beginning of this month, Central Indiana Orthopedics reported that it had experienced a cyberattack, discovered on October 16, 2021. Action was promptly taken to secure its systems, and a third-party computer forensics firm was engaged to investigate the incident.

The investigation showed that unauthorized persons accessed files containing patient data, but no reports have been received indicating misuse of any patient data. The types of data in the files varied from patient to patient and may have included names, Social Security numbers, addresses, and some medical information.

Central Indiana Orthopedics said several steps have been taken in response to the breach to strengthen security, prevent further cyberattacks, and reduce the potential for future harm. All individuals affected by the incident have been notified and offered free dark web monitoring, credit monitoring, and identity theft protection services.

Central Indiana Orthopedics has reported the incident to the HHS’ Office for Civil Rights as affecting 83,705 individuals.

Breach Barometer Report Reveals 2021 Had More Than 50 Million Healthcare Records Breached

Protenus has published its 2022 Breach Barometer Report, which shows that 2021 was a particularly bad year for healthcare data breaches, with more than 50 million healthcare records breached.

The report counts healthcare data breaches reported to regulators, breaches reported in the media, incidents not yet disclosed by the breached entity, and breaches involving healthcare information at entities not regulated under HIPAA. The data for the report was provided by Databreaches.net.

Protenus has published Breach Barometer reports annually since 2016, and the number of healthcare data breaches and breached records has increased every year. In 2021, approximately 50,406,838 people were confirmed to have been affected by healthcare data breaches, a 24% increase from the prior year. The report includes 905 incidents, a 19% increase from 2020.

The largest healthcare data breach of 2021 affected the Tallahassee, FL-based children’s health plan Florida Healthy Kids Corporation. Vulnerabilities in its website had gone unresolved by its business associate since 2013; hackers exploited those vulnerabilities and gained access to the sensitive information of 3,500,000 people who had applied for medical insurance between 2013 and 2020.

Hacking incidents increased for the 6th consecutive year. There were 678 breaches attributed to hacking, including ransomware, malware, phishing, and other email incidents, which resulted in the exposure or theft of 43,782,811 records.

Insider incidents fell in 2021 after rising in 2020: there were 111 insider incidents in 2021, compared with 110 in 2019. The 26% increase in 2020 was likely due to greater pandemic-related insider curiosity or better detection of impropriety by organizations.

There were 32 breaches involving theft, affecting about 110,6656 records, and 11 incidents involving lost or missing devices or documents containing the records of about 30,922 people. 73 incidents could not be classified because of a lack of data.

Healthcare providers were the worst-affected type of HIPAA-covered entity; however, business associate data breaches doubled from 2019 levels. Of those incidents, 75% were hacking-related, 12% insider error, and 1% insider wrongdoing, and 20,986,509 records were breached in them. Protenus notes that the average number of records breached in business associate data breaches is higher than in other breaches.

The time to discover a data breach fell by 30% from 2020; the average time from occurrence to discovery is now 132 days. However, organizations are taking longer to report data breaches than in 2020: the average time to report a breach in 2021 was 118 days, beyond the 60 days allowed by the HIPAA Breach Notification Rule, compared with 85 days in 2020.

The need for proactive patient privacy monitoring is greater than ever. Today’s threats are far more serious than before and can come from many sources, from a staff member snooping on records to a sophisticated attacker gaining access through an employee’s account. Once a breach destroys patient trust in an organization, that trust is very hard to recover.

HC3 Report on Cyberattack Trends and Insights to Enhance Healthcare Cybersecurity

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has published a new report, Health Sector Cybersecurity: 2021 – Retrospective and 2022 Look Ahead. The report takes a retrospective view of healthcare cybersecurity over the past 30 years, highlighting some of the major cyberattacks to have hit the healthcare sector.

In 1989, biologist Joseph Popp distributed 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. When the disks were used, malicious code was installed that counted reboots. After 90 reboots, a ransom note was displayed stating that the software lease had expired and a $189 payment was required to regain access to the system.

The report shows how adversaries escalated their attacks on the healthcare sector from 2014 to 2017.

  • In 2014, Boston Children’s Hospital experienced a serious Distributed Denial of Service (DDoS) attack.
  • In 2015, there was a major cyberattack on Anthem Inc. in which the records of 80 million health plan members were accessed without authorization.
  • In 2016, Hollywood Presbyterian Medical Center paid a $17,000 ransom after a ransomware attack.
  • In 2017, the WannaCry attacks affected over 200,000 systems.

In 2019, ransomware began to be widely used in attacks on healthcare organizations, with the Ryuk ransomware group among the best-known operators. One of the group’s attacks targeted a managed service provider and affected about 400 dental practices. Attacks continued, and more actors began using ransomware against businesses. In 2020, cybercriminals exploited the COVID-19 pandemic and used COVID-19 lures in their phishing attacks, which continued throughout 2021. McAfee observed an average of 375 COVID-themed threats per minute in 2020.

Major cyberattacks in 2020 were reported by Scripps Health, Accellion, SolarWinds, CaptureRX, and Universal Health Services. Emsisoft reported that $18.6 billion in ransoms had been paid globally to ransomware groups, though it estimated that the true total was around $75 billion.

The prolific Maze ransomware group shut down its operation in 2020, but attacks were conducted by many other actors, such as REvil, BlackMatter, and Avaddon. In 2021, the Conti ransomware gang carried out a massive ransomware attack on the Health Service Executive in Ireland. The attack affected 54 public hospitals along with others that relied on HSE infrastructure, and it took 4 months to restore all online systems.

The report makes clear that cyberattacks on the healthcare industry have been ongoing for years and will continue for years to come. HC3 advises healthcare organizations to keep strengthening their defenses against the most common threats, such as phishing, ransomware, and malware. Security teams should provide regular security awareness training for staff, run phishing simulations to measure the effectiveness of that training, use gateway and mail server filtering, whitelisting, and blacklisting, and operationalize indicators of compromise.

It is also essential to secure remote access technologies, which are frequently exploited to gain access to systems. The use of Virtual Private Networks and Remote Desktop Protocol should be minimized, services should be disabled when not in use, and activity logs should be retained and reviewed regularly.

Vulnerability management is important and must be methodical, comprehensive, and repeatable, with mechanisms for enforcement. It is essential to maintain situational awareness of relevant vendor updates and advisories and to establish repeatable assessment, patching, and update deployment processes.

Healthcare organizations must understand the value of what they stand to lose: protected health information, which commands a high price on the black market, and intellectual property, which is frequently sought by foreign nations. Once those assets are identified, steps should be taken to ensure they are protected.

In addition to implementing safeguards against attacks, organizations must recognize that the likelihood of compromise will remain high, prepare for an attack, and plan and test their response in advance to ensure the business can keep operating.

Healthcare organizations are also advised to consider newer approaches to defense planning and to take into account that adversaries are now thinking in terms of maximizing the number of victims by attacking managed service providers and the supply chain. Healthcare organizations must consider how they can prevent and mitigate attacks on third parties.

HC3 notes that situational awareness will always be important. New threats will emerge, the tactics, techniques, and procedures of threat actors will change, and new vulnerabilities will appear. It is essential to stay up to date with new threats and vulnerabilities and with how to remediate and mitigate them.

It is critical to maintain reliable defenses and to protect against distributed attacks as well as other avenues of compromise. HC3 lists a number of resources in the report that healthcare organizations can use to build their defenses and block current and emerging attack methods.

OCR Director Tells HIPAA-Regulated Entities to Reinforce Their Cybersecurity Posture

In a new blog post, Director Lisa J. Pino of the HHS’ Office for Civil Rights urged HIPAA-regulated entities to take action to strengthen their cybersecurity posture in 2022 in light of the surge in cyberattacks on the healthcare sector.

2021 was a particularly bad year for healthcare providers, with healthcare data breach reports reaching record levels. The HHS’ Office for Civil Rights recorded 714 healthcare data breaches of 500 or more records in 2021, and over 45 million records were exposed.

Most of the breach reports involved hacking and other IT incidents, which led to the exposure or theft of the healthcare information of more than 43 million people. In 2021, hackers targeted healthcare organizations dealing with the COVID-19 pandemic and carried out a number of attacks that severely affected patient care, forcing the cancellation of surgical procedures, medical tests, and other services because IT systems were taken down and network access was disabled.

Pino also noted the critical vulnerability discovered in the Log4J logging utility, which is embedded in many healthcare applications. The vulnerability was identified in December 2021, and cybercriminals and other threat groups were quick to exploit it to gain access to servers and networks for a variety of malicious purposes.

These vulnerabilities and data breaches show how essential it is for healthcare providers to be vigilant about risks and to act quickly whenever new risks to the integrity, confidentiality, and availability of protected health information (PHI) are identified.

Pino explained that OCR investigations and audits have found numerous instances of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. Often, risk assessments cover only the electronic health record. It is important to perform an enterprise-wide risk analysis: risk management strategies must be comprehensive in scope, covering all electronic protected health information (ePHI) that exists throughout the organization, from software to connected devices, legacy systems, and every other place on the network where it resides.

OCR’s investigations of data breaches in 2020 revealed several areas where HIPAA-regulated entities need to take action to improve compliance with the HIPAA Security Rule, particularly the following:

  • Risk analysis
  • Risk management
  • Audit controls
  • Information system activity assessment
  • Security awareness and training
  • Authentication

Pino made a number of recommendations, including reviewing risk management policies and procedures, ensuring data are regularly backed up (and testing backups to confirm that data can actually be recovered), performing regular vulnerability scans, patching and updating applications and operating systems promptly, training employees to recognize phishing and other common attacks, and practicing good cyber hygiene.

CISA and the Office for Civil Rights have made available resources to help safeguard against prevalent threats to ePHI.

Bipartisan Legislation Proposed to Upgrade Health Data Privacy Regulations

Healthcare privacy regulations in the U.S. need to be brought into the modern age to ensure that individually identifiable health data is protected regardless of how it is collected and shared. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now over 20 years old. The Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are expected to be finalized in 2022, but even if the proposed changes are adopted, regulatory gaps will remain that put health information at risk.

The use of technology for healthcare and health information has developed in ways that could not have been envisioned when the Privacy Rule was enacted. Health data is now collected by health apps and other systems, and individuals’ sensitive health information is being shared with and purchased by technology companies. The HIPAA Privacy and Security Rules introduced requirements to protect the privacy and security of health data, but HIPAA applies only to HIPAA-covered entities (healthcare providers, healthcare clearinghouses, and health plans) and their business associates. Many of the emerging technologies now used to record, store, and transmit health information are not covered by HIPAA, so its protections and safeguards do not apply. Furthermore, the proposed changes to the HIPAA Privacy Rule will make it easier for individuals to access their health data and will require covered entities to transmit that data to unregulated personal health apps.

New bipartisan legislation introduced recently seeks to begin the process of identifying and closing the current privacy gaps associated with emerging technologies so that health information, including health data not currently protected by HIPAA, is better secured. The Health Data Use and Privacy Commission Act, introduced by Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI), would establish a new commission tasked with analyzing current federal and state rules covering health data privacy and making recommendations for updates that reflect the current technology landscape.

The opportunity of new technology to enhance patient care looks boundless. Nevertheless, Americans need to have confidence that their personal health information is safeguarded when this technology can reach its 100% potential, said Dr. Cassidy. It is necessary to upgrade HIPAA for the contemporary day. This law commences this process on a path to be sure it is done properly.

The Comptroller General would be tasked with appointing the commission members, who would have to submit their report, findings, and recommendations to Congress and the President within six months. The commission would examine existing privacy regulations to determine their usefulness and limitations, any potential risks to individual health privacy and to legitimate business and policy interests, and the purposes for which the disclosure of health data is appropriate and beneficial to individuals.

The commission would report on whether additional federal legislation is needed and, if existing privacy rules should be updated, offer recommendations on the best ways to reform, improve, harmonize, unify, or supplement existing laws and regulations on personal health privacy. Those recommendations could include revisions to HIPAA to cover a wider range of entities, or new state or federal regulations covering medical information. Where updates are recommended, the commission would have to detail the likely costs, burdens, and potential unintended consequences, and whether overly rigid privacy regulations pose a risk to health outcomes.

The Health Data Use and Privacy Commission Act has attracted support from several medical associations and technology companies, including the College of Cardiology, the National Multiple Sclerosis Society, the Federation of American Hospitals, Epic Systems, IBM, and the Association of Clinical Research Organizations.

Deadline for Reporting 2021 PHI Breaches Affecting Fewer Than 500 Persons

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule sets a strict time limit for issuing notifications to individuals whose protected health information (PHI) has been compromised or impermissibly disclosed. The maximum time frame is 60 days from the discovery of the breach, although notification letters must be sent “without unreasonable delay.”

In addition to sending notification letters to individuals affected by a data breach, the HIPAA Breach Notification Rule requires the Secretary of the Department of Health and Human Services (HHS) to be notified of the breach. The time frame for that notification depends on the number of people affected.

If a breach affects 500 or more individuals, the Secretary of the HHS must likewise be notified without unreasonable delay and no later than 60 calendar days after the discovery of the breach. If full details of the breach are not available within 60 days, the HHS must still be notified, and the report can be amended later once more details are known.

If a data breach affects fewer than 500 people, HIPAA-regulated entities get more time to submit the breach report to the HHS. Note that the deadline for notifying individuals remains 60 days from discovery of the breach, regardless of how many people were affected.

The deadline for reporting breaches involving the PHI of fewer than 500 people to the HHS is 60 days from the end of the calendar year in which the breach was discovered. So all PHI breaches discovered in 2021 that affected the PHI of fewer than 500 individuals must be reported to the Secretary of the HHS on or before 11:59:59 p.m. on March 1, 2022. Each breach must be reported to the HHS separately using the breach reporting tool on the HHS portal.

Many HIPAA-regulated entities will not complete their breach reporting until close to the deadline, so the breach reporting portal is likely to see heavy traffic as the deadline approaches, which may cause accessibility problems. It is therefore advisable to report any breaches well ahead of the reporting deadline.

Note that many states have passed laws governing the submission of data breach reports, and their reporting deadlines can be shorter than those of the HIPAA Breach Notification Rule. In some cases, HIPAA-regulated entities are exempt from state breach notification laws provided they comply with HIPAA’s reporting requirements. If they do not comply with the Breach Notification Rule, state attorneys general may choose to investigate, and civil monetary penalties may be imposed for violations of HIPAA or state laws.

February 11, 2022: Deadline for GAO Quick Response Survey on HHS Data Breach Reporting Requirements

The Government Accountability Office (GAO) recently launched a quick response survey of healthcare providers and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) to gather feedback on their experiences submitting data breach reports to the Secretary of the Department of Health and Human Services (HHS). The questionnaire was originally due to close at 4 p.m. EST on Friday, February 4, 2022; however, the deadline has been extended by one week to February 11, 2022. The survey is being conducted via Survey Monkey and is accessible at https://www.surveymonkey.com/r/GBFQGTP.

Congress asked the GAO to examine the volume of data breach reports submitted to the HHS since 2015, and the survey seeks to identify any problems encountered by covered entities and business associates in complying with the HHS data breach reporting requirements. The GAO will also determine what the HHS has done to address any breach reporting problems and improve the data breach reporting process.

Health-ISAC, the American Hospital Association (AHA), and the Health Sector Coordinating Council (HSCC) are distributing the survey on behalf of the GAO. Survey responses will be aggregated before being passed to the GAO.

GAO has asked for only one survey response per covered entity and business associate. GAO said it will not attribute particular responses to specific individuals and/or companies when it produces its report, and the only individually identifiable information that will be passed to GAO is the email address provided in the survey, together with any individually identifiable information respondents voluntarily include in their answers to open-ended questions.

According to John Riggi, the AHA’s national advisor for cybersecurity and risk, this quick survey is necessary for the GAO to do its work and will help determine the positive aspects of the HHS Office for Civil Rights audit and investigation process, along with the numerous concerns raised over the years by hospitals and health systems that have been victims of cyberattacks.

Ex-Employee of South Georgia Medical Center Detained Because of 41K-Record Data Breach

The Hospital Authority of Valdosta and Lowndes County, Georgia, recently announced a data breach in which a former employee of South Georgia Medical Center copied patient information without authorization.

On November 12, 2021, the hospital’s security software generated an alert indicating that an employee had copied information from the hospital’s systems to a USB drive. The investigation confirmed that the copied information contained patients’ names, birth dates, and test data. The breach report was recently submitted to the Department of Health and Human Services’ Office for Civil Rights, indicating that the incident affected the protected health information (PHI) of 41,692 individuals.

The employee had been given access to patient information to perform their job duties, but had no authorization to copy patient information and remove it from the hospital. The employee left employment at the hospital on November 11, 2021.

South Georgia Medical Center said no information was deleted from its computer systems and the stolen files have been recovered. The data theft incident was reported to law enforcement, and the Lowndes County Sheriff’s Office investigated the breach and the recovered files.

Ronald Dean, CEO of South Georgia Medical Center, said there is no indication that the copied data was misused in any way, and that no financial information or Social Security numbers were taken from the hospital’s systems. Nevertheless, individuals whose PHI was removed from the hospital have been offered complimentary membership of a credit monitoring and identity theft restoration service.

According to the sheriff’s office, as reported by the Valdosta Daily Times, a 43-year-old former employee of South Georgia Medical Center was charged with felony computer invasion of privacy and felony computer theft in connection with the incident. Her reason for copying the information is not clear.

South Georgia Medical Center said changes have been made since the incident to strengthen security, including restricting the use of USB drives and providing additional training to employees.

February 4, 2022: Deadline for Submitting Feedback to the GAO on HHS Data Breach Reporting Requirements

The Government Accountability Office (GAO) is conducting a quick response survey of healthcare providers and business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) to gather feedback on their experiences submitting data breach reports to the Secretary of the Department of Health and Human Services (HHS). The questionnaire will remain open until 4 p.m. EST on February 4, 2022. The survey is being conducted via Survey Monkey and is accessible here.

Congress asked the GAO to evaluate the number of data breach reports submitted to the HHS since 2015, and the survey seeks to identify any difficulties experienced by covered entities and business associates in meeting the HHS data breach reporting requirements. The GAO will also determine what the HHS has done to address any breach reporting problems and improve the data breach reporting process.

The Health-ISAC, Health Sector Coordinating Council (HSCC) and the American Hospital Association (AHA) are distributing the survey on behalf of the GAO, and the aggregated responses will be presented to GAO.

GAO has requested only one survey response per covered entity and business associate. GAO said it will not attribute particular responses to specific individuals and/or companies when it produces its report, and the only individually identifiable information that will be sent to GAO is the email address used in the survey, together with any individually identifiable information respondents voluntarily provide in the open-ended questions.

This is a crucial opportunity to inform the work of the GAO and help identify the benefits of the HHS Office for Civil Rights audit and investigation process, as well as the concerns raised over the years by hospitals and health systems that have been victims of cyberattacks, according to John Riggi, the AHA’s national advisor for cybersecurity and risk.

Excellus Class Action Data Breach Lawsuit Settled

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement in a class-action lawsuit filed over a cyberattack discovered in 2015. The attack affected the protected health information (PHI) and personally identifiable information (PII) of over 10 million subscribers, members, insureds, patients, and clients.

A cybersecurity company that had been engaged to evaluate Excellus’s IT systems discovered the cyberattack on August 5, 2015. Excellus and the cybersecurity firm Mandiant conducted an investigation and confirmed that hackers had first gained access to its networks on or before December 23, 2013. Evidence showed the hackers were active in its systems until Aug. 18, 2014, after which no traces of activity were found; however, malware had been installed that allowed the attackers to access its systems until May 11, 2015, when something occurred that cut off their access. It took Excellus 17 months from the initial intrusion to identify the breach.

The HHS’ Office for Civil Rights (OCR) investigated the data breach and found a number of potential HIPAA Rules violations, including security failures and the impermissible disclosure of PHI. In January 2021, Excellus agreed to pay $5.1 million in financial penalties to resolve the HIPAA violations and to implement a corrective action plan to address the security problems and the alleged HIPAA non-compliance.

The lawsuit was filed against Excellus, Lifetime Benefit Solutions Inc., Lifetime Healthcare Inc., MedAmerica Inc., Genesee Region Home Care Association Inc., the Blue Cross Blue Shield Association, and Univera Healthcare, on behalf of all individuals affected by the data breach. The lawsuit initially sought monetary damages and injunctive relief, but for a number of legal reasons the court was unable to certify classes seeking monetary damages and certified only a class for injunctive relief.

The plaintiffs claimed the defendants failed to implement appropriate security measures to ensure the privacy of PII and PHI, failed to detect the breach for 17 months, and, once the breach was discovered, delayed notifying affected individuals and then failed to provide sufficient information on how victims could protect themselves from harm. The lawsuit demanded that the Excellus defendants and BCBSA change their data security practices with respect to PII and PHI and invest in data security. The Excellus defendants and BCBSA denied any wrongdoing and, to date, no court has found that the defendants did anything improper.

The Excellus defendants and BCBSA have agreed to pay reasonable attorneys’ fees, costs, and expenses as approved by the court. Those consist of up to $3.3 million for attorneys’ fees and reimbursement of expenses of up to $1,000,000. Service awards of up to $7,500 will also be paid to class representatives.

Improvements will be made to company policies on the protection of PII and PHI, covering a period of 3 years from the final settlement or two years from implementation of the changes. The data security requirements specified in the settlement call for the Excellus defendants and BCBSA to:

  • Increase and maintain a minimum data security budget
  • Create a plan and engage vendors to ensure records containing PII or PHI are disposed of within a year of the end of the initial retention period
  • Take steps to enhance the security of its systems, including using tools for detecting suspicious activity, authenticating users, responding to and managing security incidents, and documentation storage
  • Carry out a comprehensive data archiving plan and provide the plaintiffs with documentation verifying the extent, scope, and completeness of the archiving work
  • Provide the plaintiffs with copies of documents submitted to OCR that demonstrate compliance with the OCR settlement agreement and corrective action plan
  • Make an annual statement confirming compliance with every aspect of the settlement agreement, including the extent to which it was not possible to comply with any of the requirements

If the settlement is approved by the court – a hearing is scheduled for April 13, 2022 – all plaintiffs and class members must release all claims against the Excellus defendants and BCBSA for injunctive and declaratory relief. The settlement does not release any claim against the Excellus defendants and BCBSA for monetary damages.

Class Action Lawsuit Against EHR Vendor Over 320,000-Record Data Breach

QRS, a healthcare technology services company and EHR vendor based in Tennessee, is facing a class-action lawsuit because of a cyberattack in August 2021 that resulted in the exposure and potential theft of the protected health information (PHI) of about 320,000 patients.

The data breach investigation confirmed that a hacker had gained access to one dedicated patient portal server between August 23 and August 26, 2021, and viewed and likely exfiltrated files containing patients’ PHI. Sensitive information stored on the server included patients’ names, birth dates, addresses, usernames, medical data, and Social Security numbers. QRS started mailing notification letters to affected individuals in late October and provided identity theft protection services to those whose Social Security numbers were compromised.

Matthew Tincher, a resident of Frankfort, KY, filed a class action complaint against QRS in the U.S. District Court for the Eastern District of Tennessee on January 3, 2022. The complaint alleges QRS failed to reasonably secure, monitor, and maintain the PHI and personally identifiable information (PII) stored on its patient portal.

As a result of those failures, the lawsuit claims Tincher and class members

  • have sustained actual, concrete, and imminent injury, including present injury and damages associated with identity theft, and the loss or diminished value of their PHI and PII
  • have incurred out-of-pocket expenses in attempting to remedy the breach of their sensitive information
  • have had to spend time dealing with the consequences of the unauthorized data access
  • face a continued and elevated risk to their PHI and PII, which were unencrypted and remain available for unauthorized parties to access and abuse.

The lawsuit also takes issue with the speed at which QRS issued breach notification letters, which were sent about two months after the breach was discovered. During those two months, the plaintiff and class members were unaware that they had been placed at substantial risk of identity theft, fraud, and personal, financial, and social harm.

The lawsuit states that QRS had an obligation to ensure the PHI and PII in its patient portal were properly protected, and that its failure to meet its responsibility to secure that data amounts to negligence and/or recklessness, in violation of federal and state law. The lawsuit alleges that QRS signed business associate agreements (BAAs) with its healthcare provider clients and therefore knew or should have known of its obligations to secure PHI against cyberattacks. The lawsuit also lists cybersecurity measures recommended by the Cybersecurity and Infrastructure Security Agency (CISA) that should have been implemented, and states that QRS should have been aware of the substantial risk of being attacked given the large number of healthcare data breaches reported recently.

Lawsuits are frequently filed against healthcare providers over data breaches that expose sensitive information. Whether the legal action succeeds usually depends on whether the plaintiffs can show they suffered an actual injury as a direct result of the data breach. Tincher claims to have been notified of the breach on October 22, 2021, and to have become a victim of actual identity theft within 3 days, and that it is more likely than not that his sensitive information was exfiltrated from the QRS patient portal during the data breach.

The lawsuit claims the total damages sustained by the plaintiff and class members exceed the $5 million jurisdictional minimum required by the Court. The Court has jurisdiction over the defendant because QRS operates and is incorporated in the district. The plaintiff and class members seek unspecified damages, a jury trial, and injunctive and equitable relief.

HIPAA Violation Penalties in 2021

Only two HIPAA enforcement actions in 2021 were not for HIPAA Right of Access violations.

1. Excellus Health Plan paid $5,100,000 as settlement

Excellus Health Plan, based in Rochester, New York, is a member of the Blue Cross Blue Shield Association. It was investigated for potential HIPAA compliance failures after it reported a 2015 data breach involving 9,358,891 records. That data breach was one of 3 mega data breaches reported by health plans that year; the other two were reported by Anthem Inc. and Premera Blue Cross, both of which had already resolved their cases by paying large penalties.

Excellus discovered the breach in August 2015. The investigation confirmed that hackers had access to its networks from December 23, 2013 to May 11, 2015. Excellus reported the breach to OCR on September 9, 2015. The hackers had installed malware enabling them to exfiltrate the information of about 7 million Excellus Health Plan members and roughly 2.5 million Lifetime Healthcare members. The data included names, contact details, birth dates, Social Security numbers, claims information, financial account details, health plan ID numbers, and clinical treatment data.

OCR’s investigation revealed several HIPAA violations, including:

  • the failure to perform an accurate and thorough organization-wide risk analysis
  • the failure to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level
  • the lack of technical policies and procedures to restrict access to data and software to authorized individuals

Excellus chose to settle the case, paid a $5,100,000 penalty, and agreed to adopt a comprehensive Corrective Action Plan to address all areas of non-compliance.

2. Peachstate Health Management LLC, dba AEON Clinical Laboratories paid $25,000 as settlement

The enforcement action against Peachstate Health Management is notable because it was the first OCR investigation to result in a financial penalty for HIPAA violations discovered at a company that was not the original subject of the investigation.

OCR launched an investigation after receiving a report from the Department of Veterans Affairs in 2015 about a data breach at its business associate, Authentidate Holding Corporation (AHC). AHC managed the VA’s Telehealth Services Program and had experienced a data breach. During the investigation, OCR found that on January 27, 2016, AHC had entered into a reverse merger with Peachstate Health Management, which resulted in Peachstate being acquired by AHC. Peachstate is a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR subsequently opened an investigation of Peachstate to assess its compliance with the HIPAA Privacy and Security Rules and discovered several HIPAA Rules violations. OCR found multiple HIPAA Security Rule failures, including risk assessment, risk management, and audit control failures, along with the failure to document HIPAA Security Rule policies and procedures. AEON resolved the case by paying $25,000 and agreeing to a corrective action plan to address its HIPAA violations.

2021 HIPAA Violation Cases and Penalties

In 2020, the Department of Health and Human Services’ Office for Civil Rights (OCR) resolved 19 HIPAA violation cases, more financial penalties than in any previous year. OCR received $13,554,900 in payments to resolve HIPAA violation cases. In 2021, OCR announced 14 enforcement actions, a small decrease in the number of HIPAA violation settlements and penalties. Even so, the number of HIPAA fines in 2021 is the second-highest of any year since OCR began enforcing compliance with the HIPAA Rules.

Although the number of penalties remained high in 2021, the total amount of penalties fell sharply to $5,982,150, of which $5,100,000 came from a single enforcement action. The majority of the penalties were for HIPAA Right of Access violations, which were investigated in response to complaints from patients who did not receive timely access to their health records. They were not penalties for multiple HIPAA Rules violations affecting large numbers of people. The $5,100,000 penalty paid by Excellus Health Plan was so large because there were several HIPAA Rules violations, spanning several years, that resulted in a breach affecting the ePHI of 9,358,891 people.

Fines for HIPAA Right of Access Noncompliance

At the end of 2019, OCR launched a new HIPAA enforcement initiative targeting non-compliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been vigorously enforcing HIPAA Right of Access compliance. As of December 2021, OCR has imposed 25 penalties for violations of the HIPAA Right of Access totaling $1,564,650. There have been 24 settlements and one civil monetary penalty, ranging from $3,500 to $200,000, with many of the penalties imposed on small healthcare providers.

The HIPAA Right of Access standard (45 C.F.R. § 164.524(a)) gives patients the right to access, inspect, and obtain a copy of their own protected health information (PHI) in a designated record set. Upon receipt of a request from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of the requested records. An individual’s request for access to their health records may be denied, but only in very limited circumstances.

OCR investigates complaints from individuals who claim they were denied access to their medical records, did not receive records within 30 days, or were overcharged for copies of their records. The financial penalties imposed by OCR in 2020 for violations of the HIPAA Right of Access ranged from $15,000 to $160,000 and resulted from refusals to provide copies of records or lengthy delays. In many cases, records were only provided after OCR’s intervention.

2021 HIPAA Right of Access Enforcement Actions

1. Banner Health paid $200,000 as settlement
2. Rainrock Treatment Center LLC (dba Monte Nido Rainrock) paid $160,000 as settlement
3. Dr. Robert Glaser paid $100,000 as Civil Monetary Penalty
4. Children’s Hospital & Medical Center paid $80,000 as settlement
5. Renown Health paid $75,000 as settlement
6. Sharp HealthCare paid $70,000 as settlement
7. Arbour Hospital paid $65,000 as settlement
8. Advanced Spine & Pain Management paid $32,150 as settlement
9. Denver Retina Center paid $30,000 as settlement
10. Village Plastic Surgery paid $30,000 as settlement
11. Wake Health Medical Group paid $10,000 as settlement

Other HIPAA Violation Penalties in 2021

Only two HIPAA enforcement actions in 2021 were not for HIPAA Right of Access violations.

1. Excellus Health Plan paid $5,100,000 as settlement
2. AEON Clinical Laboratories (Peachstate) paid $25,000 as settlement

Summary of HIPAA Enforcement Activities by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the primary enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing the Health Insurance Portability and Accountability Act Rules.

The Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents affected by violations of the HIPAA Privacy and Security Rules and to obtain damages on behalf of those residents.

The first to exercise this right was the Connecticut Attorney General, who took action against Health Net Inc. in 2010 over a missing unencrypted hard drive containing the electronic protected health information (ePHI) of 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General filed a similar action against Health Net in 2011 that was settled for $55,000, and Indiana took civil action against WellPoint Inc. in 2011, which was settled for $100,000.

State attorney general HIPAA cases have been relatively rare. There were only 11 settlements with covered entities and business associates resolving HIPAA violations from 2010 to 2015. There were 5 HIPAA enforcement cases by state attorneys general in 2017 and 12 in 2018 that resulted in financial penalties for HIPAA Rules violations.

From 2019 to 2020, there were 5 cases resulting in sizeable penalties. Four of the five were multistate actions against HIPAA-covered entities and business associates, meaning several state attorneys general took part in the enforcement actions. Multistate actions allow state attorneys general to pool their resources and investigate potential violations of HIPAA and state laws more effectively.

Civil actions by state Attorneys General against covered entities or business associates are separate from any OCR actions.

A number of data breaches have led to settlements at both the state and federal levels. University of Rochester Medical Center, Community Health Systems/CHSPSC, Premera Blue Cross, Anthem Inc., Aetna, Cottage Health System, and Medical Informatics Engineering have all settled cases with OCR and with state attorneys general to resolve alleged HIPAA violations.

In many of the state AG enforcement actions listed below, violations of both federal (HIPAA) and state laws were resolved by financial penalties. In several cases over the years, HIPAA Rules were violated, but the decision was made to pursue violations of equivalent provisions of state laws instead.

HIPAA Enforcement by State Attorneys General in 2021

New Jersey was especially active in HIPAA enforcement in 2021. It was the only state to initiate its own investigations and impose financial penalties to settle HIPAA violations in 2021. New Jersey also took part in a multistate investigation of the data breach at American Medical Collection Agency (AMCA), one of the largest healthcare data breaches ever. The AMCA HIPAA case resulted in a $21 million financial penalty; however, because of the substantial costs incurred as a result of the breach, AMCA filed for bankruptcy protection. In light of the company’s financial position, the penalty was suspended and will only become payable if AMCA defaults on the terms of the settlement agreement.

1. New Jersey – Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) paid a $425,000 financial penalty in relation to a phishing attack and data breach affecting 105,000 individuals.
2. New Jersey – Command Marketing Innovations, LLC and Strategic Content Imaging LLC paid $130,000 (plus $65,000 suspended) in relation to a printing and mismailing incident affecting 55,715 individuals.
3. New Jersey – Diamond Institute for Infertility and Menopause paid $495,000 in relation to a hacking incident and data breach affecting 14,663 individuals.
4. Multistate (41 state attorneys general) – American Medical Collection Agency – settlement amount of $21 million (suspended) in relation to a hacking incident and data breach affecting 21 million individuals.

HIPAA Enforcement by State Attorneys General in 2020

1. Multistate (28 states) – Community Health Systems / CHSPSC LLC paid $5,000,000 in relation to hacking by a Chinese APT group affecting 6.1 million people.
2. Multistate (43 states) – Anthem Inc paid $39.5 million in relation to a phishing attack and major data breach affecting 78.8 million people.
3. California – Anthem Inc paid $8.7 million in relation to a phishing attack and major data breach affecting 78.8 million people.

HIPAA Enforcement by State Attorneys General in 2019

1. Multistate (30 states) – Premera Blue Cross paid $10,000,000 in relation to a hacking incident and major data breach affecting 10.4 million individuals.
2. Multistate (16 states) – Medical Informatics Engineering paid $900,000 in relation to a breach of NoMoreClipboard data affecting 3.5 million individuals.
3. California – Aetna paid $935,000 in relation to 2 mailings that exposed PHI (Afib, HIV) of 1,991 individuals.

HIPAA Enforcement by State Attorneys General in 2018

1. Massachusetts – McLean Hospital paid $75,000 in relation to the loss of backup tapes affecting 1,500 people.
2. New Jersey – EmblemHealth paid $100,000 in relation to a mailing error that exposed SSNs, impacting 6,443 (81,000) people.
3. New Jersey – Best Transcription Medical paid $200,000 for exposure of ePHI on the Internet affecting 1,650 people.
4. Multistate (CT, NJ, DC) – Aetna paid $640,170.59 in relation to two mailings that exposed PHI (Afib, HIV) and the impermissible disclosure of sensitive health information of 13,160 persons.
5. Massachusetts – UMass Memorial Medical Group / UMass Memorial Medical Center paid $230,000 for multiple data breaches affecting 15,000 individuals.
6. New York – Arc of Erie County paid $200,000 in relation to a breach of ePHI on the Internet affecting 3,751 individuals.
7. New Jersey – Virtua Medical Group paid $417,816 in relation to a breach of ePHI on the Internet affecting 1,654 individuals.
8. New York – EmblemHealth paid $575,000 in relation to a mailing error that exposed SSNs affecting 81,122 individuals.
9. New York – Aetna paid $1,150,000 in relation to 2 mailings that exposed PHI (Afib, HIV) affecting 12,000 individuals.

HIPAA Enforcement by State Attorneys General in 2017

1. California – Cottage Health System paid $2,000,000 in relation to the exposure of PHI online affecting over 54,000 individuals.
2. Massachusetts – Multi-State Billing Services paid $100,000 in relation to the theft of an unencrypted laptop computer affecting 2,600 individuals.
3. New Jersey – Horizon Healthcare Services Inc paid $1,100,000 in relation to the theft of 2 unencrypted laptop computers affecting 3.7 million individuals.
4. Vermont – SAManage USA, Inc. paid $264,000 in relation to the exposure of PHI on the Internet affecting 660 individuals.
5. New York – CoPilot Provider Support Services, Inc paid $130,000 in relation to delayed breach notification affecting 221,178 individuals.

HIPAA Enforcement by State Attorneys General in 2015

1. New York – University of Rochester Medical Center paid $15,000 in relation to a nurse who disclosed a list of patients to a new employer, affecting 3,403 individuals.
2. Connecticut – Hartford Hospital / EMC Corporation paid $90,000 in relation to the theft of an unencrypted laptop containing PHI affecting 8,883 individuals.

HIPAA Enforcement by State Attorneys General in 2014

1. Massachusetts – Women & Infants Hospital of Rhode Island paid $150,000 in relation to the loss of backup tapes containing PHI affecting 12,000 individuals.
2. Massachusetts – Boston Children’s Hospital paid $40,000 in relation to the loss of a laptop containing PHI affecting 2,159 individuals.
3. Massachusetts – Beth Israel Deaconess Medical Center paid $100,000 in relation to the loss of a laptop containing PHI affecting 3,796 individuals.

HIPAA Enforcement by State Attorneys General in 2013

1. Massachusetts – Goldthwait Associates paid $140,000 in relation to the mishandling of PHI affecting 67,000 individuals

HIPAA Enforcement by State Attorneys General in 2012

1. Minnesota – Accretive Health paid $2,500,000 in relation to the mishandling of PHI affecting 24,000 individuals
2. Massachusetts – South Shore Hospital paid $750,000 in relation to the loss of backup tapes with PHI affecting 800,000 individuals

HIPAA Enforcement by State Attorneys General in 2011

1. Vermont – Health Net Inc. paid $55,000 in relation to the loss of an unencrypted hard drive and overdue breach notifications affecting 1,500,000 individuals
2. Indiana – WellPoint Inc. paid $100,000 to resolve its violation of breach notification requirements affecting 32,000 individuals

HIPAA Enforcement by State Attorneys General in 2010

1. Connecticut – Health Net Inc. paid $250,000 in relation to the loss of an unencrypted hard drive affecting 1,500,000 individuals

Accountancy Company Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures

The Chicago, IL, certified public accounting firm Bansley & Kiener LLP is facing a class-action lawsuit over a data breach that was reported to federal regulators in December 2021.

The breach occurred in the second half of 2020. The investigation indicated that hackers had access to its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener discovered the breach on December 10, 2020, when the attackers used ransomware to encrypt files. In its breach notification letters, Bansley & Kiener disclosed that it learned on May 24, 2021, that the hackers had exfiltrated information from its systems before encrypting the data files.

Bansley & Kiener manages health insurance, payroll, and pension plans for its customers. In total, the sensitive information of 274,000 people was breached, including names, dates of birth, passport numbers, Social Security numbers, driver’s license numbers, tax IDs, military IDs, financial account data, payment card numbers, medical data, and complaint reports.

Although the attack was identified in December 2020, Bansley & Kiener did not issue notification letters to affected individuals, or notify the state attorneys general and the HHS’ Office for Civil Rights, until December 2021, 6 months after the theft of sensitive data was confirmed.

Mason Lietz & Klinger LLP filed the lawsuit in the Circuit Court, First Judicial Circuit of Cook County, Illinois, on behalf of plaintiff Gregg Nelson. According to the lawsuit, Bansley & Kiener failed to protect the sensitive information of its clients and did not provide timely, sufficient, and accurate notice of the data breach to the persons whose sensitive information was stolen.

According to the lawsuit, Bansley & Kiener unnecessarily delayed sending notifications about the data breach, even though the people whose data was stolen were placed at substantial risk of identity theft and other forms of personal, social, and financial harm. When the notifications were eventually sent, they did not fully explain the nature of the breach: they did not state that this was a ransomware attack, and instead described the incident as an unauthorized person gaining access to its network, which led to the encryption of files.

The lawsuit also takes issue with the data breach response. After learning of the attack, Bansley & Kiener restored files from backups and resumed normal business operations; it was only when it discovered that information had been exfiltrated from its systems, 5 months after the attack, that cybersecurity specialists were hired to investigate the breach.

The lawsuit claims Bansley & Kiener suffered the data breach because of “negligent and/or careless acts and omissions” in securing sensitive data, and that it did not monitor its systems for security issues. The lawsuit states that victims of the breach have incurred out-of-pocket expenses associated with preventing, detecting, and resolving identity theft and/or unauthorized use of their information, have spent time attempting to mitigate the effects of the data breach, and have suffered the lost or diminished value of their personal data.

The lawsuit seeks actual, nominal, and consequential damages, punitive damages, injunctive relief, and legal fees, as well as a jury trial.

Many Patients Do Not Trust Their Healthcare Providers to Safely Store PII and Payment Data

In 2019, a rate of more than 1 reported healthcare data breach per day was alarming. In 2021, some months saw healthcare data breaches occurring at a rate of over 2 per day. With data breaches happening so frequently and ransomware attacks disrupting healthcare services, it is not surprising that many patients do not fully trust their healthcare providers to secure sensitive personally identifiable information (PII).

According to a new survey conducted by Dynata for Semafone, 56% of patients at private practices said they do not trust their healthcare providers to safeguard PII and payment data. Smaller healthcare organizations have less budget to spend on cybersecurity than larger ones, yet trust in large hospital networks is considerably lower: just 33% of patients of large hospital systems trusted them to protect their PII.

The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, has stepped up enforcement in recent years and is increasingly issuing financial penalties for violations of the HIPAA Privacy and Security Rules. The survey confirmed that patients want healthcare organizations to face financial penalties when they fail to ensure the privacy of healthcare information: 9 out of 10 patients approve of penalizing healthcare organizations that do not implement proper safeguards to prevent healthcare data breaches.

Additionally, when data breaches occur, patients are willing to switch providers. 66% of patients said they would switch to another healthcare provider if their PII or payment data were exposed in a data breach caused by a failure to implement proper security procedures. Another 2021 survey, conducted on behalf of Armis, produced similar results: 49% of patients said they would change healthcare providers if their PHI were exposed in a ransomware attack.

The pandemic has heightened the risk patients face from healthcare data breaches. Before the pandemic, many patients paid their hospital bills in person or by mail; however, the Semafone survey revealed a decline in both payment methods, as many patients now opt to pay electronically. In-person payments decreased by 28% and mail-in payments decreased by 17%. Because financial data is now more likely to be stored by healthcare organizations, the risk of financial harm from a data breach has risen considerably.

Semafone reported in its 2021 State of Healthcare Payment Experience and Security Report that, because of the sharp rise in healthcare data breaches, patients are more aware of and attentive to what their providers do to safeguard their data. Semafone advises healthcare organizations, and large hospital networks in particular, to focus more on the digital transformation steps they take to secure sensitive data.

Irrespective of size, the whole healthcare sector should do better at managing and avoiding data breaches, stated Gary E. Barnett, Semafone’s CEO. The large number of healthcare data breaches is a problem. Thankfully, there are options that offer security and assistance to satisfy compliance requirements, however many organizations nowadays continue to depend on obsolete processes for day-to-day operations. It is not acceptable to assert they do not know that very efficient, effective, and automated solutions are available to help save time, money, and trouble. Healthcare companies need to seek the appropriate technologies and operations to safeguard the patient experience.

Although the majority of patients (75%) said they feel confident that their healthcare providers are doing a good job of explaining how payment data is protected, only 50% said they know where their payment information is stored. Given the large number of people who do not know where their information is kept, providers have an opportunity to educate and communicate with patients more and, in turn, improve the patient experience and overall confidence in providers going forward.