Ciitizen HIPAA Right of Access Study Shows Substantial Improvement in Compliance

Healthcare providers’ compliance with the HIPAA Right of Access has significantly improved, according to Ciitizen’s most recent Patient Record Scorecard report.

To compile the report, Ciitizen studied 820 healthcare providers and evaluated how each responded to patients’ requests for copies of their healthcare data. A wide range of healthcare providers was assessed, from single-physician practices to large integrated healthcare delivery systems.

Under the HIPAA Privacy Rule, patients have the right to access a copy of their healthcare data from their providers. The request should be sent in writing. The healthcare provider should provide the patient with a copy of the health data in a specified record set within 30 days from the submission of the request. The data should be made available in the format the patient requested if the PHI can be readily produced in that format. If it is not possible to provide the data in the requested format, the provider must give the patient the healthcare data in print or in an alternative format agreed to by the patient.

For the study, Ciitizen users sent requests for copies of their healthcare data to their healthcare providers. Each provider was then rated from 1 to 5 according to its response. A 1-star score represents a non-HIPAA-compliant response. Two stars are awarded when the request is eventually fulfilled satisfactorily, but only after multiple escalations to supervisors. A 3-star rating is awarded when the request is fulfilled with minimal intervention, and a 4-star rating goes to providers that are fully compliant and gave a seamless response. A 5-star rating is given to providers with a patient-focused process that surpasses the requirements of HIPAA.

Previous studies revealed that most providers (51%) did not comply with the HIPAA Right of Access. The most recent study saw an improvement of 27%. The percentage of healthcare providers awarded 4-star ratings increased from 40% to 67%, and the percentage awarded 5-star ratings increased from 20% to 28%.

Further good news from this year’s study showed that only 6% of the 820 healthcare providers charged patients reasonable fees for producing the records.

In earlier studies, many healthcare providers required patients to sign a standard form; this year, however, the majority of providers accepted any kind of written request and did not ask patients to fill out a specific form before processing it.

The current study involved a significant increase in assessments, which may partly explain the improvement in compliance. The Patient Record Scorecard report assessed 51 providers the first time, 210 providers the second time, and 820 the third time. Ciitizen notes that the percentage of non-compliant providers in those studies correlated with a separate study performed on 3,000 providers, which indicates that the improvements are real.

Ciitizen attributes the better compliance rates to three primary factors:

  1. More attention has been placed on people’s right to obtain copies of their healthcare information after the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT published new rules that make it easier for patients to request copies of their healthcare information.
  2. Release of information (ROI) vendors, which process patient record requests on behalf of covered entities, have been positively influenced to comply with the HIPAA Right of Access.
  3. The HHS’ Office for Civil Rights started a HIPAA Right of Access enforcement initiative a year ago. Since then, two covered entities have been issued penalties of $85,000 for non-compliance.

The improvement is also likely due in part to the website Ciitizen set up to display each provider’s score, which encourages healthcare providers to comply with this vital aspect of HIPAA.

Shareholder Sues LabCorp to Recover Losses Due to Data Breaches

A LabCorp shareholder is taking legal action against the company and its executives and directors over the loss of share value caused by two cyberattacks suffered by LabCorp in the past 12 months.

LabCorp was badly affected by the data breach that happened in 2019 at American Medical Collection Agency (AMCA), a medical debt collection company. Hackers infiltrated AMCA’s systems and obtained the data of 10,251,784 patients who received LabCorp’s services. The breach affected around 24 of AMCA’s clients.

TechCrunch reported a second data breach at LabCorp in January 2020 involving 10,000 LabCorp records, which allegedly was neither publicly disclosed by the firm nor mentioned in any SEC filing. The breach was caused by a website misconfiguration that allowed the documents to be accessed by anybody. The breach was also not reported to the HHS’ Office for Civil Rights, although TechCrunch researchers verified that the files included patient data.

Raymond Eugenio, whose LabCorp shares lost value due to the data breaches, filed the lawsuit on April 23, 2020 to recover those and other losses. The lawsuit names as defendants LabCorp and 12 of the company’s executives and directors, including LabCorp CIO Lance Berberian, director Adam Schechter and CFO Glenn Eisenberg.

The lawsuit claims that, both before and after the AMCA breach, LabCorp failed to implement appropriate cybersecurity processes and lacked adequate oversight of cybersecurity, which directly led to the two data breaches.

In an SEC filing, LabCorp stated that the company spent $11.5 million on the AMCA data breach in 2019, including remediation costs; however, the lawsuit argues that this amount is only a fraction of the total losses and does not cover the cost of the litigation that followed. Several class-action lawsuits filed by AMCA data breach victims name LabCorp as a defendant, so shareholders did not know the total losses. The lawsuit further states that the second breach has not been acknowledged publicly or in any SEC filing. Eugenio therefore claims that LabCorp failed in its accountability to its shareholders and breached its duties of loyalty, care, and good faith.

The lawsuit claims LabCorp

  • did not implement effective internal policies, processes, and controls to safeguard patient information
  • failed to adequately oversee compliance with federal and state regulations and with its own internal policies and procedures
  • did not have an adequate data breach response plan in place
  • provided PHI to AMCA without assurance that the company had sufficient cybersecurity measures in place
  • did not ensure that the individuals and entities affected by the breach were routinely identified
  • did not make adequate public disclosures regarding the data breaches

The lawsuit seeks compensation for damages suffered due to the breaches and public acknowledgment of the January 2020 data breach. It also calls for reform of corporate governance and internal controls, the creation of a board-level committee, and the appointment of an executive officer to ensure sufficient oversight of data security.

PHI Breaches at Ambry Genetics and Arizona Endocrinology Center

Ambry Genetics, a genetic testing laboratory based in Aliso Viejo, CA, is notifying 232,772 people regarding the exposure of some of their protected health information (PHI) as a result of a recent email security breach. With about 233,000 records, this healthcare data breach is the second largest reported in 2020.

Ambry Genetics determined that an unauthorized individual accessed an employee’s email account between January 22 and January 24, 2020 and may have viewed and copied the protected health information of its clients. Its security staff and third-party computer forensics specialists could not determine whether any data in the compromised account was accessed or stolen; however, no reports have been received suggesting misuse of any personal information.

A review of the email account revealed that it contained information such as names, medical data, and other information associated with the services provided by Ambry Genetics. The Social Security numbers of a small number of people were also exposed.

Ambry Genetics took steps to improve security and provided employees further training about email security.

Former Arizona Endocrinology Center Physician Takes PHI of 74,000 Patients to New Boss

Arizona Endocrinology Center is notifying 74,122 patients regarding the impermissible disclosure of some of their PHI to another medical group by a physician who left the practice.

Just before Dr. Dwivedi left Arizona Endocrinology Center, he copied patient data and passed the information to More MD, his new employer. The doctor downloaded the following information from the EHR: patient names, addresses, telephone numbers, medical record numbers, and each patient’s primary doctor. Dr. Dwivedi did not obtain any Social Security numbers, health insurance information, or financial data.

Arizona Endocrinology Center became aware of the incident on February 17, 2020 when patients began reporting that they received text messages from More MD telling them that Dr. Dwivedi had transferred to the medical group. More MD additionally offered its services in the text messages. The breach investigation revealed the data was downloaded on January 12, 2020.

Arizona Endocrinology Center informed its patients that it has no business relationship with More MD and that Dr. Dwivedi no longer works with the practice. It has therefore been difficult to obtain assurances that the patient information has been deleted and will not be used. The practice stated on its website that patients and their families can contact Dr. Dwivedi and More MD directly to inquire about their personal information.

Eyeward Inc. Receives the HIPAA Seal of Compliance Award

Compliancy Group has announced that Eyeward Inc. has implemented an effective HIPAA compliance program and thereby achieved HIPAA compliance.

Eyeward is a free peer-to-peer consulting platform for iOS that healthcare professionals can use to get in touch with colleagues and securely discuss and share medical photos. The app is intended to help doctors share medical knowledge and confer with other healthcare professionals. Using the application gives doctors a better workflow and helps them provide proper care to patients.

Eyeward CEO, Stephen Atallah, stated that Eyeward is committed to helping doctors give the highest quality of care to patients. Knowing that this quality of care may need the usage of sensitive health care data, Eyeward wanted to make sure to implement the proper measures to effectively protect PHI.

To ensure that Eyeward complies with all the requirements of HIPAA, the company partnered with Compliancy Group. Compliancy Group’s HIPAA compliance monitoring program, The Guard, together with its compliance coaches, helped ensure that Eyeward’s platform, policies and procedures fully comply with the requirements of HIPAA.

Eyeward additionally finished Compliancy Group’s 6-stage HIPAA Risk Analysis and remediation process. Because of the company’s diligent and honest effort toward HIPAA compliance, Eyeward received the Compliancy Group’s HIPAA Seal of Compliance award.

The Seal of Compliance demonstrates to HIPAA-covered entities and business associates that Eyeward’s platform complies with all the requirements of the HIPAA Rules and that the company has implemented an effective HIPAA compliance program. Entities can therefore use the platform securely for patient data communication.

Doctors that use the Eyeward platform know that they can rely on the company to protect all healthcare information. Eyeward certainly wants all platform users to know that it is doing its best to keep them and their patients safe.

Class Action Lawsuit Filed Against Tandem Diabetes Care Over January 2020 Phishing Attack

Tandem Diabetes Care Inc., the San Diego medical device maker, is facing a class-action lawsuit in California over a January 2020 data breach that resulted in the compromise and probable theft of the protected health information (PHI) of over 140,000 people.

Unauthorized individuals accessed an employee’s email account from January 17 to January 20, 2020 as a result of a phishing attack. The information in the email account varied from patient to patient and included names, dates of birth, insurance details, billing details, healthcare information, and Social Security numbers.

Tandem Diabetes Care reported the incident to the HHS’ Office for Civil Rights on March 17, 2020 indicating that there were 140,781 individuals affected. At the same time, the company sent notification letters to the affected individuals.

The lawsuit was filed in the United States District Court in the Southern District of California and claims that Tandem Diabetes Care committed violations of the Confidentiality of Medical Information Act (CMIA). The plaintiff and class members want damages for the negligent disclosure of their personal and healthcare data and injunctive relief.

CMIA requires healthcare service providers to implement safeguards that keep individually identifiable medical information confidential and prohibits disclosure of that data without prior patient consent. Unlike HIPAA, CMIA provides a private cause of action, which permits patients to take legal action over the negligent disclosure of their confidential medical data.

The plaintiff is named C.H., and the putative class is split into two subclasses: all California residents whose identities, personal data, and medical data were contained in the email account, and all other people whose data was exposed.

The lawsuit alleges negligence for failing to protect individually identifiable health information. Because the Defendant’s email account was accessible to third parties, the Defendant negligently created, maintained, preserved, stored, and then disclosed the individually identifiable medical information of the Plaintiff and the Class members.

The lawsuit claims that Tandem Diabetes Care failed to maintain adequate technological safeguards, which directly and proximately caused the foreseeable risk of patient data loss and harm, including identity theft and other economic harm.

The lawsuit claims that patients have suffered damages due to the unauthorized disclosure of their private and protected medical information and seeks nominal damages of $1,000 for each class member, compensation for actual damages sustained, damages available under common law, and legal fees.

Joshua B. Swigart of the Swigart Law Group filed the lawsuit and is seeking class action status and a jury trial.

CEO Reacts to Complaint on Zoom Security Problems

On April 1, 2020, Zoom CEO Eric S. Yuan said in a blog post that Zoom is going through growing pains because the platform’s popularity has increased substantially this year. Yuan responded to criticism of Zoom’s security problems by acknowledging that the company had fallen short of users’ privacy and security expectations. He apologized and set out what the company is doing about it.

The company did not anticipate the huge surge in the platform’s popularity, nor the lockdown of a quarter of the planet’s population that pushed working and socializing into the home. Because a much broader variety of users is now using Zoom in unexpected ways, the company faces challenges that were not anticipated when the platform was created.

It should be noted that all software has vulnerabilities. Several of Zoom’s vulnerabilities were recently disclosed publicly before Zoom had the chance to fix them. Zoom reacted immediately and has resolved some of the concerns, but a number of privacy and security issues remain unresolved.

Zoom has publicly committed to correcting its privacy and security problems and to proactively checking the platform for other vulnerabilities. Zoom will pause all other development work for the next 90 days and direct its engineering resources at addressing trust, security, and privacy concerns. The company will also enhance its bug bounty program and conduct penetration tests to evaluate platform security.

Using Zoom for Communications in Healthcare

Enterprise-class communication platforms need to provide enterprise-level privacy and security. This is particularly essential in healthcare because of HIPAA compliance. Zoom offers an enterprise plan for healthcare providers called Zoom for Healthcare, which was developed to include the safeguards required for compliance with the HIPAA Privacy and Security Rules; nonetheless, Zoom’s recent security vulnerabilities and privacy problems have cast doubt on the quality of protection it provides.

While the COVID-19 public health emergency is in force, the HHS’ Office for Civil Rights will exercise enforcement discretion and will not issue sanctions or fines for the good faith provision of telehealth services. OCR is also allowing, for the time being, the use of applications that might not meet all HIPAA requirements. Though there is no indication that OCR would make an exception of Zoom, healthcare organizations should still exercise care, as Zoom is not a public-facing platform.

There are other teleconferencing platforms that healthcare organizations can use to provide telehealth services. Many of them provide true end-to-end encryption and have none of the security problems identified in Zoom. There are also free-to-use, secure, HIPAA-compliant messaging platforms: TigerConnect, for example, has offered healthcare organizations free use of its platform since the COVID-19 public health emergency was declared.

Because secure videoconferencing and communication platforms are available, it is highly recommended to use an alternative for telehealth and other healthcare communication throughout the COVID-19 outbreak, until Zoom fully fixes its privacy and security problems and completes its platform review.

Business Associates Allowed to Disclose PHI in Relation to COVID-19 Public Health and Health Oversight Activities

On April 2, 2020, the Department of Health and Human Services issued an announcement that is effective immediately. HHS is exercising enforcement discretion and will not impose sanctions or issue financial penalties on healthcare organizations or their business associates for good faith uses and disclosures of protected health information (PHI) for public health and health oversight activities during the COVID-19 public health emergency, until the public health emergency is declared over by the Secretary of the HHS.

The Notice of Enforcement Discretion supports federal public health authorities and health oversight agencies, for instance the Centers for Disease Control and Prevention (CDC), the Centers for Medicare and Medicaid Services (CMS), state and local health departments, and other emergency operation centers that need quick access to COVID-19 related information.

Although the HIPAA Privacy Rule allows HIPAA-covered entities to disclose PHI for public health and health oversight purposes, business associates of HIPAA-covered entities can currently disclose PHI for those purposes only when this is specifically permitted in their business associate agreement (BAA) with the covered entity. Without the Notice of Enforcement Discretion, business associates could face financial penalties for disclosing PHI for public health and health oversight purposes.

The Notice of Enforcement Discretion applies to the following HIPAA Privacy Rule provisions, but only for good faith uses or disclosures of PHI by a business associate for public health activities in accordance with 45 CFR 164.512(b), or for health oversight activities in accordance with 45 CFR 164.512(d). The business associate must notify the covered entity of the use or disclosure of PHI within 10 calendar days.

  • 45 CFR 164.502(a)(3)
  • 45 CFR 164.502(e)(2)
  • 45 CFR 164.504(e)(1) and (5)

The Notice of Enforcement Discretion does not apply to any other provisions of the HIPAA Rules. The HIPAA Security Rule continues to be enforced. When PHI is disclosed to a public health authority or health oversight agency, the business associate must ensure that the requirements of the HIPAA Security Rule are satisfied: reasonable safeguards must be in place to protect the confidentiality, integrity and availability of ePHI, and the information must be transmitted securely.

OCR Director Roger Severino stated that the CMS, the CDC, and state and local health departments need fast access to COVID-19 related health information in order to combat the pandemic. Giving HIPAA business associates more freedom to work and exchange data with public health and oversight agencies improves the chances of flattening the curve and saving lives.

The OCR Notice of Enforcement Discretion can be viewed on this page.

CMS Declared Sweeping Regulatory Changes Due to the Spike in COVID-19 Patients

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has announced a set of sweeping regulatory changes and waivers to give healthcare providers maximum flexibility in treating patients during the 2019 Novel Coronavirus pandemic. The changes will allow healthcare professionals to act as coordinators of healthcare delivery in their communities.

The temporary relaxation of restrictions is intended to create hospitals and health systems without walls, so that hospitals and health systems can more easily handle the expected surge in COVID-19 patients over the coming weeks.

Under normal circumstances, federal restrictions require hospitals to provide medical services within their existing facilities, but this will not be practical as patient numbers rise. As the number of COVID-19 cases increases, hospitals will eventually reach capacity, and unless they can open additional sites to treat patients, they could be overwhelmed.

To ensure that all patients can receive treatment and no one is left behind, the CMS has eased restrictions and issued temporary rules that allow treatment to be provided in other locations. Many ambulatory surgery centers have cancelled elective procedures for the duration of the public health emergency. Hospitals and health systems will be allowed to use those facilities, along with inpatient rehabilitation hospitals and even dormitories and hotels, while remaining eligible for Medicare reimbursement for the services they provide. The new locations may be used to treat non-COVID-19 patients, freeing up inpatient beds for COVID-19 patients who need intensive care and respirators.

The CMS stated that ambulatory surgery centers have two options. They can either contract with local healthcare systems to provide services on behalf of a hospital, or they can enroll and bill CMS as hospitals for the duration of the public health emergency declaration, provided this does not conflict with their State’s Emergency Preparedness or Pandemic Plan. Healthcare organizations will not be allowed to operate outside of the plans prepared at the local level.

To further increase capacity, the CMS has issued a waiver that permits physician-owned hospitals to increase their number of beds without facing sanctions. Hospitals are permitted to set up drive-through COVID-19 screening facilities and use off-campus testing sites, and coverage will be provided for laboratory technicians who need to travel to a Medicare beneficiary’s home to collect samples for COVID-19 testing. CMS is budgeting additional reimbursement for ambulances, which are needed to transfer patients to and from healthcare facilities and doctors’ surgeries so that they receive the treatment they need. Medicare coverage for respiratory-related devices and equipment has now been extended to cover any medical reason.

Changes were also made to support the rapid expansion of the healthcare workforce. These include simplifying Medicare enrollment for providers and permitting teaching hospitals to let medical residents deliver services under the guidance of a teaching physician. The CMS has also issued a blanket waiver allowing hospitals to provide additional benefits to support their medical workforce, including multiple daily meals, laundry service for personal clothing, and child care services while physicians and other personnel are at the hospital providing patient care.

Changes were likewise made to relieve the administrative burden on healthcare professionals, with the CMS putting patients over paperwork by removing paperwork requirements so that physicians have more time to care for patients.

The CMS recently announced additional flexibility in the availability of telehealth services, with reimbursement now offered for all Medicare beneficiaries in all locations. Coverage now includes more than 80 additional services delivered via telehealth, as long as those services are provided by physicians permitted to deliver telehealth services.

These changes and waivers are only temporary and apply for the duration of the national public health emergency for COVID-19, after which the CMS will assess how best to transition back to the normal system.

Vulnerabilities Found in Insulet Omnipod and Systech NDS-5000 Terminal Server

Vulnerabilities were identified in the Insulet Omnipod Insulin Management System and the Systech NDS-5000 Terminal Server and pertinent advisories were issued.

Improper Access Control Discovered in Insulet Omnipod Insulin Management System

ThirdwayV Inc. has identified a high severity vulnerability in the Omnipod Insulin Management System that an attacker could exploit to gain access to the Pod of a vulnerable insulin pump and intercept and alter information, change insulin pump settings, and manipulate insulin delivery.

The vulnerable insulin pumps communicate with an Insulet-built Personal Diabetes Manager device over wireless RF. The researchers found that the RF communication protocol does not properly enforce authentication or authorization.

The vulnerability affected the following versions:

  • UDI/Model/NDC number: ZXP425 (10-Pack) and ZXR425 (10-Pack Canada)
  • Omnipod Insulin Management System Product ID/Reorder number: 19191 and 40160

The vulnerability is tracked as CVE-2020-10597 and has been assigned a CVSS v3 base score of 7.3 out of 10. No incidents of exploitation of the vulnerability have been reported.

Patients should not connect any third-party devices or use unapproved software, and should be mindful of pump signals and alarms. Patients should monitor their blood glucose levels carefully, and any unintended boluses must be cancelled immediately. Insulet advises updating to the latest version of the insulin pump, which has additional cybersecurity protections.

Patients using a vulnerable product are advised to contact Insulet Customer Care or a healthcare professional for more information about the risk posed by the vulnerability.

Systech NDS-5000 Terminal Server Found With Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability was discovered in the NDS-5000 Terminal Server that an attacker could exploit to perform privileged actions on behalf of users, view sensitive information, restrict system availability, and possibly execute arbitrary code remotely. The vulnerability can be exploited remotely by an attacker with a low skill level.

The vulnerability is tracked as CVE-2020-7006 and has been assigned a CVSS v3 base score of 6.8 out of 10 (medium severity). It affects the NDS/5008 (8 Port, RJ45), DS-5000 Terminal Server and firmware Version 02D.30. The vulnerability has been fixed in firmware version 02F.6.

Users of the vulnerable product should contact Systech Technical Support for information on upgrading the firmware to prevent exploitation.

Critical Infrastructure Penetration Test Specialist Murat Aydemir of Biznet Bilisim A.S. identified the vulnerability.

Free Webinar on Communication Best Practices During a Pandemic

Throughout the 2019 Novel Coronavirus pandemic, prompt, fast, enterprise-wide communication is necessary to slow the spread of the virus and ensure continuity of service.

Not everything is understood about the Novel Coronavirus, including how it is transmitted. The situation is changing rapidly, and new information is continually being released by scientists and public health experts. That information, and the resulting revisions to policies and protocols, must be conveyed quickly across healthcare institutions. It is also essential for healthcare professionals to keep track of the status of patients who are self-quarantining at home after showing signs of COVID-19.

The 2019 Novel Coronavirus pandemic is subjecting health systems to great stress and it is crucial to have speedy, efficient, and reliable internal and external communication.

TigerConnect, a leading provider of a secure healthcare communication platform, will hold a free webinar in which the company’s healthcare communication specialists discuss best practices in communication and collaboration that support organizational readiness, efficient response, and service continuity during the 2019 Novel Coronavirus pandemic and similar crises.

The following will be discussed by TigerConnect during the webinar:

  • guidelines for workflow readiness
  • ways to speed up internal and external communication
  • efficient broadcasting of essential updates to personnel and external partners
  • how to expedite patient diagnosis and quarantine workflows
  • the most effective way to prioritize monitoring of critical patients
  • how to keep the staff safe
  • how to take advantage of text messaging to keep track of patients who are on self-quarantine at home

Over 6,000 healthcare organizations have adopted the TigerConnect platform to collaborate and communicate effectively. Singapore Health is one healthcare organization using the TigerConnect platform to improve enterprise-wide communication and coordination during the COVID-19 crisis, and it has been commended for the productivity and efficiency of its response. TigerConnect will share the lessons learned to help U.S. healthcare providers better deal with the COVID-19 crisis.


PHI Potentially Compromised Due to Breaches at 3 Healthcare Organizations

Mailing Error at Kaiser Permanente

Kaiser Permanente has discovered that it accidentally mailed letters to patients’ former addresses. Kaiser Permanente had started a project to improve the mailing addresses used for communication with members in Southern California. On November 1, 2019, the error that caused letters to be sent to the wrong addresses was discovered. According to the investigation findings, the error began on October 6, 2019, and the wrong addresses were corrected on December 20, 2019.

The mailings sent in error included surveys, referral letters, appointment reminders, care reminders, and Explanation of Benefits statements. The information contained in those letters included demographic data, medication information, diagnoses, billing data, and medical insurance data. No financial data or Social Security numbers were exposed.

Kaiser Permanente has provided additional training to employees to prevent similar errors in the future, and the letters were resent to the correct addresses. According to the HHS’ Office for Civil Rights (OCR) breach portal, about 500 patients were affected by the mailing error.

Breach Due to the Error of Riverview Health’s Mailing Vendor

A printing error by the mailing vendor of Riverview Health, based in Noblesville, IN, caused a breach of the names of 2,610 patients.

The mailing vendor had been instructed to mail patient notification letters about the planned switch to two primary care providers. Because of the error, the letters were sent to the wrong recipients on January 6, 2020. Riverview discovered the vendor’s error on January 14, 2020.

The letters identified the recipients as patients of one of the two Riverview Health primary care providers. No other data was exposed.

Riverview Health has taken steps to prevent similar errors in the future, including adding further review steps before notification letters are mailed to patients.

Abandoned Mental Health Records in Chicago Street

Paper health records from the Community Mental Health Council were found abandoned on a street in West Englewood, Chicago. The Community Mental Health Council permanently closed its clinics after losing its funding in 2012.

The sensitive data of hundreds of former patients was exposed. The records included names, addresses, diagnoses, health records, Social Security numbers, and other sensitive data. A local resident saw the paper records scattered across an alley off Hermitage Avenue when she took out her garbage. City officials were notified and have since collected and secured the records; they are now trying to determine who was responsible for dumping the documents.

Quest Diagnostics Settlement of 2016 Data Breach Gets Final Approval

A federal judge has given final approval to a settlement that resolves a class-action lawsuit against Quest Diagnostics Inc. over its 2016 data breach. The New Jersey-based medical laboratory firm will pay a $195,000 settlement, which provides every breach victim with up to $325 in compensation.

On November 26, 2016, hackers accessed the Care360 MyQuest mobile app, which patients use to store and share their test results and book appointments. The app stored names, telephone numbers, dates of birth, and lab test results, which for a number of patients included their HIV test results. The breach affected 34,000 patients.

According to the class-action lawsuit filed on behalf of breach victims in 2017, Quest Diagnostics was negligent in protecting the sensitive data of app users. The lawsuit states that even though Quest Diagnostics knew it was storing sensitive Private Information, making it valuable and vulnerable to cyber attackers, it failed to take adequate measures to secure users’ information. The plaintiffs also alleged that Quest Diagnostics did not provide timely, accurate, and sufficient notification of the breach.

In the fall of 2019, Quest Diagnostics submitted a settlement proposal providing compensation to breach victims in order to avoid further legal expenses and the burden of continued litigation. The proposal offers up to $325 per breach victim, which reflects the strengths and weaknesses of the claims and defenses in the case. Quest Diagnostics and the other defendants in the case did not admit any wrongdoing.

A federal court judge granted preliminary approval of the settlement in October 2019. Final approval was issued on February 25, 2020.

Each class member may claim up to $325: up to $250 to cover documented out-of-pocket costs incurred because of the breach, plus a further $75 for each patient whose HIV test results were exposed, even if the patient suffered no losses. Plaintiffs must submit a claim to receive a share of the settlement, and claims must be submitted by May 22, 2020.

Another class-action lawsuit has been filed against Care360 and Quest Diagnostics over the 2019 theft of roughly 12 million patients’ data from its business associate, the American Medical Collection Agency (AMCA). The plaintiffs in that case likewise allege that the defendants were negligent in failing to safeguard their personal and protected health information (PHI) and failed to provide timely and appropriate notifications.

The First HIPAA Penalty of 2020 Announced By the HHS’ Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D. has agreed to pay a $100,000 financial penalty to resolve potential HIPAA Security Rule violations and to undertake a corrective action plan addressing all areas of noncompliance identified during the compliance investigation.

Dr. Porter’s practice in Ogden, UT provides gastroenterological care to over 3,000 patients. OCR opened an investigation after receiving a data breach report on November 13, 2013. The breach involved Dr. Porter’s electronic health record (EHR) vendor, a business associate, which was allegedly impermissibly using patients’ electronic medical records by blocking the practice’s access to PHI until Dr. Porter paid it $50,000.

The breach investigation revealed the following serious HIPAA Security Rule violations of the practice:

  • Dr. Porter had not conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(i)
  • The practice had not reduced risks to a reasonable and appropriate level
  • The practice had not implemented policies and procedures to prevent, detect, contain, and correct security violations

Since 2013, the practice had allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on its behalf without first obtaining satisfactory assurances that the company would implement safeguards to ensure the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(b).

During the investigation, OCR provided substantial technical assistance, yet no risk analysis was conducted after the breach and no appropriate security measures were implemented to reduce risks to a reasonable and appropriate level.

The financial penalty underscores that healthcare organizations of all sizes must take their obligations under HIPAA seriously. Failure to comply with fundamental HIPAA requirements, such as having an accurate and thorough risk analysis and a risk management plan, remains an unacceptable and troubling trend within the healthcare sector.

NIST Issues a Roadmap for Regional Alliances and Partnerships to Develop the Cybersecurity Workforce

The National Institute of Standards and Technology (NIST) has issued a cybersecurity education and workforce development roadmap based on information gathered from five pilot Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) Cybersecurity Education and Workforce Development programs.

There is currently a worldwide shortage of cybersecurity professionals, and the shortage is growing. Data from CyberSeek.org show that from September 2017 to August 2018, 313,735 cybersecurity jobs were open, and figures from the 2017 Global Information Security Workforce Study indicate that 1.8 million cybersecurity professionals will be needed to fill open positions by 2022.

To help address the shortage, the National Initiative for Cybersecurity Education (NICE), led by NIST, funded the pilot programs in September 2016. The RAMPS pilot programs were intended to energize and promote a robust network and ecosystem for cybersecurity education, training, and workforce development.

The pilot programs involved:

  • creating regional alliances in which the workforce needs of businesses and non-profit organizations are aligned with the learning objectives of education and training providers
  • growing the pipeline of students entering cybersecurity careers
  • educating more Americans and creating middle-class job opportunities in cybersecurity
  • supporting local economic development to promote job growth

The principal aim of the programs is to facilitate alliances between employers with cybersecurity skills gaps and educators who can help develop a skilled workforce to meet industry requirements. The following alliances ran the pilot programs:

  • Arizona Statewide Cyber Workforce Consortium
  • the Cyber Prep Program in Southern Colorado
  • Cincinnati-Dayton Cyber Corridor
  • the Hampton Roads Cybersecurity Education, Workforce, and Economic Development Alliance in Southeast Virginia
  • the Partnership to Advance Cybersecurity Education and Training in New York City and the Capital District

Each of the pilot programs took a different approach to addressing the shortage of qualified cybersecurity workers in its region. Some of the common challenges the programs encountered were:

  • employers unable to articulate their cybersecurity requirements
  • a disconnect between workforce supply and demand
  • a lack of coordination of resources for education and workforce development programs
  • difficulty for small communities in retaining skilled cybersecurity workers

The roadmap was developed from the successful outcomes of each program and includes advice on how common challenges can be addressed, along with the recommendations and lessons learned from running the pilot programs.

The four main components required to build successful alliances that promote and develop the cybersecurity workforce are:

  • Understanding program goals and metrics
  • Developing strategies and tactics
  • Measuring impact and results
  • Sustaining the effort

The document gives examples of each of these activities that proved effective in the pilot programs.

The document is not intended to be a how-to guide for establishing successful regional alliances, but it will be helpful to those seeking guidance on how to manage and facilitate regional efforts to improve cybersecurity education and workforce development. To develop a successful cybersecurity education and workforce development plan, local and regional experts must contribute their insight, since they are the ones familiar with the cybersecurity needs of their communities.

The document, A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce, can be downloaded from NIST (PDF).

Class Action Lawsuit Filed Against UW Medicine Over 974,000-Record Data Breach

A lawsuit has been filed in King County Superior Court against University of Washington Medicine over a data breach that exposed the protected health information (PHI) of patients.

The legal action was filed because a misconfigured server caused a data breach in December 2018 that exposed the PHI of 974,000 patients over the internet. An accounting of disclosures database was stored on the misconfigured server. The information potentially exposed included patients’ names, medical record numbers, a list of the entities that had been given patient data, and the purpose of each disclosure. For some individuals, the exposed data also included information about a research study they had participated in, their health condition, and the name of the laboratory test performed. For certain patients, sensitive information was exposed, such as the fact that the patient had taken an HIV test and, in some cases, the patient’s HIV status. No Social Security numbers, financial data, medical insurance data, or medical files were exposed.

The server misconfiguration occurred on December 4, 2018. UW Medicine learned of the breach after a patient found a file containing their medical information indexed by Google. On December 26, 2018, UW Medicine identified and fixed the misconfiguration.

UW Medicine stated in a press release issued on February 20, 2019 that access to the database had been unsecured for three weeks. UW Medicine worked directly with Google to have all indexed data removed from Google’s servers, which was completed on January 10, 2019.

The lawsuit alleges that UW Medicine was negligent and failed to adequately secure the PHI of its patients, and that it did not notify patients promptly after the breach. Patients allegedly suffered injury, distress, and reputational damage because of the breach, and face an increased risk of identity theft, abuse, and fraud.

The lawsuit also cites a previous UW Medicine data breach as further evidence of poor data security practices. That 2013 breach was a malware infection that occurred after an employee opened an infected email attachment; the malware attack affected 90,000 patients.

The HHS’ Office for Civil Rights investigated the breach and found that UW Medicine had violated the HIPAA Security Rule by failing to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations. UW Medicine settled the case in 2015 by paying OCR $750,000 and agreeing to a corrective action plan, which included conducting a comprehensive analysis of security risks and vulnerabilities and creating an organization-wide risk management plan.

The plaintiffs allege that UW Medicine’s ineffective security practices have now exposed the PHI of about one million patients, far exceeding the impact of the 2013 breach, in violation of its statutory and professional standard of care obligations and of the reasonable expectations of the Plaintiffs and the Class when they chose to enter a patient-provider relationship with UW Medicine, thereby diminishing the value of the services UW Medicine provided and its patients paid for.

The lawsuit seeks full disclosure of the data that was exposed, statutory damages and legal fees, and an order requiring UW Medicine to implement adequate security practices and measures to prevent further data breaches.

Legal Case Filed Against Hackensack Meridian Health Over December Ransomware Attack

Hackensack Meridian Health in New Jersey is facing a lawsuit in relation to the December 2, 2019 ransomware attack which impacted 17 of its hospitals.

The ransomware attack temporarily disrupted healthcare services because hospital staff could not access medical records while systems were offline. Systems remained offline for several days while data was recovered. Staff continued to provide medical services, recording patient data with pen and paper, and some non-urgent medical procedures were canceled.

Immediate measures were taken to protect systems and restore data, and doctors, nurses, and clinical staff worked around the clock to maintain patient safety throughout the attack and the recovery process. To restore systems as quickly as possible and avoid further disruption to healthcare services, Hackensack Meridian Health decided to pay the ransom. The health system’s comprehensive insurance policy covered the cost of the ransom payment as well as its remediation and recovery expenses.

Forensic specialists were hired to investigate and determine whether patient information was compromised. No evidence was found to indicate that the attackers stole any patient information.

Although Hackensack Meridian Health appears to have done what it could to limit the harm to patients and restore its systems and data as quickly as possible, this did not prevent legal action.

A proposed class-action lawsuit was filed in a Newark district court. The two plaintiffs seek compensation, statutory damages and penalties, reimbursement of out-of-pocket expenses, and injunctive relief requiring Hackensack Meridian Health to improve its security systems, undergo annual data security audits, and provide breach victims with three years of free credit monitoring services.

The plaintiffs claim that Hackensack Meridian Health recklessly managed its network, leaving its systems vulnerable to attack, and that the health system failed to adequately secure patient data. The lawsuit also alleges that the attack seriously disrupted the care provided to patients, forcing them to seek alternative care and treatment.

According to Hackensack Meridian Health’s investigation findings, no evidence of data theft was found, yet the plaintiffs claim that the attackers stole their personal and protected health information (PHI) and exposed it to other unidentified criminals, so that they face an increased and imminent risk of identity theft and fraud.

The plaintiffs further allege that Hackensack Meridian Health did not report the ransomware attack to the Department of Health and Human Services’ Office for Civil Rights and did not notify the affected patients about the breach.

As of February 19, 2020, the incident has not been published on the OCR breach portal, although that does not necessarily mean it was not reported. There is usually a delay between the submission of a report to OCR and the posting of the incident on the breach portal.

Breach notifications may also be delayed while a breach investigation is ongoing. It can take time to identify the affected patients and obtain up-to-date contact details in order to mail notices. Under prior OCR guidance, patient notifications are usually required after ransomware attacks, but they are not mandatory if the covered entity can demonstrate a low probability that PHI was compromised.

It is becoming increasingly common for patients to sue covered entities over ransomware attacks, and a number of lawsuits have recently been filed on behalf of patients affected by such attacks. Given the number of threat groups now stealing data before encrypting files, more lawsuits are to be expected.

Senator Gillibrand’s Data Protection Act Proposal and the Creation of Federal Data Protection Agency

Senator Kirsten Gillibrand has introduced a new Senate bill called the Data Protection Act. It aims to establish new data privacy standards and expand consumers’ rights over their personal information. At present, a large number of companies collect and use consumer data, and in many cases companies profit from consumers’ personal data without their knowledge.

Under the California Consumer Privacy Act (CCPA), Californian consumers have been granted greater rights over their private information. Most other U.S. consumers, however, have little control over the collection, use, and sale of their personal information.

Sen. Gillibrand’s Data Protection Act is intended to bring consumer privacy protections and freedoms into the digital age. The Data Protection Act would establish a new consumer watchdog, the Data Protection Agency (DPA), tasked with protecting consumer data and privacy and ensuring fair and transparent data practices. The Director of the DPA would be appointed by the President and confirmed by the Senate, and would serve a 5-year term.

The DPA would have the authority to define, adjudicate, and enforce data protection rules created by Congress or by the DPA itself. It would be able to impose civil monetary penalties on organizations that violate consumer privacy and to grant injunctive relief and equitable remedies.

The DPA would accept consumer complaints, conduct investigations, and inform the public about data protection concerns, including publishing the results of investigations into entities that misuse consumer data. The DPA would also be tasked with advising Congress on emerging privacy and technology issues and would represent the United States in international data privacy forums.

The DPA would promote data protection and privacy innovation across the private and public sectors, support the development of Privacy Enhancing Technologies (PETs) that limit or eliminate the collection of personal data, and act to prevent “take-it-or-leave-it” and “pay-for-privacy” terms in service contracts.

The Data Protection Act would also help close privacy gaps for health information not covered by HIPAA, such as the health data collected by fitness trackers and wellness apps. The companies that develop these apps collect data for various reasons and could sell it to a health insurer, which in turn could charge a consumer a higher premium for not getting enough physical activity.

Sen. Gillibrand stated that the U.S. is the only OECD member without a federal data protection agency to ensure that consumers’ personal data is not misused and to act when it is. Companies are exploiting data, ignoring rules, putting profits ahead of responsibility, and viewing consumers as dollar signs, with little regard for the long-term consequences.

The Data Protection Act is supported by a number of technology, privacy, and civil rights organizations, such as Color of Change, Public Citizen, Center for Digital Democracy, Consumer Action, Consumer Federation of America, and the Electronic Privacy Information Center.

eHI and CDT Collaboration in Developing a Consumer Privacy Framework for Health Data not Protected by HIPAA

The eHealth Initiative (eHI) has partnered with the Center for Democracy & Technology (CDT) to create a new consumer privacy framework for health information not protected by the Health Insurance Portability and Accountability Act (HIPAA) Rules.

Personally identifiable health data that is collected, stored, maintained, processed, or transmitted by HIPAA-covered entities and their business associates is protected by the HIPAA Privacy and Security Rules. If the same data is collected, stored, maintained, processed, or transmitted by an entity not covered by HIPAA, the law does not require those protections.

At present, health information is collected, stored, and transmitted by wearable devices, health and wellness apps, and health education websites. Without HIPAA-like protections, the privacy of consumer health data is at risk.

The Robert Wood Johnson Foundation has provided eHI and CDT with funding for the Building a Consumer Privacy Framework for Health Data project. A Steering Committee for Consumer Health Privacy has been formed with experts and leaders from healthcare, technology, consumer groups, and privacy advocacy groups. The Steering Committee will review the steps needed to protect the privacy of health information not covered by HIPAA and will evaluate different strategies for addressing the complexities of securing non-HIPAA-covered health information.

eHI Chief Executive Officer Jennifer Covich Bordenick explained that the project focuses on analyzing ‘health-ish’ data not protected by HIPAA or other health privacy regulations, and that it is vital to bring together a broad and diverse group of collaborators to work on these major issues.

The Steering Committee’s first meeting was held on February 11, 2019 in Washington DC. The group of participants that attended the meeting included 23andMe, Ascension, Change Healthcare, American Hospital Association, American College of Physicians, American Medical Association, Electronic Frontier Foundation, Fitbit, Elektra Labs, Future of Privacy Forum, Hogan Lovells, Hispanic Technology and Telecom Partnership, Microsoft, Salesforce, National Partnership for Women & Families, Under Armour, Waldo Law Offices, UnitedHealth Group, Yale University, Wellmark Blue Cross and Blue Shield.

Further Steering Committee meetings will be held throughout 2020, and smaller workgroups will be formed to focus on particular areas of the privacy framework. CDT and eHI are inviting privacy experts, consumer organizations, and businesses that handle genomic, wearable, and social media data to join the project.

CDT Interim Co-Chief Executive Officer Lisa Hayes said that consumers are increasingly skeptical about the use of their data, especially sensitive health-related data, and expressed hope that the framework will provide more privacy rights and protections to consumers who use modern digital health and wellness services.

PHI of 654,000 Members of Health Share of Oregon Potentially Compromised in a Business Associate Data Breach

Health Share of Oregon, the Medicaid coordinated-care organization in Oregon, has begun notifying around 654,000 current and former members about the theft of a laptop computer from GridWorks, its transportation vendor. The laptop contained some of their protected health information (PHI).

GridWorks was hired to manage Health Share’s Ride to Care program, which provides non-emergency transportation for its members.

Health Share’s policy requires business associates to encrypt all portable devices containing patient data. However, GridWorks had not encrypted the laptop. The PHI stored on the laptop included names, contact phone numbers, addresses, dates of birth, Medicaid numbers, Health Share ID numbers, and Social Security numbers.

The laptop was stolen in November 2019 during a burglary at GridWorks’ office. GridWorks notified Health Share of the theft on January 2, 2020. On February 5, Health Share began mailing notification letters to everyone whose PHI was stored on the laptop. Health Share is also offering affected individuals 12 months of complimentary credit monitoring and identity theft protection services.

Health Share subjects its vendors to security audits; the last audit of GridWorks was in March 2019. In response to the breach, Health Share will expand its vendor security audit program and take steps to ensure that vendors receive only the minimum necessary patient data. Health Share has also improved its employee training policies.

In October 2019, Health Share announced that CareOregon, a nonprofit health plan, would take over administration of the Ride to Care program. GridWorks had failed to pay a number of transportation providers that supplied rides under the Ride to Care program. In December 2019, GridWorks went into receivership and will cease operations once administration of the Ride to Care program has been fully transferred to CareOregon.

Florida Clinic Worker Pleads Guilty for Wire Fraud and Aggravated Identity Theft

Stacey Lavette Hendricks, a 49-year-old resident of Leesburg, FL and former medical clinic employee, has pleaded guilty to wire fraud and aggravated identity theft. She was found to have impermissibly accessed patients’ protected health information (PHI) and contacted identity thieves to sell the information.

As an administrative employee at a number of Florida medical clinics, Hendricks was given access to patients’ PHI, which she used to steal patient data from the unnamed clinics. The stolen information included names, dates of birth, and Social Security numbers. Hendricks sold the data to identity thieves and also used it to defraud businesses herself.

The United States Secret Service investigated and arrested Hendricks after she attempted to sell stolen patient data to an undercover agent. Law enforcement officers obtained a warrant to search her house and car and found the information of 113 different patients that Hendricks had stolen from the clinics.

Hendricks was charged in the United States District Court for the Middle District of Florida in Ocala and pleaded guilty to the following charges:

  • two counts of fraud involving identification documents: aggravated identity theft and possession of a means of identification with intent to commit a felony
  • one count of wire fraud

Although a sentencing date has not yet been set, Hendricks faces up to 20 years in prison for the wire fraud charge and a mandatory consecutive two-year prison term for aggravated identity theft.