$65,000 Fine Issued for University of Cincinnati Medical Center Due to HIPAA Right of Access Failure

The HHS’ Office for Civil Rights issued its 18th HIPAA financial penalty of 2020 – the 12th fine issued under its HIPAA Right of Access enforcement initiative.

In 2019, OCR launched an initiative to ensure that individuals receive timely access to their health information at a reasonable cost, as the HIPAA Privacy Rule requires. The initiative was prompted by widespread non-compliance with this provision: some patients were struggling to obtain copies of their medical records.

The most recent $65,000 financial penalty was imposed on the University of Cincinnati Medical Center, LLC (UCMC). It stemmed from a complaint filed with OCR on May 30, 2019 by a patient who had asked UCMC on February 22, 2019 to send an electronic copy of her health records to her lawyer.

Under the HIPAA Right of Access, providers must supply copies of requested records no later than 30 days after receiving the request (one 30-day extension is permitted if the individual is told in writing why the delay is necessary). 45 C.F.R. § 164.524 also gives individuals the right to direct that the records be sent to a third party of their choosing.

OCR received the complaint more than 13 weeks after the patient submitted her request. After OCR intervened, UCMC provided the lawyer with the requested records on August 7, 2019, more than five months after the initial request.

OCR's investigation established that UCMC had failed to act on the patient's request promptly, and a financial penalty was deemed appropriate.

In addition to the penalty, UCMC must follow a corrective action plan that requires it to develop, maintain and revise, as needed, written policies and procedures to ensure compliance with 45 C.F.R. Part 160 and Subparts A and E of Part 164 (the HIPAA Privacy Rule). OCR will review those policies, and UCMC must implement them within 30 days of OCR's approval.

The policies must be distributed to all workforce members and relevant business associates, and reviewed and updated at least annually. Training materials must also be produced and submitted to OCR for approval, after which workforce members must be trained on the new policies.

UCMC must provide OCR with a list of all business associates and/or vendors that receive, fulfill, bill for, or deny requests for copies or inspection of records, together with copies of the business associate agreements, and must report every case in which a request for access was denied. OCR will monitor UCMC's compliance for two years from the date of the resolution agreement.

OCR is committed to ensuring that patients can exercise their right to access their health data, including the right to direct electronic copies to a third party of their choosing. HIPAA covered entities should review their policies and training programs to make sure they understand and can meet all of their obligations whenever a patient requests access to his or her records.

Private Practitioner Issued $15,000 Penalty over HIPAA Right of Access Failure

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has issued its 11th financial penalty under its HIPAA Right of Access enforcement initiative, to Dr. Rajendra Bhayani, a private practitioner in Regal Park, NY specializing in otolaryngology. Dr. Bhayani agreed to pay a $15,000 penalty to settle the case and to adopt a corrective action plan covering the areas of non-compliance OCR identified during its investigation.

OCR investigated after receiving a complaint in September 2018 from a patient who claimed Dr. Bhayani had not provided her with a copy of her requested health records. She had requested the records in July 2018 and still had not received them two months later.

OCR contacted Dr. Bhayani, provided technical assistance on the HIPAA Right of Access and closed the complaint. In July 2019, a year later, OCR received a second complaint from the same patient stating that she still had not received her records. OCR intervened again, and the patient finally received her medical records in September 2020, 26 months after her first request. HIPAA requires providers to supply requested records within 30 days of receiving the request.

OCR determined that Dr. Bhayani's failure to produce the records violated the HIPAA Right of Access (45 C.F.R. § 164.524). He also failed to respond to OCR's letters of August 2, 2019 and October 22, 2019 requesting information; failing to cooperate with an OCR complaint investigation violates 45 C.F.R. § 160.310(b). OCR decided to impose a penalty for both violations, and Dr. Bhayani agreed to settle the case without admitting liability.

Physicians' practices, large or small, must supply requested records to patients promptly. OCR Director Roger Severino said OCR will continue to prioritize Right of Access cases for enforcement until healthcare providers get the message.

Dr. Bhayani must also follow a corrective action plan. His policies and procedures must be revised to provide individuals with access to their PHI as required by 45 C.F.R. § 164.524, and must specify the method used to calculate a reasonable, cost-based fee for providing access. The policies must be submitted to OCR for review, and any changes OCR requests must be implemented within 30 days. Dr. Bhayani must also provide privacy training to his workforce on access to protected health information (PHI); the training materials must likewise be submitted to OCR for review and approval.

Every three months, Dr. Bhayani must give OCR a list of all access requests received, the fees charged for fulfilling them, and details of any requests that were denied. OCR must also be informed of any workforce member who fails to comply with access requests.

OCR will monitor Dr. Bhayani for two years from the date of the resolution agreement to ensure continued compliance with the HIPAA Right of Access.

Data Security Incident at Lawrence General Hospital, Mary Rutan Hospital and Tri-State Specialists

Lawrence General Hospital in Massachusetts has reported a data security incident in which unauthorized individuals may have accessed some patient information. The breach was discovered on September 19, 2020, when it disrupted the hospital's IT systems. The investigation showed that an unauthorized individual had access to the hospital's systems from September 9, 2020 until the network was secured on September 19.

The compromised systems held patient names, insurance type, internal visit ID numbers and internal patient ID numbers, and limited clinical data for a small number of patients. The Social Security numbers of 5 patients may also have been compromised.

Lawrence General Hospital sent notification letters to affected individuals on November 5, 2020, and says it is strengthening its security controls in response to the breach.

Limited Patient PHI Exposed at Mary Rutan Hospital Due to Spreadsheet Error

Mary Rutan Hospital in Bellefontaine, OH has discovered the exposure of a limited amount of patient data as the result of a spreadsheet error. The hospital's website carried a link to data on Diagnosis Related Groups (DRGs), the patient classification system used to standardize prospective payments to hospitals for inpatient stays.

The link led to a spreadsheet with several tabs, two of which contained limited patient data: names, dates of birth, patient account numbers, dates of service, reason for visit, DRG codes, visit charges, insurance payment amounts, adjustments and balances due for 1,677 patients. The spreadsheet contained no high-risk data.

There is no indication that unauthorized individuals viewed the information. The link was deactivated on the same day the error was identified.

Tri-State Specialists Informs 17,050 Patients Regarding Email Error

Tri-State Specialists, a group of orthopedic surgery clinics in Iowa, Nebraska and South Dakota, is notifying 17,050 patients about an incident that impermissibly disclosed their names and email addresses to some current and former patients.

Tri-State Specialists discovered on September 16, 2020 that an employee had sent an email with an attached file containing patients' names and email addresses. The file contained no other patient information. Patients have been advised to be alert to spam emails that may result from the exposure of their addresses.

In response, Tri-State Specialists has revised its email policies and procedures to prevent similar breaches, and employees have been retrained on the importance of data privacy.

Wakefern Food Corporation Pays $235,000 to Resolve HIPAA Breach Case with NJ Attorney General

Wakefern Food Corporation will pay $235,000 in civil penalties to settle allegations that it violated federal and state law in connection with a data breach involving the protected health information (PHI) of 9,700 customers of two ShopRite supermarkets, in Kingston, New York and Millville, New Jersey. In addition to the penalties, the company must improve its data security practices.

Wakefern Food Corporation is the holding company of ShopRite Supermarkets, Inc. and Union Lake Supermarket, LLC. ShopRite Supermarkets, Inc. owns the ShopRite store in Kingston, NY, and Union Lake Supermarket, LLC owns the Millville ShopRite store.

In 2016, Wakefern replaced the electronic devices used to collect customer signatures and purchase information at the two stores. The old units were not disposed of properly: they were thrown into ordinary dumpsters without being destroyed or wiped to render the stored data unrecoverable. The devices held the PHI of 9,700 customers of the two stores, including names, contact details, dates of birth, zip codes, driver's license numbers, prescription types, prescription numbers, and dates of pickup and delivery.

The New Jersey Division of Consumer Affairs opened an investigation after receiving reports of the improper disposal of ePHI. It determined that the disposal violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the state's Consumer Fraud Act, and that store employees had not been properly trained on handling and disposing of sensitive data.

New Jersey Attorney General Gurbir S. Grewal said pharmacies have a legal obligation to protect the privacy of the patient information they collect and to dispose of it properly when it is no longer needed, and that there are serious consequences for those who compromise consumers' private health data.

Wakefern will pay $209,856.50 in civil penalties and reimburse $25,143.50 in attorneys' fees and investigative costs. It must also implement safeguards to prevent future data breaches, including:

  • designating a chief privacy officer
  • signing business associate agreements with ShopRite Supermarkets, Union Lake and every member that operates a pharmacy inside its supermarkets
  • implementing appropriate measures to secure PHI

Every ShopRite store that operates a pharmacy must designate a HIPAA privacy officer and a HIPAA security officer to oversee compliance, and both must complete online training on their privacy and security responsibilities.

Acting Director of the Division of Consumer Affairs Paul R. Rodríguez said New Jersey consumers who buy prescription medicine at their neighborhood supermarket should be able to trust that their most private information is protected by law and not handled carelessly. The settlement ensures that ShopRite supermarket pharmacies will receive training and monitoring for HIPAA compliance to prevent future incidents that expose consumers to identity theft and invasion of privacy.

ONC Stretches Deadline for Information Blocking and Interoperability Rule Compliance

The deadlines for compliance with the information blocking and health IT certification requirements of the 21st Century Cures Act have been extended again because of the coronavirus pandemic.

On October 29, 2020, the US Department of Health and Human Services' (HHS) Office of the National Coordinator for Health IT (ONC) announced an interim final rule with comment period that extends the compliance dates and timeframes for meeting certain information blocking and Conditions and Maintenance of Certification (CoC/MoC) requirements.

ONC's Cures Act Final Rule, published on March 9, 2020, defined the exceptions to the information blocking provision of the 21st Century Cures Act and adopted new health IT certification requirements that, through the use of application programming interfaces (APIs), would give patients access to their own medical data on their smartphones at no cost.

Compliance deadlines fell in 2020, but health IT stakeholders raised concerns about meeting them during the COVID-19 pandemic. On April 21, 2020, ONC announced that it would exercise enforcement discretion with respect to the compliance deadlines and allow an additional three months after the original dates to meet all of the new requirements under the ONC Health IT Certification Program.

Because the COVID-19 crisis is ongoing, ONC has now given the healthcare ecosystem further flexibility and time to respond to the public health emergency by extending the compliance dates set out in its April 2020 enforcement discretion announcement.

According to National Coordinator for Health IT Don Rucker, MD, there is strong support for improving patient access and clinician coordination through the provisions of the final rule, but stakeholders must also deal with the demands of the ongoing pandemic. ONC is not removing the requirements to advance patient access set out in the Cures Act Final Rule; it is allowing more time so that everyone in the healthcare ecosystem can focus on the COVID-19 response.

The new compliance deadlines are as follows:

April 5, 2021

  • Information Blocking CoC/MoC requirements (§ 170.401)
  • Information blocking provisions (45 CFR Part 171)
  • API CoC/MoC requirement (§ 170.404(b)(4)) – compliance for current API standards
  • Assurances CoC/MoC requirements (§ 170.402, except for § 170.402(b)(2) as it relates to § 170.315(b)(10))
  • Communications CoC/MoC requirements (§ 170.403) (excluding § 170.403(b)(1); the 2020 notice requirement has been removed)

December 31, 2022

  • New standardized API functionality (§ 170.315(g)(10))
  • 2015 Edition health IT certification criteria updates (excluding § 170.315(b)(10), EHI export, which is moved to December 31, 2023)

The deadlines for submitting initial attestations (§ 170.406) and initial real-world testing plans and results (§ 170.405(b)(1) and (2)) have been extended by one calendar year.

Failure of New Haven, CT to Terminate Ex-Employee's Access Rights Results in $202,400 HIPAA Fine

The City of New Haven, Connecticut has agreed to settle a HIPAA violation case with the Department of Health and Human Services' Office for Civil Rights by paying a $202,400 financial penalty.

OCR opened an investigation in May 2017 after receiving New Haven's breach notification on January 24, 2017, to determine whether the breach was connected to violations of the HIPAA Rules.

OCR's investigation found that the New Haven Health Department had terminated an employee on July 27, 2016, during her probationary period. That same day, the former employee returned to the New Haven Health Department with her union representative, used her work key to enter her old office, and locked herself inside with the representative.

Once inside, she logged into her old computer with her username and password and copied data from it onto a USB drive. She also took personal items and documents from the office before leaving the premises. One file on the computer, which was copied to the USB drive, contained the protected health information (PHI) of 498 patients, including names, dates of birth, addresses, race/ethnicity, gender and sexually transmitted disease test results. An intern witnessed what the former employee did.

OCR investigators also found that the former employee had shared her login credentials with an intern, who continued to use them to access PHI on the network after the employee was dismissed.

Had the New Haven Health Department revoked the former employee's credentials at termination, the breach could have been prevented. Had every user been issued their own unique credentials, the system activity of each individual could have been correctly attributed and their use of electronic PHI tracked.

OCR concluded that between December 1, 2014 and December 31, 2018, New Haven had not implemented HIPAA Privacy Rule policies and procedures, had not implemented procedures to terminate access to ePHI when an employee's employment or other relationship ended, and had not assigned unique usernames and passwords to track user identity.

No accurate, organization-wide risk analysis had been conducted to identify the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, and the PHI of 498 individuals was impermissibly disclosed.

In addition to the financial penalty, the City of New Haven has agreed to adopt a corrective action plan addressing all areas of noncompliance. OCR will monitor the City of New Haven's HIPAA compliance for two years from the date of the resolution agreement.

Healthcare providers must know at all times who in their organization can access patient data. When a person's employment ends, their access to patient records must end with it.
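Both control failures OCR cites in this case, credentials that outlive employment and one credential used by more than one person, leave traces in ordinary authentication logs. The Python script below is an added example written for this page (it is not from the OCR case record or the City of New Haven) that checks a constructed log against an assumed HR termination feed and an assumed account directory. It reports activity by an account after its owner's separation, accounts still enabled after separation, and one account logging in from two hosts within a short window, a common indicator that a password has been shared. The log format, hostnames, usernames and every log line are constructed for illustration.

```python
"""Detecting two offboarding failures in an authentication log.

Added example, not part of the OCR case record: the log format, the HR
termination feed, the account directory and every log line below are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed HR feed: account -> moment the person's employment ended.
TERMINATIONS = {"jdoe": datetime(2016, 7, 27, 9, 0)}
# Assumed directory state at the time of the check.
DIRECTORY = {"jdoe": {"enabled": True}, "asmith": {"enabled": True}}
# Constructed log: ISO timestamp, event type, then key=value fields.
AUTH_LOG = """\
2016-07-26T08:55:12 LOGIN user=jdoe host=WS-HEALTH-12 src=10.1.4.12 result=success
2016-07-27T10:40:03 LOGIN user=jdoe host=WS-HEALTH-12 src=10.1.4.12 result=success
2016-07-27T10:52:41 FILECOPY user=jdoe host=WS-HEALTH-12 dest=USB
2016-08-02T09:15:00 LOGIN user=jdoe host=WS-HEALTH-30 src=10.1.4.30 result=success
2016-08-02T09:16:30 LOGIN user=jdoe host=WS-HEALTH-12 src=10.1.4.12 result=success
2016-08-03T14:02:11 LOGIN user=asmith host=WS-HEALTH-07 src=10.1.4.7 result=success
"""


def parse_log(text):
    """Turn each non-empty log line into a dict of its fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "event": event}
        rec.update(f.split("=", 1) for f in fields)
        records.append(rec)
    return records


def post_termination_activity(records, terminations):
    """Any event by an account after its owner left: the credential was not revoked."""
    return [r for r in records
            if r["user"] in terminations and r["ts"] > terminations[r["user"]]]


def still_enabled_after_termination(directory, terminations, now):
    """Accounts that should have been disabled at separation but are still enabled."""
    return sorted(user for user, left_at in terminations.items()
                  if now > left_at and directory.get(user, {}).get("enabled", False))


def shared_credential_indicators(records, window=timedelta(minutes=15)):
    """One account logging in from two different hosts within `window`: a sign the
    credential is used by more than one person, so activity cannot be attributed."""
    logins = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN" and r.get("result") == "success":
            logins[r["user"]].append(r)
    findings = []
    for user, events in logins.items():
        events.sort(key=lambda r: r["ts"])
        for i, first in enumerate(events):
            for later in events[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # events are sorted, so nothing later can be inside the window
                if later["host"] != first["host"]:
                    findings.append((user, first["host"], later["host"], later["ts"]))
    return findings


if __name__ == "__main__":
    records = parse_log(AUTH_LOG)
    for r in post_termination_activity(records, TERMINATIONS):
        print("post-termination activity:", r["ts"], r["user"], r["event"], r["host"])
    print("still enabled after separation:",
          still_enabled_after_termination(DIRECTORY, TERMINATIONS, datetime(2016, 8, 4)))
    for user, h1, h2, when in shared_credential_indicators(records):
        print(f"possible shared credential: {user} on {h1} and {h2} within 15 min at {when}")
```

On the constructed data the script flags four events by the departed account after the separation time (including the copy to USB), reports that account as still enabled a week later, and pairs the two logins from different workstations 90 seconds apart. In practice the termination feed would come from the HR system and the directory state from the identity provider; the point is that the check is mechanical and can run daily, so a missed deprovisioning step surfaces in hours rather than in an OCR investigation years later.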

The settlement is the 4th that OCR announced in October 2020, and the 15th HIPAA financial penalty of 2020.

FDA Approves Tool for Rating Medical Device Vulnerability Scores

The FDA has qualified a new rubric, developed by the MITRE Corporation, for assigning Common Vulnerability Scoring System (CVSS) scores to medical device vulnerabilities.

CVSS was designed to score vulnerabilities in IT systems according to their severity, and while it works well for many IT systems, it is less suited to scoring vulnerabilities in medical devices.

When vulnerabilities are identified in medical devices, device manufacturers use CVSS as a consistent, standardized way of communicating their severity to the National Cybersecurity and Communications Integration Center (NCCIC), the Department of Homeland Security (DHS) and other bodies. IT teams in hospitals and clinics use the scores to prioritize patching and software updates: a vulnerability scored 9.0 is normally given priority over one scored 3.0, for example. CVSS base scores, however, do not adequately reflect the clinical context or the potential patient safety impact.

To address this, the FDA engaged the MITRE Corporation to produce a separate rubric specifically for medical devices so that vulnerabilities can be scored accurately. The FDA has now announced that the rubric has been qualified as a Medical Device Development Tool (MDDT). An MDDT must produce scientifically valid measurements and must work as intended within its qualified context of use.

The rubric, applied together with CVSS v3, provides a system for assessing risk and communicating between all parties involved in vulnerability disclosure, particularly about the severity of vulnerabilities and the urgency of response, so that responses can be prioritized.

One of the problems with CVSS is that the base score is meant to give a general sense of the risk a vulnerability poses, but the base metrics do not take into account the environment in which the device or software is used. The score must be adjusted for the specific context in which a device or program is deployed, as that context can considerably increase the risk a vulnerability presents.

This is especially important in healthcare, where the base score can be comparatively low while the actual risk is high, for example when patient safety is affected. There have already been several cases in which medical device vulnerabilities were assigned a relatively low CVSS v3 severity score even though exploitation posed a direct and serious threat to patients.

The rubric gives precise guidance on assigning CVSS scores to medical device vulnerabilities. It addresses the base metric group and discusses the temporal and environmental metric groups, with nearly half of the rubric devoted to the environmental group and its value in adjusting scores to reflect risk accurately as part of a risk assessment for a medical device.
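To make the base-versus-environmental point concrete, here is an added Python example written for this page (not code from the FDA, MITRE or the rubric itself) that implements the published CVSS v3.1 base, temporal and environmental equations and re-scores a constructed device vulnerability. Scored generically, the flaw is Medium; once the deploying hospital records that the device's integrity and availability bear on patient safety (IR:H, AR:H) and that loss of function is a full outage in its clinical use (MA:H), the same flaw scores High. The vector and the environmental settings are assumptions for illustration; the weights and formulas are those of the FIRST v3.1 specification.

```python
"""CVSS v3.1 base, temporal and environmental scoring.

Added example: the equations and metric weights are those published in the
FIRST CVSS v3.1 specification; the medical-device vector and the hospital's
environmental settings below are constructed for illustration and are not
taken from the FDA/MITRE rubric.
"""
import math

# Metric weights (CVSS v3.1 specification, section 7.4).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {False: {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
      True: {"N": 0.85, "L": 0.68, "H": 0.5}}     # scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
EXPLOIT_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
REQUIREMENT = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}   # CR / IR / AR weights


def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/AC:L/...' into a metric -> value dict."""
    head, *metrics = vector.split("/")
    if head != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are supported")
    return dict(m.split(":", 1) for m in metrics)


def roundup(x):
    """Round up to one decimal the way v3.1 specifies (integer arithmetic avoids float drift)."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def _impact(iss, scope_changed, modified=False):
    if not scope_changed:
        return 6.42 * iss
    if modified:  # the environmental equation has a different tail term in v3.1
        return 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15


def _exploitability(av, ac, pr, ui, scope_changed):
    return 8.22 * AV[av] * AC[ac] * PR[scope_changed][pr] * UI[ui]


def _combine(impact, exploitability, scope_changed):
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if scope_changed else total, 10))


def base_score(vector):
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    return _combine(_impact(iss, changed),
                    _exploitability(m["AV"], m["AC"], m["PR"], m["UI"], changed), changed)


def _temporal_multiplier(m):
    return (EXPLOIT_MATURITY[m.get("E", "X")] * REMEDIATION[m.get("RL", "X")]
            * CONFIDENCE[m.get("RC", "X")])


def temporal_score(vector):
    return roundup(base_score(vector) * _temporal_multiplier(parse_vector(vector)))


def environmental_score(vector):
    """Re-score with the deployer's requirements (CR/IR/AR) and modified base metrics (M*)."""
    m = parse_vector(vector)

    def mod(name):  # a modified metric that is X (or absent) falls back to the base value
        v = m.get("M" + name, "X")
        return m[name] if v == "X" else v

    changed = mod("S") == "C"
    miss = 1 - ((1 - REQUIREMENT[m.get("CR", "X")] * CIA[mod("C")])
                * (1 - REQUIREMENT[m.get("IR", "X")] * CIA[mod("I")])
                * (1 - REQUIREMENT[m.get("AR", "X")] * CIA[mod("A")]))
    miss = min(miss, 0.915)
    inner = _combine(_impact(miss, changed, modified=True),
                     _exploitability(mod("AV"), mod("AC"), mod("PR"), mod("UI"), changed), changed)
    return roundup(inner * _temporal_multiplier(m))


def severity(score):
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed scenario: a flaw reachable only from the adjacent network that lets an
# unauthenticated party alter and interrupt the device's function; scored generically,
# the integrity and availability impacts are both Low.
DEVICE_BASE = "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
# The hospital's assumed environmental view: integrity and availability of this device
# bear on patient safety (IR:H, AR:H), loss of function is a full outage in its clinical
# use (MA:H), and confidentiality barely matters (CR:L).
DEVICE_ENV = DEVICE_BASE + "/CR:L/IR:H/AR:H/MA:H"

if __name__ == "__main__":
    for label, fn, vec in (("base", base_score, DEVICE_BASE),
                           ("environmental", environmental_score, DEVICE_ENV)):
        s = fn(vec)
        print(f"{label:>13}: {s} ({severity(s)})  {vec}")
```

On this input the base score is 5.4 (Medium) and the environmental score is 8.6 (High); nothing about the flaw changed, only the deployer's statement of what the device's integrity and availability mean in its setting. That is the adjustment the rubric asks hospitals to make, and it is why a patch queue sorted on vendor base scores alone can put a patient-safety issue behind a routine IT bug.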

OCR Issues 9th Financial Penalty Associated With the HIPAA Right of Access Initiative

The HHS' Office for Civil Rights (OCR) is continuing its drive to penalize healthcare providers that fail to comply with the HIPAA Right of Access. Last week, OCR announced its 9th enforcement action against a HIPAA-covered entity for failing to provide patients with timely copies of their medical records at a reasonable fee.

Under HIPAA, patients have the right to inspect and obtain a copy of their health records. When a request is received, HIPAA-covered entities must provide the requested copy as quickly as possible, and no later than 30 days after the request is received.

With a copy of their records, patients can share them with the healthcare providers, research institutions or individuals of their choice, review them for errors and request corrections. And if a ransomware attack makes a provider's records inaccessible, patients who hold their own copies know their health information is not lost.

Under the HIPAA Right of Access Initiative, OCR investigates complaints from individuals who have been denied access to their medical records or have experienced delays in obtaining copies. Where the right of access is found to have been violated, financial penalties are imposed; the aim is to encourage compliance by making noncompliance costly.

The latest penalty was imposed on NY Spine, a private medical practice with offices in New York and Miami specializing in pain management and neurology. In July 2019, OCR received a complaint from a patient who had sent NY Spine multiple requests for a copy of her protected health information (PHI) in June 2019.

NY Spine had responded to the requests but provided only some of her records, omitting the diagnostic films she had specifically requested. It took OCR's involvement for NY Spine to release them, and the patient finally received a complete copy of the requested records in October 2020, 16 months after her first request.

NY Spine agreed to settle the case by paying OCR $100,000 and to adopt a two-year corrective action plan under OCR monitoring.

OCR Director Roger Severino said no one should have to wait more than a year for copies of their health records; HIPAA gives patients the right to timely access, and OCR will keep enforcing the right of access until covered entities get the message.

CISA Publishes Telework Toolkit to Help Organizations Move to a Long-Term Telework Environment

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released a Telework Essentials Toolkit to help business leaders, IT staff and end users transition to long-term telework.

The COVID-19 pandemic forced organizations to switch rapidly from a predominantly office-based workforce to having almost all staff work from home to reduce the risk of infection. The speed of that change may have introduced security gaps that weakened organizational cyber defenses. The CISA toolkit is intended to help organizations re-examine and strengthen those defenses as they move to a permanent telework arrangement.

The toolkit has three modules, covering best practices for executive leaders, IT professionals and teleworkers, each detailing the security considerations relevant to that role.

Executive leaders are given guidance on driving cybersecurity strategy and investment and building a cyber-secure hybrid environment. Resources help leaders establish organizational policies and procedures for remote work, provide cybersecurity training to raise awareness of the threats and risks of exposing organizational systems and data over a network, and manage the move of organizational resources outside the traditional perimeter, where they are no longer covered by the organization's monitoring and response capabilities. Leaders are also advised to reinforce the basics of cyber hygiene with employees and to communicate cybersecurity policies clearly and regularly.

The guidance for IT professionals focuses on the policies, processes and tools needed to ensure teleworkers can do their jobs and access the resources they need over the network. It stresses prompt patching and effective vulnerability management, the need for a zero trust architecture, regular data backups, multi-factor authentication, and DMARC validation to counter phishing and business email compromise in remote working conditions. IT leaders should also specify the tools and software to be used when working remotely and train staff to use them securely.

Everyone has a role in the shift from short-term to long-term remote work, including end users. The third module addresses teleworkers, recommending steps for working securely from home: ensuring home networks are correctly configured and hardened, following organizational security policies and procedures, staying alert to phishing and social engineering, and promptly reporting anything suspicious to the IT security team.

The CISA Telework Essentials Toolkit is available for download from CISA.

Anthem Inc. Pays $48.2 Million in Fines to Settle Multi-State Lawsuits

Indianapolis, IN-based health insurer Anthem Inc. has resolved the multi-state lawsuits filed by state attorneys general over its 2014 data breach of 78.8 million records. A $39.5 million settlement was reached with the attorneys general of 41 states and Washington D.C., and a separate $8.7 million settlement with the California Attorney General. The settlements resolve alleged violations of federal and state laws in connection with the largest healthcare data breach in United States history.

The attack on Anthem took place in 2014. The hackers targeted the insurer with phishing emails; responses to those emails gave the attackers a foothold, after which they had access to Anthem's network for months and exfiltrated data from its customer databases. The stolen information included the names, contact details, dates of birth, Social Security numbers and health insurance ID numbers of current and former health plan members and employees. Anthem announced the breach in February 2015. A Chinese national and an unnamed accomplice were later charged in connection with the attack.

A breach of that magnitude naturally drew the attention of the HHS' Office for Civil Rights (OCR), whose investigation uncovered several potential HIPAA violations. Anthem settled the HIPAA case with OCR for $16 million in October 2018, which remains the largest financial penalty ever imposed on a covered entity or business associate for HIPAA violations.

Numerous lawsuits were filed on behalf of breach victims over the stolen protected health information (PHI); Anthem settled the consolidated class action for $115 million in 2018.

State attorneys general investigated the breach to determine whether HIPAA and state laws had been violated, and the multi-state investigation took five years to conclude. In total, Anthem has now paid $179.2 million to resolve lawsuits and legal actions arising from the 2014 attack.

In addition to the $48.2 million in penalties, Anthem agreed to a number of corrective actions to strengthen its data security. These include implementing a comprehensive information security program based on zero trust architecture principles, with regular security reports to the board of directors and prompt reporting of significant security incidents to the CEO.

Anthem has implemented network segmentation, data encryption, multi-factor authentication, access controls, and logging and monitoring of information system activity; it conducts regular penetration tests and security risk assessments and provides routine security awareness training to staff. The corrective action plan also requires third-party security audits and assessments for three years, with the findings reported to an independent assessor.

In a statement on the settlements, Anthem said it does not admit liability and noted that no evidence has been found of the stolen data being used for fraud or identity theft.

California Attorney General Xavier Becerra said that when people must disclose sensitive personal information to health insurers, those companies are obliged to protect it, and Anthem failed in that obligation to its customers. Anthem's inadequate security and oversight affected many Americans, and it is now paying millions as a result.

Member of The Dark Overlord Hacking Group Sentenced to 5 Years in Prison

The U.S. Department of Justice has announced that a member of the notorious hacking group The Dark Overlord has been sentenced to 5 years in prison and ordered to pay $1.4 million in restitution.

The Dark Overlord hacking group began attacking U.S. institutions in 2016. The hackers acquired access to the systems of organizations through brute force attacks on Remote Desktop Protocol, and then stole information from victim firms and threatened to peddle the stolen data files on criminal marketplaces in case there is no ransom payment. The cybercriminals asked for ransom payments of $75,000 to $350,000 in Bitcoin and released several threats in case there is no ransom payment. In several situations, people in the victim organizations got personal threats along with their loved ones through email, phone, and SMS.
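The initial access technique described above, password guessing against an exposed RDP service, leaves a characteristic trail in the Windows Security log: a burst of failed logons (event 4625 with LogonType 10, RemoteInteractive) from one source address, sometimes followed by a successful logon (event 4624) from the same source. The following detector is an added example written for this article, not code from the Department of Justice announcement or from any victim organization. It runs over constructed sample records whose field names mirror the real event fields; the records, the source addresses, and the threshold and window values are illustrative assumptions.

```python
"""Flag RDP password guessing that ends in a successful logon.

Added example for this article, not code from the DOJ release or from any
victim organization. Runs over constructed records shaped like Windows
Security events 4625 (failed logon) and 4624 (successful logon) with
LogonType 10 (RemoteInteractive, i.e. RDP). Field names mirror the real
events; the records themselves are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.9 sprays an RDP endpoint and finally guesses
# the 'vendor' password; 198.51.100.4 is a legitimate user mistyping once.
SAMPLE_EVENTS = [
    {"time": "2016-06-14T02:00:01", "id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "admin"},
    {"time": "2016-06-14T02:00:09", "id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "administrator"},
    {"time": "2016-06-14T02:00:17", "id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "rdp"},
    {"time": "2016-06-14T02:00:25", "id": 4625, "logon_type": 3, "src": "203.0.113.9", "user": "admin"},  # network logon, not RDP
    {"time": "2016-06-14T02:00:26", "id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "backup"},
    {"time": "2016-06-14T02:00:34", "id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "vendor"},
    {"time": "2016-06-14T02:00:45", "id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "admin"},
    {"time": "2016-06-14T02:01:10", "id": 4624, "logon_type": 10, "src": "203.0.113.9", "user": "vendor"},
    {"time": "2016-06-14T02:03:00", "id": 4625, "logon_type": 10, "src": "198.51.100.4", "user": "jsmith"},
    {"time": "2016-06-14T02:03:20", "id": 4624, "logon_type": 10, "src": "198.51.100.4", "user": "jsmith"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for every source that produced at least
    `threshold` failed RDP logons inside a sliding `window`. The alert also
    records the account names tried and whether a successful RDP logon from
    the same source followed the burst (the brute-force-then-success pattern).
    Threshold and window are illustrative; tune them per environment."""
    recent = defaultdict(deque)   # src -> timestamps of RDP failures inside the window
    tried = defaultdict(set)      # src -> account names attempted over RDP
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        t, src = parse_time(ev["time"]), ev["src"]
        if ev["id"] == 4625:
            tried[src].add(ev["user"])
            q = recent[src]
            q.append(t)
            while q and t - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "failures": 0, "users": tried[src],
                    "success_after_burst": False, "compromised_user": None,
                })
                alert["failures"] = max(alert["failures"], len(q))
        elif ev["id"] == 4624 and src in alerts:
            # A success from a source already flagged for guessing is the
            # high-priority signal: the guessed account should be treated as compromised.
            alerts[src]["success_after_burst"] = True
            alerts[src]["compromised_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, alert)
```

On a real host the records would come from the Security log via Windows Event Forwarding or a SIEM export. The detection is only a backstop: an RDP endpoint reachable from the internet without MFA or a VPN in front of it is the underlying problem, whether or not the guessing is noticed.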

The Dark Overlord’s victims included accounting firms, healthcare organizations and other businesses. Healthcare victims included Swansea, IL-based Quest Records, Farmington, MO-based Midwest Orthopedic Group, Athens, GA-based Athens Orthopedic Clinic, and Prosthetics & Orthotics Care in St. Louis. The HHS’ Office for Civil Rights recently fined Athens Orthopedic Clinic $1.5 million for HIPAA violations uncovered during its investigation of The Dark Overlord attack.

British national Nathan Wyatt, 39, was arrested by UK police in September 2016 in connection with the hacking of the iCloud account of Pippa Middleton, the sister of the Duchess of Cambridge. Around 3,000 photos were stolen and the hacker demanded a £50,000 ransom. He was released, but was later charged with 20 counts of fraud by false representation, two counts of blackmail, and one count of possessing an identity document with intent to deceive. One of the offences was the blackmail of a UK law firm carried out in the name of The Dark Overlord. Wyatt was sentenced to 3 years in prison in the UK for those crimes.

In November 2017, Wyatt was indicted by a federal grand jury for his involvement in The Dark Overlord attacks on five U.S. organizations, and in December 2019 he was extradited to the United States, where he has remained in custody.

Wyatt was charged with 6 counts: one count of conspiracy, two counts of aggravated identity theft, and three counts of threatening to damage a protected computer. Under a plea agreement, Wyatt pleaded guilty to the conspiracy count in exchange for the dismissal of the remaining five counts.

Wyatt admitted being a member of The Dark Overlord hacking group. He also admitted that he and his co-conspirators obtained sensitive data from victim organizations, including patient health information, and threatened to release or sell the data if no ransom was paid.

The Department of Justice said that Wyatt did not direct the attacks and was not a leader of the group. His role was to create, verify and maintain the payment, virtual private network and communication accounts used in the scheme to deliver threatening and extortionate messages to victims.

U.S. District Judge Ronnie White of the Eastern District of Missouri sentenced Wyatt to 5 years in prison, with credit for time served, and ordered him to pay $1,467,048 in restitution to the victim organizations.

Nathan Wyatt used his technical skills to target the private data of Americans and exploit the sensitive nature of their medical and financial information for his own personal gain. Acting Assistant Attorney General Brian C. Rabbitt of the Department of Justice Criminal Division said that the guilty plea and sentence demonstrate the department’s commitment to ensuring that attackers who seek to profit by illegally invading the privacy of Americans will be found and held accountable, wherever they may be located.

Athens Orthopedic Clinic Pays $1.5 Million Financial Penalty for Systemic Noncompliance with HIPAA

The HHS’ Office for Civil Rights has announced a settlement with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR investigated a data breach that the Athens, GA-based healthcare provider reported on July 29, 2016. On June 26, 2016, Dissent of DataBreaches.net notified Athens Orthopedic Clinic that a database containing the electronic protected health information (ePHI) of its patients had been listed for sale online by the hacking group known as The Dark Overlord. The group is known for breaking into systems, stealing data and issuing ransom demands; if no payment is made, the stolen data is posted for sale.

Athens Orthopedic Clinic investigated the breach and determined that the hackers had gained access to its systems on June 14, 2016 using a vendor’s credentials and had copied data from its EHR system. The data of 208,557 patients was compromised, including names, Social Security numbers, dates of birth, procedures performed, test results, clinical information, billing details and health insurance information.

OCR accepts that it is impossible to prevent every cyberattack; however, when a data breach results from a failure to comply with the HIPAA Rules, a financial penalty is appropriate.

Hacking is the leading cause of large healthcare data breaches. When healthcare organizations fail to comply with the HIPAA Security Rule, their patients’ health records become an attractive target for cybercriminals.

OCR’s investigation of the breach identified the following systemic noncompliance with the HIPAA Rules.

Athens Orthopedic Clinic had not conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Security measures had not been implemented to reduce risks to ePHI to a reasonable and appropriate level, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B).

From September 30, 2015 to December 15, 2016, Athens Orthopedic Clinic failed to implement hardware, software and procedural mechanisms to record and examine information system activity, in violation of 45 C.F.R. § 164.312(b).

The clinic did not implement HIPAA policies and procedures until August 2016, in violation of 45 C.F.R. § 164.530(i) and (j), and before August 7, 2016 it had not entered into business associate agreements with three vendors, in violation of 45 C.F.R. § 164.308(b)(3).

Before January 15, 2018, Athens Orthopedic Clinic had not provided HIPAA Privacy Rule training to its entire workforce, in violation of 45 C.F.R. § 164.530(b).

As a result of these failures, Athens Orthopedic Clinic did not prevent hackers from gaining unauthorized access to the ePHI of 208,557 patients, in violation of 45 C.F.R. § 164.502(a).

In addition to the financial penalty, Athens Orthopedic Clinic has agreed to a corrective action plan covering all areas of noncompliance identified in the OCR investigation. The clinic settled the case with no admission of liability.

This is OCR’s sixth HIPAA settlement announced in September and the ninth HIPAA penalty of 2020. Before this month, OCR had announced five settlements with HIPAA-covered entities under its HIPAA Right of Access initiative for failing to provide patients with copies of their health records.

Court of Appeals Dismissed Express Scripts HIPAA-Based Lawsuit

In 2019, five independent pharmacies filed a lawsuit against Express Scripts alleging misuse of patient data in violation of HIPAA.

Express Scripts is the largest pharmacy benefits manager in the United States and operates its own retail pharmacies and mail-order pharmacy service. The five independent pharmacies had joined the Express Scripts network and were required to submit complete claims to Express Scripts for processing and payment before dispensing drugs. The claims had to include details of the medications together with the pharmacies’ customers’ contact information.

In the lawsuit, the pharmacies claimed that Express Scripts had breached its contract and the implied covenant of good faith and fair dealing, and in doing so had violated HIPAA and the HITECH Act. The pharmacies had to provide Express Scripts with information about their customers, which they alleged was then used to move those customers to Express Scripts’ own mail-order service. The pharmacies argued that the information was not needed to verify coverage or process reimbursement.

The pharmacies stated that Express Scripts was using their confidential customer information without consent to transfer their customers to its own mail-order service, when Express Scripts should only use the data to verify customers’ coverage and to reimburse the pharmacies. The pharmacies also alleged that the pharmacy benefits manager had engaged in unfair competition and disclosed the pharmacies’ trade secrets to its affiliates in order to poach the pharmacies’ customers.

The district court dismissed the lawsuit, finding that the information provided was not protected and that the contracts the pharmacies had signed with Express Scripts permitted the pharmacy benefits manager to offer mail-order prescription arrangements without breaching any covenant of good faith. The district court also ruled that the pharmacies could not sue for a HIPAA violation because there is no private right of action under HIPAA.

In their appeal against the district court’s dismissal, the pharmacies argued that the dismissal for lack of standing was wrong because they were not seeking to bring a claim for a HIPAA violation. They also asked the appeals court to set aside the lower court’s alternative reasoning that HIPAA permits only the pharmacies’ customers, not the pharmacies, to authorize the use of their protected health information. Express Scripts contended that even if a claim could be brought under HIPAA, the pharmacies had not alleged sufficient facts to show past or ongoing HIPAA violations.

The pharmacies further argued in their appeal that Express Scripts was only entitled to receive information after claims had been processed, and that the collection of customer details was unnecessary and served only Express Scripts’ own interests.

The 8th U.S. Circuit Court of Appeals affirmed the lower court’s decision that a HIPAA violation cannot be the basis of a lawsuit, that the information provided to Express Scripts was not protected, and that the terms of the pharmacies’ agreements with Express Scripts permitted the pharmacy benefits manager to offer mail-order prescription arrangements to the pharmacies’ customers. The contracts signed by the pharmacies stated that they agreed to partner with Express Scripts in managing their customers’ benefits, and mail service delivery, including via Express Scripts’ own service, counts as a benefit offered to any member.

The Court of Appeals also upheld the lower court’s dismissal of the pharmacies’ attempted monopolization claim, noting that the pharmacies had failed to plead enough facts to meet their “burden of alleging a pertinent market so as to point out a possible antitrust claim.”

Potential Legal Action Against Hennepin County Medical Center Due to Employees Snooping on George Floyd’s Health Records

Hennepin County Medical Center in Minneapolis may face legal action following the discovery that several employees snooped on the medical records of George Floyd. Attorney Antonio Romanucci of the Chicago law firm Romanucci & Blandin said he had been notified that some Hennepin County Medical Center employees accessed George Floyd’s medical records on several occasions without a legitimate reason to do so, a clear violation of hospital policy and the Health Insurance Portability and Accountability Act (HIPAA).

Lawyers representing Hennepin County Medical Center informed George Floyd’s family that certain employees had inappropriately accessed records relating to George Floyd. No details were disclosed about the types of records accessed, the individuals involved, or their roles at Hennepin County Medical Center.

Attorney Antonio Romanucci and Floyd’s legal team told the Star Tribune in a statement that they are currently exploring all available options to make the situation right for the entire family after this unbelievable invasion of privacy, and that the privacy of health records and personal information is of vital importance in Minnesota and across the country.

George Floyd’s family have not yet decided whether to take legal action against Hennepin County Medical Center. No subpoenas have yet been issued to obtain further details from Hennepin County Medical Center about the number of people involved and the types of data accessed.

Regarding the privacy breach, Hennepin Healthcare said that the medical center takes any breach of patient confidentiality seriously and investigates it thoroughly. It declined to comment further, citing patient confidentiality. Hennepin Healthcare also said that the individuals who snooped on George Floyd’s protected health information (PHI) are no longer employed by Hennepin County Medical Center. It is not clear whether they were dismissed or resigned voluntarily.

Poll Reveals Consumers Do Not Know the Extent of the Collection and Use of Consumer-Generated Data by Insurance Providers

Health insurers are collecting online information about consumers and using it to estimate an individual’s likely healthcare costs. Consumer-generated data is collected and used to build profiles, which may in turn be used to set premiums.

Consumer-generated data is distinct from protected health information (PHI); it relates to a person’s lifestyle, interests and attitudes and comes from a variety of public and private sources. Health insurers may search online sources for data or purchase it from data brokers. Some data brokers actively market their data to insurers, claiming it captures social determinants of health such as online shopping habits, memberships of organizations, TV streaming patterns and content posted on social networks. The data is combined, and algorithms can be applied to predict the likely cost of insuring a person.

In 2018, ProPublica highlighted what health insurers and their business associates do with consumer-generated data. The general public remains largely unaware of the extent to which this data is collected and used.

MITRE recently commissioned a Harris Poll to examine attitudes toward the use of consumer-generated data. The poll was conducted in June 2020 with 2,065 U.S. participants.

The poll found that consumers are largely unaware of the extent to which their data is being collected and used, and of the kinds of information health insurers and employers may know about them. 89% of respondents did not think health insurers knew about their online shopping and streaming habits, even though this data is being collected and used.

Most respondents consider the use of personal data by employers and health insurers acceptable, but only for specific purposes. 60% of respondents considered it acceptable for their insurer to use personal data to develop health promotion programs, and 54% considered it acceptable for employers to do the same. However, 66% of respondents said it was not acceptable for an employer or health insurer to collect or buy outside data about their employees or plan members.

The poll results show a substantial gap between what people think insurers and employers know about them and what those organizations actually know. Americans need to be better informed about how third parties obtain and use their consumer-generated data, and companies have a responsibility to tell consumers about the data they collect from third parties.

There is already widespread resignation about digital privacy. 77% of respondents said there is no such thing as data privacy. Respondents said they would be willing to give up personal data if they got something in return, such as better security (65%) or convenience (48%).

Although 70% of respondents believe that sharing personal health data to prevent the spread of disease is a responsibility, the same respondents seemed reluctant to share their own information for that purpose. When asked whether they would contribute personal data to a nationwide database to combat the spread of COVID-19, only 44% said they would. 36% said they would share temperature data, 29% would share their location, and just 25% would share details of chronic illnesses.

When it comes to sharing data, there is distrust of social networks. 59% of respondents said they were not comfortable sharing any PHI with a social media platform, although consumers may still disclose health information on those networks.

Companies may have good intentions and use the data productively in ways that ultimately benefit consumers’ health. Consumers can nonetheless be harmed when data is used incorrectly or unethically.

MITRE has created an Ethical Framework for Using Consumer-Generated Data in Health Care which sets ethical values, guidelines, and recommendations to assist in the usage of consumer-generated information for healthcare reasons.

The framework is meant to guide companies seeking to establish policies that promote the ethical usage of consumer-generated information for healthcare reasons and to propel companies to talk about the ethical risks of utilizing machine learning systems to evaluate consumer-generated information and create suitable governance processes to support the ethical usage of those systems.

Download the framework from MITRE here.

GitHub Healthcare Data Leaks Impact Credentials, Company Data and 150,000+ Patients’ PHI

A new report has revealed that patients’ personal and protected health information (PHI) and other sensitive data were exposed on the internet through public GitHub repositories, without the knowledge of the covered entities and business associates concerned.

Dutch security researcher Jelle Ursem discovered that at least nine U.S. entities, including HIPAA-covered entities and business associates, were leaking sensitive data through GitHub. The nine leaks involved around 150,000 to 200,000 patient records. Scanning for exposed data was halted so that the affected entities could be contacted and a report written to highlight the risk to the healthcare community.

Even if your healthcare provider does not use GitHub, you may still be affected: the actions of a single employee or third-party contractor may have allowed unauthorized individuals to access sensitive data.

PII and PHI in Public GitHub Repositories Exposed

Jelle Ursem had identified many data leaks on GitHub in the past, some involving Fortune 500 companies, publicly traded firms and government institutions. Ursem ran a search to find out whether medical data was also being leaked on GitHub. Within 10 minutes he had confirmed that it was, and that it was not an isolated case.

Ursem ran queries such as “medicaid password FTP” and “companyname password” and found numerous hard-coded usernames and passwords uploaded to GitHub. He was able to use those credentials to sign in to Google G Suite and Microsoft Office 365 accounts and access a range of sensitive data, including user information, contracts, activities, internal records, group chats and patients’ PHI. GitHub search is a powerful reconnaissance tool for attackers precisely because so much leaked company data can be found there.

Ursem tried to contact the affected companies to notify them of the exposed data and get it secured, but getting a response proved difficult, so he approached DataBreaches.net.

DataBreaches.net’s Dissent Doe and Ursem then attempted to contact and notify the companies involved. With some they succeeded; others still have data exposed.

9 Data Leaks Identified

According to the report, the U.S. entities affected by the leaks were MedPro Billing, Xybion, Texas Physician House Calls, MaineCare, VirMedica, Waystar, AccQData, Shields Health Care Group, and one entity that is not being named because its data remains accessible.

The common causes of the GitHub data leaks were:

  • Developers committing hard-coded credentials to public GitHub repositories
  • Use of public repositories instead of private ones
  • Developers abandoning repositories rather than deleting them when they were no longer needed

For example, Ursem found that a developer at Xybion had left hard-coded credentials in a public GitHub repository in February 2020. Those credentials gave Ursem access to Xybion’s billing back-office systems, which contained the PHI of 7,000 patients and more than 11,000 insurance claims going back to October 31, 2018.

The same happened with MaineCare. Leaked hard-coded credentials gave Ursem administrative access to the website, its internal server infrastructure, the MaineCare SQL data sources, and the PHI of 75,000 individuals.
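Each of the leaks above began with a credential committed to a repository, which is the one mistake a pre-commit hook or CI check can catch before the push ever happens. The scanner below is an added example written for this article, not code from the Ursem/DataBreaches.net report or from any of the named organizations. It runs over a constructed in-memory repository rather than a real checkout, and its regular expressions and placeholder allowlist are illustrative assumptions, not a complete secret-scanning ruleset. The AWS access key in the sample is the example value that appears in AWS’s own documentation.

```python
"""Find hard-coded credentials before they are pushed.

Added example for this article, not code from the report or from any of
the organizations it names. SAMPLE_REPO is a constructed, in-memory stand-in
for a checkout; the patterns and allowlist are illustrative assumptions.
"""
import re

# Credential shapes that show up in leaked repositories. group(1) is always
# the sensitive value so it can be redacted in the finding.
PATTERNS = {
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pass|pwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']?([^\"'\s;,]{6,})"),
    "connection_string": re.compile(
        r"(?i)\b(?:mysql|postgres(?:ql)?|mssql|sqlserver|mongodb|ftp|sftp)://[^:\s/]+:([^@\s/]+)@"),
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key": re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"),
}

# Values that are clearly placeholders or environment lookups, not secrets.
# Applied only to password-style assignments; keys and headers are never placeholders.
PLACEHOLDERS = ("changeme", "password", "xxxx", "<", "${", "os.environ", "getenv", "env(")

# Constructed sample repository (paths and contents are made up for this example).
SAMPLE_REPO = {
    "config/db.php": '<?php\n$db_host = "db.internal.example";\n$db_user = "billing";\n$db_pass = "Medicaid2018!";\n',
    "scripts/upload.sh": "#!/bin/sh\n# nightly claims push\ncurl -T claims.csv ftp://medicaid_ftp:Sup3rS3cret@ftp.example.test/claims/\n",
    "app/settings.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\nADMIN_PASSWORD = "changeme"\nAWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "keys/deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Set the password in the admin console; never commit it.\n",
}


def is_placeholder(value):
    v = value.lower()
    return any(p in v for p in PLACEHOLDERS)


def redact(value):
    """Keep two characters so a reviewer can recognise the finding without the log becoming a second leak."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def scan_files(files):
    """files: {path: text}. Returns one finding per (line, pattern) match,
    each as {"path", "line", "kind", "evidence"} with the value redacted."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, rx in PATTERNS.items():
                m = rx.search(line)
                if not m:
                    continue
                value = m.group(1)
                if kind == "password_assignment" and is_placeholder(value):
                    continue
                findings.append({"path": path, "line": lineno, "kind": kind, "evidence": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['evidence']})")
```

A check like this inspects only the files it is given, which in a hook means the working tree at commit time. A secret that was ever committed remains in git history after the file is deleted, and a repository that has been cloned, as the report says happened in at least one case, cannot be un-leaked by making it private. Any credential that has reached a public remote should therefore be treated as compromised and rotated, not merely removed.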

The Typhoid Mary of Data Leaks

The report focused on one developer whose GitHub practices affected a large number of the healthcare companies that had engaged them. The credentials and PHI of around 200,000 people were exposed, earning the developer the label “Typhoid Mary of Data Leaks.”

The developer made many mistakes that led to the exposure of client data on GitHub, including leaving the credentials of five employers fully accessible in GitHub repositories after the work was finished. In one case, the developer’s actions allowed access to a large debt collection agency’s central telephone system and to highly sensitive data about individuals with a history of substance abuse.

Although it was not possible to contact that person directly, the message from DataBreaches.net and Ursem appears to have reached the developer: the repositories have since been removed or made private, but not before at least one third party had cloned the data.

This developer was just one of several outsourced or contracted developers whose practices exposed data without the knowledge of the HIPAA-covered entities and business associates concerned.

The joint report by Jelle Ursem and DataBreaches.net details how the leaks occurred and why they went unnoticed for so long, and offers a number of recommendations for preventing data leaks on GitHub and responding quickly when they occur.

Data Breaches at Behavioral Health Network and Rite Aid Corporation

Behavioral Health Network (BHN), a provider of behavioral health services in Western Massachusetts, has reported a malware attack that rendered files on its computer systems inaccessible.

BHN became aware of the attack on May 28, 2020 when staff were unable to access files. An investigation was launched immediately to determine the scope of the attack and whether the attacker had exfiltrated data. On or around July 17, 2020, BHN confirmed that an unauthorized person had accessed its systems on May 26, two days before the malware was deployed.

Investigators could not confirm that data was stolen before the malware was deployed, but the possibility could not be ruled out. To date, BHN has received no reports of misuse of patient data.

A review of the affected systems confirmed the potential exposure of the protected health information (PHI) of 129,571 current and former patients. The attacker may have accessed names, addresses, dates of birth, health insurance claim information and/or medical, diagnosis and treatment records, and Social Security numbers.

As a precaution, BHN has offered affected patients free credit monitoring and identity theft protection services. To prevent similar breaches, the provider has reviewed its policies and procedures, given staff additional privacy and security training, and implemented further safeguards against unauthorized system access.

Potential Exposure of PHI of 9,200 Rite Aid Clients

Rite Aid Corporation has reported that the PHI of 9,200 customers was potentially compromised during the civil unrest in May. Several Rite Aid pharmacies were broken into on and after May 27. The intruders took filled prescriptions that were awaiting collection, along with hard copies of prescription records containing customer information such as names, addresses and details of the medications prescribed.

Rite Aid was not alone: Walmart, Walgreens, Cub, CVS and Kroger pharmacies also suffered break-ins and burglaries.

Breaches at Ashley County Medical Center and San Antonio Hospital

Ashley County Medical Center has discovered that a former employee, a nurse, accessed the healthcare records of 722 patients without authorization.

Ashley County Medical Center launched an investigation into the HIPAA violation and found that the nurse had only viewed some patient information, and that the access was unrelated to patient care or treatment. Ashley County Medical Center believes that no patient data was disclosed to a third party and that the employee did not access the information with the intent to misuse it; the medical center believes the records were viewed out of curiosity.

In line with Ashley County Medical Center’s sanctions policy for unauthorized medical record access, the nurse was terminated.

ACMC Chief Executive Officer Phillip Gilmore said that the organization treats patient privacy as a very serious matter and that anyone who fails to keep patient information secure will face disciplinary action. ACMC has taken the necessary steps in response to the incident, including reporting the employee’s conduct, notifying all patients whose information was exposed, remaining vigilant in monitoring and safeguarding patient data, and providing further training to its employees.

Data of San Antonio Hospital Patients Exposed Over the Web

The protected health information (PHI) of 1,237 patients of Foundation Surgical Hospital of San Antonio was accidentally exposed online.

On January 29, 2020, the Texas-based hospital published a link on its website to a file that was meant to show its average charges; instead, the linked file listed patient names, patient account numbers, diagnosis codes, procedure dates, amounts billed and paid, and whether the charges had been settled, were outstanding, or had been written off. After being alerted to the wrong file, the hospital removed the link on May 27, 2020.

President Trump Approves Executive Order for Expanding Telehealth Services

On August 3, 2020, President Trump signed an executive order intended to give the 57 million Americans living in underserved rural communities access to telehealth services. The Improving Rural Health and Telehealth Access executive order is intended to ensure that the expansion of telehealth services prompted by the COVID-19 pandemic continues after the nationwide public health emergency ends.

In 2019, Medicare began covering virtual check-ins with physicians to determine whether a face-to-face consultation was necessary; the pandemic then brought a major expansion of access to virtual visits to help curb the spread of COVID-19. Geographic restrictions were lifted and telehealth services were made available to Medicare beneficiaries nationwide. The Centers for Medicare and Medicaid Services (CMS) also added 135 services to the list of virtual services covered by Medicare.

CMS figures show that virtual visits by telephone or video rose to around 1.7 million a week by the end of April, compared with just 14,000 a week before COVID-19. Between mid-March and mid-July, while telehealth restrictions were relaxed, 10.1 million Medicare beneficiaries received a telehealth visit. Although the number of virtual visits fell in May as face-to-face visits resumed, it remained high, indicating that patients are satisfied with virtual care.

People living in rural areas are more likely to die from the top five causes of death in the United States than people living in urban areas, and the gap widened between 2010 and 2017. Before the pandemic, telehealth was not widely used; the pandemic changed that. The executive order aims to improve the access, quality and affordability of healthcare in rural areas, including expanding access to high-quality care through telehealth.

President Trump also directed officials to produce, within 30 days, a plan to invest in communications infrastructure to improve healthcare in rural areas. Within the same 30 days, the HHS Secretary is to propose a new payment model to ensure that rural communities receive the required level and quality of care from rural providers. Under the new model, rural providers will be given greater flexibility under Medicare rules, and the model will establish predictable financial payments and encourage the transition to high-quality, value-based care. The HHS Secretary will also submit a report on policy initiatives to increase access to rural healthcare by removing regulatory burdens that limit the availability of clinicians, prevent disease and mortality through rural-specific efforts to improve health outcomes, reduce maternal mortality, and improve mental health in rural areas.

Shortly after the executive order was signed, CMS announced proposed changes that would permanently extend telehealth services to Medicare beneficiaries. The proposed CMS rule also includes a multi-year effort to reduce the burden on clinicians under its Patients Over Paperwork initiative and to ensure appropriate reimbursement for the time physicians spend with patients. CMS is also proposing that Medicare continue to pay for some of the additional services covered during the public health emergency, such as virtual visits for certain evaluation and management services and several services for patients with cognitive impairment.

CMS is seeking public comment on which services Medicare should continue to cover after the public health emergency ends. CMS also wants to continue telehealth coverage for emergency department visits to give the industry time to assess whether they should be made permanent. CMS will accept comments on the proposed changes until October 5, 2020.

CMS Administrator Seema Verma said that telemedicine cannot replace face-to-face care, but it can complement and enhance it by giving clinicians one more powerful tool to offer America’s seniors greater access and choice. The Trump Administration’s unprecedented expansion of telemedicine during the pandemic represents a shift in healthcare delivery that was adopted quickly and effectively by the healthcare system.

OCR Issues $1 Million HIPAA Penalty on Lifespan Because of Lack of Encryption and Other HIPAA Failures

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) after determining that the entity was systemically noncompliant with the HIPAA Rules.

Lifespan is a not-for-profit health system based in Rhode Island with numerous healthcare provider affiliates within the state. Lifespan Corporation filed a breach report with OCR on April 21, 2017, concerning the theft of an unencrypted laptop computer on February 25, 2017. Lifespan Corporation is Lifespan ACE’s parent company and a business associate.

The laptop had been left in an employee’s vehicle, which was broken into while parked in a public parking lot. The stolen laptop stored information including patient names, medical record numbers, prescribed medication data, and demographic data of 20,431 patients of Lifespan’s healthcare provider affiliates.

OCR investigated the breach and uncovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a range of mobile devices and had performed a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. Through that risk analysis, Lifespan ACE recognized the importance of encrypting mobile devices, including laptops, given the level of risk, yet it did not implement encryption. The failure to encrypt violated 45 C.F.R. § 164.312(a)(2)(iv).

OCR also found that Lifespan ACE had not implemented policies and procedures requiring the tracking of mobile devices with access to a network holding ePHI, nor did it maintain a comprehensive inventory of those devices, in violation of 45 C.F.R. § 164.310(d)(1).

There was also no business associate agreement (BAA) in place between Lifespan Corporation and Lifespan ACE, and Lifespan ACE had not obtained signed BAAs from its healthcare provider affiliates, in violation of 45 C.F.R. § 164.502(e).

As a result of these compliance failures, Lifespan ACE was responsible for the impermissible disclosure of the ePHI of 20,431 individuals when the laptop was stolen (see 45 C.F.R. § 164.502(a)).

Lifespan ACE agreed to settle the case, pay the financial penalty, and adopt a comprehensive corrective action plan (CAP). The CAP requires Lifespan ACE to enter into BAAs with its healthcare affiliates and parent company, create an inventory of all electronic devices, implement encryption and access controls, and review and revise its policies and procedures on device and media controls. Those policies and procedures must be distributed to the workforce, and training must be provided on the new requirements. OCR will monitor Lifespan ACE’s compliance efforts throughout the two-year CAP.

OCR Director Roger Severino stated that laptops, mobile phones, and other mobile devices get stolen every day, and that this is the unfortunate truth. Covered entities can best protect their patients’ data by encrypting mobile devices to combat identity thieves.

This is the second HIPAA penalty announced by OCR last week. On July 23, 2020, OCR announced that Metropolitan Community Health Services, also known as Agape Health Services, had been fined $25,000 for persistent, systemic noncompliance with the HIPAA Security Rule.