Attacks on Healthcare Industry Web Applications Increased by 51% in the Last Two Months

Cybersecurity company Imperva published a new report that revealed a considerable increase in attacks on healthcare industry web apps. Imperva Research Labs recorded a 51% increase in web app attacks from November 2020 to December 2020, the same period in which COVID-19 vaccines were rolled out.

Imperva SVP Terry Ray stated that 2020’s cyber activity was unmatched, with healthcare web app attacks increasing by 10% year-over-year. Each month in 2020, there was an average of 187 million web app attacks on healthcare targets. Each company monitored by Imperva encountered 498 attacks on average per month. The leading targets were based in the United States, Brazil, the United Kingdom, and Canada.

In December, Imperva Research Labs saw considerable increases in four types of attack. The biggest increase was observed in protocol manipulation attacks, which rose 76% from the previous month and were the third most popular attack type. Remote code execution / remote file inclusion attacks increased by 68%, though this type accounted for only a comparatively small number of attacks.

The most common attack type, cross-site scripting (XSS), increased by 43% from the previous month. SQL injection attacks, the second most common attack type, increased by 44% from November.

Although the number of web app attacks increased, there was a decrease in reported data breaches globally. According to Ray, a lot of organizations probably do not yet know the magnitude or effect of these attacks. For the majority of the year, healthcare was focused on making remote work possible while handling the frontline logistics of a worldwide pandemic, so researchers spent less time on threat exploration, incident response and analysis.

Healthcare companies will probably only find out the effect of those attacks after the first couple of weeks of 2021. Imperva noticed that healthcare data leakage increased by 43% in the first three days of 2021. The leakage involved unauthorized data transmission from within a company to an external recipient, which is typically the consequence of a security breach.

2020 was a difficult year, with a significant acceleration of IT transformation. Ray mentioned that in healthcare the pace of transformation was outstanding. IT projects that generally take 10 years were completed in just three, while a number of digital projects had a time frame of just weeks or months.

Although the acceleration is remarkable, it has brought risks. A lot of healthcare companies depended on third-party apps instead of creating their own because of convenience, reduced IT development risks and costs, and greater collaboration. Although third-party applications offer certain business advantages, the risks include patching only on the vendor’s timeline, identified exploits that are commonly publicized, and continual zero-day research on extensively used third-party apps and APIs.

The greater dependence on JavaScript APIs and third-party programs has created a threat landscape of complicated, automated, and opportunistic cybersecurity problems, which are hard for companies to identify and stop.

The increase in attacks is not good news; however, healthcare companies can take steps to minimize risk. Systems must be upgraded. Spending on application and data security must be increased. Instead of using point solutions to deal with every individual risk, an integrated system should be applied that can improve web performance while at the same time safeguarding against all the major web app threats.

Federal Task Force States the Likely Russian Origin of the SolarWinds Supply Chain Attack

The Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) issued a joint statement with the approval of the Trump Administration saying that Russian threat actors are behind the supply chain attack on SolarWinds Orion software.

Soon after the attack, the National Security Council organized a task force, known as the Cyber Unified Coordination Group (UCG), with the responsibility of investigating the breach. The task force is composed of the FBI, CISA, and ODNI, with the NSA in a supporting role. The task force is still assessing the extent of the security incident but has reported that an Advanced Persistent Threat (APT) actor of probable Russian origin conducted the attack.

There is plenty of evidence indicating that the attack on the SolarWinds software was part of an intelligence-gathering operation performed by Russia. Though various media outlets had earlier reported the security breach as being led by Russia, the first formal public attribution announced by the Trump administration was issued by Secretary of State Mike Pompeo and former Attorney General Bill Barr. President Trump had earlier suggested China could have been involved and has not yet commented on the attribution to Russia. Once again, Russia dismissed any involvement in the incident.

The hackers compromised the software update feature of SolarWinds Orion software and inserted a backdoor called Sunburst/Solarigate to gain remote access to the systems of institutions that downloaded the compromised program update. The investigation confirmed that the activity had been under way for 9 months, during which the systems of hundreds of institutions were affected. The attackers then selected targets of interest to compromise. In the second stage of the attack, additional malware was added and the hackers attempted to get access to victims’ online environments. Microsoft mentioned that getting access to the online environments of victims was the main objective of the attack.

The UCG believes that the systems of close to 18,000 public and private sector organizations were breached through the SolarWinds Orion program update; even so, a much smaller number experienced further activity on their systems. Amazon and Microsoft have begun investigating the security breach and are evaluating their web environments for indicators of compromise. Based on their information, it appears that the web environments of close to 250 of the 18,000 victims were impacted. That number may well go up as the investigation of the attack proceeds.

Another malware variant, known as the Supernova web shell, was likewise discovered on the systems of selected victims. This malware variant was installed by exploiting a zero-day vulnerability in the SolarWinds Orion program and does not appear to have been deployed by the same attackers.

Fewer than 10 U.S. government organizations had their systems affected. Recently, the Department of Justice announced that it was impacted. Though the hackers obtained access to its systems, the DOJ stated the breach only impacted its Microsoft Office 365 email environment and only around 3% of its mailboxes were affected. The DOJ said that none of its identified systems appear to have been impacted by the breach.

Data Breaches Reported by Northwestern Memorial Hospital, Apex Laboratory, and Five Points Eye Care

Northwestern Memorial Hospital in Chicago learned that a former temporary employee may have accessed the health records of a number of patients without valid authorization while working at the hospital.

The hospital discovered the unauthorized information access on December 2, 2020. A review of access records showed the person looked at patient data without a job-related reason to do so between October 27, 2020 and December 2, 2020. The records likely viewed only contained names of patients, addresses, and treatment details. The person didn’t obtain access to financial data or Social Security numbers.

Northwestern Memorial Hospital released an announcement regarding the privacy breach saying that the information of 682 patients might have been accessed and confirmed that the temporary employee no longer works at the hospital. It is uncertain why the data were accessed. The provider is informing all impacted patients about the privacy breach by mail and has reported the breach to the proper authorities.

Apex Laboratory Suffered a DoppelPaymer Ransomware Attack

In July 2020, Apex Laboratory, a home laboratory services company in New York and South Florida, suffered a DoppelPaymer ransomware attack. The DoppelPaymer ransomware group recently uploaded a huge number of data files to its data leak site. The majority of the material included protected health information (PHI) of patients and sensitive employee details. states that after calling Apex Laboratory concerning the data breach, the dumped data files were taken off the DoppelPaymer leak website. Apex Laboratory published a breach notification on its webpage on December 31, 2020 stating that it experienced a ransomware attack on July 25, 2020; however, the encrypted information was recovered on July 27, 2020.

It is assumed that the information uploaded to the leak site was acquired during the July cyberattack. Apex Laboratory affirmed that, upon learning of the dumped files, it took steps right away to make certain the attackers took down the information from the leak website. The dumped information is thought to have contained patient names, birth dates, laboratory test data, and the telephone numbers and Social Security numbers of a few patients.

The incident investigation is still ongoing and the provider is going to send notification letters to affected individuals in a day or two.

Potential Breach of Patient Records at Five Points Eye Care

Five Points Eye Care, based in Athens, GA, has found that an unauthorized person obtained access to its system and likely viewed or obtained patient data. The breach took place on October 27, 2020 and was discovered and resolved the same day.

The breach only affected the email system that stored messages sent to the optometrist by different treating doctors. The information in the messages included names, dates of birth, Social Security numbers, addresses, medicines, and treatment options. A forensic investigation confirmed that the unauthorized individual did not see any other data.

Five Points Eye Care submitted the data breach report to authorities, sent notifications to impacted persons and made available complimentary credit monitoring services for 12 months.

Data Breaches at EyeMed, Midwest Geriatric Management and Premier Kids Care, Inc.

Aetna has announced that around 484,000 of its members were impacted by a data breach that happened at a business associate providing services for its vision benefits plan members. In July 2020, an unauthorized individual gained access to the email account of an EyeMed employee in Cincinnati and used it to send further phishing emails to people listed in the mailbox’s contacts.

EyeMed’s investigation of the breach confirmed that the mailbox held the protected health information (PHI) of about 1,300 members of Blue Cross Blue Shield of Tennessee, 484,157 Aetna members and 60,545 members of Tufts Health Plan. No information has been found that suggests the theft or misuse of PHI, though data theft cannot be ruled out with 100% confidence. EyeMed notified the affected health plans regarding the breach in September.

The compromised email account held information including members’ names, dates of birth, health insurance ID numbers, and vision insurance ID numbers. The birth certificates, Social Security numbers, diagnoses, and financial information of a number of members were also compromised. The breach only affected current and past members of the health plans mentioned above who obtained vision benefits through EyeMed.

An EyeMed spokesperson reported that it has taken prompt action to improve security and provided security awareness training to help prevent a similar breach from taking place again.

Midwest Geriatric Management BEC Attack Has Impacted 4,800 Persons

Midwest Geriatric Management (MGM) Healthcare has sent notifications to 4,814 people that some of their PHI was likely breached in a business email compromise attack. The attacker impersonated the CFO and emailed an MGM staff member requesting that a file be sent by email. Assuming the request to be legitimate, the staff member responded and sent the file.

Email security features were in place that should block attacks like this, yet in this case those security features were bypassed. The spreadsheet contained names, account balances, and the name of the applicable facility. No other details were affected.

MGM’s investigation indicated that this was an isolated incident and no other systems were impacted. More training was given to personnel regarding email security and, as a precaution, all affected persons received complimentary myTrueIdentity identity theft protection services.

PHI of Premier Kids Care, Inc. of Georgia Patients

Premier Kids Care, Inc. (PKC) of Georgia found out that an unauthorized person had accessed its networks and acquired some patient information. The breach was first detected on April 6, 2020. It is unknown why the issuance of breach notifications was delayed for 8 months.

The types of data kept on the breached computer included names, addresses, phone numbers, birth dates, treatment data, and medical insurance data. Affected persons received a free membership to identity theft protection and credit monitoring services for 12 months.

NSA Warns of Authentication System Abuse to Gain Access to Cloud Resources

The U.S. National Security Agency (NSA) has released an advisory about two hacking tactics that threat groups are currently using to obtain access to cloud resources containing protected records. These tactics abuse authentication mechanisms and let attackers steal credentials and maintain persistent access to systems.

The threat actors who breached the SolarWinds Orion program are using these tactics. The hackers responsible for the attacks have not yet been identified; nevertheless, some signs have appeared that indicate this attack was by a Russian nation-state threat group, probably APT29 (Cozy Bear). Secretary of State Mike Pompeo stated in a radio interview that the activity was carried out by Russians; however, President Trump downplayed the attack and mentioned there is a chance that China is responsible.

The SolarWinds Orion platform supply chain attack was used to push malware out to users through the SolarWinds application update process; however, that is only one of several techniques now being used to compromise public and private sector organizations and government agencies.

NSA’s alert explained that initial access may be established in several ways, including through known and unknown vulnerabilities. A case in point was the recent SolarWinds Orion code compromise. On-premises systems were compromised, leading to the abuse of federated authentication and malicious cloud access.

Once initial access has been obtained, the tactics described in the alert are used to acquire additional privileges by forging credentials in order to maintain persistent access. The NSA has provided guidance on identifying and mitigating attacks, irrespective of how the initial access is acquired. The NSA notes that these tactics are not new; threat actors have used them since 2017 and continue to be successful.

The methods detailed in the advisory involve the use of compromised authentication tokens and the abuse of compromised system administration accounts in Microsoft Azure and many other cloud platforms once a local network has been breached.

The first tactic entails breaching an on-premises federated identity provider or single sign-on (SSO) system. These systems enable organizations to use the authentication system they already own to grant access to resources, such as cloud services. They make use of cryptographically signed automated messages (assertions), which are conveyed using Security Assertion Markup Language (SAML), to show that users have been authenticated. Threat actors are abusing the authentication process to get illicit access to a wide range of assets held by businesses.

The attackers either steal private keys or credentials from the SSO system that permit them to sign assertions and impersonate a valid user, or acquire enough privileges to create their own keys and identities, and even their own SSO system. The second tactic consists of compromising administrator accounts to assign credentials to cloud application identities; the attackers then use the application’s credentials to obtain automated access to cloud assets.

The NSA has warned that threat actors continue to exploit the recently disclosed command injection vulnerability in VMware products (CVE-2020-4006). In one case mentioned by the NSA, exploitation of this vulnerability, rather than the SolarWinds technique, was how initial local network access was acquired. The methods explained in the advisory were then used to get access to cloud assets. A patch has already been released to fix the vulnerability affecting VMware products, and it ought to be applied right away. SolarWinds Orion users must follow the previously published mitigations.

These methods of gaining access to cloud resources do not take advantage of vulnerabilities in cloud systems, federated identity management, the SAML protocol, or on-premises and cloud identity solutions; rather, they abuse trust in the identity federation.

The protection of identity federation in any cloud environment depends on trust in the on-premises components that carry out authentication, delegate privileges, and sign SAML tokens. If any of these components is compromised, the trust in the federated identity system can be abused for unsanctioned access.

To prevent these tactics from being used successfully to obtain access to cloud resources, the NSA advises carrying out the following:

  • Secure the SSO configuration and service principal usage
  • Harden systems running on-premises identity and federation services
  • Check logs for suspicious tokens that don’t match the organization’s baseline for SAML tokens
  • Examine tokens to identify anomalies
  • Review logs for suspicious use of service principals
  • Search for unexpected trust relationships that have been added to Azure Active Directory
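
One way to apply the token checks from the list above to collected SAML assertions, as an added example that is not taken from the NSA advisory or from this article. The baseline values (issuer URL, one-hour lifetime, certificate bytes) and the sample assertions are constructed assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER certificate bytes (not real certificates).
KNOWN_CERT = base64.b64encode(b"constructed-idp-signing-cert").decode()
ROGUE_CERT = base64.b64encode(b"constructed-unknown-cert").decode()


def cert_fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes carried in the token."""
    return hashlib.sha256(base64.b64decode(b64_cert)).hexdigest()


# Assumed baseline; a real one comes from the organization's own IdP
# configuration and from the tokens it normally issues.
BASELINE = {
    "issuer": "https://sso.example.org/adfs/services/trust",
    "max_lifetime": timedelta(hours=1),
    "signing_certs": {cert_fingerprint(KNOWN_CERT)},
}

TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="{token_id}" IssueInstant="{start}">
  <saml:Issuer>{issuer}</saml:Issuer>
  {signature}
  <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{start}" NotOnOrAfter="{end}"/>
</saml:Assertion>"""
SIGNATURE = ("<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}"
             "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>")


def make_sample(token_id, issuer, start, end, cert):
    """Build one constructed assertion for the demonstration."""
    signature = SIGNATURE.format(cert=cert) if cert else ""
    return TEMPLATE.format(token_id=token_id, issuer=issuer, start=start,
                           end=end, signature=signature)


GOOD = BASELINE["issuer"]
SAMPLES = [  # constructed log content
    make_sample("_normal", GOOD, "2021-01-05T10:00:00Z", "2021-01-05T11:00:00Z", KNOWN_CERT),
    make_sample("_longlived", GOOD, "2021-01-05T10:00:00Z", "2022-01-05T10:00:00Z", KNOWN_CERT),
    make_sample("_rogue", "https://idp.invalid/trust", "2021-01-05T10:00:00Z",
                "2021-01-05T11:00:00Z", ROGUE_CERT),
    make_sample("_unsigned", GOOD, "2021-01-05T10:00:00Z", "2021-01-05T11:00:00Z", None),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_assertion(xml_text, baseline=BASELINE):
    """Return the ways one assertion deviates from the baseline.

    This compares token properties only; it does not verify the XML
    signature. A token forged with a stolen signing key carries the known
    certificate, so lifetime and issuer anomalies are what expose it.
    For untrusted input, parse with a hardened parser such as defusedxml.
    """
    findings = []
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != baseline["issuer"]:
        findings.append("unexpected-issuer")

    cond = root.find("saml:Conditions", NS)
    start = (cond.get("NotBefore") if cond is not None else None) or root.get("IssueInstant")
    end = cond.get("NotOnOrAfter") if cond is not None else None
    if not start or not end:
        findings.append("missing-validity-window")
    elif parse_ts(end) - parse_ts(start) > baseline["max_lifetime"]:
        findings.append("lifetime-exceeds-baseline")

    cert = root.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None:
        findings.append("unsigned-assertion")
    elif cert_fingerprint("".join(cert.split())) not in baseline["signing_certs"]:
        findings.append("unknown-signing-cert")
    return findings


def audit_all(samples=SAMPLES):
    """Map each assertion ID to its list of findings."""
    return {ET.fromstring(x).get("ID"): audit_assertion(x) for x in samples}


if __name__ == "__main__":
    for token_id, findings in audit_all().items():
        print(token_id, findings or "matches baseline")
```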

Serious Vulnerabilities Found in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities were discovered in Medtronic MyCareLink (MCL) Smart Patient Readers, which could be exploited to gain access to and alter patient information from the paired implanted cardiac device. Exploiting the vulnerabilities together allows remote code execution on the MCL Smart Patient Reader, enabling an attacker to take control of paired cardiac devices. An attacker could only exploit the vulnerabilities if within Bluetooth signal range of the target product.

All models of the MCL Smart Model 25000 Patient Reader are impacted by the listed vulnerabilities.

Vulnerability CVE-2020-25183 is a weakness in the authentication protocol. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile application to each other may be bypassed. An attacker with another mobile device, or a malicious app on the patient’s smartphone, may authenticate to the patient’s MCL Smart Patient Reader, fooling it into thinking it is communicating with the patient’s smartphone application. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.

With vulnerability CVE-2020-27252, an authenticated attacker running a debug command can trigger a heap-based buffer overflow in the MCL Smart Patient Reader software stack. Once it is triggered, an attacker could then remotely execute code on the vulnerable MCL Smart Patient Reader, possibly allowing the attacker to take control of the device. This vulnerability has been assigned a CVSS v3 base score of 8.8.

Vulnerability CVE-2020-27252 is found in the software update system of MCL Smart Patient Readers. An attacker exploiting this vulnerability can upload and run unsigned firmware on the Patient Reader. This vulnerability can likewise make remote execution of arbitrary code possible on the MCL Smart Patient Reader and may allow an attacker to take control of the product. This vulnerability has been assigned a CVSS v3 base score of 8.8.

The researchers who identified the device vulnerabilities were from the Israeli company Sternum. Researchers at the University of Michigan, UC Santa Barbara, and the University of Florida also separately discovered the improper authentication vulnerability.

Medtronic released a software update to resolve the vulnerabilities after being notified of them. The firmware update is applied by updating the MyCareLink Smart app through the relevant mobile application store. Updating the mobile app to version v5.2 ensures that the update is applied on next use; however, the patch will only work when the user’s smartphone runs Android 6.0 or above or iOS 10 or later.

Users were additionally instructed to maintain good physical control over their devices at home and to restrict the use of home monitors to private settings. Patients must only use home devices that were obtained directly from their healthcare center or a Medtronic consultant.

Medtronic has also taken steps to strengthen security, such as using Sternum’s enhanced integrity validation (EIV) technology, which offers early detection and real-time blocking of known vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which permits device-level logging and monitoring of all device activity and behavior.

Kalispell Regional Healthcare Offers to Pay $4.2 Million to Settle Data Breach Lawsuit

Kalispell Regional Healthcare, located in Montana, has proposed paying $4.2 million to settle a legal action filed on behalf of patients affected by a data breach that was announced in October 2019.

The lawsuit was filed right after the notification that the protected health information (PHI) of around 130,000 patients was impermissibly exposed because of a phishing attack. Unauthorized persons gained access to a number of email accounts after workers clicked hyperlinks in phishing emails and disclosed their login information. The attackers first got access to the email accounts on May 24, 2019 and had access to the accounts for a few months. The breached email accounts held sensitive data including names, phone numbers, addresses, dates of birth, Social Security numbers, health record numbers, medical history, and medical insurance details. The hackers stole approximately 250 Social Security numbers.

The lawsuit alleged that Kalispell Regional Healthcare didn’t use suitable procedures to safeguard the privacy of patient records, had not given its employees sufficient security awareness training, and wasn’t effectively monitoring for potential compromises. Had it done so, it would have been able to identify the breach much sooner. The lawsuit furthermore claimed Kalispell Regional Healthcare did not send breach victims prompt notices, did not comply with industry-accepted standards and cybersecurity guidelines, and violated the Montana Uniform Health Care Information Act.

Kalispell Regional Healthcare said that before the data breach it had implemented various cybersecurity measures to maintain the privacy and confidentiality of patients’ PHI. At the time of the breach, a top-rated cybersecurity consulting company stated that Kalispell Regional Healthcare ranked in the top 9% of healthcare companies for cybersecurity compliance; however, the measures applied were still not adequate to prevent the breach.

Kalispell Regional Healthcare decided to settle the lawsuit to bring it to a close and avoid ongoing legal costs. The organization didn’t admit any wrongdoing or any liability for the data breach.

As per the conditions of the settlement, Kalispell Regional Healthcare will provide a $4.2 million fund to pay for various forms of relief for impacted persons, which include reimbursement of out-of-pocket costs, compensation for time spent dealing with identity restoration services and credit-monitoring services, free membership to Experian credit monitoring services for three years, and complimentary identity theft restoration services for five years. Plaintiffs are eligible to claim around $15,000 for out-of-pocket expenditures and as much as $75 reimbursement for time spent responding to the breach.

The proposed settlement is due to be approved by Eighth Judicial District Court Judge Elizabeth Best. The final approval hearing is scheduled for January 5, 2021. If the settlement is approved, plaintiffs will have until February 25, 2021 to file their claims.

UVM Health Electronic Health Record System is Now Operational a Month After Cyber Attack

University of Vermont Health Network announced that its electronic health record (EHR) system is back online, one month after experiencing a ransomware attack. The ransomware attack occurred on October 25, 2020 and resulted in substantial disruption at six of its hospitals. Over the past month, staff members had no option but to record patient information, orders, and prescribed medicines using pen and paper since the computer network was down.

UVM continued to deliver care to patients during the attack and recovery process; nevertheless, the restoration of its EHR will considerably raise productivity. The attack caused serious disruption, especially at University of Vermont Medical Center in Burlington, although it impacted the whole network. Because important patient information couldn’t be accessed, a lot of elective procedures were rescheduled, and the radiology department at the main campus suffered serious delays and was only partially open.

In a November 24, 2020 news release, UVM Health stated it had reached a big milestone in the restoration process when its Epic EHR system came back online for its inpatient and outpatient sites, which include UVM Medical Center and the Central Vermont Medical Center ambulatory clinics, Porter Medical Center and Champlain Valley Physicians Hospital.

Though electronic patient data is now accessible and personnel can record patient data digitally, the recovery process is not yet complete and a lot of work still remains. The UVM Health teams continue to work 24/7 to fully restore everything quickly and securely.

The phone system has been restored; nevertheless, patients still cannot access the MyChart patient portal, so they can’t yet view their health data online. Many other patient care applications used by the health network remain unavailable. UVM Health is working very hard to bring back those systems, and they are going to be restored systematically over time, with the primary emphasis on patient-facing systems.

Some other healthcare organizations suffered ransomware attacks at about the same time as the UVM Health attack. St Lawrence Health System in New York successfully restored its EHR systems two weeks after the ransomware attack; however, Sky Lakes Medical Center had no choice but to replace most of its systems and workstations due to the attack.

Ashtabula County Medical Center (ACMC) in Ohio was particularly badly affected by a ransomware attack on September 24, 2020. Aside from the medical center, the attack also impacted five health centers. Two months after the attack, the EHR is still not accessible. A complete restoration may be achieved in late 2020.

$65,000 Fine Issued for University of Cincinnati Medical Center Due to HIPAA Right of Access Violation

The HHS’ Office for Civil Rights reported its 18th HIPAA financial penalty for 2020 – the 12th penalty given under the HIPAA Right of Access enforcement initiative.

In 2019, OCR launched a new initiative to make certain individuals have timely access to their medical records, at a reasonable fee, as required by the HIPAA Privacy Rule. This is to address the fact that healthcare companies were not consistently adhering to this vital HIPAA Privacy Rule provision and a number of patients were having problems obtaining a copy of their medical records.

The latest $65,000 financial penalty was issued to the University of Cincinnati Medical Center, LLC (UCMC). It stemmed from a complaint submitted to OCR on May 30, 2019 by a patient who had submitted a request to UCMC on February 22, 2019 for an electronic copy of her health records to be delivered to her attorney.

As per the HIPAA Right of Access, healthcare companies need to provide copies of medical records, upon request, within 30 days of receiving the request. 45 C.F.R. § 164.524 furthermore states that a person is allowed to have the requested records sent to a designated third party, if they so wish.

OCR received the complaint over 13 weeks after the patient filed the request. OCR got involved and UCMC finally gave the attorney the requested data on August 7, 2019, 5 months after the initial request was filed.

After looking into the patient complaint, OCR confirmed UCMC did not provide the patient’s requested copy of her medical records in a timely manner. Hence, a financial penalty was deemed necessary.

Aside from the financial penalty, UCMC needs to undertake a corrective action plan that comprises creating, maintaining, and revising, as required, written policies and procedures to make sure it is compliant with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. OCR will evaluate those policies, and implementation is required within 30 days of OCR’s approval.

The policies must be distributed to all individuals in the organization and relevant business associates. The policies have to be reviewed and updated, as needed, at least every year. Training materials must likewise be developed and submitted to OCR for approval, after which training on the new policies must be provided to staff.

UCMC must provide OCR with details of all business associates and/or vendors that receive, provide, bill for, or deny access to copies or inspection of records, together with copies of business associate agreements, and UCMC must record all occasions where requests for data were declined. OCR is going to monitor UCMC closely for 2 years from the signing of the resolution agreement to ensure compliance.

OCR is committed to making certain that patients are able to exercise their right to access their health data, including the right to direct digital copies to a third party of their choice. HIPAA covered entities must review their policies and training programs to make certain they know and can fulfil all their HIPAA responsibilities when a patient wants access to his or her information.

Private Practitioner to Pay $15,000 Penalty for HIPAA Right of Access Failure

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) reported the 11th financial penalty under its HIPAA Right of Access enforcement initiative, issued to Dr. Rajendra Bhayani. Dr. Bhayani, a private practitioner based in Regal Park, NY specializing in otolaryngology, is going to pay a $15,000 financial penalty to settle the case and undertake a corrective action plan to fix areas of noncompliance found by OCR in the course of the investigation.

OCR investigated the practitioner after receiving a patient complaint in September 2018 claiming that Dr. Bhayani did not give her a copy of her requested medical records. The patient submitted a request to the otolaryngologist in July 2018, but two months later she had still not received the copy of her health records.

OCR got in touch with Dr. Bhayani, gave technical assistance concerning the HIPAA Right of Access and closed the matter; however, OCR received a second complaint from the same patient in July 2019, a year later, saying that she still hadn’t received her medical records. OCR intervened once more and the patient finally got her health records in September 2020, 26 months after filing the initial request. Under HIPAA, healthcare providers need to provide requested medical records within 30 days of receiving a request.

OCR confirmed Dr. Bhayani’s failure to deliver the health records was a violation of the requirements of the HIPAA Right of Access (45 C.F.R. § 164.524). He also failed to reply to the letters from OCR on August 2, 2019 and October 22, 2019 asking for data. Failure to cooperate with OCR’s investigation of a complaint violates 45 C.F.R. § 160.310(b). OCR decided to penalize the violations. Dr. Bhayani agreed to pay and settle the case with no admission of liability.

Doctors’ offices, whether large or small, should deliver requested medical records to patients in a timely manner. OCR Director Roger Severino said that OCR will continue prioritizing HIPAA Right of Access cases for enforcement until healthcare providers comply.

Dr. Bhayani also needs to undertake a corrective action plan. Policies and procedures for providing people with access to their PHI as per 45 C.F.R. § 164.524 must be reviewed. The policies should detail the methods used to determine a reasonable, cost-based fee for providing access. Those policies must be submitted to OCR for evaluation, and any changes requested by OCR must be implemented within 30 days. Dr. Bhayani must additionally provide privacy training to employees about access to protected health information (PHI). The training materials must be submitted to OCR as well for evaluation and approval.

Every quarter, Dr. Bhayani is required to send OCR a list of all access requests, including the fees charged for handling the requests, together with details of any requests that were declined. OCR must also receive reports of any cases of employees not complying with access requests.

OCR will keep track of Dr. Bhayani for two years from the date of the resolution agreement to make sure of continued HIPAA Right of Access compliance.