Limited Waiver of HIPAA Sanctions and Penalties in Louisiana Declared by HHS

A limited waiver of HIPAA sanctions and penalties in Louisiana was announced by the U.S. Department of Health and Human Services (HHS) Secretary in anticipation of the damage Tropical Storm Barry was expected to cause when it hit the region on July 13. HHS declared a public health emergency in the state on July 12, 2019.

The waiver applies only to hospitals in the Louisiana emergency area and only for the period stated in the declaration. It covers only certain HIPAA Privacy Rule provisions and is in effect for no more than 72 hours after a hospital implements its disaster protocol.

Once the waiver period ends, covered entities must again comply with all HIPAA Privacy Rule requirements. This applies to patients still under a hospital's care when the declaration ends, even if 72 hours have not yet elapsed since the disaster protocol was implemented.

Even without a waiver, the Privacy Rule permits protected health information (PHI) to be shared during disasters to treat patients and make sure they receive care. Certain health information may be disclosed to family members, friends and anyone else involved in a patient's care.

The HIPAA Privacy Rule also permits PHI to be shared for public health activities and to prevent or lessen a serious and imminent threat to health or safety. HIPAA-covered entities may likewise share information with disaster relief organizations authorized to assist in disaster relief efforts without obtaining patient authorization.

The HIPAA Privacy and Security Rules remain in force during natural disasters. Under the HHS Secretary's declaration, however, sanctions and penalties against HIPAA-covered entities are waived for noncompliance with the following HIPAA Privacy Rule provisions:

  • 45 CFR 164.510(b) – The requirement to obtain a patient's agreement before speaking with family members or friends involved in the patient's care
  • 45 CFR 164.510(a) – The requirement to honor a request to opt out of the facility directory
  • 45 CFR 164.520 – The requirement to distribute a notice of privacy practices
  • 45 CFR 164.522(a) – The patient's right to request privacy restrictions
  • 45 CFR 164.522(b) – The patient's right to request confidential communications

HHS Secretary Azar stated that the department is preparing to meet the medical needs of affected communities in cooperation with state health and emergency management authorities. Details of the HHS emergency declaration and the limited HIPAA waiver are published by HHS.

1,000+ Essentia Health Patients Also Impacted by the Nemadji Research Corporation Breach

Essentia Health has notified more than 1,000 of its patients that some of their protected health information (PHI) was exposed. Essentia Health is an integrated health system serving Minnesota, North Dakota, Wisconsin and Idaho.

Like many healthcare providers, Essentia Health contracts a third-party vendor for billing services to recover lost revenue. The business associate providing those services was Nemadji Research Corporation of Bruno, MN.

Essentia Health gave Nemadji access to the specific types of PHI needed to perform its contracted services. The substitute breach notice posted on Essentia Health's website does not state which types of information were exposed.

Nemadji noticed unusual activity in an employee's email account on March 28, 2019. The investigation found that the employee had fallen for a phishing email and disclosed login credentials to the attacker. Nemadji's IT department deactivated the account, but by then the attacker had already had unauthorized access to it for several hours.

The subsequent investigation confirmed that the compromised account contained PHI of patients of several Nemadji clients. The L.A. Times had earlier reported that the PHI of 14,591 Los Angeles County Department of Health Services (DHS) patients was exposed in the same phishing attack. Essentia Health's notice shows that other entities were also affected.

It is not yet known how many Nemadji clients were affected. The incident has not yet been posted to the Department of Health and Human Services' Office for Civil Rights breach portal, so the full scale of the breach remains unclear.

Penobscot Community Health Center Also Impacted by AMCA Breach

Another healthcare provider has been confirmed to be affected by the security breach at American Medical Collection Agency (AMCA). The breach involved unauthorized access to AMCA systems containing the protected health information (PHI) of its clients' patients. The unauthorized access began on August 1, 2018 and continued until March 30, 2019.

Penobscot Community Health Center (PCHC), a non-profit health center in Bangor, ME, used AMCA as its debt collection service provider. On May 15, 2019, AMCA informed PCHC that the PHI of about 13,000 of its patients may have been compromised.

AMCA was given access to a limited set of PHI needed to perform its collection services, covering patients whose accounts had been referred for debt collection. In every case, the information disclosed to AMCA was limited to the minimum necessary.

For eight months, the unauthorized person had access to AMCA's systems and could have viewed or copied the following types of information: names, dates of birth, names of referring medical providers, and other medical data associated with services received at PCHC. Some patients' credit card information may also have been exposed.

PCHC has ended its business relationship with AMCA and is working to retrieve and secure all patient information it provided to the company.

PCHC joins Quest Diagnostics, LabCorp and BioReference Laboratories as a confirmed victim of the AMCA breach, and other healthcare organizations may yet be affected. To date, more than 20 million individuals are known to have been impacted.

AMCA's parent company has filed for bankruptcy and is seeking to liquidate assets to cover the cost of the breach response.

ICO Intends to Fine Marriott $123 Million for its GDPR Violation

Just days after announcing its intention to fine British Airways £183 million (about $228 million) over a breach affecting approximately 500,000 customers, the United Kingdom's Information Commissioner's Office (ICO) has announced another proposed financial penalty for a GDPR violation.

ICO announced its intent to fine Marriott £99 million (about $123 million) over a breach discovered in 2018 that involved about 339 million guest records.

ICO is the GDPR supervisory authority in the U.K. Organizations that suffer a data breach affecting the personal data of individuals in the EU are required to report it to their supervisory authority within 72 hours of becoming aware of it. ICO investigates data breaches to determine whether GDPR was violated and also investigates consumer complaints about GDPR violations.

ICO received Marriott's breach report in September 2018 and investigated the incident. Companies cannot prevent every data breach, but GDPR requires them to implement appropriate technical and organisational measures to reduce the risk of a breach to a level appropriate to the risk.

The Marriott breach originated at Starwood Hotels & Resorts Worldwide, where hackers gained access to a guest reservation database in 2014. Marriott acquired Starwood in September 2016 but did not identify the compromised database until September 8, 2018.

ICO found that Marriott failed to carry out sufficient due diligence on Starwood when it acquired the company, and that it should have done far more to secure its systems and protect customers' personal data.

Information Commissioner Elizabeth Denham said GDPR makes clear that organizations are accountable for the personal data they hold. That includes carrying out proper due diligence before a corporate acquisition and putting in place accountability measures to assess what personal data has been collected and how it is protected.

Marriott cooperated fully with the ICO investigation and has since reviewed and improved its security. Marriott has 28 days to make representations against the proposed £99,200,396 penalty before ICO finalizes it.

Invitation to Join the Emergency Preparedness and Security Trends in Healthcare Survey

Each year, Rave Mobile Safety surveys the healthcare industry to identify trends in healthcare security and gauge the state of the industry's emergency preparedness.

For its report "2020 Emergency Preparedness and Security Trends in Healthcare," Rave Mobile Safety is seeking input from healthcare industry leaders.

Many took part in last year's survey and described the security measures they had implemented to better protect their organizations in emergencies. Survey responses will be used to assess the state of emergency preparedness across the United States.

Rave Mobile Safety is inviting those who have not yet participated to share their responses anonymously via the survey link.

The survey offers an opportunity to learn how colleagues across the country are approaching emergency preparedness and security issues and what to expect next.

Participation in the survey is completely anonymous.

Those who complete the survey can enter a raffle for a $200 gift card courtesy of the survey sponsor.

Only participants who provide their email address can enter the raffle; they will also receive the anonymized survey results before publication.

Note: HIPAA Coach is not compensated to share this news.

14,591 DHS Patients Affected by Phishing Attack on California Business Associate

Nemadji Research Corporation, doing business as California Reimbursement Enterprises, has announced that an unauthorized individual accessed one of its employees' email accounts. Protected health information (PHI) of its clients' patients may have been viewed or copied.

California Reimbursement Enterprises provides patient eligibility and billing services as a business associate to a number of California hospitals and healthcare facilities, including the Los Angeles County Department of Health Services (DHS).

On March 28, 2019, IT staff noticed unusual activity in an employee's email account and discovered the potential breach. A third-party computer forensics firm assisted with the investigation. Nemadji confirmed that the attacker accessed the email account several hours after the employee responded to a phishing email.

On June 5, 2019, an analysis of all messages in the account confirmed that patient information had been exposed. Nemadji notified all affected business partners.

California Reimbursement Enterprises used the breached account for correspondence with DHS about the services it provided, and some of those emails contained PHI. On June 26, 2019, Nemadji informed DHS of the breach and that 14,591 DHS patients were affected.

The potentially exposed information included names together with one or more of the following: address, phone number, date of birth, patient account number, medical record number, Medi-Cal ID number, admission date(s), discharge date(s), and month and year of service. Diagnostic codes were exposed for four patients and Social Security numbers for two.

Nemadji sent breach notification letters to affected patients on July 8, 2019 and offered them free credit monitoring and identity theft protection services.

Nemadji has also reviewed its cybersecurity defenses and implemented additional measures to reduce the risk of similar breaches. Employees have received additional training and the IT department has strengthened its email security protections.

Consumer Attitudes Toward Medical Device Security, According to nCipher Security Survey

A new nCipher Security survey examined how much value consumers place on the privacy and security of their health information. 1,300 U.S. consumers took part. The survey covered consumer attitudes toward online personal privacy, disclosure of sensitive data, and data breaches.

Respondents were more worried about hackers stealing their financial data than their health information: asked about their biggest security concern, 42% named financial data theft and 14% named health data theft.

The concern over financial data theft is understandable given its immediate consequences, but theft of health data is also a serious problem: exposed PHI cannot be reissued the way a payment card can, and it can be misused long after a breach.

More than a third were worried about hackers tampering with their information, 44% were worried that identity theft would follow a data breach, and 22% were worried that a connected device could be hacked, putting their health data at risk.

The survey also explored the leading privacy and security concerns associated with sharing private information. The concerns, with the percentage of respondents citing each, were:

  • 46% – sharing SSNs or credit card numbers over the phone
  • 35% – internet banking
  • 34% – shopping online
  • 16% – downloading medical records or accessing a network-connected health device

A growing number of people use personal devices to track their activity and health. Only 37% of respondents had never used an internet-connected device to track health metrics; 23% use smartphones to record health metrics, 13% own internet-connected scales, 12% own fitness trackers, 10% own an Apple Watch or similar device, and 19% log in to their provider's website to view and record their health information.

The survey shows that many consumers hold strong opinions about healthcare device security:

  • 52% of respondents consider encryption a good way to protect personal information if a cyberattack hits healthcare devices
  • 35% think devices must be checked regularly to ensure privacy
  • 31% support independent certification of healthcare devices
  • 18% support government regulation of healthcare devices
  • 17% think healthcare executives and medical device company executives should be fired when personal medical data is exposed

British Airways' £183 Million GDPR Penalty Linked to 2018 Data Breach

The U.K. GDPR supervisory authority, the Information Commissioner's Office (ICO), has issued British Airways the largest GDPR penalty to date. British Airways can appeal, but as it stands ICO intends to fine the airline £183.39 million ($228 million) for security failures that allowed a cyberattack on its website in 2018.

The penalty dwarfs the previous record of £500,000 ($623,000) that Facebook paid over the Cambridge Analytica scandal, which was the maximum allowed under the previous Data Protection Act 1998. The British Airways breach took place after May 25, 2018, the date the EU's General Data Protection Regulation took effect.

GDPR replaced the earlier EU Data Protection Directive and, besides introducing a range of new privacy and security requirements, greatly increased the penalties for privacy and data security failures. For a serious GDPR violation the maximum penalty is €20 million ($22.4 million) or 4% of global annual turnover, whichever is greater.

The £183 million penalty proposed by ICO is equivalent to 1.5% of British Airways' global annual revenues for 2017. The maximum penalty for BA alone would have been roughly £500 million (4% of its 2017 revenues); a fine calculated on the 2017 global revenues of its parent holding company, International Airlines Group (IAG), would have been higher still.

GDPR requires organizations that suffer a breach affecting EU residents' data to report it within 72 hours of becoming aware of it. British Airways disclosed its breach publicly and submitted a breach report to ICO on September 6, 2018, 24 hours after discovering it.

ICO's investigation found security failures that allowed hackers to compromise BA's website. The attackers inserted code that diverted site visitors to a fraudulent site, where their personal data and credit/debit card details were harvested. ICO stated that the personal and financial data of approximately 500,000 customers was compromised. The breach ran from around June 2018 until September 5, 2018.

ICO did not fine BA for being breached as such; the penalty is for the security failures that allowed the attackers access in the first place.

ICO has so far issued only a notice of intent to fine BA, and BA has 28 days to make representations. Willie Walsh, chief executive of International Airlines Group, said the company intends to take all appropriate steps to defend the airline's position, including appealing.

Phishing Attack on Alive Hospice and Flexcare LLC Potentially Compromised Sensitive Data

Alive Hospice, a provider of palliative care, end-of-life care, bereavement support and community education in Nashville, TN, has announced that an employee's email account was accessed without authorization in May 2019.

Alive Hospice noticed suspicious activity in the employee's email account on or around May 6, 2019. The account password was changed immediately and an investigation was launched to determine the cause.

The investigation found that the attackers first accessed the single email account on May 4, 2019 and had access to it for two days. Although the account was accessed without authorization, no evidence was found that any patient information was accessed or stolen.

The email messages and attachments contained varying types of patient information, which may have included PHI such as name, date of birth, Social Security number, financial account number, driver's license number, medical history, treatment information, prescription details, treating or referring physician information, Medicare or Medicaid number, medical record number, health insurance information, and username/email address and password.

Alive Hospice has reviewed its security protections and will implement additional measures to prevent further attacks. Affected individuals have been offered free credit monitoring and identity theft protection services.

Alive Hospice has reported the breach to the Department of Health and Human Services' Office for Civil Rights, but the incident has not yet been published on the OCR breach portal, so the number of affected individuals is not yet known.

A separate phishing attack has been reported by Flexcare LLC, a California medical staffing agency. A single employee's email account was compromised after the employee responded to a phishing email. Unusual activity in the account was detected shortly after the phishing email was received, and the email security team shut the account down automatically.

Computer forensics professionals helped assess the breach and determine whether the attacker viewed or copied any PHI after gaining access to the account. Despite the rapid shutdown, the investigation confirmed that the account had been accessed without authorization. Although there was no evidence of data access or theft, the forensic investigators determined that the attacker could have viewed or copied patients' PHI.

A detailed analysis of the account showed that the following PHI of affected patients may have been exposed: name together with one or more of address, date of birth, Social Security number, driver's license number, and medical information such as vaccination history, drug test results and answers to annual health questionnaires.

Flexcare employees will receive further training on email and network security. The agency has also implemented multi-factor authentication and offered affected individuals 12 months of complimentary CyberScout credit monitoring and identity theft protection services.
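Every phishing story on this page (Nemadji, Alive Hospice, Flexcare, and Addison County below) follows the same pattern: credentials are phished, the attacker logs into the mailbox hours later from somewhere new, and the breach is caught, if at all, as "unusual activity in the email account". The script below is an added example of what that detection can look like when run over mailbox audit events; it is not code from any of the organizations named, the event fields are a constructed, simplified stand-in for Microsoft 365 / Exchange mailbox audit records rather than the real schema, and the trusted IP range, user names and timestamps are assumptions made up for the example.

```python
"""Spot post-phishing mailbox takeover from audit-log style events.

Added example for this page's phishing stories; not code from Nemadji, Alive
Hospice, Flexcare or any vendor. AuditEvent is a constructed stand-in for a
Microsoft 365 / Exchange mailbox audit record: the field names, the trusted
IP range and the sample log are all assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed corporate egress / VPN range; logins from here are not "new" locations.
TRUSTED_PREFIXES = ("203.0.113.",)

# Inbox-rule actions attackers typically use to hide replies and security alerts.
SUSPICIOUS_RULE_ACTIONS = {"DeleteMessage", "MoveToFolder:RSS Subscriptions", "ForwardTo"}


@dataclass
class AuditEvent:
    time: datetime
    user: str
    operation: str                      # UserLoggedIn, New-InboxRule, Set-Mailbox, ...
    client_ip: Optional[str] = None
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Finding:
    user: str
    time: datetime
    reason: str


def detect_mailbox_compromise(events: List[AuditEvent],
                              phish_delivered: Dict[str, datetime],
                              window_hours: float = 6.0) -> List[Finding]:
    """Return findings for activity that looks like account takeover after a phish.

    phish_delivered maps user -> time the phishing email reached that inbox.
    Within window_hours after delivery, flag:
      * a login from an IP the user never authenticated from before the phish
        and that is outside the trusted range (the "unusual activity" above);
      * creation of an inbox rule that deletes, hides or forwards mail;
      * mailbox forwarding being switched on.
    """
    findings: List[Finding] = []
    window = timedelta(hours=window_hours)
    ordered = sorted(events, key=lambda e: e.time)
    for user, t0 in phish_delivered.items():
        # Baseline: every IP this user logged in from before the phish arrived.
        seen_ips = {e.client_ip for e in ordered
                    if e.user == user and e.operation == "UserLoggedIn" and e.time < t0}
        for e in ordered:
            if e.user != user or not (t0 <= e.time <= t0 + window):
                continue
            if e.operation == "UserLoggedIn":
                ip = e.client_ip or ""
                if ip not in seen_ips and not ip.startswith(TRUSTED_PREFIXES):
                    findings.append(Finding(user, e.time,
                                            f"login from never-seen IP {ip} {e.time - t0} after phish"))
            elif e.operation == "New-InboxRule":
                action = e.params.get("Action", "")
                if action in SUSPICIOUS_RULE_ACTIONS:
                    findings.append(Finding(user, e.time, f"inbox rule created: {action}"))
            elif e.operation == "Set-Mailbox" and e.params.get("ForwardingSmtpAddress"):
                findings.append(Finding(user, e.time,
                                        f"forwarding set to {e.params['ForwardingSmtpAddress']}"))
    return findings


# Constructed sample log: one phished user (jdoe) and one bystander (asmith).
T0 = datetime(2019, 3, 28, 8, 0)      # assumed delivery time of the phishing email
SAMPLE_EVENTS = [
    AuditEvent(T0 - timedelta(days=3), "jdoe", "UserLoggedIn", "203.0.113.10"),
    AuditEvent(T0 - timedelta(days=1), "jdoe", "UserLoggedIn", "203.0.113.10"),
    AuditEvent(T0 + timedelta(minutes=5), "jdoe", "UserLoggedIn", "203.0.113.10"),  # victim reads the phish
    AuditEvent(T0 + timedelta(hours=3), "jdoe", "UserLoggedIn", "198.51.100.77"),   # attacker replays creds
    AuditEvent(T0 + timedelta(hours=3, minutes=2), "jdoe", "New-InboxRule",
               "198.51.100.77", {"Action": "DeleteMessage"}),
    AuditEvent(T0 + timedelta(hours=4), "asmith", "UserLoggedIn", "192.0.2.9"),     # not phished
]
SAMPLE_PHISH = {"jdoe": T0}

if __name__ == "__main__":
    for f in detect_mailbox_compromise(SAMPLE_EVENTS, SAMPLE_PHISH):
        print(f"{f.time:%Y-%m-%d %H:%M} {f.user}: {f.reason}")
```

On the constructed log the victim's own login minutes after the phish is ignored because that IP is in the baseline, while the login three hours later from an unseen address and the DeleteMessage rule created right after it are both flagged. Two caveats: mailbox auditing has to be switched on and retained before the incident for any of this to exist, and the baseline-versus-new approach only works when the phish delivery time is known, which is why Addison County's more than two months between first access and discovery is the case this kind of check is meant to prevent. The multi-factor authentication Flexcare adopted breaks the replayed-credential step entirely, which is why it is the control to deploy first.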

PHI Exposed Due to Pardee UNC Health Care Break In and Addison County Home Health & Hospice Email Breach

Pardee UNC Health Care is notifying patients that some of their protected health information (PHI) may have been compromised when thieves broke into the basement of a building at its facility and stole electronic equipment. The break-in at the 2029 Asheville Hwy, Hendersonville, NC facility was discovered on May 9, 2019.

No electronic PHI is believed to have been exposed because the stolen computers had no hard drives. However, a stack of 590 Federal Drug Testing Custody and Control Forms was stored in the basement. The forms contained names, telephone numbers, dates of birth, employer names, driver's license numbers, Social Security numbers, and results of drug screening tests conducted between October 2003 and December 2004.

Pardee officials said no evidence was found that patient information was viewed or stolen, but compromise of PHI cannot be ruled out because the files were in plain view of the thieves as they entered the basement.

Pardee UNC has since moved all files from the basement to a secure storage area. Paperwork that was previously stored in several locations is now kept in a single secure location.

Pardee UNC Health Care is reviewing its employee training program and its record retention policies and procedures, and will revise them as needed. Affected patients will be offered one year of credit monitoring services. The number of affected patients is not yet known.

Separately, an email security breach at Addison County Home Health & Hospice in Vermont may have exposed the PHI of 758 patients. The center discovered the breach on April 26, 2019 and launched an investigation, which confirmed that the account was first accessed without authorization on February 19, 2019.

Analysis of the email account showed that names, clinical information and medical record numbers may have been compromised, along with some patients' Social Security numbers.

Patients whose Social Security numbers were exposed have been offered 12 months of free credit monitoring and identity protection services. The hospice will further strengthen its technical security controls and provide employees with additional training on identifying phishing emails.