Category: HIPAA News

The physician staffing firm EmCare based in Dallas, Texas announced a data breach that affected about 60,000 people. Of the 60,000, 31,000 were patients.

The compromised data was specified in messages and attachments in the email accounts of employees that an unauthorized person accessed after a number of employees replied to phishing emails and shared their email credentials. Emcare’s breach notice did not clearly state when the breach took place and the amount of time the attackers accessed the email accounts.

EmCare discovered the breach on February 19, 2019 and started an investigation. The third-party computer forensics firm found out that there were data of patients, employees, and contractors in the compromised email accounts, including names, birth date, demographic data, clinical data, driver’s license numbers and Social Security numbers, which the attackers potentially accessed or copied.

The investigators did not find any proof that suggest that attackers accessed or exfiltrated patient or employee data, but the risk cannot be ruled out. To date, there is no report received that indicate the misuse of patient or employee data.

Emcare is providing complimentary one year of credit monitoring and identity theft protection services to those who had their Social Security numbers or driver’s license numbers potentially compromised.

Emcare sent notifications letters to affected persons on April 19, 2019, that is 59 days after discovering the breach. The issuance of breach notification was just one day before the deadline of the HIPAA Breach Notification Rule reporting.

In response to the breach, EmCare implemented a variety of “advanced IT solutions” and provided additional training to employees about email security.

An office computer that Oregon Endodontic Group used was attacked by malware and possibly the attackers stole email data. The group spotted suspicious activity happening in email accounts on November 13, 2018 and started an investigation.

A third -party forensic firm assisted with the investigation to identify the data breach’s nature and magnitude. The investigators claimed that the malware variant that infected the office computer was Emotet. It is a banking Trojan that could exfiltrate information from email accounts. The investigators did not get any evidence that suggest the attackers stole email data, but data theft could have been possible.

The investigators looked into the compromised email account to figure out the type of protected health information (PHI) were exposed. The investigation was concluded on February 11, 2019.

The email account comprised limited types of data, which include names combined with one or more data elements, such as birth date, diagnosis information, treatment information, and health insurance data. The following information were also exposed: Social Security numbers of 41 individuals, the driver’s license numbers of two individuals and financial data of seven individuals.

Oregon Endodontic Group engaged an IT security firm to evaluate security controls and carry out additional controls to reinforce its email system security.

Humana reported another data breach that affected residents in Texas. Unauthorized individuals signed up on a website used by Availity, a Humana authorized service provider. The website is used for checking the eligibility and perks of a number of health plan members. The unauthorized individuals tried to obtain plan members’ eligibility and benefit verification details.

The scammers posed as physician provider groups and probably obtained a limited amount of plan members’ data since January 15, 2016 until February 14, 2019. The names, benefit information, Humana ID numbers, healthcare reminders and members’ plan effective dates were accessed. As a security measure, Humana offered credit monitoring and identity theft protection services to impacted members and cautioned them to keep track of their explanation of benefits statements for indications of fraudulent transactions. Thus far, no report was acquired with regards to PHI misuse.

Humana mentioned in its breach notification letters the fact that Availity has got policies and procedures for the safety of customer information, however, there were further measures implemented since the occurrence of the breach. There were 522 Texas residents who were members of Humana plans that were impacted by the breach.

Baystate Health in Massachusetts had a phishing attack, which led to the exposure of the protected health information (PHI) of roughly 12,000 patients.

Baystate Health discovered the phishing attack that occurred from February 7 to March 7, 2019. Every instance that the email account of several employees were compromised, the accounts were immediately secured. A computer forensics firm helped in the investigation of the breach. Analysis of the email messages and attachments contained in the email accounts were undertaken to know if the accounts contained PHI and if the attackers accessed the information.

The investigation affirmed that email accounts contained patient data such as names, birth dates, medications, diagnoses and treatment information. The email messages and attachments also included the health insurance information, Social Security numbers and Medicare numbers of a number of patients.

Baystate Health sent by mail breach notification letters to patients affected by the breach on April 5. Patients who had compromised Social Security number received free one year credit monitoring and identity theft protection services for extra security. There was no proof indicating the attackers viewed, copied or misused patient information.

All affected patients were advised to keep a close watch over the explanation of benefits statements from their insurance companies and statements from medical providers in case there are medical services billed to their account that they have not received.

Baystate Health reset all passwords of the compromised email accounts to block further access and enforced extra security measures to stop the unauthorized persons from accessing the email accounts.

Improvements in email logging and log monitoring were made to detect breaches more rapidly. Employees had additional training on security awareness to help them distinguish phishing emails.

Gulf Coast Pain Consultants, also known as Clearway Pain Solutions Institute, discovered that an unauthorized person accessed its EMR system.

An investigation of the breach began on February 20, 2019. It revealed that the unauthorized person accessed a variety of patient data, which included names, phone numbers, home addresses, email addresses, birth dates, Social Security numbers, health insurance details, name of referring provider, and demographic data. Clinical data contained in medical documents were not accessible and financial information was not exposed.

Clearway Pain Solutions Institute already blocked unauthorized access to the system and conducted a complete review of all EMR accounts. All user accounts’ access levels and EMR system activities were validated. After reviewing policies and procedures, the institute will also update the access of patient information as appropriate.

Clearway Pain Solutions Institute sent notifications to all affected patients and offered them free membership to Experian IdentityWorks for one year. The incident is not yet listed on the HHS’ Office for Civil Rights breach portal and so there is no clear information yet regarding the exact number of patients affected.

A phishing attack on the physician group, Questcare Medical Services in Dallas, TX resulted to the compromise of an employee’s email account on February 13, 2019. The investigators found protected health information (PHI) in the compromised account. Affected patients received breach notifications on April 12, 2019.

The people affected by the breach acquired medical services from different Questcare centers — in Dallas, Fort Worth, or Arlington, Texas. The attacker potentially accessed patient information such as, names, birth dates and some clinical data. There was no sensitive financial data or Social Security numbers exposed.

Questcare employees received further training to improve security consciousness and will also get regular reminders concerning phishing. The group installed Microsoft’s Advanced Threat Protection to enhanced its defenses against phishing attacks. There’s no report about the number of persons impacted by the breach yet.

A phishing attack on Metrocare Services in North Texas, a mental health service provider, resulted to the access of several employees’ email accounts by an unauthorized person.

Metrocare Services detected the breach on February 6, 2019 and immediately blocked access to the affected email accounts. But the investigators stated that the hackers first accessed the accounts in January 2019.

A review of the affected email accounts confirmed that the protected health information (PHI) of 5,290 patients were potentially compromised. The affected patients were informed about the potential access of their PHI because of the phishing attack on April 5, 2019. The following patients’ PHI were included: names, birth dates, driver’s license data, health insurance details, health information associated to the services given by Metrocare, and the Social Security numbers for some patients.

The breach investigators did not find any evidence that indicate the access or copying of emails containing ePHI. However, it is not possible to completely rule out ePHI access and theft. Metrocare Services offered the persons whose Social Security number were exposed free identity theft protection and credit monitoring services for one year.

As a response to the breach, Metrocare Services is going to employ extra security measures, such as multifactor authentication, to strengthen its email system security and to stop access to the accounts when credentials are compromised in cyberattacks.

This is the second phishing attack on Metrocare Services. In November 2018, a similar phishing attack on the entity caused the compromise of 1,800 patients’s PHI. After that phishing attack, Metrocare Services talked about strengthening its email system security and providing its employees additional training on identifying potential phishing attacks.

Clearly, the security measures were not enough to stop other attacks. If multifactor authentication was implemented after the first phishing attack, the second attack could have been stopped.

Health Recovery Services in Athens, OH, which provides alcohol and drug addiction services, notified 20,485 patients about the potential access of an unauthorized person to some of their protected health information (PHI).

An unauthorized IP address that got remote access to Health Recovery Services’ computer network was discovered on February 5, 2019. To stop further unauthorized access, they took the network and data systems offline and retained a forensic expert to investigate and find out the nature and extent of the breach.

According to the investigation findings given on March 15, 2019, the IP address accessed the network starting on November 14, 2018 until February 5, 2019. There was no evidence found which indicate the access or copying of any patient information. But it’s still possible that data was accessed or stolen.

Patients who had their protected health information (PHI) compromised received notifications by mail. The following types of patient data were found on the compromised server: names, addresses, phone numbers, and birth dates. The medical data, health insurance details, diagnoses, treatment details, and Social Security numbers of Health Recovery Services patients who received treatment after 2014 were also exposed.

Health Recovery Services made sure its entire network is totally secure and free from security risks. The entity also re-evaluated its policies, procedures, and cybersecurity controls and will improve them to stop other data breaches. Health Recovery Services will also take some action on limiting the damage that can be suffered if a network server breach happens again in the future.

March 2019 had a rate of about one reported healthcare data breach per day. The HHS’ Office for Civil Rights received 30 healthcare data breach reports from HIPAA-covered entities and their business associates. The total of healthcare data breaches is 11% higher in March than the average over the last 60 months.

Month over month, the number of reported breaches dropped by 6.67% and breached healthcare records was 58% lower. The healthcare records of 883,759 people were exposed, stolen or impermissibly disclosed in March because of healthcare data breaches.

Causes of Healthcare Data Breaches in March 2019

The top cause of healthcare data breaches in March were hacking and other IT incidents for instance ransomware and malware. There were 19 hacking / IT incidents reported in March accounting for 83.69% of 739,635 exposed records; 8 unauthorized access/impermissible disclosure incidents with 81,904 healthcare records accessed or impermissibly disclosed; and 4 theft incidents with 23,960 records compromised.

Biggest Healthcare Data Breaches Reported in March 2019

Navicent Health reported the biggest data breach, which involved a phishing attack that resulted to the potential access and copying of 278,016 patient records by the attackers. ZOLL Services reported a data breach of about the same size with 277,319 healthcare records exposed. The breach at ZOLL Services’ business associate, an email archiving company, was due to the accidental removal of its network server’s protection. It is unknown if unauthorized persons accessed the records when the data was accessible.

Location of Breached PHI

March 2019 saw 12 healthcare data breaches involving email incidents, mostly due to phishing attacks. There were 7 hacking/IT incidents, such as hacks, ransomware attacks, and the accidental security solutions deactivation involving network servers.

Healthcare Data Breaches by Covered Entity in March 2019

In March, healthcare providers reported 21 incidents; health plans reported 4 incidents while HIPAA business associates reported 5 data breaches; three breaches additionally involved business associate agreements.

Healthcare Data Breaches by State

There were 18 states that reported data breaches to healthcare organizations/business associates in March 2019. California, Ohio, and Pennsylvania reported three data breaches each. Arizona, Idaho, Masachusetts, Maryland, Minnesota, Oregon, and South Carolina reported two breaches each. Arizona, Connecticut, Georgia, Florida, Indiana, Mississippi, Oklahoma and New York reported one breach each.

HIPAA Enforcement Activities in March 2019

The HHS’ Office for Civil Rights has not issued any fines or settlements in March 2019; but, the Texas Department of Aging and Disability Services has issued a financial penalty over a data breach that transpired in 2015.

Texas approved a settlement of $1.6 million to cover alleged HIPAA violations found while investigating an 8-year data breach reported in June 2015. The settlement is not yet confirmed publicly.

State attorneys general also did not agree with the HIPAA-related financial penalties.

BakerHostetler has published its 5th yearly Data Security Incident Response Report, which features an evaluation of the 750+ data breaches that it helped handle in 2018.

BakerHostetler shows there happens to be a collision of data security, privacy, and compliance. Companies were compelled to adjust the way they take action in cases of security breaches.

U.S. companies needed to comply with federal and state data breaches and notifications regulations as well as the global privacy laws, including the EU’s General Data Protection Regulation (GDPR). The response to breaches has become a complex process because of the differences in personal information and breach response definitions and reporting requirements for GDPR, HIPAA all across 50 states. Non-compliance with any of the regulations can result to financial penalties. It is hence very important to be ready for breaches and respond appropriately when a breach is identified.

Because of the above-mentioined scenario, many companies have created committees with the help of stakeholders with the required expertise for managing data breaches.

Causes of Data Breaches

According to BakerHostetler’s report for 2018, the most common cause of data breaches is still phishing, which accounted for 37% of the incidents the law firm managed in 2018. Phishing attacks most commonly seek Office 365 credentials, which accounted for 34% of phishing attacks in 2018.

Other causes of data breaches include: Network intrusions (30%), accidental disclosures (12%); lost/stolen devices and records (10%) and system misconfiguration (4%).

In 30% of successful phishing attacks, the attackers exploited network to get accessible information. 12% of intrusions led to ransomware deployment, and 8% led to a fraudulent wire transfer. In 1% of incidents, a successful phishing attack deployed malware besides ransomware.

Of all successful attacks, 55% happened because of employee mistake, 27% were because of a third-party non-vendor, 11% were caused by a vendor, 5% were because of a malicious insider, 3% were because of a third-party non-vendor, and 2% were because of an unrelated third party.

Breach Response, Investigation and Recovery

In 2018, 74% of breaches were identified internally while 26% were discovered by a third-party.

On average, it took 66 days to detect a breach throughout all industry sectors, 8 days to respond, 28 days to complete a forensic investigation and 56 days to issue notifications.

in the healthcare industry, it took an average of 36 days to discover daya breaches, 10 days to respond, 32 days to finish a forensic investigation, and 49 days to send notification letters. Healthcare data breaches typically sends an average of 5,751 notification letters.

The investigations conduced by OCR and state Attorneys General increased in 2018. State Attorneys General investigated 34% of breaches and OCR also investigated another 34%. There were 4 lawsuits filed of the 397 breach notifications issued.

The use of forensic firms to investigate a breach also increased, from 41% in 2017 to 65% of breaches in 2018. The average expense for engaging a forensic investigation was $63,001. The average cost was $120,732 for network intrusion cases.

On average, the ransom payment made was $28,920 with a maximum of $250,000. 91% of the cases where ransom payment was made, the attacker gave valid decryption keys.

70% of breaches required the company to offer credit monitoring services mostly because of Social Security numbers exposure.
BakerHostetler additionally remarks that after a data breach, access right requests often increase. Hence, companies should have established and scalable access right request processes to cope with the increase in work after a security breach.

Interactive Data Breach Notification Map

Healthcare organizations must comply with the HIPAA Breach Notification Rule that requires the issuance of breach notification letters to affected persons within 60 days of the identifying a breach.

States that have their own breach notification laws, in some cases, demand notification letters to be issued more quickly. BakerHostetler has put together an interactive data breach notification map to assist companies in knowing the breach notification requirements per state.

With this interactive data breach notification map, healthcare organizations can learn the breach reporting requirements per state. This tool is available here.

Cybersecurity company Morphisec recnetly published the results of a survey on healthcare cybersecurity from the viewpoint of over 1,000 consumers. Questions were asked about the healthcare threat landscape, the way personal health data is being targeted, and how they feel about the protection of their health data.

The change from paper to electronic health records improved patient care efficiency by allowing easier sharing of health information. However, there are vulnerabilities introduced that hackers can exploit.

Morphisec remarks that the rate of cyberattacks on the healthcare industry is double the rate in other industries. Since 2009, there were over 190 million healthcare records exposed or stolen, that is equal to 59% of the U.S. population. Yet 54% off consumers did not know that their providers have suffered a data breach. 40% said they know there was no breach that occurred and only 6% mentioned one of their healthcare providers were affected. HIPAA requires the issuance of breach notifications to consumers in case of a health records breach. But it seems that many consumers are not notified.

Regarding the question on who is responsible for securing health data, 51% of respondents said it was a joint responsibility of the providers and consumers. 29% said only the provider is responsible for it and 8% said it was the consumers’ own responsibility.

Since healthcare providers now provide patients copies of their health information or access to it through patient portals, many consumers feel they are responsible for protecting the health data they share. In the past year, the use of patient portals increased by 14%. Regarding the security of stored data, 55% of respondents said it is more secure when kept by providers. 45% said it is more secure on personal electronic devices. There is no clear input from the consumers regarding

• their confidence in their providers to protect data,
• the likelihood of a cyberattack on a provider or on them personally
• the difference between their own security defenses or their providers’

What is very clear is the agreement of consumers to address the weak links. 21.4% of respondents think web browser protection was the weakest link in security. 21% think endpoint defenses was the weakest point, 20% think it was email phishing defenses and another 20% think it was patient portal defenses. Only 13.8% think medical device security was the weakest point.

Under HIPAA, healthcare organizations need to employ security measures to protect health data privacy. Providers that fail to implement appropriate defenses may be issued heavy fines in case of a data breach. The healthcare industry has indeed improved the standard of security since the introduction of the HIPAA, but many healthcare organizations only implement the minimum required security defenses for HIPAA compliance.

HIPAA compliance help reduce security risks, it does not guarantee that cyberattacks will be thwarted or hackers will be dissuaded. Many healthcare organizations stop improving their defenses after meeting the minimum HIPAA requirements for cybersecurity defenses. That isn’t enough protection against advanced and zero-day attacks from FIN6 and other innovative attackers.

A number of stakeholders have recommended establishing a safe harbor for healthcare providers who satisfy HIPAA security standards to make sure they are immune from monetary fines. With that in place, it is believed that healthcare organizations would be willing to invest more on cybersecurity defenses.

Medical devices using artificial intelligence (AI) may be employed to identify illnesses and persons at risk of developing medical conditions. They can do many time-consuming tasks on behalf of physicians and radiologists in order to quicken the diagnosis of conditions. Quicker diagnoses allows patients to get treatment quickly while it is most effective. They could also help to determine the most helpful treatments including personalized medicine.

At present, the U.S. Food & Drug Administration (FDA) reviews medical devices before granting market authorization. In general, the algorithms the medical devices use must be locked and should not be learning every time they are employed to pass the market authorization process.

Because of the locked algorithms, developers need to update them eventually at intervals using new information. Nonetheless the updated devices will still be manually reviewed to validate the updated algorithm.

In 2018, the FDA certified two medical devices using AI: one can identify diabetic retinopathy and the other can alert providers when patients will possibly have a stroke. The FDA foresees the development of more devices to be used in healthcare which demands the finalization of the review process.

In healthcare, the potential is tremendous if adaptive algorithms are continuously updated instead of being periodically updated. With adaptive algorithms, medical devices learn from new information as they are used in the real world and get better as time passes. For example, algorithms may be used to recognize cancerous lesions. Adaptive algorithms can learn to enhance the level of confidence in discovering cancerous lesions and can potentially recognize several sub-types of cancer depending on real-world reviews.

The FDA is trying to create a regulatory framework so that AI-based medical devices can be approved for use which integrate machine learning and is thinking about reducing prohibitions on adaptive algorithms. To begin that process, the FDA published a discussion paper about the brand new framework for the medical devices using AI on April 2, 2019.

The framework is influenced by the

• benefit-risk framework of FDA
• International Medical Device Regulators Forum risk classification
• risk management guidelines of the software
• device manufacturer’s complete product life cycle

In some instances, it would be essential for the device manufacturers to make a new submission to the FDA to get further approval, however generally speaking, the framework will not require further reviews for updates to be done via their adaptive algorithms.

The discussion paper only outlines the FDA’s plans and is not considered as guidance. It talks about medical devices using adaptive algorithms and shows the appreciation of the FDA on the present software regulatory framework that seeks to improve medical devices.

See the FDA’s PDF document entitled Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device for which the FDA is requesting feedback.