Providence Medical Institute Ransomware Fine: Providence Medical Institute has been fined $240,000 by OCR for HIPAA violations in connection with a ransomware attack that exposed the PHI of over 80,000 individuals. Interestingly, OCR only noted 2 HIPAA violations warranting the fine: lack of an appropriate BAA, and lack of policy restrictions on the people and programs who can access PHI. OCR did NOT note a lack of a sufficient risk assessment (but maybe that's implied since a good risk assessment would have noted the access problem and lack of BAAs?).
Offshore Outsourcing of Tech Services Can Be Problematic: A few weeks ago, HHS removed two Obamacare enrollment companies from accessing the ACA Marketplace based on concerns that the companies potentially allowed consumers' personal information to be accessed in India. The companies operate the BenefitAlign and TrueCoverage websites, and use an Indian data center.
US privacy law does not generally prohibit the use of offshore companies as business associates, as long as a business associate agreement is in place. However, even with a BAA in place, HIPAA covered entities still have an obligation to vet their contractors and cannot turn a blind eye to whether their offshore business associates will abide by their BAA obligations. There's always a question of whether a rogue business associate can be dragged into a US court if they violate the BAA.
Additionally, some federal and state payment programs (including some state Medicaid programs) specifically limit the ability to use offshore contractors, if they will have access to PHI.
Some tech companies set up elaborate systems to limit the transmission of PHI outside the US, including systems where theoretically the data never leaves the US and the offshore consultant does not technically receive the data, but is merely able to "see" it from afar (although that seems like a convenient fiction). Certainly, most legitimate Indian, Philippine, and Pakistani tech companies have elaborate systems in place to ensure that their human staff can't take data with them (employees are not allowed to bring cameras or cell phones into the workspace and are searched coming and going, there are no USB ports or other ways to access the data system, etc.).
It's almost impossible to obtain any tech services where no aspect of the service is done outside the US. However, you should be aware of these concerns and especially careful if you are bound by Federal Acquisition Regulations or other obligations that might restrict the offshoring of personal data.
Great Write-Up on OCR's 3rd Ransomware Settlement: Theresa Defino of Report on Patient Privacy has an excellent article on the recently-announced settlement Heritage Valley Health System entered into with OCR. Heritage Valley got hit by the NotPetya ransomware attack back in 2017 through no real fault of their own -- they used Dictaphone transcription software as part of iChart, and that was the vector of the attack. Dictaphone had been acquired by Nuance Communications, which aggressively expanded overseas; the ransomware originated in Ukraine, and entered Heritage Valley's system through a trusted VPN they had with Nuance. Unfortunately for Heritage Valley, they never signed a new contract with Nuance, so their suit against Nuance was dismissed.
It's hard to imagine how Heritage Valley could've protected itself and prevented this attack; they had a contract with Dictaphone, but their failure to sign a new agreement with Nuance wasn't the cause of the attack. Regardless, OCR hit Heritage Valley with the biggest ransomware-related fine yet, almost $1 million.
Baim Institute for Clinical Research Suffers Ransomware Event and Data Disclosure: According to this analysis by Safety Detectives, Baim Institute for Clinical Research was a victim of a ransomware event, did not pay the ransom, and some of the data was subsequently posted on the internet.
There are many interesting aspects to this breach. First, it's unclear whether HIPAA is implicated; Baim is not a covered entity, but it could be a business associate, depending on who it contracts with and provides services to. To the extent the incident was caused by Baim's lack of sufficient security, it could be a contractual breach by Baim. The data disclosed contains little that would be PHI, and that which is PHI is not likely to be useful for identity theft, since it only includes very limited information about adverse events, and it's unclear if even patient names are included (age and gender are data points that can remain in de-identified PHI); however, the data could potentially be useful for blackmail, public embarrassment of the study participants, etc. The disclosed data seems to have 3 value points: (i) reputational damage to Baim by exposing them as potentially bad data stewards; (ii) possible disclosures of Baim's business relationships that a competitor might exploit; and (iii) information about particular studies that could indicate whether a drug in development might be a blockbuster or flop (and therefore potentially affect the stock price of the sponsor).
It is yet one more message to the industry: it's not a question of if, but of when, and if you are not prepared for a ransomware attack, you deserve what you get. Good backups, good perimeter security, good testing of your systems and staff, and good mapping of your systems can go a long way to preventing most attacks, and allowing you to recover from those lucky dogs that get through.
Good work by Safety Detectives.
2024 Will Be Big: I have a feeling 2024 will be a record year for data breaches, both in the number of breaches overall and the size of the breaches (given the AT&T and Change breaches).
Change Healthcare Updates its Breach Notice. They added a timeline, apparently, and are going to finally start sending notices to affected individuals.
I expect that most of us will get a letter, since I expect at least 3/4 of all Americans had data passing through Change one way or another. I am also still expecting a record fine from OCR on this, perhaps 9 figures.
Geisinger data breach impacted 1.2 million people: This breach is interesting because it's a disgruntled former employee of a vendor who accessed the data for 2 days, so the spread of it might be more limited than a general hacking attack.
OCR settles ransomware and cybersecurity investigation involving Heritage Valley Health for $950,000: This is the 3rd settlement of a ransomware incident by OCR and may indicate a focus by OCR specifically on cyberattacks. OCR cited Heritage Valley for the usual problems, including failure to do a sufficient risk analysis, failure to implement a contingency plan, and failure to implement appropriate HIPAA policies and procedures.
New Social Engineering Schemes Target Healthcare: The FBI and HHS are warning healthcare industry participants about increased phishing and other schemes targeting the healthcare industry. Ransomware and cyberattacks are up; protect yourself.
Federal Court Blocks HHS Rule Prohibiting Use of Web Tracking Technologies Such as Google Pixel: As you probably know, HHS has issued guidance to HIPAA Covered Entities that they cannot use web-tracking technology if the tech provides any possible PHI to the tech provider. Most websites have tracking technology; it tells the site owner what pages attract viewers and how they act when they get there (i.e., which buttons they click and how they respond to certain elements on the site). These allow the site owner to know what's working, what customers are looking for, where they should provide more or less services, etc.
The problem is that the tech provider usually also wants the data generated by the tracking tech. The tech provider can use the greater amount of consumer action data to make the technology better, improve their algorithms, etc. The problem is that the tech providers generally don't sign BAAs; they are not really getting PHI (the information may be entirely random, such as when a student is looking at a site for information on types of clinical treatment for a particular type of cancer). However, in some instances, such as when people with that type of cancer are looking for treatment for themselves, the fact that the person looked up treatment options could be evidence that the person has that condition, which would be PHI.
In most instances, the websites have Terms of Use and Privacy Policies that note that tracking technologies are used, so website visitors are forewarned of the potential disclosures. However, those warnings certainly don't meet the requirements of a HIPAA authorization.
There have been class action lawsuits (one even settled with a large payout!) claiming that the use of the technology by a HIPAA-covered Entity is a HIPAA violation because of those instances where it is a person with the condition; the Covered Entity has disclosed that website visitor's PHI (the visitor's IP address linked to the cancer diagnosis) to the technology provider for a non-HIPAA-permitted purpose without a BAA.
The American Hospital Association sued HHS over the guidance, and a Federal District Court in the Northern District of Texas has ruled that HHS overstepped its legal authority in attempting to enforce HIPAA in that fashion.
For now, providers can go back to using trackers, but keep an eye out; HHS might appeal.
HHS, ARPA-H announce UPGRADE program to automate cybersecurity for healthcare entities: The Advanced Research Projects Agency for Health (a technology funding agency in HHS) has announced that it will put $50 million toward finding ways to enhance and automate cybersecurity in the healthcare arena through a new program called UPGRADE (Universal PatchinG and Remediation for Autonomous DEfense -- yes, like most clinical research trials, it's a tortured acronym). If they can actually set up a program that sets automatic patching and recognized-security-practices-type policies that the average healthcare entity can easily adopt, that would be great. I have a feeling that instead they'll produce hour-long videos and 1,000-page white papers that spend WAY too much time rationalizing the agency's people and processes, such that the end product will be a huge waste of time for users.
We'll see. . . .
AHA and H-ISAC Issue Black Basta Warning: The American Hospital Association and the Health Information Sharing and Analysis Center (H-ISAC) have jointly issued a warning to health systems about a Russian hacker group known as Black Basta that is specifically attacking the US health sector. The warning comes on the heels of the Ascension cybersecurity incident that is still snarling that system's ability to provide care.
Grab a printout of your last Security Risk Assessment and look at any cyber-defenses that you are lacking; if there's anything that a hacker could exploit, fix it now (or at least put warning bells and buzzers around it). If you can't put your hands on your last SRA, you don't have one (basically in violation of HIPAA). You should also be (i) auditing access and data transfer flows (your staff should be accessing data and you should be moving it around -- transferring to other providers and payors, etc. -- but if people are accessing data they shouldn't, or large data files are being transferred to a Nigerian IP address at 3 am on Saturday, something's probably wrong); (ii) regularly backing up your data to serial, secure, and encrypted data backup sites that are disconnected from the internet; (iii) implementing MFA; (iv) mapping your data systems, which will allow you to close unused data ports and shut down internet access to any parts of your computing environment that don't need it, and implementing encryption where possible; (v) using firewalls and virus scanning tech; and (vi) testing your people and systems to keep your most vulnerable line of defense sharp (penetration testing from the outside in, phish testing and training from the inside out).
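As an added example of the access and transfer auditing described above (not from the original post), a small Python script that scores each outbound transfer on the three signals the post names: a destination outside the networks you expect to exchange data with, off-hours timing, and size. The log lines, IP ranges, user names and thresholds are all constructed for the example.

```python
"""Flag anomalous outbound data transfers in a constructed transfer log.

Heuristic follows the post: a large file leaving the network to an
unknown destination at 3 a.m. on a Saturday is worth a second look.
All IPs, users and thresholds below are constructed/hypothetical.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Destinations the organization expects to exchange PHI with (constructed).
# RFC 1918 space stands in for internal systems; 203.0.113.0/24 (a
# documentation range) stands in for a hypothetical payor/clearinghouse.
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]
BUSINESS_HOURS = range(7, 19)              # 07:00-18:59 local time
BUSINESS_DAYS = range(0, 5)                # Monday..Friday (datetime.weekday)
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # 500 MiB

# Constructed sample log: ISO timestamp, user, destination IP, bytes sent.
# 2024-06-03 is a Monday; 2024-06-08 is a Saturday.
SAMPLE_LOG = """\
timestamp,user,dest_ip,bytes
2024-06-03T10:15:00,jdoe,203.0.113.45,52428800
2024-06-03T14:02:00,asmith,10.20.30.40,734003200
2024-06-08T03:07:00,jdoe,198.51.100.77,2147483648
2024-06-05T22:40:00,rlee,198.51.100.12,4096
2024-06-04T09:30:00,asmith,192.168.5.9,1048576
"""


def is_allowed_destination(ip_text):
    """True if the destination falls inside an expected network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED_DESTINATIONS)


def transfer_reasons(row):
    """Return the list of reasons a single transfer looks suspicious.

    An empty list means the transfer matches expected behaviour.
    """
    when = datetime.fromisoformat(row["timestamp"])
    size = int(row["bytes"])
    reasons = []
    if not is_allowed_destination(row["dest_ip"]):
        reasons.append("destination outside allowlist")
    if when.weekday() not in BUSINESS_DAYS or when.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if size >= LARGE_TRANSFER_BYTES:
        reasons.append("exceeds size threshold")
    return reasons


def find_suspicious_transfers(log_text, min_reasons=2):
    """Parse a CSV transfer log and return transfers with >= min_reasons hits.

    Requiring two independent signals keeps a single large backup during
    the day, or a small lookup at night, from paging anyone; combining
    signals is what makes the 3 a.m. Saturday export stand out.
    """
    reader = csv.DictReader(io.StringIO(log_text))
    flagged = []
    for row in reader:
        reasons = transfer_reasons(row)
        if len(reasons) >= min_reasons:
            flagged.append({"user": row["user"], "dest_ip": row["dest_ip"],
                            "bytes": int(row["bytes"]), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_transfers(SAMPLE_LOG):
        print(f"{hit['user']} -> {hit['dest_ip']} ({hit['bytes']} bytes): "
              + "; ".join(hit["reasons"]))
```

Tune the allowlist, hours and size threshold to your own environment; the value is in reviewing the flagged rows regularly, not in the exact numbers.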
If you aren't taking a serious look at your cyber defenses, you'll have no one to blame but yourself if you get caught by one of these bandits.
Ascension Hit With Ransomware Attack: The story is still breaking, but Ascension Health was the victim of a cyberattack that affected its EMR and MyChart, in addition to disrupting service at hospitals, clinics, and emergency rooms.
Size Matters: Just how big is the Change Healthcare breach? Over 100 million Americans may be affected.
I rode in a 150-mile bike ride between Houston and College Station, Texas last weekend; the Bike MS 150 raises money for research into a cure for multiple sclerosis. There were several thousand riders, of all shapes, sizes, athleticism and biking skills. No matter who you are, odds are there's someone faster than you and someone slower than you. That gives you the opportunity to find a rider (or more likely a group of riders) who are slightly faster than you, upon whom you can "draft" as they ride past. One thing you learn while riding in a large group is the benefit of numbers and the concept of the Peloton: the lead rider cuts a path through the air molecules such that trailing riders can exert less energy to keep up the same speed; likewise, the riders close behind the lead rider cut the aerodynamic "drag" on that rider by disrupting the backdraft that would normally happen.
So when you are riding by yourself and a group passes you by a couple miles per hour faster, you can drop into the air behind them and ride at their speed with the same level of effort as (or less than) you were exerting by yourself. The pack of riders creates a "wind shadow" that hides you from the mass of air you would otherwise be riding into (as if against the wind).
I bring this up because something occurred to me this morning: the Change breach may end up creating a "wind shadow" for other providers who are dealing with data breaches over the next few years, at least with respect to lawsuits for breach damages: how can a plaintiff prove that his damages were caused by Dr. Smith's data breach when the plaintiff's data was already exposed via the Change breach?
United Healthcare: It's been a bad spring for UHC: their pharmacy order and clearinghouse subsidiary Change Healthcare suffered one of the most impactful cybersecurity events in healthcare, resulting in delayed prescription deliveries and payment processing for providers and plans. We are now learning that hackers from the AlphV hacker group (also referred to as BlackCat) apparently accessed Change's systems February 12 and began stealing data. On February 21, AlphV detonated a ransomware bomb that encrypted and froze the bulk of Change's system, basically shutting down Change's claims processing and clearinghouse function, along with its Optum affiliate that processes pharmacy orders. UHC has now announced that the data was stolen and is being disclosed by the hackers.
Wired magazine reported that Change paid $22,000,000 in ransom to get the hackers to return or destroy the data. Now, UHC is announcing that the hackers are disclosing the data anyway. Who would've thought hackers wouldn't honor their promises?
Tracking Technologies: In the latest news on the use of website tracking technologies such as Google Pixel, Monument Health has entered into a settlement agreement with the FTC to not use the technology in a way that could leak its patients' PHI to advertisers.
Technically, the pixels allow technology companies to track behavior of website visitors, such as by tracking where they go on a website. It helps the website owner know what services people are interested in, what web page language seems to attract visitors, and other information that can help the website owner improve its business.
A user's behavior on a website is not always PHI, but it could be: someone could look at a website for a particular disease because they are curious about it, are researching it, or have a friend or family member who has the disease; however, it's also fairly likely that when someone clicks on a link that says, "if you have health condition X and are interested in treatment options, click here," clicking on the link is at least closely correlated to the person having the condition, which is PHI.
The company offering Pixels and other tracking technology helps the website owner improve its own website and business; however, the technology company also might use the information to direct advertisers (including its own advertising options). If someone using a particular computer, phone, or other internet-accessing device visits a particular website that is associated with a particular subject matter, type of product, or activity, then the user of that computer is much more likely to be someone interested in related products and services; knowing who those people are is valuable to advertisers.
Let's assume a particular smartphone web browser regularly searches for images and information on deer hunting. If a business sells deer hunting supplies and puts together game hunts, that business would really want to advertise to whoever is using that smartphone. On the other hand, a business involved in animal rights and veganism would not want to waste its marketing dollars contacting that smartphone user.
The effect to the customer can be creepy: it looks like the website is spying on me. And when the subject matter is healthcare, it becomes a question: did the company hosting the tracking technology disclose PHI from the user who was searching the healthcare matter?
Not necessarily; the fact that person X looks up healthcare service Y does not mean that person X has condition Y. HOWEVER, there is definitely a correlation, and in some cases a direct connection.
More will come from this.
Anyway, that's the reason these tracking technologies are such a hot-button issue.
Another "Right of Access" Settlement: OCR has entered into its 47th settlement with a HIPAA covered entity or business associate accused of failing to grant an individual access to his/her PHI. As you know, in addition to 5 other rights specifically granted to individuals under HIPAA, except for a few specific types of data, covered entities and business associates must allow individuals to access and get a copy of their PHI, if it's in a designated record set. A few years ago, OCR started vigorously enforcing this, and it doesn't look like they're going to stop any time soon. This time, the fine is $35,000, in line with recent right-of-access settlements.
There are a few reasons why a covered entity won't give an individual access to their PHI, but many times it's not a good reason (the covered entity doesn't want to make it easy for a patient to find another provider). Take this as fair warning -- if the patient asks, give them the data, unless you have a VERY good reason.
Do Healthcare Organizations Cheap Out on Cybersecurity Spending? That's the question Modern Healthcare asks (subscription required). Based on a survey from last year, healthcare is one of the chintziest industries when it comes to spending on cybersecurity. It kinda shows, doesn't it?
HHS steps in: HHS has started its own investigation into the Change hack; expect a record-setting fine. I'll predict at least $25 million, possibly over $100 million to break the 9-digit barrier.
Change Cyberattack: I guess everyone's finally going to learn what a "health care clearinghouse" is. They've always been the "other" entity that's a covered entity under HIPAA.
HHS Statement on Change Healthcare Cyberattack: In HIPAA-adjacent news, . . .
Unless you've been buried in a snowbank somewhere, you've probably heard that United Healthcare's technology/service/clearinghouse unit Change Healthcare suffered a cybersecurity incident that has severely affected its timely processing of data and claims. HHS has issued a statement, outlining that it is in contact with Change and has instructed MACs and other entities to try to assist those whose cash-flow has been adversely affected.
The key take-away from the entire Change fiasco is that the system is now so interconnected that an incident at a single point can nearly destroy the entire system. This is the proverb, "but for a nail, the kingdom was lost," brought to life. It comes on the heels of the pandemic, where we saw that implementing efficiencies such as offshoring and just-in-time inventory may save money, but they add a great risk that widespread disruption could be caused by any type of problem.
LaFourche Medical Group pays $480,000 to settle ransomware attack affecting 35,000 patients: An emergency and occupational medicine practice in Louisiana was a ransomware victim in 2021, the result of a successful email phishing attack. While it does not appear that the attack involved encryption, it did allow the hacker to access patient information, which gave the attacker the ability to seek a ransom payment for the return of the PHI.
Unsurprisingly, OCR cited lack of risk analysis and lack of sufficient policies and procedures as the basis of the fine.
[Note: This should have been posted early January -- I just noticed it was still in Draft]
HHS announces data blocking penalties: The information blocking rule (IBR) is part of the 21st Century Cures Act, which itself is sort of a hodge-podge of a law addressing a bunch of different healthcare research and IT related matters. Of course, the Cures Act itself follows in a long line of healthcare policymaking that is both omnibus in presentation and reactive and/or deductive in focus.
Remember, HIPAA started out as a law intended to force insurance companies to provide coverage to an applicant who had similar insurance in the immediate months prior. One way to "scam" insurance is to not participate when you are healthy and only buy it when you are sick, which is the practical equivalent of not buying fire insurance until your house is on fire. If you can do so, you avoid paying into the insurance risk pool when you'd lose money, and only pay in when you'll get more back. In other words, you're "free-riding" on other insurance purchasers.
It's understandable that insurers want to prevent free-riders, and one way to do it is by refusing to cover pre-existing conditions. If you don't buy insurance until you're sick, and then show up at the insurer's door with an expensive illness, the insurer will say, "OK, you're covered, but not for what you already got." That's fair. However, what if you didn't game the system, you weren't a free-rider: you had insurance previously, but you just need new insurance because (e.g.) you got a new job. For the insurance company, it's still a pre-existing condition, but it's not fair to the insured. Ultimately, for a lot of people, the pre-existing condition hurdle meant they were stuck in their current job and couldn't take a better one. That's "job-lock."
HIPAA was originally drafted to target job-lock: if you had "creditable" health insurance coverage within the last 6 months, a new insurer can't deny you for a pre-existing condition. Remember, the first 2 letters of HIPAA don't stand for health information privacy, but for health insurance portability. It's a great idea that every politician could support. However, great ideas get other ideas attached to them, ideas that might not pass into law on their own, but would pass if they were attached to a great idea.
Several new foci got attached to HIPAA's portability provision, some with merit but none universally supported. First, regulators wanted the healthcare industry to be more efficient. At that time, healthcare was a laggard in adopting information technology; most healthcare providers used primarily paper records, and a large portion of billing was done on paper (and that done electronically was done using multiple systems with no coherent or consistent programming logic). The drafters of HIPAA thought that if all electronic transactions in healthcare were standardized, more people would bill and pay electronically, and the system would be more efficient. Thus, the transactions and code sets (T&CS) rule was adopted.
However, if all that data is going to be digitized and sent electronically, the data would be at much greater risk in electronic format than in paper format (you can't make money trying to steal paper records, and a breach of a physical paper storage room is a lot easier to catch and prevent). If we're going to encourage electronic data interchange in healthcare, we also need to ramp up data privacy and security practices. Thus, the privacy and security rules were adopted.
You see, Portability begat T&CS standards, which in turn begat Privacy and Data Security standards. And you know that the HITECH Act contains a lot of HIPAA updates and revisions, including the data breach reporting standards.
One of the main foci of the HITECH Act (remember, the title is "Health Information Technology for Economic and Clinical Health") was the "meaningful use" rule: the encouragement/forcing of healthcare providers to adopt electronic medical records (EMRs); this was actually a follow-on to the genesis of HIPAA's transaction and code sets, as well as the data privacy and security requirements. While the T&CS rule was intended to entice the industry to become more digital, not enough providers moved in that direction, particularly small health providers. Many continued their paper ways. Congress knew that one way to get them to move would be to give them money to do so: if a healthcare provider uses electronic technology in a meaningful way (i.e., becomes a "meaningful user" of it, i.e., adopts an EMR), CMS will pay it money; if it does not, CMS will reduce what it pays for Medicare and Medicaid patients.
The IBR is intended to address an issue that has come up with regard to EMR companies intentionally designing their systems to be less-than-fully compatible with other EMRs.
Hospitals, medical groups push back against penalties
Second OCR Ransomware Incident Settlement Announced: OCR has entered into a settlement agreement relating to a ransomware incident, this time a fine of $40,000 for Green Ridge Behavioral Health.
Lack of a Risk Analysis, lack of sufficient security measures, and a failure to monitor system activity were cited as reasons for the fine, which is a pretty common theme for OCR fines.
OCR's press release on the matter included specific actions it expects HIPAA covered entities to take to prevent incidents (and avoid fines if they do happen). These align with the recommended security practices that Section 405(d) of the Cybersecurity Act considers "mitigating factors" when regulatory action is taken:
"OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following best practices to mitigate or prevent cyber-threats:
- Reviewing all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrating risk analysis and risk management into business processes; and ensuring that they are conducted regularly, especially when new technologies and business operations are planned.
- Ensuring audit controls are in place to record and examine information system activity.
- Implementing regular review of information system activity.
- Utilizing multi-factor authentication to ensure only authorized users are accessing protected health information.
- Encrypting protected health information to guard against unauthorized access.
- Incorporating lessons learned from previous incidents into the overall security management process.
- Providing training specific to organization and job responsibilities and on regular basis; and reinforcing workforce members' critical role in protecting privacy and security."
Hospital Cyberattacks Continue to Rise: This should come as a surprise to nobody, but the biggest data risk to pretty much everyone in the healthcare industry is the risk of cyberattacks, particularly ransomware. I have had several clients who have suffered ransomware attacks. These always disrupt care to some extent, and fortunately my clients have not suffered any patient care problems, but others have. However, they all have had to spend extremely large sums to fix the problems, and many have suffered the follow-on effect of the class action lawsuit by patients whose data was involved.
If you aren't focusing on this now, you need to.
OCR Lies. I usually have good things to say about OCR. For the most part, it's full of good people trying to do good things, and the investigators are probably the nicest enforcement people in the entire government: they really want to help healthcare providers get better and often give the benefit of the doubt to healthcare workers who are really trying to do the right thing but don't always get it right.
But whenever the Xavier Becerra hack-machine gets involved, you can count on things going off the rails, and yesterday brought a sterling example.
It is an indisputable fact that good people can disagree on abortion, but it's equally indisputable that people who believe abortion is murder should not be forced to participate in performing abortions. But it happens, or at least it did prior to a 2019 rule from HHS threatening hospitals with removal of federal funding for forcing objecting employees to participate in abortions or other acts that violate their legitimate religious beliefs.
Yesterday, HHS, through OCR, rescinded that rule. I guess you could quibble that the rule might have given employees too much leeway to refuse to do legitimate work that shouldn't be objectionable, or that full removal of federal funding was too big a penalty, and a $100,000 or $1 million fine would do the trick. But rescinding it entirely?
And even worse, bragging that REMOVING those conscience protections is actually INCREASING them? Here's the header of OCR's press release:
And here's the headline and lede of an article in The Hill, which is certainly left-leaning:
New Jersey medical practice Optum Medical Care has settled an OCR investigation regarding Optum's failure to grant patient access to medical records, agreeing to pay $160,000.
ESO, CVC, HEC Disclose Data Breach: ESO, a healthcare software company serving hospitals, EMS entities, and governmental agencies, announced a ransomware-triggered data breach affecting 2.7 million individuals.
Cardiovascular Consultants of Arizona also announced that it suffered a cyberattack that affected almost half a million patients.
Finally, New Jersey-based population health management company HealthEC also announced a cybersecurity incident affecting 112,000 individuals.
All of these are offering credit monitoring to affected individuals.
Norton Healthcare Hack Exposes Data of 2.5 Million Patients. The hackers accessed some of the Louisville hospital system's data storage, but not the EMR or MyChart.
US health officials call for surge in funding and support for hospitals in wake of cyberattacks that diverted ambulances. Of course, some of the "funding and support" is imposing stricter fines for providers who have lax cybersecurity.
Some amount of cybercrime is inevitable. However, there still is a shocking lack of cybersecurity among healthcare providers. Patching (regularly applying software patches when they are issued by the software providers), good data backups, network segmentation (keeping secure parts of your network -- which don't need internet connections -- separated from the parts of the network that do need internet connections), and phishing training can eliminate the vast majority of cybersecurity incidents. If you're not doing that, you probably deserve stricter fines.
St. Joseph's Medical Center Settlement: During the height of Covid, St. Joseph Medical Center allowed a reporter and photojournalist access to its operations as part of a story about hospital overcrowding and St. Joseph's response to swelling numbers of Covid patients. Some pictures of patients apparently made it into the newspaper, and according to OCR, some information about St. Joseph's patients. OCR has now entered into a settlement agreement with St. Joseph's regarding the incident.
St. Joseph has admitted no liability in making the settlement.
The settlement involves an $80,000 fine, a review and possible revision of St. Joseph's HIPAA policies (to be reviewed by OCR), and a 2-year oversight plan by OCR. That's not a big penalty; I'd be extremely surprised if St. Joseph spent less than $80,000 on attorney's fees in conducting its own investigation and response, much less what it might've spent on other consultants to address the investigation. All HIPAA covered entities should be reviewing their policies and procedures regularly, and most would love to have OCR review them and give their blessing or offer tips for useful revisions. The 2-year monitoring could be a bit of a pain, but it's shorter than the usual 3-year plan seen in most settlements.
At this point, I have not seen a response from St. Joseph's, nor have I seen copies of the AP story that made the press, but I suspect that there is a legitimate question about whether PHI was actually disclosed in the article. I suspect the photos do not show patient faces, and any individual information was nearly if not entirely de-identified. However, it is entirely possible that the reporter was exposed to at least a minimal amount of PHI when he/she was allowed access to non-public areas where patients were gathered, and likely that the hospital didn't get consent from all of those patients before allowing the access. Still, that's pretty thin gruel.
However, the case is another reminder of the risks a health care entity takes when dealing with the press. While St. Joseph's probably saw the reporter's request for access and information as an opportunity to tell their story and put on a good face, covered entities must be extremely careful about what information gets out.
Perry Johnson & Associates, a medical transcription service, has apparently suffered a data breach involving a hacker gaining access to its computer systems. Not much is known at this point, but I'll update you as more information comes in.
AHA sues HHS to stop OCR guidance on web trackers. This is super-inside-baseball HIPAA stuff, folks. And it has a chance of taking hold.
Here's the background: many websites use some type of technology to track user behavior on the website. There are tons of legitimate reasons why you would want to do this: If every visitor to one part of your website clicks the same link, or otherwise acts in a non-random way, you want to know it. For example, let's say you offer weight loss services and have a page with many different choices (exercise programs, diet counseling, Ozempic, psychedelics, etc.), and you have an equal number of staffers working to provide each choice. But you find out from tracking technology that 90% of your visitors all go to the Ozempic page, but nobody ever clicks on exercise. If you're running your business responsibly, you'll switch the exercise employees over to the Ozempic team. But you might never know that website visitors are behaving that way without a tracker.
One of the ways trackers work is by tying the visitor's choices to the particular visitor, usually by the specific signature of the user's computer or other device that connected to the website (for example, the user's cell phone or iPad). The company that provides the tracking technology uses the information it gathers to fine-tune its algorithms for its healthcare provider customer, but also uses the information for other purposes, such as the marketing services it sells to other customers.
Here's the problem: the device ID isn't necessarily the person who owns it (multiple people could have access to and use the same iPad), and the behavior of the person doesn't necessarily tell you anything specific about the person (I could be looking at information about a particular disease not because I have it, but because I know someone who does and I'm curious). However, it's still a pretty good proxy. If I go to a weight-loss website, I'm probably looking to lose weight; if I go to a diabetes website, the odds are pretty good that I'm a diabetic. And if my computer goes to the website, it's probably because it's me that's operating it. Thus, you can deduce, not with certainty but with some high level of likelihood, that if my cell phone accesses a website for X disease, I have that disease. HOWEVER, is data that's simply indicative of health status PHI? How tight does the connection need to be?
And therein lies the problem -- the information derived from the tracking technology COULD be PHI, and letting the technology company have access to that information would make the vendor a business associate. The vendors don't want to be restricted in how they use that data.
OCR has declared (in a December 2022 bulletin) that providers that use tracking technology must have BAAs with those vendors, but those vendors won't sign BAAs. The end result is that big hospital systems are prevented from using a technology that can streamline their processes, save them money, and allow them to better serve their patients. Hence the AHA's actions.
This will be interesting.
(11/3/23)
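To make the tracker mechanism described above concrete, here is an added illustration (not code from the original post, and not any vendor's, OCR's or the AHA's actual implementation). It constructs a small log of beacon records in the shape a third-party analytics vendor typically receives (a per-device identifier plus the page path visited; the field names and the `/conditions/<topic>` URL convention are assumed), shows how those records become a health-status inference per device, shows a data-minimization step a site could apply before any beacon leaves its own servers, and audits a constructed page snippet for the external hosts it loads resources from, i.e., the vendors that belong on the BAA/vendor-review list.

```python
"""Added illustration (not from the original post): how a web tracker's beacon
log turns page visits into health-status inferences, and an audit that lists
third-party resources on a page. All sample data below is constructed."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed beacon records: a per-device identifier plus the page path.
# Field names are hypothetical; real vendors use their own schemas.
SAMPLE_BEACONS = [
    {"client_id": "dev-a1", "path": "/conditions/diabetes"},
    {"client_id": "dev-a1", "path": "/find-a-doctor/endocrinology"},
    {"client_id": "dev-b2", "path": "/about-us"},
    {"client_id": "dev-c3", "path": "/conditions/weight-loss"},
    {"client_id": "dev-c3", "path": "/conditions/weight-loss/ozempic"},
]


def infer_health_signals(beacons):
    """Group beacons by device and keep only paths that imply a health topic.
    This is the inference the post describes: the device is not the person and
    curiosity is not diagnosis, but the signal is a strong proxy for both."""
    signals = defaultdict(set)
    for b in beacons:
        parts = [p for p in b["path"].split("/") if p]
        # Assumed convention for this sample site: /conditions/<topic>/...
        if len(parts) >= 2 and parts[0] == "conditions":
            signals[b["client_id"]].add(parts[1])
    return {cid: sorted(topics) for cid, topics in signals.items()}


def minimize_beacon(beacon, sensitive_prefixes=("/conditions/", "/find-a-doctor/")):
    """Data-minimization step a site could apply server-side before a beacon
    is forwarded: collapse paths in sensitive sections so the vendor learns
    only that some page in that section was viewed. Assumed design, not OCR's."""
    path = beacon["path"]
    for prefix in sensitive_prefixes:
        if path.startswith(prefix):
            return {"client_id": beacon["client_id"],
                    "path": prefix.rstrip("/") + "/[redacted]"}
    return dict(beacon)


class _ResourceCollector(HTMLParser):
    """Collect the src/href targets of tags that load remote code or pixels."""
    WATCHED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.targets.append(value)


def third_party_hosts(html, first_party_host):
    """Return the set of external hosts a page loads resources from. Each one
    receives at least the visitor's IP, user agent and page URL, so each is a
    vendor relationship to review for a BAA."""
    collector = _ResourceCollector()
    collector.feed(html)
    hosts = set()
    for target in collector.targets:
        host = urlparse(target).hostname
        if host and host != first_party_host:
            hosts.add(host)
    return hosts


# Constructed page snippet: one first-party asset, two third-party loads.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-hospital.org/js/app.js"></script>
<script src="https://analytics.example-vendor.net/tag.js"></script>
</head><body>
<img src="https://pixel.example-ads.com/p.gif?page=/conditions/diabetes" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print(infer_health_signals(SAMPLE_BEACONS))
    print([minimize_beacon(b) for b in SAMPLE_BEACONS])
    print(sorted(third_party_hosts(SAMPLE_HTML, "www.example-hospital.org")))
```

The audit function deliberately treats every external host as a question to answer rather than a violation: a first-party CDN may be fine, but an analytics or ad-pixel host that sees condition-specific URLs is exactly the relationship the December 2022 bulletin says needs a BAA.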
UPDATE 11/9/23: Interesting press release from AHA and other hospital associations about their suit against HHS over web trackers. According to Bloomberg Law (subscription may be required), HHS uses the same tracking technology on its websites that HHS guidance warns hospitals about as being potentially violative of HIPAA. Interestingly, I also learned in that article that hundreds of class-action lawsuits have already been filed against hospitals for using the technology in violation of HIPAA.
This isn't the end of the story, of course: HHS isn't a HIPAA-covered entity (although Medicare and Medicaid are), and people searching the HHS website usually aren't looking for specific medical conditions or providing the same type of information as a visitor to a hospital site might. However, from a general privacy standpoint, it's an interesting point of hypocrisy.
OCR Fines Ransomware Victim due to HIPAA breaches: Doctors' Management Services (DMS), a management company that serves as a business associate of covered entity physician practices, has been fined $100,000 by OCR for failure to do a sufficient Security Risk Analysis (SRA), lack of policies and procedures, and failure to monitor system activity (all the usual suspects).
DMS was itself a victim: a criminal hacker caused the incident. But DMS still got hit with a big fine because they didn't take the steps needed to avoid being a victim in the first place.
Some covered entities that are ransomware victims get fined, and others don't. Both groups suffer from the incident, but the second group (ones with good SRAs, policies and procedures, and monitoring) is much less likely to get fined. Just ask me -- I have personal experience with this!
UPDATE: Thanks to Theresa Defino at Report on Patient Privacy, DMS has had a chance to tell their side of the story. As I noted in my original post, DMS was a victim here. I noted that "they didn't take the steps," based on OCR's press release. Now, I'm thinking maybe OCR overreacted, but I haven't actually talked to DMS.
The point here, though, is that OCR's stated list of wrongdoing is the same list that's applicable to almost every other case involving a fine (other than the access cases). You want to be able to prove that you have done your SRA, have good policies that you follow, and monitor your system activity.
Did you know HHS has a YouTube channel? Here's a recent posting explaining how your HIPAA Security Rule compliance activities will also help you avoid a cyberattack.
Obviously, if you've read anything on this site, you know that failure to do a Security Risk Analysis (which is specifically required by the Security Rule) is the number one thing that OCR cites when issuing fines. This makes sense, because (i) it's the number one thing that will help prevent you from suffering a breach or other incident, (ii) a breach/incident is usually the thing that leads to an OCR investigation, and (iii) an investigation that shows failure to do an SRA will often end up with a fine and a compliance agreement.
Just as importantly, a cyberattack can ruin your business, and it's never good for your patients. Best to take the appropriate steps to avoid them.
Cybersecurity Toolkit for Healthcare: HHS and the Cybersecurity and Infrastructure Security Agency (CISA) have joined forces to publish a toolkit to help the healthcare industry work with governmental agencies to "close gaps in resources and cyber capabilities." The toolkit is here; I haven't reviewed it, but it promises to "contain remedies for health care organizations of all sizes."
Spooky: OCR is hosting a Halloween webinar on the HIPAA Security Rule's risk analysis requirement. At 3:00 Eastern time (the invite says EST, but I think it's EDT) on Tuesday, October 31, an OCR panel will discuss how to conduct a risk analysis. Trust me, you want to be doing what OCR thinks you should be doing; it makes it so much less painful to explain how the breach you suffered wasn't your fault. And there's no better way to find out what OCR thinks you should be doing than listening to them explain what you should be doing.
You can register for the webinar here: Webinar Registration - Zoom
Ransomware: the Biggest Threat. According to research by NCC Group, ransomware attacks were up dramatically in September 2023, both from the preceding year (153%) and, within the healthcare sector, from the preceding month (89%). It's relatively easy to do, and many victims have no option but to pay.
Patching, MFA, and training can prevent ransomware attacks, and good backups can make the ones that get through a lot less painful. Those are all easy things to do. . . .
iHealth/Advantum settles HIPAA FTP server breach for $75,000. I was going through some old emails and came across a HIPAA settlement that I don't think I mentioned earlier. And it's not an access settlement. It involves a business associate and an unsecured storage server (likely an FTP server). Interestingly, the breach was not a "wall of shame" breach.
UHC Takes a Hit for Denying Access to PHI: The ongoing effort of OCR to bring actions against HIPAA covered entities has tallied its 45th fine, this time with insurer United Healthcare paying the price. As with the other 44 instances, the fine is small by comparison to other non-access related HIPAA enforcement actions: $80,000, which roughly equates to UHC's revenue every 8 seconds. The complainant in this case actually filed 3 separate complaints against UHC, so it's likely there was at least a little fire behind that smoke.
The key takeaway: OCR is going to keep going after covered entities who don't give access to individuals who request their records. Access is a right, so give it.
No surprise: Data breaches in the healthcare sector are the most expensive.
Average Cost of a Healthcare Data Breach Continues to Rise: The average cost of a healthcare data breach is now $11 million, according to IBM and the Ponemon Institute. This is up $1 million since last year. Healthcare data breaches are also about 2.5 times as costly as in other industries.
HC3 issues brief on cyber risks of AI and ML: HHS' Health Sector Cybersecurity Coordination Center (HC3) has issued a brief outlining the cybersecurity risks of artificial intelligence and machine learning. If you don't know much about AI and ML, that's fine; most of the brief is background information, explaining how AI and machine learning work.