HIPAA Blog

[ Wednesday, January 17, 2018 ]

 

Your 2018 Privacy and Security "To Do" List: This is a great little checklist from Kirk Nahra at Wiley Rein.  There will be few if any businesses that will have to address each item on this list, but virtually every business will have to deal with at least one of them.  And pay particular attention to the passages in italics, which are most important and nearly universal.

Jeff [4:57 PM]

 

Help Wanted: Amazon is hiring a "HIPAA Compliance Lead."

Jeff [1:42 PM]

[ Monday, January 15, 2018 ]

 

Ransomware in Indiana: Hancock Regional Hospital in Indiana was hit by encryption ransomware.  No word yet on how they are recovering, or what the ransom amount was (they didn't pay, so presumably they were able to recover from backups).  More here.

UPDATE: Apparently, they did pay: $55,000.

Jeff [2:27 PM]

 

OSU Breach: Oklahoma State's Center for Health Sciences in Tulsa got hacked, resulting in about 280,000 names and a limited amount of other information.  Not likely a big risk to those involved.  

Jeff [2:23 PM]

[ Friday, January 12, 2018 ]

 

Coplin Health (West Virginia): Another stolen laptop, another breach notification to 43,000 patients.  They don't even know if the laptop had any PHI on it (it might not have).  And it was password protected, reducing the likelihood of harm even further.  BUT, it was not encrypted.  Hence the report and the bad publicity.  

Jeff [1:34 PM]

 

Connecticut: The CT Supreme Court has established, for the first time in the state, a physician's common law obligation to protect the confidentiality of patient records.  Most states have either a common law right to confidentiality or a statutory one, but a lower court noted that neither had been established in Connecticut until now.

The case involves a HIPAA violation, and a patient's lawsuit against an Ob/Gyn practice for disclosing the patient's records to a probate court pursuant to a subpoena. HIPAA does allow disclosures of PHI under subpoena in certain circumstances, and it's not entirely clear here whether all of the HIPAA requirements were met; however, the plaintiff's claims for a HIPAA violation were immediately tossed out because there is no private cause of action for a HIPAA breach.  In other words, even if a medical practice blatantly breaches HIPAA and discloses the patient's data, the patient cannot sue the medical practice for the HIPAA breach.

The patient can potentially sue the medical practice under some other grounds, specifically for failure to comply with state statutory or common law privacy obligations.  In this case, the lower court correctly noted that there is no established privacy obligation in Connecticut; the supreme court, however, reset the table. 

UPDATE: No, this isn't exactly right.  Connecticut citizens cannot sue for HIPAA breaches.  They can sue for breach of confidentiality of medical records.  There is overlap between those two things, but they are not contiguous or equal.

Jeff [10:45 AM]

[ Wednesday, January 10, 2018 ]

 

Florida Medicaid Agency Data Breach: apparently someone at the Florida Medicaid agency, the Florida Agency for Health Care Administration, got phished, and data for 30,000 Floridians was exposed.  

Jeff [4:19 PM]

 

New Privacy Officer at ONC: After a week or so of news highlighting how long the job has been vacant and whether it's even relevant any more, HHS' Office of the National Coordinator for Health IT has announced Kathryn Marchesini as their new Chief Privacy Officer.

Jeff [2:21 PM]

 

Costs of Producing Medical Records: A medical record document production company has sued HHS to challenge its rules on the ability of a healthcare provider to charge patients for copies of their medical records.  It will be interesting to see how this plays out.  

Jeff [1:04 PM]

 

Charles River Medical Associates (Massachusetts): This radiology group lost a hard drive containing the bone density scan PHI of almost 10,000 people.  Where'd it go?  Who knows.  Will the data fall into the wrong hands (and if it did, would it harm anyone)?  Unlikely.  Will CRMA get fined?  Maybe (especially if, "upon further review," it becomes clear that the group didn't have good HIPAA policies and procedures and didn't do a good risk analysis).  Would we even know about this if the drive was encrypted?  Nope. 

Folks, encrypt data at risk.  Is it required?  No.  Then why should you do it?  To save yourself a report and a fine, not to mention better protecting your patients' data.  Aren't you here to serve them? 

Am I asking too many questions?

Jeff [9:11 AM]

[ Thursday, January 04, 2018 ]

 

EHR News: eClinicalWorks sued again: Another class action lawsuit has been filed against EMR provider eClinicalWorks.  This suit claims that eClinicalWorks' EMR system fails to meet the requirements for "meaningful use."  CMS pays providers such as medical practices and hospitals financial benefits if they adopt and implement electronic medical records and other technology in such a manner that the provider becomes a "meaningful user" of electronic medical record technology.  The providers must attest to CMS that they have done the things necessary to meet the "meaningful use" standards.  In this case, the providers claim that eClinicalWorks does not provide all of the necessary services to meet the "meaningful use" standard.  eClinicalWorks paid a $155 million fine last year when the Department of Justice sued directly for its EMR shortcomings.

The earlier class action lawsuit claims that eClinicalWorks' EMR failed to accurately portray a patient's medical record, and the patient died because of the EMR's failure.

Jeff [2:12 PM]

[ Wednesday, January 03, 2018 ]

 

SSM Employee Acting Badly: A customer service employee at SSM Health accessed about 29,000 patient records, apparently looking for St. Louis-area patients who had narcotic prescriptions.  Presumably, he or she would use those patients' data to get drugs, either for personal use or for resale.  Clever, really.  But obviously illegal.

Jeff [1:52 PM]

[ Tuesday, January 02, 2018 ]

 

21st Century Oncology: An oncology practice with offices in 17 states and 7 Latin American countries has paid $2.3 million for HIPAA violations.  The FBI found their patient files on the dark web; apparently someone was able to access their SQL database remotely and extracted data on 2,213,597 patients, including social security numbers.  Not sure if the breach was the cause, but 21st Century Oncology filed for bankruptcy back in May.

What's the actual HIPAA breach?  Lack of a good risk assessment, failure to implement proper safeguards, no regular review of audit logs, and failure to have appropriate BAAs.  The first and last are by far the most common causes of HIPAA breaches, and the 2nd and 3rd could have been prevented if the first had been done reasonably well.

When was your last serious risk assessment? 

Jeff [10:57 AM]

[ Friday, December 22, 2017 ]

 

Chilton (NJ) Medical Center: Employee steals hard drive and sells it on the internet. 4,600 people impacted.

Jeff [4:58 PM]

 

Banner (Arizona) Breach: You may recall a year and a half ago, Banner Health's Arizona facilities suffered a mostly-non-HIPAA data breach: specifically, hackers got into Banner's point-of-sale payment card processing system at its snack bars and cafeterias.  The hackers eventually got into some Banner servers containing PHI.  But it was really more a Home Depot type breach than an Anthem type breach.

A class action lawsuit was filed against Anthem, based on a handful of causes of action, including breach of contract by Banner for failing to provide protections of employee data as described in Banner's employee handbook.  The class action judge has just thrown out several of those claims, including the employee handbook claims.  But she has let the class action continue on unjust enrichment (Banner didn't spend as much on data security as it should have, and that savings unjustly enriched Banner at the expense of the victims of the hack), negligence (Banner had a duty to protect the data, failed at that duty, and caused damages), and violation of Arizona's Consumer Fraud Act.

The judge did find that at least 2 plaintiffs did suffer damages that "would not have happened but-for" Banner's inadequate data security.  However, the class-action plaintiffs are not out of the woods yet.  Will all the class participants have similar damages?  Are they all similarly situated?  Is the heightened risk of identity theft actual harm, if the identity theft never occurs?  I would guess we will have to have the Supreme Court determine that.

Jeff [4:56 PM]

 

Some Good Breach News: The number of data breaches in the healthcare sector continued to rise in 2017 over prior years, but the number of records impacted fell.  Thus, fewer individuals overall were impacted, and there were fewer of the massive breaches we've seen in prior years.

Jeff [3:35 PM]

[ Wednesday, December 13, 2017 ]

 

Portland, ME: The city had some sort of program providing services to citizens with HIV, and after the program terminated, the city shared information on 200 HIV patients with the University of Southern Maine to help determine if there were gaps in the way it provided the services, or if it could have operated the program better. 

The city claims the data sharing did not violate HIPAA because it was for research purposes, and it may be right, but probably only if USM had an independent review board determine that the university program had enough protections in place that patient authorization was not required. 

Nevertheless, the city has apologized.  Perhaps not illegal, but perhaps not a good idea either. 

Jeff [7:22 AM]

[ Monday, December 11, 2017 ]

 

NC, KY Breaches: Two breaches, two states, 56,000 patients' records exposed.  A stolen (unencrypted, of course) laptop at a North Carolina dermatology clinic exposed 24,000, while a pulmonology group in Kentucky suffered improper access to EMR, exposing 32,000.

Jeff [5:43 PM]

[ Thursday, December 07, 2017 ]

 

Henry Ford Hospital Breach: Someone apparently phished the email credentials of multiple employees.  No word yet on what was accessed or if any of it was used inappropriately.

Jeff [12:58 PM]

 

An Unintended Consequence of Data Breach Reporting?  Patients are more and more reluctant to share PHI with their own providers.

I've said many times that privacy exists on a continuum, particularly with regard to health information.  On one end, you have perfect privacy, but that means no one (not your doctor, not your spouse, not your friends) has access to your health information.  Obviously, the privacy is perfect, but you won't get healthcare unless you can do it yourself.  At the other end is zero privacy: everyone knows every medical fact about everyone else.  Here, you'd get great healthcare, since you could compare everyone's treatment experience to determine what would be best for you.  And think of how far medical science could go with all that data.

At one end, great privacy and lousy healthcare; at the other, great healthcare but lousy privacy.  I don't know about you, but I don't want to be at either end; I want to find the happy medium.

That's something healthcare regulators need to think about.  Forcing the publicization of inconsequential breaches instills a false sense of risk and danger that is often more dangerous than the risk of harm from the breach itself.

Jeff [10:37 AM]

[ Tuesday, December 05, 2017 ]

 

New from OCR: Five steps to prevent insider data breaches.

Jeff [3:33 PM]

[ Tuesday, November 28, 2017 ]

 

OpenEMR Vulnerability: I'm not technologically knowledgeable enough to know if this is a big deal or not, but if you use OpenEMR, you should definitely have your IT staff take a look at whether this alleged vulnerability might affect you.

Jeff [11:16 AM]

[ Sunday, November 26, 2017 ]

 

Are Changes Coming to the Wall of Shame?  HHS is considering shortening the listing period, and might make other changes.  The website is a required element of the HITECH Act, so they can't delete it entirely.  But they could (and probably will) make some changes.  In addition to shorter listings, perhaps only including listings where the reporting entity was at fault, or at least allow the entity to defend itself, would be useful improvements.  

Jeff [11:24 AM]

[ Wednesday, November 22, 2017 ]

 

Off Topic: Thanksgiving is a good time to think about cybersecurity.  Some great tips here.

Jeff [11:15 AM]

[ Thursday, November 02, 2017 ]

 

CyberThreat Information Sharing: HHS is publicly urging healthcare industry participants to actively share cybersecurity threat information.  Basically, they're urging healthcare players to utilize the benefits provided by CISA (the Cybersecurity Information Sharing Act of 2015) to allow threat information to be publicized across the industry, so players can respond and protect themselves and others.  Not a bad idea at all.

Jeff [2:32 PM]

[ Thursday, October 26, 2017 ]

 

Medical Device Cybersecurity: I tend to prefer an industry-driven approach, like the House bill, over a top-down approach like the Senate bill.

Jeff [1:30 PM]

[ Thursday, October 12, 2017 ]

 

Cloud-Based Blood Testing Information Breached: An Amazon cloud data repository for blood testing data managed by Patient Home Monitoring was not configured correctly, and a tech security company came across it.  300,000 PDFs accounting for about 150,000 people.  Oops.

Using the cloud is OK, but only if you do it right.  Be careful . . . .

Jeff [12:04 PM]

[ Wednesday, September 27, 2017 ]

 

Don't forget to vote for me for best "niche" legal blog.  You can go vote here.

Jeff [12:45 PM]

 

I'm not surprised, actually: This is a frightening headline: 73 Percent of Medical Professionals Share Passwords for EHR Access.  If you're a medical resident, you used the attending's login information with the attending's consent.  

So, it happens.  A lot.  But not a lot of bad comes out of it, since most (maybe virtually all) medical professionals do the right thing: access only what you need, access only for legitimate purposes, etc. 
 
Still, even residents should have their own login information.  You can't audit access if you have password sharing.  And if something does go wrong, it could go very, very wrong, and it would be awfully difficult to fix post-facto.  

Maybe it's really time for two-factor authentication in many more places. 

Jeff [12:36 PM]
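As an added example (not code from the post above), the Python below shows what "you can't audit access if you have password sharing" looks like from the audit-log side: given login/logout records in an assumed, constructed format, it flags any account that has overlapping sessions on two different workstations, which is the signature a shared login leaves in an audit trail. The log format, user names and workstation names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Assumed log format (constructed for this example):
#   "<ISO timestamp> LOGIN|LOGOUT user=<account> ws=<workstation>"
LINE_RE = re.compile(r"^(\S+) (LOGIN|LOGOUT)\s+user=(\S+)\s+ws=(\S+)$")

# Constructed sample audit trail. dr_attending is signed in on two machines at once for
# eight minutes; dr_jones merely forgot to log out for two minutes; rn_smith is clean.
SAMPLE_LOG = """\
2017-09-27T08:00:00 LOGIN  user=dr_attending ws=WS-ICU-04
2017-09-27T08:02:00 LOGIN  user=dr_attending ws=WS-ED-11
2017-09-27T08:05:00 LOGIN  user=rn_smith ws=WS-ED-02
2017-09-27T08:10:00 LOGOUT user=dr_attending ws=WS-ED-11
2017-09-27T08:20:00 LOGOUT user=rn_smith ws=WS-ED-02
2017-09-27T08:21:00 LOGIN  user=rn_smith ws=WS-ED-03
2017-09-27T08:30:00 LOGOUT user=dr_attending ws=WS-ICU-04
2017-09-27T08:40:00 LOGOUT user=rn_smith ws=WS-ED-03
2017-09-27T09:00:00 LOGIN  user=dr_jones ws=WS-CL-01
2017-09-27T09:01:00 LOGIN  user=dr_jones ws=WS-CL-02
2017-09-27T09:03:00 LOGOUT user=dr_jones ws=WS-CL-01
2017-09-27T09:30:00 LOGOUT user=dr_jones ws=WS-CL-02
"""


def parse_sessions(log_text: str) -> list:
    """Pair each LOGIN with the next LOGOUT for the same (user, workstation).
    Sessions still open at the end of the log are closed at the last timestamp seen."""
    open_sessions, sessions, last_ts = {}, [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed or unrelated lines
        ts = datetime.fromisoformat(m.group(1))
        event, user, ws = m.group(2), m.group(3), m.group(4)
        last_ts = ts
        if event == "LOGIN":
            open_sessions[(user, ws)] = ts
        elif (user, ws) in open_sessions:
            sessions.append((user, ws, open_sessions.pop((user, ws)), ts))
    for (user, ws), start in open_sessions.items():
        sessions.append((user, ws, start, last_ts))
    return sessions


def find_shared_logins(log_text: str, grace_minutes: int = 5) -> list:
    """Return (user, workstation_a, workstation_b, overlap_minutes) for every pair of
    sessions of one account on two different workstations that overlap by more than
    the grace period, which absorbs the common 'walked away without logging out' case."""
    grace = timedelta(minutes=grace_minutes)
    by_user = defaultdict(list)
    for user, ws, start, end in parse_sessions(log_text):
        by_user[user].append((ws, start, end))
    findings = []
    for user, sessions in by_user.items():
        for (ws_a, s_a, e_a), (ws_b, s_b, e_b) in combinations(sessions, 2):
            if ws_a == ws_b:
                continue  # re-login on the same machine is not sharing
            overlap = min(e_a, e_b) - max(s_a, s_b)
            if overlap > grace:
                first, second = sorted((ws_a, ws_b))
                findings.append((user, first, second, int(overlap.total_seconds() // 60)))
    return sorted(findings)


if __name__ == "__main__":
    for user, ws_a, ws_b, minutes in find_shared_logins(SAMPLE_LOG):
        print(f"{user}: concurrent sessions on {ws_a} and {ws_b} for {minutes} min")
```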

[ Tuesday, September 26, 2017 ]

 

Nichey? Or Special? Some of my blog readers nominated me for the Best Legal Blog Contest in the "Niche and Specialty" Category.  If you feel so inclined, you can go vote here.

Jeff [2:26 PM]

[ Monday, September 18, 2017 ]

 

PeaceHealth Data Breach: another "employees behaving badly" breach.  Over about 5-6 years, the employee accessed about 2000 records he/she had no need to access.  No apparent social security skimming, so not likely to be ID theft.  Reading between the lines, that probably means your garden variety snooping.  Bad but not horrible.  However, the big question is how it took almost 6 years to notice it.  

Jeff [11:47 AM]

[ Wednesday, September 06, 2017 ]

 

Nurses behaving badly.  I guess "Mr. Big" died.  This is mildly humorous, but somehow I think the reaction would be outrage if the victim were female instead of male.

H/T Ron Holtsford.

Jeff [11:38 AM]

[ Thursday, August 31, 2017 ]

 

More Window Envelope issues: now it's CVS with a problem letting PHI leak out envelope windows.

Jeff [12:19 PM]

[ Tuesday, August 29, 2017 ]

 

Aetna HIV data breach: Well, that was fast.  Those class action lawyers can outrun an ambulance.

Jeff [2:57 PM]

[ Friday, August 25, 2017 ]

 

The Trouble with Window Envelopes: It's nice to use envelopes where the address of the recipient is only printed on the page inserted into the envelope, but is visible through a window in the outer envelope.  It saves costs and reduces the possibility of a mismatch between the information in the insert and the information on the envelope (i.e., the wrong letter gets inserted into the wrong envelope).

However, if you're going to do so, make sure ONLY THE NAME AND ADDRESS show through the window.  I think Aetna's gonna be in trouble for this. . . .

Jeff [2:05 PM]

[ Wednesday, August 23, 2017 ]

 

Cybersecurity Class Action Update: One interesting aspect of data breaches (whether HIPAA-related or not) is the potential for lawsuits from affected parties.  Most times, injured individuals can't show monetary damages from a HIPAA breach, and that's particularly true in non-HIPAA breaches such as the Target or Home Depot data breaches, where any credit card fraud was covered by the credit card companies.  (There are exceptions, of course, such as where a HIPAA breach causes harm that can be proven).  But the quest to show that the fear of future ID theft or other harm constitutes actionable damages is the holy grail of class action lawyers, looking to turn the millions of victims (each suffering only minor damages) into a single class so that they can collect on multiplied damages.

So far, it's been tough sledding: most courts deny that there are damages just because you're afraid someone might use your information in the future.  That has been recently upheld in this ScottTrade case.  Some day, a court will allow these damages to constitute sufficient grounds for a class action lawsuit, but not yet.

Jeff [6:17 PM]

[ Monday, August 21, 2017 ]

 

Hospitals are the Number One Target for Hackers: at least for ransomware.

Jeff [8:35 AM]

[ Monday, August 14, 2017 ]

 

Women's Health Care (PA): A large Philadelphia-area ob/gyn practice has notified 300,000 patients of a potential data breach.  Not much news on what happened, but it was apparently a hack that penetrated the group's computer system; they don't know for sure if information was actually viewed or extracted, but the information subject to potential breach did include social security numbers (but apparently not much medical information).  The report mentions backups, which makes me think this was probably a ransomware incident.  The breach started in January 2017 but wasn't discovered until May 2017, and notifications didn't go out until July 2017 (interestingly, in March the group merged with a NJ group to become the largest ob/gyn group in the country, now known as Axia Women's Health).

Jeff [10:24 AM]

[ Wednesday, July 26, 2017 ]

 

Wall of Shame: OCR is updating its large data breach reporting website.

Jeff [2:07 PM]

[ Thursday, July 20, 2017 ]

 

Peachtree Neurological (Atlanta): Peachtree Neurological was hit with ransomware recently.  Fortunately, (i) they were able to restore their systems without paying the ransom, and (ii) there was no evidence that the ransomware exfiltrated any data, thus likely giving them a good reason to determine that the ransomware incident did not constitute a reportable breach (yes, OCR, I'm talking to you).

However, in the course of investigating and responding to the ransomware attack, Peachtree uncovered a more unfortunate fact: some hacker had been camped out in their data for over a year.  It does not look like they are able to tell what was accessed or if anything untoward was done, or if the hacker just had access and never did anything.  But while the ransomware might not be reportable, this one pretty much definitely is.  

Jeff [10:36 AM]

 

Petya: More on the ransomware virus that disproportionately hit healthcare entities.  

Jeff [10:25 AM]

[ Thursday, July 13, 2017 ]

 

University of Iowa: Seems like a pretty minor breach, but some names, admission dates, and medical records were available online.  

Jeff [12:29 PM]

[ Wednesday, July 12, 2017 ]

 

Employee Snooping Draws Criminal Charges (St. Charles Health System, Oregon): A nursing assistant looked at about 2,500 patients' records; no identity theft or fraud, apparently just idle curiosity.  However, she's being charged with misdemeanor computer crimes.  Sounds about right -- nice to make a point of how she's dealt with, but not punishing her unnecessarily harshly.

Jeff [6:16 PM]

[ Friday, June 30, 2017 ]

 

Petya Cyberattack: A rural West Virginia hospital is one of the headline victims of the most recent ransomware iteration, known as Petya (which follows closely on the heels of WannaCry, which had a built-in escape hatch that prevented it from causing too much damage).  How do you protect yourself?

Don't pick up the virus.  Easier said than done, but you can go a long way just through education of your staff.  Almost all of these ransomware attacks come via phishing emails.  Don't click, and teach your staff not to click.

Be prepared in case you get hit.  If you do pick up the virus (and even the best-protected businesses could be a victim), there's still hope, as long as you're prepared in advance.  That means you should do the following ASAP:

  1. Have good, constant, regular and redundant backups.  If you're hit by ransomware and all your data is encrypted, but you can pull an exact second copy of the same data off the shelf, all the cyberattack will cost you is time and a little frustration.  But make sure your backups are structured so that you don't end up deleting a good backup and making a backup of your already-encrypted data.
  2. Practice patch management.  Some viruses are "zero-day" viruses, and you might be unlucky to get hit through a vulnerability that hasn't been patched yet.  That is extremely, extremely unlikely, but if it happens, you should still be OK if you've done good backups.  Most likely, there is a patch available for whatever vector the next ransomware wave exploits, and if you install patches regularly and aggressively, you'll likely avoid being a victim.
  3. Map your network.  If you get hit, you'll need to find out where it came in so you know where to start the cleanup.  But before you get hit, mapping might uncover some breaches in your defenses that you can fix now, and that, in and of itself, might prevent you from being victimized.
Be careful out there, and be prepared.  

Jeff [10:03 AM]
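The caution in step 1 above, that a rotation job must never delete a good backup and keep a backup of already-encrypted data, is the part most backup scripts get wrong. As an added example (not code from the post), the Python below checks a fresh snapshot for encrypted-looking files before it is allowed to push an older generation out; if the snapshot fails, every existing generation is left untouched. The entropy threshold, the extension lists and the sample snapshots are constructed for illustration and should be tuned to your own data.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed thresholds for this example; tune them against your own file mix first.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}   # illustrative, not a real IoC list
COMPRESSED_BY_DESIGN = {".zip", ".gz", ".jpg", ".png", ".pdf"}  # legitimately high-entropy
ENTROPY_THRESHOLD = 7.5      # bits per byte; text files and database dumps sit well below this
MAX_FLAGGED_RATIO = 0.10     # refuse to rotate if more than 10% of files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: about 8.0 for ciphertext, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Heuristic: a ransomware-style extension, or near-random content in a file that
    should be readable.  Formats that are compressed by design are exempt."""
    ext = os.path.splitext(name)[1].lower()
    if ext in SUSPICIOUS_EXTENSIONS:
        return True
    if ext in COMPRESSED_BY_DESIGN:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def assess_snapshot(snapshot: dict) -> tuple:
    """Return (safe_to_rotate, flagged_file_names) for a snapshot of path -> contents."""
    flagged = sorted(n for n, d in snapshot.items() if looks_encrypted(n, d))
    safe = len(flagged) <= MAX_FLAGGED_RATIO * len(snapshot)
    return safe, flagged


def rotate(generations: list, new_snapshot: dict, keep: int) -> tuple:
    """Add the new snapshot and prune the oldest beyond `keep`, but only if the new
    snapshot passes.  On failure the existing generations are returned untouched, so
    the last clean copy is never overwritten by encrypted data."""
    safe, flagged = assess_snapshot(new_snapshot)
    if not safe:
        return list(generations), False, flagged
    kept = (list(generations) + [new_snapshot])[-keep:]
    return kept, True, flagged


def fake_ciphertext(blocks: int) -> bytes:
    """Constructed stand-in for ransomware output: deterministic, high-entropy bytes."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(blocks))


# Constructed sample snapshots (path -> bytes); a real tool would read the backup target.
RECORD = b"MRN 1001; visit 2017-06-01; dx: routine follow-up; rx: none\n" * 40
GOOD_SNAPSHOT = {"patients/record_001.txt": RECORD,
                 "patients/record_002.txt": RECORD.replace(b"1001", b"1002"),
                 "imaging/scan_001.pdf": fake_ciphertext(64)}   # dense but legitimate
BAD_SNAPSHOT = {"patients/record_001.txt.locked": fake_ciphertext(128),
                "patients/record_002.txt": fake_ciphertext(128),  # encrypted in place
                "imaging/scan_001.pdf": fake_ciphertext(64)}

if __name__ == "__main__":
    gens = [GOOD_SNAPSHOT, GOOD_SNAPSHOT]
    for snap in (GOOD_SNAPSHOT, BAD_SNAPSHOT):
        gens, accepted, flagged = rotate(gens, snap, keep=3)
        print("accepted" if accepted else "REFUSED", len(gens), "generations kept", flagged)
```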

[ Monday, June 26, 2017 ]

 

Anthem Breach: Remember the 2015 Anthem breach?  The one with up to 80 million individuals' information compromised?  The one where we think the Chinese were involved, and they got the IT folks to give up their credentials and got sysadmin privileges, so encryption wouldn't have even mattered?  Yeah, that one.

Well, Anthem has agreed to settle the lawsuit for $115 million.  Of course, that's a private lawsuit, rather than regulatory action, so there could be some additional payments by Anthem, but this is likely the biggest part.  

Jeff [1:22 PM]

[ Wednesday, June 14, 2017 ]

 

Wall of Shame: Apparently OCR is considering some changes to the website listing of all large breaches, based on concerns expressed by a congressman (who also happens to be a doctor) that the listing is too punitive to entities that did no wrong but had to report anyway.

Jeff [2:24 PM]

 

St. Luke's-Roosevelt's Faxing Problem: An NYC hospital has been fined $387,000 for two misdirected faxes.  That's a big fine.  Why?

Three reasons: One, all fines are big these days.  OCR still feels it needs to make an impression, and if you've done wrong and get caught, you're going to pay in a big way.  Two, the PHI that was disclosed, and whom it was disclosed to, were pretty egregious: it was HIV and STD information (and mental health status), and it was faxed to the patients' employer in one case, and to the organization the patient volunteered for in the other.  Three, it happened twice.  The case that generated the complaint was the second time a fax had been misdirected, and St. Luke's didn't fix the issue the first time around.

Doing a risk analysis is the thing everyone must do.  If you never have a problem, good; just keep re-analyzing on a regular basis, and maybe you'll continue to be so fortunate.  But if you do have a problem, treat it seriously and fix it.  Give it the attention it needs.  Deal with it.  Not even OCR expects you to be perfect, and they know mistakes will happen even to the most prepared entity.  But you don't get more than one bite at the apple.

Jeff [11:36 AM]

[ Monday, June 12, 2017 ]

 

Hospital Cybersecurity in Critical Condition: So says a report by HHS' Health Care Industry Cybersecurity Task Force.  Not particularly surprising.

Jeff [7:32 AM]

[ Tuesday, May 30, 2017 ]

 

Molina, AZ Health Dept Breaches: Molina Healthcare, a big player on the insurance exchanges established by the ACA, has reacted to word from Brian Krebs, cybersecurity expert, that their patient portal has some problems.

Additionally, the Arizona Department of Health Services has reported a possible breach due to some lost mail. 

Jeff [11:57 AM]

[ Monday, May 15, 2017 ]

 

Memorial Hermann: Memorial Hermann in Houston had a patient who used a fake ID to get services; the staff called the cops, who arrested the patient.  Apparently, the patient was an illegal immigrant (undocumented alien, if you wish, but being an undocumented alien is against the law, hence the word "illegal").  If I recall correctly, Memorial Hermann got hammered in the press for "reporting" this illegal alien who was only trying to get healthcare (actually, steal healthcare by using someone else's ID, but let's not quibble).  Memorial Hermann responded to the bad press by issuing its own press release, which (again, if I'm remembering correctly) actually was pretty apologetic about calling the cops on someone who was actually committing a crime.

However, Memorial Hermann put the patient's name in the press release.  In fact, they put it in the title of the press release.  Sure, they were responding to news reports that had already identified the patient, so disclosing the patient's name didn't increase the stakes any.  But, that's still a HIPAA no-no.  And they have been fined, big-time: $2,400,000.  As the HHS release notes, providing the name to the police was A-OK.

Lesson here: don't name patients if you don't have to.  Be extremely careful in responding to bad news or bad reviews -- you can make general pronouncements, but you can't identify individuals.


Jeff [12:04 PM]
