[ Wednesday, June 05, 2019 ]
Now, it's LabCorp.
Jeff [2:14 PM]
Just days after Quest announces a breach of 12 million patients, LabCorp announces a 7 million patient breach of its own
. Well, not really it's own: like the Quest breach, LabCorp is announcing a breach of its billing vendor, who is the same billing vendor that Quest uses.
[ Monday, June 03, 2019 ]
Quest Diagnostics announces a big breach:
Jeff [3:03 PM]
it looks like a billing vendor, AMCA, suffered the breach
, which appears to be a phishing-based email access hack. It does not look like lab test results were accessed, but billing and financial information (which is still PHI, and would also include some indicia of what medical issues the data subject might have, due to an indication of what tests were ordered and conducted).
[ Thursday, May 30, 2019 ]
MIE breach brings state fines as well:
Jeff [11:29 AM]
Yesterday my favorite HIPAA/Privacy reporter tipped me off to the fact that MIE also got fined by state regulators. MIE is an Indiana-based medical records company, and its clients are spread across the Midwest and elsewhere. In addition to the $100,000 fine to OCR, MIE also paid $900,000
to a total of 16 states (Arizona; Arkansas; Connecticut; Florida; Indiana; Iowa; Kansas; Kentucky; Louisiana; Michigan; Minnesota; Nebraska; North Carolina; Tennessee; West Virginia; and Wisconsin) to settle HIPAA and state law breaches.
This is a good reminder: you can't only look at HIPAA to determine your obligations to protect data and report breaches; you also must look at state laws. Specifically, all states have data breach reporting laws, and most have either personal data protection/security laws or general "deceptive trade practices" laws that contain a privacy component. Thus, your data security activities must be HIPAA compliant and
state-law compliant, and if you suffer a breach, you must look at both the applicable state laws as well as HIPAA to determine your reporting obligations (some breaches require reporting under HIPAA only, some under state law only, and some under both).
Additionally, since the HITECH Act, OCR isn't the only show in town as far as HIPAA enforcement specifically. Even if OCR does not fine an entity, a state can do so specifically for a HIPAA violation, but not for a state law violation
In MIE's state law case, MIE paid OCR for violating HIPAA but also paid the 16 states for violations of HIPAA and state laws (i.e., not just state laws). But, it was an agreed order, so it's hard to tell what would've happened if MIE objected to the fact that, since OCR had already fined them, they should not have state law liability under HIPAA. I assume the states would've dropped the HIPAA part and relied on state law exclusively.
The final lesson: there are multiple regulators. Don't forget that.
Recent OCR activity: Touchstone and Medical Informatics Engineering:
Jeff [10:58 AM]
If you've been watching the news, you'd have seen a couple of recent HIPAA enforcement actions, with some striking differences.
First, as I mentioned below
, Touchstone Imaging got tagged for $3,000,000 for a server issue that left FTP files exposed to anyone searching the internet. Then, shortly thereafter, business associate MIE
got tagged with a $100,000 fine because a hacker got access to their patient files. Why the big difference? I'll discuss in a later post. . . .
[ Friday, May 17, 2019 ]
Jeff [11:28 AM]
[ Tuesday, May 14, 2019 ]
Jeff [5:43 AM]
[ Monday, May 13, 2019 ]
Jeff [11:52 AM]
We've heard it over and over, the healthcare industry is the biggest target for data breaches, given the overall value of data, plus the large number of targets with, shall we say, less than stellar defenses. Here's proof
that those indications are right: healthcare leads in total data breaches and total data breached.
Jeff [11:49 AM]
[ Monday, May 06, 2019 ]
Unprotected FTP servers
Jeff [8:49 PM]
can cause problems, since whomever finds them on the internet can access the data in them. They aren't easy to find, but they can be. Of course, when your initial response is that there was no PHI disclosed, when in fact 300,000 people had their PHI exposed, you should expect a fine.
[ Monday, April 29, 2019 ]
Jeff [8:37 AM]
I haven't seen the actual proposed regulatory text yet, but Modern Healthcare is reporting
that OCR will lower the maximum fine level for organizations that violate HIPAA, depending on the organization's level of culpability. Obviously, OCR could have exercised prosecutorial discretion in levying fines, but it can't hurt to encourage organizations to lower their culpability level.
[ Wednesday, April 24, 2019 ]
Brookside ENT and Hearing Center in Battle Creek, Michigan got hit by a ransomware attack. They didn't pay the hackers, their medical records were lost, and they have gone out of business. The two partners have gone into early retirement.
Jeff [5:47 PM]
So, Ransomware can kill you.
[ Monday, April 08, 2019 ]
Jeff [1:20 PM]
[ Friday, March 22, 2019 ]
Jeff [1:59 PM]
This is a big one
. It also not an OCR settlement, but rather a settlement of a class action lawsuit by affected individuals. Class action cases are hard to bring, but they got a big settlement here.
[ Thursday, March 21, 2019 ]
Jeff [7:06 AM]
[ Monday, March 18, 2019 ]
Jeff [12:46 PM]
According to reports from OCR
. Email hijacking and ransomware are the leading trouble-makers.
Jeff [12:43 PM]
Cyber Risk Assessments or Security Risk Assessments ("SRAs") are pretty common in the privacy universe. In fact, doing some form of an SRA (and regularly repeating/updating) is a required activity for any HIPAA covered entity or business associate. How do you know what types of safeguards are reasonable and appropriate for your business if you don't understand what your risks are? However, before you go off and do one, here are 5 questions you should ask
. (One note: I'd add HITRUST to the "frameworks" listed in question 2.)
[ Monday, March 04, 2019 ]
Jeff [7:47 AM]
[ Saturday, March 02, 2019 ]
Jeff [1:06 PM]
[ Wednesday, February 27, 2019 ]
Jeff [10:36 AM]
[ Wednesday, February 20, 2019 ]
Jeff [10:14 AM]
[ Monday, February 04, 2019 ]
Jeff [10:51 AM]
[ Wednesday, January 30, 2019 ]
Discover noted something funny
Jeff [12:38 PM]
that indicated that some of its cardholders' information was out on the web, indicating that there had been a breach somewhere. Discover's notice doesn't contain much information (more on that in a bit), but does indicate that it wasn't their fault. However, they did replace cards for affected individuals and agreed that they wouldn't be responsible for fraudulent charges (both of which would be true regardless of whether the breach was Discover's or someone else.
Two things to note. First, many state data breach notification laws, but most importantly and particularly HIPAA, require covered entities to report breaches; the requirement isn't to report your own breach, but to report any breach you discover. That's the duty of data holders -- if you know someone's data is breached, let them know. Data breach reporting is not an admission of fault, and most data breaches don't result in fines or lawsuits. The point of breach notification is not (or at least shouldn't be) to tattle on yourself, it's to help out the public whose data is leaked and who might not know about it or how to protect themselves.
Secondly, it's not surprising that Discovery's notice didn't say too much, like what they found or how they found it. Why is that? Because you don't want to give up your data security secrets. If the black hats learn how you found out something, they might learn how to hide it better. Especially if you discovered it via some clever means.
Regardless, it's an interesting notice to get in the millions of data breach notifications.
Update: Jon Drummond is no relation (as far as I know), in case you thought so.
[ Wednesday, January 23, 2019 ]
Oregon wants to pass a law
Jeff [4:23 PM]
to prohibit the sale of de-identified
data without the data subject's consent. That is dumb -- de-identified data does not have a data subject. And if it's truly de-identified, there is no downside to its being shared, at least no downside to the data subject (because, again, there is data subject if it's de-identified).
I understand the "property rights" concept, but it really doesn't work with data. Data isn't a thing like that; data is a fact, and you can't own a fact. The exact same data can be possessed by multiple people at the same time, without diminution of the value to any other holder. Plus the data may only connect to a particular subject in a particular situation.
For example, let's say my birthday is January 1, 1960. 1/1/60 is in my medical record at my doctor's office, which means that data ("1/1/60") is PHI. Let's also say I went to my doctor today, January 23, 2019 (1/23/19), for my annual physical. That data ("1/23/19") is also PHI. Do I own 1/1/60 or 1/23/19? If those data are my property, can I keep other people from using them? How about other people who were born on the first day of 1960? Do they own the data and I don't? Tenants in common?
Now, I do have some interest in the connection between those two dates, me, and my doctor's office, but do I own all that data as long as it's connected?
More importantly, what if you de-identified it by HIPAA standards? All you'd know is that some 59-year-old person went to that doctor's office in 2019. In Oregon, I would still own that data, even though you don't know it's me. There will be other people aged 59 who come to that doctor's office in 2019, and that data will belong to them; how can you tell which data is theirs and which is mine once it's de-identified?
Even if it's not de-identified, the doctor's office should have some
right to the data in its own records. It should not have unfettered rights to do with it whatever it wants (and it doesn't, because of HIPAA and other privacy laws), but it surely has the right to use the data to run its business.
I shouldn't complain -- like the Illinois Biometric Privacy Law, this is good for lawyers. But it's unnecessary and dumb.
[ Friday, January 11, 2019 ]
Jeff [8:34 AM]
A Michigan HIV/AIDS and substance abuse provider has suffered a data breach
after a phishing attack. I suspect this is more of an ID theft issue, but bad news anyway. Interestingly, (i) no word on how many were affected, and (ii) the breach occurred in April 2018 but notification only went out recently; that could be because the breach was only discovered in the last month or two, but one wonders if the 60-day time limit in HIPAA was met.
[ Tuesday, January 08, 2019 ]
Jeff [8:24 AM]
Mintz has a good wrap-up of some of the bigger HIPAA goings-on from 2018 here
[ Thursday, January 03, 2019 ]
Jeff [1:16 PM]
As a bit of an analog to yesterday's post about the impact of a breach on stock price, recently breached companies tend to improve their performance against the market, which might indicate that the breach serves as a "wake-up call" for the company's leadership. Going hand in hand with that thought, Health IT Security notes
that recently breached hospitals tend to increase their advertising spend by 64% after a breach.
[ Wednesday, January 02, 2019 ]
Jeff [3:51 PM]
It's not as big or as consistent as you might think, but it's not negligible either. Paul Bischoff and Matthew Dolan have done some research and posted the results here
Interestingly, companies that suffer breaches tend to be underperforming companies anyway. However, their performance improves after the breach, at least compared to market averages. Low point tends to be about 2 weeks post-breach, but for the following 6 months, the companies tend to outperform the market.
Maybe suffering a breach serves as a wake-up call?
It's a relatively small data set, and doesn't relate much to small and non-public businesses, but it's interesting to ponder.
Jeff [12:56 PM]
[ Friday, December 21, 2018 ]
Jeff [1:13 PM]
As Baylor Scott & White-Frisco (a joint venture between BSWH and USPI) is finding out, a credit card breach is also a HIPAA breach
if it's connected to a HIPAA covered entity. The incident is similar to one that happened at Banner Health in Arizona a few years ago (reported here
): a credit card processor vendor suffered a breach, but it involved BSW-Frisco's patients' data.
Hat tip: Taylor Weems, CIO at Midland Health.
[ Thursday, December 13, 2018 ]
CMS has asked for public comment
Jeff [3:55 PM]
on how HIPAA should be changed. Personally, I'm a "Chesterton's Fence" kinda guy, but I actually think it works pretty darned well as is. But I'll be interested in seeing the public commentary.
Jeff [3:40 PM]
When a hospital fails to cut off PHI access
to a former employee, it can be a HIPAA violation. In this case, a relatively inexpensive one (relative being the key word, it's still a lot of money).
[ Friday, December 07, 2018 ]
Jeff [12:43 PM]
[ Thursday, December 06, 2018 ]
Jeff [10:44 AM]
may or may not be a HIPAA breach, but NY's data breach notification law is likely implicated. It's unclear whether the agency would be a HIPAA covered entity; it's described as a health provider, but if it doesn't conduct HIPAA-regulated transactions in electronic format, technically it might not be a HIPAA "covered entity."
[ Wednesday, December 05, 2018 ]
Jeff [12:59 PM]
Here's a case similar to Raleigh Orthopaedic case
: Advanced Care Hospitalists hired a guy who they thought worked for Doctor's First Choice Billing to help them with their billing and coding. Apparently, the guy was a fraud. But that's not important: what's important is that ACH didn't get a BAA with First Choice, and PHI ended up exposed on the First Choice website. ACH notified OCR that at least 400 and as many as 9000 patients potentially had their data exposed.
The breach notification led to an OCR investigation, which revealed a lack of BAA (and, in fact, a lack of a policy to get BAAs). Upon further review, OCR also found out that ACH had never done a risk assessment either.
Net result: a $500,000 fine. And a big black eye.
If ACH had policies and procedures, a decent HIPAA compliance program, and had entered into a BAA with the guy in the first place, but still got snookered because the guy was a fake, they would've still had a reportable breach, but I'm pretty certain they'd be half a million bucks richer (not to mention what they probably spent on lawyers dealing with this, plus the PR hit).
[ Friday, November 30, 2018 ]
This is important, and in my (personal, non-legal) opinion an important piece of news relative to one of the biggest issues affecting HIPAA covered entities.
Jeff [12:20 PM]
The FBI has gotten specific about one of the current strains of ransomware that is plaguing the healthcare industry. Of specific importance to note in the HIPAA arena is the fact that this variant apparently simply encrypts the data it finds, and does not extract, view, or send out the data. That's very important to a ransomware victim, since despite what OCR's guidance has been to date, if there's no viewing or outside transmission of the data, there is not a "breach" as defined in the Breach Notification Rule (45 CFR 164, part D).
To be a "breach," there must be acquisition, access, use, or disclosure. In this type of ransomware, the bad actor inserts virus software onto the computer system of the actor, but the bad actor does not access the data. Any access only happens within the victim's computer system, by the software that is now part of that computer system. If the virus then send out some of that data that includes PHI to a third party, THEN you'd have acquisition by the third party, access by the third party, and disclosure to the third party, all of which WOULD be a breach. Likewise, if the virus opens up a door that allows outside third parties to enter the system, and third parties do enter the system, you'd have access and disclosure, which would likely lead to acquisition and use. However, if the virus does not exfilitrate or allow outside access, then you do not have acquisition, access, use or disclosure.
This is an important distinction.
This is also not legal advice.
[ Tuesday, November 27, 2018 ]
Jeff [12:46 PM]
A patient had a complaint about Allergy Associates of Hartford (CT); he took his complaint to the local TV news station. The reporter called the practice to ask for a response, and the doctor in question spoke with the reporter (despite the fact that his privacy officer told him to say "no comment" or not respond at all). That conversation with the reporter disclosed patient PHI in a manner not permitted by HIPAA. And now, OCR has fined the practice $125,000.
It's not fair: the patient told the reporter all of his information already, it's in the public domain, he put it in the public record, he publicized it, he started it. Yes, all that's true.
But it doesn't matter. The covered entity has the obligation not to use or disclose PHI unless the use or disclosure is permitted by HIPAA. The fact that the information is already public knowledge doesn't matter, even if the patient himself put it out there.
That doesn't mean the provider can't respond to the reporter at all. At the least, the practice should let the reporter know that it can't respond with respect to any specific patient due to the prohibitions of HIPAA (and can't even acknowledge that the patient is a patient), unless the patient specifically authorizes the disclosure. Additionally, the practice can give general information about the practice that doesn't disclose anything about any individual patient. For example, if the patient falsely complains that it took 20 office visits in 2 months to fix the issue, the practice can state that it researched its records for the last 5 years and did not locate any patient with 20 visits scheduled in a 2-month period (since that doesn't provide any information on any particular patient, it's not PHI). But you can't say "this patient didn't have 20 visits" because that is PHI.
The playing field is tilted against providers when it comes to patient complaints. But don't make it worse by responding in a way that violates HIPAA.
UPDATES (other law firms picking up the thread):
Holland & Knight: Eddie Williams III
Drinker Biddle: Sumaya Noush
Jeff [11:16 AM]
Mercy Medical Center-North Iowa in Mason City has notified about 2000 patients
of a potential data breach. Looks like an employee behaving badly. . . .
[ Tuesday, November 20, 2018 ]
Jeff [9:08 AM]
Ohio has decided to issue a standardized form to authorize of the release of PHI. The Texas AG did the same thing a few years ago (as a result of what was then called HB 300). The Ohio regulation is specifically intended to comply both with HIPAA and with the more restrictive "Part 2" rules applicable to federally-supported substance abuse treatment facilities. The form can be found here
; hat tip to Dinsmore & Shohl
for the article.
[ Monday, November 19, 2018 ]
Which is worse,
Jeff [3:57 PM]
theft and improper disclosures of PHI, or hackers? Most HIPAA data breaches are the result of either theft (often done by employees) or simple improper disclosures, such as sending data to the wrong location. While we should all be vigilent against hackers, as far as the number of breaches, they are way fewer.
However, on the other hand, when a hacker hits, he (or she) usually gets a lot more records than your average thief or other recipient of an improper disclosure.
So, quantity of breaches, or quantity of files?
[ Wednesday, November 14, 2018 ]
Jeff [3:32 PM]
- SUNY Upstate in Syracuse notifies a couple thousand patients of an "employee behaving badly." Definitely a lot of that going around.
- The healthcare.gov breach continues in "investigation" mode. Really, folks, how hard can this be? I wouldn't expect OIG to give my clients as much slack as CMS gives CMS. It's 90,000 people, so it's big, but it's been a month. You know it came from broker accounts. Seems like a pretty easy threat vector to hone in on, but I'm no techie.
[ Monday, October 22, 2018 ]
I'm not sure whether this is a HIPAA issue
Jeff [11:17 AM]
: is Healthcare.gov, the website that facilitates the federally-run state insurance exchanges, a covered entity or business associate? It's not a plan or provider, and I don't think it's a clearinghouse because it's not involved in transmitting data in connection with transactions. As far as I can tell, it assists the plans (which are CEs) that sell insurance on the exchanges, so in theory, if it creates, receives, maintains, or transmits PHI in connection with that service, it's a BA. But does it enter into BAAs with those insurers, or is it somehow exempt because it's a governmental entity? HIPAA doesn't include any sort of governmental exemption (Medicare and Medicaid are clearly CEs), but did the ACA or its implementing regulations include any exemption?
[ Monday, October 15, 2018 ]
Jeff [9:44 PM]
It was the biggest HIPAA breach ever, one of the biggest of any sort of breach involving personally-identifiable information: hackers got access to the medical records of almost 80 million people. While it's still unclear what damage was done, OCR has finally weighed in
with how much it'll cost Aetna: $16 million. That's almost 3 times the previous record of $5.5 million.
Update: AP story is here
[ Sunday, October 14, 2018 ]
Jeff [5:06 PM]
Latest development: Aetna pays the NJ Attorney General $365,000
as a fine for the data breach involving the use of window envelopes to send notices to beneficiaries receiving HIV medications. As noted earlier, the window envelopes allowed the potential disclosure of PHI to unintended recipients.
Update: Aetna also has settled
with the AGs of Connecticut, Washington State, and DC.
[ Monday, October 01, 2018 ]
Jeff [2:06 PM]
The SEC has announced an action
against a broker-dealer for a data breach that exposed customer financial data. Not a HIPAA breach, but it's similar in effect and enforcement activities. The $1 million fine is considered "small."
[ Monday, September 24, 2018 ]
Jeff [2:12 PM]
Apparently, 2 employees of UMass Memorial Health Care
improperly accessed PHI of patients, and UMass has been fined $230,000 by the Massachusetts Attorney General for violating HIPAA. Not a whole lot more information there, but it's interesting for 2 points: it's the state AG enforcing the federal HIPAA statute (along with the state Consumer Protection Act and Data Security Law); and it's yet another example of "employees behaving badly" resulting in a big fine for a covered entity.
Jeff [1:37 PM]
I'm sure there are synergies here, but have to agree with the regulators here
. It's not safe to run a microbrewery within the same space as a clinical lab.
[ Friday, September 21, 2018 ]
Jeff [1:07 PM]
Three facilities involved in the production of the "Boston Med" television show have settled with OCR
for just under $1 million over charges that they improperly disclosed patient identity and health information in the course of producing and airing the show. This is a similar situation to a NY hospital drama called NY Med, in which a patient's identity was accidentally disclosed. The show blurred the man's face to de-identify him, but the nature of his injuries made his identity evident to his family, and when they saw the show, they sued ABC and the hospital, NY Presbyterian; NY Pres ended up paying a $2 million HIPAA fine to OCR. On the other hand, Children's Medical Center in Dallas ran a summer-long television series filmed on location at the hospital, and did not violate HIPAA by doing so. How? Solid patient authorizations, including making sure nobody walked through the background in any of the filming sessions, and a healthy bit of HIPAA training for the film crew. Of course, Children's had some pretty good counsel in setting that all up. . . .
[ Thursday, August 16, 2018 ]
Jeff [2:17 PM]
by a great pediatrician. Not exactly on topic, but important.
Interesting question: did the Oklahoma Department of Veterans Affairs breach HIPAA
Jeff [12:04 PM]
when they allowed staffers to use their smartphones to access patient records during an internet outage? Possibly, but I doubt it, and I could certainly argue that, while allowing that type of open access is often improper, in the right circumstance it would not only be proper, but would be the right thing to do. The basis of HIPAA is the imposition of reasonable restrictions to protect privacy and security, while not interfering with the provision of care. If HIPAA is harming patient care, you aren't doing it right. Is there a better, more secure way of doing this? If so, it should have been done. But in an emergency, and when patient care demands it, privacy must give way.
[ Tuesday, August 14, 2018 ]
Jeff [11:02 AM]
A transcription vendor for Orlando Orthopaedic Center left PHI exposed for two months
after a software update -- perhaps an unsecure FTP server issue? Secondary issue will be that it appears OOC failed to notify within the 60-day notice period.
Blogger: HIPAA Blog - Edit your Template