HIPAA Blog

[ Tuesday, January 30, 2018 ]

 

Ransomware: So, after a weekend of DissentDoe and me talking about how a ransomware attack should not be automatically considered a reportable breach, OCR releases a Cyber Extortion Newsletter, and doesn't repeat that ransomware is presumably a breach.  Maybe they've been listening. . . . 

Jeff [10:07 PM]

[ Monday, January 29, 2018 ]

 

OCR Settlement Scoreboard: $20 million in 2017, down from 2016.

Jeff [2:15 PM]

[ Friday, January 26, 2018 ]

 

Allscripts Ransomware Update: Now, a class action lawsuit has been filed.  This class action might actually hold water -- Allscripts' 1,500 customers apparently did suffer delays and business interruptions, for which actual damages might be fairly easily provable.  In most breach class action cases, most members of the "class" can't show any actual monetary damages: if nobody steals your identity or ruins your credit, even though they might have tried or had the ability to do so, you've got no damages.  It's hard to maintain a class action if you can't show damages across the whole class of plaintiffs.

The damages in the Allscripts case might, though, be "consequential," rather than direct.  If so, then the Allscripts customer contract might contain a liability limitation that would keep those damages from being recoverable.  But that's all just guesswork on my part.

Jeff [12:57 PM]

[ Friday, January 19, 2018 ]

 

More Ransomware: This time a bigger target (Allscripts), but apparently not a big impact.  Presumably that's because Allscripts was prepared for it. 

Take this as a reminder: if you haven't prepared for a ransomware attack, be prepared to be asked why if it happens and you suffer a HIPAA breach.  At this point, the possibility of a ransomware attack should be part of your risk analysis.

Jeff [12:33 PM]

[ Wednesday, January 17, 2018 ]

 

Your 2018 Privacy and Security "To Do" List: This is a great little checklist from Kirk Nahra at Wiley Rein.  There will be few if any businesses that will have to address each item on this list, but virtually every business will have to deal with at least one of them.  And pay particular attention to the passages in italics, which are most important and nearly universal.

Jeff [4:57 PM]

 

Help Wanted: Amazon is hiring a "HIPAA Compliance Lead."

Jeff [1:42 PM]

[ Monday, January 15, 2018 ]

 

Ransomware in Indiana: Hancock Regional Hospital in Indiana was hit by encryption ransomware.  No word yet on how they are recovering, or what the ransom amount was (they didn't pay, so presumably they were able to recover from backups).  More here.

UPDATE: Apparently, they did pay: $55,000.

Jeff [2:27 PM]

 

OSU Breach: Oklahoma State's Center for Health Sciences in Tulsa got hacked, exposing about 280,000 names and a limited amount of other information.  Not likely a big risk to those involved.  

Jeff [2:23 PM]

[ Friday, January 12, 2018 ]

 

Coplin Health (West Virginia): Another stolen laptop, another breach notification to 43,000 patients.  They don't even know if the laptop had any PHI on it (it might not have).  And it was password protected, reducing the likelihood of harm even further.  BUT, it was not encrypted.  Hence the report and the bad publicity.  

Jeff [1:34 PM]

 

Connecticut: The CT Supreme Court has established, for the first time in the state, a physician's common law obligation to protect the confidentiality of patient records.  Most states have either a common law right to confidentiality or a statutory one, but a lower court noted that neither had been established in Connecticut until now.

The case involves a HIPAA violation, and a patient's lawsuit against an Ob/Gyn practice for disclosing the patient's records to a probate court pursuant to a subpoena. HIPAA does allow disclosures of PHI under subpoena in certain circumstances, and it's not entirely clear here whether all of the HIPAA requirements were met; however, the plaintiff's claims for a HIPAA violation were immediately tossed out because there is no private cause of action for a HIPAA breach.  In other words, even if a medical practice blatantly breaches HIPAA and discloses the patient's data, the patient cannot sue the medical practice for the HIPAA breach.

The patient can potentially sue the medical practice under some other grounds, specifically for failure to comply with state statutory or common law privacy obligations.  In this case, the lower court correctly noted that there is no established privacy obligation in Connecticut; the supreme court, however, reset the table. 

UPDATE: No, this isn't exactly right.  Connecticut citizens cannot sue for HIPAA breaches.  They can sue for breach of confidentiality of medical records.  There is overlap between those two things, but they are not contiguous or equal.

Jeff [10:45 AM]

[ Wednesday, January 10, 2018 ]

 

Florida Medicaid Agency Data Breach: apparently someone at the Florida Medicaid agency, the Florida Agency for Health Care Administration, got phished, and data for 30,000 Floridians was exposed.  

Jeff [4:19 PM]

 

New Privacy Officer at ONC: After a week or so of news highlighting how long the job has been vacant and whether it's even relevant any more, HHS' Office of the National Coordinator for Health IT has announced Kathryn Marchesini as their new Chief Privacy Officer.

Jeff [2:21 PM]

 

Costs of Producing Medical Records: A medical record document production company has sued HHS to challenge its rules on the ability of a healthcare provider to charge patients for copies of their medical records.  It will be interesting to see how this plays out.  

Jeff [1:04 PM]

 

Charles River Medical Associates (Massachusetts): This radiology group lost a hard drive containing the bone density scan PHI of almost 10,000 people.  Where'd it go?  Who knows.  Will the data fall into the wrong hands (and if it did, would it harm anyone)?  Unlikely.  Will CRMA get fined?  Maybe (especially if, "upon further review," it becomes clear that the group didn't have good HIPAA policies and procedures and didn't do a good risk analysis).  Would we even know about this if the drive was encrypted?  Nope. 

Folks, encrypt data at risk.  Is it required?  No.  Then why should you do it?  To save yourself a report and a fine, not to mention better protecting your patients' data.  Aren't you here to serve them? 

Am I asking too many questions?

Jeff [9:11 AM]

[ Thursday, January 04, 2018 ]

 

EHR News: eClinicalWorks sued again: Another class action lawsuit has been filed against EMR provider eClinicalWorks.  This suit claims that eClinicalWorks' EMR system fails to meet the requirements for "meaningful use."  CMS pays providers such as medical practices and hospitals financial benefits if they adopt and implement electronic medical records and other technology in such a manner that the provider becomes a "meaningful user" of electronic medical record technology.  The providers must attest to CMS that they have done the things necessary to meet the "meaningful use" standards.  In this case, the providers claim that eClinicalWorks does not provide all of the necessary services to meet the "meaningful use" standard.  eClinicalWorks paid a $155 million fine last year when the Department of Justice sued directly for its EMR shortcomings.

The earlier class action lawsuit claims that eClinicalWorks' EMR failed to accurately portray a patient's medical record, and the patient died because of the EMR's failure.

Jeff [2:12 PM]

[ Wednesday, January 03, 2018 ]

 

SSM Employee Acting Badly: A customer service employee at SSM Health accessed about 29,000 patient records, apparently looking for St. Louis-area patients who had narcotic prescriptions.  Presumably, he'd use those patients' data to get drugs for him/herself, either for personal use or for resale.  Clever, really.  But obviously illegal.  

Jeff [1:52 PM]

[ Tuesday, January 02, 2018 ]

 

21st Century Oncology: An oncology practice with offices in 17 states and 7 Latin American countries has paid $2.3 million for HIPAA violations.  The FBI found their patient files on the dark web; apparently someone was able to access their SQL database remotely and extracted data on 2,213,597 patients, including social security numbers.  Not sure if the breach was the cause, but 21st Century Oncology filed for bankruptcy back in May.

What's the actual HIPAA breach?  Lack of a good risk assessment, failure to implement proper safeguards, no regular review of audit logs, and failure to have appropriate BAAs.  The first and last are by far the most common causes of HIPAA breaches, and the 2nd and 3rd could have been prevented if the first had been done reasonably well. 

When was your last serious risk assessment? 

Jeff [10:57 AM]
