Is iCloud HIPAA-Compliant?

Cloud storage services are a convenient way for people to store and share data. Though people use diverse devices from varied places, they can gain access to the uploaded data files provided that they are hooked up to the internet. Does this technology support HIPAA compliance? Can healthcare organizations utilize iCloud to keep electronic protected … Read more

Hospital Associations Want to Speed up Interoperability and Data Sharing

Seven prominent hospital associations, including the American Hospital Association (AHA), are striving for better data sharing throughout the healthcare industry. A new report called “Sharing Data, Saving Lives: The Hospital Agenda for Interoperability” tries to enlist and broaden the support of public and private stakeholders to speed up interoperability and help get … Read more

Position of OCR Permanent Deputy Director for Health Information Privacy Open to Applicants

The U.S. Department of Health and Human Services’ Office for Civil Rights is looking for someone to fill the position of permanent Deputy Director for Health Information Privacy. The details of the advertisement were posted on January 14, 2019 on USAJOBS. Deven McGraw was the previous permanent Deputy Director. He decided to leave … Read more

111K People Affected By BenefitMall Security Breach

Centerstone Insurance and Financial Services, also known as BenefitMall, started informing around 111,000 individuals about the possible compromise and theft of some protected health information (PHI) because of a recent email security incident. BenefitMall, located in Dallas, TX, is a business that offers HR, employee benefits, payroll and employer services. It has around 20,000 consultants, … Read more

Is WebEx HIPAA Compliant?

WebEx is an online video conferencing and collaboration platform that organizations use to facilitate communication among staff and partners in different places, as if they were all meeting in one place. Can healthcare organizations use WebEx as well? Is it HIPAA compliant? If using resources such as WebEx, healthcare organizations can make connections … Read more

Is Zoho HIPAA Compliant?

Zoho is a collection of cloud-based tools and applications developed by a Pleasanton, CA-based company since 1996. Zoho products and services include the following: Zoho Mail (email), Zoho CRM (a customer relationship management platform), Zoho Show (presentation program), Zoho Docs (document editor), Zoho Sheet (spreadsheet editor), Zoho Creator (app builder), Zoho Chat (live chat … Read more

Stolen Laptop From Solis Mammography Impacted 500 Patients’ PHI

An unencrypted laptop was stolen from the Phoenix, Arizona clinic of Solis Mammography, otherwise known as Ben-Ora, Hansen, Vanesian Imaging Ltd. Solis Mammography learned of the incident on October 17, 2018 and informed law enforcement immediately, but the laptop has not been recovered to date. A computer forensics company is assisting Solis Mammography in rebuilding … Read more

Phishing Attack on Sacred Heart Rehabilitation Center Exposed Patients’ PHI

Sacred Heart Rehabilitation Center, located in Memphis, MI, offers substance abuse treatment and care services to HIV/AIDS patients. The center learned that an unauthorized individual accessed an employee’s email account after the employee responded to a phishing email. The email-related breach took place between April 5 and April 7, 2018. It is not known … Read more

Phishing Attack on Network180 Compromised the PHI of Patients

On October 28, 2018, a cyber attacker initiated a targeted phishing attack on Kent County Community Mental Health Authority, dba Network180. The employees were not able to identify the phishing emails sent to them because they seemed to come from a reputable source. In the period covering November 2 to 13, three employees responded to … Read more

Feds’ New Cyber Risks Awareness Campaign to Help Private Sector Companies

The National Counterintelligence and Security Center (NCSC) started a new campaign, “Know the Risk, Raise Your Shield,” for the Office of the Director of National Intelligence. Its purpose is to boost public awareness of cyber threats and to get companies in all industries to improve their data security processes and cyber defenses. … Read more

PHI of 31,876 Managed Health Services of Indiana Plan Members Potentially Exposed

Managed Health Services, based in Indianapolis, IN, which runs the Hoosier Care Connect Medicaid and Hoosier Healthwise programs, announced to 31,876 plan members in December 2018 that their protected health information (PHI) was potentially disclosed in two different breaches. The first breach was the result of a phishing attack on a Managed Health Services’ … Read more

PHI of 1,080 Chaplaincy Health Care Patients Potentially Exposed Due to Phishing Attack

A phishing attack on Chaplaincy Health Care, a not-for-profit healthcare provider located in Richland, WA, caused the exposure of the protected health information (PHI) of 1,080 patients. The phishing attack happened on November 20, 2018 and was identified within 4 hours. Chaplaincy Health Care immediately took action to prevent unauthorized access. A third-party … Read more

Email-Related Breach Impacts 4,309 Choice Rehabilitation Residents

Choice Rehabilitation of Creve Coeur, MO learned that an unauthorized person accessed an employee’s email account and set up a mail forwarder, which sent email messages to a personal email account. This mail forwarder was active from July 1, 2018 to September 30, 2018. After a complete analysis of the email account, it was confirmed … Read more

US-CERT Issued Warning Against Increased Chinese Malicious Cyber Activity

The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) published a notification regarding increased Chinese malicious cyber activity focusing on IT service providers such as Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), Cloud Service Providers (CSPs) and their clients. The attacks exploit trust relationships between customers and IT service … Read more

8,400 Patients Affected by Orlando Family Physicians Group Phishing Attack

Humana-owned Family Physicians Group in Orlando notified 8,400 patients that some of their protected health information (PHI) was potentially compromised because of a phishing attack. Family Physicians Group is one of the biggest providers of healthcare for Medicare and Medicaid beneficiaries in Central Florida and manages 22 clinics in the area. The investigation … Read more

Most Prevalent Security Vulnerabilities in Healthcare According to Clearwater

Clearwater identified the most typical security flaws in the healthcare industry using the data analyses of IRM done during the last 6 years. There were millions of risk reports examined from hospitals, Integrated Delivery Networks, and business associates of entities to pinpoint the most prevalent security weaknesses in the healthcare industry. According to the data … Read more

Is HelloFax HIPAA Compliant?

Can healthcare companies use HelloFax for sending documents containing protected health information (PHI)? Does this fax service support HIPAA compliance? Regular fax machines are not the same as digital fax services. Healthcare companies have long used fax machines to transfer physical documents, including those that contain PHI, from one fax machine to another. … Read more

Phishing Attack on San Diego School District Compromised Over 500,000 Staff and Students Data

A serious phishing attack on the San Diego School District resulted in the compromise of the private data, including health data, of around 500,000 students and staff. The school district became aware of the phishing attack only in October 2018, although breach investigators pointed out that the hacker had accessed the network since January … Read more

McLean Hospital to Pay $75,000 to Settle a HIPAA Violation

Massachusetts Attorney General Maura Healey issued McLean Hospital a HIPAA violation fine of $75,000 in relation to a 2015 data breach that exposed about 1,500 patients’ protected health information (PHI). McLean Hospital is a psychiatric hospital situated in Belmont, MA, which regularly allowed an employee to take 8 backup tapes home. In … Read more

Microsoft ADFS Vulnerability Enables Threat Actors to Circumvent Multi-Factor Authentication

A vulnerability (CVE-2018-8340) was discovered in Microsoft’s Active Directory Federation Services (ADFS) which can allow an attacker to easily circumvent multi-factor authentication (MFA). ADFS is used by many firms to protect accounts with a second authentication factor in addition to a password, using MFA solutions from vendors such as SecureAuth, Okta and RSA. It was … Read more

Irish Data Protection Commission is Investigating Facebook Again Because of a Glitch

The Irish Data Protection Commission (DPC) is investigating one more prospective General Data Protection Regulation (GDPR) violation by Facebook, following the company’s admission that a glitch may have given unauthorized people access to the unposted photos of around 6.8 million Facebook users. The DPC is about to investigate the incident relating … Read more

CCRM Dallas Fort Worth and Ramsey County Social Services Breaches Potentially Exposed 1,600+ Patients’ PHI

An unauthorized person accessed the email account of a nurse at CCRM Dallas Fort Worth. CCRM discovered the breach on October 4, 2018, following the report of patients receiving spam emails originating from the nurse’s email account. CCRM Dallas-Fort Worth immediately deactivated the compromised email account and its IT vendor started to investigate the incident. … Read more

27% of Healthcare Companies Have Encountered at Least One Ransomware Attack Last Year

Based on a new Kaspersky Lab report, Cyber Pulse: The State of Cybersecurity in Healthcare, 27% of healthcare workers reported their company had encountered at least one ransomware attack in the last five years and 33% said their company had encountered several ransomware attacks. In its report, Kaspersky Lab mentioned that until January 1, 2018, … Read more

Elizabethtown Community Hospital Email Account Breach Impacts Approximately 32,000 Patients

About 32,000 patients of the University of Vermont Health Network’s Elizabethtown Community Hospital received notifications that some of their protected health information (PHI) was compromised due to an email account breach. On October 18, 2018, Elizabethtown Community Hospital found out that an unauthorized person had accessed the email account of an employee. Immediately, the password for … Read more

Google to Transfer Management of EU Data to Ireland from the US

Google has announced its final decision to make a few modifications to its terms of service and privacy policy. The major change is the naming of Ireland as the location for its data services in Europe. Anne Rooney, Public Policy Manager for Google Ireland, announced in Google’s blog post the change in data controller location … Read more

Request for Information on Potential Changes to HIPAA Rules to Enhance Patient Data Sharing Issued by OCR

A request for information (RFI) issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) is striving to get feedback from the public regarding prospective changes to the Health Insurance Portability and Accountability Act (HIPAA) Rules to boost coordinated, value-based medical care. OCR is collecting recommendations regarding adjustments to the HIPAA … Read more

Alarming Number of Open and Misconfigured Healthcare Databases Online

The latest study by Insights, an enterprise threat management platform provider, revealed that a startling amount of healthcare information is openly accessible on the internet due to open and misconfigured databases. Although much attention is focused on the risk of cyberattacks on healthcare devices as well as ransomware attacks, a primary reason why hackers … Read more

EmblemHealth Pays New Jersey $100,000 Penalty for HIPAA Violations

The New Jersey state attorney general’s office fined the health insurance provider EmblemHealth $100,000 for a 2016 data breach that compromised the protected health information (PHI) of over 6,000 New Jersey plan members. EmblemHealth mailed Medicare Part D Prescription Drug Plan Evidence of Coverage paperwork to its plan members on October 3, … Read more

DHS/FBI Published a New Alert Against SamSam Ransomware Attacks

At the end of November, the Department of Justice charged two Iranians in connection with the SamSam ransomware attacks. However, the attacks are unlikely to let up. Because of the high risk of continued SamSam ransomware attacks in the USA, the Department of Homeland Security (DHS) and FBI issued a new advisory to critical infrastructure … Read more

$500,000 Fine Paid by Advanced Care Hospitalists to Settle Multiple Violations of HIPAA

The HHS’ Office for Civil Rights (OCR) investigated an incident of impermissible PHI disclosure by a business associate of a HIPAA-covered entity and found major HIPAA violations, which warranted a financial penalty. Advanced Care Hospitalists (ACH) is a contract physicians’ group located in Lakeland, FL that deploys internal medicine physicians to hospitals and nursing … Read more

Medical Informatics Engineering Faces Multi-State Lawsuit Over 3.9-Million Record Breach

Medical Informatics Engineering and NoMoreClipboard are facing a multi-state federal lawsuit over the 2015 data breach that exposed the information of 3.9 million people. Indiana Attorney General Curtis Hill is the lead attorney general in the lawsuit, with 11 other participating states: Arizona, Arkansas, Iowa, Florida, Kentucky, Kansas, Louisiana, Minnesota, North Carolina, Nebraska and Wisconsin. … Read more

7,000 Georgia Spine and Orthopaedics of Atlanta Patients Affected by PHI Breach

Georgia Spine and Orthopaedics of Atlanta (GSOA) is informing a number of its patients about a phishing attack that caused the possible theft and exposure of some of their protected health information (PHI). The investigation of the data breach showed that an unauthorized person got access to an email account after an employee of GSOA … Read more

Is Slack HIPAA Compliant?

Slack is a useful communication and collaboration tool, but its HIPAA compliance must be clarified before it is used in the healthcare industry. Can Slack be used by healthcare organizations for disclosing protected health information (PHI) without violating HIPAA? Since its introduction, Slack has not been regarded as HIPAA compliant, although … Read more

Data Breach at Atrium Health’s Business Associate Impacts 2.65 Million Patients

Healthcare billing services provider AccuDoc Solutions Inc. reported a data breach that compromised the protected health information (PHI) of 2,650,000 Atrium Health patients. AccuDoc Solutions in Morrisville, NC prepares the bills for Atrium Health’s patients. At the same time, AccuDoc Solutions operates the online payment system used by Atrium Health and its network … Read more

Patients’ PHI Exposed in Breach Incidents at Mercy Medical Center North Iowa and Arthritis & Osteoporosis Consultants of the Carolinas

Mercy Medical Center North Iowa found out that a former employee possibly accessed patients’ healthcare records without appropriate authorization for over 12 months. The medical center conducted an internal investigation of the incident, which revealed that a past employee had wrongly accessed patient data from July 2017 to July 2018. The employee had access to … Read more

4,458 Patients of FHN Healthcare Affected by Stolen Unencrypted Laptop

A laptop computer issued by FHN Healthcare in northwest Illinois was stolen from the vehicle of an employee. The said laptop contained protected health information (PHI) of 4,458 patients. The theft was reported right away to law enforcement, but the laptop hasn’t been found or recovered. By reconstructing the data stored on the missing laptop, … Read more

Episcopal Health Services Email Hacking Compromised Patients’ PHI

St. John’s Episcopal Hospital and Episcopal Health Services located in New York have informed former and current patients about the potential compromise of their protected health information (PHI). Episcopal Health Services found the occurrence of suspicious activity in several employees’ e-mail accounts on September 18, 2018. A third-party computer forensics firm quickly looked into the … Read more

Phishing Attack on New York Oncology Hematology Impacted 128,400 Employees and Patients

A phishing attack on New York Oncology Hematology in Albany, New York resulted in the compromise of 15 employee email accounts and gave the hackers access to the sensitive information contained in those accounts. A total of about 128,400 present and past patients and employees were affected by the breach. The phishing attack involved … Read more

HealthEquity Phishing Attack Affects the PHI of 190,000 People

HealthEquity is informing 190,000 people about the exposure of some of their protected health information (PHI) because of a phishing attack. HealthEquity is a company based in Utah that offers services to clients seeking to obtain tax advantages to counter healthcare expenses, either through employers or health plans. The company provides services such as health … Read more

Attack on Inova Health System Compromised the Billing Records of 12,331 Patients

Inova Health System in Virginia began notifying its 12,331 patients regarding the unauthorized access of some of their protected health information (PHI). On September 5, 2018, law enforcement got in touch with Inova Health System because of an alleged breach of patients’ billing details. A prominent computer forensics firm investigated the breach to find out … Read more

Potential Exposure of Patient PHI in Metrocare Services and Summit Medical Group Data Breaches

A phishing attack on Metrocare Services, the biggest mental health services provider in North Texas, resulted in the compromise of the protected health information (PHI) of 1,804 patients. A number of employees’ email accounts were compromised during the phishing attack, and the first account breach occurred on August 2, 2018. Metrocare only became … Read more

Impermissible Access of 1,216 Patient Records by Former Upstate University Hospital Employee

Upstate University Hospital, located in Syracuse, NY, notified 1,216 of its patients regarding impermissible access by a former employee to some of their protected health information (PHI). The hospital became aware of the breach on September 12, 2018. Immediately, the breach was investigated to find out which patients were affected by the privacy violation. … Read more

Cybersecurity Attacks on Altus Hospital in Baytown and Southwest Washington Regional Surgery Center

Altus Hospital, located in Baytown, Texas, was attacked by ransomware, which encrypted much of the hospital’s data. The attack did not have an impact on the hospital’s electronic medical record system, but some patients’ protected health information (PHI) was contained in the encrypted files. The affected PHI included names, addresses, phone … Read more

Virginia Superior Court Partially Reversed the Decision of the Lower Court in Employee Snooping Case

Access to patient information by healthcare employees who are not authorized to view it is clearly a violation of the Health Insurance Portability and Accountability Act’s Privacy Rule. Are employers also accountable under HIPAA for privacy breaches caused by snooping employees? A patient of Carilion Healthcare Corp’s Carilion Clinic based in Virginia with … Read more

Sioux City Eye Clinic Breach Impacts PHI of 40,000 Patients

The protected health information (PHI) of around 40,000 patients of the Jones Eye Clinic and its associated surgery center, CJ Elmwood Partners, L.P., located in Sioux City, IA was potentially compromised. The breach was caused by a ransomware attack that impacted the data stored in an information system used for booking appointments and invoicing patients. … Read more

Over 20,000 Patients’ PHI Potentially Exposed in Catawba Valley Medical Center and Byram Healthcare Breaches

Catawba Valley Medical Center (CVMC) based in Hickory, NC discovered on August 13, 2018 the access of an unauthorized person to the email account of a CVMC employee. After knowing about the email breach, CVMC took steps to secure the email account and prevent continuing access. A third-party computer forensics firm helped investigate the email … Read more

MediaPRO State of Privacy and Security Awareness Study Results for 2018

MediaPRO is a security awareness training company that has, for the past three years, conducted an annual analysis of employees’ security awareness and knowledge of cybersecurity best practices. The study assesses employees’ vulnerability to various security threats and evaluates their ability to recognize phishing threats, potential malware infections, and the hazards of cloud … Read more

Ransomware Attack on National Ambulatory Hernia Institute Impacts 16,000 Patients

The National Ambulatory Hernia Institute, based in California, suffered a ransomware attack on September 13, 2018 which resulted in the encryption of files stored on its system. The National Ambulatory Hernia Institute posted a breach notice on its website stating that the attackers possibly viewed 15,974 patients’ demographic information, which was recorded prior to July … Read more

Potential Compromise of 10,000 Patients’ PHI from Stolen Raley’s Pharmacy Laptop

Raley’s Pharmacy is notifying about 10,000 patients about the potential compromise of some of their protected health information (PHI). The incident on September 24, 2018 involved the theft of a laptop computer from a Raley’s pharmacy, which possibly contained the PHI of some patients. Raley’s Pharmacy had the incident investigated immediately to find out the … Read more

What Guidance and Tools Can Help HIPAA Entities Conduct Its Risk Analysis

The HIPAA risk analysis is an essential part of HIPAA compliance, yet plenty of healthcare companies and business associates fail at it. As a result, they are exposed to costly data breaches and large financial penalties for HIPAA noncompliance. HIPAA Risk Analysis – What is it? As per 45 C.F.R. § 164.308(a)(1)(ii)(A), the HIPAA Security … Read more

FDA-DHS Collaborate to Mitigate the Risks of Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) presented a memorandum of agreement to establish a new framework for better cooperation and improved coordination of their efforts to increase medical device safety. Cybersecurity vulnerabilities in medical devices are a growing concern considering that hackers can … Read more

Children’s Hospital of Philadelphia’s Double Account Breach Due to Phishing Attacks

The email accounts of two employees of the Children’s Hospital of Philadelphia (CHOP) were compromised after successful phishing attacks launched on August 23 and August 29, 2018. CHOP identified unauthorized access to a doctor’s email account on August 24. According to investigations, the account was accessed even the day … Read more

OIG’s Medicaid Data Breach Report for 2016

The Department of Health and Human Services’ Office of Inspector General (OIG) issued a new report stating that most Medicaid data breaches are relatively minor and affect only a very limited number of people. For the report, OIG looked at all the breaches that Medicaid agencies and their contractors reported in 2016. Based on the … Read more

Federally Facilitated Exchanges Direct Enrollment System Breach Affects 75,000 Americans

A health insurance system connected to the HealthCare.gov website was hacked, according to the Centers for Medicaid & Medicare Services (CMS). The sensitive data of about 75,000 people were potentially accessed by the hackers. CMS staff identified anomalous activity in the Federally Facilitated Exchanges system and the Direct Enrollment pathway that … Read more

OCR HIPAA Penalties Reach $100 Million After Anthem Pays $16 Million for HIPAA Breach Settlement

OCR has issued a settlement fine to Anthem for potential HIPAA violations that led to a 78.8 million records breach in 2015. Anthem paid $16 million and took corrective action to resolve the compliance issues that OCR discovered during the breach investigation. Before this settlement, the largest HIPAA breach settlement was with Advocate Health Care … Read more

Irish DPA Investigates Google+ Bug Impacting 500,000 Users

According to a report in The Wall Street Journal, Google is going to close down Google+ because the social media platform is being investigated by the Data Protection Authority in Ireland for allegedly failing to disclose a bug that potentially affected as many as 500,000 accounts. Internal communications revealed that Google senior management knew about … Read more

Most Common Phishing Emails Used on Healthcare Organizations

Cofense recently revealed in a news report the most common healthcare phishing emails sent by hackers and which messages attract the most clicks. The 2018 Cofense State of Phishing Defense Report gives information about susceptibility and resilience to phishing attacks and the responses to phishing emails. It also shows the seriousness of … Read more

ECRI’s Top 10 List of Health Technology Hazards for 2019

The ECRI Institute, a non-profit organization that researches new methods to improve patient care, has recently released its annual list of the top 10 Health Technology Hazards for 2019. The objective of the list is to help healthcare companies discover possible sources of danger or issues with technology that can cause problems … Read more

Phishing Attacks on Minnesota DHS Potentially Compromised PHI of 21,000 Patients

There were two phishing attacks on the Minnesota Department of Human Services (DHS) that impacted 21,000 persons receiving medical assistance. DHS has already mailed the patients notification letters regarding the possible breach of their protected health information (PHI). It was confirmed that two DHS employees’ email accounts were compromised as a result of the … Read more

HHS OIG Develops New Web Page to Heighten Awareness about Its Cybersecurity-Related Activities

The Department of Health and Human Services’ Office of Inspector General (HHS OIG) would like the HHS and the healthcare sector to have increased awareness of its work to combat cyberthreats. It is trying to increase the transparency of the department with regards to its activities for enforcing cybersecurity. One project is the new web … Read more

PHI of 3,600 Michigan Medicine Patients Disclosed Because of Mailing Error

Michigan Medicine is informing over 3,600 patients that some of their protected health information (PHI) was impermissibly disclosed. The Michigan Medicine Development Office had a fundraising campaign and sent letters to many of its patients in early September 2018. The printing of the letters for mailing was done by a third-party vendor. Most of the … Read more

California HIV Patient PHI Breach Lawsuit Moves Onward

Lambda Legal filed a lawsuit on behalf of 93 data breach victims, lower-income HIV-positive persons whose highly sensitive protected health information (PHI) was stolen from the California AIDS Drug Assistance Program (ADAP) by unauthorized people. The previous administrator of ADAP, A.J. Boggs & Company, filed a motion to dismiss at the Superior … Read more

Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook Published by FDA

On October 1, 2018, the U.S. Food and Drug Administration presented a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook created to assist healthcare delivery organizations in preparing for and resolving medical device cybersecurity issues. The playbook is meant to guide healthcare delivery organizations in creating a readiness and response framework … Read more

Hacking of Facebook Affects Over 50 Million Users

Facebook’s engineers identified a serious data breach on September 25 that affected roughly 50 million Facebook users. A breach notification was sent to affected users. At the same time, all user accounts were automatically signed out. If users would like to access their accounts, they had to log in once again. Facebook shares decreased by … Read more

Feedback Needed on NIST’s New Guidance for Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) produced draft guidance designed to help federal agencies and other organizations understand the problems associated with securing Internet of Things (IoT) devices and dealing with the cybersecurity and privacy threats introduced by IoT devices. The first guidance document, named Considerations for … Read more

Phishing Attack on Aspire Health Potentially Exposed Patient PHI

Aspire Health provides in-home services for patients with critical illness residing in Nashville, TN. Aspire Health suffered a phishing attack resulting in unauthorized access to the email account of one employee. Using the accessed email account, the attacker forwarded 124 messages to a different email account. Many of the sent messages contained patients’ protected … Read more

Healthcare Data Breaches Increased by 70% From 2010 to 2017

Healthcare data breaches from 2010 to 2017 increased by 70%, according to a study conducted by two doctors at the Massachusetts General Hospital Center for Quantitative Health. The study was published in the Journal of the American Medical Association on September 25 and reviewed 2,149 healthcare data breaches that were reported to the Department of … Read more

Several Employees of Claxton-Hepburn Medical Center Fired for Accessing PHI Without Authorization

Claxton-Hepburn Medical Center is a not-for-profit community hospital located in Ogdensburg, NY. A number of its employees were terminated for accessing patient medical records even though they were not authorized to do so. The hospital became aware of the PHI breaches while conducting an internal investigation. The report did not clearly say if … Read more

A Sum of $999,000 Paid to OCR as HIPAA Penalties for Impermissible PHI Disclosure to ABC Film Crew

Three hospitals paid the Department of Health and Human Services’ Office for Civil Rights (OCR) a total of $999,000 to settle their HIPAA violations. The hospitals had allowed an ABC film crew to record video of patients for its Boston Med TV series and did not obtain the patients’ consent before letting other individuals … Read more

Hospital Employee Stole and Sold Patients’ PHI Using WhatsApp Encrypted Phone App

Brooklyn’s Kings County Hospital discovered that one of its former emergency department staff had allegedly stolen the protected health information (PHI) of about 100 people and shared it with another person using an encrypted mobile phone app. 52-year-old Orlando Jemmott was employed for 12 years at Kings County Hospital. Since … Read more

Phishing Attack on Ohio Living and Guardiant Exposed the PHI of 7,600 Persons

Ohio Living, a company that provides life plan communities and home health services, found out that an unauthorized person had accessed the email accounts of a few of its employees. On July 10, 2018, Ohio Living identified suspicious activity associated with one employee’s email account. It was investigated immediately with the help … Read more

What are the HIPAA Guidelines on Using Social Media?

In 2015 ProPublica published a study that documented HIPAA violations committed by healthcare workers on social media. If not dealt with, many more HIPAA violations will likely take place through social media. Posting content such as the types listed below is among the most common social media violations of the HIPAA Rules: Pictures … Read more

Blue Cross and Blue Shield of Rhode Island Privacy Breach Was Due to Mailing Vendor Error

Blue Cross and Blue Shield of Rhode Island (BCBSRI) is notifying 1,567 plan members about the impermissible disclosure of their protected health information (PHI) by one of its business associates. The business associate was a vendor contracted by BCBSRI to send explanation of benefits statements to its plan members. The explanation of benefits statements contain … Read more

40,800 Patients Affected by Ransomware Attack on Fetal Diagnostic Institute of the Pacific

The Fetal Diagnostic Institute of the Pacific (FDIP), located in Honolulu, Hawaii, suffered a ransomware attack on June 30, 2018. File-encrypting software was installed on a server, and various files, including medical records, were encrypted. FDIP engaged a top-tier firm to investigate the breach and determine whether the … Read more

17,000 Independence Blue Cross Members Notified of PHI Exposure

Independence Blue Cross in Philadelphia is notifying thousands of its plan members that their protected health information (PHI) was potentially exposed online and may have been accessed by unauthorized individuals. The Independence Blue Cross privacy office learned of the exposed PHI on July 19. A prominent forensics investigation company was immediately … Read more

Hopebridge (IN) and United Methodist Homes (NY) Reported Email Security Breaches

Hopebridge is a network of 28 autism treatment centers located all over the Midwest. It experienced a phishing attack, which potentially resulted in the access of its patients’ protected health information (PHI) by an unauthorized individual. Hopebridge detected the security breach on July 19, 2018 and called in a third-party computer forensics company to investigate … Read more

Texas Nurse Lost Her Job Because of Posting PHI on Social Media

A nurse working at a Texas children’s hospital was laid off for posting protected health information (PHI) on a social media site, which is a violation of the Health Insurance Portability and Accountability Act (HIPAA) Rules. The nurse worked in the pediatric ICU/ER unit of the Texas Children’s Hospital. Allegedly, the nurse posted comments on … Read more

PHI of 31,000 Individuals Exposed Due to the Phishing Attack on Acadiana Computer Systems

Acadiana Computer Services Inc., which provides the healthcare industry in Lafayette, LA with software and business solutions, discovered that an unauthorized person accessed an employee’s email account. Upon detecting the security breach on July 6, 2018, Acadiana disabled external access to the email account and retained the services of an independent cybersecurity specialist to investigate … Read more

Phishing Attack on Reliable Respiratory Affects 21,000 Patients

Reliable Respiratory, a respiratory care provider in Norwood, MA, experienced a phishing attack that impacted 21,311 patients. A suspected cyberattack was identified on July 3, 2018 after unusual activity was noticed in an employee’s email account. The account was investigated, and it was found that the employee had been targeted by a phishing … Read more

How to Comply With the HIPAA Password Requirements

In order to comply with the HIPAA password requirements, it is best to understand what they are so you can determine whether they apply to your organization. If an organization uses HIPAA-compliant authentication methods other than usernames and passwords to control access to ePHI, the HIPAA password requirements may not apply. … Read more

How Healthcare Providers Can Secure Electronic Media and Devices With ePHI

The Department of Health and Human Services’ Office for Civil Rights released its cybersecurity newsletter for August 2018, reminding HIPAA-covered entities to implement physical, administrative and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). Similar care should be applied to … Read more

Arc of Erie County Pays $200,000 for Security Breach

The New York Attorney General fined the Arc of Erie County $200,000 for violating the HIPAA Rules by failing to protect its clients’ electronic protected health information (ePHI). The Arc of Erie County is a non-profit social services organization and a chapter of the Arc Of … Read more

NIST’s Securing Wireless Infusion Pumps Guide Now Available in Healthcare Delivery Organizations

The final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations, prepared by the National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST), has been released. Wireless infusion pumps today are not standalone devices. They can be connected to a variety of … Read more

Is a HIPAA Release Form Required?

A patient-signed HIPAA release form should be obtained before sharing protected health information (PHI) with other people or providers, except for disclosures for treatment, payment or healthcare operations that the HIPAA Privacy Rule permits. Brief summary of the HIPAA Privacy Rule: The HIPAA Privacy Rule (45 CFR §164.500-534) was enacted … Read more

Qualcomm Life Capsule Datacaptor Terminal Server Beset With ‘Misfortune Cookie’

A code vulnerability has been discovered in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS). A threat actor could remotely exploit the vulnerability to gain administrator-level privileges and execute code remotely. The Capsule Datacaptor Terminal Server is a healthcare gateway device used by numerous American hospitals to connect their medical devices. The … Read more

BD Alaris Plus Medical Syringe Pumps Vulnerability Identified

The BD Alaris Plus medical syringe pumps have a critical, wirelessly exploitable vulnerability. When connected to a terminal server through the serial port, the syringe pump could be exploited by a threat actor to alter its intended operation. The vulnerability is an incorrect authentication flaw. The software program falls … Read more

38,000 Patients’ PHI Exposed Due to Legacy Health Phishing Attack

Legacy Health found that an unauthorized person had gained access to its email system and to the protected health information (PHI) of about 38,000 patients. The Portland, Oregon-based health system operates two regional hospitals, seventy clinics and four local community hospitals in Oregon, Southwest Washington, and the Mid-Willamette Valley. Legacy Health is the second … Read more

Anthem’s $115-Million Proposed Settlement Approved By Court

Anthem Inc. offered a $115 million settlement in 2017 to resolve the class action lawsuits filed by the victims of its 78.8 million-record data breach in 2015. The proposed settlement was finally approved on August 16. The Anthem cyberattack resulted in the theft of plan members’ names, birth dates, medical insurance details, … Read more

Maryland’s Medicaid System Audit Revealed Vulnerabilities

The Department of Health and Human Services’ Office of Inspector General (OIG) has released the findings of its audit of Maryland’s Medicaid system. The audit was carried out as part of the HHS OIG’s efforts to oversee states’ use of various Federal programs and to determine whether proper security controls were enforced … Read more

Oklahoma Department of Veteran Affairs Accused of HIPAA Rules Violation

Three Democratic legislators have accused the Oklahoma Department of Veteran Affairs of violating the Health Insurance Portability and Accountability Act (HIPAA) Rules. They have also called for the dismissal of two senior Oklahoma VA officials as a result of the incident. The alleged HIPAA violation took place during a scheduled website outage. At that … Read more

SSM Health Breach Impacts PHI of 300,000 Patients

Approximately 300,000 patients of SSM Health St. Mary’s Hospital in Jefferson City, Missouri have been notified that some of their protected health information (PHI) was exposed and potentially accessed by unauthorized individuals. St. Mary’s Hospital moved to a new location on November 16, 2014. All the patient health records were also transported and … Read more

Guide for Safeguarding Electronic Health Records on Portable Devices by NIST/NCCoE Now Available

The HIPAA Security Rule requires covered entities to consistently safeguard the confidentiality, integrity and availability of protected health information (PHI). Healthcare organizations’ duties include maintaining patients’ wellness, safeguarding their privacy and not endangering their identities. To protect ePHI stored on web servers or desktop computer systems, there are administrative, physical and technical … Read more

Does the Use of Geofencing Technology Violate the HIPAA Rules?

Geofencing technology creates a virtual fence around a specific physical location or area. Entering that invisible boundary triggers push notifications to the person’s mobile phone. Retailers began using geofencing technology some time ago, and Google likewise uses it to alert users based on their location. A digital marketing firm is helping … Read more

Business Associate Error Caused Data Breach Affecting 19,000 Orlando Orthopaedic Center Patients

The protected health information (PHI) of more than 19,000 patients was compromised as a result of a mistake a transcription service vendor made while upgrading software on a server. Patients of Orlando Orthopaedic Center in Orlando, Florida who received healthcare services before January 2018 were affected by the data breach. The software … Read more

Phishing Attack on Confluence Health Announced

A data security breach took place at Confluence Health, a non-profit health system operating Wenatchee Valley Hospital, Central Washington Hospital and other satellite clinics in North and Central Washington. The breach involved an employee’s email account and resulted in patients’ protected health information (PHI) being accessed by an unauthorized individual. When the … Read more

Summary of Healthcare Data Breach Reports for June 2018

According to the healthcare data breach report for June 2018, healthcare data breaches increased by 13.8% from the previous month. However, the breaches were less severe, with 42.48% fewer healthcare records exposed or stolen than in May 2018. There were 33 healthcare data breaches reported in June to the Department of Health and … Read more

Sunspire Health and UPMC Cole Phishing Attacks Compromised Patients’ PHI

Two healthcare providers sent in reports of phishing attacks that granted cyber criminals access to patients’ protected health information (PHI). The attackers in both incidents gained access to a couple of email accounts. Sunspire Health manages a national network of addiction treatment facilities. In the latest incident, several email accounts were accessed by unauthorized persons … Read more

PHI of 44,600 Patients of Golden Heart Administrative Professionals Compromised Due to Ransomware Attack

Golden Heart Administrative Professionals, located in Fairbanks, AK, serves as a business associate to local healthcare providers by providing billing services. It recently suffered a ransomware attack and is notifying 44,600 people that unauthorized persons may have accessed portions of their protected health information (PHI) as a result. The ransomware infected … Read more

Ransomware Attack on LabCorp Leads to System Shutdown and Inaccessible Lab Test Results Online

LabCorp, a U.S. clinical laboratory, initially reported a cyberattack that may have allowed hackers to view or copy patients’ protected health information (PHI). It was later confirmed that the incident was a ransomware attack rather than a data-theft intrusion, so data theft is unlikely to have been the attacker’s intent. The attack … Read more

UMC Physicians and MSK Group Sent PHI Breach Notice to Patients

Hackers attacked the email accounts of doctors at UMC Physicians in Texas, potentially compromising the protected health information (PHI) of roughly 18,000 patients. The IT staff of UMC Physicians discovered the breach on May 18, 2015, although the hacking occurred on March 15. Consequently, the … Read more

Metro Health Employee Error Caused PHI Breach

According to a report published in The Tennessean, an error by a Metro Health employee exposed the protected health information (PHI) of patients with HIV or AIDS. The employee copied the data held in a database and uploaded it to a server, giving all Nashville Metro Public Health Department personnel access to … Read more

Employee of Arkansas Children’s Hospital Involved in PHI Theft Fired

Law enforcement investigated the involvement of an employee at Arkansas Children’s Hospital in the theft and improper use of patients’ protected health information (PHI). According to the breach report, the PHI of about 4,521 patients was potentially accessed and copied by the employee. The employee worked at Arkansas Children’s Hospital for 15 months from November 7, … Read more

Is Intercom HIPAA Compliant?

Intercom is a messaging software-as-a-service solution that is popular among businesses that chat with their clients. There is a potential use for this software in the healthcare industry when healthcare providers and patients chat with each other. Does Intercom comply with HIPAA rules when used in connection with electronic protected health information (ePHI)? Before HIPAA … Read more

PHI Theft Due to Phishing Attack on Manitowoc County

Manitowoc County in Wisconsin suffered a phishing attack that resulted in protected health information (PHI) being stolen. The phishing attack most likely took place on January 14, 2018, but Manitowoc County only discovered the incident and security breach on April 24. Steps to secure the email account were quickly taken to keep the … Read more

Recommendations On the CMS’ Hospital Inpatient Prospective Payment System Proposed Rule By AHA

American Hospital Association (AHA) members are concerned about the proposed rule issued by the HHS Centers for Medicare and Medicaid Services for the hospital inpatient prospective payment system for fiscal year 2019. In particular, concern has been raised about allowing health apps selected by a patient to connect to healthcare providers’ APIs. Mobile health applications … Read more

University of Pittsburgh Medical Center Staff Punished for Criminally Violating HIPAA Regulations

A former patient information coordinator at the University of Pittsburgh Medical Center has been charged by a federal grand jury with criminal violations of the HIPAA Rules, according to a Department of Justice announcement on June 29, 2018. Linda Sue Kalina, 61, of Butler, Pennsylvania, was charged in a six-count indictment … Read more

ICS-CERT Explains Vulnerabilities in Medtronic MyCareLink Heart Monitors

ICS-CERT has issued an advisory concerning two recently discovered vulnerabilities in Medtronic MyCareLink patient monitors. Patients with implantable cardiac devices use these monitors to send their heart rhythm data directly to their physicians. The patient monitors are built with security controls and transfer data over a secure web connection; however, there is a … Read more

Summary Report of Healthcare Data Breaches for May 2018

Covered entities reported a total of 41 healthcare data breaches in April and 29 in May. Even though healthcare data breaches declined by 29.27% month-over-month, the breaches reported in May were as serious as those in April. The number of compromised or stolen medical records in May was 838,587, which was 56,287 fewer than … Read more

PHI Stolen from Covered Entities in Corpus Christi and San Francisco

Patients of two HIPAA-covered entities got notification letters that their protected health information (PHI) had been compromised because of burglaries. The first breach incident happened on April 16, 2018 affecting two Christus Spohn Hospitals in Corpus Christi. A Christus Spohn employee was burgled, resulting in the theft of PHI, which included the patients’ names, schedule … Read more

Does SendGrid Comply With the HIPAA Law?

SendGrid is a service that businesses use for sending email messages. It is a very quick and easy way to communicate marketing messages to clients. Even so, can healthcare organizations use SendGrid without breaking HIPAA rules? Does SendGrid comply with HIPAA requirements? The conduit exception rule does not cover businesses that offer cloud-based email marketing … Read more

Only 13% of Healthcare Companies Using DMARC Implement it Effectively

Healthcare companies can implement DMARC, the Domain-based Message Authentication, Reporting and Conformance standard, to identify and prevent email spoofing. However, only a minority of healthcare companies use DMARC, according to Valimail, an email authentication vendor. DMARC works by ensuring that a domain is used only by authenticated senders. A company that is … Read more

Court to Determine If Psychiatrist’s Termination was In Fact Due to HIPAA Violation

Steward Healthcare System in Boston terminated psychiatrist Alexander Lipin for allegedly violating the HIPAA Rules. Lipin rejected the accusation and claimed that his dismissal was retaliation for extending his disability leave. Dr. Lipin had asked to extend his disability leave after contracting pneumonia. Steward Healthcare System granted … Read more

Summary Report of Healthcare Data Breaches for April 2018

April was a bad month for the healthcare industry, with more health data breaches and more affected individuals than in March 2018. The Department of Health and Human Services received 41 reports of healthcare data breaches in which 894,874 healthcare records were exposed or stolen. Healthcare data breach incidents had grown month over … Read more

Vulnerabilities Seen in Philips, Silex and GE Medical Equipment

The Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published advisories concerning vulnerabilities in certain medical products manufactured by Silex, GE Healthcare and Philips. Cyber criminals and unauthorized persons could exploit the vulnerabilities to manipulate the devices. Philips advised the National Cybersecurity and Communications Integration Center (NCCIC) concerning … Read more

GAO Reports Patients Spend Too Much on Copies of Their Health Records

The Government Accountability Office (GAO) recently performed an audit which revealed that patients continue to face many difficulties in obtaining copies of their health records. Healthcare companies and insurers are likewise failing to satisfy HIPAA requirements, sometimes resulting in violations of the HIPAA Rules. The 21st Century Cures Act required the audit to find … Read more

Database Security of Cerebral Palsy Research Foundation of Kansas Was Disabled Exposing the PHI of 8,300 Patients

On March 10, 2018, Cerebral Palsy Research Foundation of Kansas (CPRF) discovered that the security protections on one of its databases had been disabled for 10 months. This vulnerability led to the compromise of 8,300 patients’ protected health information (PHI). Upon learning that the demographic database was unsecured, CPRF took the necessary action to secure the … Read more

HIPAA Audit Checklist

A HIPAA audit checklist is a list of the HIPAA regulations and standards that apply to a covered entity’s operations which can be used to assess the covered entity’s compliance with HIPAA. Because not all regulations and standards affect covered entities’ operations in the same way, there is no one-size-fits-all HIPAA audit checklist. One of … Read more

PHI of 17,639 Patients of Capital Digestive Care Exposed

Capital Digestive Care, a gastroenterology group based in Silver Spring, Maryland, discovered a mistake made by one of its business associates. The BA had uploaded data files to a commercial cloud server that lacked the necessary security settings. This led to the exposure of 17,639 patients’ protected health information (PHI). Capital Digestive Care … Read more

Insider Breaches in Healthcare Report by Protenus for Q1 2018

The Protenus quarterly Breach Barometer report compiles data breach information supplied by Databreaches.net and by the artificial intelligence platform developed by Protenus. The collected information enables healthcare organizations to monitor and evaluate employee EHR activity. This quarter’s report gives an idea of the magnitude of insider HIPAA Rules violations as well as … Read more

Florida Hospital Websites Infected With Malware and Potentially Affected Patients’ PHI

Three websites used by Florida Hospital were infected with malware. Because of the malware attack, the threat actors potentially had access to the protected health information (PHI) of patients. There is no confirmed report that suggests any PHI was accessed or misused. Florida Hospital has informed patients of the breach. Out of an … Read more

Healthcare Industry Employees Still Lack Understanding of the Best Security Practices

Wombat Security recently published its Beyond the Phish Report, which revealed healthcare employees’ lack of understanding of common security threats. The report compiled data from customers and end users who answered about 85 million questions across 12 categories and 16 industries. Respondents were asked about the best security … Read more

How to Mitigate Insider Threats in Healthcare

The healthcare industry experiences many insider breaches every year, which calls for covered entities and business associates to take steps to reduce the occurrence of these incidents. The approaches to mitigating insider threats fall into four categories: Educate: teaching the workforce about the allowable uses and disclosures of PHI, … Read more

California Ransomware Attack Affects 85,000 Patients

Patients of the Center for Orthopaedic Specialists are being notified that unauthorized individuals potentially accessed some of their protected health information (PHI) when ransomware was installed on its network. The ransomware attack affected the three facilities of the Center for Orthopaedic Specialists located in Simi Valley, West Hills and Westlake Village in California. Databreaches.net reported … Read more

Tackling Issues to Resolve Cybersecurity Flaws

Healthcare organizations easily become victims of cyberattacks because they continue to use outdated software and do not patch vulnerabilities promptly. This problem was evident in the WannaCry ransomware attacks in May 2017; U.S. healthcare providers were lucky to have escaped, unlike their counterparts in the U.K. Symantec recently described a threat group that has been attacking … Read more

PHI of 582,000 Patients from California Department of Developmental Services Potentially Compromised

The protected health information of 582,174 patients of the California Department of Developmental Services (DDS) was potentially compromised. Thieves broke into the legal and audits offices of DDS in Sacramento, CA on February 11, 2018. They had potential access to the PHI of over half a million patients plus the sensitive information of about … Read more

Berkeley Medical Center Employee Charged with Identity Theft Gets 5 Years’ Probation

Chief U.S. District Judge Gina M. Groh sentenced Angela Dawn Roberts, a former employee at Berkeley Medical Center, to 5 years’ probation for her involvement in an identity theft scam. In addition to the probation, Angela Dawn Roberts of Stephenson, VA must pay $22,000 in restitution. Angela Dawn Lee (another name used by Roberts) worked for WVU … Read more

4,000 Texas Health Resources Patients Notified of Email Account Breach

Provider group Texas Health Resources, based in Arlington, is notifying approximately 4,000 patients that an unauthorized person accessed some of their sensitive information. The security breach happened in October 2017, but Texas Health Resources only learned of it on January 17, 2018 when law enforcement notified them. The attacker accessed email accounts that contained … Read more

HCCIC Advice on the Prevention of Ransomware Attacks

The number of SamSam ransomware attacks on government and healthcare organizations has increased in recent months. These incidents prompted the Department of Health and Human Services’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) to publish a report about the SamSam ransomware attacks. The report includes tips to raise awareness of what to … Read more

SamSam Ransomware Attacks Increased in the Past 4 Months

There have been 10 SamSam ransomware attacks since December 2017, mostly on government and healthcare providers in the United States, with other attacks reported in India and Canada. One of the attacks, in January 2018, hit Allscripts. Because this EHR provider’s system was down for several days, 1,500 medical … Read more

HHS Explains Why Ciox Health Lawsuit Lacks Standing

The Department of Health and Human Services filed a motion to dismiss the lawsuit filed by Ciox Health for lack of standing. Early this year, healthcare information management company Ciox Health filed a lawsuit against HHS to challenge the changes to HIPAA in 2013 and the enforcement guidance they issued in 2016. Ciox Health questioned … Read more

Insufficient Employee Security Awareness Training Exposes Healthcare Organizations to the Risk of Cyberattacks

Ponemon Institute conducted a study on behalf of Merlin International involving 627 healthcare executives in the United States and found that healthcare organizations are failing to train their employees in security awareness. About 52% of respondents confirmed that lack of security awareness is the top reason why healthcare organizations are slow in improving their security … Read more

Updates to the Oregon Data Breach Notification Law and Information Security Law

Oregon Governor Kate Brown signed Senate Bill 1551 (SB 1551) last month, updating several laws including Oregon’s Breach Notification Law (O.R.S. 646A.604) and Information Security Law (O.R.S. 646A.622). The updates will take effect in June 2018. What are the updates in the recently signed bill? There were several definition updates. … Read more

What Happens to a Healthcare Employee When He Breaks the HIPAA Rules?

Healthcare employees need to be aware of the HIPAA rules and regulations and the possible penalties for breaking them. This is why covered entities need to conduct HIPAA awareness training for their employees. If a healthcare employee breaks the HIPAA rules, four outcomes are possible. The employer may opt to deal with … Read more

Is the Uber Health Ride Sharing Service HIPAA Compliant?

Uber Health, which launched in beta this March, is a platform for arranging cost-effective transportation for patients. About 100 healthcare organizations are trying the platform before it is officially launched. However, questions have been raised about the HIPAA compliance of Uber Health. Uber Health features an online dashboard that healthcare providers … Read more

Improper Disposal of Paper Records With PHI is Still Common

JAMA recently published a study that highlighted the frequent improper disposal of PHI. Although the study was based in Canada, which is a location not covered by HIPAA, the findings show an important aspect of PHI security that is often ignored. The study was conducted by researchers at St. Michael’s Hospital in Toronto. They checked … Read more

Is It Possible to Make WordPress HIPAA Compliant?

WordPress is a popular content management system that anyone can use to create websites quickly. Many businesses use WordPress, but is it HIPAA compliant, so that healthcare organizations can use the platform in connection with protected health information? The HIPAA compliance requirements for websites are actually a little vague. But with respect to the storage … Read more

What Should Product or Service Providers in the Healthcare Industry Do to Become HIPAA Compliant?

If you’re thinking of setting up a business in the healthcare industry that will likely have access to protected health information, it’s necessary to know how to be HIPAA compliant. What does it mean to be HIPAA compliant and how do healthcare organizations achieve this status? It’s not easy to become HIPAA compliant because it … Read more

Is Google Calendar HIPAA Compliant?

Google Calendar is one of the products and services offered in Google’s G Suite, which was launched in 2006. It is a tool that is used for time management and scheduling of appointments. Will the use of this tool by healthcare organizations, which may require adding protected health information (PHI), be considered a HIPAA rules … Read more

Is Google Slides HIPAA Compliant?

Google Slides is a web-based presentation editor that can be used to create slide shows, project presentations and training material. It can be used for free by anyone who doesn’t have a software program with the same functionality, such as Microsoft PowerPoint. Is it possible for healthcare organizations to use Google Slides in connection with … Read more

What Penalties Await Those Who Knowingly Violate HIPAA Rules?

When covered entities “knowingly” violate HIPAA Rules, what is the financial penalty and when are fines issued? It is important to know the answers to these questions as these relate to the safety and integrity of people’s healthcare information. The Health Insurance Portability and Accountability Act or HIPAA is a federal law that healthcare organization … Read more

2016 Banner Health Data Breach Likely to See Financial Penalty From OCR

Banner Health issued a financial report mentioning OCR’s investigation of the colossal 2016 Banner Health data breach. In the said breach incident, 27 Banner Health facilities located in Alaska, Arizona, Colorado, California, Nevada, Nebraska, and Wyoming were affected. The protected health information of 3.7 million patients was exposed. Sensitive information such as names, birth dates, … Read more

Finger Lakes Health Attacked by Ransomware

Finger Lakes Health in Geneva, NY had a ransomware attack that made its computer system inaccessible. The health system did not stop its operations but the staff had to use pen and paper while the IT team worked on removing the malware to restore access to electronic medical data. Finger Lakes Health was attacked on … Read more

Is Zendesk Compliant With HIPAA Rules?

Zendesk is a platform offering customer service software and support ticketing system. Over 200,000 companies use Zendesk for handling customer support, managing customer queries and building relationships with clients. Can healthcare organizations in the U.S. also use Zendesk products and services for patient communication and electronic protected health information (ePHI) management? Is Zendesk compliant with … Read more

NH-ISAC and Anomali Partnership Improves Threat Intelligence Sharing in Healthcare

Anomali and the National Health Information Sharing and Analysis Center (NH-ISAC) have partnered to provide threat intelligence to healthcare organizations. Anomali can help in several ways: It has the tools and infrastructure needed for collaboration and for sharing threat intelligence with others. It can provide updated threat intelligence on old and new external threats that are … Read more

Healthcare Organizations’ Experience Regarding Data Breaches in 2017 According to the Ponemon Institute Survey

Ponemon Institute conducted a survey sponsored by Merlin International which revealed that 62% of healthcare organizations experienced data breaches in the past year resulting in data loss. The survey involved the participation of 627 leaders from hospitals and payer organizations. About 67% of the survey participants were from hospitals that have 100-500 beds and about … Read more

Does Office 365 Comply With the HIPAA and HITECH Act Rules?

Office 365 is Microsoft’s set of subscription products that includes the following programs: Word, Excel, OneNote, PowerPoint, Outlook, Access and Publisher. Can healthcare organizations use Office 365 without violating the HIPAA and HITECH Act Rules? If HIPAA covered entities purchase Office 365 through the Volume Licensing Programs or the Dynamics CRM Online Portal, Microsoft is … Read more

Do Healthcare Organizations Need HIPAA Certification?

Vendors who offer their services to healthcare organizations understand the importance of being recognized as HIPAA compliant. Hence, many service providers ask whether it is possible to get a HIPAA certification. Ideally, a HIPAA certification would serve as proof that a third-party vendor understands and follows all aspects of HIPAA rules. If for example … Read more

Is eFileCabinet HIPAA Compliant?

eFileCabinet is a document management system (DMS) that many businesses have been using for on-site and cloud storage. Is this platform suitable for healthcare organizations to use, too? Is it HIPAA compliant? Document management systems (DMS) help businesses and organizations maintain, manage, and safely store electronic documents in a single location. Systems like this simplify … Read more

Tips from FBI to Offset Spike in W-2 Phishing Campaigns

The Federal Bureau of Investigation (FBI) warned businesses, educational institutions and healthcare organizations regarding the significant increase in phishing attacks on payroll employees. The phishing attacks aim to copy the W-2 forms of employees and the hackers use the copied data for tax fraud and identity theft. There were also some cases reported that payroll … Read more

Health Net Refuses Security Audit Says OPM OIG

Health Net California, a provider of government employees’ benefits, has been flagged as unwilling to undergo security audits in a Flash Audit Alert released by the U.S. Office of Personnel Management (OPM) Office of the Inspector General (OIG), Office of Audits. Over the past 10 years OPM has been assigned to perform security … Read more

Misconceptions About Using Cloud Service Providers and HIPAA Compliance

Many healthcare organizations are transitioning to utilizing the cloud for managing patients’ ePHI. But before any HIPAA covered entity does the same thing, it is necessary to understand important matters such as HIPAA compliance and the requirements for cloud computing. In this article, common misconceptions about HIPAA compliance and cloud computing will be discussed to … Read more

Does Ademero Adhere to HIPAA Rules?

Ademero is a document management software (DMS) that businesses use to monitor and manage their documents. The software likewise helps them go paperless and transition to digital. Does using Ademero, however, comply with HIPAA Rules? The HIPAA Security Rule incorporates required and addressable implementation specifications. These required implementation specifications, when executed, … Read more

Can Healthcare Organizations Use Box Without Violating HIPAA Rules?

Box is another popular cloud storage and content management service. Anyone can create a Box account and use it personally for file-sharing, uploading content and inviting others to view or edit the content. Businesses that want to use Box must sign up for a business, enterprise or elite account. Can healthcare organizations also use Box for … Read more

Can FaceTime Be Considered HIPAA Compliant?

Before answering the question whether FaceTime is HIPAA compliant, it has to be acknowledged at the outset that no communications platform will be completely HIPAA compliant basically because the law deals with users and not technology. That being said, two things need to be considered to be able to tell if the app adheres to … Read more

What are Insider Threats?

According to the Protected Health Information Data Breach Report of Verizon, 58% of healthcare data breaches are caused by insiders. The problem is the difficulty of detecting insider breaches. 75% of insider threats go unnoticed. For instance, a healthcare employee at a Massachusetts hospital was accessing healthcare records without authorization for 14 years. When he … Read more

What Makes an Email Service HIPAA Compliant?

Healthcare organizations can use email to send messages internally. If the email system is protected by a firewall, there’s no need to encrypt messages. But if messages with protected health information will be sent externally beyond the firewall, it is necessary to make sure that only authorized persons will see the messages. The email service … Read more

Report on Healthcare Data Breaches for January 2018

The January 2018 Healthcare Data Breach report is now available. Based on the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights, there were 21 security breaches in January 2018. The number of incidents this January is lower than in December 2017, which recorded 39 incidents. The number … Read more

How Many Violations of HIPAA Rules Result in Financial Penalties in 2017?

How many healthcare data breaches occurred in 2017, and how many of those that violated HIPAA rules resulted in financial penalties? It’s difficult to get accurate data about HIPAA violations for several reasons. First, many data breaches are not reported. The Department of Health and Human Services’ Office for Civil Rights only publishes on its breach … Read more

Is G Suite HIPAA Compliant?

Can HIPAA-covered entities use G Suite without violating HIPAA Rules? G Suite was developed by Google with privacy and security protection features necessary to safeguard data. It satisfies the required standards of the HIPAA Security Rule. If necessary, Google willingly signs a business associate agreement with a HIPAA-covered entity. Does this mean G Suite is … Read more

Why Sharing of EHR Passwords is Common Among Medical People

Ayal Hassidim, MD of Hadassah Hebrew University Medical Center in Jerusalem conducted a study in collaboration with researchers from Harvard Medical School, Duke University and Ben Gurion University of the Negev. The study surveyed 299 medical students, interns, medical residents and nurses regarding the practice of sharing EHR passwords. The results, which … Read more

FMCNA to Pay $3.5 Million for HIPAA Violations Resulting in Five Data Breaches

The Department of Health and Human Services’ Office for Civil Rights (OCR) announced the first case of HIPAA settlement for 2018. For multiple potential HIPAA violations, Fresenius Medical Care North America (FMCNA) agreed to pay a settlement amount of $3.5 million to OCR. The violations involved five separate data breaches that happened way back in … Read more

Tips to Mitigate the Risk of Cybersecurity Incidents

The Cyber Incident & Breach Trends Report published by Online Trust Alliance considers 2017 as the worst year ever for cybersecurity incidents. The number of breach reports almost doubled in 2017 compared to the previous year. Aside from knowing the data, Online Trust Alliance also investigates the incidents to understand the trends and to know … Read more

Colorado Lawmakers Proposed to Amend the Privacy and Data Breach Law

A bipartisan team of legislators in Colorado recommended modifying the state’s privacy and data breach notification laws so that Colorado residents obtain better security. If approved, there’ll be substantial adjustments in the existing state regulations. The proposed legislation would add the following items to the definition of personally identifying information (PII): Full name or last … Read more

Nebraska Legislative Bill 757 Advances After Lawmakers Voted 34-0

Nebraska lawmakers voted 34-0 during the first round of voting on a bill introduced by Senator Adam Morfield. The bill seeks to further protect Nebraska residents when their personal information is exposed during a data breach. It was introduced after the massive data breach at Equifax in 2014, which compromised the personal information of over … Read more

Aetna Filed a Class Action Lawsuit Against KCC for the Mailing Breach

Aetna took legal action against Kurtzman Carson Consultants (KCC), the administrative support company that handled the July 2017 mailing for Aetna. That mailing project resulted in a data breach disclosing the details of HIV medications through the envelope’s clear plastic window because the letters inside the envelopes slipped. The Legal Action Center, AIDS Law Project … Read more

PHI of 842 Western Washington Medical Group Patients Exposed

Documents containing the sensitive information of 842 patients at Western Washington Medical Group were compromised on November 13, 2017. Apparently, the documents were thrown away with regular trash by mistake. The sensitive documents in the shredding bins were supposed to be permanently destroyed in accordance with HIPAA Rules. However, instead of destroying them, the janitorial … Read more

What are HIPAA’s Records Retention Requirements?

Many covered entities get confused on the topic of HIPAA medical records retention and other record retention requirements. But the retention requirements of HIPAA are pretty straightforward and will be clarified in this article. The first thing to know is that there is no HIPAA medical records retention period. The Privacy Rule does not specify … Read more

The Proposed Rule on Association Health Plans and HIPAA Compliance

The Department of Health & Human Services (HHS) released a proposed rule that would help small businesses and self-employed workers get less expensive health coverage. The proposed rule broadens the criteria of the Employee Retirement Income Security Act (ERISA) by partly changing the definition of “employer” to include small businesses and self-employed workers who have … Read more

Is it Allowed to Use Text Messaging Platforms in Healthcare?

The Centers for Medicare and Medicaid Services (CMS) sent emails to healthcare providers in November 2017 to explain the prohibited use of text messages in healthcare because of security and patient privacy concerns. SMS messages are not secure and could expose patients’ sensitive data and affect the integrity of medical records. Although there are SMS … Read more

Is Google Voice HIPAA Compliant?

Can healthcare organizations and their employees use Google Voice? Is it HIPAA compliant? Google Voice is a telephony service that provides voicemail and voicemail transcription to text. It can be used for sending text messages for free as well. With its useful features, many healthcare professionals would like to use it not just for work … Read more

Is Azure HIPAA Compliant?

Healthcare organizations are not prohibited by HIPAA from using cloud services. Cloud services allow organizations to lower their IT costs. But there are rules to follow before any cloud service can be used, to ensure the security and confidentiality of protected health information. One of the cloud service providers out there is Microsoft Azure. So … Read more

Connecticut Patients Can Now File a Lawsuit Against Healthcare Providers for Privacy Violations

The Health Insurance Portability and Accountability Act has no private cause of action. Because of this, patients cannot sue healthcare providers for privacy violations. But a number of states, such as New York, Massachusetts and Missouri, have rulings that allow patients to file lawsuits against healthcare organizations for unauthorized disclosures of medical records. The Connecticut … Read more

Q4 2017 Report on Healthcare Security Breaches

The healthcare security breaches in Q4 of 2017 decreased by 13%. In Q3, there were 99 data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In Q4, 86 security breaches were reported, which is 13 incidents less than the previous quarter. The number of healthcare security breaches reported per … Read more

December 2017 Report on Healthcare Data Breaches

The healthcare data breaches in December 2017 significantly increased by 81% from the previous month. Thirty-eight healthcare data breaches that impacted over 500 persons were reported. The number of exposed patient records in December also increased by 219% from the previous month. There were 341,621 records of patients that were exposed or stolen. The pattern … Read more

What do RNs Say About Their Healthcare Organizations’ Ability to Stop Breaches?

The University of Phoenix College of Health Professions recently conducted a survey that involved 504 full-time registered nurses (RNs) and administrative staff across the United States. The results show that RNs who have held their position for at least two years are confident that their healthcare organization can prevent data breaches. 48% of RNs and … Read more

Kathryn Marchesini Is the New Chief Privacy Officer at ONC

Kathryn Marchesini is the newly appointed chief privacy officer at the Office of the National Coordinator for Health IT (ONC). She replaced Acting Chief Privacy Officer Deven McGraw. The need for the ONC to appoint a Chief Privacy Officer is stated in the HITECH Act. The work of the CPO includes advising the National Coordinator on … Read more

Florida Agency for Health Care Administration Security Breach Affects 30,000 Medicaid Recipients

The Agency for Health Care Administration in Florida discovered that an employee’s email account was accessed by an unauthorized person. The employee got a malicious phishing email on November 15, 2017. Unfortunately, he/she responded to the email and disclosed his/her login details so the hacker was able to remotely access the email account. The protected … Read more

SSM Health’s Former Employee Got Illegal Access to Sensitive Information of 29,000 Patients

The non-profit health system SSM Health based in St. Louis, MO discovered the unauthorized access of patient health records by a former employee. The former employee was part of SSM Health’s customer service call center. His access to information was limited to demographic, health and clinical information only. He did not have access to patients’ … Read more

OCR’s Cybersecurity Tips for Travelling Healthcare Professionals

In the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) newsletter issued last December, travelling healthcare professionals were given recommendations to avoid malware infections and potential exposure of patients’ protected health information. When healthcare professionals travel during the holidays, they could be taking work-issued devices, such as laptops, tablets and mobile … Read more

Questions and Answers About PHI

What is PHI? PHI is a commonly used term in healthcare, but some people do not fully understand what it means. Let’s talk about PHI and a few related terms. What are PHI, PII, and IIHI? PHI, PII and IIHI are acronyms for Protected Health Information, Personally Identifiable Information and Individually Identifiable Health Information, respectively. … Read more

What are HIPAA Compliant Email Providers?

HIPAA-covered entities are responsible for making sure that the transmission of protected health information by email is secured. The entity may choose any HIPAA compliant email provider as long as appropriate controls guarantee PHI confidentiality, integrity and availability. A HIPAA compliant email provider must offer end-to-end encryption of messages. It doesn’t matter if the software … Read more

24,000 Emory Healthcare Patients Impacted by Data Breach

A former physician at Emory Healthcare (EHC) took the protected health information of thousands of EHC patients without the hospital’s authorization or knowledge. He uploaded the information to a Microsoft Office 365 OneDrive account, where other individuals could potentially access it. The former EHC physician now works at the University of Arizona (UA) College of … Read more

Cyberattack on Jones Memorial Hospital Did Not Stop Patient Care Services

The University of Rochester Medicine’s Jones Memorial Hospital in Wellsville, New York experienced an unexpected downtime because of a cyberattack on December 27, 2017. The cyberattack disrupted some of the hospital’s information services. While the nature of the cyberattack was not disclosed, the public should know that only Jones Memorial Hospital was attacked and other … Read more

Tips for Effective Identity and Access Management to Prevent Insider Data Breaches

The HIPAA Security Rule requires the effective management of information access. Employees who are granted access to protected health information must have proper authorization. But what happens when employees leave their work? The organization needs to make sure that PHI access privileges are terminated immediately. If procedures to terminate access to PHI are not implemented, … Read more

Ethical Hackers to Help NHS Find Security Vulnerabilities to Prevent Future Cyberattack

A serious WannaCry ransomware attack occurred in May 2017. The hackers exploited vulnerabilities in the UK’s National Health Service (NHS) systems. They installed their malicious payload into the systems and disrupted services at more than 50 NHS Trusts. The attack resulted in the cancellation of appointments and postponement of operations. It took some time to … Read more

Healthcare Organizations Need to Address the Increasing Threat of Ransomware and Fileless Malware Attacks

Ponemon Institute conducted a study on current endpoint security trends. Two of the threats that need to be dealt with are ransomware and fileless malware attacks. The healthcare industry spends over $1 billion on endpoint attacks every year. The big money spent on mitigating attacks highlights the importance of endpoint security. Sad to say, healthcare … Read more

Nebraska Ransomware Attack Impacted About 10,000 Patients

Columbus Surgery Center, LLC and Eye Physicians, P.C. in Columbus, Nebraska were attacked by ransomware, resulting in the potential exposure of the protected health information of about 10,000 patients. The ransomware attack occurred on October 7, 2017 and encrypted a range of files on some servers. The attackers demanded a ransom but no ransom was paid. The healthcare … Read more

PHI of 6,600 Patients Has Been Exposed

NYU Langone Health System Data Breach
A binder that contained a log of presurgical insurance authorizations from NYU Langone Health System was mistakenly recycled by a cleaning company in October 2017. The binder contained about 2,000 patients’ names, dates of birth, dates of service, diagnosis codes, procedural terminology codes, insurance ID numbers … Read more

Healthcare Data Breach Report for November 2017

Twenty-one reports of healthcare data breaches with over 500 affected individuals were submitted to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in November 2017. Of the 21 breach reports, seven impacted over 5,000 persons. The number of reported breaches decreased this month but the number of impacted individuals … Read more

Email-Based Cyberattacks on Healthcare Organizations Increasing

HIMSS Analytics conducted a study for email security firm Mimecast. The survey results showed that 78% of healthcare organizations had been attacked by ransomware or malware in the past 12 months. Many of the survey respondents had more than 12 ransomware or malware attacks in the last 12 months. According to 37% of surveyed healthcare … Read more

Medicaid Billing Company Pays $100,000 for Data Breach Case with Massachusetts Attorney General

Multi-State Billing Services (MBS), based in New Hampshire, experienced a data breach that resulted in a financial settlement of $100,000 with the Massachusetts Attorney General’s office. MBS is the provider of Medicaid processing services for 13 public school districts in Massachusetts. Allegedly, a password-protected, unencrypted laptop computer was stolen from an MBS employee in 2014. … Read more

Phishing Attack Potentially Exposed 11,350 Sinai Health System Patients’ PHI

Chicago’s Sinai Health System was compromised when two of its employees’ email accounts were involved in a phishing attack. The phishing incident that took place on October 2 was immediately discovered and mitigated. Hence, potential access of the compromised accounts was only for a few hours. Cybersecurity experts investigated the matter and believed that the … Read more

AHA’s Suggestions for Congress to Lessen Regulatory Requirements on Hospitals

The American Hospital Association (AHA) wrote a letter to the House Ways and Means Health Subcommittee concerning how Congress can help lessen the regulatory burden on hospitals and health systems. The increased regulatory activity on hospitals and health systems is counterproductive and negatively affects patient care. For example, the Centers for Medicare & Medicaid … Read more

Lawsuit Filed Against 60 Hospitals for Violating the HITECH Act

An unsealed complaint against 60 hospitals was filed in a U.S. District Court in Indiana in 2016 for violating the HITECH Act. The 60 hospitals allegedly received the HITECH Act meaningful use incentive payments for transitioning to an electronic health records system without actually satisfying the requirements of the HITECH Act. Before hospitals can receive … Read more

UK Man Linked to The Dark Overlord Hacking Group To Serve 3-Year Jail Term

A man was sentenced to serve a three-year jail term for fraud and blackmail offenses. Nathan Wyatt, a 36-year-old from Wellingborough, England, was allegedly linked to TheDarkOverlord hacking group. But his offenses were not related to TheDarkOverlord gang’s cyberattacks or extortion attempts. Nathan, better known online as Crafty Cockney, pleaded guilty to 20 counts … Read more

Big and Small Organizations That Had Misconfigured Cloud Services

As reported by cloud threat defense firm RedLock, the number of misconfigured cloud services is growing. Some of the incidents that had been reported include the widespread misconfigured MongoDB installations. When hackers discovered the misconfigured databases in January 2017, they plundered the databases, deleted the data and demanded ransom. The total number of hijacked MongoDB … Read more

Businesses with Misconfigured Cloud Storage Services are Growing in Numbers

Much of the healthcare industry now uses secure cloud storage services to store files of electronic protected health information (ePHI) and to host web applications. But the cloud does not guarantee there won’t be any data breach. It also does not guarantee HIPAA compliance, even with a Business Associate Agreement. When cloud storage services are misconfigured, … Read more

Phishing Attack at Baptist Health Louisville Potentially Impacted 880 Patients

A security breach at Baptist Health in Louisville, Kentucky was discovered on October 3, 2017. About 880 patients have been notified that their sensitive information may potentially have been accessed and stolen by unauthorized persons. According to the report, irregular activity was detected in an employee’s email account. Prior to that, a third party sent … Read more

Medical Records From Women’s Health Consultants Dumped at a Public Recycling Center

Some physical files of medical records from Women’s Health Consultants in South Whitehall Township and Hanover Township, PA were dumped in a recycling center in Allentown, Pennsylvania. The files contained names, medical histories of cancer and HIV patients and Social Security numbers. Women’s Health Consultants is no longer open for business. So, there’s probably no … Read more

Can HIPAA-Covered Entities Use OneDrive?

It is a common practice today for covered entities to use cloud storage services. Is Microsoft OneDrive HIPAA compliant? Can it be used by covered entities? Many healthcare organizations are actually already using Microsoft Office 365 Business Essentials. They use the included Exchange Online for email and OneDrive Online for storing and sharing files. Microsoft … Read more

Nurse Terminated from Work for HIPAA Violation

Nurse Dianna Hereford’s employment contract was terminated after a patient of Norton Audubon Hospital complained of a nurse HIPAA violation. Hereford filed an action in the Jefferson Circuit Court against her employer for wrongful termination of her contract because she claimed that she always complied with HIPAA regulations. Here’s how the alleged improper disclosure of … Read more

Former Nurse Who Stole Patient Information and Committed Tax Fraud Convicted

Tangela Lawson-Brown, a former nurse in a Tallahassee nursing home from October 2011 to December 2012, was convicted of possession of unauthorized access devices, wire fraud, aggravated identity theft and theft of government funds by a court in Tallahassee. She stole the personal information of 26 patients while she was working in the nursing home. … Read more

SAManage USA Paid $264,000 as Data Breach Settlement

The SAManage USA data breach in 2016 caused the online exposure of the Social Security numbers of 660 Vermont residents. The Vermont Attorney General required a settlement amount of $264,000 from SAManage USA for its violation of the Vermont Security Breach Notice Act. SAManage USA provided business support services for Vermont Health Connect. The problem was … Read more

Unencrypted Laptop Stolen from Rocky Mountain Health Care Services Compromised Patients’ PHI

Another unencrypted laptop got stolen from an employee of Rocky Mountain Health Care Services of Colorado Springs. This is the second time that a similar incident happened in three months. The second theft, which was discovered on September 28, has been reported to law enforcement. The 909 patients whose protected health information has been compromised … Read more

What are Some Important Facts About the History of HIPAA?

Bill Clinton signed the Health Insurance Portability and Accountability Act, or HIPAA, on August 21, 1996. HIPAA ensured the continuity of health insurance coverage for everyone, especially employees who were between jobs. It also accomplished the following: set standards as to the amount of pre-tax medical savings that could be saved; prohibited tax-deduction … Read more

Is Texting in Violation of HIPAA?

Under certain circumstances, texting Protected Health Information (PHI) can be deemed as a violation of HIPAA. The classification as a violation is dependent upon the message’s content and the recipient. Furthermore, the effort that the sender put into maintaining the integrity of PHI is also considered. If the PHI is well-protected, then texting may be … Read more

UPMC Susquehanna Patients’ PHI Exposed Due to Phishing Attack

The protected health information of 1,200 UPMC Susquehanna patients has potentially been exposed to unauthorized persons. UPMC Susquehanna is a network of hospitals and medical facilities in Muncy, Williamsport and Wellsboro, Pennsylvania. According to the report, an employee responded to a phishing email, which paved the way for unauthorized access to the PHI. No specific … Read more

NYC to Introduce the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)

The state of New York will introduce the SHIELD Act, which stands for Stop Hacks and Improve Electronic Data Security Act. This law requires all businesses that hold sensitive data of New Yorkers to adopt administrative, technical and physical security measures. This applies to all businesses, even those that are not based in New York … Read more

Experian Health Breach Impacted Cook County Health and Hospitals System Patients

Patients of Cook County Health and Hospitals System received notification of a breach of their protected health information. Two hospitals and about a dozen community health centers in Cook County, Illinois are potentially affected. Experian Health, a business associate of Cook County Health and Hospitals System, was responsible for the breach. As an entity contracted to … Read more

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is an important piece of legislation, first introduced in 1996. But, why is HIPAA so important? How has HIPAA helped to improve the healthcare industry and the care given to patients? HIPAA was designed to address one issue in particular: Insurance coverage for individuals that are “between … Read more

Impact of Florida Blue Data Breach Revealed

Florida Blue, the business name of Blue Cross and Blue Shield of Florida, has recently announced that the personally identifiable information of nearly one thousand insurance applicants has been exposed online following a data breach of their network. The organisation was alerted to the exposure of patient data in late August. They immediately launched … Read more

Patient Files Stolen from Storage Facility in New Jersey

Following a break-in at a file storage facility in East Brunswick, New Jersey, the Otolaryngology Associates of Central Jersey is in the process of alerting patients to a breach of their protected health information. The files stolen included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the … Read more

Amazon and MongoDB Announce New Security Features

Amazon Web Services has announced that new safeguards have been incorporated into its cloud service that reduce the probability that users misconfigure their S3 buckets. If their S3 buckets are not configured in the correct manner, users risk accidentally leaving the data they store on the server unsecured. Amazon will sign a business associate … Read more

RBS Releases Report on Data Breach Statistics in 2017

A report covering data breaches in 2017 has recently been released by Risk Based Security (RBS). The report revealed there has been a 305% increase in the number of records exposed in data breaches compared to 2016. RBS, a provider of real-time information and risk analysis tools, analyzed breach reports from the first 9 months … Read more

Californian Wildfires Result in HIPAA Waiver

Earlier this month, the Secretary of the U.S. Department of Health and Human Services issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires. This waiver is like those issued following Hurricanes Irma … Read more

Illinois Healthcare System’s Business Associate Experiences PHI Breach

Cook County Health and Hospitals System has recently alerted patients to a breach of their protected health information (PHI). The organisation consists of a health system comprising two hospitals and more than a dozen community health centers in Cook County Illinois, and services many patients. The breach occurred at Experian Health, a business associate of … Read more

CCDA Servers Experience Malware Attack

In August, the Catholic Charities of the Diocese of Albany (CCDA) performed a routine upgrade of its computer security software. While the technicians were working on the upgrade, they discovered that malware had been installed on one of the computer servers used by its Glens Falls office. This office serves patients in Saratoga, Warren and Washington … Read more

How Many HIPAA Violations Since 2016?

The Department of Health and Human Services’ Office for Civil Rights (OCR) has increased its enforcement operations in recent years, and 2016 HIPAA settlements were at the highest levels ever recorded. Overall, payments of $22,855,300 were submitted to the OCR during 2016 to settle alleged HIPAA breaches. Seven settlements were over the figure of $1,500,000. … Read more

ECKAAA’s Servers Attacked by Ransomware

The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has recently announced that it experienced a ransomware attack. The attack caused files on one of the agency’s servers to be encrypted, and thus inaccessible to the agency. They announced that the files contained the protected health information (PHI) of 8,750 patients. The attack occurred … Read more

What are the HIPAA Rules for Dentists?

Many dental offices and dental practitioners are self-contained entities. However, HIPAA rules for dentists apply to any dental office that may send claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically. If a dental office transmits any of the above transactions directly to a payer, or uses the services of a business … Read more

Desktop Stolen from Healthcare Office Results in Breach of PHI

The Brevard Physician Associates has announced that they have experienced a breach of protected health information (PHI). They state that the breach occurred due to a desktop computer being stolen in a burglary at one of their sites. They have identified nearly 8,000 affected patients. The incident occurred on Labor Day, 2017. As the offices … Read more

Over 680 Patients Affected by TJ Samson Data Breach

An independent care provider, who provides care to patients of TJ Samson Community Hospital in South Central Kentucky, has recently been discovered to have inappropriately accessed the protected health information (PHI) of 683 patients. The data was all connected to patients of the TJ Samson Community Hospital in Glasgow, KY and the TJ Health Columbia … Read more

New WannaCry Virus Attacks FirstHealth, Carolinas

FirstHealth of the Carolinas, a Pinehurst, SC-based not-for-profit health network, has recently announced that it has experienced a data breach. They have identified the cause of this breach to be the new, rampant WannaCry ransomware variant. WannaCry ransomware was used in worldwide attacks earlier this year. More than 230,000 computers were infected … Read more

Engine Manufacturing Company Experiences Malware Attack

Briggs & Stratton Corporation, a manufacturer of lawnmower engines, has recently reported that they have experienced a breach of PHI resulting from a malware attack. It is not obvious that the company is a HIPAA covered entity; the firm does not work in the healthcare industry and does not act as a business associate to provide … Read more

Is Dropbox HIPAA Compliant?

Dropbox is a popular file hosting service used by many organizations to share files. Dropbox claims that it has implemented measures that now make its software both HIPAA and HITECH Act compliant. However, technically no software or file sharing platform can be HIPAA compliant as its compliance depends on how the software or platform is … Read more

Email Phishing Scam Results in Healthcare Organisation Breach

Phishing, the act of obtaining sensitive information such as usernames, bank details or other private information, often for malicious reasons, by posing as a trustworthy entity via electronic communication, has become the biggest data security threat faced by healthcare organizations. Phishing attacks commonly take the form of fake invoices and package delivery notifications, to hide their true … Read more

Protenus Breach Barometer Report Released

Protenus, an organisation dedicated to patient privacy monitoring of electronic health records, has released its Breach Barometer report. The report shows there was a significant increase in healthcare data breaches in September in comparison to previous months. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and … Read more

Former Texas Children’s Health Plan Employee Breaches HIPAA

Texas Children’s Health Plan has announced a breach of nearly 1,000 patients’ protected health information (PHI). The organisation said that the breach was discovered when they identified the information as having been emailed to the personal email account of a former employee. The incident was discovered on September 21, 2017, although the former employee emailed … Read more

HIV Status of Amida Care Members Revealed Through Mailing Error

Amida Care, a not-for-profit community healthcare service based in New York, has reported a HIPAA breach to the Office for Civil Rights (OCR). Their initial report reveals that the breach has affected nearly 6,250 of its patients. The organisation specializes in providing health coverage and coordinated care to Medicaid members suffering from chronic health conditions. This includes … Read more

Server Breach Affects Over 8,000 Patients at ASPC

The Advanced Spine & Pain Center (ASPC) has announced that it has experienced a potential breach and unauthorized use of its patients’ protected health information. The organisation, based in San Antonio, Texas, has notified as many as 8,362 of its patients that they have been affected by the incident. ASPC became aware of a potential breach … Read more

What are the HIPAA breach notification requirements?

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was introduced. In the two decades since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry. Despite its importance, there still exist many healthcare providers and insurers who are unaware of HIPAA obligations. It has … Read more

Stolen USBs Result in Breach of PHI

The Mann-Grandstaff VA Medical Center in Spokane, WA has announced that it has experienced a breach of PHI. The breach was a result of the theft of two USB drives, which contained the protected health information of almost 2,000 veterans. The devices were stolen on July 18, 2017 from a contract employee while on a … Read more

PHI Records Found Stored in Basement

Dr Riaz Baber, M.D., a Naperville, Illinois-based psychiatrist, has recently admitted to a breach of patient protected health information (PHI). The breach was discovered when medical files of more than 10,000 patients were found in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored … Read more

Healthcare Data Breach Report for Q3, 2017

In the third quarter of 2017 (Q3 2017), HIPAA covered entities reported 99 breaches of healthcare data, each involving more than 500 records, to the Department of Health and Human Services’ Office for Civil Rights (OCR). These figures bring the total number of data breaches reported in 2017 up to 272 incidents. The 99 … Read more

What is the best HIPAA mobile device policy?

There has been a huge rise in the number of healthcare workers and other HIPAA-covered entities relying on mobile technology in their day-to-day lives. This rise has seen an increasing use of smartphones, tablets and other portable devices in hospitals, clinics and other places of work. These technological advances have allowed for increased efficiency and … Read more

HHS Withdraws Proposed Rule Following Public Concerns

In January 2014, the Department of Health and Human Services proposed a new rule for certification of compliance for health plans to be introduced into HIPAA legislation. The rule was entitled “Certification of Compliance for Health Plans”. This rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS … Read more

What is HIPAA compliant text messaging?

Since HIPAA’s implementation two decades ago, there has been much ambiguity about whether the use of SMS is HIPAA compliant. Although HIPAA does not explicitly prohibit communicating Protected Health Information (PHI) by text, a system of administrative, physical and technical safeguards must be implemented to ensure the confidentiality and integrity of PHI when it is “in … Read more

Mid-Michigan Physicians Announce Data Breach

The radiology center of Mid-Michigan Physicians, managed by McLaren Medical Group, has announced today that they have experienced a breach of protected health information (PHI). They have stated that the PHI of over 100,000 patients has potentially been compromised in the breach. McLaren Medical Group announced earlier this month that the breach affected a system that stored … Read more

Is Google Drive HIPAA compliant?

Google Drive is becoming an increasingly attractive option for many companies to store information online. It is cheaper than installing costly hardware systems and IT infrastructure, and it is easy to use and to train staff on. However, despite the advantages, the question remains over whether healthcare professionals can use this technology and remain HIPAA … Read more

Lost Laptop Leaves Patients Vulnerable to Data Breach

A decommissioned laptop computer previously used by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has been discovered to be missing. The laptop is thought to have stored protected health information (PHI) of patients of the clinic, and its loss raises the possibility of the exposure of this sensitive patient information. The laptop was … Read more

TheDarkOverlord Makes Another Extortion Attempt

TheDarkOverlord is a hacking group that has been involved in many high-profile cases in recent months, from allegedly accessing the British Royal family’s healthcare information to accessing private user data from medical centres, schools, and even Netflix, the online streaming giant. The primary motivation for their attacks is extortion of those whose data they have stolen. … Read more

Former Employee Accessed PHI of Over 1,100 Patients “Out of Curiosity”

Our Lady of the Angels Hospital has announced the discovery of a breach of patient protected health information (PHI). The breach occurred when a former employee accessed the medical records of 1,140 patients without proper authorization to do so. In accordance with the HIPAA Breach Notification Rules, the affected patients have been informed of the … Read more

Understanding HIPAA for Dummies

HIPAA Simplified History: Legislators originally proposed HIPAA in 1996 as a means of addressing the concerns regarding the privacy and security of patient healthcare information and the risks brought by novel technologies. Since then, the Act has been expanded. Broadly, HIPAA governs health insurance fraud and tax provisions for medical savings accounts, … Read more

PHI Used for Market Research without Consent

Recently, the MS Center of Saint Louis and Mercy Clinic Neurology Town and County have announced that they have breached HIPAA regulations. Over one thousand patients of the two practices are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third parties, even though they may not have given their permission … Read more

Is Skype HIPAA compliant?

Skype has been increasingly used by businesses as a quick and cost-effective form of communication. However, the question remains whether Skype can be used by healthcare professionals in a manner which allows them to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules. There exists some ambiguity surrounding Skype and … Read more

HHS Announces Third Hurricane-Related HIPAA Waiver This Year

In response to the devastating Hurricanes Harvey and Irma that hit the United States earlier this year, the U.S. Department of Health and Human Services issued two partial waivers of HIPAA sanctions and penalties in areas affected. Now, following Hurricane Maria’s wreckage of Puerto Rico and the U.S. Virgin Islands, the government department has issued … Read more

Former Hospital Employee Breaches HIPAA by Emailing PHI

Yolanda Farrar, a former employee of the Arkansas Department of Human Services (DHS), has been fired from her position at the state hospital for breaching HIPAA legislation in March 2017. She was discovered to have emailed spreadsheets containing the protected health information of patients to a personal email account. Yolanda Farrar worked as a payment integrity coding analyst … Read more

What happens after an accidental HIPAA violation?

It is in the interest of HIPAA covered entities, business associates, and healthcare employees to take great care to ensure HIPAA Rules are not violated, if they wish to avoid huge fines and possible criminal prosecution. But in the event of an accidental HIPAA violation, what is the best manner for covered entities and their … Read more

What are the HIPAA Compliance Rules for Cloud Applications?

The “cloud”, a network of servers used for data storage, has seen widespread use in recent years. It offers a convenient and flexible way for organisations, including healthcare providers and other covered entities, to store files, in comparison to traditional data storage methods. However, before healthcare organisations can make use of these benefits, the question of whether it is possible … Read more

Hospital Staff Who Shared Photos of a Patient’s Injuries Guilty of Privacy Violations

The University of Pittsburgh Medical Center’s Bedford Memorial hospital has announced that an incident occurred at the facility which was in violation of HIPAA legislation. The incident, in which photographs and videos of a patient’s genitals were taken by hospital staff, occurred in late December 2016. This media was shared with other individuals, including those … Read more

AHA Responds to Increased Regulations on Hospitals

The American Hospital Association (AHA) recently sent an open letter to the House Ways and Means Health Subcommittee, in which they suggested several steps that Congress can take to immediately reduce the regulatory burden on hospitals and health systems. In the letter, the AHA states the regulatory burden on hospitals and health systems is “substantial … Read more

Partial Waiver of HIPAA Privacy Rule Penalties Issued Following Hurricane Harvey

The Department of Health and Human Services has issued a waiver of sanctions and penalties for violations of HIPAA’s Privacy Rule in the Hurricane Harvey disaster zone. It is often difficult for hospitals to comply with all HIPAA Privacy Rule requirements following a natural disaster. Furthermore, following such limitations can potentially have a negative impact on … Read more

What is the HIPAA Breach Notification Rule?

In 1996, the Health Insurance Portability and Accountability Act was introduced into US law. In the time since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry, with widespread influence. Despite its importance, many healthcare providers and insurers are still unaware of HIPAA rules, and as a … Read more

Delaware Updates Breach Notification Law

Delaware has amended its data breach notification law by introducing some of the strictest requirements of any state. It is the first time in a decade that any change has been made to the law. According to the update, any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or … Read more

What are the most common HIPAA violations?

The Department of Health and Human Services has recently released data revealing the frequency of the most common types of HIPAA violations. The report concerned itself with HIPAA violations that have resulted in financial penalties against the covered entity. The five most common HIPAA violations of this type are: failure to perform … Read more

Salina Family Healthcare Reports Ransomware Attack

Salina Family Healthcare, based in Kansas, has announced that they were subjected to a ransomware attack earlier this year. They stated that the ransomware was installed on servers and workstations at their offices, resulting in the encryption of their patients’ protected health information (PHI). The healthcare organisation expressed uncertainty as to whether the PHI had … Read more

Jessie’s Law Passed by U.S. Senate

Senators Joe Manchin and Shelley Moore Capito, both of West Virginia, have announced that Jessie’s Law has been passed by the Senate. The legislation was designed to ensure doctors are provided with details of a patient’s previous substance abuse history if the patient has provided consent for the information to be shared. The bill will … Read more

How do you report a HIPAA violation?

It is the responsibility of HIPAA covered entities to ensure that their employees know the correct procedures for reporting a HIPAA violation. It is then the responsibility of the privacy officers of the organisation to make a judgement whether the incident should be directed to the Department of Health and Human Services’ Office for Civil … Read more

OCR Data Breach Portal Updated

In June 2017, the Department of Health and Human Services (HHS) confirmed it was contemplating updating its data breach portal. This section is commonly referred to as the OCR ‘Wall of Shame’, as all data breaches which have involved 500+ records are listed on the breach portal. This list is maintained due to section 13402(e)(4) … Read more

Nearly 300,000 Patients Affected by Ransomware Attack

Women’s Health Care Group of Pennsylvania has announced that they have been subject to a data breach. The organisation states that the breach was noticed in May, and they have notified nearly 300,000 patients that some of their sensitive protected health information has been compromised. The group is one of the largest healthcare networks in … Read more

OCR’s “Wall of Shame” Under Scrutiny

The Office for Civil Rights’ “Wall of Shame” was established in December 2009. This data portal contained summaries of healthcare data breaches published on the website by OCR. The list only provides a short synopsis of data breaches that involved more than 500 documents. The information includes the name of the covered entity, the state … Read more

Mississippi DOM Breaches HIPAA due to Email Error

Earlier this month, the Mississippi Division of Medicaid (DOM) announced that over 5,000 Medicaid recipients have had some of their protected health information (PHI) exposed. They stated that the breach occurred via email because of an error with an online form service. DOM discovered that the online form service was sending emails containing PHI to … Read more

Data on Most Common Types of PHI Breach Released

The Department of Health and Human Services has recently released data revealing the frequency of the most common types of HIPAA violations. The report concerned itself with HIPAA violations that have resulted in financial penalties against the covered entity. The five most common HIPAA violations of this type are: failure to perform … Read more

Healthcare Employee Subject to Investigation by DA’s Office

In addition to having their employment contract terminated, healthcare employees who have been identified as improperly accessing the medical records of patients are also likely to face a criminal investigation into their conduct because of breaching HIPAA rules. This is regardless of the reason why they accessed the medical data in the first place. A … Read more

HITRUST Common Security Framework Updates

The Health Information Trust Alliance (HITRUST) is the most widely adopted privacy and security framework in the United States. Earlier this month, it announced that it has updated the HITRUST common security framework (CSF). Furthermore, they also launched a new CSF initiative specifically designed to aid small healthcare organizations protect their PHI against cyberattacks and … Read more

New Secretary of HHS and HIPAA Changes

On February 10, 2017, Tom Price was appointed as secretary of the Department of Health and Human Services. He has replaced Sylvia Matthews Burwell, who held the post for three years. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities … Read more

HIPAA Privacy Rule Updated to Clear Ambiguity

After calls from healthcare professionals to clear the ambiguity surrounding allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones, the Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance surrounding these issues. Most healthcare professionals are aware that the HIPAA Privacy Rule permits … Read more