$3 Million Fine Issued for PHI Breach of Over 300, 500 Patients

HIPAA compliance doesn’t care if you’re a small business or a non-profit.  This isn’t said in a disrespectful manner to the laws that govern the policies, but to make you aware that your business status, or identifying structure won’t allow you to be overlooked.

Hefty Fine Imposed

Recently the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services imposed a $2,154,000 penalty against Jackson Health System (JHS) for HIPAA violations.

TWO-MILLION DOLLARS.

This nonprofit academic medical system operates 6 major hospitals, a network of urgent, primary, and specialty care centers, long-term nursing facilities, and corrections health services clinics.  Those facilities provide care for 650,000 patients on an annual basis and employ over 12,000 people.

 

 

The Breaches

JHS submitted the breach report in August of 2013.  In it, they stated that in January of that same year, they had lost paper records which contained the private health information (PHI) of over 700 patients.  An additional loss of patient records from December 2012 was not reported until June of 2016.  Additionally, an investigation was launched in July of 2015 when two employees accessed a patient’s electronic medical record inappropriately, and that patient’s photo was shared by a reporter.  The image contained the patient’s medical information on an operating screen and was shared on social media.

A Compliance Program in Disarray

Add to all of this, that in February of 2016 JHS reported that one employee had been selling PHI.  JHS reported that this employee had accessed over 24,000 patient records since 2011.

12,000 employees mean a lot of monitoring for any company, so a strong HIPAA compliance program isn’t just a necessity, it’s a critical part of this business keeping its doors open.  The OCR investigation found that their HIPAA compliance program had been “in disarray for a number of years” and that the “hospital’s system compliance failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”

A strong HIPAA compliance program needs to be a part of your business from start to finish.  Are you prepared to be accountable for the actions of your employees?

The post OCR Issues $2.15 Million Fine to Jackson Health System appeared first on HIPAA Secure Now!.

When it’s YOU in the Review

Making dinner plans?  Check online for reviews before you spend your money dining out.  Ready to book a vacation?  You’re definitely making sure the pool is as big as they say it is.

How about when it comes to personal care?  Do you check online to see if a medical facility is up to par?

A lot of people do.  Between neighborhood chat groups and online review sites, the information is there for the taking.   So, what happens when it is your business that is affected by a negative review?  You would likely want to respond and perhaps give your side of the story or work to remedy the situation with the consumer.  This seems like a good way to deal with any negative press or feedback.

Unless you’re under HIPAA jurisdiction and requirements.

Recently a dental practice in Dallas, Texas found out the hard way that responding to an online review put them in violation of HIPAA and cost them $10,000 in fines – plus a multitude of other actionable items.

The fine came after a patient found their full name and medical information (among other details) had been disclosed on the Elite Dental Associates Yelp review page. This led to an investigation by the Office for Civil Rights (OCR) which then led to uncovering additional violations in their policies and procedures of HIPAA compliance in accordance with its social media practices.

Social Distortion

Social media is a valuable asset to any business, but just because it is “free” and not monitored by any one entity, for the most part, doesn’t mean it can be overlooked as being a responsibility of the business.  HIPAA was enacted before platforms like Facebook were around, but there are rules in place that apply despite that timing.

Above all, and as is true with nearly all HIPAA regulations, never disclose patient health information (PHI) on social media channels or networks. If a patient is visible in any image or video, they must provide – in writing, their consent to use that media.  The purpose for which that media is to be used must also be explicitly defined in the consent.

Social media can be used for posting health tips, event details, research news, marketing messages that exclude any PHI, and to present staff bios.

As with all HIPAA compliance, you must remember that no one is excluded from regulation or judgment.  This was a small privately-owned practice.  Not only were they affected monetarily with a fine, but they must also now bring their policies and procedures up to par.

HIPAA standards are not created based on visibility or on the size of a healthcare organization, therefore you must rise to meet the standard, not expect to be overlooked when you don’t. Ensure your organization has a social media policy in place that clearly lays out what is acceptable on social and that employees are trained on the policy.

The post Dental Practice’s Response to Yelp Review Leads to $10,000 Fine appeared first on HIPAA Secure Now!.

HIPAA Enforcement is Happening

Enforcement is in action.  That’s what Bayfront Health-St. Petersburg recently learned when they agreed to pay $85,000 in penalties to the Department of Health & Human Services (HHS) Office of Civil Rights for a potential violation of the HIPAA right to access provision.

This is the first enforcement by the OCR since the announcement of their initiative earlier this year.  Officials vowed that the right of the patients to receive access to their records was going to be strictly enforced and that this had to be achieved in a timely fashion without being overcharged.

MedRxiv announced earlier this year (in August) that more than 50% of providers failed to comply with this provision of HIPAA based on a study that they had conducted.

The penalty against Bayfront was a result of a complaint filed by a patient when she had to wait 9 months to receive fetal heart monitor records for her unborn child.  The request had been filed in October of 2017.

The Rules

So, what are the HIPAA guidelines for this?  A patient must be given the requested records within 30 days and only charged a reasonable fee if necessary.  The regulations are also applicable when parents are requesting on behalf of their minor children.

Since Bayfront did not comply with this request in a timely fashion, they are now paying for it with a monetary fine, as well as with other expenses to the business, like damage to their reputation.  A corrective action plan must be created, which includes development, maintenance, and revision of policies and procedures to comply with the HIPAA rule, and they will need to assign (and possibly hire) one or more individuals who will oversee this.  Employees need to be trained and then acknowledge their compliance.  These policies must also be updated annually.

And all of this needs to happen within 60 days to HHS, with subsequent distribution to their workforce and business associates within 30 days of approval by HHS.

The post $85,000 Settlement in OCR’s First HIPAA Right to Access Case appeared first on HIPAA Secure Now!.

Remain Calm, Remain Honest – and Remain in Business

Avoiding the inevitable does not make it go away.

Healthcare patients choose a provider based on the quality of care.  In addition to that, the public will generally assume that their private information is safeguarded and not something that they need to verify or investigate before choosing that specific provider.  By alerting them to something they assumed to be a non-issue, it is understandable to be concerned about the loss of business.  However, credit reporting agency Experian has recently found that this churn can be kept to a minimum with the proper response plan.

In July 2019, Experian surveyed 1,000 adults in the United States and found that 90% of those surveyed would be somewhat forgiving if they were informed promptly as a result of an organized communication plan being in place by their provider.  Previous studies by Experian identify numbers that are more of a red flag to all parties.

It is in these studies that they found that only 34% of all breached response plans include some form of customer notification and that those plans are in place for only 52% of companies.  So, the few that are ideally prepared have a greater chance of survival, and those who aren’t prepared have a full stack of odds against them.

How Can the Risks Be Lowered?

Have a breach response plan in place.  This should be created by someone who knows their way around a breach and is ideally certified to assist with creating such a plan.  Additionally, have cyber insurance as part of your in-place plan.  This will allow you to call upon experts in the event that a (very likely) breach does occur.  And as we identified above, ensure that your breach plan includes client communication.

Even if you don’t have all of the answers immediately, letting them know that you are aware of the breach and will keep them updated will go a long way.  This increases the trust between you and your patients and makes it more likely that they will stay with your business following an incident.

66% of those surveyed would leave a practice due to slow or poor communication – don’t let this happen to your organization. It is better to be truthful up front than have to explain why you were dishonest in the past. People can accept mistakes, but they are less likely to accept being deceived.

The post Does Your Breach Response Plan Include Notification? appeared first on HIPAA Secure Now!.

 

As many of you know, an Electronic Health Record (EHR) is a digital record of a patient’s paper charts, updated in real-time.  This is an incredible option to have in the world of medicine, where information can be exchanged between doctors as well as business associates. It also provides an incredible benefit to the patient, giving them the best and most appropriate care when needed.

Overall, it really is a great thing to have so much information at your fingertips.  Unless that information gets into the wrong hands.  Which is exactly what happened to Allscripts Healthcare, an EHR company used by a variety of businesses in the medical field, including

hospitals, pharmacies and emergency service (ambulance) centers around the world.

Today Allscripts is working with the Department of Justice to pay $145 million in a preliminary settlement in response to an attack that exposed patient records which were thought to be safe in the cloud.   They were in violation of HIPAA, the HITECH Act’s EHR incentive program, and the Anti-Kickback Statute related to Practice Fusion – which was the company acquired by Allscripts in 2018.  This settlement will resolve both companies of all criminal and civil liability related to the investigation surrounding them both.

Unfortunately, they aren’t alone.  With the human component being the big risk factor in any organization, healthcare employs many, many people with patient access.  Each record is a gold mine for hackers, and therefore even one mistake can prove costly to an organization like we’re seeing with Allscripts.

How do we remedy this?  The first and most important step is to cover your assets. Cyber Insurance is going to increase your likelihood of surviving a breach, but once you have the end protection setup, get your employees trained.  And then repeat the training.  Conduct Security Risk Assessments at least annually, not only to comply with HIPAA but to identify security gaps which could leave your organization’s data up for grabs. Then, perform a vulnerability scan and find out if your system is as secure as you hope and believe.

Protection and prevention go hand in hand and in the world of healthcare, you can never have enough.

The post Allscripts to Pay $145 Million for Practice Fusion EHR Investigation appeared first on HIPAA Secure Now!.

 

Approximately 25,000 patients are being notified by Adirondack Health that their protected health information (PHI) may have been obtained by a hacker.

Vermont-based Adirondack Health is part of the Adirondacks Accountable Care Organization (ACO). Adirondacks ACO analyses health data for the entire region and is made up of all the Adirondack region’s hospitals.

The Breach

On March 4, 2019, it was discovered that an unauthorized individual had accessed an employee’s email account for two days. After discovering the unauthorized access, Adirondacks ACO began checking every email and attachment in the affected employee’s account, looking for any PHI that may have been accessed.

Adirondacks ACO discovered that two employees had been discussing information regarding patients who had missed a baby wellness exam and other screenings, as part of their population health analysis. The employees were planning to send the information, contained in a “gap-in-care” spreadsheet, to providers so they could determine how to contact their patients.

That’s when an unauthorized individual from outside the U.S. remotely obtained access to the email account. At this time, no evidence suggests that the email was opened by the unauthorized party, however, the possibility could not be ruled out.

The Exposure

The unauthorized access was not due to a phishing attack, and a spokesperson for Adirondack Health stated he does not believe the employee could have avoided it. The spokesperson also stated that policies are being changed as a result of the incident.

Information contained in the exposed spreadsheet includes patients’ names, dates of birth, Medicare ID numbers, health insurance member numbers, as well as limited treatment and/or clinical information. Some patients also had their Social Security numbers listed.

Adirondacks ACO began notifying patients of the breach in early July. 25,000 letters of notification have been sent to affected patients, with only a few remaining.

For patients who had their Social Security numbers listed on the spreadsheet, free credit monitoring and identity protection will be provided by Adirondacks ACO.

The post 25,000 Patients’ Data Exposed in Email Hack appeared first on HIPAA Secure Now!.

Adirondacks Accountable Care Organization

 

 

Quest Diagnostics, one of the country’s biggest blood testing providers announced upon Monday that nearly 12 mil patients may have had their delicate information compromised in a data break.

 

The breach happened at one of Quest’s billing selections vendors, American Medical Collection Company (AMCA). Quest was notified upon May 14, that between September 1, 2018, and March thirty, 2019, an unauthorized individual got access to AMCA’s systems.

 

The information stored on AMCA’s techniques which may have been compromised includes economic information, medical information, and other personal data (such as Social Security Numbers). Lab test results were not available by AMCA, therefore were not affected in the breach.

 

Comprehensive information regarding the breach has not however been provided to Quest.

 

“ Quest is using this matter very seriously and it is committed to the privacy and safety of our patients’ personal information. Since understanding of the AMCA data security event, we have suspended sending collection demands to AMCA, ” the company mentioned.

 

The post Quest Diagnostics Data Break the rules of Could Impact Nearly 12 Mil Patients appeared 1st on HIPAA Protected Now! .

Data Breach

 

Metrocare Services, a mental health service provider in North Texas, has notified the Department of Health & Human Services (HHS) of a data breach affecting 5,290 patients.

The Breach Discovery

The breach was the result of a phishing attack and was discovered on February 6, 2019, when Metrocare found that an unauthorized third-party accessed some of their employees’ email accounts. According to Metrocare, immediately after learning of the breach, the affected email accounts were secured, and an investigation was launched.  The investigation found that the compromised email addresses were first accessed in January 2019.

Potentially Accessed Information

The investigation revealed that some patient data was in the affected email accounts, including individuals’ names, dates of birth, driver’s license information, health insurance information, health information related to services received at Metrocare, as well as some Social Security numbers.

Patient notification began on April 5, 2019. At this time, Metrocare does not have reason to believe that any of the affected patient information has been misused as a result of the incident. Those individuals who may have had their Social Security numbers exposed are eligible for one year of complimentary identify protection and credit monitoring.

In their notice, Metrocare writes:

We regret any inconvenience or concern this incident may cause our community. To help prevent something like this from happening in the future, we are taking steps to add additional security measures to our current information technology infrastructure, including strengthening the security of our e-mail system and have implemented multi-factor authentication on its system systems.

Not Their First Offense

What sounds like a sincere apology to the community regarding the incident may not be taken as such. This data breach was reported just 5 months after Metrocare reported a previous breach in November 2018. Even worse, this breach was almost identical to the previous, a phishing attack that compromised the PHI of 1,800 patients.

Following the November phishing attack, Metrocare stated they would be strengthening their security measures, including their email system and providing additional training to their employees.

Considering they encountered a very similar breach just months after their first one, it is clear that whatever security/training may have been implemented was not enough. Multi-factor authentication had not been enabled following the first attack, which could have very likely prevented the second from occurring.

The November phishing attack on Metrocare does not have a closing listed on HHS’ public breach website, meaning that first attack may still be under investigation.

 

 

The Department associated with Health and Human Services’ (HHS) Workplace for Civil Rights (OCR) provides announced a settlement with Touchstone Healthcare Imaging (“Touchstone”) for their potential infractions of HIPAA Security and Infringement Notification Rules. Touchstone has decided to pay $3, 000, 000 plus adopt a corrective action plan.

 

Touchstone is a diagnostic healthcare imaging services company based in Franklin, Tennessee, and provides services in Nebraska, Texas, Colorado, Florida, and Illinois.

 

The Infringement

 

In May 2014, Touchstone was informed by the F and OCR that one of its FILE TRANSFER PROTOCOL servers was giving uncontrolled, illegal access to protected health information (PHI). This particular uncontrolled access allowed files to become indexed by search engines, meaning a good unauthorized individual could access another’s PHI simply by performing an Internet lookup.

 

Initially, Touchstone stated that there was no PHI orient by the uncontrolled server. The story transformed during OCR’s investigation, when Touchstone ultimately admitted that the PHI associated with over 300, 000 patients is at fact, exposed. The information involved in the publicity includes names, birth dates, interpersonal security numbers, and addresses.

 

Even after the notice had been issued to Touchstone and the machine was taken offline, PHI continued to be visible on the Internet.

 

The Investigation

 

OCR found that Touchstone is at violation of multiple HIPAA guidelines. Following the breach notice issued by FBI and OCR, Touchstone failed to conduct a thorough investigation of the infringement for several months. Not only did the particular delayed investigation of the breach break HIPAA, but also resulted in delayed infringement notifications for the affected individuals as well as a postpone in notifying the media – both additional HIPAA violations.

 

Further investigation revealed that will Touchstone had also failed to carry out an accurate and thorough risk evaluation of its organization, a critical component inside identifying potential risks to the privacy, integrity, and availability of electronic PHI (ePHI) – and the violations do not stop there.

 

OCR identified two situations where Touchstone failed to have Business Associate Contracts in place with their vendors – which includes their IT support and a third-party data center, another HIPAA infringement.

 

The Arrangement

 

The arrangement of $3 million dollars is not the only action that needs to be taken by Touchstone. In addition to the monetary settlement, a robust further action plan must be adopted to address their particular HIPAA compliance deficiencies, including undertaking business associate agreements, completing a good enterprise-wide risk analysis, and implementing HIPAA policies and procedures.

 

Although the number of HIPAA infractions associated with this breach is intensive, all serve as an important reminder from the requirements under HIPAA that can not be ignored. Performing a risk evaluation, having Business Associate Agreements in position for the entire duration of a vendor agreement, implementing and enforcing policies plus procedures, ensuring technical safeguards have been in place, and training employees upon HIPAA and security awareness are simply a few key pieces of HIPAA conformity that should be addressed and evaluated regularly.

 

In addition , this situation highlights the necessity of taking quick action following a breach. Had Touchstone started their corrective action initiatives immediately following their notification from the F and OCR, several violations might have been avoided – the violations related to delayed breach notifications specifically.Illinois

Is Your COMPANY's Data on the Dark Web, Find out TODAY!!!

GET YOUR FREE DARK WEB SCAN TODAY!!!

Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282