The Proposed Rule on Association Health Plans and HIPAA Compliance

The Department of Health & Human Services (HHS) released a proposed rule that helps small businesses and self-employed workers to get less expensive health coverage. The proposed rule broadens the criteria of the Employee Retirement Income Security Act (ERISA) by partly changing the definition of “employer” to include small businesses and self-employed workers who have … Read more

Is it Allowed to Use Text Messaging Platforms in Healthcare?

The Centers for Medicare and Medicaid Services (CMS) sent emails to healthcare providers in November 2017 to explain the prohibited use of text messages in healthcare because of security and patient privacy concerns. SMS messages are not secure and could expose patients’ sensitive data and affect the integrity of medical records. Although there are SMS … Read more

Is Google Voice HIPAA Compliant?

Can healthcare organizations and their employees use Google Voice? Is it HIPAA compliant? Google Voice is a telephony service that provides voicemail and voicemail transcription to text. It can be used for sending text messages for free as well. With its useful features, many healthcare professionals would like to use it not just for work … Read more

Is Facebook Messenger HIPAA Compliant?

People, including doctors and nurses, use chat platforms for communication. The question is whether these platforms are acceptable for sending PHI. A popular chat platform is Facebook Messenger. Is Facebook Messenger HIPAA compliant? Services used for sending PHI must have security controls to make sure that information is not intercepted in transit. This requires encryption, … Read more

Is Azure HIPAA Compliant?

Healthcare organizations are not prohibited by HIPAA from using cloud services. Cloud services allow organizations to lower their IT costs. But there are rules to follow before any cloud service can be used to ensure the security and confidentiality of protected health information. One of the cloud service providers out there is Microsoft Azure. So … Read more

Connecticut Patients Can Now File a Lawsuit Against Healthcare Providers for Privacy Violations

The Health Insurance Portability and Accountability Act has no private cause of action. Because of this, patients cannot sue healthcare providers for privacy violations. But a number of states, such as New York, Massachusetts and Missouri, have rulings that allow patients to file lawsuits against healthcare organizations for unauthorized disclosures of medical records. The Connecticut … Read more

Q4 2017 Report on Healthcare Security Breaches

The healthcare security breaches in Q4 of 2017 decreased by 13%. In Q3, there were 99 data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In Q4, 86 security breaches were reported, which is 13 incidents fewer than the previous quarter. The number of healthcare security breaches reported per … Read more

December 2017 Report on Healthcare Data Breaches

The healthcare data breaches in December 2017 significantly increased by 81% from the previous month. Thirty-eight healthcare data breaches that impacted over 500 persons were reported. The number of exposed patient records in December also increased by 219% from the previous month. There were 341,621 records of patients that were exposed or stolen. The pattern … Read more

What do RNs Say About Their Healthcare Organizations’ Ability to Stop Breaches?

The University of Phoenix College of Health Professions recently conducted a survey that involved 504 full-time registered nurses (RNs) and administrative staff across the United States. The results show that RNs who had held their position for at least two years are confident that their healthcare organization can prevent data breaches. 48% of RNs and … Read more

Kathryn Marchesini Is the New Chief Privacy Officer at ONC

Kathryn Marchesini is the newly appointed chief privacy officer at the Office of the National Coordinator for Health IT (ONC). She replaced Acting Chief Privacy Officer Deven McGraw. The need for the ONC to appoint a Chief Privacy Officer is stated in the HITECH Act. The work of the CPO includes advising the National Coordinator on … Read more

Florida Agency for Health Care Administration Security Breach Affects 30,000 Medicaid Recipients

The Agency for Health Care Administration in Florida discovered that an employee’s email account was accessed by an unauthorized person. The employee got a malicious phishing email on November 15, 2017. Unfortunately, he/she responded to the email and disclosed his/her login details so the hacker was able to remotely access the email account. The protected … Read more

SSM Health’s Former Employee Got Illegal Access to Sensitive Information of 29,000 Patients

The non-profit health system SSM Health based in St. Louis, MO discovered the unauthorized access of patient health records by a former employee. The former employee was part of SSM Health’s customer service call center. His access to information was limited to demographic, health and clinical information only. He did not have access to patients’ … Read more

OCR’s Cybersecurity Tips for Travelling Healthcare Professionals

In the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) newsletter issued last December, travelling healthcare professionals were given recommendations to avoid malware infections and potential exposure of patients’ protected health information. When healthcare professionals travel during the holidays, they could be taking work-issued devices, such as laptops, tablets and mobile … Read more

Questions and Answers About PHI

What is PHI? PHI is a commonly used term in healthcare, but some people do not fully understand what it means. Let’s talk about PHI and a few related terms. What are PHI, PII, and IIHI? PHI, PII and IIHI are acronyms for Protected Health Information, Personally Identifiable Information and Individually Identifiable Health Information, respectively. … Read more

What are HIPAA Compliant Email Providers?

HIPAA-covered entities are responsible for making sure that the transmission of protected health information by email is secure. The entity may choose any HIPAA compliant email provider as long as appropriate controls guarantee PHI confidentiality, integrity and availability. A HIPAA compliant email provider must offer end-to-end encryption of messages. It doesn’t matter if the software … Read more

24,000 Emory Healthcare Patients Impacted by Data Breach

A former physician at Emory Healthcare (EHC) took the protected health information of thousands of EHC patients without the hospital’s authorization or knowledge. He uploaded the information to a Microsoft Office 365 OneDrive account, where other individuals could potentially access it. The former EHC physician now works at the University of Arizona (UA) College of … Read more

Cyberattack on Jones Memorial Hospital Did Not Stop Patient Care Services

The University of Rochester Medicine’s Jones Memorial Hospital in Wellsville, New York experienced an unexpected downtime because of a cyberattack on December 27, 2017. The cyberattack disrupted some of the hospital’s information services. While the nature of the cyberattack was not disclosed, the public should know that only Jones Memorial Hospital was attacked and other … Read more

Tips for Effective Identity and Access Management to Prevent Insider Data Breaches

The HIPAA Security Rule requires the effective management of information access. Employees who are granted access to protected health information must have proper authorization. But what happens when employees leave their work? The organization needs to make sure that PHI access privileges are terminated immediately. If procedures to terminate access to PHI are not implemented, … Read more

Ethical Hackers to Help NHS Find Security Vulnerabilities to Prevent Future Cyberattack

A serious WannaCry ransomware attack occurred in May 2017. The hackers exploited vulnerabilities in the UK’s National Health Service (NHS) systems. They installed their malicious payload into the systems and disrupted services at more than 50 NHS Trusts. The attack resulted in the cancellation of appointments and postponement of operations. It took some time to … Read more

Healthcare Organizations Need to Address the Increasing Threat of Ransomware and Fileless Malware Attacks

Ponemon Institute conducted a study on current endpoint security trends. Two of the threats that need to be dealt with are ransomware and fileless malware attacks. The healthcare industry spends over $1 billion on endpoint attacks every year. The big money spent on mitigating attacks highlights the importance of endpoint security. Sad to say, healthcare … Read more

Nebraska Ransomware Attack Impacted About 10,000 Patients

Columbus Surgery Center, LLC and Eye Physicians, P.C. in Columbus, Nebraska were attacked by ransomware, resulting in the potential exposure of the protected health information of about 10,000 patients. The ransomware attack occurred on October 7, 2017 and encrypted a range of files on some servers. The attackers demanded a ransom, but no ransom was paid. The healthcare … Read more

PHI of 6,600 Patients Has Been Exposed

NYU Langone Health System Data Breach

A binder that contained a log of presurgical insurance authorizations from NYU Langone Health System was mistakenly recycled by a cleaning company in October 2017. The binder contained information on about 2,000 patients, including names, dates of birth, dates of service, diagnosis codes, procedural terminology codes, insurance ID numbers … Read more

Healthcare Data Breach Report for November 2017

Twenty-one reports of healthcare data breaches with over 500 affected individuals were submitted to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in November 2017. Of the 21 breach reports, seven impacted over 5,000 persons. The number of reported breaches decreased this month, but the number of impacted individuals … Read more

Email-Based Cyberattacks on Healthcare Organizations Increasing

HIMSS Analytics conducted a study for email security firm Mimecast. The survey results showed that 78% of healthcare organizations had been attacked by ransomware or malware in the past 12 months. Many of the survey respondents had more than 12 ransomware or malware attacks in the last 12 months. According to 37% of surveyed healthcare … Read more

Medicaid Billing Company Pays $100,000 for Data Breach Case with Massachusetts Attorney General

Multi-State Billing Services (MBS), based in New Hampshire, experienced a data breach that resulted in a financial settlement of $100,000 with the Massachusetts Attorney General’s office. MBS is the provider of Medicaid processing services for 13 public school districts in Massachusetts. Allegedly, a password-protected, unencrypted laptop computer was stolen from an MBS employee in 2014. … Read more

Phishing Attack Potentially Exposed 11,350 Sinai Health System Patients PHI

Chicago’s Sinai Health System was compromised when two of its employees’ email accounts were involved in a phishing attack. The phishing incident that took place on October 2 was immediately discovered and mitigated. Hence, the compromised accounts were potentially accessible for only a few hours. Cybersecurity experts investigated the matter and believed that the … Read more

AHA’s Suggestions for Congress to Lessen Regulatory Requirements on Hospitals

The American Hospital Association (AHA) wrote a letter to the House Ways and Means Health Subcommittee concerning how Congress can help lessen the regulatory burden on hospitals and health systems. The increased regulatory activity on hospitals and health systems is counterproductive and negatively affects patient care. For example, the Centers for Medicare & Medicaid … Read more

Lawsuit Filed Against 60 Hospitals for Violating the HITECH Act

An unsealed complaint against 60 hospitals was filed in a U.S. District Court in Indiana in 2016 for violating the HITECH Act. The 60 hospitals allegedly received the HITECH Act meaningful use incentive payments for transitioning to an electronic health records system without actually satisfying the requirements of the HITECH Act. Before hospitals can receive … Read more

UK Man Linked to The Dark Overlord Hacking Group To Serve 3-Year Jail Term

A man was sentenced to serve a three-year jail term for fraud and blackmail offenses. Nathan Wyatt, a 36-year-old from Wellingborough, England, was allegedly linked to TheDarkOverlord hacking group. But his offenses were not related to TheDarkOverlord gang’s cyberattacks or extortion attempts. Nathan, better known online as Crafty Cockney, pleaded guilty to 20 counts … Read more

Big and Small Organizations That Had Misconfigured Cloud Services

As reported by cloud threat defense firm RedLock, the number of misconfigured cloud services is growing. Some of the incidents that had been reported include the widespread misconfigured MongoDB installations. When hackers discovered the misconfigured databases in January 2017, they plundered the databases, deleted the data and demanded ransom. The total number of hijacked MongoDB … Read more

Businesses with Misconfigured Cloud Storage Services are Growing in Numbers

Much of the healthcare industry now uses secure cloud storage services to store files of electronic protected health information (ePHI) and to host web applications. But the cloud does not guarantee there won’t be any data breaches. It also does not guarantee HIPAA compliance, even with a Business Associate Agreement. When cloud storage services are misconfigured, … Read more

Phishing Attack at Baptist Health Louisville Potentially Impacted 880 Patients

A security breach at Baptist Health in Louisville, Kentucky was discovered on October 3, 2017. About 880 patients have been notified that their sensitive information may have been accessed and stolen by unauthorized persons. According to the report, irregular activity was detected in an employee’s email account. Prior to that, a third party sent … Read more

Medical Records From Women’s Health Consultants Dumped at a Public Recycling Center

Some physical files of medical records from Women’s Health Consultants in South Whitehall Township and Hanover Township, PA were dumped in a recycling center in Allentown, Pennsylvania. The files contained names, medical histories of cancer and HIV patients and Social Security numbers. Women’s Health Consultants is no longer open for business. So, there’s probably no … Read more

Can HIPAA-Covered Entities Use OneDrive?

It is a common practice today for covered entities to use cloud storage services. Is Microsoft OneDrive HIPAA compliant? Can it be used by covered entities? Many healthcare organizations are actually already using Microsoft Office 365 Business Essentials. They use the included Exchange Online for email and OneDrive for storing and sharing files. Microsoft … Read more

Nurse Terminated from Work for HIPAA Violation

Nurse Dianna Hereford’s employment contract was terminated after a patient of Norton Audubon Hospital complained of a nurse HIPAA violation. Hereford filed an action in the Jefferson Circuit Court against her employer for wrongful termination of her contract because she claimed that she always complied with HIPAA regulations. Here’s how the alleged improper disclosure of … Read more

Former Nurse Who Stole Patient Information and Committed Tax Fraud Convicted

Tangela Lawson-Brown, a former nurse in a Tallahassee nursing home from October 2011 to December 2012, was convicted of possession of unauthorized access devices, wire fraud, aggravated identity theft and theft of government funds by a court in Tallahassee. She stole the personal information of 26 patients while she was working in the nursing home. … Read more

SAManage USA Paid $264,000 as Data Breach Settlement

The SAManage USA data breach in 2016 caused the online exposure of the Social Security numbers of 660 Vermont residents. The Vermont Attorney General required a settlement amount of $264,000 from SAManage USA for its violation of the Vermont Security Breach Notice Act. SAManage USA provided business support services for Vermont Health Connect. The problem was … Read more

Unencrypted Laptop Stolen from Rocky Mountain Health Care Services Compromised Patients’ PHI

Another unencrypted laptop got stolen from an employee of Rocky Mountain Health Care Services of Colorado Springs. This is the second time that a similar incident happened in three months. The second theft, which was discovered on September 28, has been reported to law enforcement. The 909 patients whose protected health information has been compromised … Read more

What are Some Important Facts About the History of HIPAA?

Bill Clinton signed the Health Insurance Portability and Accountability Act, or HIPAA, on August 21, 1996. HIPAA ensured the continuity of health insurance coverage for everyone, especially employees who were between jobs. It also accomplished the following: set standards as to the amount of pre-tax medical savings that could be saved; prohibited tax-deduction … Read more

UPMC Susquehanna Patients’ PHI Exposed Due to Phishing Attack

The protected health information of 1,200 UPMC Susquehanna patients has potentially been exposed to unauthorized persons. UPMC Susquehanna is a network of hospitals and medical facilities in Muncy, Williamsport and Wellsboro, Pennsylvania. According to the report, an employee responded to a phishing email, which paved the way to unauthorized access to the PHI. No specific … Read more

NYC to Introduce the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)

The state of New York will introduce the SHIELD Act, which stands for Stop Hacks and Improve Electronic Data Security Act. This law requires all businesses that hold sensitive data of New Yorkers to adopt administrative, technical and physical security measures. This applies to all businesses, even those that are not based in New York … Read more

Experian Health Breach Impacted Cook County Health and Hospitals System Patients

Patients of Cook County Health and Hospitals System received notification of a breach of their protected health information. Two hospitals and about a dozen community health centers in Cook County, Illinois are potentially affected. Experian Health, Cook County Health and Hospitals System’s business associate, was responsible for the breach. As an entity contracted to … Read more