Experian Health Breach Impacted Cook County Health and Hospitals System Patients

Patients of Cook County Health and Hospitals System received notification of a breach of their protected health information. Two hospitals and about a dozen community health centers in Cook County, Illinois are potentially affected. Experian Health, a business associate of Cook County Health and Hospitals System, was responsible for the breach. As an entity contracted to … Read more

Impact of Florida Blue Data Breach Revealed

Florida Blue, the business name of Blue Cross and Blue Shield of Florida, has recently announced that the personally identifiable information of nearly one thousand insurance applicants has been exposed online following a data breach of their network. The organisation was alerted to the exposure of patient data in late August. They immediately launched … Read more

Patient Files Stolen from Storage Facility in New Jersey

Following a break-in at a file storage facility in East Brunswick, New Jersey, the Otolaryngology Associates of Central Jersey is in the process of alerting patients to a breach of their protected health information. The files stolen included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the … Read more

Amazon and MongoDB Announce New Security Features

Amazon Web Services has announced that new safeguards have been incorporated into its cloud server that reduce the probability that users misconfigure their S3 buckets. If their S3 buckets are not configured in the correct manner, users risk accidentally leaving the data they store on the server unsecured. Amazon will sign a business associate … Read more

RBS Releases Report on Data Breach Statistics in 2017

A report covering data breaches in 2017 has recently been released by Risk Based Security (RBS). The report revealed there has been a 305% increase in the number of records exposed in data breaches compared to 2016. RBS, a provider of real-time information and risk analysis tools, analyzed breach reports from the first 9 months … Read more

Californian Wildfires Result in HIPAA Waiver

Earlier this month, the Secretary of the U.S. Department of Health and Human Services issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires. This waiver is like those issued following Hurricanes Irma … Read more

Illinois Healthcare System’s Business Associate Experiences PHI Breach

Cook County Health and Hospitals System has recently alerted patients to a breach of their protected health information (PHI). The organisation consists of a health system comprising two hospitals and more than a dozen community health centers in Cook County, Illinois, and serves many patients. The breach occurred at Experian Health, a business associate of … Read more

CCDA Servers Experience Malware Attack

In August, the Catholic Charities of the Diocese of Albany (CCDA) performed a routine upgrade of its computer security software. While the technicians were working on the upgrade, they discovered that malware had been installed on one of the computer servers used by its Glens Falls office. This office serves patients in Saratoga, Warren and Washington … Read more

How Many HIPAA Violations Since 2016?

The Department of Health and Human Services’ Office for Civil Rights (OCR) has increased its enforcement operations in recent years, and 2016 HIPAA settlements were at the highest levels ever recorded. Overall, payments of $22,855,300 were submitted to the OCR during 2016 to settle alleged HIPAA breaches. Seven settlements were over the figure of $1,500,000. … Read more

ECKAAA’s Servers Attacked by Ransomware

The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has recently announced that it experienced a ransomware attack. The attack caused files on one of the agency’s servers to be encrypted, and thus inaccessible to the agency. They announced that the files contained the protected health information (PHI) of 8,750 patients. The attack occurred … Read more

Desktop Stolen from Healthcare Office Results in Breach of PHI

The Brevard Physician Associates has announced that they have experienced a breach of protected health information (PHI). They state that the breach occurred due to a desktop computer being stolen in a burglary at one of their sites. They have identified nearly 8,000 affected patients. The incident occurred on Labor Day, 2017. As the offices … Read more

Over 680 Patients Affected by TJ Samson Data Breach

An independent care provider, who provides care to patients of TJ Samson Community Hospital in South Central Kentucky, has recently been discovered to have inappropriately accessed the protected health information (PHI) of 683 patients. The data was all connected to patients of the TJ Samson Community Hospital in Glasgow, KY and the TJ Health Columbia … Read more

New WannaCry Virus Attacks FirstHealth, Carolinas

FirstHealth of the Carolinas, a Pinehurst, SC-based not-for-profit health network, has recently announced that it has experienced a data breach. They have identified the cause of this breach to be the new, rampant WannaCry ransomware variant. WannaCry ransomware was used in worldwide attacks earlier this year. More than 230,000 computers were infected … Read more

Engine Manufacturing Company Experiences Malware Attack

Briggs & Stratton Corporation, a manufacturer of lawnmower engines, has recently reported that they have experienced a breach of PHI, resulting from a malware attack. It is not obvious that the company is a HIPAA covered entity; the firm does not work in the healthcare industry and does not act as a business associate to provide … Read more

Email Phishing Scam Results in Healthcare Organisation Breach

Phishing (the act of obtaining sensitive information such as usernames, bank details or other private information, often for malicious reasons, by masquerading as a trustworthy entity via electronic communication) has become the biggest data security threat faced by healthcare organizations. Phishing attacks commonly take the form of fake invoices and package delivery notifications, to hide their true … Read more

Protenus Breach Barometer Report Released

Protenus, an organisation dedicated to patient privacy monitoring of electronic health records, has released its Breach Barometer report. The report shows there was a significant increase in healthcare data breaches in September in comparison to previous months. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and … Read more

Former Texas Children’s Health Plan Employee Breaches HIPAA

Texas Children’s Health Plan has announced a breach of nearly 1,000 patients’ protected health information (PHI). The organisation said that the breach was discovered when they identified the information as having been emailed to the personal email account of a former employee. The incident was discovered on September 21, 2017, although the former employee emailed … Read more

HIV Status of Amida Care Members Revealed Through Mailing Error

Amida Care, a not-for-profit community healthcare service based in New York, has reported a HIPAA breach to the Office for Civil Rights (OCR). Their initial report reveals that the breach has affected nearly 6,250 of its patients. The organisation specializes in providing health coverage and coordinated care to Medicaid members suffering from chronic health conditions. This includes … Read more

Server Breach Affects Over 8,000 Patients at ASPC

The Advanced Spine & Pain Center (ASPC) has announced that it has experienced a potential breach and unauthorized use of their protected health information. The organisation, based in San Antonio, Texas, has notified as many as 8,362 of their patients that they have been affected by the incident. ASPC became aware of a potential breach … Read more

Stolen USBs Result in Breach of PHI

The Mann-Grandstaff VA Medical Center in Spokane, WA has announced that it has experienced a breach of PHI. The breach was a result of the theft of two USB drives, which contained the protected health information of almost 2,000 veterans. The devices were stolen on July 18, 2017 from a contract employee while on a … Read more

PHI Records Found Stored in Basement

Dr Riaz Baber, M.D., a Naperville, Illinois-based psychiatrist, has recently admitted to a breach of patient protected health information (PHI). The breach was discovered when medical files of more than 10,000 patients were found in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored … Read more

Healthcare Data Breach Report for Q3, 2017

In the third quarter of 2017, HIPAA covered entities reported 99 breaches of healthcare data, each involving more than 500 records, to the Department of Health and Human Services’ Office for Civil Rights (OCR). These figures bring the total number of data breaches reported in 2017 up to 272 incidents. The 99 … Read more

HHS Withdraws Proposed Rule Following Public Concerns

In January 2014, the Department of Health and Human Services proposed a new rule for certification of compliance for health plans to be introduced into HIPAA legislation. The rule was entitled “Certification of Compliance for Health Plans”. This rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS … Read more

Mid-Michigan Physicians Announce Data Breach

The radiology center of Mid-Michigan Physicians, managed by McLaren Medical Group, has announced today that they have experienced a breach of protected health information (PHI). They have stated that the PHI of over 100,000 patients has potentially been compromised in the breach. McLaren Medical Group announced earlier this month that the breach affected a system that stored … Read more

Lost Laptop Leaves Patients Vulnerable to Data Breach

A decommissioned laptop computer previously used by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has been discovered to be missing. The laptop is thought to have stored protected health information (PHI) of patients of the clinic, and its loss raises the possibility of the exposure of this sensitive patient information. The laptop was … Read more

TheDarkOverlord Makes Another Extortion Attempt

TheDarkOverlord is a hacking group that has been involved in many high-profile cases in recent months, from allegedly accessing the British Royal family’s healthcare information to accessing private user data from medical centres, schools, and even Netflix, the online streaming giant. The primary motivation for their attacks is extortion of those whose data they have stolen. … Read more

Former Employee Accessed PHI of Over 1,100 Patients “Out of Curiosity”

Our Lady of the Angels Hospital has announced the discovery of a breach of patient protected health information (PHI). The breach occurred when a former employee accessed the medical records of 1,140 patients without proper authorization to do so. In accordance with the HIPAA Breach Notification Rules, the affected patients have been informed of the … Read more

PHI Used for Market Research without Consent

Recently, the MS Center of Saint Louis and Mercy Clinic Neurology Town and County have announced that they have breached HIPAA regulations. Over one thousand patients are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third parties, even though they may not have given their permission … Read more

HHS Announces Third Hurricane-Related HIPAA Waiver This Year

In response to the devastating Hurricanes Harvey and Irma that hit the United States earlier this year, the U.S. Department of Health and Human Services issued two partial waivers of HIPAA sanctions and penalties in areas affected. Now, following Hurricane Maria’s wreckage of Puerto Rico and the U.S. Virgin Islands, the government department has issued … Read more

Former Hospital Employee Breaches HIPAA by Emailing PHI

Yolanda Farrar, a former employee of the Arkansas Department of Human Services (DHS), has been fired from her position at the state hospital for breaching HIPAA legislation in March 2017. She was discovered to have emailed spreadsheets containing the protected health information of patients to a personal email account. Yolanda Farrar worked as a payment integrity coding analyst … Read more

Hospital Staff Who Shared Photos of a Patient’s Injuries Guilty of Privacy Violations

The University of Pittsburgh Medical Center’s Bedford Memorial hospital has announced that an incident occurred at the facility which was in violation of HIPAA legislation. The incident, in which photographs and videos of a patient’s genitals were taken by hospital staff, occurred in late December 2016. This media was shared with other individuals, including those … Read more

AHA Responds to Increased Regulations on Hospitals

The American Hospital Association (AHA) recently sent an open letter to the House Ways and Means Health Subcommittee, in which they suggested several steps that Congress can take to immediately reduce the regulatory burden on hospitals and health systems. In the letter, the AHA states the regulatory burden on hospitals and health systems is “substantial … Read more

Partial Waiver of HIPAA Privacy Rule Penalties Issued Following Hurricane Harvey

The Department of Health and Human Services has issued a waiver of sanctions and penalties for violations of HIPAA’s Privacy Rule in the Hurricane Harvey disaster zone area. It is often difficult for hospitals to comply with all HIPAA Privacy Rule requirements following a natural disaster. Furthermore, following such limitations can potentially have a negative impact on … Read more

Delaware Updates Breach Notification Law

Delaware has amended its data breach notification law by introducing some of the strictest requirements of any state. It is the first time in a decade that any change has been made to the law. According to the update, any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or … Read more

Salina Family Healthcare Reports Ransomware Attack

Salina Family Healthcare, based in Kansas, has announced that they were subjected to a ransomware attack earlier this year. They stated that the ransomware was installed on servers and workstations at their offices, resulting in the encryption of their patients’ protected health information (PHI). The healthcare organisation expressed uncertainty as to whether the PHI had … Read more

Jessie’s Law Passed by U.S. Senate

Senators Joe Manchin and Shelley Moore Capito, both of West Virginia, have announced that Jessie’s Law has been passed by the Senate. The legislation was designed to ensure doctors are provided with details of a patient’s previous substance abuse history if the patient has provided consent for the information to be shared. The bill will … Read more

OCR Data Breach Portal Updated

In June 2017, the Department of Health and Human Services (HHS) confirmed it was contemplating updating its data breach portal. This section is commonly referred to as the OCR ‘Wall of Shame’, as all data breaches which have involved 500+ records are listed on the breach portal. This list is maintained due to section 13402(e)(4) … Read more

Nearly 300,000 Patients Affected by Ransomware Attack

Women’s Health Care Group of Pennsylvania has announced that they have been subject to a data breach. The organisation states that the breach was noticed in May, and they have notified nearly 300,000 patients that some of their sensitive protected health information has been compromised. The group is one of the largest healthcare networks in … Read more

OCR’s “Wall of Shame” Under Scrutiny

The Office for Civil Rights’ “Wall of Shame” was established in December 2009. This data portal contained summaries of healthcare data breaches published on the website by OCR. The list only provides a short synopsis of data breaches that involved more than 500 documents. The information includes the name of the covered entity, the state … Read more

Mississippi DOM Breaches HIPAA due to Email Error

Earlier this month, the Mississippi Division of Medicaid (DOM) announced that over 5,000 Medicaid recipients have had some of their protected health information (PHI) exposed. They stated that the breach occurred via email because of an error with an online form service. DOM discovered that the online form service was sending emails containing PHI to … Read more

Data on Most Common Types of PHI Breach Released

The Department of Health and Human Services has recently released data revealing the frequency of the most common types of HIPAA violations. The report concerned itself with HIPAA violations that have resulted in financial penalties against the covered entity. The five most common HIPAA violations of this type are: • failure to perform … Read more

Healthcare Employee Subject to Investigation by DA’s Office

In addition to having their employment contract terminated, healthcare employees who have been identified as improperly accessing the medical records of patients are also likely to face a criminal investigation into their conduct because of breaching HIPAA rules. This is regardless of the reason why they accessed the medical data in the first place. A … Read more

HITRUST Common Security Framework Updates

The Health Information Trust Alliance (HITRUST) is the most widely adopted privacy and security framework in the United States. Earlier this month, it announced that it has updated the HITRUST common security framework (CSF). Furthermore, they also launched a new CSF initiative specifically designed to help small healthcare organizations protect their PHI against cyberattacks and … Read more

New Secretary of HHS and HIPAA Changes

On February 10, 2017, Tom Price was appointed as secretary of the Department of Health and Human Services. He has replaced Sylvia Matthews Burwell, who held the post for three years. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities … Read more

HIPAA Privacy Rule Updated to Clear Ambiguity

After calls from healthcare professionals to clear the ambiguity surrounding allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones, the Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance surrounding these issues. Most healthcare professionals are aware that the HIPAA Privacy Rule permits … Read more