The July 2018 cyber security newsletter issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) reminds health care providers and their business associates of the importance of properly disposing of and destroying electronic devices and/or media that are no longer needed or that will be repurposed. The HIPAA Security Rule requires covered entities and business associates to have policies and procedures in place that govern the proper disposal and re-use of hardware and electronic media that contain electronic protected health information (“ePHI”).
The first statistic comes from a recently published study by the Ponemon Institute, with sponsorship from IBM Security, entitled “2018 Cost of a Data Breach Study: Global Overview.” Ponemon’s study found that heavily regulated organizations, most notably the health care industry, face breach costs that are substantially higher than those of their peers. The study found that the per capita cost of a data breach in the health care industry is $408, nearly double that of the financial industry, which claims the second spot on the list. The chart below makes the health care industry’s outlier status crystal clear.
Unbeknownst to many, Congress established the Health Care Industry Cybersecurity Task Force in 2015 to address the health care industry’s cybersecurity challenges. That Task Force, a combination of public and private participants, released a report last week describing U.S. healthcare cybersecurity as being in “critical condition.” This conclusion, while disheartening, shouldn’t be surprising to readers of this blog. We’ve blogged about a range of cybersecurity issues affecting health care, from the potential hacking of medical devices with deadly consequences, to ransomware attacks that threaten to shut down hospitals.
As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed. In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.
In non-election news, the Office for Civil Rights (OCR) at the Department of Health and Human Services recently released its November Cyber Awareness Newsletter. This month’s newsletter focuses on the topic of authentication. OCR encouraged health care companies to review and strengthen their authentication methods and other safeguards to avoid breaches of electronic protected health information (ePHI).
21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday, March 4 that it was the latest victim of a cyber-attack, affecting 2.2 million individuals. When did the attack occur? Months ago.
The breach occurred as early as October 3rd of last year, when a hacker accessed a database containing current and former patient names, Social Security numbers, physician names, diagnosis and treatment information, and insurance information. The FBI informed the company of the possibility of a breach in November of 2015, prompting the company’s investigation. After a five-month delay, requested by the FBI, the company announced the breach and is offering patients one year of identity theft protection services.
Earlier this week Mintz Levin’s Privacy & Security Matters blog posted some useful “bytes” to consider for the latest installment of the “Privacy Monday” series.
Of particular interest for those following health care privacy and security matters is the recent House Energy & Commerce Committee report revealing data breaches and vulnerabilities involving HHS. The Privacy and Security Matters blog post also provides some very practical privacy pointers and most importantly, an invite to our webinar discussion of vendor risk management and data protection on August 26 at 1PM ET.
Click here to get these handy end-of-summer bytes.
In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on July 17, 2015, that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (including medical conditions, medications, procedures, and test results). Affected individuals include UCLA’s patients as well as providers that sought privileges at the health system.
On July 21, 2015, UCLA became a defendant in a class action lawsuit after plaintiff Michael Allen filed the action in California federal court. The complaint alleges a number of violations related to the breach, including violation of California’s Confidential Medical Information Act.
According to its press release, UCLA determined on May 1, 2015, that the attackers had accessed UCLA’s network. Interestingly, UCLA notes that it had detected suspicious activity on its network in October of 2014, at which time it began working with the FBI to investigate the breach. At the time, UCLA did not believe that the attackers had access to the part of its network that contained personal information. However, as of May 5, 2015, UCLA concluded that the hackers may have had access to personal information as far back as September of 2014. UCLA has made identity protection and credit monitoring services available to potentially impacted individuals.
The class action claims that the breach was a direct result of UCLA’s failure to take “basic steps” to safeguard the sensitive information. One of these “basic steps,” the plaintiff argues, is the encryption of UCLA’s patient information.
As reported in a Privacy and Security Matters post last week, we maintain a summary of the U.S. state data breach notification laws, which we refer to as the “Mintz Matrix.” We update the Mintz Matrix on a quarterly basis, or more frequently if necessary. The Mintz Matrix is available here. This update includes new information about Kentucky and Iowa laws.
We hope this chart is helpful to you, but we must note that it is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Since 2009, the HHS Office for Civil Rights (“OCR”) has posted all large data breaches – those that involve 500 or more individuals – online on its so-called “Wall of Shame.” In 2013, 160 large data breaches were reported to OCR and posted on the Wall of Shame. Taken together, these breaches involved the unsecured protected health information (“PHI”) of nearly 6.85 million individuals.
The following top five breaches of 2013 accounted for over 88% of all individuals affected by large data breaches in that year:
- Advocate Health and Hospitals Corp. (4,029,530);
- Horizon Healthcare Services, Inc. d/b/a Horizon Blue Cross Blue Shield of New Jersey and its affiliates (839,711);
- AMHC Healthcare Inc. (729,000);
- Texas Health Harris Methodist Hospital Fort Worth (277,014); and
- Indiana Family & Social Services Administration (187,533).
Of these five breaches, one breach involved the PHI of over four million individuals; the other four breaches each affected over 150,000 individuals. Three out of these five breaches resulted from the theft of equipment or electronic files with unencrypted PHI. The two remaining breaches were due to errors by business associates: one that failed to destroy microfiches containing PHI that ultimately ended up in several local parks; and one that made a computer programming error and transmitted records to an unintended party. Interestingly, the first incident involved the PHI of patients seen by the facility between 1980 and 1990, demonstrating that older PHI is no safer from improper disclosure than newly generated PHI.
These incidents from 2013 should alert covered entities, business associates, vendors and other agents handling PHI to the following lessons:
- Encrypt, encrypt, and encrypt again – in one of the breaches, the hospital system had focused on encrypting their laptops, but had not yet completed encrypting the desktops that contained PHI;
- Monitor where PHI is going – if (or when) PHI gets inadvertently transmitted to the wrong party, knowing where it went will help the breaching party to perform an adequate risk assessment under 45 C.F.R. 164.402(2); and
- Follow up (and follow through) on the destruction of PHI – having policies on how to properly protect or destroy older PHI records and following up with entities entrusted with completing those tasks will lessen the risk that these records will cause a future breach down the road.