Unbeknownst to many, Congress established the Health Care Industry Cybersecurity Task Force in 2015 to address the health care industry’s cybersecurity challenges. That Task Force–a combination of public and private participants–released a report last week describing U.S. healthcare cybersecurity as being in “critical condition.” This conclusion, while disheartening, shouldn’t be surprising to readers of this blog. We’ve blogged about a range of cybersecurity issues affecting health care, from the potential hacking of medical devices with deadly consequences, to ransomware attacks that threaten to shut down hospitals. Continue Reading HHS Task Force Says Healthcare Cybersecurity is in “Critical Condition”
As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed. In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.
In non-election news, the Office for Civil Rights (OCR) at the Department of Health and Human Services recently released its November Cyber Awareness Newsletter. This month’s newsletter focuses on the topic of authentication. OCR encouraged health care companies to review and strengthen their authentication methods and other safeguards to avoid breaches of electronic protected health information (ePHI).
21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday, March 4 that it was the latest victim of a cyber-attack, this one affecting 2.2 million individuals. When did the attack occur? Months ago.
The breach occurred as early as October 3rd of last year when a hacker accessed a database containing current and former patient names, Social Security numbers, physician names, diagnosis and treatment information and insurance information. The FBI informed the company of the possibility of a breach in November of 2015, prompting the company’s investigation. After a five-month delay, requested by the FBI, the company announced the breach (see HERE) and is offering patients one year of identity theft protection services. Continue Reading Oh No, Not Again…Chalk Up Yet Another Health Data Breach
Earlier this week Mintz Levin’s Privacy & Security Matters blog posted some useful “bytes” to consider for the latest installment of the “Privacy Monday” series.
Of particular interest for those following health care privacy and security matters is the recent House Energy & Commerce Committee report revealing data breaches and vulnerabilities involving HHS. The Privacy and Security Matters blog post also provides some very practical privacy pointers and most importantly, an invite to our webinar discussion of vendor risk management and data protection on August 26 at 1PM ET.
Click here to get these handy end-of-summer bytes.
In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on July 17, 2015, that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (including medical conditions, medications, procedures, and test results). Affected individuals include UCLA’s patients as well as providers that sought privileges at the health system.
On July 21, 2015, UCLA became a defendant in a class action lawsuit after plaintiff Michael Allen filed the action in California federal court. The complaint alleges a number of violations related to the breach, including violation of California’s Confidential Medical Information Act.
According to its press release, UCLA determined on May 1, 2015, that the attackers had accessed UCLA’s network. Interestingly, UCLA notes that it had detected suspicious activity on its network in October of 2014, at which time it began working with the FBI to investigate the breach. At the time, UCLA did not believe that the attackers had access to the part of its network that contained personal information. However, as of May 5, 2015, UCLA concluded that the hackers may have had access to personal information as far back as September of 2014. UCLA has made identity protection and credit monitoring services available to potentially impacted individuals.
The class action claims that the breach was a direct result of UCLA’s failure to take “basic steps” to safeguard the sensitive information. One of these “basic steps”, the plaintiff argues, is the encryption of UCLA’s patient information. Continue Reading Class Action Suit Filed Against UCLA After It Suffers Massive Data Breach Affecting 4.5 Million Individuals
As reported in a Privacy and Security Matters post last week, we maintain a summary of the U.S. state data breach notification laws, which we refer to as the “Mintz Matrix.” We update the Mintz Matrix on a quarterly basis, or more frequently if necessary. The Mintz Matrix is available here. This update includes new information about Kentucky and Iowa laws.
We hope this chart is helpful to you, but we must note that it is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Since 2009, the HHS Office for Civil Rights (“OCR”) has posted all large data breaches – those that involve 500 or more individuals – online on its so-called “Wall of Shame.” In 2013, 160 large data breaches were reported to OCR and posted on the Wall of Shame. Taken together, these breaches involved the unsecured protected health information (“PHI”) of nearly 6.85 million individuals.
The following top five breaches of 2013 accounted for over 88% of all individuals affected by large data breaches in that year:
- Advocate Health and Hospitals Corp. (4,029,530);
- Horizon Healthcare Services, Inc. d/b/a Horizon Blue Cross Blue Shield of New Jersey and its affiliates (839,711);
- AHMC Healthcare Inc. (729,000);
- Texas Health Harris Methodist Hospital Fort Worth (277,014); and
- Indiana Family & Social Services Administration (187,533).
Of these five breaches, one involved the PHI of over four million individuals; the other four each affected over 150,000 individuals. Three of the five resulted from the theft of equipment or electronic files containing unencrypted PHI. The remaining two were due to errors by business associates: one failed to destroy microfiches containing PHI, which ultimately ended up in several local parks; the other made a computer programming error and transmitted records to an unintended party. Notably, the microfiche incident involved the PHI of patients seen by the facility between 1980 and 1990, demonstrating that older PHI is no safer from improper disclosure than newly generated PHI.
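The figures above (top-five share of affected individuals, breakdown by root cause) are the kind of aggregation anyone can reproduce from the breach portal's downloadable records. The script below is an added illustration, not part of the original post: it parses records laid out like the portal's CSV export and computes those summaries. The column names and the "Type of Breach" category strings are assumptions about that export; the five large rows are the 2013 breaches named above, and the two "Example" rows are constructed filler so that the small-breach bucket is not empty.

```python
"""Aggregate OCR breach-portal-style records: top-N share and root-cause breakdown."""
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of the OCR breach-portal CSV export.
# The column names and the "Type of Breach" values are assumptions about that export.
# The five large rows are the 2013 breaches named in the post; the two "Example"
# rows are made-up filler so the smaller-breach bucket is not empty.
SAMPLE_CSV = """Name of Covered Entity,Individuals Affected,Type of Breach,Business Associate Present
Advocate Health and Hospitals Corp.,4029530,Theft,No
Horizon Healthcare Services Inc.,839711,Theft,No
AHMC Healthcare Inc.,729000,Theft,No
Texas Health Harris Methodist Hospital Fort Worth,277014,Improper Disposal,Yes
Indiana Family & Social Services Administration,187533,Unauthorized Access/Disclosure,Yes
Example Clinic A (constructed),600,Hacking/IT Incident,No
Example Clinic B (constructed),1200,Loss,No
"""

# Published 2013 total ("nearly 6.85 million") used as the denominator for the share,
# since the sample above carries only the largest five of the 160 reported breaches.
PUBLISHED_2013_TOTAL = 6_850_000


def parse_breaches(csv_text):
    """Parse portal-style CSV text into dicts with an integer 'individuals' field."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "entity": row["Name of Covered Entity"].strip(),
            # The real export may format counts with thousands separators.
            "individuals": int(row["Individuals Affected"].replace(",", "")),
            "cause": row["Type of Breach"].strip(),
            "ba_present": row["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def top_n(breaches, n=5):
    """The n largest breaches by individuals affected, largest first."""
    return sorted(breaches, key=lambda b: b["individuals"], reverse=True)[:n]


def top_n_share(breaches, n=5, total=None):
    """Fraction of all affected individuals accounted for by the n largest breaches.

    'total' defaults to the sum over the parsed rows; pass a published total to
    reproduce a figure computed over a larger data set than the one in hand.
    """
    top_sum = sum(b["individuals"] for b in top_n(breaches, n))
    denom = total if total is not None else sum(b["individuals"] for b in breaches)
    return top_sum / denom


def by_cause(breaches):
    """Number of breaches and individuals affected, keyed by 'Type of Breach'."""
    stats = defaultdict(lambda: {"breaches": 0, "individuals": 0})
    for b in breaches:
        stats[b["cause"]]["breaches"] += 1
        stats[b["cause"]]["individuals"] += b["individuals"]
    return dict(stats)


def theft_or_loss_share(breaches):
    """Share of affected individuals in Theft/Loss breaches.

    This is the population for which encrypting the device would have kept the
    PHI 'secured' and outside the breach notification rule entirely.
    """
    lost = sum(b["individuals"] for b in breaches if b["cause"] in ("Theft", "Loss"))
    return lost / sum(b["individuals"] for b in breaches)


if __name__ == "__main__":
    data = parse_breaches(SAMPLE_CSV)
    print(f"top-5 share of published total: {top_n_share(data, 5, PUBLISHED_2013_TOTAL):.1%}")
    print(f"theft/loss share of sample:     {theft_or_loss_share(data):.1%}")
    for cause, s in sorted(by_cause(data).items(), key=lambda kv: -kv[1]["individuals"]):
        print(f"{cause:32s} {s['breaches']:3d} breaches {s['individuals']:>10,d} individuals")
```

Run against the real export, the same functions give the per-year split between device theft/loss and other causes, which is the number that decides how much of an organization's exposure full-disk encryption alone would have removed.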
These incidents from 2013 should alert covered entities, business associates, vendors and other agents handling PHI to the following lessons:
- Encrypt, encrypt, and encrypt again – in one of the breaches, the hospital system had focused on encrypting its laptops but had not yet completed encrypting the desktops that contained PHI. Encryption matters beyond being a good safeguard: the breach notification rule applies only to unsecured PHI, and PHI encrypted in accordance with HHS guidance is not unsecured, so the theft of a properly encrypted device is not a reportable breach at all;
- Monitor where PHI is going – if (or when) PHI gets inadvertently transmitted to the wrong party, knowing where it went will help the breaching party perform an adequate risk assessment under 45 C.F.R. § 164.402(2); and
- Follow up (and follow through) on the destruction of PHI – having policies on how to properly protect or destroy older PHI records, and following up with the entities entrusted with those tasks, will lessen the risk that these records cause a breach years later.
Our sister blog, Privacy and Security Matters, recently posted a comprehensive analysis of the newly released data breach report from the California Attorney General’s Office (AG Report). The AG Report is the first state-based, state-specific review of reported data breaches, and it analyzes the data by industry sector, the breach size, the breach’s root cause, and the type of data compromised. Of note, breaches involving the health care industry comprised 15% of the total reported breaches (19 out of 131) last year in California. Continue Reading Lessons from the California AG’s Data Breach Report for the Health Care Industry
Written by Dianne Bourque
The most recently published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement.
Massachusetts Eye and Ear Infirmary (MEEI) was following the HITECH breach notification rules when it reported the theft of an unencrypted laptop in 2010. The laptop contained the protected health information of MEEI patients and research subjects, including prescription and other health information. OCR investigated the breach and brought an enforcement action, citing MEEI for a number of HIPAA security rule violations. Not unexpectedly, OCR was focused on laptop security and the security of portable devices generally, which has been an enforcement priority of OCR.
The MEEI enforcement provides important reminders for covered entities:
1. Encrypt laptops and other portable devices.
2. Keep track of portable devices.
3. The OCR trend toward seven-figure fines is continuing (the MEEI settlement was $1.5 million).
To read the MEEI resolution agreement, click here.