The New Jersey Attorney General’s office announced this week that it has fined Virtua Medical Group, which is comprised of more than 50 medical practices in New Jersey, for failing to protect the privacy of 1,650 patients when their medical information was accessible online. The information was uploaded to a password-protected FTP website, but during … Continue Reading
Verizon recently issued its Protected Health Information (PHI) Data Breach Report, which is always an interesting read. Not surprisingly, Verizon’s report concludes that based upon analysis of 1,360 security incidents involving the health care sector, 58 percent of the incidents were caused by insiders and 42 percent were caused by external threats. Insider threats can … Continue Reading
The recently released Protenus Healthcare Breach Barometer report notes that in January, 2018, at least 473,807 patient records were compromised in 37 breaches reported to the Office for Civil Rights. Twelve of the reported breaches were attributable to insiders, which was 32 percent of the data breaches reported in January. Seven of those incidents were … Continue Reading
In October 2017, healthcare insurer, CareFirst, petitioned the United States Supreme Court, requesting the Court to clarify the constitutional standing requirement for plaintiffs seeking to bring claims regarding their exposure during corporate data breaches. In order to invoke federal court jurisdiction, a plaintiff must plead an actual or imminent injury. The Supreme Court has held … Continue Reading
In its November newsletter, the Office for Civil Rights (OCR) made a great point that we are seeing in the industry—the risks associated with previous employees. According to its newsletter, entitled “Insider Threats and Termination Procedures,” the OCR states “Data breaches caused by current and former workforce members are a recurring issue across many industries, … Continue Reading
The Centers for Medicare & Medicaid Services (CMS) recently issued guidance intended to help clinicians eligible for the Merit-based Incentive Payment System (MIPS) navigate an attestation required thereunder concerning the prevention of information blocking. MIPS was implemented via CMS’s Quality Payments Program final rule with comment period released in 2016, and represents one avenue for … Continue Reading
Unfortunately, September was another banner month for data breaches involving the health care industry. According to the Office for Civil Rights (OCR) website, 39 data breaches involving over 500 records were reported to the OCR in the month of September. This does not include all records breached, as health care entities have until February 2018 … Continue Reading
With open enrollment in full swing for many employers, now is a good time to review employee benefit communications. Plan sponsors of health plans are generally responsible for properly administering all of the health plan notices required by law, including HIPAA. To ease the administrative burden and to cut costs, these notices can, and often … Continue Reading
We all know by now that we are not supposed to give our passwords to anyone else or use someone else’s passwords to access an electronic system. Despite this basic data security tenant, a new study by Healthcare Informatics Research reports that 73% of medical professionals admit that they have used another’s password to access … Continue Reading
Health Data Management (HDM), using information compiled by Protenus Breach Barometer, published a list this week of the biggest health care data breaches so far in 2017. The list used data accessible on the Office for Civil Rights website regarding self-reported breaches by health care entities. According to HDM, approximately 200 data breaches affecting more … Continue Reading
The Food and Drug Administration (FDA) issued guidance yesterday (September 6, 2017) entitled “Design Considerations and Pre-Market Submission Recommendations for Interoperable Medical Devices,” which is intended to “assist industry and FDA staff in identifying specific considerations related to the ability of electronic medical devices to safely and effectively exchange information and use exchanged information.” The … Continue Reading
The U.S. Department of Health and Human Services (HHS) has used its authority to waive certain provisions of HIPAA in response to Hurricane Harvey. HHS previously declared a public health emergency in Texas and Louisiana related to the hurricane and its aftermath. Under the waiver, HHS waives sanctions against covered hospitals that do not comply … Continue Reading
Baptist Medical Center South, located in Jacksonville, Florida has admitted that one of its backup drives has been missing since May 18, 2017. The unencrypted backup drive contained the protected health information of 531 patients who underwent an EEG at the facility between 2015 and 2017. It has not been recovered to date. The backup … Continue Reading
The North Dakota Department of Human Services has admitted that one of its employees threw Medicaid claim resolution worksheets into a dumpster instead of disposing them in a secure onsite shredding receptacle. The result? The documents were found in the dumpster by a citizen who notified the Department, which then notified almost 2,500 patients of … Continue Reading
For those of you who know me, you know that I have been very frustrated with the federal and state governments for continuing to use Social Security numbers for eligibility, enrollment and participating in Medicare and Medicaid. This includes listing individuals’ Social Security numbers on the Medicare and Medicaid cards. The good news is that … Continue Reading
A new report released by Check Point has security personnel working in the health care industry particularly concerned and they are warning their colleagues about the existence of “Fireball.” Fireball, released by a Chinese operation, has infected approximately 250 million computers worldwide. According to the report, the malware hijacks web browsers and turns computers into … Continue Reading
This week, the Department of Health and Human Services (HHS) issued its “Report on Improving Cybersecurity in the Health Care Industry,” which is the culmination of a year-long effort on behalf of the Cybersecurity Task Force, made up of industry professionals from the public and private sectors to identify and develop recommendations “on the growing … Continue Reading
Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care … Continue Reading
The fall-out from WannaCry continues, particularly in the healthcare sector. There are new reports that WannaCry affected at least two hospital systems in the U.S. and encrypted medical devices (power injector systems) in the hospitals. There are additional anecdotal reports that other medical devices were affected by WannaCry. According to medical device company spokesmen, if … Continue Reading
The Office for Civil Rights (OCR) issued a press release today announcing that it has settled alleged HIPAA violations with Memorial Hermann Health System (MHHS) for $2.4 million. According to the Resolution Agreement it has inked with the OCR, MHHS must also implement a corrective action plan, including updating its policies and procedures, training staff … Continue Reading
Now more than ever, workplace wellness programs are becoming increasingly popular among employers. A common concern many employers have is how to design a meaningful workplace program intended to improve the health of participating employees while complying with HIPAA’s privacy and security rules. Although employers are not covered entities, HIPAA may apply to an employer’s … Continue Reading
The Office for Civil Rights (OCR) has announced that it entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000. CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a … Continue Reading
The monthly breach report issued by Protenus last week outlining data breaches that occurred in the month of March concludes that there was an “uptick in the number of health data breach incidents.” According to the report, there were 39 incidents last month that involved health information, compromising 1.5 million patient records. A whopping 44 … Continue Reading
Showing no signs of letting up on enforcement actions, the Office for Civil Rights (OCR) late last week settled an investigation against Metro Community Provider Network MCPN, a Colorado based federally qualified health center, for alleged HIPAA violations. The fine, a whopping $400,000 for the center, which provides health care services to low income patients, … Continue Reading
