On July 9, 2018, Cass Regional Medical Center (CRMC) in Harrisonville, Missouri was hit with a ransomware attack that led to a complete shutdown of its electronic health record (EHR) and the diversion of trauma and stroke patients. According to CRMC, the attack affected CRMC’s internal communications system and “access to” its EHR. In response, … Continue Reading
In response to the opioid crisis, the Substance Abuse and Mental Health Services Administration (SAMHSA), in collaboration with the Office of the National Coordinator (ONC), recently issued two fact sheets to provide clarity on the updated 42 CFR Part 2 regulations in the context of health information exchanges and provider health settings. The fact sheets … Continue Reading
Medical transcription provider MEDantex has reportedly exposed the protected health information of thousands of patients through its unsecured provider portal, which did not require a password for access. According to reports, including KrebsOnSecurity, the patients’ audio medical notes were uploaded to MEDantex’s website, which were then to be transcribed and uploaded to a portal accessible … Continue Reading
Data breaches continue to be an issue for healthcare providers, as indicated when looking at breaches reported to the Office for Civil Rights (OCR), as required by HIPAA. In the first three months of 2018, there were 77 breaches of protected health information (PHI) reported to OCR, which included more than one million patient records. … Continue Reading
In what is being called a systematic targeting of large health care organizations, pharmaceutical companies, and IT companies and equipment manufacturers that service the health care industry, Symantec has reported that a new hacking group, dubbed “Orangeworm,” is carefully selecting its targets and strategy prior to launching an attack. According to Symantec, the hackers have … Continue Reading
The New Jersey Attorney General’s office announced this week that it has fined Virtua Medical Group, which is comprised of more than 50 medical practices in New Jersey, for failing to protect the privacy of 1,650 patients when their medical information was accessible online. The information was uploaded to a password-protected FTP website, but during … Continue Reading
Verizon recently issued its Protected Health Information (PHI) Data Breach Report, which is always an interesting read. Not surprisingly, Verizon’s report concludes that based upon analysis of 1,360 security incidents involving the health care sector, 58 percent of the incidents were caused by insiders and 42 percent were caused by external threats. Insider threats can … Continue Reading
The recently released Protenus Healthcare Breach Barometer report notes that in January, 2018, at least 473,807 patient records were compromised in 37 breaches reported to the Office for Civil Rights. Twelve of the reported breaches were attributable to insiders, which was 32 percent of the data breaches reported in January. Seven of those incidents were … Continue Reading
In October 2017, healthcare insurer, CareFirst, petitioned the United States Supreme Court, requesting the Court to clarify the constitutional standing requirement for plaintiffs seeking to bring claims regarding their exposure during corporate data breaches. In order to invoke federal court jurisdiction, a plaintiff must plead an actual or imminent injury. The Supreme Court has held … Continue Reading
In its November newsletter, the Office for Civil Rights (OCR) made a great point that we are seeing in the industry—the risks associated with previous employees. According to its newsletter, entitled “Insider Threats and Termination Procedures,” the OCR states “Data breaches caused by current and former workforce members are a recurring issue across many industries, … Continue Reading
The Centers for Medicare & Medicaid Services (CMS) recently issued guidance intended to help clinicians eligible for the Merit-based Incentive Payment System (MIPS) navigate an attestation required thereunder concerning the prevention of information blocking. MIPS was implemented via CMS’s Quality Payments Program final rule with comment period released in 2016, and represents one avenue for … Continue Reading
Unfortunately, September was another banner month for data breaches involving the health care industry. According to the Office for Civil Rights (OCR) website, 39 data breaches involving over 500 records were reported to the OCR in the month of September. This does not include all records breached, as health care entities have until February 2018 … Continue Reading
With open enrollment in full swing for many employers, now is a good time to review employee benefit communications. Plan sponsors of health plans are generally responsible for properly administering all of the health plan notices required by law, including HIPAA. To ease the administrative burden and to cut costs, these notices can, and often … Continue Reading
We all know by now that we are not supposed to give our passwords to anyone else or use someone else’s passwords to access an electronic system. Despite this basic data security tenant, a new study by Healthcare Informatics Research reports that 73% of medical professionals admit that they have used another’s password to access … Continue Reading
Health Data Management (HDM), using information compiled by Protenus Breach Barometer, published a list this week of the biggest health care data breaches so far in 2017. The list used data accessible on the Office for Civil Rights website regarding self-reported breaches by health care entities. According to HDM, approximately 200 data breaches affecting more … Continue Reading
The Food and Drug Administration (FDA) issued guidance yesterday (September 6, 2017) entitled “Design Considerations and Pre-Market Submission Recommendations for Interoperable Medical Devices,” which is intended to “assist industry and FDA staff in identifying specific considerations related to the ability of electronic medical devices to safely and effectively exchange information and use exchanged information.” The … Continue Reading
The U.S. Department of Health and Human Services (HHS) has used its authority to waive certain provisions of HIPAA in response to Hurricane Harvey. HHS previously declared a public health emergency in Texas and Louisiana related to the hurricane and its aftermath. Under the waiver, HHS waives sanctions against covered hospitals that do not comply … Continue Reading
Baptist Medical Center South, located in Jacksonville, Florida has admitted that one of its backup drives has been missing since May 18, 2017. The unencrypted backup drive contained the protected health information of 531 patients who underwent an EEG at the facility between 2015 and 2017. It has not been recovered to date. The backup … Continue Reading
The North Dakota Department of Human Services has admitted that one of its employees threw Medicaid claim resolution worksheets into a dumpster instead of disposing them in a secure onsite shredding receptacle. The result? The documents were found in the dumpster by a citizen who notified the Department, which then notified almost 2,500 patients of … Continue Reading
For those of you who know me, you know that I have been very frustrated with the federal and state governments for continuing to use Social Security numbers for eligibility, enrollment and participating in Medicare and Medicaid. This includes listing individuals’ Social Security numbers on the Medicare and Medicaid cards. The good news is that … Continue Reading
A new report released by Check Point has security personnel working in the health care industry particularly concerned and they are warning their colleagues about the existence of “Fireball.” Fireball, released by a Chinese operation, has infected approximately 250 million computers worldwide. According to the report, the malware hijacks web browsers and turns computers into … Continue Reading
This week, the Department of Health and Human Services (HHS) issued its “Report on Improving Cybersecurity in the Health Care Industry,” which is the culmination of a year-long effort on behalf of the Cybersecurity Task Force, made up of industry professionals from the public and private sectors to identify and develop recommendations “on the growing … Continue Reading
Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care … Continue Reading
The fall-out from WannaCry continues, particularly in the healthcare sector. There are new reports that WannaCry affected at least two hospital systems in the U.S. and encrypted medical devices (power injector systems) in the hospitals. There are additional anecdotal reports that other medical devices were affected by WannaCry. According to medical device company spokesmen, if … Continue Reading
