The Department of Health and Human Services Office for Civil Rights (OCR) announced this week that it has settled the largest health care data breach for the largest enforcement fine in history. OCR settled the massive data breach Anthem suffered in 2015 for $16 million—a substantially larger fine than any others assessed by OCR for … Continue Reading
Data breaches continue to plague the health care industry, and July 2018 was the worst month so far this year in the number of data breaches reported to the Office for Civil Rights (OCR). Thirty-three data breaches were reported by covered entities and business associates in July, with the largest one reported by UnityPoint Health, … Continue Reading
It is a rare occurrence when a health care entity challenges the Office for Civil Rights (OCR) regarding proposed fines and penalties for HIPAA violations. In my memory, it has only happened once before. On June 1, 2018, an Administrative Law Judge (ALJ) granted summary judgment in favor of the OCR against The University of … Continue Reading
Data breaches continue to be an issue for healthcare providers, as indicated when looking at breaches reported to the Office for Civil Rights (OCR), as required by HIPAA. In the first three months of 2018, there were 77 breaches of protected health information (PHI) reported to OCR, which included more than one million patient records. … Continue Reading
The recently released Protenus Healthcare Breach Barometer report notes that in January, 2018, at least 473,807 patient records were compromised in 37 breaches reported to the Office for Civil Rights. Twelve of the reported breaches were attributable to insiders, which was 32 percent of the data breaches reported in January. Seven of those incidents were … Continue Reading
On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located … Continue Reading
In its January newsletter, the Office for Civil Rights (OCR) focused on cyber extortion, which it stated has “risen steadily over the past couple of years and continue to be a major source of disruption for many organizations.” Since the health care industry has been the target of cyber extortion attacks, the OCR is specifically … Continue Reading
In the first settlement for HIPAA violations in 2018, Fresenius Medical Care North America (Fresenius) has agreed to pay $3.5 million to the Office for Civil Rights (OCR) to settle allegations against it relating to five data breaches that occurred over a four month period in 2012. Interestingly, the five separate breaches affected the information … Continue Reading
Our experience last year is consistent with the conclusion of a new report issued by Cryptonite in its 2017 Health Care Cyber Research Report—that the number of hacking events targeted at health care entities involving ransomware increased a whopping 89% from 2016. The report analyzed the self-reporting database of the Office for Civil Rights (OCR) … Continue Reading
In its November newsletter, the Office for Civil Rights (OCR) made a great point that we are seeing in the industry—the risks associated with previous employees. According to its newsletter, entitled “Insider Threats and Termination Procedures,” the OCR states “Data breaches caused by current and former workforce members are a recurring issue across many industries, … Continue Reading
The news about data breaches always seems to be dire lately. Some good news: data breaches in the healthcare industry were lower in October than in September, based upon reportable data breaches to the Office for Civil Rights (OCR). Note that only breaches involving more than 500 records have to be disclosed to the OCR … Continue Reading
Paper records continue to be problematic. An Illinois psychiatrist reported to the Office for Civil Rights (OCR) that the medical records of 10,500 patients were stored in the basement of a house that he rented to an individual for at least four years. The tenant was provided a key to the basement by the psychiatrist’s … Continue Reading
Unfortunately, September was another banner month for data breaches involving the health care industry. According to the Office for Civil Rights (OCR) website, 39 data breaches involving over 500 records were reported to the OCR in the month of September. This does not include all records breached, as health care entities have until February 2018 … Continue Reading
Cornerstone Business & Management Solutions, a medical supply company located in Nebraska, has notified 21,856 individuals and the Office for Civil Rights that while performing a routine review of system logs, it discovered a suspicious account on its server downloading personal information of patients using its medical devices, including names, addresses, dates of birth, and … Continue Reading
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. Any person who believes that a covered entity or business associate is not complying with HIPAA may file a complaint with OCR (complaints may also be submitted directly to a covered entity). … Continue Reading
The Office for Civil Rights (OCR) recently issued an “improved web tool that puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and learn how all breaches of health information are investigated and successfully resolved.” The tool, called “The HIPAA Breach Reporting Tool (HBRT) allows individuals … Continue Reading
The Office for Civil Rights (OCR) recently released guidance entitled “My Entity Just Experienced a Cyber-attack! What Do We Do Now?” The Checklist is a practical tool for health care entities and outlines several steps to take following a cyber-attack. According to the Checklist, in the event of a cyber-attack or similar emergency an entity: … Continue Reading
Following the frequent and varied ransomware attacks on health care entities over the past few years, the Office for Civil Rights (OCR) published guidance last summer to the health care industry reminding it that a ransomware attack could be a reportable breach under the HIPAA Breach Notification Rule. Despite the fact that many health care … Continue Reading
The Office for Civil Rights (OCR) issued a press release today announcing that it has settled alleged HIPAA violations with Memorial Hermann Health System (MHHS) for $2.4 million. According to the Resolution Agreement it has inked with the OCR, MHHS must also implement a corrective action plan, including updating its policies and procedures, training staff … Continue Reading
The Office for Civil Rights (OCR) has announced that it entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000. CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a … Continue Reading
Showing no signs of letting up on enforcement actions, the Office for Civil Rights (OCR) late last week settled an investigation against Metro Community Provider Network MCPN, a Colorado based federally qualified health center, for alleged HIPAA violations. The fine, a whopping $400,000 for the center, which provides health care services to low income patients, … Continue Reading
ABCD Pediatrics, located in San Antonio, Texas has notified the Office for Civil Rights that a ransomware cyber intrusion has resulted in access to its servers, including the protected health information (PHI) of its patients. The ransomware used by the attackers was Dharma. The practice found through forensic analysis that access had been gained to … Continue Reading
New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Secure Hypertext Transport Protocol (HTTPS) to protect communications from vulnerabilities. According to OCR, the vulnerability can be introduced by the use of products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, which … Continue Reading
We often forget that state AG’s have jurisdiction under the HIPAA Omnibus Rule to levy fines and penalties against HIPAA covered entities for violations. This is because the Office for Civil Rights has traditionally taken the primary role in enforcing HIPAA. But Horizon Blue Cross Blue Shield of New Jersey (Horizon) was reminded of the … Continue Reading
