Verizon recently issued its Protected Health Information (PHI) Data Breach Report, which is always an interesting read. Not surprisingly, Verizon’s report concludes that based upon analysis of 1,360 security incidents involving the health care sector, 58 percent of the incidents were caused by insiders and 42 percent were caused by external threats. Insider threats can … Continue Reading
On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located … Continue Reading
In its November newsletter, the Office for Civil Rights (OCR) made a great point that we are seeing in the industry—the risks associated with previous employees. According to its newsletter, entitled “Insider Threats and Termination Procedures,” the OCR states “Data breaches caused by current and former workforce members are a recurring issue across many industries, … Continue Reading
The Office for Civil Rights (OCR) issued a press release today announcing that it has settled alleged HIPAA violations with Memorial Hermann Health System (MHHS) for $2.4 million. According to the Resolution Agreement it has inked with the OCR, MHHS must also implement a corrective action plan, including updating its policies and procedures, training staff … Continue Reading
The Office for Civil Rights (OCR) has announced that it entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000. CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a … Continue Reading
ABCD Pediatrics, located in San Antonio, Texas has notified the Office for Civil Rights that a ransomware cyber intrusion has resulted in access to its servers, including the protected health information (PHI) of its patients. The ransomware used by the attackers was Dharma. The practice found through forensic analysis that access had been gained to … Continue Reading
Denton Heart Group, located throughout Dallas, has notified 21,665 patients that their protected health information has been compromised as a result of the theft of a hard drive from a locked closet. The hard drive that was in the closet contained the group’s backup data from the practice’s electronic health system—which included apparently of all … Continue Reading
Vanderbilt University Medical Center (VUMC) has announced that it will be sending breach notification letters to over 3,000 patients as a result of unauthorized access to PHI by two patient transporters. According to the announcement, VUMC audited its medical records (as it is required to do by HIPAA), and found that two individuals who worked … Continue Reading
Health care data breaches are not slowing. According to a report issued by Protenus, in conjunction with www.databreaches.net, the summary of healthcare data breaches in 2017 continues where 2016 left off. In January 2017, there were 31 data breaches reported to the Office for Civil Rights. The breaches resulted in the compromise of 388,307 patient … Continue Reading
A delay in reporting a HIPAA violation can result in a significant monetary penalty. That was the message sent by the Office for Civil Rights (OCR), which recently announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information (PHI). According to the OCR, Presence Health (a large … Continue Reading
Whenever fact sheets or other guidance is issued by either the Office of the National Coordinator for Health Information Technology (ONC) or the Office for Civil Rights (OCR), it helps gain insight into the thinking of the regulators so we watch it closely. But when the ONC and OCR issues joint guidance, it is hitting … Continue Reading
The United States Attorney’s Office for the District of Massachusetts recently announced that three former district managers of the pharmaceutical firm Warner Chilcott have been sentenced for violating the Health Insurance Portability and Accountability Act (HIPAA) and committing healthcare fraud. The allegations include that the district managers directed certain sales representatives to fill out prior … Continue Reading
Approximately 300,000 patients of Central Ohio Urology Group have been notified that their protected health information has been stolen and posted online. Although the actual date of the hacking has not been released, the records were posted online on August 2, 1016. The stolen data posted online included names, addresses, telephone numbers, email addresses, dates … Continue Reading
On October 6, 2016, the Department of Health and Human Services Office for Civil Rights (OCR) released HIPAA guidance on cloud computing (Guidance). The Guidance is intended to help covered entities and business associates understand their HIPAA obligations in cloud computing arrangements, and clarify the HIPAA obligations of cloud service providers (CSPs). The Guidance notes … Continue Reading
Everybody knows how much I hate USB and thumb drives. The latest scheme is for hackers to leave thumb drives in coffee shops, airports, office buildings, libraries and other public places. These USB and thumb drives contain malware and ransomware and can infect an entire system if they are plugged into a home or work … Continue Reading
The Office for Civil Rights (OCR) has issued its revamped audit protocol for its second phase of auditing covered entities and business associates’ compliance with the HIPAA Privacy, Security and Breach Notification Rules. The lengthy audit protocol is posted on the OCR website. It provides general instructions, and then cites each statutory section of the … Continue Reading
We previously reported [view related post] that 21st Century Oncology had suffered a data breach and notified 2.2 million patients that it had been the victim of a hacking that exposed the names, Social Security numbers, physicians’ names, diagnosis information, and insurance information of its patients. Although the intrusion occurred in October 2015, 21st Century … Continue Reading
The Office for Civil Rights has provided additional educational materials for app developers through the app developers portal that it developed last fall. The new material is intended to assist healthcare entities and software developers to learn from different scenarios that explain when HIPAA applies to mobile health apps and when it doesn’t. In particular, … Continue Reading
In an unusual scenario, in fact, only the second time in history, the Office for Civil Rights (OCR) was successful before an Administrative Law Judge (ALJ) in obtaining an order for the payment of civil monetary fines as a result of HIPAA violations. The OCR assessed a penalty of $240,000 against Lincare Holdings, Inc. (Lincare) … Continue Reading
Generally, court filings are public records unless sealed from public access by a judge. Vast amounts of personal information contained in public records can be, and are, accessed by criminals in order to obtain personal information of individuals, which can be aggregated with other information, to perpetrate fraud and identity theft. For this reason, most … Continue Reading
We previously reported that the Georgia Secretary of State’s office experienced a massive data breach in October, and didn’t find out about it until November. The breach affected approximately 6 million Georgian voters, and included their names, addresses, dates of birth, driver’s license numbers and Social Security numbers. Following the data breach and notification to … Continue Reading
Centene Corporation, a health insurer headquartered in St. Louis, announced on January 25, in a press release that it is undertaking an, “ongoing comprehensive internal search for six hard drives that are unaccounted for in its inventory of information technology (IT) assets.” The press release states that the hard drives contained the names, addresses, dates of … Continue Reading
On January 7, 2015, HHS issued new guidance (Guidance) regarding an individual’s right to access his or her health information under HIPAA’s Privacy Rule. The Guidance emphasizes that HIPAA, while protecting the privacy and confidentiality of individuals’ health information, also recognizes the importance of providing individuals with access to their health information. The Guidance reviews … Continue Reading
Just before Thanksgiving, the Office for Civil Rights (OCR) announced that Lahey Hospital and Medical Center (Lahey) has agreed to pay $850,000 in fines and penalties to the OCR and enter into a resolution agreement following the self-disclosure that a laptop containing CT scans was stolen from Lahey in October of 2011. Surprisingly, the fine … Continue Reading
