Phishing Attack Leaves 37K Gold Coast Health Plan Members’ PHI at Risk

On October 5, California-based Gold Coast Health Plan (GCHP) informed the Office for Civil Rights (OCR) that a phishing attack may have exposed the protected health information of 37,005 plan members. The attack occurred when hackers successfully tricked a GCHP employee with a phishing email, which gave the hackers access to that employee’s email account from June 18, 2018, to August 1, 2018. According to GCHP, the incident was discovered on August 8, at which point the health plan immediately terminated the attack by disabling the compromised account, requiring a password change, and increasing monitoring to prevent further suspicious activity. Following the attack, law enforcement was notified, and a leading third-party cybersecurity firm was hired to investigate the breach. The firm was unable to rule out the possibility that plan members’ personal data was inappropriately accessed or stolen. Based on the investigation, GCHP believes the attack was financially motivated, as the majority of phishing attacks are, with the hackers attempting to fraudulently transfer the health plan’s funds to their own account. The breach affected members who submitted claims information via email. Information that may have been compromised includes member names, dates of birth, health ID numbers, medical procedure codes, and dates of medical service. Currently, there is no evidence to suggest that any of the potentially compromised information has been misused. GCHP is providing free identity theft protection services to victims of the breach. As a result of the phishing attack, GCHP has committed to improving its security controls in addition to providing more extensive security awareness training to its employees, particularly regarding phishing...

HIPAA Violations During ‘Boston Med’ Filming Leave Three Boston Hospitals with $999,000 in Fines

On September 20, the Department of Health and Human Services’ Office for Civil Rights announced fines totaling $999,000 for three Boston hospitals, all of which violated HIPAA while allowing ABC’s TV series “Boston Med” to film in their facilities. Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) allowed film crews on premises prior to obtaining patients’ authorization.

The Fines

BMC agreed to pay $100,000 for its failure to comply with HIPAA regulations when the hospital impermissibly disclosed PHI to ABC employees. BWH settled its HIPAA violations with a $384,000 fine. OCR found that although BWH did conduct a review of patient privacy issues and had ABC crews go through HIPAA privacy training, some written authorization forms signed by patients were received only after an impermissible disclosure of their PHI had already taken place. MGH agreed to pay a $515,000 fine issued by OCR for HIPAA violations similar to BWH’s. Filming of Boston Med occurred at MGH (as well as BWH) between October 2014 and January 2015, and, as at BWH, film crews went through HIPAA privacy training and a review of patient privacy issues was conducted. MGH was found to have violated HIPAA by receiving patient authorization only after the impermissible disclosure of PHI, as well as by failing to reasonably and appropriately safeguard patients’ PHI during filming.

Not the First Time

This is not the first time OCR has issued fines for violations involving filming in a hospital. HIPAA fines were issued to New York Presbyterian Hospital (NYP) for HIPAA violations that resulted from the filming of “NY Med” in 2016. NYP, who allowed crews to film...

HIPAA and MACRA/MIPS 2018 – What You Need to Know

As we move into the second half of the year, many practices and physicians are starting to consider the data they will need to submit under the MACRA/MIPS program. The MACRA/MIPS rules change slightly every year, and this year is no exception. Even though the rules have been adjusted, a basic requirement remains in place: you will need to perform a HIPAA Security Risk Analysis in order to maximize your MIPS score and avoid negative Medicare payment adjustments. Interested in a further explanation? See below.

Your 2018 MIPS score is divided into four categories:

Quality (50 points)
Cost (10 points)
Improvement Activities (15 points)
Promoting Interoperability (25 points)

Promoting Interoperability replaces Advancing Care Information from last year, and it remains the category that involves the HIPAA Security Risk Analysis. Promoting Interoperability has a base score, a performance score, and a bonus score. The base score is 50% of the overall Promoting Interoperability score. Several base score measures are required, and one of them is performing a HIPAA Security Risk Analysis. You’ll need to meet the requirements of all the base score measures in order to receive the 50% base score. If these requirements are not met, you will get a 0 for the overall Promoting Interoperability performance category score.

Conclusion: not performing a Security Risk Analysis (SRA) gets you a zero base score, a zero performance score, and a very low overall Promoting Interoperability score. This category represents 25% of your total MIPS score. Best practice would dictate that you have a Security Risk Analysis performed and dated in 2018. Of course, performing a Security Risk Analysis is always required for HIPAA compliance, regardless of whether a practice receives reimbursement from...

Missouri-Based Practice Suffers Breach of Nearly 45,000 Patient Records

Despite reports that the healthcare sector is seeing fewer ransomware attacks this year than in years prior, that doesn’t mean they no longer exist. Unfortunately for Missouri-based Blue Springs Family Care, that lesson was learned the hard way after it suffered a breach of 44,979 patient records resulting from a ransomware attack. Cass Regional Medical Center, also based in Missouri, learned the same lesson when it discovered that its communication system had been struck by ransomware in July, leading to a lock-out of the organization’s EHR system. In its statement, Blue Springs explains that the breach, which was discovered on May 12, 2018, occurred when an unauthorized individual or individuals compromised the organization’s computer system and installed a “variety of malware programs,” including the program responsible for carrying out the ransomware attack. According to the statement released by Blue Springs, the compromised data includes a wealth of information on its patients. The statement reads: “We have learned that your personal information, including your full name, home address, date of birth, Social Security number, account number, driver’s license number, medical diagnoses, and disability codes may have been compromised.” Once the malware was installed on Blue Springs’ system, the hackers had free rein to access all the patient data within that system. The organization indicated that at the time of its statement, it had no knowledge of the compromised information being used by any unauthorized individuals. In response to the incident, Blue Springs is taking corrective measures to prevent a similar attack from occurring in the future. It has implemented a new firewall and is transitioning EHR systems to one that provides encryption for all...

Healthcare Data Breaches Rise Along with Consumer Concerns of Privacy and Data Security

A recent survey conducted by the health insurance company Aetna revealed some significant results as to what consumers consider their most important concern in terms of healthcare. According to the survey of 1,000 consumers, patient privacy and data security are more important concerns than the cost of care. 80% of survey respondents indicated that privacy was a top concern regarding their health care, while 76% felt the same high level of concern for their data security. With data breaches on the rise and showing no signs of slowing down, it appears consumers are putting their worries in the right place when it comes to their healthcare. Looking at healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), the number of individuals affected by healthcare data breaches is increasing dramatically. In the first three months of 2018 (Q1), over one million patients and health plan members were affected by a healthcare data breach, compared with Q4 of 2017, which saw 520,141 affected individuals. Looking at the Q2 2018 Protenus Breach Barometer, we see even more drastic results, further showing that healthcare privacy and data security should be a top concern for all consumers. According to the Breach Barometer, Q2 of 2018 saw a total of 3.14 million patient records breached, a massive increase of 2 million patient records over Q1! In addition, the Protenus report found that nearly 30% of the privacy violations in Q2 of 2018 were caused by repeat offenders from within the organization. The Protenus report also found that 9.21 out...