From Dorothy Cociu, COIN Editor and HIPAA Privacy & Security Consultant & Trainer
Published: The County of Orange Insurance News, January-February, 2020
There have been several OCR enforcement activities since the last issue of the COIN., and some helpful information was released from the Fall, 2019 Cybersecurity Newsletter that are helpful that I will share.
Enforcement Activities
On the enforcement side, the first settlement was regarding a failure to encrypt mobile devices, which led to a $3 Million HIPAA settlement.
1) Reported on November 5, 2019, The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State with over 26,000 employees.
URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR’s investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”
In addition to the monetary settlement, URMC will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.
2) On November 7, 2019, OCR reported that The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has imposed a $1,600,000 civil money penalty against the Texas Health and Human Services Commission (TX HHSC), for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules between 2013 and 2017. TX HHSC is part of the Texas HHS system, which operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid. The Department of Aging and Disability Services (DADS), a state agency that administered long-term care services for people who are aging, and for people with intellectual and physical disabilities, was reorganized into TX HHSC in September 2017.
On June 11, 2015, DADS filed a breach report with OCR stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, social security numbers, and treatment information. The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials. OCR’s investigation determined that, in addition to the impermissible disclosure, DADS failed to conduct an enterprise-wide risk analysis, and implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals’ ePHI.
3)On November 27, 2019, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS), reported that they and Sentara Hospitals (Sentara) have agreed to take corrective actions and pay $2.175 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules. Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.
In April of 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s protected health information (PHI). OCR’s investigation determined that Sentara mailed 577 patients’ PHI to wrong addresses that included patient names, account numbers, and dates of services. Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred. Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.” said Roger Severino, OCR Director. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring.
Cybersecurity Update
On December 2, 2019, OCR released it’s Cybersecurity Newsletter, which is designed to help prevent, mitigate and recover from ransomware attacks by providing insight into new developments and trends and how organizations can improve their security posture in response to this threat. I will summarize some of the information provided:
Ransomware attacks have involved mass, indiscriminate infection of as many devices across as many systems as possible. They often spread automatically through dedicated connections between networks and spam phishing emails.
The FBI reports that ransomware infects more than 100,000 computers a day around the world and ransomware payments approach $1 Billion annually, and those numbers are expected to rise. The ransom payments, however, do not account for all of the costs associated with a ransomware attack. Unrecoverable data, lost productivity, damage to reputation, damaged equipment, forensic investigations, remediation expenses, and legal bills are some of the additional costs that can be expected when responding to a ransomware attack.
In response to this new cyberthreat, organizations and governments began adapting. Anti-malware vendors updated their products to help customers identify, prevent and contain infections. Cybersecurity researchers and scientists studied ransomware code and, in some cases, were able to reverse-engineer decryption keys to help ransomware victims recover data without paying the ransom. Organizations prioritized incident response and data backups in order to mitigate the damage caused. However, as organizations adapt, so do ransomware developers… Stay tuned for more HIPAA Privacy & Security updates in the next issue of the COIN! ##