January 31, 2024 Hi regulation rockstars! There have been some major new updates in OSHA fines. A Staten Island health center recently learned a $195,000 lesson on the importance of whistleblower protection during a global pandemic. What Happened: A Staten Island health center, Community Health Center of Richmond (CHCR), has been ordered to pay $195,000 to a former employee they illegally fired for raising concerns about an in-person staff meeting during the early days of the COVID-19 pandemic. Ouch. The Whistleblower: This brave employee, concerned about the health risks of an in-person meeting in March 2020, requested a teleconference instead. They even went ahead and changed the meeting format themselves. Talk about taking initiative! Retaliation Bites Back: Unfortunately, CHCR CEO Henry Thompson wasn’t having it. He insisted on the in-person meeting, putting the employee in a tough spot. Faced with the choice between their health and their job, the employee ultimately chose not to attend. But instead of understanding their concerns, CHCR suspended them for “insubordination” and then fired them shortly after. Yikes. OSHA Steps In: The employee, rightfully upset, filed a whistleblower complaint with OSHA. And guess what? OSHA investigated and found CHCR in violation of whistleblower protection laws. Big win for employee rights! The Payout: As part of a settlement, CHCR and Thompson are shelling out $195,000 to the employee, on top of other measures like: The Takeaway: This case sends a clear message: Employers can’t silence employees who raise safety concerns, especially during a pandemic. Here’s what this means for you: Remember, your health and safety matter. Don’t let employers bully you into silence. If you have concerns, speak up and know that you have rights. To learn more about your rights in the workplace, email info@abyde.com and schedule an educational consultation here.
The Increase in HIPAA and OSHA Fines in 2024
January 30, 2024 Well, my compliance crew, the cost of noncompliance just went up. As we all know, the costs of a HIPAA or OSHA violation can be detrimental to a practice. 2024 is bringing some hefty new financial burdens for organizations responsible for protecting patient privacy and worker safety. Buckle up, because increased fines for HIPAA and OSHA violations are here, and they’re not messing around. HIPAA: Your Data, Your Dollars The Department of Health and Human Services (HHS) has adjusted HIPAA civil monetary penalties for inflation, effective January 1st, 2024. This means: The message is clear: protecting patient privacy is more important than ever, and the government is willing to put its money where its mouth is. It’s time for healthcare providers and covered entities to beef up their data security measures and HIPAA compliance training. OSHA: Safety First, Fines Second OSHA hasn’t been shy about increasing its civil monetary penalties either, effective January 17th, 2024. Here’s the breakdown: These adjustments reflect the rising cost of workplace injuries and illnesses. Businesses across all industries need to prioritize safety protocols and employee training to avoid these financial penalties and potential lawsuits. Who Feels the Pinch? These increased fines impact various stakeholders: The Bottom Line: The 2024 fine hikes for HIPAA and OSHA violations are a wake-up call for organizations. While the financial implications are significant, neglecting compliance can be far costlier in terms of reputational damage, legal repercussions, and potential harm to individuals. That’s where Abyde can help your practice and organization. Abyde’s software can simplify compliance for you, with our software including training, risk assessments, dynamically generated policies and more. By proactively addressing these regulations, organizations can create a safer and more secure environment for everyone involved. Remember, compliance isn’t just about avoiding fines; it’s about building trust and protecting what matters most. So, be a compliance champion, not a cautionary tale. Make 2024 the year of safety, security, and peace of mind! To learn more about what you need to do to be compliant, email us at info@abyde.com and set up an educational consultation here.
Two Years on Probation, $140,000 Lighter: The Price of Healthcare’s Insider Threat
January 12, 2024 Two Years on Probation, $140,000 Lighter: The Price of Healthcare’s Insider Threat A former healthcare executive in Kentucky has been sentenced to probation and ordered to pay restitution after admitting to disclosing patients’ protected health information (PHI) in violation of HIPAA. This case highlights the ongoing threat of insider data breaches in the healthcare industry and the importance of strong data security measures. The Case: Mark Kevin Robison, a former vice president at Commonwealth Health Corporation (now Med Center Health), pleaded guilty to knowingly disclosing PHI of patients under false pretenses to an unauthorized third party between 2014 and 2015. While details of the unauthorized disclosure remain unclear, the incident underscores the potential harm caused by insider data breaches within healthcare organizations. Avoiding Jail, Facing Consequences: Despite facing a potential five-year prison sentence and a $100,000 fine, Robison’s plea deal secured him two years of probation and a $140,000 restitution to the hospital. Half of the restitution has already been paid, and Robison is expected to cover the remaining amount by the end of January. Lessons Learned: The Robison case serves as a stark reminder of the importance of data security in healthcare. Healthcare organizations must: Insider Threats Remain a Challenge: While HIPAA violations by external hackers often grab headlines, insider threats like the Robison case pose a significant and often underestimated risk. Healthcare organizations must prioritize data security measures that take into account both external and internal threats. Looking Ahead: This case should serve as a wake-up call for healthcare organizations to redouble their efforts to protect patient data. By prioritizing data security and creating a culture of compliance, healthcare providers can help ensure that patients’ personal information remains safe and secure. To learn more on how to ensure your practice is compliant, email info@abyde.com and schedule an educational consultation.
2023’s Lessons Learned: Building a Secure Future for Patient Information
January 8, 2024 The year 2023 marked a turning point in healthcare data privacy. HIPAA compliance took center stage, with both the Office for Civil Rights (OCR) and state Attorneys General flexing their muscles and delivering hefty settlements for violations. This surge in enforcement activity sends a clear message: protecting patient data is crucial and required for practices. Ransomware reared its ugly head, leaving a trail of exposed records and compromised privacy. OCR’s first-ever settlement for a cyberattack, involving over 200,000 individuals impacted by Doctors’ Management Services, and costing the organization a $100,000 fine. This highlights the growing threat of malware and the need for robust cybersecurity measures. Investigations also revealed systemic vulnerabilities in security practices, risk analysis, and incident response, exposing crucial areas for improvement. Financial penalties skyrocketed in 2023, reflecting a zero-tolerance stance towards HIPAA non-compliance. From LA Care’s $1.3 million settlement for inadequate security to St. Joseph’s Medical Center’s $100,000 fine for unauthorized PHI disclosure, we see that violations come with a steep price tag. Hacking remained the primary culprit of breaches. Over 77% of the large breaches reported to OCR were due to hacking. In addition, the large breaches reported this year have affected over 88 million individuals, an increase of over 60% compared to 2022. This alarming trend underscores the urgency of prioritizing patient data protection and implementing robust cybersecurity solutions. The year 2023 also saw a stark reminder that safeguarding patient information extends beyond digital security. The Kaiser Foundation Health Plan’s $49 million settlement, while not directly fined by the OCR, but the State Attorney General of California, served as a cautionary tale. The case centered on the organization’s improper disposal of PHI and hazardous waste in dumpsters, exposing sensitive information and potentially harmful materials to anyone who stumbled upon them. This incident highlights the critical need for comprehensive data governance policies encompassing not just digital security protocols but also physical procedures for secure storage, transportation, and disposal of any materials containing PHI. While the statistics paint a grim picture, they also present an opportunity for positive change. Abyde, a leading provider of compliance software, believes this heightened awareness can be a catalyst for improvement. By embracing comprehensive and intuitive compliance solutions, enforcing policies and procedures and fostering a culture of compliance in your practice or organization, we can ensure patients’ data is safe. 2023 may have been a year of reckoning for HIPAA compliance, but it will be the foundation of a secure 2024. Let’s work together to prioritize patient privacy, strengthen security and overall, promote a culture of compliance, to keep patients safe. Contact Abyde today at info@abyde.com or set up a demo to see how our compliance software will keep your practice and patients safe this new year.
HIPAA Fine Announced: OCR Cracks Down After Multiple HIPAA Complaints Over Patient Right of Access
January 5, 2024 Patients at Optum Medical Care in New Jersey and Connecticut had a frustrating experience: waiting months for their medical records. They requested their records, as guaranteed by the Health Insurance Portability and Accountability Act (HIPAA), but Optum dragged its feet for months, far beyond the 30-day legal limit. Fed up with the delays, several patients filed complaints with the Office for Civil Rights (OCR). The OCR investigated and found that Optum had indeed violated the law. As a consequence, Optum has been slapped with a $160,000 fine and ordered to implement a corrective action plan to speed up the record-sharing process. This case is a reminder of two important things: This case is also the 46th enforcement action taken by the OCR under its Right of Access Initiative, highlighting the importance of timely access to medical records for patients across the country. Abyde: Your Partner in HIPAA Compliance At Abyde, we recognize the stress practices undergo trying to stay in compliance. We remain committed to supporting practices in navigating the complexities of HIPAA compliance, with a specific emphasis on the importance of providing patients medical records within the allotted time frame. Contact Abyde today at info@abyde.com and set up a demo to see why Abyde is considered the pre-eminent HIPAA compliance solution.
NewYork-Presbyterian Pays $300,000 for Leaked Health Data: A Call for Stronger Healthcare Security
January 3, 2024 At Abyde, we’re always tuned into the importance of keeping health info safe and sound. So, when we heard about what happened at NewYork-Presbyterian Hospital (NYP), you can bet we were listening. The big news? New York’s Attorney General Letitia James announced a whopping $300,000 settlement with NYP. This was a major letdown in the world of HIPAA compliance, revealing some serious gaps in how they were handling patient privacy and protected health information (PHI). Here’s the lowdown: Patients using NYP’s website to look for healthcare services got more than they bargained for. Unbeknownst to them, advertising tools were tracking their online moves, and sending information to third parties. Talk about a breach of trust, especially when we’re dealing with sensitive health info! This whole fiasco reminds us just how crucial HIPAA compliance is. It wasn’t just some tech glitch at NYP; it was a broken promise to keep patient data secure. This shows that following HIPAA rules isn’t just ticking a box; it’s a super important, continuous part of healthcare operations, needing tight controls and constant vigilance. The fallout from this kind of breach? Huge. We’re talking about identity theft, discrimination, and other nasty stuff that could hurt patients. It’s a stark reminder to healthcare folks that patient data isn’t just some digital file; it’s a deeply personal and private matter that deserves the utmost respect and protection. So, what’s the takeaway from NYP’s settlement? It’s just the start of a much bigger journey towards really valuing patient privacy rights. This incident should be a loud wake-up call for the healthcare industry to take a hard look at how they manage patient data, ensuring they stick to data protection laws and honor the dignity and privacy of the information patients trust. At Abyde, we’re all about compliance and keeping sensitive info safe. We see this moment as a chance for some serious thinking and action to make healthcare more secure and respectful of privacy. Let’s use the NYP breach as a lesson in what can happen if patients’ data isn’t secured properly. For more information about Abyde, email info@abyde.com and click here to schedule a demo of our revolutionary software solution.
Abyde Insights: Managing the Aftermath of the Delta Dental MOVEit Breach
December 18, 2023 In the ever-evolving landscape of cybersecurity, vigilance is key. Recently, Delta Dental of California faced the brunt of a cyberattack, highlighting the imperative need for robust security measures. At Abyde, we believe in keeping our community informed to fortify defenses against potential threats. Here’s a closer look at the Delta Dental MOVEit breach and insights on strengthening your cybersecurity posture. Understanding the Breach Delta Dental of California, an esteemed provider of dental insurance to 45 million individuals, fell victim to the Clop hacking group’s exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. This breach, affecting a staggering 6,928,932 dental plan members, underscores the critical importance of cybersecurity in safeguarding sensitive information. Timeline of Events The breach unfolded when Delta Dental identified an SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer on June 1, 2023. Despite Progress Software swiftly releasing an emergency patch on May 31, 2023, the Clop group had exploited the flaw between May 27 and May 30, 2023. The aftermath saw unauthorized access and data exfiltration from Delta Dental’s MOVEit server. Response and Analysis Delta Dental responded promptly, engaging third-party computer forensics experts to conduct a thorough analysis. The complexity of the breach required meticulous scrutiny, leading to the finalization of the affected individuals and data types on November 27, 2023. Notification letters commenced distribution on December 14, 2023. Protective Measures for Affected Individuals In an effort to mitigate the impact on affected individuals, Delta Dental has taken proactive steps. Those affected are being offered 24 months of complimentary credit monitoring and identity theft protection services. This measure aims to empower individuals to monitor and protect their personal information during this challenging time. Learning from the Incident While Delta Dental emphasized that this was a mass exploitation incident affecting numerous companies, the magnitude of the breach sets it apart. With nearly 7 million individuals affected, it stands as the third-largest healthcare MOVEit-related breach reported. HIPAA Compliance and Notification Delta Dental adhered to the HIPAA Breach Notification Rule, reporting the breach to the HHS’ Office for Civil Rights on September 6, 2023, within the stipulated 60-day timeframe. The intricate process of identifying affected individuals and data involves digital forensic and incident response providers, highlighting the complexities of incident response. At Abyde, we advocate for a proactive approach to cybersecurity and compliance. Regularly updating and patching software, conducting comprehensive risk assessments, and fostering a culture of compliance are crucial components of a resilient HIPAA compliance strategy. Abyde is here to guide you on your journey to enhanced security and privacy. Reach out to one of our experts today to learn more! Call 800.594.0883 or email info@abyde.com.
Dissecting the Henry Schein Data Breach: A Stark Reminder for Dentists to Prioritize HIPAA
December 11, 2023 In October 2023, Henry Schein, a major dental supply distributor, suffered a significant data breach. The ransomware attack compromised sensitive information belonging to both patients and dental practices, including names, addresses, Social Security numbers, and financial information. This incident serves as a stark reminder for dentists of the importance of taking data security and compliance seriously. Key Takeaways from the Henry Schein Data Breach: Mitchell Rubinstein DMD, a practicing dentist and noted cybersecurity educator in New York City is hoping this is the wakeup call that dental professionals need to start taking cybersecurity and HIPAA seriously. “An important thing to learn from the Henry Schein breach is that everyone is vulnerable. They’re a multibillion dollar healthcare corporation with far greater resources than any dental practice. If they can fall victim to a cyberattack, then so can any of us.” He went on to add, “Having a plan in place to respond to a cyberattack is just as important as having a plan to prevent one.” What dentists can do to protect their practices: “The companies we do business with accumulate a great deal of information about us,” Dr. Rubinstein stated. “If that information is compromised in a cyberattack, it can result in several layers of harm, not only to us, but to our patients as well.” Abyde: Your Partner in Cybersecurity and Compliance Abyde understands the importance of data security and compliance for dental practices. We offer a comprehensive solution designed to help protect you from data breaches and audits while also helping you ensure HIPAA compliance. Our solution includes: By taking data security and compliance seriously, dentists can help prevent data breaches, protect their patients, and avoid legal ramifications. Let’s work together to create a safer environment for everyone involved in dental care. Contact Abyde today to learn more about our HIPAA-compliant solutions and how we can help you protect your practice. Call Abyde! 800.594.0883 or Email Us info@abyde.com Additional Resources:The Department of Health and Human Services (HHS) website on HIPAA: https://ocrportal.hhs.gov/
OSHA Fine Alert: Workplace Violence in Healthcare is A Serious Threat
December 1, 2023 The recent OSHA investigation of a South Bay correctional facility highlights the ongoing problem of workplace violence in healthcare settings. The facility failed to implement proper safety protocols, resulting in a violent attack on a nurse by an inmate. This incident underscores the critical need for healthcare employers to prioritize worker safety and comply with OSHA regulations. Key Takeaways from the South Bay Incident: Abyde: Your Partner in Healthcare Compliance Abyde understands the unique challenges of healthcare organizations in ensuring worker safety and compliance. We offer a comprehensive suite of solutions to help: Protect Your Workers and Avoid Legal Ramifications Failing to prioritize workplace safety can have serious consequences for healthcare organizations, including legal action, fines, and reputational damage. By partnering with Abyde, you can proactively comply with regulations and create a safer environment for your staff. Click here to learn more about Abyde’s solutions for healthcare compliance and worker safety. Additional Resources:
HIPAA Fine Announced: Medical Center Ignores Authorization Requirements for Media Release
November 20, 2023 In recent news, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) settled a HIPAA investigation with Saint Joseph’s Medical Center over the unauthorized disclosure of COVID-19 patients’ protected health information (ePHI) to a national media outlet. This incident underscores a critical lesson in patient privacy, prompting Abyde to emphasize the significance of obtaining patient authorization before releasing any ePHI or images. See, What Had Happened Was Saint Joseph’s Medical Center, a non-profit academic medical center in New York, faced potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The center improperly disclosed sensitive patient information to a national media outlet without obtaining the necessary written authorization from the patients, leading to a settlement with the OCR. The Importance of Patient Authorization The OCR makes it clear that patients have the right to control the disclosure of their health information. This settlement highlights the need for healthcare providers to prioritize patient authorization before releasing any ePHI or images, particularly to the media. Abyde’s Take When undergoing medical treatment in medical facilities, patients should feel assured that their healthcare providers will not disclose their personal health information to the media without obtaining proper authorization. Abyde cannot stress enough the responsibility of healthcare providers in safeguarding patient privacy. Key Takeaways: Our Final Word The settlement with Saint Joseph’s Medical Center serves as a valuable lesson for healthcare providers everywhere. Abyde remains committed to supporting practices in navigating the complexities of HIPAA compliance, with a specific emphasis on the importance of obtaining patient authorization before disclosing any ePHI or images. To see why Abyde is considered the pre-eminent HIPAA compliance solution, click here to schedule a demo.