July 15, 2022
What did the duck say when she went to buy lipstick? Put it on my bill! Speaking of bills (the money kind, not a beak), Oklahoma State University had to pay a huge bill of $875,000! The payment settles a hacking breach of the OSU CHS web servers. Oklahoma State University has agreed to pay the price and complete a corrective action plan over the next two years to resolve the violations of the HIPAA Privacy, Security, and Breach Notification Rules.
OCR received a breach report in 2018 after OSU’s web servers were hacked. The investigation found that the hacker had access to the electronic protected health information (ePHI) of 279,865 individuals. OSU also found that the hacker had access to patients’ ePHI earlier than originally thought: as early as March 9, 2016.
OCR Director Lisa J. Pino states, “HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems.” As technology in the healthcare business evolves, it is critical to understand how to appropriately secure protected health information (PHI) both when it is stored and when it is sent. With cybersecurity dangers on the rise and electronic communication becoming more widespread, it’s imperative to secure your patients’ data. Encryption services are an excellent method to safeguard your practice and avoid those sticky HIPAA violations. Good news for you, you don’t have to be a sitting duck! (Cough, Abyde.)
The OCR reported that OSU failed to follow the HIPAA rules by:
Unfortunately for the Cowboys, their failure to maintain proper security measures, risk analysis, and documentation of compliance cost them a large fine and put all of OSU’s patients’ ePHI at risk. This breach, and the corresponding financial settlement, highlight that even for huge organizations like OSU, the right risk analysis practices and HIPAA-compliant policies are a must in order to prevent inadequate safeguarding of, and impermissible access to, ePHI.
Even as an independent practice, you may not feel like you have anything in common with a big fish like OSU. Whether you’re a duck, a fish, or a cowboy, it doesn’t matter: everyone is monitored and at risk. As the penalties for these violations become more severe, it is more crucial than ever to ensure that your practice has a solid HIPAA program in place.
OCR Announces 2nd HIPAA Settlement of 2021 with Health Insurer for $5.1 Million
January 15, 2021
Buckle your seatbelts – it’s only 15 days into 2021 and it’s already looking like this year will be a wild ride when it comes to HIPAA enforcement. The Office for Civil Rights (OCR) just announced another HIPAA settlement (and a doozy at that), bringing in not one but TWO fines just this week. The latest (and greatest) HIPAA fine of 2021 was just awarded to Excellus Health Plan, Inc., a health insurance provider serving over 1.5 million people in New York. The settlement includes a whopping $5.1 million fine and a 2-year corrective action plan, the result of a cyber attack affecting more than 9 million records along with a slew of other HIPAA Privacy and Security Rule violations. Fun fact: the OCR didn’t reach $5 million in total fines levied until September of last year, and today’s announcement means they’ve already exceeded the $5 million mark just 15 days into 2021 – talk about starting the year off strong!
Excellus’ story all started when the OCR received a breach report on September 9, 2015 that cyber-attackers had gained access to Excellus Health Plan’s information technology systems. Of note with this particular breach story is that the hackers in Excellus’ case were accessing their systems so long, they not only set up shop but practically built a whole mall to go with it – hanging out in the health plan’s database from December 23, 2013 allllll the way until May 11, 2015 – an entire year and a half. Their overextended stay allowed the hackers to install malware and carry out other malicious activities that provided unauthorized access to the protected health information (PHI) of over 9.3 million individuals – improperly accessing everything from names and addresses to social security numbers, financial information and clinical treatment information.
If having hackers in your IT system for almost 2 years wasn’t bad enough, the OCR also found that Excellus had violated some pretty important HIPAA rules, including:
As a great example of what NOT to do when it comes to your HIPAA and technical security programs, today’s fine also offered words of wisdom from the OCR: “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”
One positive when it comes to increasingly concerning cyberthreats? The recently passed HIPAA Safe Harbor Bill offers your practice the chance to receive smaller HIPAA fines (even more important with the whopping $5.1 million precedent just set) IF you have the necessary safeguards in place 12 months BEFORE a cyber event. Even though data breaches and hacking incidents aren’t always in your control, your practice’s preparation beforehand is – and it could mean the difference between a smaller, manageable fine and ranking among the top 10 greatest hits on the OCR’s fine list.
OCR Drops Another HIPAA Fine, Business Associate Exposes 6 Million Records
September 23, 2020
The Office for Civil Rights has been dropping fines left and right in the last week, releasing their 7th (and largest) HIPAA settlement earlier today and bringing their running total to seven fines in just 8 days. The latest violation came with a hefty payout of $2.3 million as well as an extensive 2-year corrective action plan – not to mention a whole lot of apology letters to write.
The lucky winner of the latest HIPAA settlement is CHSPSC LLC, a business associate that serves a number of hospitals and clinics owned by Community Health Systems, Inc. out of Tennessee. You may be thinking, “well no biggie, I’m a covered entity not a business associate so that wouldn’t be me,” but the 6 million+ patients affected and the reasons the OCR gave for levying a fine would beg to differ. Just like any covered entity might be, this business associate was the victim of a cyberattack that went unmitigated for months even after alarms were raised. As if that wasn’t enough, the OCR investigation discovered longstanding non-compliance with the HIPAA Security Rule, ultimately landing the business associate at the top of the most expensive 2020 fines list.
On April 10, 2014, CHSPSC’s information system was infiltrated by a threat group that went unnoticed until the company was notified by the FBI 8 days later. The hackers continued to have a field day, accessing the sensitive data for 4 months after the initial attack. CHSPSC’s continued disregard for implementing the necessary security protections required by HIPAA even AFTER receiving federal notice was described by OCR Director Roger Severino as “inexcusable”. The cyberattack affected 237 different covered entities served by CHSPSC and exposed the PHI of 6,121,158 individuals, including everything from names and birthdays to emergency contact information and social security numbers.
As if over 6 million patients’ records being taken wasn’t bad enough, an OCR investigation into the business associate found several gaps in their compliance program, including:
It doesn’t matter whether you’re a healthcare provider, a business associate, or just the average Joe – falling victim to a cyberattack is fair game. Because business associates are held to the same HIPAA safeguard requirements as covered entities, no matter who gets hacked the OCR is looking for the same requirements and can hand out the same fines to either type of health-related entity. For providers especially, entrusting your patients’ sensitive data to your business associates comes with added risks. In this case, 237 covered entities had to find that out the hard way. While there’s no way to be 100% in the clear from things like cyber attacks, having the proper business associate agreements in place at least takes the liability of an incident off your practice’s hands. If you had been one of those 237 entities affected here, lack of an agreement could have put your practice on the same chopping block as CHSPSC.
OCR Announces $1.5 Million Dollar Settlement for Systemic Non-compliance after a Hacking Incident Sparked Investigation
September 21, 2020
The OCR is certainly seeing $$$ this September. On top of the record five fines announced last week, the Office for Civil Rights (OCR) has just announced the latest settlement: a whopping $1,500,000 fine and 2-year corrective action plan for an orthopedic clinic out of Georgia. Athens Orthopedic Clinic found themselves in the HIPAA violation hot seat after a hacking incident sparked an OCR investigation beginning in 2016. The OCR found Athens Orthopedic had longstanding noncompliance with HIPAA rules, especially the required technical safeguards, that led to the breach incident.
On June 26, 2016, the orthopedic clinic was notified that their database of patient records had been posted online for sale. Two days later, a hacker contacted the clinic demanding money in return for the stolen database. After investigation, Athens Orthopedic determined that the hacker had gained access through a vendor’s credentials on June 14, 2016, and continued to access protected health information (PHI) for a month after the initial breach. On July 29, 2016, Athens Orthopedic filed a breach report with the OCR noting all of the sensitive PHI that had been hacked: names, dates of birth, social security numbers, and other personal medical information of the 208,557 patients affected.
The breach initiated a full-scale investigation into the clinic’s HIPAA program, where the OCR discovered a laundry list of key compliance elements that the practice was missing:
Cyber threats are an ongoing and rising threat to the healthcare industry. When practices lack the proper safeguards to secure their patients’ PHI, they put themselves at the top of hackers’ ‘easy target’ list (would your practice be posted if such a list existed?). Along with the fine, OCR Director Roger Severino emphasized that “Hacking is the number one source of large healthcare data breaches. Healthcare providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.”
So how do you ‘hack proof’ your business? Well, you probably can’t completely prevent a hack given how quickly hackers adapt to new security measures, but your practice CAN go a long way toward avoiding being targeted (and getting slapped with a HIPAA fine) by ensuring your HIPAA compliance program – especially your technical safeguards – is up to scratch.
COVID-19 Brings Increased Risk of Cyber Attacks
March 19, 2020
The situation around COVID-19 (Novel Coronavirus) has continued to evolve across the globe, including recent changes to HIPAA & Telehealth as well as how to share PHI during this public health emergency. Late last night, the OCR & the Cybersecurity and Infrastructure Security Agency (CISA) released another bulletin regarding new concerns around maintaining the security of your data and PHI. Scammers frequently increase their attacks during a public emergency, when they know that there is an increased dependence on digital communications and heightened fear and uncertainty, and the bulletin included several recommendations to protect your practice.
CISA warned individuals of the increased cyber threats related to the Coronavirus. They recommend caution when receiving any email with a subject line related to COVID-19, as well as anything containing an attachment or hyperlink, as these often lead to fraudulent websites asking individuals to provide private information. To exercise proper security measures, CISA offered specific precautions to take:
Leveraging public fear during a health emergency isn’t the only tactic used by scammers during this Coronavirus outbreak. As most companies have decided to move to remote operations, there is an even larger window for cyber threat actors to reach private information, since sensitive data is now accessed over unsecured networks. Good “cyber hygiene” to instill in your practice includes:
Protecting PHI from cyberattacks also means ensuring you are aware of the HIPAA regulations surrounding public health emergencies. Reminding employees of appropriate access to PHI and implementing controls such as applying additional protections for COVID-19 health records are especially important. As the news continues to focus on the Coronavirus, individuals who have access to public health records may become curious about the health of those around them. It is important to ensure that PHI is only accessed when necessary, especially on less secure wireless networks such as those used when working from home.
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History
October 16, 2018
Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.
Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans. This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.
On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.
In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules. The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.