Every time we think we get ahead of the current news more things happen! More enforcement news, more ransomware specific warnings, more cyber threats to worry about. Let’s get to it!
In this episode:
Enforcement, Ransomware, and Cybernews – Ep 280
Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Say What!?!
[03:12] HIPAA isn’t always enforced by OCR. Sometimes it involves enforcement of state laws, or state AGs enforcing HIPAA themselves, which is what we just heard about in this case: https://www.healthcareinfosecurity.com/state-slaps-supermarket-co-op-hipaa-settlement-a-15307
States are able to get involved because HITECH allowed state AGs to enforce HIPAA on behalf of their constituents.
ShopRite Supermarkets Inc., which owns a ShopRite store in Kingston, N.Y., violated HIPAA and the New Jersey Consumer Fraud Act in 2016 by failing to properly dispose of electronic devices used to collect signatures and purchase information of pharmacy customers, the attorney general says.
The devices, which Wakefern had replaced with newer technology, were discarded in dumpsters in 2016 without first destroying any protected health information that may have been stored on them, as required under HIPAA, the state attorney general’s office said.
Under the $235,000 settlement, Wakefern also has agreed to put in place data protection measures aimed at creating and maintaining a comprehensive security program to better safeguard PHI collected at ShopRite supermarkets that operate in-store pharmacies. Those steps include:
- Appointing a chief privacy officer;
- Executing business associate agreements with ShopRite Supermarkets, Union Lake and each of its members that operate pharmacies;
- Ensuring that all the ShopRite stores with pharmacies in the Wakefern cooperative designate a HIPAA privacy officer and HIPAA security officer;
- Providing online training for those officers on HIPAA security and privacy rules.
This is your reminder that OCR isn’t the only HIPAA police out there.
[10:44] There is so much going on we have to bounce around today. Let’s get to it!
CISA, FBI, HHS Healthcare Alert
We mentioned last week that CISA, FBI, and HHS released a joint alert about ransomware attacks targeting the US healthcare sector. More information has continued to come out about what is going on behind this alert.
“UNC1878 has been aggressively targeting healthcare since their return in September 2020. We believe that their success in negotiating ransoms from these organizations has resulted in them ramping up targeting of hospitals over the last week,” says Kimberly Goody, manager, cybercrime analysis at FireEye.
“The operators conducting these campaigns have actively targeted hospitals, retirement communities and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life,” the report says.
Based on NBC News reports, 20 facilities have been hit. https://www.healthcareinfosecurity.com/analysis-tactics-group-waging-attacks-on-hospitals-a-15285
Threats increasing all around
Ransomware has continued at a prolific pace as this year drags on. Payouts continue to rise and are now over $200k, at $233,817 on average. It was $178k.
Emotet attacks have ramped up. https://www.healthcareinfosecurity.com/emotet-attacks-continue-to-soar-as-botnet-spreads-globally-a-15306
The Maze ransomware gang claims it is shutting down. That just means they made a bunch of money and want to take some time off. Maybe law enforcement is getting close. Who knows. But you can never be sure they really go away.
Finally, we have 3 more OCR resolution agreements.
OCR continues its rapid release pace for the end of the year.
[27:44] “When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement,” said OCR Director Roger Severino.
Aetna reported 3 breaches, each affecting over 500 individuals, in one year, which made OCR say enough is enough. $1,000,000 and a 2 year CAP. https://www.hhs.gov/sites/default/files/aetna-ra-cap.pdf
The investigation of Aetna started after 3 breach reports were submitted between June and November 2017.
- April 27, 2017, Aetna discovered that two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and indexed by various internet search engines.
- July 28, 2017, benefit notices were mailed using window envelopes. Shortly after the mailing, Aetna began receiving calls and emails from members who had received the benefit notice complaining that the letter could be shifted within the envelope in a manner that allowed the words “HIV medication” to be seen through the envelope’s window below the member’s name and address.
- September 25, 2017, a research study mailing sent to Aetna plan members displayed, on the envelope, the name and logo of the research study in which they were participating.
How many things did they find wrong in the investigation? Here is the list:
- Failed to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI
- Failed to implement procedures to verify that a person or entity seeking access to PHI is the one claimed
- Impermissibly disclosed the PHI of 18,489 individuals in total across three separate breaches
- Failed to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure
- Failed to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI
The CAP is all about creating policies and procedures that address all these failures, making sure the whole organization gets them and is trained on them.
New Haven Community health center doesn’t have an effective employee termination plan. https://www.hhs.gov/sites/default/files/new-haven-resolution-agreement-corrective-action-plan.pdf
$202,400 and a 2 year CAP
On July 27, 2016, a former employee returned to the health department, eight days after being terminated, logged into her old computer with her still-active user name and password, and downloaded PHI that included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results onto a USB drive. Additionally, OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI on New Haven’s network after the employee was terminated.
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.
A. The City impermissibly disclosed the PHI of 498 individuals (See 45 C.F.R. § 164.502(a));
B. During the period of December 1, 2014 to December 31, 2018, The City failed to implement Privacy Rule policies and procedures (See 45 C.F.R. § 164.530(i)(1));
C. The City failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by NHHD (See 45 C.F.R. § 164.308(a)(1)(ii));
D. During the period of December 1, 2014 to December 31, 2018, The City failed to implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends (See 45 C.F.R. § 164.308(a)(3)(ii)(C));
E. During the period of December 1, 2014 to December 31, 2018, The City failed to assign a unique name and/or number for identifying and tracking user identity (See 45 C.F.R. § 164.312(a)(2)(i)).
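The New Haven findings above come down to two gaps an access review should catch: an account still active after termination (D) and one user ID used by more than one person (E). The following is an added example, not code from the podcast or from the resolution agreement; the HR roster, the log lines, the user IDs and the workstation names are all constructed.

```python
from datetime import datetime, timedelta

# Constructed HR roster: user ID -> termination date (None = still employed).
ROSTER = {
    "jdoe": datetime(2016, 7, 19),   # constructed: terminated 8 days before the 7/27 login
    "asmith": None,
}

# Constructed authentication log: "<ISO timestamp> <user ID> <workstation>".
AUTH_LOG = """\
2016-07-20T09:02:11 jdoe WS-CLINIC-04
2016-07-20T09:05:40 asmith WS-ADMIN-01
2016-07-25T14:11:03 jdoe WS-CLINIC-09
2016-07-27T08:45:12 jdoe WS-CLINIC-04
2016-07-27T08:47:30 jdoe WS-CLINIC-09
2016-07-27T10:00:00 temp_acct WS-CLINIC-02
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, user, host) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events

def post_termination_logins(events, roster):
    """Logins by accounts whose HR termination date has already passed,
    or by IDs HR has no record of (no unique, tracked identity behind them)."""
    hits = []
    for ts, user, host in events:
        if user not in roster or (roster[user] is not None and ts > roster[user]):
            hits.append((ts, user, host))
    return hits

def suspected_shared_credentials(events, window=timedelta(minutes=10)):
    """Same user ID authenticating from two different workstations within
    `window`: a signal that one set of credentials serves more than one person."""
    by_user = {}
    for ts, user, host in events:
        by_user.setdefault(user, []).append((ts, host))
    flagged = set()
    for user, seen in by_user.items():
        seen.sort()
        for (t1, h1), (t2, h2) in zip(seen, seen[1:]):
            if h1 != h2 and t2 - t1 <= window:
                flagged.add(user)
    return flagged
```

Run against a real directory export and authentication log, the same two checks give you the evidence a CAP-style risk analysis asks for: which terminated or unknown IDs still authenticate, and which IDs look shared.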
This Risk Analysis shall incorporate all ePHI from all of NHHD’s clinics and anywhere throughout the City Departments that contain ePHI, and evaluate the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by NHHD or any NHHD entity, that contain, store, transmit, or receive ePHI. Prior to conducting the Risk Analysis, NHHD shall develop a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into its Risk Analysis. NHHD may submit a Risk Analysis currently underway for consideration by HHS for compliance with this provision. NHHD shall provide documentation supporting a review of current security measures and level of risk to its ePHI.
NHHD shall review and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and 164, Subparts A and C of 45 C.F.R. Part 164, the “Privacy Rule”), the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”), and the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and 164, Subparts A, and E of 45 C.F.R. Part 164, the “Privacy Rule”).
Just this morning as we are preparing this episode, OCR announced its TENTH settlement for the HIPAA Right Of Access initiative.
Riverside Psychiatric Medical Group (“RPMG”) has agreed to take corrective actions and pay $25,000.
RPMG, based in Riverside, California, is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders.
In March 2019, OCR received a complaint from a patient alleging that RPMG failed to provide her a copy of her medical records despite multiple requests to RPMG beginning in February 2019. Shortly after receiving the complaint, OCR provided RPMG with technical assistance on how to comply with the HIPAA Right of Access requirements and closed the matter. In April 2019, however, OCR received a second complaint alleging that RPMG still had not provided the complainant with access to her medical records.
OCR initiated an investigation and determined that RPMG’s failure to take action in response to the individual’s request was a potential violation of the HIPAA right of access standard. RPMG claimed that because the requested records included psychotherapy notes, they did not have to comply with the access request. While the HIPAA Rules do not require production of psychotherapy notes, they do require covered entities (1) to provide requestors a written explanation when it denies any records request in whole or in part (which RPMG did not do), and (2) to provide the individual access to his or her medical records other than psychotherapy notes (and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding).
As a result of OCR’s investigation, RPMG sent the individual all the requested information in her medical record, excluding psychotherapy notes, in October 2020.
“When patients request copies of their health records, they must be given a timely response, not a run-around,” said OCR Director Roger Severino.
The CAP is all about policies and procedures being properly done plus proper training.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™