The dermatology practice, Forefront Dermatology, based in Wisconsin has decided to settle a class action lawsuit filed on behalf of patients who had their protected health information (PHI) compromised in a ransomware attack in late May 2021. Forefront Dermatology has associate practices in 21 states and Washington D.C. In May 2021, the Cuba ransomware group … Read more
The New York State Department of Financial Services (DFS) has decided to resolve an investigation of EyeMed Vision Care (EyeMed) into possible violations of the DFS Cybersecurity Regulation for $4.5 million. EyeMed based in Ohio is a licensed medical insurance provider, which gathers and keeps sensitive consumer data as a business practice. The DFS investigated … Read more
When a HIPAA complaint is submitted, what happens next depends on who it is filed with, the nature of the complaint, and whether the complaint is valid. After registering with a healthcare company or becoming a group health plan member, a person should receive a Notice of Privacy Practices. This Notice details what the healthcare … Read more
Health-ISAC has publicized a white paper to help guide healthcare CISOs planning to employ zero trust security architectures. The standard security approach is to set up border defenses in order to keep unauthorized persons out. Although this security strategy has helped companies well in past times, it isn’t useful online where there’s no border to … Read more
Florida Orthopaedic Institute has offered to pay $4 million to settle claims from patients impacted by a data breach in 2020. In April 2020, Musculoskeletal Institute, doing business as Florida Orthopaedic Institute, found that an unauthorized third party had acquired access to a server keeping patients’ protected health information (PHI) and employed ransomware for file … Read more
Senators Ron Wyden (D-OR), Cory Booker (D-NJ), and Elizabeth Warren (D-MA) wrote to two major mental health app vendors and required replies regarding their practices regarding information collection and disclosure. There were a number of allegations that the mental health applications offered by Talkspace and BetterHelp are acquiring, mining, and distributing private client data to … Read more
The latest version of the HHS Security Risk Assessment (SRA) Tool has been released by the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS)’ Office of the National Coordinator for Health Information Technology (ONC). The HIPAA Security Rule calls for HIPAA-controlled entities to carry out a detailed, organization-wide risk … Read more
The HHS’ Office for Civil Rights (OCR) is creating a video to support HIPAA-regulated entities in carrying out “Recognized Security Practices.” The Health Information Technology for Economic and Clinical Health (HITECH) Act was lately modified (Public Law 116-321) to necessitate OCR to look at recognized security practices that were set up for about 12 months … Read more
The law agency Morgan & Morgan filed a class-action lawsuit in the U.S. District Court for the District of Massachusetts against Injured Workers Pharmacy (IWP) in relation to a breach of the personal records of 75,771 consumers. IWP is a drugstore located in Andover, MA that gives supplies to workers who were hurt at the … Read more
Solara Medical Supplies offered to pay $9.76 million to resolve a class-action lawsuit in connection with a 2019 data breach. This offer has gotten initial approval from the court. Solara Medical Supplies, which supplies products and services to help people take care of their diabetes, encountered a phishing attack that permitted unauthorized individuals to access … Read more
The American Telemedicine Association (ATA), American College of Physicians (ACP), and the Organization for the Review of Care and Health Applications (ORCHA) have worked together to make a new system for examining digital health technologies employed by healthcare specialists and patients. At this time, greater than 86 million Americans utilize a health or fitness application. … Read more
$50,000 Civil Monetary Penalty Issued to Dental Practice for Social Media HIPAA Violation OCR investigated Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., (UPI), a dental practice operating offices in Charlotte and Monroe, NC because a patient sent a complaint last November 2015 about unauthorized disclosure of his protected health information (PHI) related to a … Read more
Healthcare hacking incidents are continuously growing for a few years. Hacking/IT incidents increased by 45% between 2019 and 2020. In 2021, 66% of breaches involving unsecured electronic protected health information (ePHI) were due to hacking and also other IT incidents. A substantial percentage of those breaches might have been averted if HIPAA-regulated entities were completely … Read more
The development, observance, and enforcement of HIPAA guidelines and procedures is the foundation of HIPAA compliance. If there are no policies and procedures to give instructions, employees of Covered Entities and Business Associates are going to be uninformed of how they ought to perform their tasks that comply with HIPAA, how they ought to respond … Read more
The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule puts a rigid time frame on sending notifications to people whose protected health information (PHI) was breached or impermissibly disclosed. The max time limit is 60 days since the discovery of the data breach, though notification letters ought to be sent “without unreasonable delay.” … Read more
The Government Accountability Office (GAO) has started a quick response survey of healthcare companies and business associates under the Health Insurance Portability and Accountability Act (HIPAA) to obtain comments on their experiences sending data breach reports to the Secretary of the Department of Health and Human Services (HHS). The survey will continue to be accessible … Read more
Marietta Area Health Care Inc., dba Memorial Health System, is dealing with a class-action lawsuit with regards to a cyberattack and data breach that Memorial Health System discovered on August 14, 2021. As per the investigation, it was established the hackers initially acquired access to organization servers on or approximately July 10, 2021, and put … Read more
The Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general are authorized to issue penalties for HIPAA violations. Besides paying financial penalties, covered entities must follow a corrective action plan to have policies and procedures that are according to the criteria specified by HIPAA. The Health Insurance Portability and … Read more
The COVID-19 pandemic has not led to any long-term modifications to HIPAA, however, it has seen unmatched flexibilities announced on a non-permanent basis to make it less complicated for healthcare companies and business associates that are battling against COVID-19. In emergency scenarios like disease outbreaks, HIPAA Rules stay effective and the demands of the HIPAA … Read more
The Department of Health and Human Services’ Office for Civil Rights (OCR) has released new guidance to make clear how the HIPAA Privacy Law can be applied to disclosures of protected health information (PHI) to aid applications for extreme risk protection orders. In June 2021, the U.S. Department of Justice shared model legislation to give … Read more
The New Jersey Division of Consumer Affairs has agreed to resolve a data breach investigation that identified violations of the federal Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act. Regional Cancer Care Associates located in Hackensack, NJ is a name for 3 healthcare companies that run healthcare services in … Read more
West Virginia University Health System is dealing with a class-action lawsuit because of a compromise of the protected health information (PHI) of 7,445 patients, however, the Supreme Court of Appeals of West Virginia has lifted the class certification order. The lawsuit is in connection with an insider data breach that took place in 2016. From … Read more
Ransomware attacks, hacks, and other IT security problems are the cause of major data breach reports sent to the Department of Health and Human Services’ Office for Civil Rights, although data breaches concerning physical documents are likewise common. The Verizon Data Breach Investigations Report showed that exposed physical files made up 43% of all data … Read more
A New Jersey infertility clinic has reached a settlement with the state and will pay a $495,000 penalty fee for its violation of the HIPAA and New Jersey laws as it did not implement appropriate cybersecurity action. Diamond Institute for Infertility and Menopause, LLC (Diamond) in Millburn, NJ operates one healthcare facility in New Jersey, … Read more
Lately, the U.S. Department of Justice has been pursuing healthcare criminal acts and investigations frequently entail the issuance of a HIPAA subpoena. The subpoena pressures HIPAA-regulated entities to give data including patient health records that they are not allowed to reveal because of Privacy Rule prohibitions on uses and disclosures. Under the HIPAA Privacy Rule, … Read more
Two DuPage Medical Group patients are filing a lawsuit against the healthcare company subsequent to a July 2021 ransomware attack whereby patients’ protected health information (PHI) was exposed. DuPage Medical Group encountered a ransomware attack in the middle of July. The forensic investigation confirmed unauthorized people had acquired access to its computer system between July … Read more
Four healthcare employees filed a lawsuit against Amazon because allegedly their Amazon Alexa devices possibly captured conversations without their intention or permission and might have caught health data protected by HIPAA. Amazon Alexa devices listen for words and phrases that awaken the devices and activates them to begin recording. Particularly, the devices listen to the … Read more
Social media platforms including Facebook, Snapchat, Twitter, and Instagram allow healthcare companies to easily promote their services and earn new clients. Healthcare companies could utilize social media platforms to connect with patients, give announcements about their services, and get patients to take on a more dynamic part in their medical care. Although there are a … Read more
There is a lot of misunderstandings concerning the case of questioning a person if they had a COVID-19 vaccine. Is it considered a HIPAA violation, especially pertaining to employers questioning their personnel to give evidence of being vaccinated against COVID-19 to cease using a face mask in the work area? The Health Insurance Portability and … Read more
The National Institute of Standards and Technology (NIST) is preparing to modify and make updates to its guidance on carrying out the HIPAA Security Regulation and is looking for ideas from stakeholders on facets of the guidance that ought to be adjusted. NIST publicized the guidance – NIST Special Publication (SP) 800-66, Revision 1, An … Read more
Devised by the Department of Health and Human Services as part of the 21st Century Cures Act, the information blocking and interoperability regulations became enforceable on April 5, 2021. These new regulations set out what information blocking entails and states that penalties can be imposed when providers engage in practices that disrupt access, exchange, and … Read more
Montefiore Medical Center has found out that another employee accessed patient records without having any valid work reason. The report of New York hospital in February 2020 stated that an employee was identified to have accessed patient health records without any authorization for a period of 5 months in 2020, and another employee was identified … Read more
The Delaware Superior Court dismissed a legal action filed on behalf of affected individuals of a Brandywine Urology Consultants data breach because the plaintiffs failed to present proof showing they had experienced harm because of the breach. Brandywine Urology Consultants encountered a ransomware attack on January 27, 2020 The attack was identified after two days … Read more
The Department of Health and Human Services’ Office for Civil Rights has stated that it is going to implement enforcement discretion and will not issue financial penalties on HIPAA-covered entities or business associates in the event of HIPAA rules violations associated with the honest use of online or web-based scheduling applications (WBSAs) for booking individual … Read more
The U.S. Court of Appeals for the Fifth Circuit has reversed the $4,348,000 HIPAA violation charges enforced by the Department of Health and Human Services’ Office for Civil Rights on the University of Texas M.D. Anderson Cancer Center. The Civil Monetary Penalty was charged to M.D. Anderson in 2018 after the investigation of three data … Read more
The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices. Mobile devices are now ubiquitous in the workforce due to the vast range of benefits offered to employers. They allow individuals to readily communicate with each … Read more
The Secretary of the Department of Health and Human Services (HHS), has declared a public health emergency in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian. On September 4, the Secretary, Alex Azar, also declared in North Carolina, retroactive to September 1, 2019. Secretary Azar’s announcement comes as … Read more
Kaspersky Labs has released a report revealing significant deficiencies in the cybersecurity training provided to healthcare employees. The study was conducted by surveying 1,758 healthcare employees in the United States and Canada. Kaspersky Lab, a vendor of cybersecurity software, instigated the study to investigate potential causes for the substantial increase in cybersecurity breaches in recent … Read more
The Department of Veteran Affairs Office of Inspector General (VA OIG) has discovered severe security failings at the Tibor Rubin VA Medical Center in Long Beach, California. A recent inspection by the VA OIG uncovered security vulnerabilities related to medical device workarounds and multiple compliance issues with the Veterans Health Administration (VHA) and VA policies. The … Read more
In response to the Tropical Storm Barry that made landfall in Louisiana on July 13, the Secretary of the US Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties. The HHS announced a public health emergencies in the areas affected by the storm on July 12, 2019. The … Read more
UChicago Medicine faces a potential class-action lawsuit for allegedly sharing patient information with Google with having the correct authorization to do so. The lawsuit names UChicago Medicine, UChicago Medical Center, and Google, and was filed by Matt Dinerstein, a former patient of UChicago Medicine. The suit claims patient information that still had personal identifiers attached … Read more
Kingman Regional Medical Center (KRMC) is in the process of notifying patients that their sensitive data may have been compromised following the discovery of a flaw on its website which may have allowed unauthorized users to access patient data. KRMC became aware of the security issue on April 8, 2019. Their IT team immediately took … Read more
Takai, Hoover & Hsu has terminated a nurse for accessing the protected health information (PHI) of 16,542 without the correct authorization to do so. The healthcare provider, owned by Takai, Hoover & Hsu and based in Germantown, MD, has stated that the information may have been passed on to a third-party and used for fraud … Read more
On May 24, 2019, the Department of Health and Human Services issued a clarification on business associates liability for violations of the Health Insurance Portability and Accountability Act. HHS Office for Civil Rights released information on what violations could result in a HIPAA fine for business associates of HIPAA covered entities. According to the HHS … Read more
The Department of Health and Humans Services has issued a notification of enforcement discretion in which they have reduced the maximum financial penalty for three of the four HIPAA violation tiers. The notification, entitled ‘Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties’, was published on April 20th. In 2009, the Health Information Technology for … Read more
Michigan-based Brookside ENT and Hearing Center has announced its closure following a ransomware attack on their facility resulted in all of their patient files being permanently destroyed. The practice-run by just two doctors-lost access to patient records, appointment schedules, payment information, and other sensitive after a hacker gained access to their network and infected it … Read more
The healthcare and fitness tech industry is booming, with millions of users across the US using these devices and apps to track everything from their weight, sleeping habits, heart rate, and food consumption. Some of this information is similar to that collected by healthcare organisations when monitoring their patients. However, there is a vast difference … Read more
The Internal Revenue Service has launched a tax-related phishing awareness campaign. The campaign is designed to inform taxpayers fo the twelve most common tax scams, known as the ‘Dirty Dozen”. Each tax season, the IRS raises awareness of the most common phishing campaigns in an attempt to protect taxpayers, businesses, and tax professionals. Cybercriminals are particularly … Read more
Ransomware attacks against healthcare organisations are becoming increasingly common. However, many individuals are still uncertain as to what constitutes a ransomware attack, and the potential consequences it has on an organisation. This article provides some background on ransomware attacks, outline how these attacks occur, and offer some guidance on how employees can mitigate the risk … Read more
The U.S. Department of Health and Human Services has issued a four-volume publication on voluntary cybersecurity best practices for healthcare organisations. The publication includes guidelines for managing cyber threats and protecting patients. It is hoped that the guidelines will help all organisations that handle the protected health information (PHI) and other sensitive information of patients … Read more