Peachtree Neurological Clinic has uncovered a 15-month security incident during the investigation of a ransomware attack. The Atlanta, GA clinic says the incident has resulted in the exposure of 176,295 patients’ protected health information. Initially, sensitive data...
Dropbox is a widely used file hosting service operated by many organizations to share files, but what about protected health information? Is the service HIPAA compliant? Dropbox believes it now supports HIPAA and HITECH Act compliance but that does not mean Dropbox is...
The names, admission dates and medical record numbers of 5,292 patients of University of Iowa Health Care were accessible over the Internet for around 2 years as a result of an error configuring an application development website. University of Iowa Healthcare reports...
A recent survey conducted by risk management software vendor Netwrix has revealed only 5% of healthcare organizations are using software for risk management and security governance. Additionally, only 32% of healthcare organizations said they had a separate...
The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a reminder to all covered entities and business associates of the possible risks associated with file sharing and collaboration tools, outlining the dangers these services can...
Health insurance provider Aetna, based in Hartford, CT has found that the protected health data of more than 5,000 plan subscribers has been released online and was accessible to the public through search engines. Aetna started looking into a security issue affecting...
A ransomware attack on medical supply company Airway Oxygen Inc., in April 2017 may have led to the protected health information of 500,000 individuals being accessed by cyber attackers. No evidence of data access or theft was found by Airway Oxygen, based in Wyoming,...
The largest data breach settlement officially recorded has been agreed by the health insurer Anthem Inc. Anthem suffered the largest healthcare data breach ever reported in 2015, with a cyberattack leading to the theft of 78.8 million records of current and former...
One of the largest data breaches of the year to date has been reported by Washington State University. An unencrypted hard drive containing the data of more than 1 million individuals has been stolen. The breach is likely to be costly for the University. The 2017...
A data breach that happened in October 2015 should have seen affected people notified within 8 weeks. However, it took CoPilot Provider Support Services Inc. until early 2017 to issue data breach notifications. An online administration portal controlled by CoPilot...
The HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to patients within 60 days of the discovery of a data breach. Already this year, OCR has agreed its first settlement with a HIPAA-covered entity solely for delaying the...
Beginning in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website, a list often referred to as OCR’s ‘Wall of Shame’. This list only gives a brief summary of data...
The Ponemon Institute has conducted an annual benchmark study on the cost of data breaches for the last decade. Their 2016 Cost of Data Breach Study was published by the Institute earlier this week. The overall report shows the cost of breach resolution has continued...
Patient medical record access guidance has been issued by the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC). The HIPAA Privacy Rule permits patients to obtain copies of their health information from...
The healthcare industry is under attack from hackers and malicious insiders. Systems are being compromised at a greater rate than ever before. Last year saw record numbers of HIPAA breaches reported to OCR and the trend has continued in 2017. This year looks like it...
The recent ransomware attacks and healthcare IT security incidents have driven the Department of Health and Human Services’ Office for Civil Rights to release a reminder to covered entities about HIPAA Rules on security breaches. In its May 2017 Cyber Newsletter, OCR...
In May, the global WannaCry ransomware attacks resulted in more than 230,000 computers being infected and encrypted. There were also a high number of other IT security incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR)....
Iliana Peters, Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast. OCR reviews all data breaches involving...
The Trump administration has revealed its 2018 fiscal budget with the Department of Health and Human Services’ Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) both facing major cuts to their operational...
St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $387,200 to resolve potential HIPAA violations identified during an OCR investigation of a complaint about a disclosure of PHI without permission. In September 2014, OCR was informed of a potential privacy...
Following the recent WannaCry ransomware attacks, the Department of Health and Human Services’ Office for Civil Rights (OCR) was particularly active. OCR sent out warnings, updates, and threat information related to WannaCry ransomware. OCR also took the attacks as an...
A $2.4 million settlement has been agreed by Memorial Hermann Health System with the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle potential HIPAA Privacy Rule violations. The settlement arises from an impermissible disclosure on an...
A class action lawsuit has been filed following an allegation claiming that telemedicine company MDLive violated the privacy of patients by releasing sensitive medical information to a third party without informing, or obtaining consent from, subscribed patients. App...
CardioNet, a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias, has agreed a $2.5 million settlement to resolve potential HIPAA violations. Compensation settlements have, in the past, been...
Patient records held by the New York Organ Donor Network must be turned over to a plaintiff, and the request cannot be denied on HIPAA grounds, following a ruling made by a New York Supreme Court Judge. Patrick McMahon claims he was removed from his role of...
Legal action has been taken against a Denver, CO-based federally-qualified health center (FQHC) by the Department of Health and Human Services’ Office for Civil Rights (OCR) for security management process failures that contributed to the organization...
Indications are that 2017 will be another record-breaking year for healthcare data violations. Results for the first quarter of 2017 show data breaches have risen, with rises in theft incidents, hacks and unauthorized disclosures. Last year was a very bad year for...
The Kentucky-based 6-hospital health organization Med Center Health has reported a data violation affecting around 160,000 patients. Med Center Health believes a former staff member may have stolen patients’ protected health information (PHI) prior to leaving their...
Following the appointment of Roger Severino as head of OCR, many human rights organizations have expressed concern due to his views regarding transgender people and same-sex marriage. Mr Severino has written a number of reports in which he has expressed...
Former civil rights trial attorney Roger Severino has been appointed by the Trump Administration as the new leader of the Department of Health and Human Services’ Office for Civil Rights. Mr Severino will lead the HIPAA enforcement efforts of the Office for Civil...
A medical physician at the Dr. O Medical and Wellness Center in San Antonio, Texas allegedly retaliated against a patient by posting a recorded video of the person wearing only underwear on Facebook and YouTube. The actions of the physician, which appear to be a clear...
With Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits now well underway, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit. Late last year, covered bodies...
The Health Insurance Portability and Accountability Act (HIPAA) allows patients to access a copy of their medical records in electronic or paper form. In 2016, the Department of Health and Human Services released a series of videos and documentation to outline...
Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members. The New Jersey Division of Consumer Affairs made the announcement of...
The official deadline for reporting 2016 healthcare data breaches which impacted fewer than 500 people is March 1, 2017. The Health Insurance Portability and Accountability Act’s Breach Notification Rule states that all covered bodies must report breaches of unsecured...
The Department of Health and Human Services’ Office for Civil Rights (OCR), equaling last year’s record HIPAA settlement with Advocate Health, announced that a $5.5 million settlement had been agreed with Florida-based Memorial Healthcare Systems to settle potential...
At the Healthcare Information and Management Systems Society’s 2017 conference (HIMSS17), OCR’s Deven McGraw released some new information on the HIPAA guidance OCR expects to release in 2017. Last year, the Joint Commission lifted the ban on the use of text messages for...
In January 2017, the Department of Health and Human Services’ Office for Civil Rights issued a communication to covered entities in relation to the late reporting of data breaches following the announcement of a settlement with Chicago-based healthcare network...
Although the total number of healthcare data breaches reported in 2016 is an order of magnitude lower than the number seen in 2015, there was a significant increase in the number of covered entities (CEs) that reported breaches. There were 16,471,765 recorded breaches...
The Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. The Department of Health and Human Services’ Office for Civil Rights (OCR) made the announcement revealing the fine...
Covenant HealthCare has advised more than 6,000 patients that their electronic medical records were inappropriately accessed by one of its staff members. The improper access was identified during a November 2016 review of EMR access logs. The audit revealed an unusual...
The first HIPAA settlement of 2017 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR). This is also the first settlement to date specifically based on an unnecessary delay to breach notification after the exposure of...
MAPFRE Life Assurance Company of Puerto Rico – A subsidiary of MAPFRE S.A., of Spain – has agreed a $2.2 million settlement, with the U.S. Department of Health and Human Services’ Office for Civil Rights, to resolve potential noncompliance with the Health Insurance...
During her campaign to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., impermissibly used patients’ contact information – classed as protected health information under HIPAA Rules – to garner donations from...
HIPAA settlements reached record highs in 2016. This is in part due to the Department of Health and Human Services’ Office for Civil Rights increasing its enforcement activities in recent years. In total, payments of $22,855,300 were made to OCR in 2016 to resolve...
Over the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been on the rise. Ethical hacker Victor Gevers found in late December that many MongoDB databases had been left unsecured and were freely...