Healthcare Regulation News

United States House Republicans have introduced a bill to ensure pharmacists can refuse patients’ requests for abortion medicines if they oppose. The Pharmacist Conscience Protection Act, which was proposed on Wednesday, forbids the federal government from punishing pharmacists who object on moral or religious grounds to prescribing medications that might result in an abortion. The bill comes following the Department of Health and Human Services’ (HHS) guidance which states that pharmacists who refuse to provide prescriptions for abortions could be in violation of several civil rights laws.  The HHS argued that in accordance with federal civil rights rules, pharmacists are…

The United States Department of Health and Human Services’ Director Xavier Becerra has formally sworn in Melanie Fontes Rainer as Director of the Office for Civil Rights (OCR). As of Wednesday, September 12, 2022, Fontes Rainer will lead the OCR in its duties to enforce federal civil rights, conscience protections, and the Health Insurance Portability and Accountability Act’s (HIPAA) Rules, which protect Americans’ fundamental civil rights and medical privacy.  Melanie Fontes Rainer has been officially sworn in as the Director of the Office for Civil Rights by Xavier Becerra, Director of the United States’ Department of Health and Human Services…

The U.S.’s Department of Homeland Security (DHS) has released a final rule, which will be released in the Federal Register, that clarifies and uniformly applies DHS’s management of the public charge basis of inadmissibility for non-citizens. The rule amends actions that the Trump Administration made to identify supplemental public health benefits like Medicaid and nutritional assistance as part of the public charge inadmissibility determination and corrects the historical understanding of a “public charge” that had been recognized for previous decades. According to the DHS’s press release, the rule is a reflection of the Biden Administration’s commitment to restore faith in…

A bill has been approved by the California legislature that forbids businesses operating in the state of California from providing access to information on those pursuing or performing abortions to other states who require the information through warrants. The bill is an attempt made by the California legislature to protect women’s privacy following the U.S. Supreme Court’s decision to overturn Roe v Wade. Following the Supreme Court’s decision, women’s federal right to an abortion has been left been left to individual states to choose whether abortion is legal. Several republican states had trigger laws in place to immediately prohibited abortions in…

A letter has been sent by Angus S. King Jr. (I-ME) and Congressman Mike Gallagher (R-WI), Co-Chairs of the Cyberspace Solarium Commission to the Department of Health and Human Services’ Secretary Xavier Beccerra expressing concerns regarding the public health sector’s cybersecurity. In the letter, the lawmakers emphasize the significant rise in cyberattacks aimed at the healthcare industry, call for more concerted effort to confront the growing danger, and request the government for an urgent update on the issue.  King and Gallagher detail how the COVID-19 pandemic exposed several systemic issues within the healthcare sector, particularly the shortage of resources. However,…

Medtronic has announced a recall of its Cobalt and Crome implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators. A report issued by the Food and Drug Administration labeled the recall in the Class I after the report found that the devices may only deliver approximately 79 percent of the intended energy of the shock during high-voltage treatment. The recall includes more than 20,000 units.  The recall comes after healthcare professionals in Europe received an urgent field safety notification from Medtronic last month regarding the same issue with the same product codes. The notification stated that the effectiveness of the defibrillator…

A long-waited bill worth $740 billion to reduce the price of prescription medications and health insurance has officially been approved by the Senate. The legislation comes as a new form of the Build Back Better Act, which passed through the House of Representatives in November. However, the previous Act was far greater, amounting to $2.2 trillion. The Act may have been too optimistic as the Act did not pass through the Senate. The Act underwent a rebrand and reduction which warranted enough support from Senators to pass the law through the upper chamber of Congress. On August 7, the Biden…

A letter has been sent to the Federal Trade Commision (FTC) by Senator Josh Hawley requesting an investigation into Amazon’s plans to purchase primary care company organization One Medical. The letter comes as a result of concerns regarding patient health information privacy and security concerns.  On July 21, it was announced that Amazon had settled a deal to purchase 1Life Healthcare, which provides primary treatment via One Medical. In the letter, Senator Hawley recognizes the FTC’s efforts to counteract America’s growing economic oligopoly and the influence of tech giants. However, he maintains that the One Medical acquisition requires particular attention….

The Department of Health and Human Services (HHS) and the US Department of Justice (DOJ) has issued a new guidance for healthcare providers to help prevent telehealth discrimination. The new guidance marks the 32nd anniversary of the Americans with Disabilities Act, where the US government seeks to address several federal nondiscrimination laws such as the ADA Section 504 of the Rehabilitation Act of 1973, Title VI of the Civil Rights Act of 1964, and Section 1557 of the Patient Protection and Affordable Care Act along with several steps healthcare providers can take to prohibit discrimination and protect access to health…

An executive order has been released by President Biden to address patient privacy protection concerns and to emphasize the significance of access to abortion in response to the Supreme Corut’s decision to overturn Roe v. Wade.  “Eliminating the right recognized in Roe has already had and will continue to have devastating implications for women’s health and public health more broadly. Access to reproductive healthcare services is now threatened for millions of Americans, and especially for those who live in States that are banning or severely restricting abortion care.” The “Executive Order on Protecting Access to Reproductive Healthcare Services” details how…

United States Senators Catherine Cortez Masto and Michael Bennet have written to the Department of Health and Human Services’ Secretary, Xavier Becerra, (HHS) requesting an update of the Health Insurance Portability and Accountability Act (HIPAA) to improve reproductive rights protection. The letter comes as major concerns have been raised regarding data and privacy concerns following the Supreme Court’s decision to overturn Roe v. Wade.  “Last week, the Supreme Court upended almost 50 years of legal precedent in its decision to overturn Roe v. Wade. The decision has created profound uncertainty for patients concerning their right to privacy when making the…

The Canadian federal government is seeking to strengthen their privacy legislation with the introduction of new laws to the House of Commons. The developments to privacy law were introduced in the form of Bill C-27, a renovation of the previously proposed Bill C-11. The objective of Bill C-11 was to repeal the Personal Information Protection and Electronic Documents Act (PIPEDA), the current federal private sector privacy law and replace them with a new legislative framework for data and privacy. However, Bill C-11 was unsuccessful and never made it into law.  Bill C-27 is another attempt to introduce more stringent privacy…

Since 2014, there has been a dramatic increase in the utilization of telemedicine, resulting in the advancement of telemedicine technologies and new challenges to the safety of patients. The rapid expansion of telemedicine generated by the public health emergency of the COVID-19 pandemic  has caused concerns regarding fraud and abuse and access inequity. To address these concerns, the FSMB appointed a workgroup tasked with establishing an updated policy regarding telemedicine. The workgroup created the new policy by addressing the challenges and evolving use of telemedicine, analyzing the effect of waiving licensing requirements and practice across state lines, reviewing current state…

During the COVID-19 pandemic, all U.S. 50 states were granted emergency authority to waive components of their state licensing requirements.  Under these waivers, states could allow temporary visits from out of state physicians to provide services. However, as the Covid-19 pandemic winds down, waivers allowing for cross-state telehealth are expiring. Hospitals with large amounts of COVID-19 cases were put under immense pressure and had their resources stretched thin. Under the pandemic waivers, overwhelmed hospitals were permitted to request help from physicians in other states to provide care via telehealth. The result of these waivers were extremely advantageous. Particularly to patients…

Following the Supreme Court’s decision to overrule Roe v. Wade, U.S. Department of Health and Human Services’ (HHS) Secretary Xavier Becerra has recently urged HHS agencies to take action to protect women’s access to sexual and reproductive health care, which includes abortion, pregnancy complications, and other related care. The decision made by the Supreme Court to overrule Roe v. Wade has removed women’s rights to safe and legal abortions, leaving the decision for the individual states to determine women’s reproductive rights. 13 states have trigger laws embedded in Roe v. Wade that will outlaw abortions once overturned. The HHS’ Office…

San Diego Family Care, a medical, dental, & mental health services provider in California, has opted to settle a class-action lawsuit filed by patients affected by a 2020 data breach. The data breach that prompted the lawsuit was announced by the healthcare services provider in May 2021. The breach report submitted to the HHS’ Office for Civil Rights (OCR) stated that 125,500 patients were impacted, though the total was afterward adjusted to 154,513 patients. The breached data included names, dates of birth, government ID numbers, Social Security numbers, medical diagnosis or treatment details, health insurance data, financial account numbers, and…

BD has published security alerts regarding two vulnerabilities that impact certain BD Pyxis automatic medication dispensing system products and the BD Synapsys microbiology informatics software program. BD Pyxis – CVE-2022-22767 As per BD, a number of BD Pyxis products were installed using default credentials and could still run using those credentials. In certain situations, the affected products could have been put in having the same default local operating system credentials or domain-joined server(s) credentials that might be shared among product types. Should a threat actor exploit the vulnerability, it is possible to acquire privileged access to the root file system,…

On July 1, 2022, revised data breach notification laws (HB 1351) will be in force in Indiana that necessitates the issuance of notifications 45 days from the time of discovering a breach that affected the personally identifiable information (PII) of Indiana citizens. Presently, the data breach notification conditions are for notifications to be given with no unreasonable delay. The revision has been made to make sure that those whose PII was exposed are given immediate notification. When PII is compromised, individual notifications ought to still be given without unreasonable delay. A reasonable delay is whenever one of these situations applies:…

Newman Regional Health (NRH), which runs a 25-bed critical access hospital situated in Emporia, KS, has of late commenced notifying 52,224 people that unauthorized folks have obtained access to a few employee email accounts comprising protected health information (PHI). NRH noted on its web page that unauthorized persons had seen a number of employee email accounts in a period of 10 months in 2021 from January 26, 2021 to November 23, 2021. After identification of the data breach, prompt measures were done to secure the email accounts. NRH began an investigation to determine the magnitude and nature of the breach….

The law agency BakerHostetler has publicized its 8th Annual Data Security Incident Response (DSIR) Report, which gives information based upon 1,270 data security incidents handled by the agency in 2021. 23% of those occurrences involved data security incidents at healthcare companies, which was the most attacked industry. Ransomware Attacks Grew in 2021 Ransomware attacks have continued happening at heightened levels. 37% of all data security occurrences dealt with by the company in 2021 were ransomware attacks in comparison to 27% in 2020. Attacks on healthcare institutions grew significantly year over year. 35% of healthcare security breaches addressed by BakerHostetler in…

Two bipartisan senators have presented the Protecting and Transforming Cyber Health Care (PATCH) Act which seeks to increase the security of medical devices. Vulnerabilities are usually discovered in medical devices that can likely be taken advantage of by threat actors to alter the operation of the devices, render them unuseable, or utilize the devices as a channel for more extensive attacks on healthcare sites. During the pandemic, there was a surge of cyberattacks on healthcare institutions, and medical devices, and the systems to which they hook up were affected by ransomware attacks. These attacks have hurt hospitals, patients, and the…

The U.S. Department of Justice (DOJ) has announced the settlement reached with the healthcare services provider, Comprehensive Health Services (CHS) based in Cape Canaveral, FL to resolve alleged False Claims Act violations. This is the first settlement reported under the DOJ Civil Cyber Fraud Initiative, which was introduced in 2021. The Civil Cyber Fraud Initiative was started to pursue cases against government contractors that knowingly utilized lacking cybersecurity tools and services which put information systems at risk, and failures to send notifications of cybersecurity incidents. CHS together with its subsidiaries had agreements with the U.S. Air Force and the U.S….

Although the changes to HIPAA regulations in 2021 were not much, new laws were introduced that are associated with the HIPAA Privacy and Security Rules, with regards to cybersecurity, patient access to medical information, and HIPAA enforcement. 2021 HIPAA Safe Harbor Law President Trump signed the HIPAA Safe Harbor Bill (HR 7898) on January 5, 2021 and changed the HITECH Act. The goal of the HIPAA Safe Harbor Bill was to inspire healthcare institutions to follow standard cybersecurity procedures to enhance their protection against cyberattacks. The HIPAA Safe Harbor Bill teaches the HHS to consider the cybersecurity guidelines that a…

The accountancy company Bansley and Kiener LLP located in Chicago, IL has reported that it experienced a ransomware attack in December 2020 that permitted the encryption of certain files inside its network. The attack merely brought about brief interruption, and all encrypted systems can be recovered using backup copies and immediately go back to usual operations. The attack took place on December 10, 2020, and the succeeding investigation into the occurrence didn’t get any proof of data theft and affirmed that the attack was completely secured. Nonetheless, Bansley and Kiener stated in a December 3, 2021 breach notification letter that…

A class-action lawsuit has been filed against San Juan Regional Medical Center located in Farmington, New Mexico over a reported data breach in June 2021. Based on the breach investigation, an unauthorized person acquired access to its system and exfiltrated files that contain sensitive patient information from September 7, 2020, to September 8, 2020. The data breach report was at first submitted to the HHS’ Office for Civil Rights as impacting 500 people, with San Juan Regional Medical Center stating back then that no less than 500 people were impacted. When the total number of people impacted by a security…

The HHS’ Office for Civil Rights (OCR) is moving forward with its enforcement of the HIPAA Right of Access compliance and has reported 5 more financial penalties. The HIPAA Right of Access enforcement project was started in the autumn of 2019 as a reaction to a considerable number of grievances from patients who didn’t get prompt access to their medical data. The HIPAA Privacy Rule calls for covered entities to give patients access to their health documents. A copy of the health data needs to be delivered within 30 days after the request is made, though a 30-days extension could…

The hacker responsible for getting access to the University of Pittsburgh Medical Center (UPMC) databases and stole the W-2 details and personally identifiable information (PII) of roughly 65,000 UPMC workers has been given the maximum sentence for the offenses and will be in jail for 7 years. Sean Johnson, a resident of Detroit, Michigan, also known as TheDearthStar and Dearthy Star – hacked into the UPMC databases in 2013 and 2014 and took highly sensitive data. Then he sold the stolen data on dark web hacking forums. Identity thieves used the information to file fake tax returns in the names…

A lawsuit was filed in the U.S. District Court in Minnesota by 180 healthcare employees concerning the COVID-19 vaccine mandates of their company owners. The plaintiffs, who were anonymous in the lawsuit, assert vaccine mandates violate religious freedom and state and federal legislation. The legal case is one of the cases that challenge the legitimacy of this kind of mandate. Vaccines continue to be the most efficient way to avoid the passing on of COVID-19, keep persons from becoming very ill, and lessen the number of people who need to be hospitalized due to the illness. The vaccines are risk-free…

Healthcare companies that need to comply with the California Consumer Privacy Act (CCPA) are having difficulties getting compliance, as per a new study shared in the Health Policy and Technology – DOI: 10.1016/j.hlpt.2021.100543 The CCPA was made into law on June 28, 2018 and enforced on January 1, 2020. The purpose of the CCPA was to offer California locals more control over their personal records and how their usage. The CCPA provided the residents of California the right to get information with regards to their personal information that will be collected, whether their records may be sold or exposed, to…

St. Joseph’s/Candler Hospital Health System is facing a class-action lawsuit because of a ransomware attack that took place on June 17, 2021. Because of the attack, files were encrypted, which forced the hospital to take its IT systems off the internet. The hackers accessed the systems containing the protected health information (PHI) of 1.4 million individuals, such as names, driver license numbers, Social Security numbers, medical insurance data, healthcare information, and financial details. St. Joseph’s/Candler provided impacted patients with an Experian IdentityWorks credit monitoring and identity theft protection service membership for one year. The ransomware attack investigation results confirmed that…

On August 21, 1996, that is 25 years ago, President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. Not many people then would have thought that the HIPAA would develop into the all-inclusive national health privacy legislation that it is nowadays. It is hard to dispute that the HIPAA isn’t a total success, however, the legislation has drawn a reasonable number of criticism through the years, particularly at first because of the substantial administrative burden it put on healthcare companies. Overall, the enhancements to medical care that have resulted from HIPAA compliance more than offset the…

A2Z Diagnostics, a specialist diagnostic screening laboratory in New Jersey, started informing patients about the inclusion of some of their protected health information (PHI) in employee email accounts that were accessed by unauthorized individuals. Upon knowing about the breach, A2Z quickly protected the email accounts and third-party cybersecurity experts investigated the breach to ascertain if any emails or attachments were viewed or obtained during the attack. A2Z Diagnostics discovered on June 28, 2021 that the breach of accounts took place from February 2, 2021 to April 2, 2021. Some of the accounts comprised the personal information and PHI of persons…

UPMC has suggested a $2.65 million settlement to close a data breach case filed by workers affected by a data breach in February 2014. UPMC based in Pittsburg, PA submitted a report about the data breach in February 2021 and initially thought the attackers had just taken the tax-data of several hundred of its staff; but, in April 2014, UPMC stated that the breach was much more extensive and impacted 27,000 of its 66,000 workers. In May 2014, UPMC reported that the personal data of all of its workers had probably been breached. The information impacted in the attack included…

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has published a new resource that discusses bad practices in cybersecurity, which are particularly damaging and significantly increase the risk to critical infrastructure. A lot of resources had been published regarding cybersecurity best practices, which if implemented can strengthen security. Even so, CISA thinks another point of view was needed as it is in the same way, if not more, vital to ensure the removal of bad cybersecurity practices. CISA mentioned that stopping the most egregious risks demands that companies should make a decisive effort to stop bad practices. CISA is advocating…

In September 2020, The University Of Nebraska Medical Center And Nebraska Medicine learned that their systems were attacked and infected with malware giving the hackers access to the protected health information (PHI) of around 219,000 persons. The attack pushed Nebraska Medicine to turn off its systems interrupting operations. The attackers primarily obtained access to Nebraska Medicine’s networks on Aug 27, 2020 and for 24 days viewed its systems and patient data. Nebraska Medicine blocked access on Sept. 20, 2020. During that time frame, the lawsuit alleged the hackers exfiltrated patient information. The breach affected patients of Nebraska Medicine, Great Plains…

The number of healthcare providers to claim they were affected by the Accellion ransomware attack is growing, with two of the newest victims such as Trillium Community Health Plan and Arizona Complete Health. In the later part of December, unauthorized persons took advantage of zero-day vulnerabilities in Accellion’s obsolete File Transfer Appliance platform and stole files of its clients prior to implementing CLOP ransomware. Trillium Community Health Plan lately informed 50,000 of its members that protected health information (PHI) including names, birth dates, addresses, medical insurance ID numbers, and diagnosis and treatment information was acquired by the folks associated with…

US Fertility is confronted with a class-action lawsuit in connection with a ransomware attack in September 2020, where the resulting data breach impacted 878,550 people. US Fertility offers IT systems and administrative, clinical, and business data services. It is one of the biggest vendors of support services to infertility clinics in America. On September 14, 2020, US Fertility identified ransomware that encrypted files on its systems. The investigation showed that the threat actors responsible for the attack copied files from August 12 to September 14, 2020, a few of which included protected health information (PHI). The types of information acquired…

The Delaware Superior Court dismissed a legal case filed on behalf of affected persons of a Brandywine Urology Consultants data breach after plaintiffs were unable to produce information proving they had sustained harm because of the breach. Brandywine Urology Consultants suffered a ransomware attack on January 27, 2020 The attack was discovered after two days and the following investigation established the attackers acquired access to a system that included patient data. Brandywine Urology Consultants determined from its inquiry that the cyber attack was done for extortion and not just to acquire patient records, though unauthorized data access and data theft…

The Department of Health and Human Services’ Office for Civil Rights has released its 2016-2017 HIPAA Audits Industry Report, showing areas where HIPAA-covered entities and their business associates are complying or fails to follow the conditions of the Health Insurance Portability and Accountability Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act mandates the HHS to perform routine audits of HIPAA covered entities and business associates to evaluate HIPAA Policies compliance. Between 2016 and 2017, the HHS carried out its second level of compliance reviews on 166 covered entities and 41 business associates to check compliance with…

Twitter is going to pay a €450,000 ($544,600) penalty for breaking the EU’s General Data Protection Regulation (GDPR). The Ireland Data Protection Commission (DPC) issued the penalty because of the privacy breach report Twitter submitted to the DPC last January 8, 2019. After receiving a breach notification report from Twitter International Company, DPC launched an investigation on January 22, 2019 to find out if Twitter is GDPR compliant. On December 26, 2018, a researcher informed Twitter regarding a problem. Twitter gives its users the choice to send protected Tweets or not. Only a particular group of people or followers can…

Mayo Clinic is confronted with multiple class-action lawsuits because of an insider data breach in October 2020. Mayo Clinic learned an ex-worker obtained access to the health data of 1,600 patients with no authorization and viewed details that include patient names, demographic data, dates of birth, clinical notes, medical record numbers, and medical images. As per the Health Insurance Portability and Accountability Act (HIPAA), all HIPAA-covered entities need to employ safety measures to secure the confidentiality, integrity, and privacy of protected health information (PHI) and controls data disclosures and uses if patient permission is not acquired. Healthcare staff are granted…

On November 20, 2020, the Office of Inspector General (OIG) and the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) launched the final rules for enhancing the coordination of health care and lessen regulatory difficulties. The two final rules consist of safe harbor conditions that permit hospitals and healthcare delivery systems to provide cybersecurity technology to physician practices. The CMS launched the final copy of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, generally known as Stark Law, and the OIG finalized updates to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary…

The due date for compliance with the required information blocking and health IT certification of the 21st Century Cures Act was prolonged as a result of the current coronavirus pandemic. The US Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) published on October 29, 2020 the launch of an interim final rule with the time period for giving comments lengthened the compliance dates and time periods for getting particular information blocking and Conditions and Maintenance of Certification (CoC/MoC) standards. The ONC’s Cures Act Final Rule unveiled on March 9, 2020 outlined exclusions…

Montefiore Medical Center in Bronx, NY has dismissed a staff because of the claimed theft of the protected health information PHI of roughly 4,000 patients. Montefiore knew about the probable internal data breach in July 2020 and started an investigation into unauthorized health record access. Montefiore had put in place a technology solution that monitors EHRs for unauthorized access. Therefore, the personnel was determined. The investigation affirmed that the personnel had gotten access to healthcare records with no valid work reason between January 2018 and July 2020. Accessing the medical records of patients though there isn’t a valid reason for…

A new study that JAMA published revealed that nearly all websites providing COVID-19 information include third-party tracking code that presents a risk to privacy. With the tracking code, the web pages could collect information from website visitors and transmit that data to third parties. The transferred data usually includes the URLs visited by a user and his/her IP address. Other data could also be obtained, and that information enables the creation of detailed profiles on the browsing habits and interests of people. Because IP addresses are gathered, that data can quickly be linked with a particular individual. The Carnegie Mellon…

A bill (SB-980) that confirms the Genetic Information Privacy Act has been approved by the California Senate. Currently, California Governor Gavin Newsom simply needs to sign the bill. The Genetic Information Privacy Act will bring in new requirements for businesses providing direct-to-customer genetic tests to safeguard consumer privacy and protect personal and genetic data. Presently, direct-to-client genetic testing services are mostly not regulated. There is the worry that the tactics of organizations that provide these services can possibly expose sensitive genetic information and that external parties can exploit the utilize of genetic information for sketchy purposes, for example, mass surveillance,…

What is HIPAA certification? This is a frequently asked question by organizations in the healthcare industry. The HIPAA does not have a standard or implementation requirements for the certification of covered entities or business associates. However, a number of third-party organizations provide HIPAA certification solutions. The HHS does not have any official HIPAA certification procedure or accreditation. If there was, that would be helpful. A HIPAA compliance certification can tell if a Covered Entity or Business Associate is aware of and compliant with HIPPA rules. That would help lessen the amount of time spent doing research on potential vendors. Nevertheless,…

On July 1, 2020, observance of the California Consumer Privacy Act (CCPA) of 2018 commenced. The CCPA effectivity was on January 1, 2020, nonetheless, all firms placed under the Act were provided a 6 month grace period to abide by the terms of the CCPA. Considering that the grace period has already lapsed. California Attorney General Xavier Bercerra affirmed that enforcement won’t be postponed, though businesses and trade associations have asked to extend the grace period for an additional 6 months as a result of the 2019 Novel Coronavirus crisis. The requests had been accepted nevertheless there’s no extension granted….

Patients of Episcopal Health Services Inc. based in Uniondale, N.Y. filed a lawsuit over the compromise of their personal and protected health information in a phishing attack in 2018. The New York State Supreme Court has kicked back the lawsuit for further proceedings. The lawsuit asserts Episcopal Health Services did not safeguard the private data of its patients from unauthorized exposures. Due to those downfalls, some employee email accounts of Episcopal Health Services experienced a breach between August 28, 2018 and October 5, 2018. The types of information contained in the email accounts included the patients’ names, birth dates, addresses,…

This 2020, because of the COVID-19 public health crisis, the HHS’ Centers for Medicare and Medicaid Services (CMS) widened the coverage of telehealth service by incorporating all Medicare beneficiaries, irrespective of area. Telehealth services do away with the limitations to in-person treatment that the COVID-19 pandemic brought about and make it possible for healthcare providers to offer treatment to patients within their own residences and, in that way, make patient security and regulation of the spread of COVID-19 achievable. The extension of coverage is only implemented during the COVID-19 public health crisis, despite increasing requests that for the extended CMS…

Zoom got to a deal with the New York Attorney General’s office and has made a commitment to employ better privacy and security measures for its teleconferencing program. New York Attorney General Letitia James investigated Zoom after analysts found a variety of privacy and security problems with the program sometime this year. Zoom has shown to be one of the most widely used teleconferencing systems throughout the COVID-19 outbreak. In March, around 200 million persons were joining Zoom meetings with usership rising by 2,000% in the period of merely 3 months. As more people use Zoom more regularly, flaws in…

The HHS’ Office for Civil Rights (OCR) published guidance to point out to healthcare organizations that with the HIPAA Privacy Rule, the media and film staff aren’t permitted access to healthcare amenities where the protected health information (PHI) of patients is accessible except if the involved patients have given written permission beforehand. A public health emergency doesn’t adjust the demands of the HIPAA Privacy Rule, which stays in force in emergency scenarios. In 2018, Brigham and Women’s Hospital, Boston Medical Center, and Massachusetts General Hospital were subjected to enforcement actions by OCR after learning they had granted film staff access…

The contact tracing technology that Google and Apple are creating may be helpful in tracking persons who have gotten into close contact with persons verified to be COVID-19 positive; nevertheless, the Electronic Frontier Foundation (EFF) is cautioning against the probability that hackers would exploit the system in its present form. The technology is set to be available soon. The system will enable app developers to make contact tracing applications to help track down persons who might have been exposed to COVID-19. When a person installs a contact tracing application, every time he/she comes into contact with a man or woman…

The HHS’ Office of Inspector General (OIG) proposed a rule on Tuesday that corrects civil monetary penalty regulations to additionally include data blocking. Once enforced, the new CMPs for data blocking is going to be a crucial instrument to guarantee program integrity as well as the stated advantages of technology and data. OIG knows that all through the COVID-19 public health crisis, medical companies are concentrated on delivering treatment and follow-up patient care. OIG is accomplishing its responsibilities by posting the new guideline however is likewise attempting to be as versatile as can be to lessen the load on healthcare…

The Federal Bureau of Investigation released an alert subsequent to an increase in Business Email Compromise (BEC) attacks that are capitalizing on the anxiety related to the COVID-19 outbreak. BEC is the word used to pertain to the effort to deceive people in control of doing legit cash transfers into a bank account managed by the attacker. This is attained by impersonating somebody within the firm that the victim typically performs business with. A normal attack case entails mailing an email to somebody in the finance team asking to alter a bank account detail for an impending payment. A few…

In seeking to avoid the spreading of the 2019 novel coronavirus, patients alleged of having been exposed to the virus and persons with indications of COVID-19 were instructed to self-quarantine by staying at home. It is necessary for contact to be avoided with persons at an increased risk, especially aged people and persons with health issues. Telehealth services, which include video calls, are handy tools for medical specialists when evaluating and treating patients at a distance to lower the possibility of getting infected by the coronavirus. Telehealth services could also be employed to keep contact with patients who opt not…

The Swedish Data Protection Authority (DPA) issued Google a 75 million kroner ($7.8 million) GDPR penalty for failing to comply with the right-to-be-forgotten’ requests coming from European Union residents to take out webpages from its search result pages. The right to be forgotten in the European Union exists prior to GDPR. It was initially included in EU laws in 2014 after a judgment by the European Court of Justice concerning the lawsuit, Google Spain SL, Google Inc vs Agencia Española de Protección de Datos, Mario Costeja González. The rules require search engines to take out hyperlinks to freely accessible websites…

A federal judge has finally approved the settlement concerning Quest Diagnostics Inc. to take care of a class-action lawsuit connected with its 2016 data breach. The medical lab company in New Jersey is going to pay a $195,000 settlement, which allocates to each breach victim about $325 compensation. On November 26, 2016, the attackers accessed the Care360 MyQuest mobile application that patients use to save and share their digital test results and schedule visits. The health application saved names, phone numbers, birth dates, and laboratory test findings which, for certain patients, listed their HIV test findings. The breach impacted 34,000…

Based on the latest TigerConnect research, 52% of healthcare companies encounter communication problems that badly affect patients day by day or a number of times each week. These communication issues are a reason for annoyance for healthcare personnel. They make it harder to organize patient care, hence resulting in mistakes with patient care. Actually, the consequence of awful communication is substantial and has an effect on the whole institution. At best, ineffectiveness in communication leads to slowdowns that boost the expenditure of giving healthcare. At worst, awful communication increases avoidable medical flaws, doctor burnout and, in the most severe instances,…

The HHS released an updated HIPAA Security Risk Assessment Tool offering a couple of new features that users request to optimize usability. The HHS Office of the National Coordinator for Health Information Technology (ONC) together with the HHS’ Office for Civil Rights (OCR) designed the HIPAA Security Risk Assessment Tool. The Security Risk Assessment Tool is intended to help small to medium-sized healthcare organizations when performing thorough, company-wide risk analysis to identify the risks to protected health information (PHI) integrity, availability, and confidentiality. Healthcare organizations can use the tool to identify and assess risks and vulnerabilities. After which, they could…

A Kaspersky Lab survey has revealed that nearly a third of all healthcare workers do not receive any cybersecurity training from their employers. The results are part of a survey the cybersecurity research group completed in response to the enormous spike in large data breaches seen since January 2019. Kaspersky Lab researchers surveyed 1,758 healthcare workers in the United States and Canada to ascertain how the looming threat of a cyber attack is being dealt with by healthcare organizations. The researchers discovered that 32% of those surveyed stated that their employer failed to offer any cybersecurity training while at work….

The Secretary of the Department of Health and Human Services (HHS), has declared a public health emergency in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian. On September 4, the Secretary, Alex Azar, also declared in North Carolina, retroactive to September 1, 2019. Secretary Azar’s announcement comes as the US mainland prepares for Hurricane Dorian to make landfall. The declaration was accompanied by the announcement of a limited waiver of HIPAA sanctions and penalties for specific provisions of the HIPAA Privacy Rule, as mandated by the Project Bioshield Act of 2004 of the…

Around 10,000 patients are being notified that their data may have been accessed by an unauthorized individual following a data security incident at Massachusetts General Hospital (MGH).  On June 24, 2019, MGH discovered that unauthorized individuals had accessed computer applications used by researchers in its Department of Neurology. Upon discovery of the breach, MGH immediately took steps to revoke the unauthorized access and secure the applications and associated databases.  An investigation was immediately launched to determine the scope of the breach. MGH hired a third-party cybersecurity organization to facilitate the breach investigation. The investigators concluded that the unauthorized individual could…

Grays Harbor Community Hospital in Washington has experienced a data breach after patient health information may have been compromised in a ransomware attack. The hospital and its associated clinics, based in Aberdeen, WA, is still dealing with the consequences of the attack months after the fact. The attackers have demanded $1 million for the keys to unlock the encryption. On June 15, 2019, Grays Harbor Community Hospital noticed some suspicious activity on its network and started experiencing IT problems. The attack occurred on a Saturday when staffing was limited so initially the problem was attributed to an IT issue. On Monday…

The US Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in Louisiana following Tropical Storm Barry making landfall on July 13. The HHS announced a public health emergencies in the areas affected by the storm on July 12, 2019. The waiver only applies to covered entities in areas where a public health emergency has been declared. Furthermore, the waiver only covers the 72 hours immediately following the implementation of the hospital’s disaster protocol. The waiver is only effective for specific provisions of the HIPAA Privacy Rule. These include: The requirements to obtain…

A medical student has filed a lawsuit against Marshall University and Cabell Huntington Hospital claiming that his x-rays were shared with fellow students in a class without his consent. The lawsuit, filed by the student who identifies as J.M.A., claims that a professor at the Joan C. Edwards School of Medicine showed his x-rays to fellow students during a class. J.M.A. claims that the professor failed to remove the information that identified the x-rays as his. As such, the images were identifiable as his. As J.M.A’s consent was not obtained before the x-rays were shared, this incident potentially constitutes a…

A cybersecurity incident at Rosenbaum Dental Group has resulted in the protected health information (PHI) of 1,200 individuals being compromised. Rosenbaum Dental Group, an independently owned facility in Florida, is in the process of notifying affected patients of the data breach. The breach is thought to have been caused by a malware infection of a desktop computer on which patient data was stored. The malware may have allowed unauthorized individuals access to patient data. It is as of yet unknown how the malware was installed on the laptop, but it is likely that a hacker launched a phishing attack on…

Mercy Health is notifying almost 1,000 patients that their data may have been accessed by an unauthorized individual. In March, Mercy Health, a non-profit healthcare system in west Michigan, discovered that some protected health information (PHI) may have been exposed after realising patient data was stored on a private server that was used for other purposes, such as online scheduling and check-ins. As the information was saved on this private server, it was possible for individuals to access the data without having their identity authenticated. An investigation was launched into the incident. Mercy Health discovered that patient data may have…

Only a few days after it agreed to a settlement with OCR, Medical Informatics Engineering (MIE) has been instructed to pay a $900,000 financial penalty to resolve a multi-state lawsuit over a 2015 data breach that saw 3.9 million patient records compromised. MIE, an Indiana-based provider of electronic medical record software and services, experienced the data breach when hackers compromised the server of its NoMoreClipboard (NMC) subsidiary. Through providing these services, MIE acts as a business associate (BA) to several healthcare organizations covered by HIPAA’s rules, and are therefore themselves required to be compliant with the legislation. The hackers had…

TriHealth is in the process of notifying 2,433 patients that their protected health information (PHI) has been impermissibly disclosed to a student mentee in June 2018. TriHealth, a unified health system based in Cincinnati, Ohio, revealed that a student was provided with sensitive information of nearly 2,500 patients. The data was provided on June 8 and June 9 2018, during which time the student was under the direct supervision of a TriHealth physician who is no longer in employment at the organization. The physician had been using the information for a research project. The patient information provided included first and…

A malware attack on Centrelake Medical Group has resulted in sensitive patient information being compromised. Centrelake Medical Group is a network of 8 medical imaging and oncology centres in California. They discovered a malicious virus on their system in February 2019 which blocked access to all of their files. Although the virus appears to perform the function of malware, Centrelake Medical Group did not mention receiving a ransom demand from a threat actor in their media notice about the attack. Subsequent reports indicated that the malware was not ransomware, therefore leaving some uncertainty as to the motivation behind the attack….

Blue Cross of Idaho is notifying 5,600 individuals that a data breach at their facility has compromised their protected health information (PHI). Blue Cross of Idaho is a not-for-profit health insurer, with around 560,000 customers, making it one of the largest health insurance organisations in the state of Idaho. Paul Zurlo, the Executive Vice President, has said that the breach only affects 1% of its members. The breach was discovered on March 22, 2019. Blue Cross immediately launched an investigation to assess the scope of the breach and determine how it first occurred. Investigators discovered that an unauthorised individual hacked…

Rave Mobile Security has released a report showing that while businesses are improving their preparedness for ‘modern emergencies’, employees safety is still at risk. Overall, Rave Mobile Security’s 2019 Workplace Safety and Preparedness Survey indicated that businesses in the United States were improving their emergency response strategies. The report assessed how prepared organisations were for modern emergencies, including active shooter emergencies, cyber attacks, system outages, and workplace violence incidents. The report discovered that while organisations may have strategies and plans in place for these events, senior management may fail to explain these plans to employees adequately. In some circumstances, the businesses may not…

Covenant Care has announced that a data breach at their facility has affected 7,858 patients. Covenant Care is a residential care provider and skilled nursing facilities based in Aliso Viejo, California. The organisation discovered the breach when suspicious activity was detected on an employee’s email account on January 29, 2019. Covenant Care immediately launched an investigation into the breach and contracted a third-party cyber forensics firm to assist with assessing the cause and scope of the breach. The investigation revealed that the email account was compromised on January 22, 2019. The hacker was able to access the accounts until Covenant…

The United States Financial Industry Regulatory Authority (FINRA) has warned brokerage firms of a phishing campaign used by hackers to install malware on employee devices. The cybercriminal designed the emails to appear as if they were sent by a staff member of a credit union. As with many phishing campaigns, the emails contained a fake “urgent” message, this time pretending to alert the brokerage firm to potential money laundering by one of their clients. FINRA is a private not-for-profit organisation that is authorised by Congress to protect and regulate the broker-dealer industry. Several brokerage firms notified the organisation of suspicious…

Hackers are distributing a new module for the Trickbot malware through a phishing campaign. The update renders the Trojan variant capable of obtaining VNC, PuTTY, and remote desktop credentials. Hackers are spreading the latest updates through a phishing campaign in which spam emails purporting to offer help with recent changes to the U.S. tax code to reduce tax bills are used to trick recipients into downloading the malware. Trojans are malware variants that are disguised as benign or useful pieces of software. They are installed under false pretences, as the user is often tricked into believing that they serve a…

New a Senate bill has proposed that individuals should be allowed to permit their healthcare providers to sell their health data and receive financial compensation if their health information is sold to a third party.  Senate Bill 703, more commonly known as the Oregon Health Information Property Act, is sponsored by Senator Floyd Prozanski (D-Eugene) and has more than 40 co-sponsors. Should it be passed, the bill would see consumers health information treated in a similar way to an individual’s property. Patients would allow them to profit from its sale, much as they would their regular physical possessions. This bill…

The U.S. Department of Health and Human Services’ Office for Civil Rights has is looking to appoint a permanent Deputy Director for Health Information Privacy. There has been no permanent Deputy Director for Health Information Privacy since October 2017, when Deven McGraw left the office to take a position in the private sector. OCR’s Senior Advisor for Compliance and Enforcement, Iliana Peters, stepped in temporary before also moving to the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018 and is still acting in…

Massachusetts Attorney General issued a $75,000 fine to McLean Hospital over a 2015 HIPAA violation. McLean Hospital, a psychiatric hospital and affiliate of Harvard Medical School, was issued the fine by Massachusetts Attorney General Maura Healey for a violation of the Health Insurance Portability and Accountability Act (HIPAA) in 2015. The violation pertained to a data breach experienced by the hospital that compromised the integrity of the protected health information (PHI) of approximately 1,500 patients. The breach occurred through a former employee of the facility taking 8 backup tapes containing sensitive patient data back to their home. The employee had…

The results of a recent survey conducted by Censuswide has revealed the huge threat that phishing attacks pose to Irish workers due to lack of security training. The study was conducted on 500 Irish workers by Censuswide, a survey consultancy. The survey was commissioned by Datapac, an Irish IT service management company, in conjunction with Sophos, an IT security organisation. Phishing attacks are campaigns made by cybercriminals to obtain sensitive information such as passwords or credit card details from a victim by pretending to be a reputable organisation via electronic communication channels. The attacks are often conducted through emails. The…

Upstate University Hospital in Syracuse, NY, has announced that over a thousand patients have been affected by a security breach involving a former employee of the facility.  The breach was discovered at Upstate University Hospital on September 12, 2018. An investigation was launched to determine the cause of the breach and assess the scope of the damage. The investigation revealed that the former employee first accessed patient health records without any legitimate work reason for doing so on November 3, 2016. Patient records continued to be accessed until October 23, 2017. Employees accessing the protected health information (PHI) of individuals…

RSA, a computer and network security organisation based in the USA, has released its security analysis for Q3 2018. The analysis shows that the number of phishing attacks has increased by 70% between Q3 and Q2 2018. The report also stated that 50% of all fraud incidents experience by organisations come in the form of phishing attacks.  Phishing is a form of fraud in which the criminal attempts to obtain sensitive information by pretending to be a trustworthy entity. These types of attacks are most commonly made over email. The emails are often easy to mistake for legitimate emails; they…

About 10,200 Plastic Surgery patients from South Dakota have been informed that a part of their PHI has been breached due to the Ransomware attack in Feb. According to the Associates of Plastic Surgery belonging to South Dakota found that virus got connected to the systems on 12th Feb 2017. In order to remove the ransomware from the systems, the authority took immediate steps and they also called the experts to determine and analyze the severity of the breach and to what extent the patients got affected. Luckily, the health information of the patients was coded properly so most of…