Forwarding Emails Causes Breach

hipaalogoHealth Department officials in Multnomah County, OR, have discovered that an employee set up an automatic mail forwarder on an email account that sent all email correspondence to a personal Google email account for a period of around three months.

The emails were forwarded to an account outside the control of Multnomah County, in violation of the Health Insurance Portability and Accountability Act. Since the employee works in the Health Department, emails sent to that individual’s official email account contained a range of patients’ electronic protected health information (ePHI). The ePHI included first and last names, ages, medical record numbers, medical diagnoses, dates of service, medication names and prescription numbers.

The email forwarder was discovered during a random audit that was conducted on November, 22, 2016. An internal investigation into the incident revealed that the ePHI of 1,700 patients was exposed. The investigation did not uncover any evidence to suggest that any of the forwarded emails had been opened or read, but the possibility that ePHI was inappropriately accessed could not be ruled out.

Multnomah County has now confirmed that the email account has been deleted and none of the forwarded emails can be accessed by the employee. Multnomah County believes the risk of ePHI being used inappropriately is low and no reports have been received to suggest any ePHI has been used inappropriately. Multnomah County has also confirmed that no Social Security numbers, home addresses, or phone numbers were present in the emails or email attachments forwarded to the personal account.

The incident has prompted Multnomah County to conduct a review of policies and procedures with the member of staff concerned. Policies, controls, business practices, and data protection solutions are also being reviewed in direct response to this incident.

It is unclear why the emails were being forwarded to the personal account and it would appear from the substitute breach notice issued by Multnomah County that the matter has been dealt with internally and the employee in question has not been terminated.

The lesson to be learned here is:

  • email is not a secure way to transfer ePHI
  • email can be made secure enough to use for ePHI through encryption
  • using ANY email service, other than an in-house Exchange email server, in the absence of a HIPAA Business Associate Agreement, is a data breach and is reportable to the Office for Civil Rights.

You MUST use email that is provided by a Business Associate or you MUST have an in-house Exchange email server to be compliant. Yahoo, MSN, Cox mail, FIOS email, Network Solutions, GoDaddy, etc. are NOT compliant. Using those services for ePHI is a reportable breach.

As the article mentions, forwarding any ePHI to a personal email account, such as the ones listed above, also constitutes a data breach that is reportable to OCR.

Computer Networks of Roanoke, Inc.
Hank Wagner, Owner
hank.wagner@computernetworksinc.com
757-333-3299 x232

It doesn’t cost anything to talk.

PHI is everywhere. Find it. Protect it.

datasecurity

HIPAA Training

Just a reminder that you should be conducting HIPAA staff training:

  • annually for each staff member
  • very soon after for a new hire
  • at least annually for each staff member on your HIPAA Policies and Procedures

That’s right. You must train on HIPAA Rules and Regulations. And, you must train on HIPAA, specifically, on your internal Policies and Procedures.

New Head of HHS Tom Price, MD.

tompriceThe new Administration has appointment a Physician to be the head of HHS.

During his time in the U.S. House of Representatives, Price repeatedly introduced legislation to repeal the Affordable Care Act, or Obamacare. He also was an advocate of easing timeline requirements for healthcare providers participating in the HITECH Act "meaningful use" financial incentive program for electronic health records. Under the program, participating healthcare entities must, for example, attest in each reporting period to conducting a security risk assessment of EHR data.

"Price is a physician who has complained of the huge burden of current regulations, so I imagine that he may not be a big fan of HIPAA. Many physicians are not," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "However, I don't think his personal views on the law will necessarily lead to a significant change in enforcement."

"There has been bipartisan support for the HIPAA and HITECH standards," says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "Secretary Price comes into office with a reputation of opposing government regulatory activity, which impacts the day-to-day relationship between physicians and patients. We will all be watching for indications of how he views the HIPAA privacy and security rules."

During his time in the U.S. House of Representatives, Price repeatedly introduced legislation to repeal the Affordable Care Act, or Obamacare. He also was an advocate of easing timeline requirements for healthcare providers participating in the HITECH Act "meaningful use" financial incentive program for electronic health records. Under the program, participating healthcare entities must, for example, attest in each reporting period to conducting a security risk assessment of EHR data.

nocloud1

Hack a Minute Says Fortinet

There were more than 700,000 hacking attacks in any given minute against healthcare organizations in the fourth quarter of 2016, according to a study of 450 providers around the world by the threat intelligence arm of cybersecurity vendor Fortinet.

“By far, the most interesting trend we have seen is Internet of Things-based attacks,” said Derek Manky, global security strategist and head of the FortiGuard Labs global threat research team at Fortinet. “These are attacks not going after traditional Windows-based PCs or Internet Explorer but rather the No. 1 attacks specifically in healthcare have been against an operating system called VxWorks. We saw about two million attempts to hack into this system in Q4 2016. This runs on medical devices and infusion pumps and personal monitors, these sorts of things, and that’s really concerning.”

Study: Insiders Responsible For 6 in 10 Breached Patient Records in January

Nearly 60 percent of breached patient records in January 2017 were the result of insiders, according to the Protenus Breach Barometer, a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

January’s health data breaches reinforce the importance of health data security as the need to protect patient data from insiders continues to loom large, healthcare cybersecurity company Protenus said.

2016 averaged one health data breach per day, and 2017 is off to a similar start with 31 health data breaches, the barometer found. There were fewer incidents disclosed in January than December, when there were 36, and far fewer affected patient records, 1,431,449 in December versus 388,307 in January. These numbers are based on incidents either reported to HHS or disclosed in media or other sources during December 2016 and January 2017. Information was available for 26 of those incidents in January.

The majority of breached patient records – 230,044 – were attributable to insider incidents, the barometer found. Five of nine insider incidents were the result of insider wrongdoing and 4 of the insider incidents were the result of insider error.

Of 12 hacking incidents disclosed in January, there are numbers for 10, affecting 145,636 patient records. One incident involved an extortion demand from the infamous TheDarkOverlord, who leaked the data when the entity did not pay the demand. A second hacking incident disclosed in January was somewhat unusual, Protenus observed. Although there was no reported ransomware or ransom demand involved, the hacked entity reported that the attack interfered with patient care when data was corrupted and clinics could not access the necessary data for marijuana records and prescriptions.

A third hacking incident disclosed in January involved two sequential breaches: one insider error that exposed patient data followed by an external attack, according to the barometer. Both events stemmed from a misconfiguration of a vendor’s database, Protenus reported. The misconfiguration, which exposed patient data, was detected by researchers, but before the researchers could contact the covered entity to alert them to secure the database, criminals also detected the exposure and hacked the database, wiping it out and leaving a ransom demand, Protenus said.

Of the 31 reported incidents in January, 25 involved healthcare providers, four involved health plans, and two involved third parties, the barometer found.