HIPAA Blog
http://hipaablog.blogspot.com/atom.xml

A discussion of medical privacy issues buried in political arcana

Updated: 2017-08-21T08:35:30.671-05:00

2017-08-21T08:35:30.690-05:00

Hospitals are the Number One Target for Hackers: at least for ransomware.

2017-08-14T10:24:44.520-05:00

Women's Health Care (PA): A large Philadelphia-area ob/gyn practice has notified 300,000 patients of a potential data breach.  Not much news on what happened, but it was apparently a hack that penetrated the group's computer system; they don't know for sure if information was actually viewed or extracted, but the information subject to potential breach did include social security numbers (bur

2017-07-26T14:07:11.338-05:00

Wall of Shame: OCR is updating its large data breach reporting website.

2017-07-20T10:36:13.648-05:00

Peachtree Neurological (Atlanta): Peachtree Neurological was hit with ransomware recently.  Fortunately, (i) they were able to restore their systems without paying the ransom, and (ii) there was no evidence that the ransomware exfiltrated any data, thus likely giving them a good reason to determine that the ransomware incident did not constitute a reportable breach (yes, OCR, I'm talking to you)

2017-07-20T10:25:07.995-05:00

Petya: More on the ransomware virus that disproportionately hit healthcare entities.  

2017-07-13T12:29:05.080-05:00

University of Iowa: Seems like a pretty minor breach, but some names, admission dates, and medical records were available online.  

2017-07-12T18:16:38.486-05:00

Employee Snooping Draws Criminal Charges (St. Charles Health System, Oregon): A nursing assistant looked at about 2,500 patients' records; no identity theft or fraud, apparently just idle curiosity.  However, she's being charged with misdemeanor computer crimes.  Sounds about right -- nice to make a point of how she's dealt with, but not punishing her unnecessarily harshly.

2017-06-30T10:03:45.372-05:00

Petya Cyberattack: A rural West Virginia hospital is one of the headline victims of the most recent ransomware iteration, known as Petya (which follows closely on the heels of WannaCry, which had a built-in escape hatch that prevented it from causing too much damage).  How do you protect yourself: Don't pick up the virus.  Easier said than done, but you can go a long way just through education

2017-06-26T13:22:07.828-05:00

Anthem Breach: Remember the 2015 Anthem breach?  The one with up to 80 million individuals' information compromised?  The one where we think the Chinese were involved, and they got the IT folks to give up their credentials and got sysadmin privileges, so encryption wouldn't have even mattered?  Yeah, that one. Well, Anthem has agreed to settle the lawsuit for $115 million.  Of course, that's a

2017-06-14T14:24:01.069-05:00

Wall of Shame: Apparently OCR is considering some changes to the website listing of all large breaches, based on concerns expressed by a congressman (who also happens to be a doctor) that the listing is too punitive to entities that did no wrong but had to report anyway.

2017-06-14T11:36:56.712-05:00

St. Luke's-Roosevelt's Faxing Problem: An NYC hospital has been fined $387,000 for two misdirected faxes.  That's a big fine.  Why? Three reasons: One, all fines are big these days.  OCR still feels it needs to make an impression, and if you've done wrong and get caught, you're going to pay in a big way.  Two, the PHI that was disclosed, and whom it was disclosed to, were pretty egregious: it

2017-06-12T07:32:48.493-05:00

Hospital Cybersecurity in Critical Condition: So says a report by HHS' Health Care Industry Cybersecurity Task Force.  Not particularly surprising.

2017-05-30T11:57:28.565-05:00

Molina, AZ Health Dept Breaches: Molina Healthcare, a big player on the insurance exchanges established by the ACA, has reacted to word from Brian Krebs, cybersecurity expert, that their patient portal has some problems. Additionally, the Arizona Department of Health Services has reported a possible breach due to some lost mail. 

2017-05-15T12:04:19.142-05:00

Memorial Hermann: Memorial Hermann in Houston had a patient who used a fake ID to get services; the staff called the cops, who arrested the patient.  Apparently, the patient was an illegal immigrant (undocumented alien, if you wish, but being an undocumented alien is against the law, hence the word "illegal").  If I recall correctly, Memorial Hermann got hammered in the press for "reporting"

2017-05-01T12:14:22.707-05:00

Connecticut Case on Patient-Physician Confidentiality: Interesting case, but probably not specifically HIPAA-relevant.  HIPAA allows disclosure of PHI under non-judicial subpoenas, as long as "reasonable assurances" are received.  It's unclear whether they were in this case, but it's also unclear if there's any HIPAA component to the case at all at this point, given that this is the second trip

2017-04-26T10:00:14.578-05:00

Maine Psychiatric Center: Sorry, I've been busy recently and haven't had the chance to blog about this; still don't, really, but need to get something out there.  Thanks to @DissentDoe for taking the lead on this (if you're on Twitter and read me but don't read her, you're missing out). When it comes to HIPAA data breaches and the "what's the worst thing that can happen" standard, this is probably

2017-04-25T14:24:23.247-05:00

"First Ever HIPAA Settlement with a Wireless Health Service!"  Feh.  This is just an unencrypted laptop theft by someone without a good Risk Analysis story to tell. CardioNet provides remote monitoring of patients with severe arrhythmia.  An employee had her laptop stolen from her car.  It had PHI of about 1400 patients on it, and was not encrypted.  Fail. CardioNet had done some form of risk

2017-04-21T13:32:46.870-05:00

It's Hard to Violate HIPAA When You're Not Covered By It: A New York trial court has ruled that the New York Organ Donor Network can't refuse to hand over records to a whistleblower because of HIPAA.  A disgruntled ex-employee, who claims he was fired for whistleblowing, is seeking records from the Donor Network, which sought to avoid discovery of the records due to HIPAA.  The trial judge

2017-04-21T13:25:21.160-05:00

A Small Fine: OCR announced one of their smallest HIPAA fines yesterday.  Center for Children's Digestive Health, in suburban Chicago, agreed to pay a $31,000 fine for failing to have a BAA in place with its document management and destruction company, FileFax.  The press release indicated that the investigation started with an "investigation of a business associate," which is presumably FileFax

2017-04-13T14:42:50.152-05:00

Metro Community (Colorado): A federally-qualified health center falls victim to a phishing attack.  The attack is not their fault, and they respond appropriately.  All good, right? Wrong.  Even though they did nothing wrong here, they had never done an initial risk analysis.  They did a risk analysis after the phishing attack; apparently, even if they had done it before the attack, they still

2017-04-10T16:33:40.604-05:00

Doctors and Bad Yelp Reviews: Well, Yelp isn't the only one.  There are quite a few social media sites that allow customers to post reviews of businesses.  What happens when a reviewer posts a bad review?  What can the business do? In some cases, the business can sue the reviewer, particularly if the business can prove that the review is false.  In fact, that just happened in respect to a

2017-04-07T12:52:52.354-05:00

Has Health IT's Rapid Growth Rendered HIPAA Obsolete?  Of course not.  HIPAA is, at its root, conceptual; no new healthcare delivery systems, and certainly no change in technology, can supplant the basic concepts of HIPAA: health data is only worthwhile if it is used, but it is also private and deserves privacy and security; health data should not be used or disclosed except for proper purposes

2017-04-07T11:24:16.243-05:00

A question from the audience: Q: At our group therapy counseling sessions, we have the clients sign in on a sign in sheet that is passed around once group therapy starts. No one but the clients in group, the therapist, and the billing department sees the sign in sheet. We are required by the state agency we serve to have a sign in sheet, and since we bill insurance, we need to be able to

2017-03-20T15:04:09.402-05:00

Well, this is embarrassing: Cybersecurity contractor hit by W2 phishing scam.  

2017-03-01T13:44:30.398-06:00

Interesting Question: HIPAA lawyer Adam Greene was interviewed at HIMSS, and noted that HHS is close to publishing the regulations implementing the HITECH revisions that allow affected individuals to get a share of the fines levied by OCR.  As you should know, there's no private cause of action for a HIPAA violation, so unless a victim of a data breach can prove damages in a regular tort claim