Apr 18, 2018

David Kitchen writes:

If you work at a typical company, employee actions and inadvertent disclosures present the greatest threat to the security of your data. Therefore, providing proper training and technical safeguards is one of the most important means to enhance your company’s security profile.

In BakerHostetler’s newly-released 2018 Data Security Incident Response Report, we assisted our clients with over 560 incidents, more than a third of which stemmed from phishing incidents in which an employee was tricked by an email message into providing access credentials to an unauthorized party, visiting a phony website, downloading an infected document or clicking on a link that installed malware. Other sizeable incident types also involved employee errors: 17 percent of incidents were inadvertent disclosures and 11 percent were due to stolen or lost devices.

Because people are fallible, training is not enough. Technological safety nets are needed.

Read more on BakerHostetler Data Privacy Monitor.

Apr 18, 2018

Michael Bertoncini writes:

Health insurance carriers often provide explanation of benefits (EOB) summaries to the policyholder specifying the type and cost of health care services received by dependents covered by the policy. EOBs often disclose sensitive information regarding the mental or physical health condition of adult dependents. Massachusetts has now enacted a law, an act to protect access to confidential health care (the PATCH Act), that permits patients to require their insurance carriers to send their medical information only to them as opposed to the policyholder. This will permit a spouse or adult child of the policyholder to keep medical information from being shared with the policyholder. The law also requires insurance carriers to use a common summary of payments form to be developed by the Massachusetts Division of Insurance. The law takes effect April 1, 2019; however, any carrier that has the capacity to provide electronic access to common summary of payments forms prior to that date must do so.

Read more on Jackson Lewis Workplace Privacy, Data Management & Security Report.

Apr 18, 2018

Elliot Golding and Jennifer Tharp of Squire Patton Boggs write:

Overview of Recent Settlement Actions

Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorneys general have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. Although states also have authority to bring civil actions under state Unfair and Deceptive Acts (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices. This increased enforcement trend provides yet another reason that health care entities subject to HIPAA need to ensure they have taken steps to ensure HIPAA compliance.

Read more on The National Law Review.

Apr 17, 2018

The FastHealth breach is confusing the heck out of patients and employees. I’m getting inquiries from folks who are understandably suspicious because they never heard of the firm or can’t figure out how their details got caught up in this all. Others see news reports and realize that an entity has no connection to them, so they can’t figure out what’s going on at all.  And yet others see numbers on HHS’s breach tool and have no idea whether that number represents one entity’s patients or more than one entity or all…. (Hint:  I’ll bet you a pot of coffee that it’s definitely not all or even most).

Case in point from today’s news from Michigan:

Community members may have received a letter from FastHealth Interactive Healthcare notifying them of a security incident. War Memorial Hospital has received inquiries from staff and community members regarding the legitimacy of the letter. FastHealth provides website programming and hosting for hundreds of hospitals and other healthcare organizations. FastHealth provided these services for WMH from January 2009 through August of 2013.

FastHealth cannot notify patients or employees unless the entity with whom they have a contract has that as part of their contract. Would it likely be infinitely less confusing to patients and employees if the covered entities themselves notified their current and former patients and/or employees? I have no doubt it would. But there’s nothing that requires that by law.

Do we need to change the regulations so that a business associate or third party must disclose the names of all of their covered entities that are impacted by a breach?  I can imagine there would be a lot of resistance to that idea, but if the purpose of notification is to help mitigate harm from breaches, then wouldn’t a less confusing approach be in order?

Apr 15, 2018

On February 15, 2018, UnityPoint Health discovered our email system was the victim of a phishing attack that compromised some employee email accounts. UnityPoint Health promptly took action to secure the impacted email accounts, changed passwords, and engaged external cybersecurity professionals to analyze what information might have been contained in the impacted accounts. After a detailed forensic investigation and document review, UnityPoint Health determined that protected health information was contained in impacted email accounts, including patient names and one or more of the following: dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For a limited number of impacted individuals, information that may have been viewed included Social Security Numbers or other financial information. The impacted email accounts may have been accessed between November 1, 2017 and February 7, 2018.

Impacted individuals have been provided with written notification to their last known home address, where available, commencing on April 16, 2018.

To date, we are not aware of any reports of identity fraud, theft, or improper use of information as a direct result of this incident. However, we want to make impacted individuals aware of the situation so they can take precautionary measures to protect their health information. We are advising impacted individuals of the following steps they can take to protect their medical privacy:

• Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.

• Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date.

• Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.

Additionally, we encourage impacted individuals to remain vigilant in reviewing account statements for fraudulent or irregular activity on a regular basis.

UnityPoint Health apologizes to impacted patients for this incident. UnityPoint Health is committed to protecting your information and has taken steps to help prevent a similar event from taking place in the future. We are continually evaluating and modifying our security practices to further strengthen the protections for your personal and health information.

To learn whether your information was impacted in this incident or if you have any questions regarding this incident, please call our dedicated and confidential toll-free response line at 855-331-3612. This response line is staffed by professionals familiar with this incident and knowledgeable about what you can do to help protect against misuse of your information. The response line is available Monday through Friday, 8:00 a.m. to 8:00 p.m. Central Time.

Source: UnityPoint Health