Updated HIPAA Breach Reporting Tool Launched by HHS

Linda Hunt Mullany, JD, RN, CHPC

July 31, 2017

“…a more positive, relevant resource of information for concerned consumers.”

On July 25, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), unveiled a revised Health Insurance Portability and Accountability Act (HIPAA) Breach Reporting Tool (HBRT) that provides consumers improved access to information on breach data, and also provides greater ease-of-use for organizations reporting incidents. The HBRT makes required reporting information public, such as name of the entity suffering the breach; state where the breach occurred; number of individuals affected; date of the breach; type of breach (e.g. hacking/IT incident, theft, loss, unauthorized access or disclosure); and the location of the breached information (e.g. laptop, paper records, desktop computer). HIPAA also requires health care providers and other covered entities to promptly notify individuals of a breach and, in some cases, notify the media.

HHS Secretary Tom Price, M.D., explained, “HHS heard from the public.  . . .To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned citizens.”

The HRBT may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

Arizona Anesthesia Group Notifies 882,590 Patients of Data Breach

Valley Anesthesiology and Pain Consultants (“VAPC”), a physician group of more than 200 anesthesiologists and pain management specialists with several locations near Phoenix, Arizona, began notifying patients on August 11, 2016, of a potential data breach involving protected health information (“PHI”), despite the fact their retained forensic consultant found no evidence that the information on the computer system was accessed. However, the consultant was unable to definitively rule that out after investigation, and it did confirm that an individual gained access to a system containing PHI. The physician group elected to take the proactive route of notifying affected individuals. The forensic firm was apparently called in shortly after VAPC learned on June 13, 2016, that a third party may have gained unauthorized access to VAPC’s computer system on March 30, 2016, including records of 882,590 current and former patients, employees and providers.

On its website, VAPC says they value their relationship with patients and so decided to mail the notification letters. Law enforcement was also advised, and a dedicated call center has been set up to answer patients’ questions. Patients have been advised to review the statements they receive from their health insurer and to advise the insurer of any unusual activity. The computer system accessed is believed to have contained patient names, limited clinical information, name of health insurer, insurance identification numbers, and in some instances, social security numbers (“SSN”). No patient financial information was included in the computer systems. For providers, the information included credentialing information such as names, dates of birth, SSN, professional license numbers, DEA (Drug Enforcement Agency) and NPI (National Provider Identifier) numbers, as well as bank account information and potentially other financial information. The employee records on the system included names, dates of birth, addresses, SSNs, bank account information and financial information. Individuals that had their SSN or Medicare number exposed are being offered credit monitoring and identity theft protection services.

The circumstances of the incident illustrate the quandary regarding the presumption that it is a reportable breach if you can’t prove there was no access to the information, and the interplay between the HIPAA Security Rule and the Privacy Rule. Here, it was apparently established the system’s security was breached, but unclear whether personal health information was accessed once the unauthorized individual was in the system.

More information is available on VAPC’s website: https://valley.md/securityupdate.

‘The Dark Overlord’ Places Healthcare Databases on Dark Web

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently it was shortly after that a fourth stolen database consisting of a reported 9.3 million individuals records from a health insurer went up for sale. The hacker taking credit for all refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems, for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid the hacker moved on to Plan B – sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets – Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness – have been identified. The hacker accessed electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however,  is alleged to have materialized only after events of last weekend, when 500 patients records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on Databreaches.net, both entities have acknowledged that the attacker likely got access by an unnamed third party contractor (presumably the EMR vendor). Databreaches.net claims however that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons- or at least questions- must be in the minds of any healthcare organization as they learn of these events. First is to question of whether your own data security is protected from such attacks, or are you vulnerable as well? How safe is your EMR system? How closely do you audit and monitor the third party vendors you contract with? Second, and something I think every organization should have at least a working framework to use for analysis in the event they find themselves the recipient of a post-breach ransom demand, is, what will your response be in the event you receive such a demand?