Ledes from the Land of Enchantment

Report on Patient Privacy Volume 22, Number 1. Privacy Briefs: January 2022 | Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Patient Privacy Report 22, #1 (January 2022)

◆ New Jersey passed its third settlement in three months on state health care privacy and security laws and announced that three cancer care providers would take new security measures and pay $425,000 to settle an investigation into two data breaches.[1] Acting Attorney General Andrew Bruck said Regional Cancer Care Associates LLC, RCCA MSO LLC and RCCA MD LLC (collectively RCCA) have experienced violations that may have exposed personal and proprietary health information of 105,200 consumers, including 80,333 New Jersey residents. The first data breach occurred “when multiple RCCA staff email accounts were compromised through a targeted phishing scheme that allowed unauthorized access to patient data stored in those accounts in April-June 2019. The proprietary information disclosed included medical records, driver’s license numbers, Social Security numbers, financial account numbers and payment card numbers,” the state said. “Then in July 2019, in the course of notifying customers of the initial breach, RCCA abusively disclosed patient data when a third-party provider abusively sent out notification letters to 13,047 living patients by addressing the letters to those patients’ potential next-of-kin. As a result of this second violation, family members of these cancer patients were informed of their loved ones’ illnesses without their consent,” the state said. “The settlement consists of $353,820 in penalties and $71,180 in attorney and investigation fees.” Although RCCA denies the allegations, it has agreed to additional privacy and security measures, including implementing and maintaining a comprehensive information security program; developing, implementing and maintaining a written incident response plan and a cybersecurity operations center for preparing for, detecting and responding to security incidents; conducting training courses; hiring a Chief Information Security Officer; and engaging an independent third party to assess patient data policies and practices.
In October, Bruck announced two settlement agreements that included payments and additional security measures.[2]

◆ The Maryland Department of Health (MDH) servers that were reporting positive COVID-19 cases were taken offline following a cyberattack in early December.[3] According to the department, “unauthorized activity involving multiple network infrastructure systems” was detected on Dec. 4. “Immediate countermeasures were taken to contain the incident and servers were taken offline to protect the network,” the department said. “Due to the state’s aggressive cybersecurity strategy and use of MD THINK and other cloud-based services, many of the department’s core functions were unaffected. There is still no evidence that data has been compromised. To prevent additional damage and to avoid compromising sensitive health information, we are methodical and thoughtful in restoring network systems while prioritizing health and safety functions.” As of Jan. 2, the state said, “Approximately 95% of surveillance data on state levels are restored. MDH continues to work to recover the full COVID-19 dataset. Previously recovered data reports on vaccines, hospitalizations, case surveillance, and outbreaks from congregations and schools hosted on coronavirus.maryland.gov datasets remain current. MDH and our agency partners are intensely focused on full recovery and reporting of surveillance data in consideration of all related steps and protocols.”

◆ Planned Parenthood Los Angeles faces a possible class action lawsuit after a cyberattack exposed the health records of more than 400,000 patients.[4] According to a news report, a patient filed a lawsuit against the healthcare provider in early December, claiming she suffered from anxiety and stress as a result of the violation. The lawsuit alleges that Planned Parenthood Los Angeles violated state and federal privacy laws by failing to provide adequate safeguards against hacking incidents. The ransomware attack may have started as early as October 9 and was discovered on October 17, Planned Parenthood Los Angeles said in a letter to patients reporting the possible breach. Some files had been exfiltrated from the provider’s system, the letter said.[5] Data that may have been disclosed included patient names; dates of birth; addresses; insurance identification numbers; and clinical data such as diagnosis, treatment, and prescribing information.

◆ A violation of the Rhode Island Public Transit Authority’s (RIPTA) health insurance billing schedule potentially exposed information on approximately 12,700 government employees.[6] RIPTA has begun sending letters to state officials informing them that files related to the state health insurance billing schedule containing their personal information have been accessed. The attack was identified in August, and RIPTA is offering free identity monitoring services to those affected. The Rhode Island Attorney General’s office is investigating the violation.

◆ Monongalia Health System Inc. (Mon Health) of Morgantown, West Virginia, is notifying patients of an email phishing incident that may have resulted in unauthorized access to emails and attachments.[7] Mon Health said it “became aware of the incident after a provider reported not receiving payment from Mon Health on July 28, 2021. In response, Mon Health promptly launched an investigation which found that unauthorized persons had gained access to a Mon Health contractor email account and were sending emails from that account in an attempt to collect funds from Mon Health through fraudulent transfers.” Subsequent investigation confirmed that the incident did not involve the electronic medical record system. Between May 10 and August 15, unauthorized persons gained access to the email accounts. “Based on its investigations, Mon Health believes that the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent transfers and an email phishing scheme to avoid personal access information,” the health system said. “Nonetheless, Mon Health cannot rule out the possibility that emails and attachments from the involved Mon Health email accounts containing patient, provider, employee and contractor information were accessed as a result of this incident.”

◆ The American Medical Association (AMA) is urging health app developers to protect patient privacy and has released a new guide on data stewardship and equitable collection of digital health data for developers to refer to.[8] AMA noted that the ability to collect and track health and wellness data has positive benefits, as it allows providers to monitor conditions more closely and “proactively engage with patients regarding their health concerns.” However, the AMA noted, “Health insurers have used information from wearable devices to deny reimbursement claims, employers have used access to health information employees may not be aware of to make employment decisions, and data brokers are trying to collect more and more of this information to create detailed profiles of individuals who serve as gatekeepers for housing opportunities and more.” The AMA said its data policies “aim to help technology developers navigate this space so patients and clinicians can make informed decisions about privacy.”

◆ San Juan Regional Medical Center in Farmington, New Mexico, is facing a class action lawsuit over a 2020 data breach.[9] “The lawsuit alleges that the hospital was negligent in handling patients’ personal information, resulting in the disclosure of health information and other sensitive private information for 68,792 people,” a news report said. The compromised data included names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, financial account numbers, passport numbers, driver’s license numbers, health insurance information, and medical information. The complaint contains several allegations against the hospital and describes how the breach has adversely affected patients.

1 New Jersey Division of Consumer Affairs, “New Jersey Health Care Providers Will Adopt New Security Measures and Pay $425,000 to Settle Investigation in Two Data Breaches,” press release, December 15, 2021, https://bit.ly/3sMnKwF.
2 Jane Anderson, “New Jersey Latest to Target Privacy Breaches: Printers Must Pay $130,000 to Settle 2016 Breach,” Report on Patient Privacy 21, no. 12 (December 2021), https://bit.ly/3eLrHcN.
3 Maryland Department of Health, “Updates: Maryland Department of Health Network Security Incident,” Incident Update, January 3, 2022, https://bit.ly/32Vccfr.
4 Sam Dorman, “Planned Parenthood of Los Angeles Faces Data Breach Class Action Lawsuit,” Fox News, December 17, 2021, https://fxn.ws/3qHrjl5.
5 Planned Parenthood Los Angeles, “Notice of Patient Privacy Incident,” November 2021, https://bit.ly/3qHbWJl.
6 Eli Sherman and Ted Nesi, “AG Office Investigates RIPTA Data Breach Affecting Over 12,000 Government Workers,” WPRI.com, December 29, 2021, https://bit.ly/3EQlVRA.
7 Monongalia Health System Inc., “Monongalia Health System, Inc. Investigates and Addresses Data Security Incident,” press release, December 21, 2021, https://prn.to/3sRp15I.
8 American Medical Association, “Privacy Is Good Business: A Case for Privacy by Design in App Development,” December 2021, https://bit.ly/3zpAOJB.
9 Joshua Kellogg, “Nearly 69,000 Affected by Data Breach in San Juan Region,” Albuquerque Journal, December 14, 2021, https://bit.ly/3HsS9Ed.
