Privacy Briefs: May 2024

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy 24, no. 5 (May, 2024)

◆ Kaiser Permanente is notifying 13.4 million current and former members that their personal information may have been compromised when it was transmitted to tech giants Google, Microsoft Bing and X (formerly Twitter) when members and patients accessed Kaiser’s websites or mobile applications. According to Kaiser, the information transmitted included IP address, name, information that could indicate a member or patient was signed into a Kaiser Permanente account or service, information showing how a member or patient interacted with and navigated through the website and mobile applications and search terms used in the health encyclopedia. Information did not include usernames, passwords, Social Security numbers, financial account information or credit card numbers, Kaiser said. “Kaiser Permanente is not aware of any misuse of any member’s or patient’s personal information,” the company said in a recent statement. “Nevertheless, out of an abundance of caution, we are informing approximately 13.4 million current and former members and patients who accessed our websites and mobile applications. We apologize that this incident occurred.” Kaiser said it is conducting an internal investigation into the breach.[1]

◆ A former employee pleaded guilty to a 2023 data breach at Springfield, Missouri-based Jordan Valley Community Health Center. Chante Falcon admitted to accessing records from more than 2,500 patients who identified as Native American. She then gave that information to two individuals who cold-called patients, offering free services from the Southwest Missouri Indian Center. Court documents said that Falcon also accessed one person’s sensitive health information and then shared that information with others for malicious purposes. A judge accepted Falcon’s guilty plea to the federal felony of wrongful disclosure of individually identifiable health information. The charge carries a possible 10-year prison sentence.[2] Jordan Valley said it became aware of the breach last August and that Falcon accessed information between March 9 and June 22, 2023. “Fortunately, all printed and digital material taken from Jordan Valley was retrieved and destroyed,” the hospital said in a statement. “Affidavits were obtained in the attempt to ensure no other copies of information existed.”[3]

◆ The HHS Office for Civil Rights’ (OCR) revised bulletin for covered entities and business associates using online tracking technologies only confirms that the original bulletin was “substantively and procedurally unlawful,” the American Hospital Association (AHA) told a federal court as part of its challenge to the original bulletin. AHA sued OCR last year to bar enforcement of the bulletin. “Recognizing that its Original Bulletin was legally indefensible, HHS responded to this suit by issuing a Revised Bulletin just days before its brief was due. But the agency’s inconsequential modifications only confirmed that both agency actions were substantively and procedurally unlawful,” AHA wrote in its brief. “The unprecedented rule HHS has adopted is unmoored from statutory text and purpose, as well as practically unworkable and internally inconsistent—unsurprising for a rule hastily reformulated in the crucible of litigation and still critically lacking in public feedback. Just like the Original Bulletin, the Revised Bulletin will prevent healthcare providers from communicating vital health information to the communities they serve.” The hospital group also noted that its member hospitals “had no choice but to comply with this unlawful government mandate,” but “several federal agencies—including one within HHS itself—continue to engage in the very conduct that the Revised Bulletin purportedly reminds them has always been illegal.” The case was filed in the U.S. District Court for the Northern District of Texas, Fort Worth Division.[4]

◆ The Federal Trade Commission (FTC) has taken action against an alcohol addiction treatment service for allegedly disclosing as many as 84,000 users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent after promising to keep such information confidential. As part of a proposed order settling the allegations, New York-based Monument Inc. will be banned from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third parties for any other purpose. FTC imposed a $2.5 million penalty on Monument but suspended it; the company had said it was unable to pay. Depending on membership levels that cost from $14 to $249 a month, Monument offers users access to online support groups, community forums, online therapy and physicians who can prescribe medications that assist in treating alcohol addiction. The company collects personal information from consumers when they sign up for the service, including their names, email addresses, dates of birth, phone numbers, physical addresses, copies of their government-issued IDs, information about their alcohol consumption and medical history, and their IP addresses and device IDs when they start using the service. The FTC complaint said that “from 2020-2022, Monument claimed on its website and/or in other communications with consumers that users’ personal information would be ‘100% confidential’ and that the company would not disclose such data to third parties without users’ consent. The company also claimed it complied with [HIPAA],” although “an outside assessor hired by the company found that it had not fully complied with HIPAA’s requirements.” According to the complaint, the company disclosed users’ personal information, including their health information, to numerous third-party advertising platforms via tracking technologies that Monument integrated into its website, and used the information to target ads for its services at both current users on its lowest-cost memberships and prospective customers.[5]
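The Kaiser notice and the Monument complaint above describe the same mechanism: tags and pixels loaded from Google, Microsoft Bing, X and Meta that report the visitor's IP address, the page URL and navigation back to the vendor. The first check a privacy or security team wants is an inventory of which third parties a patient-facing page actually talks to. The scanner below is an added example for this brief, not Kaiser's, Monument's or any vendor's code; its host and marker tables, the constructed sample page and the example URL are assumptions made for the demonstration. The `page_context_sent` helper also shows why a health-encyclopedia search term leaks: the page URL a pixel reports carries the query string.

```python
"""Offline scan of a page's HTML for third-party tracking tags.

Added example for this brief; it is not Kaiser's, Monument's or any
vendor's code. TRACKER_HOSTS and INLINE_MARKERS are assumptions: a short
list of hosts and script globals commonly used by analytics and ad
pixels, not an authoritative catalogue.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed: hosts that serve tag/pixel scripts, mapped to the party receiving the data.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google",
    "www.google-analytics.com": "Google",
    "bat.bing.com": "Microsoft Bing",
    "static.ads-twitter.com": "X (Twitter)",
    "analytics.twitter.com": "X (Twitter)",
    "connect.facebook.net": "Meta",
    "www.facebook.com": "Meta",
}

# Assumed: globals or calls that inline tag snippets define for the same vendors.
INLINE_MARKERS = {
    "gtag(": "Google",
    "uetq": "Microsoft Bing",
    "twq(": "X (Twitter)",
    "fbq(": "Meta",
}


class TrackerScanner(HTMLParser):
    """Collects <script>/<img>/<iframe> sources and inline snippets that point at known trackers."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def _add(self, vendor, kind, src):
        finding = {"vendor": vendor, "kind": kind, "src": src}
        if finding not in self.findings:
            self.findings.append(finding)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            # urlparse handles absolute and protocol-relative (//host/...) URLs.
            host = (urlparse(src).hostname or "").lower()
            if host in TRACKER_HOSTS:
                self._add(TRACKER_HOSTS[host], tag, src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for marker, vendor in INLINE_MARKERS.items():
                if marker in data:
                    self._add(vendor, "inline", marker)


def find_trackers(html):
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def vendors_receiving_data(html):
    """Sorted list of third parties that would receive page data from this HTML."""
    return sorted({f["vendor"] for f in find_trackers(html)})


def page_context_sent(page_url):
    """What a pixel typically transmits besides IP and cookies: the full page
    URL, so the path and query string, including a search term, go with it."""
    parts = urlparse(page_url)
    return {
        "host": parts.hostname,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


# Constructed sample page (not a real site): one first-party script and tags for four vendors.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());</script>
<script>window.uetq = window.uetq || [];</script>
<script src="//static.ads-twitter.com/uwt.js"></script>
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=000&ev=PageView">
</body></html>"""

if __name__ == "__main__":
    for f in find_trackers(SAMPLE_PAGE):
        print(f"{f['vendor']:15} {f['kind']:7} {f['src']}")
    print(page_context_sent("https://health.example.org/encyclopedia/search?q=insulin+pump"))
```

Run it against saved HTML from every patient-facing page, including authenticated views, since the Kaiser notice covers pages reached after sign-in. The host table only names vendors it recognizes; any other host outside the organization's own domains is still a finding to review, and tags injected at runtime by a tag manager will only show up in a browser capture, not in the static HTML.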

◆ HHS is warning hospitals that threat actors employ advanced social engineering tactics to target information technology (IT) help desks in the health sector and gain initial access to target organizations. According to a threat bulletin from the HHS Health Sector Cybersecurity Coordination Center (HC3), the threat actors “target an organization’s IT help desk with phone calls from an area code local to the target organization, claiming to be an employee in a financial role (specifically in revenue cycle or administrator roles). The threat actor is able to provide the required sensitive information for identity verification, including the last four digits of the target employee’s Social Security number (SSN) and corporate ID number, along with other demographic details. These details were likely obtained from professional networking sites and other publicly available information sources, such as previous data breaches. The threat actor claimed that their phone was broken, and therefore could not log in or receive MFA [multi-factor authentication] tokens. The threat actor then successfully convinced the IT help desk to enroll a new device in [MFA] to gain access to corporate resources.” HC3 cited two incidents in the health care sector that “leverage[d] spearphishing voice techniques and impersonation of employees with specific access related to the threat actors’ end goals.” HC3 recommended several possible mitigations, including requiring callbacks to the phone number on record for the employee requesting a password reset and enrollment of a new device.[6]
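HC3's callback mitigation is a control the help desk has to follow on every call; the matching detection is to check afterwards that every help-desk MFA enrollment was preceded by a callback to the number HR holds, and to treat knowledge-based answers (last four of SSN, employee ID) as worthless for that purpose, since the alert notes they come from breaches and public profiles. The audit below is an added example for this brief, not HC3's or any identity vendor's code; the event schema, field names, directory entries and events are constructed assumptions, and a real deployment would read them from the ticketing system and the identity provider's audit log.

```python
"""Audit help-desk-initiated MFA device enrollments against the callback rule.

Added example for this brief; it is not HC3's or any vendor's code. The
event schema, field names and DIRECTORY below are assumptions, constructed
to show the check, not any product's log format.
"""
from datetime import datetime, timedelta

# Assumed HR/directory data: the phone number on record for each employee.
DIRECTORY = {
    "afinance": {"phone_on_record": "+14175550100"},
    "brevcycle": {"phone_on_record": "+14175550111"},
    "cadmin": {"phone_on_record": "+14175550122"},
}

# Constructed events (ISO timestamps). Three help-desk calls that each claim a
# broken or lost phone and ask for a new MFA device, plus one self-service enrollment.
EVENTS = [
    {"ts": "2024-04-01T09:00:00", "type": "helpdesk_call", "user": "afinance",
     "caller_number": "+14175550100", "claim": "phone broken, cannot receive MFA codes"},
    {"ts": "2024-04-01T09:06:00", "type": "callback_verified", "user": "afinance",
     "number": "+14175550100"},
    {"ts": "2024-04-01T09:10:00", "type": "mfa_device_enrolled", "user": "afinance",
     "actor": "helpdesk"},
    {"ts": "2024-04-01T10:00:00", "type": "helpdesk_call", "user": "brevcycle",
     "caller_number": "+14175550999", "claim": "phone broken, please enroll my new one"},
    # The agent called the number the caller supplied, not the one on record.
    {"ts": "2024-04-01T10:04:00", "type": "callback_verified", "user": "brevcycle",
     "number": "+14175550999"},
    {"ts": "2024-04-01T10:08:00", "type": "mfa_device_enrolled", "user": "brevcycle",
     "actor": "helpdesk"},
    {"ts": "2024-04-01T11:00:00", "type": "helpdesk_call", "user": "cadmin",
     "caller_number": "+14175550888", "claim": "lost phone, verified with last 4 of SSN"},
    {"ts": "2024-04-01T11:03:00", "type": "mfa_device_enrolled", "user": "cadmin",
     "actor": "helpdesk"},
    {"ts": "2024-04-01T12:00:00", "type": "mfa_device_enrolled", "user": "afinance",
     "actor": "self"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def audit_helpdesk_enrollments(events, directory, window=timedelta(hours=2)):
    """Return one finding per help-desk MFA enrollment that was not preceded,
    within `window`, by a callback to the employee's number on record.

    Knowledge-based answers offered on the call are deliberately ignored:
    the only thing that counts as verification is a callback to the
    directory number, never to a number the caller supplied.
    """
    events = sorted(events, key=_ts)
    findings = []
    for enrol in events:
        if enrol["type"] != "mfa_device_enrolled" or enrol.get("actor") != "helpdesk":
            continue
        user = enrol["user"]
        on_record = directory.get(user, {}).get("phone_on_record")
        start = _ts(enrol) - window
        prior = [e for e in events
                 if e["user"] == user and start <= _ts(e) <= _ts(enrol)]
        callbacks = [e for e in prior if e["type"] == "callback_verified"]
        calls = [e for e in prior if e["type"] == "helpdesk_call"]
        if on_record and any(c["number"] == on_record for c in callbacks):
            continue  # verified the way the HC3 alert recommends
        if not callbacks:
            reason = "no callback performed"
        else:
            reason = "callback went to a number not on record"
        last_call = calls[-1] if calls else {}
        findings.append({
            "user": user,
            "ts": enrol["ts"],
            "reason": reason,
            "caller_number": last_call.get("caller_number"),
            "caller_claim": last_call.get("claim"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_helpdesk_enrollments(EVENTS, DIRECTORY):
        print(f"{f['ts']} {f['user']:10} {f['reason']} (caller said: {f['caller_claim']!r})")
```

The two flagged cases are the ones the alert describes: an agent who called the caller's own number back, which proves nothing, and an agent who accepted the last four of an SSN instead of calling anyone. A finding on a revenue-cycle or administrator account should be treated as a possible initial-access event and the newly enrolled device removed until the employee is verified in person or through a manager.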

◆ A new report from the Identity Theft Resource Center (ITRC) found that the number of publicly reported data compromises in the U.S. nearly doubled in the first quarter of 2024 compared to the same period last year. The first quarter of each year tends to be the lowest in terms of reported data compromises, according to the report. The number of cyberattack-related breach notices “without information about the root cause” also increased significantly in the first quarter of 2024, to more than two-thirds of notices, the report said. Fewer than half of cyberattack notices posted in the first quarter of 2023 lacked root cause information, the group said. Attacks increased across 15 of 17 industries tracked by the ITRC. Financial services, with 224 notices in the first quarter of 2024, displaced health care, with 124 notices, as the most attacked industry in the first quarter. However, health care remained the industry most represented in the top ten compromises, the report’s list of the biggest breaches. Health care notices still make up half of the top ten compromises in terms of the estimated number of victims impacted, the report said.[7]

◆ The average user in the health care sector interacts with an average of 22 cloud apps per month, and the top 1% of users interacted with 94 apps per month, the highest of all industries, according to a report from data security company Netskope. The report found that approximately 40% of all malware downloads in the health care industry originate from cloud apps, compared to around 30% a year ago. “The abuse of cloud apps allows the malware to fly under the radar and evade regular security controls that rely on tools such as domain block lists or that do not inspect cloud traffic,” the report said. Microsoft OneDrive is the most popular app in the health care sector, and the sector saw more malware downloads originating from OneDrive than from any other cloud app, the report said.[8]


1 NBC Bay Area staff, “Kaiser Permanente data breach may have affected millions,” NBC Bay Area, April 29, 2024, https://bit.ly/44tQGu5.

2 Harrison Keegan, “Ex-employee pleads guilty in 2023 data breach at Jordan Valley Community Health Center,” OzarksFirst.com, April 11, 2024, https://bit.ly/4bneNwJ.

3 Jordan Valley Community Health Center, “Notice of Data Breach,” September 15, 2023, https://bit.ly/4dsMvTl.

4 American Hospital Association, “AHA to court: Revised OCR bulletin on online tracking technologies still unlawful,” April 12, 2024, https://bit.ly/3JLOtRa.

5 Federal Trade Commission, “Alcohol Addiction Treatment Firm will be Banned from Disclosing Health Data for Advertising to Settle FTC Charges that It Shared Data Without Consent,” news release, April 11, 2024, https://bit.ly/3WnLzJR.

6 U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center, “HC3: Sector Alert – Social Engineering Attacks Targeting IT Help Desks in the Health Sector,” Report 202404031000, April 3, 2024, https://bit.ly/4a4u2tp.

7 Identity Theft Resource Center, “Q1 2024 Data Breach Analysis: Two-Thirds of Cyberattack Notices Do Not Include the Cause; Notices Nearly Double YoY,” report, April 2024, https://bit.ly/3UNqeIU.

8 Netskope, “Netskope Threat Labs Report: Healthcare 2024,” March 2024, https://bit.ly/3Ur15Cb.
