Privacy Briefs: November 2023

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy 23, no. 11 (November, 2023)

The American Hospital Association (AHA) is urging federal lawmakers to intervene with the HHS Office for Civil Rights (OCR) so that hospitals and health systems can continue to use online tracking pixels on their websites.[1] In a response to a request for information from Sen. Bill Cassidy, R-La., on the privacy implications of pixels, AHA said that OCR’s December 2022 guidance that many pixels violate HIPAA “inflicts meaningful harm on patients and public health” because it prevents hospitals and health care systems from being able to provide their communities with reliable health care information. “AHA urges Congress to make clear to OCR that the agency should withdraw the rule immediately,” the AHA said. Meanwhile, a study from cybersecurity company Feroot found that the vast majority of health care and telehealth websites are collecting data via trackers and transferring it without consent from the users.[2] Feroot analyzed hundreds of health care and telehealth websites and found that more than 86% are collecting and transferring data without obtaining consent from the user. More than 73% of login and registration pages have trackers, the study found. About 15% of the tracking pixels identified by Feroot read and collect a user’s keystrokes, meaning they could identify Social Security numbers, names, email addresses, appointment dates, internet protocol addresses, billing information, medical diagnoses and treatment, the study found. Some of the most common tracking pixels were from Alphabet Inc.’s Google, Microsoft Corp., Meta Platforms Inc. (the parent company of Facebook, Instagram and Threads), and ByteDance (the parent company of TikTok), the study found.

An August cyberattack at three Prospect Medical Holdings hospitals in Connecticut was far more debilitating than hospital officials publicly acknowledged; the attack now threatens a planned sale of two of the hospitals to Yale New Haven Health, an investigation by the CT Mirror found. The attack affected Manchester, Rockville General and Waterbury hospitals, as well as medical offices affiliated with the hospitals. Over the course of the more than 40-day breach at the hospitals, administrators at two facilities issued 29 “divert notifications” to emergency personnel throughout the region, according to ambulance dispatch logs obtained by the nonprofit publication. In addition, the hospitals were unable to bill Medicaid for payment, forcing the state Department of Social Services to advance them about $7.5 million. “A review of the records shows the facilities had to cancel nearly half of their elective procedures and at times over the nearly six-week period couldn’t process X-rays or CT scans that are vital for treating potential stroke or heart attack victims,” the investigation found. “At one point in mid-August, state officials were so concerned about staffing issues at Waterbury Hospital they considered activating the volunteer Medical Reserve Corps, which had previously been done only during the height of COVID.” All three hospitals declared “all services back online on Sept. 12, nearly six weeks after the attack began, according to diversion notifications.” But the hospitals are still recovering financially, and documents uncovered in the CT Mirror investigation revealed that Yale executives have questioned whether they still want to acquire Manchester and Waterbury hospitals, as previously agreed.[3]

New York-based Westchester Medical Center Health Network was forced to divert ambulances following a cyberattack that forced it to take all its connected IT systems offline. “Our first priority is the safety of our patients, which is why out of an abundance of caution, we are taking preemptive and proactive measures,” the health network said in a statement Oct. 19 following the cyberattack. “This includes temporarily diverting ambulances from HealthAlliance Hospital to other nearby medical facilities, and making decisions on whether to discharge current HealthAlliance Hospital patients to their homes or facilitate transfers to other hospitals within the WMCHealth Network.” The health network said that the hospital would remain open and walk-in patients would be treated, assessed, and either released or stabilized and transferred to other WMCHealth facilities. The ambulance diversion lasted for 24 hours, and all systems were restored by Oct. 24, according to the health network.[4]

Ransomware attacks on health care organizations in the U.S. since 2016 have cost the economy around $77.5 billion in downtime alone, according to a report from security firm Comparitech. “Since 2016, 539 ransomware attacks on healthcare organizations in the US have been confirmed,” the report said. “These attacks impacted more than 52 million patient records and have had an often devastating impact on 10,000 separate facilities.” The analysis found that downtime varied from minimal disruption—thanks to frequent data backups—to “months upon months of recovery time.” On average, medical organizations lost nearly 14 days to downtime across all years studied, the report said. This year, downtime has averaged the highest, at 18.71 days of downtime on average, the report said. Hackers demanded more than $39 million across 34 attacks and received payment in 31 out of 160 cases where the medical organizations disclosed whether they had paid the ransom, the report said, noting, “They are more likely to disclose that they haven’t paid the ransom than if they have.” Conti, Maze, Hive, Pysa and LockBit were the most prolific attackers, with the first three dominating in 2020/2021, Hive taking over in 2022 and LockBit accounting for the most attacks so far in 2023.[5]

The FBI is warning that cybercriminals are targeting plastic surgery offices and plastic surgeons in an effort to harvest personally identifiable information and sensitive medical records, including photographs. Once successful, the FBI said, the cybercriminals use social engineering techniques to enhance the harvested data and extort individuals for cryptocurrency. Phishing is the main way bad actors attempt to deploy malware to plastic surgery offices, the FBI said. Once they have data and photographs, they use open-source information, including social media and social engineering techniques, to enhance the harvested electronic protected health information (ePHI) data of plastic surgery patients, the FBI said. Ultimately, “Cybercriminals contact plastic surgeons and their patients via social media accounts, emails, text messages, or messaging apps, and ask for payment to prevent sharing of their ePHI. To exert pressure on victims for extortion payments, cybercriminals share the sensitive ePHI to victims’ friends, family, or colleagues, and create public-facing websites with the data. Cybercriminals tell victims they will remove and stop sharing their ePHI only if an extortion payment is made.”[6]

Nearly three-quarters of U.S. consumers are worried about the potential misuse of their health information by external entities, a study from consent management platform company Cassie found. Cassie’s Prescribing Privacy Healthcare Report found that 6 in 10 consumers are apprehensive about electronically sharing their health data due to privacy concerns, and consumers rated their healthcare providers 2 out of 5 for compliance with regulations. In addition, 35% of consumers reported having experienced “a disjointed process with healthcare providers,” and of those consumers, some 80% said this process caused confusion. Approximately 83% of consumers said they were skeptical of how well government regulations protect their health data, and 6 in 10 consumers believe that health care providers are not keeping up well with new data privacy regulations, the survey found.[7]

The Cybersecurity & Infrastructure Security Agency (CISA) and HHS have released a cybersecurity toolkit that includes resources tailored for the health care and public health sector. The toolkit can be found online at www.cisa.gov/healthcare and consolidates resources such as CISA’s Cyber Hygiene Services, which use vulnerability scanning to help secure against known vulnerabilities, reduce the risk of cyberattacks and encourage the use of best practices. It also includes HHS’s Health Industry Cybersecurity Practices, which was developed with industry and outlines effective cybersecurity practices for health care organizations of all sizes. Over the past year, CISA, HHS and the Health Sector Coordinating Council Cybersecurity Working Group have been working together to deliver tools, resources, training and information that can help health organizations, and the toolkit is part of this effort. “We have seen a significant rise in the number and severity of cyber attacks against hospitals and health systems in the last few years. These attacks expose vulnerabilities in our healthcare system, degrade patient trust, and ultimately endanger public safety,” said HHS Deputy Secretary Andrea Palm. “HHS is working closely with CISA and our industry partners to deliver the tools, resources, and guidance needed to help healthcare organizations, especially our under-resourced hospitals and health centers, mount a strong cyber defense and protect patient lives.”[8]

1 Stacey Hughes, “AHA Responds to Senate RFI on Health Data Privacy,” letter to Sen. Bill Cassidy, September 28, 2023, https://bit.ly/3MqKV8T.

2 Jessica Nix, “Private Health Data Still Being Exposed to Big Tech, Report Says,” Bloomberg, October 17, 2023, https://bit.ly/49xJOhF.

3 Dave Altimari and Jenna Carlesso, “Inside the cyberattack at Prospect Medical Holdings’ CT hospitals,” CT Mirror, October 1, 2023, https://bit.ly/40nuFv1.

4 Westchester Medical Center Health Network, “HealthAlliance Cyber Attack Update,” news release, October 19, 2023, https://bit.ly/3tZCevO.

5 Paul Bischoff, “Since 2016, ransomware attacks on healthcare organizations have cost the US economy $77.5bn in downtime alone,” Comparitech, October 23, 2023, https://bit.ly/3QjQkj7.

6 Federal Bureau of Investigation, “Cybercriminals are Targeting Plastic Surgery Offices and Patients,” Alert Number: I-101723-PSA, public service announcement, October 17, 2023, https://bit.ly/3so2zTF.

7 Cassie, “72% of consumers are apprehensive about the potential misuse of their health information by external entities,” Yahoo! Finance, news release, October 24, 2023, https://bit.ly/47cPzz9.

8 Cybersecurity & Infrastructure Security Agency, “CISA, HHS Release Collaborative Cybersecurity Healthcare Toolkit,” news release, October 25, 2023, https://bit.ly/3QFmvLh.
