Privacy Briefs: October 2023

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy 23, no. 10 (October, 2023)

Kaiser Foundation Health Plan Inc. and Kaiser Foundation Hospitals will pay California $49 million to resolve allegations that they unlawfully disposed of hazardous waste, medical waste and protected health information at Kaiser facilities statewide. California Attorney General Rob Bonta, in partnership with six district attorneys, announced the settlement, saying Kaiser will be required to take “significant steps” to prevent future unlawful disposals. The settlement results from undercover inspections of dumpsters at 16 different Kaiser facilities conducted by the district attorneys’ offices. During those inspections, the district attorneys’ offices reviewed the contents of unsecured dumpsters destined for disposal at publicly accessible landfills and found hundreds of items of hazardous and medical waste, along with more than 10,000 paper records containing the information of more than 7,700 patients. The California Department of Justice subsequently joined the district attorneys and expanded the investigation of Kaiser’s disposal practices throughout the state. In response to the joint law enforcement investigation, Kaiser hired a third-party consultant and conducted more than 1,100 trash audits at its facilities in an effort to improve compliance, Bonta said. Kaiser also modified its operating procedures to improve its handling, storage and disposal of waste.[1]

The FBI and the Cybersecurity and Infrastructure Security Agency have released a joint cybersecurity advisory on Snatch ransomware that provides organizations with indicators of compromise associated with Snatch. Snatch recently attacked a hospital in Maine and also claimed responsibility for attacking the Florida Department of Veterans Affairs. According to the agencies, Snatch threat actors operate a ransomware-as-a-service model and change their tactics according to current cybercriminal trends and the successes of other ransomware operations.[2]

The Department of Justice (DOJ) has charged nine Russian nationals who allegedly used Russian-based malware in cyberattacks on various U.S. entities, including a 2021 attack on Scripps Health that resulted in weeks’ worth of computer downtime and breached information for more than 150,000 patients. DOJ charged the nine Russians with using the malware tools Trickbot and Conti to infiltrate Americans’ devices. The defendants are behind “one of the most prolific ransomware variants used in cyberattacks across the United States, including attacks on local police departments and emergency medical services,” Attorney General Merrick Garland said in a statement. The nine men allegedly infected victims’ computers with Trickbot malware designed to capture victims’ personal data such as banking credentials as well as passwords and personal identification for things like credit cards and emails, according to an indictment unsealed in the Northern District of Ohio. The hackers then infected other computers and used the login credentials to steal funds from victims’ bank accounts and then installed ransomware on the victims’ computers, the indictment said. According to the indictment, the defendants sent phishing emails to companies with an embedded malicious link or attachment in the email. Several defendants face indictments for cybercrimes in Tennessee, California and Ohio.[3]

Indiana-based Schneck Medical Center has agreed to pay $250,000 to the state of Indiana in a settlement agreement to resolve a 2021 breach. According to court documents, Schneck experienced a data breach Sept. 29, 2021, exposing personal and protected health information for approximately 89,707 Indiana residents. The settlement agreement, signed Sept. 6 by the medical center and Indiana Attorney General Todd Rokita, also requires Schneck to implement a data security program within 90 days. The required data security program outline includes provisions on governance, incident response planning, tabletop exercises, training, password management, account management, access controls, multi-factor authentication, asset inventory, vulnerability scanning, software updates and patch management, segmentation, encryption, logging and monitoring, intrusion detection and prevention, penetration testing and risk assessment.[4]

More than three-quarters of health care organizations experienced at least one cybersecurity incident over the last year, and 47% cited at least one incident that affected cyber-physical systems such as medical devices and building management systems, according to a survey. The survey from security firm Claroty of 1,100 cybersecurity, engineering, information technology and networking professionals from health care organizations reported that 30% of companies that experienced cybersecurity incidents saw sensitive data such as protected health information affected. In addition, the survey said more than 60% of respondents reported that incidents caused a moderate or substantial impact on care delivery, while another 15% reported a severe impact that compromised patient health and/or safety. One-quarter of those who reported being victims of ransomware attacks said they paid the ransom. The survey found that more than one-third of entities experiencing incidents in the past year incurred costs from the attack of more than $1 million. Most respondents selected National Institute of Standards and Technology and HITRUST Cybersecurity Frameworks as important. Still, nearly 30% of respondents were critical of the government, saying current government policies and regulations require improvement or do nothing to prevent attacks. More than 70% of health care organizations reported that they were looking to hire workers for cybersecurity roles, and 80% of those hiring say it’s difficult to find qualified candidates who have the skills and experience required to properly manage a health care network’s cybersecurity.[5]

National Institute of Standards and Technology (NIST) has released a draft of the second edition of its publication, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide. The publication provides practical guidance and resources that can be used by regulated entities of all sizes to safeguard ePHI, according to NIST. The agency released an earlier draft for public comment in 2022, received more than 250 comments from “several dozen individuals and organizations” and intends to release a final version of the publication next year. In that version, NIST said, it would include more specific resources for small, regulated entities and it would collaborate with other public and private sector organizations to help create those resources, which may include tools, use cases, or more specific guidance. In addition, NIST said, the new version will include clarification of the terms “risk analysis” and “risk assessment.” According to NIST, “the term ‘risk analysis’ cannot be eliminated because it is the term used in the Security Rule, and we will consistently refer to risk analysis as that which is required by the Security Rule – namely, an accurate and thorough assessment of the threats and vulnerabilities to ePHI. Risk assessment will refer to the process by which a regulated entity can determine the level of risk to ePHI.” The draft resource guide provides a risk assessment process that regulated entities can use, NIST said.[6]

A top member of the U.S. Senate Health, Education, Labor, and Pensions Committee has asked stakeholders for ways to improve the privacy protections of health data to safeguard sensitive information while balancing the need to support medical research. Sen. Bill Cassidy, R-La., the committee’s ranking member, said in his request to stakeholders that he hopes to use stakeholder feedback to identify solutions to modernize HIPAA and ensure all health data is properly guarded. Cassidy noted that new technologies such as wearable devices, smart devices, and health and wellness apps have expanded the creation and collection of health data. “While these technologies have enabled better care and greater patient access to health information, much of this data is not protected by the HIPAA framework,” Cassidy said. The senator is seeking information on how well the HIPAA framework is working, whether Congress should expand HIPAA’s scope, and how biometric, genetic and location data should be handled. He also asked which entities outside of HIPAA should be accountable for handling health data and whether different types of entities should have other obligations and privileges. In addition, Cassidy would like to know what privacy challenges and benefits are posed by using artificial intelligence—within and outside the HIPAA framework.[7]

The Connecticut Department of Social Services (DSS) failed to report a data breach impacting nearly 59,000 patients, according to a report from the state’s Auditors of Public Accounts. State auditors reviewed the agency’s internal controls and policy compliance for the fiscal years of 2019, 2020 and 2021 and identified several instances when the agency did not make statutorily required reports. Those incidents included a failure to report nearly $1.8 million in lost funding due to noncompliance with verification requirements for Medicaid-funded services that require a home visit. The agency also failed to report two data breaches, including a phishing incident that impacted some 58,964 Medicaid clients as well as 21 state employees and contractors. “Breaches of data increase a client’s risk of identity theft, medical insurance abuse, and financial fraud,” the auditors wrote. “DSS incurred costs for two-year security monitoring for clients identified in the breaches. DSS experienced revenue losses that it cannot recover.” In an agency response included in the report, the department agreed it should have notified auditors of the data breaches; it said it acted on the issue when it was notified. “An extensive forensic review was conducted that did not find evidence that client information had been disclosed,” DSS responded in the report. “The Department notified the affected clients to offer identity-theft protection services and notified the United States Department of Health and Human Services Office of Civil Rights.”[8]


1 State of California Department of Justice, Attorney General Rob Bonta, “Attorney General Bonta Announces $49 Million Settlement with Kaiser for Illegal Disposal of Hazardous Waste, Medical Waste, and Protected Patient Information,” news release, September 8, 2023, https://bit.ly/46b00Dp.

2 Cybersecurity & Infrastructure Security Agency, “FBI and CISA Release Advisory on Snatch Ransomware,” alert, September 20, 2023, https://bit.ly/3tem6Gm.

3 Luke Barr, “9 Russians charged with cyberattacks targeting US companies,” ABC News, September 8, 2023, https://bit.ly/3ZCu9Je.

4 Agreed Motion to Approve Consent Judgment and Order, State of Indiana Ex Rel. Rokita v. Jackson County Schneck Memorial Hospital d/b/a Schneck Medical Center, Case No. 4:23-cv-00155 (S.D. Ind. New Albany Division), August 14, 2023, https://bit.ly/3Q1OtAH.

5 Claroty, The Global Healthcare Cybersecurity Study 2023, accessed October 2, 2023, https://bit.ly/3RDfFqw.

6 Jeff Marron, “NIST’s Planned Updates to Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide,” National Institute of Standards and Technology (blog), September 5, 2023, https://bit.ly/3tenhpo.

7 U.S. Senate Committee on Health, Education, Labor, & Pensions, “Ranking Member Cassidy Seeks Information from Stakeholders on Improving Americans’ Health Data Privacy,” news release, September 7, 2023, https://bit.ly/3F1KQo0.

8 Hugh McQuaid, “Audit Finds DSS Failed to Report Data Breaches, Losses in Medicaid Funding,” CT News, September 13, 2023, https://bit.ly/3EYBMjA.