Steve Cagle, MBA, HCISPP, CEO, Clearwater
In recent months there have been several regulatory enforcement actions on healthcare organizations resulting from investigations into breaches of electronic protected health information (ePHI). In addition to the Office for Civil Rights (OCR)—at one point the primary enforcement agency investigating healthcare organizations’ compliance with HIPAA—state attorney generals are now aggressively pursuing regulatory enforcement actions related to failure to properly secure protected health information.
In all the recent cases where fines or settlements occurred, the healthcare organization was cited for failure to conduct an accurate and thorough risk analysis of ePHI, which is required by the HIPAA Security Rule 45 C.F.R. § 164.308(a)(l)(ii)(A), as well as many state regulations. This blog will examine recent enforcement actions and outline key recommendations to help your organization avoid unnecessary breaches and be prepared to respond to an inquiry or investigation related to a healthcare breach.
Recent Enforcement Action by Office for Civil Rights
The Office for Civil Rights, a division of Health and Human Services, is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). OCR carries out this responsibility by investigating all breaches of 500 or more records, as well as investigating some complaints filed with the Office.
On May 16, 2023, OCR announced that it reached a settlement with MedEvolve, a business associate that provides practice and revenue cycle management and practice analytics software services to healthcare entities. In July 2018, OCR initiated an investigation of MedEvolve following the receipt of a breach notification report stating that an FTP server containing ePHI was openly accessible to the internet. The information included patient names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers, and in some cases, Social Security numbers.
OCR alleged that MedEvolve failed to conduct a risk analysis, as required by the HIPAA Security Rule, and additionally that it failed to enter into a business associate agreement with its subcontractor. As detailed in OCR’s Final Guidance on Risk Analysis Requirements under the HIPAA Security Rule and detailed in numerous published Resolution Agreements and Correction Action Plans (CAPs), covered entities and business associates must inventory all their information systems and components that create, receive, transmit, or maintain ePHI. They must include this inventory in the scope of the risk analysis, identify all reasonably anticipated unique vulnerabilities and threats to ePHI in each of those systems, assess relevant controls, and evaluate likelihood and impact to arrive at a risk score. In addition, they need to respond to high risks by way of a risk management plan. This process must be performed not once but on a continuous basis.
If MedEvolve had conducted a risk analysis of all its information systems and their associated components with ePHI (including the server that was exposed to the Internet) would it have discovered this vulnerability and taken action to remediate it prior to the breach? We can’t know for sure, but from our experience, it most likely would have been discovered. 3 million records of ePHI exposed to the Internet is a critical risk (high impact and high likelihood), and one that would likely have been remediated right away, had the organization known about it. As a result of this resolution agreement, MedEvolve paid a fine of $350K and will now be under a CAP for two years.
Recent State Attorney General (SAG) Actions
There has been a notable amount of regulatory enforcement by state attorney generals, who are fining both covered entities and business associates for HIPAA violations. While each state has its own rules and regulations regarding protection of health information or consumer data, under the HITECH Act SAGs also have jurisdiction to enforce HIPAA regulations, and states can levy their own fines and penalties for any violations of the Rules.
SAG enforcement of HIPAA is not new—in fact, there have been numerous cases over the last several years. Based on the size of the recent fines, it may turn out that healthcare organizations should be more concerned about SAG enforcement of the HIPAA Security Rule than OCR’s. Some SAGs are pooling resources and teaming up to gain economies of scale in investigations. State fines may exceed even OCRs’ resolution agreement amounts, so healthcare organizations should take these actions seriously.
On May 16th, 2023, the attorney generals from New Jersey, Oregon, Florida, and Pennsylvania announced that together they levied a total of $2.5 million fines on vision care provider EyeMed to settle an investigation into a 2020 email phishing incident that exposed the personal data of 2.1 million individuals in the United States. EyeMed was found to have violated several state consumer protection and personal information protection laws as well as HIPAA, according to the officials involved in the matter.
Among other security lapses, several EyeMed employees shared a single password to an email account used to communicate sensitive consumer data, including vision benefits enrollment and coverage information, despite a company policy prohibiting the shared use of email accounts.
What was noted in the consent order as one of the key culprits in their breach and the enforcement action? You guessed it—failing to conduct an accurate and thorough risk analysis. While EyeMed used third-party assessors to conduct risk assessments, they did not meet the definition of a risk analysis under the HIPAA Security Rule. The assessors did not include all the systems with ePHI and specifically excluded the email system.
The SAGs’ interpretation of the risk analysis requirement is consistent with OCR’s guidance that all systems that have ePHI must be included in the risk analysis, and the assessment must include the different risks and controls associated with each of those systems. EyeMed also failed to implement other security measures, which likely would have been identified as deficiencies in a bonafide, by-the-book risk analysis.
It’s important to note that EyeMed had previously paid a $4.5 million penalty to New York State’s Department of Financial Services last year over the same breach and another $600,000 in a different settlement with that state’s attorney general. That totals $7.1 million so far just in fines related to this breach. This cost may have been avoided altogether or reduced had EyeMed completed a risk analysis as required by law.
Amherst, New York-based Professional Business Systems Inc., which does business as Practicefirst Medical Management Solutions, agreed to pay a $550,000 fine and implement a comprehensive data security program to settle an enforcement action by New York state regulators in the aftermath of a 2020 ransomware attack that affected 1.2 million individuals.
PracticeFirst failed to apply a software update from its firewall provider to patch a critical vulnerability. The unpatched firewall left Practicefirst’s networks susceptible to a November 2020 hack leading to the deployment of ransomware and exfiltration of patient data. The company also failed to conduct regular security testing of its systems and encrypt personal information on its servers, violating both state laws and federal HIPAA regulations.
Following the breach notice, the New York’s Office of the Attorney General (OAG) launched an investigation that found the stolen data was not encrypted on Practicefirst’s network. The state audited Practicefirst, and its investigation concluded that the company did not “maintain reasonable data security practices.” Once again, a primary failure was that it did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI it holds, per the HIPAA Security Rule.
- Ensure you have an inventory of all systems with ePHI (as required by HIPAA) and other protected health information protected by state privacy and security laws
- Determine whether your organization has completed a risk analysis that is comprehensive (all systems and their components in the above inventory) and includes all nine elements of OCR’s Final Guidance. If not, the risk analysis must be conducted as soon as possible.
- Ensure any third parties performing the risk analysis are abiding by OCR’s final guidance and will analyze the risks of all information systems. Ask to review their methodology and deliverables and ask about their experience with OCR. If they have not sat across the table from an OCR investigator, it’s probably not the right firm.
- Keep your risk analysis up to date. Your attack surface as well as threat actors, change over time, and therefore your risks change over time as well. Perform a new risk analysis if you have not completed one in the last 12 months or if your environment has changed materially, e.g., from an acquisition or change in tech stack.
- Create a risk management plan to address any risks above the threshold.
Failing to conduct risk analysis leaves an organization with unknown risks, potentially including critical or high risks that eventually may lead to a breach. Not performing a risk analysis on an ongoing basis will likely be considered negligent by regulatory authorities and therefore exposes the organization to regulatory action. The organizations discussed above may have avoided their breaches, the harm caused to patients, and all the associated costs associated with remediation, lawsuits, fines, legal fees, and the longer-term costs due to reputational damage, had they conducted a risk analysis.
If you do not know where your ePHI is or have not conducted a risk analysis of all your information systems with ePHI, don’t wait any longer. Threat actors are targeting healthcare more than ever before. Get help now from a firm that specializes in healthcare risk analysis. Avoid preventable breaches and be confident that you are abiding by the letter of the law should you be subject to an investigation.