Breach at Pacific Northwest insurance company impacts 11 million customers

Seattle-based Premera Blue Cross announced that it recently discovered it had been hacked in May 2014. The Premera hack accessed a full range of customer information including medical data. The insurer, which is working with the FBI in the investigation, is offering free credit monitoring and identity theft protection services to those affected.

See Washington Post article at "Cyberattack at health insurer exposed data on 11 million customers -- including medical information"

Sophisticated one-time hacking scam costs target $289K; useful lessons for health industry

The details of a recent hacking scam, while not in the healthcare industry, may contain useful pointers for healthcare nonetheless. A San Diego area attorney clicked a link in a legitimate-looking email, which released a virus into his computer that recorded his keystrokes. As the hackers could now follow the attorney's activities from moment to moment, they waited until he attempted to access his firm's bank account online. The hackers then initiated a telephone call to him, purporting to be from the bank. The ersatz bank employee noted that the bank saw he was attempting to access his account and having trouble logging in. As this was, of course, the case, thanks to the hackers' behind-the-scenes work in his computer, the attorney saw no reason to doubt the caller, and followed the caller's instructions to "fix the problem." When the smoke cleared, $289,000 had been wired out of his firm's bank account. While the bank is refusing to cover the loss, observers note that the level of sophistication of such multi-part scams is making it increasingly difficult for targets to identify what is happening in time to avert harm.

See ABA Journal (American Bar Association) article at "Lawyer who clicked on attachment loses $289K in hacker scam"

80 million patient records breached in Anthem hack

Health insurance giant Anthem reports that it has been the target of a cyberattack exposing tens of millions of customer records. Anthem, until very recently known as WellPoint, the largest of the Blue Cross Blue Shield for-profit managed health care companies, is based in Indianapolis and operates in New York and California as well as in twelve other states. Anthem states that while neither credit card nor medical information was stolen, the information the hackers did make off with is significant and includes names, dates of birth, social security numbers, employer names, and income data. This latest data breach is the largest to date in the healthcare industry, 20 times the size of the most significant previous breach. Anthem has hired cybersecurity firm Mandiant to assist it in determining exactly what happened and how to improve security for the future. Anthem will be offering services for credit monitoring and identity protection free of charge to affected customers.

See Modern Healthcare article at "Hackers breach Anthem; 80M exposed"

Meaningful use program Stage 3 inches nearer to approval

The draft regulatory language of Stage 3 of the meaningful use program, scheduled to start in 2017, has been submitted for review to the Office of Information and Regulatory Affairs in the Office of Management and Budget.  The rules, submitted to the OMB by the Office of the National Coordinator for Health Information Technology, may reflect some of the discussions that have been taking place in the healthcare industry regarding lessons learned from the program’s roll-out so far.

See Modern Healthcare article at "EHR Stage 3 proposals go to OMB, hint at changes"

Connecticut Supreme Court: plaintiffs can sue for HIPAA violations

It has been a commonly held belief that a patient cannot sue under HIPAA for a breach of confidential health information as HIPAA provides no private cause of action. The patient’s only recourse has been to report the violation to the relevant federal agency responsible for enforcing the law, in this case the Department of Health and Human Services.

Recently, however, the Connecticut Supreme Court overturned a lower court’s decision that HIPAA precludes plaintiffs’ individual liability claims relating to violations of health information confidentiality.  In Byrne v. Avery Center for Obstetrics and Gynecology, in which the clinic released PHI in response to a subpoena, the higher court ruled that “If Connecticut’s common law recognizes claims arising from a health care provider’s alleged breach of its duty of confidentiality in the course of complying with a subpoena, HIPAA and its implementing regulations do not preempt such claims.”

The Connecticut court’s ruling follows similar rulings in Tennessee and Delaware in recent years.  The Connecticut ruling went on to say “We further conclude that, to the extent it has become the common practice for Connecticut health care providers to follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

Healthcare providers are, of course, paying close attention to these court rulings. But these rulings are sending shock waves through other industries as well, whose privacy and data security are similarly governed by federal laws that do not provide a private cause of action. These laws include FERPA and COPPA, which protect the privacy of students and children; GLBA, the Gramm-Leach-Bliley Act, which governs financial institutions; and the wide-reaching FTC Act, the Federal Trade Commission Act.

See Clinical Psychiatry News article at “Court: Patients can sue over HIPAA breaches”

A plus in the operating room, EHRs can cause trouble for providers in the courtroom

Electronic health records have been touted as having – and have proven to have – many benefits for healthcare organizations in terms of cost savings and efficacy of medical treatment.  They are not, however, unalloyedly beneficial in the courtroom.  As might be expected, the most important evidence in malpractice cases is medical records and now that they are digitized these records tend to be in EHR form.  According to defense attorneys, electronic medical records come with their own set of problems for the provider facing a malpractice lawsuit.  One striking issue is the “autofill” feature in EHR templates which automatically populates fields with data that may not be pertinent to the situation at hand.  Other issues include technical glitches, as well as users not using the software correctly.

See Business Insurance article at "Malpractice suits often tap electronic medical records"

AHIMA issues health info management recommendations

The American Health Information Management Association (AHIMA) recently released a set of guidelines regarding data governance of what it calls “information assets.”  AHIMA asserts that the healthcare industry must manage the huge amounts of data it works with in an intentional, standardized manner across the industry.  According to AHIMA, “information governance” is “…an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.”  Prioritizing accuracy, timeliness and accessibility, AHIMA’s approach rests on eight principles:  accountability, transparency, integrity, protection, compliance, availability, retention, and disposition.

See Modern Healthcare article at “AHIMA releases principles for new area: information governance,” and the 21-page AHIMA document at “Information Governance Principles for Healthcare”

California courts: Sutter Health not liable in $4.25 billion data breach case

In a development sure to draw attention, the California Supreme Court last week upheld a lower court’s dismissal of the $4.25 billion case against Sutter Health arising from an October 2011 data breach. A password-protected computer full of unencrypted data, stolen from one of Sutter Health’s Sacramento locations, contained records for 4.24 million patients. In July 2014, thirteen coordinated lawsuits in the case were dismissed by an appeals court. According to the appeals court, the case was dismissed because there is no evidence the stolen data has been used.

See Sacramento Business Journal (California) article at “California Supreme Court declines to review Sutter data-breach case”

Human-computer interactions: what happened during September's Texas Ebola misdiagnosis?

A new report on what went wrong in the processing of the late Thomas Eric Duncan upon his first visit to the emergency room proposes that a combination of human and computer errors was responsible.  A team of medical informaticists reviewed events leading up to the misdiagnosis, reporting their findings in "Ebola U.S. Patient Zero: Lessons on Misdiagnosis and Effective Use of Electronic Health Records."   The report, published October 23 in the online journal Diagnosis, suggests that certain EHR usability issues can contribute to medical errors.  One concern of the researchers is that EHRs are designed to try to “routinize” processing of patient information in a way that may blinder providers when faced with an out-of-the-ordinary situation.

See Modern Healthcare article at “Botched U.S. Ebola diagnosis points to computer, human errors” and Information Week article at “Ebola Misdiagnosis: Experts Examine EHR Lessons”

Medical info now 10 times more valuable than financial data on the black market

Credit card numbers have dropped precipitously in value in recent years as PHI replaces them on the underground market. Why? Cyber criminals use the PHI to engage in medical fraud which, because of its complexity, may continue undetected for years. Theft and misuse of credit cards, on the other hand, is usually detected almost immediately and the cards canceled. In addition, in part because the financial industry has had many more years to develop sturdy safeguards against data theft, healthcare industry data is relatively easier for thieves to access.

See Reuters article at “Your medical record is worth more to hackers than your credit card”