Privacy Briefs: August 2024

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy 24, no. 8 (August, 2024)

On July 19, Change Healthcare Inc. filed a breach report with the HHS Office for Civil Rights (OCR) concerning its massive ransomware attack and resulting breach. The organization’s breach report to OCR identifies just 500 individuals as the “approximate number of individuals affected”; however, OCR noted in an update to its FAQ page on the breach that “[t]his is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal. Change Healthcare is still determining the number of individuals affected.” It’s estimated that the breach impacted millions of patients. OCR said that the posting on the HHS breach portal “will be amended if Change Healthcare updates the total number of individuals affected by this breach” and added that “HIPAA breach reports filed on the HHS Breach Portal may be amended as the breach report form allows a filer to file an initial breach report or an addendum to a previous report.”[1]

Bipartisan legislation that would direct federal agencies to collaborate on cybersecurity to improve the resiliency of health care and public health sector entities has advanced to the full Senate. The Healthcare Cybersecurity Act, sponsored by Sens. Jacky Rosen, D-Nev., Todd Young, R-Ind. and Angus King, I-Maine, would require the Cybersecurity and Infrastructure Security Agency (CISA) and HHS to collaborate on improving cybersecurity and make resources available to nonfederal entities relating to cyberthreat indicators and appropriate defense measures. It also would create a special liaison to HHS within CISA to coordinate during cybersecurity incidents and collaborate to support health care and public health sector entities. The Homeland Security and Governmental Affairs Committee approved the bill on July 31.[2]

The American Hospital Association (AHA) and Health-ISAC, the nonprofit information-sharing organization formed to help the sector collaborate against cyberthreats, have issued a joint bulletin urging the health care industry to focus on supply chain security and resilience. The bulletin, written in the wake of recent ransomware attacks on blood supplier OneBlood, pathology provider Synnovis and blood plasma provider Octapharma, stated that these attacks resulted in a “massive disruption to patient care” and that organizations should prioritize applying risk management assessment principles to their critical suppliers and partners. “Consider supply-chain outages, and availability, determine impact to business operations and care delivery, and identify alternative suppliers or use multiple suppliers to create redundancy,” AHA and Health-ISAC said. According to the bulletin, the attacks against Octapharma, Synnovis and OneBlood appear unrelated and were conducted by separate Russian-speaking ransomware groups. “However, the unique nature and proximity of these ransomware attacks – targeting aspects of the medical blood supply chain within a relatively short time frame, is concerning,” AHA and Health-ISAC said. “As the healthcare sector begins to become more interconnected with third-party medical suppliers and software providers, these incidents are beginning to have larger impacts on patient care. Hypothetically, if attacks were to occur on different suppliers at the same time, for example, a blood donation organization and a medical gas supplier, the impacts on patient care would likely compound to create a larger impact than if the suppliers were attacked individually at different times.” A coordinated ransomware attack against multiple mission-critical suppliers could result in significant disruption to patient care globally, AHA and Health-ISAC warned.[3]

A 34-year-old man has been convicted of illegally accessing the private medical data of Supreme Court Justice Ruth Bader Ginsburg in 2019 but acquitted of posting the information to an online message board where conspiracists falsely claimed Democratic politicians were covering up her death. Trent Russell testified in his own defense near the end of a two-day trial on HIPAA violations in U.S. District Court in Alexandria, Va., repeatedly asserting that he never viewed or posted the justice’s confidential medical information, which showed details of her cancer treatments at George Washington University Hospital. Ginsburg’s hospital chart first surfaced on the message board 4chan and then spread to Twitter and YouTube. During the trial, FBI agents and a former hospital administrator testified that they traced Ginsburg’s chart to one of Russell’s home computers. Russell, an organ transplant coordinator who would evaluate patients near death across 48 hospitals in the Washington, D.C., region, initially told federal agents that it was possible his cats had run across his keyboard, causing the chart to appear; however, he later told the jury that he didn’t know how Ginsburg’s records appeared on his screen. Ginsburg had not been referred as a potential organ donor to Russell’s employer, according to testimony at the trial. Russell faces a maximum sentence of 21 years in prison.[4]

Health savings account administrator HealthEquity has suffered a data breach that could affect 4.3 million customers, the company said. HealthEquity, which also administers other types of health benefit plans, said it became aware of “a systems anomaly” on March 25 that required “extensive technical investigation” through June 10. “Through this extensive work, we discovered some unauthorized access to or disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems,” the company said. HealthEquity said a vendor’s user accounts were compromised, and those accounts had access to an online data storage location. “Because of this, an unauthorized party was able to access a limited amount of data stored in a storage location outside our core systems.” The affected data consisted primarily of sign-up information for accounts and benefits, including names, addresses, phone numbers, employee ID numbers, employer names, Social Security numbers, dependent information, and payment card information. Not all data categories were affected for every person involved in the breach, HealthEquity said. The company is offering two years of credit monitoring, insurance and restoration services to those impacted by the breach.[5]

The UAB School of Nursing in Birmingham, Ala., notified 1,655 patients that their protected health information had been compromised due to a study recruitment postcard. According to the university, the postcard—which was intended to encourage participation in a survey related to a breast cancer diagnosis—displayed the patients’ first and last names, addresses and inferred diagnoses. A letter to affected patients offered an apology for the error. The letter included the nature of the breach and the information at risk and reiterated the institution’s commitment to patients, as well as steps taken in response to the incident.[6]

More than 1,000 clients of the Multnomah County Health Center in Portland, Ore., may have had their personal information and records breached in April due to a stolen laptop, the county health department said. According to health officials, the department has begun notifying the 1,092 clients that their names, medical record numbers, Medicaid IDs, dates of birth, gender, race, ethnicity, clinic and dates of service may have been accessed by a former employee who refused to return a county-issued computer. Social Security numbers and driver’s license numbers were part of the data potentially accessed, the county said. Clients who were affected by the data breach will receive a letter explaining how to enroll in a free identity theft program offered by the county.[7]

The health care sector received a B+ security rating for the first half of 2024, but it faces a critical vulnerability: supply chain cyber risk, according to cybersecurity advisory firm SecurityScorecard. In the wake of the Change Healthcare ransomware attack, SecurityScorecard threat analysts investigated what they termed the most critical risks faced by the 500 largest health care companies. They got better than expected results: the average security score was 88 out of 100. However, the report noted that the health care sector still has room for improvement, since organizations with a B rating are nearly three times more likely to be victims of data breaches than those with an A rating. Medical device and equipment companies scored two to three points lower than the overall health care sample, and those organizations also had a 16% higher rate of reported breaches and compromised machines than those in other health care sectors, the report said.[8]


1 U.S. Department of Health and Human Services, “Update to Change Healthcare Cybersecurity Incident FAQ Webpage,” July 30, 2024, blog, https://bit.ly/46CmE8w.

2 Jacky Rosen, U.S. Senator for Nevada, “Rosen Bipartisan Bill To Improve Cybersecurity In Healthcare Advances Out Of Committee,” news release, July 31, 2024, https://bit.ly/3WBAG5N.

3 American Hospital Association, “American Hospital Association and Health-ISAC Joint Threat Bulletin – TLP White,” July 1, 2024, https://bit.ly/4dw3Lq7.

4 Salvador Rizzo, “Jury convicts man of illegally accessing Justice Ginsburg’s health records,” The Washington Post, July 31, 2024, https://wapo.st/3WLOafg.

5 HealthEquity, “Notice of Data Breach,” accessed August 12, 2024, https://bit.ly/3WVI9hl.

6 WBRC Digital Staff, “UAB study postcard discloses patient information,” WBRC Fox 6 News, July 27, 2024, https://bit.ly/3SEj5sN.

7 Fox 12 Staff, “Stolen laptop leads to breach of 1,092 Multnomah Co. hea[l]th clients’ data,” Fox 12 Oregon, May 17, 2024, https://bit.ly/4fPBtJl.

8 SecurityScorecard, “Healthcare Industry Gets a ‘B+’ on Cybersecurity for 2024,” news release, June 25, 2024, https://bit.ly/3AeIYcd.
