2 Hacking Incidents Collectively Hit PHI of Nearly 750,000
Also, HHS Issues Updated HIPAA Guidance Pertaining to Violence Risks
In the home stretch of 2021, at least two more healthcare sector entities are in the process of notifying hundreds of thousands of individuals of recent hacking incidents compromising patients' protected health information.
Added this week to the Department of Health and Human Services' HIPAA Breach Reporting Tool website of major health data breaches affecting 500 or more individuals are large hacking/IT incidents reported by West Virginia-based Monongalia Health System Inc. and Florida-based BioPlus Specialty Pharmacy Services LLC. Combined, the two breaches affected nearly 750,000 individuals.
Separately, federal regulators this week issued updated guidance clarifying how the HIPAA Privacy Rule permits covered healthcare entities to disclose PHI in situations involving applications seeking "extreme risk protection orders" that temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms.
Monongalia Health System Phishing Incident
In a statement issued Wednesday, Morgantown, West Virginia-based Monongalia Health System and its affiliated hospitals, Monongalia County General Hospital Co. and Stonewall Jackson Memorial Hospital Co., which collectively are known as Mon Health, said they had concluded on Oct. 29 an investigation into a phishing incident involving a business email compromise scheme.
The incident potentially compromised PHI contained in emails and attachments of several Mon Health email accounts, the statement says.
Mon Health reported the incident to HHS' Office for Civil Rights as affecting nearly 399,000 individuals. The entity's notification statement says affected individuals include patients, employees, healthcare providers and contractors.
"Mon Health first became aware of the incident after a vendor reported not receiving a payment from Mon Health on July 28," the statement says. Mon Health promptly launched an investigation, determining that unauthorized actors had gained access to a Mon Health contractor's email account, sending emails from the account in an attempt to obtain funds from Mon Health through fraudulent wire transfers, the statement says.
"Upon learning of this, Mon Health secured the contractor's email account and reset the password, notified law enforcement, and a third-party forensic firm was engaged to assist with the investigation," the statement says.
The investigation also determined that unauthorized individuals gained access to several Mon Health email accounts between the dates of May 10 and Aug. 15. In response, Mon Health also secured the email accounts and reset their passwords, the statement says.
Information contained in the affected emails and attachments involves patients and members of Mon Health's employee health plan.
Potentially compromised information includes names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former Mon Health patient. Also potentially affected were Medicare insurance claim numbers, which could also contain Social Security numbers, the statement says.
The incident was limited to Mon Health's email system and did not involve Mon Health's electronic health records systems, the entity says.
The incident also did not disrupt the services or operations of Mon Health or any of its affiliated hospitals or healthcare facilities, the statement says.
In the wake of the incident, Mon Health says it is continuing to review and enhance its existing security protocols and practices, including the implementation of multifactor authentication for remote access to its email system.
BioPlus Specialty Pharmacy Services Breach
Altamonte Springs, Florida-based BioPlus Specialty Pharmacy Services on Dec. 10 reported to HHS OCR that a hacking incident involving a network server had affected the PHI of 350,000 individuals.
In a Dec. 10 notification statement, BioPlus says that on Nov. 11, it identified suspicious activity in its IT network. BioPlus says it immediately took steps to isolate and secure its systems, notified law enforcement authorities and launched an investigation with the assistance of a third-party forensic firm.
The investigation determined that an unauthorized party had gained access to BioPlus' IT network between Oct. 25 and Nov. 11. During that time, the unauthorized actor accessed files that contained information pertaining to certain BioPlus patients. "Our investigation could not rule out the possibility that information pertaining to all current and former BioPlus patients may have been subject to unauthorized access," the statement says.
The information potentially accessed includes patient names, dates of birth, addresses, medical record numbers, current/former health plan member ID numbers, claims information, diagnoses, and/or prescription information. For certain patients, Social Security numbers were also involved, BioPlus says.
To help prevent similar incidents in the future, BioPlus says it has implemented additional safeguards and technical security measures to protect and monitor its systems.
The Mon Health and BioPlus hacking incidents are among the latest breaches affecting hundreds of thousands of individuals added to the HHS OCR breach reporting website in recent days and weeks.
Others include a hacking incident reported on Dec. 10 by Houston-based Texas ENT Specialists affecting more than 535,000 individuals and another reported on Nov. 30 by Planned Parenthood Los Angeles affecting nearly 410,000 individuals.
New HIPAA Guidance
Separately, HHS OCR's guidance issued on Monday aims to clarify how the HIPAA Privacy Rule allows covered healthcare providers to disclose PHI about a person without the individual's authorization in circumstances involving the application for "extreme risk protection orders," or ERPOs.
An ERPO is a court order that temporarily prevents a person in crisis, who poses a danger to themselves or others, from accessing firearms, HHS OCR says.
"HIPAA should not be a barrier to communication for law enforcement, concerned family members, healthcare providers, and others when they see an individual in crisis," HHS OCR Director Lisa Pino says in a statement. She says the guidance "helps clarify legal requirements and better support individuals in crisis."
The guidance includes specific examples for each permitted disclosure of PHI in situations involving ERPOs. That includes scenarios in which a covered healthcare provider receives a court order compelling the provider to provide an individual’s medical records to the court to support its determination as to whether to issue an ERPO against the provider’s patient.
"This is not new, as OCR released guidance in 2016 and the HIPAA Security Rule has a law enforcement exception," says regulatory attorney Rachel Rose.
"The key is to use the minimum necessary and verify that due process procedure considerations and other laws are being followed. The trend in violence over the past 18 months in different settings and school shootings most likely had an impact" in HHS OCR issuing the update, she says.
Regulatory attorney Paul Hales of Hales Law Group notes that OCR’s latest guidance lines up with the agency's proposed HIPAA Privacy Rule modification, published in January, permitting PHI disclosures to avert "serious and reasonably foreseeable" health and safety threats. The current standard permits such disclosures only when a threat is "serious and imminent," he says.
"OCR explained the proposed modification, noting that in the wake of incidents of mass violence, such as shootings and acts of terrorism, it heard claims HIPAA prevented healthcare providers from disclosing PHI that could prevent those incidents," Hales says.
"It is tragic for violence to grow because health privacy laws are unclear or misunderstood by professionals who fear violating them."