HIPAA Say What!?!
[08:43] Sixteenth – yes, 16th Patient Right of Access settlement.
OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative
Sharp Rees-Stealy Medical Centers HIPAA Resolution Agreement and Corrective Action Plan
Sharp HealthCare has agreed to take corrective actions and pay $70,000
“Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right,” said Acting OCR Director Robinsue Frohboese.
In June 2019, a complaint was filed with OCR alleging that SRMC failed to take timely action in response to a patient’s records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. OCR provided SRMC with technical assistance on the HIPAA Right of Access requirements. In August 2019, OCR received a second complaint alleging that SRMC still had not responded to the patient’s records access request. OCR initiated an investigation and determined that SRMC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, SRMC provided access to the requested records.
PACS Images Exposed Part 2
[17:46] https://www.healthcareinfosecurity.com/pacs-flaws-put-data-at-risk-for-18-months-a-16021
Article Feb 17, 2021
PACS Flaws Put Data at Risk for 18 Months
California Medical Imaging Group Describes Data Exposure
A California medical imaging group practice says vulnerabilities in its picture archiving and communications system left patient data at risk of unauthorized access for more than a year.
Wait a minute. This sounds familiar.
Sutter Buttes Imaging Medical Group, based in Yuba City, California, recently disclosed that in December 2020, it learned that the PACS system had been vulnerable to hacking from July 2019 to December 2020.
The practice’s administrator tells Information Security Media Group that the vulnerabilities left accessible “names of about 100,000 patients on a worklist.” The German security firm Greenbone Networks discovered the flaws while it was conducting its own research, the administrator says.
The vulnerabilities in the PACS included open ports and authentication issues, the administrator says. The practice did not reveal the brand of the PACS system.
The practice learned about the potential data exposure when it was alerted by the Department of Health and Human Services’ Office for Civil Rights, the administrator says.
[18:55] Oh, yeah, this does sound familiar. In Feb 2020 we did an episode about this – Images Exposed – Episode 243. At the time we had been following the story for months before discussing it. Let’s review what we knew back then…
An article was published in ProPublica in September 2019 based on findings from a German research company, Greenbone. At that time it was reported that there were images exposed for around 5 million patients in the US alone, plus millions more from around the world.
By the time it was all said and done, they found that some states, all by themselves, had over 5 million patients with images exposed. And they published a really cool map of the US showing how many patients had images exposed by state. GA and FL had over 1 million patients with images exposed, and California, where Sutter Buttes in Yuba City is located, had over 10 million patients with exposed images.
[21:55] Turns out the PACS system had been vulnerable from July 2019 to December 2020. And they didn’t learn about this until the Department of Health and Human Services Office for Civil Rights alerted them. Uh oh!
There is some good news, though. According to the article, Sutter Buttes has “hired IT consultants to help bolster SBI’s security controls”. So does that mean they didn’t have that done before? Was no one handling security prior to this? Did they believe that someone was taking care of it, only to find out they were screwed?
There are millions of images from thousands of providers still exposed on the internet. Apparently no one is paying attention at the healthcare facilities. But you know who is paying attention? The criminals are. They see these announcements and take it as their cue to try to exploit this vulnerability to do even more damage.
[35:05] You don’t even have to be a sophisticated criminal to use those images to identify people, or at least narrow the list down to sometimes a very small number of people. MIT researchers have created a website where you can enter your zip code, date of birth and maybe your sex, and it will show you how easy it is to identify you with just a few pieces of information.
Have you ever tried to find someone by their name and maybe the state or company they work for, say on Facebook or LinkedIn? It isn’t that hard. Right?
So, the idea that these are just images with very little information about an individual so no one needed to be dealing with it is crazy… and scary. So, if you see information actively out there and vulnerable, share it with someone who can do something about it.
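To put a number on “just a few pieces of information,” here is an added example (not from the episode or from any of the organizations mentioned) that measures how uniquely zip code, date of birth and sex pin down records in a constructed, invented worklist-style sample, and how much coarsening those fields (a k-anonymity check in the Sweeney style) reduces that risk:

```python
from collections import Counter

# Constructed sample in the shape of a modality worklist entry:
# (display name, zip code, date of birth, sex). Invented values only,
# not data from any real PACS or patient.
RECORDS = [
    ("Patient A", "95991", "1970-03-14", "F"),
    ("Patient B", "95993", "1970-11-02", "F"),
    ("Patient C", "95991", "1982-05-05", "M"),
    ("Patient D", "95993", "1982-09-09", "M"),
    ("Patient E", "95993", "1955-07-30", "M"),
    ("Patient F", "95993", "1955-07-30", "M"),
    ("Patient G", "95991", "1955-01-01", "M"),
    ("Patient H", "95961", "1990-01-01", "F"),
    ("Patient I", "95965", "1990-12-31", "F"),
]
FIELD = {"zip": 1, "dob": 2, "sex": 3}  # column positions of the quasi-identifiers


def equivalence_classes(records, fields=("zip", "dob", "sex")):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[FIELD[f]] for f in fields) for r in records)


def k_anonymity(records, fields=("zip", "dob", "sex")):
    """Size of the smallest class; k=1 means at least one person is pinned down uniquely."""
    return min(equivalence_classes(records, fields).values())


def unique_fraction(records, fields=("zip", "dob", "sex")):
    """Share of records whose quasi-identifier combination matches nobody else."""
    classes = equivalence_classes(records, fields)
    singletons = sum(1 for r in records if classes[tuple(r[FIELD[f]] for f in fields)] == 1)
    return singletons / len(records)


def generalize(records, zip_digits=3, dob_chars=4):
    """Coarsen zip to a prefix and DOB to its leading characters (4 keeps only the year)."""
    return [(n, z[:zip_digits], d[:dob_chars], s) for n, z, d, s in records]


if __name__ == "__main__":
    print("full detail: k =", k_anonymity(RECORDS), "unique =", round(unique_fraction(RECORDS), 2))
    coarse = generalize(RECORDS)
    print("zip3 + year: k =", k_anonymity(coarse), "unique =", unique_fraction(coarse))
```

With full zip and full date of birth, 7 of the 9 constructed records are unique on those three fields alone; coarsening to a 3-digit zip prefix and birth year raises k to 2 and leaves no singletons.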
