OIG Audit Divulges Extensive Inappropriate Use of Medicare Part D Eligibility Verification Transactions

The Department of Health and Human Services’ Office of Inspector General (OIG) performed a review which showed that many pharmacies and other healthcare organizations are improperly accessing and using the information of Medicare beneficiaries.

OIG carried out the audit at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS), which wanted to find out whether Medicare beneficiaries’ details were being incorrectly accessed and used by mail-order and retail pharmacies and by other healthcare organizations, for example doctors’ offices, treatment centers, hospitals and long-term care facilities.

CMS was concerned that a mail-order pharmacy and other healthcare organizations were not using Medicare Part D Eligibility Verification Transactions (E1 transactions) correctly. E1 transactions ought to be used solely for confirming Medicare beneficiaries’ eligibility for particular plan benefits.

OIG conducted the review to find out whether E1 transactions were being used only for their intended purpose. Since E1 transactions contain the protected health information (PHI) of Medicare beneficiaries, they could potentially be used for fraud or other malicious or improper purposes.

An E1 transaction has two components: a request and a response. The healthcare organization submits an E1 request containing an NCPDP provider ID number or NPI together with basic patient demographic details. The request is sent to the transaction facilitator, which matches the E1 request details against the information held in the CMS eligibility archive. A response is then returned containing the beneficiary’s Part D coverage details.

CMS selected one mail-order pharmacy and 29 other companies for the review. Of the 30 entities reviewed, 25 used E1 transactions for a purpose other than billing for prescriptions or determining the order of drug coverage for beneficiaries with multiple insurance plans. 98% of the E1 transactions of those 25 companies were not related to prescriptions.

OIG learned that companies were obtaining coverage details for beneficiaries who had no prescriptions. Specifically:

  • companies were using E1 transactions to assess sales prospects
  • several providers had allowed marketing firms to submit E1 transactions for sales purposes
  • companies were obtaining data on private insurance coverage for items not covered by Part D
  • long-term care facilities had obtained Part D coverage information using batch transactions
  • E1 transactions were submitted by 2 non-pharmacy firms

E1 transactions are covered by HIPAA, and its minimum necessary requirements apply to them. PHI must be safeguarded against unauthorized access whenever it is stored electronically or transmitted between covered entities. The review findings indicate that HIPAA is being violated and that this may well be a nationwide concern. Given the results of the review and the evident widespread improper access to and use of PHI, OIG is going to extend the reviews nationally.

OIG believes these problems have arisen because CMS has not fully implemented controls to monitor providers that submit large numbers of E1 transactions relative to the prescriptions they dispense; CMS has yet to provide clear guidance that E1 transactions must not be used for marketing purposes; and CMS has not restricted non-pharmacy access.

Following the review, CMS has taken additional steps to monitor for misuse of the eligibility verification system and will take appropriate enforcement action where misuse is identified. OIG has recommended that CMS issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized businesses submit E1 transactions.
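The monitoring control OIG says CMS has not fully implemented (providers submitting many E1 transactions relative to prescriptions dispensed, and non-pharmacy submitters) can be expressed as a simple audit over transaction records. The following is an added illustration written for this page; it is not OIG or CMS code. The sample E1 requests, prescription claims, provider IDs and the 50% threshold are all constructed, and the E1-to-prescription ratio is a plausible heuristic rather than a documented CMS rule.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    npi: str          # submitting provider ID (NPI or NCPDP ID)
    e1_count: int     # E1 requests submitted in the review window
    unmatched: int    # E1 requests with no prescription claim for that beneficiary
    reason: str


# Constructed sample data, not figures from the OIG audit. Each record is
# (submitter ID, beneficiary ID). All provider IDs are hypothetical.
E1_REQUESTS: List[Tuple[str, str]] = (
    [("1234567890", f"B{i}") for i in range(1, 4)]      # retail pharmacy, 3 lookups
    + [("2345678901", f"B{i}") for i in range(4, 14)]   # pharmacy, 10 lookups
    + [("3456789012", "B20"), ("3456789012", "B21")]    # not a pharmacy at all
)
RX_CLAIMS: List[Tuple[str, str]] = (
    [("1234567890", f"B{i}") for i in range(1, 4)]      # every lookup led to a fill
    + [("2345678901", "B4")]                            # only 1 of 10 did
)
PHARMACY_IDS: Set[str] = {"1234567890", "2345678901"}


def audit_e1_usage(
    e1_requests: List[Tuple[str, str]],
    rx_claims: List[Tuple[str, str]],
    pharmacy_ids: Set[str],
    max_unmatched_ratio: float = 0.5,
    min_volume: int = 5,
) -> List[Finding]:
    """Flag submitters whose E1 volume is out of proportion to the prescriptions
    they dispense, and any submitter that is not an authorized pharmacy."""
    claimed = set(rx_claims)                      # (submitter, beneficiary) pairs with a fill
    by_submitter: Dict[str, List[str]] = defaultdict(list)
    for submitter, beneficiary in e1_requests:
        by_submitter[submitter].append(beneficiary)

    findings: List[Finding] = []
    for submitter, beneficiaries in sorted(by_submitter.items()):
        unmatched = sum(1 for b in beneficiaries if (submitter, b) not in claimed)
        if submitter not in pharmacy_ids:
            findings.append(Finding(submitter, len(beneficiaries), unmatched,
                                    "non-pharmacy submitter"))
            continue
        # Some E1s without a fill are legitimate (coordination of benefits across
        # plans), so flag on a ratio above a threshold, not on any single mismatch.
        if (len(beneficiaries) >= min_volume
                and unmatched / len(beneficiaries) > max_unmatched_ratio):
            findings.append(Finding(submitter, len(beneficiaries), unmatched,
                                    "E1 volume out of proportion to prescriptions"))
    return findings


if __name__ == "__main__":
    for f in audit_e1_usage(E1_REQUESTS, RX_CLAIMS, PHARMACY_IDS):
        print(f"{f.npi}: {f.unmatched}/{f.e1_count} E1s without a prescription - {f.reason}")
```

The minimum-volume guard keeps a small pharmacy with a handful of coordination-of-benefits lookups from being flagged, while a submitter with a 90% unmatched ratio over ten requests, or any submitter outside the authorized pharmacy list, is reported for follow-up.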

Email Security Breaches at Shields Health Solutions and Lafayette Regional Rehabilitation Hospital

Shields Health Solutions Email Account Breach

Shields Health Solutions, located in Stoughton, MA, provides specialty pharmacy services to covered entities and hospitals. Unauthorized access to an employee’s email account may have allowed the attacker to view or copy the protected health information (PHI) contained in the account.

Shields Health Solutions spotted suspicious activity in the employee’s email account on October 24, 2019. A cybersecurity firm investigated the incident and determined that the account had been accessed by an unauthorized individual from October 22 to October 24, 2019. The breach affected only one email account.

The email messages and attachments in the account contained the names of patients, birth dates, names of providers, medical record numbers, clinical information, prescription information, insurance company names, and minimal claims information. There is no proof that indicates patient data access or copying by the hacker.

Shields Health Solutions strengthened its email security by implementing multi-factor authentication on all employees’ email accounts, and mailed notification letters to all affected individuals on December 16, 2019. The breach has not yet been posted on the HHS’ Office for Civil Rights (OCR) breach portal, so the actual number of affected individuals is not yet known.

Lafayette Regional Rehabilitation Hospital Email Breach

In July 2019, Lafayette Regional Rehabilitation Hospital located in Lafayette, IN learned about unauthorized access to an employee’s email account resulting in the potential viewing of patients’ PHI.

As soon as the hospital learned of the breach on November 25, 2019, an investigation was started to determine whether unauthorized persons had viewed any patient information. There is no certainty that the attackers viewed or copied patient data, but it is possible that they did. The information in the compromised email account included names, birth dates, clinical information and treatment details relating to medical services received at the hospital. The Social Security numbers of several patients were also compromised.

On January 24, 2019, the hospital mailed breach notification letters to affected patients and offered those who had their Social Security numbers compromised free credit monitoring services. Further action taken by Lafayette Regional Rehabilitation Hospital included improving email security and reinforcing employee training on security awareness.

OCR already received the breach report which stated that approximately 1,360 patients were affected.

5,000+ Individuals Impacted by Phishing Attacks on Phoenix Children’s Hospital, VillageCareMAX and VillageCare Rehabilitative and Nursing Center

Village Senior Services Corporation, also known as VillageCareMAX (VCMAX), and Village Center for Care, also known as VillageCare Rehabilitative and Nursing Center (VRNC), experienced a business email compromise (BEC) attack. During a BEC attack, a threat actor impersonates an executive. It could be by accessing the executive’s real email account that was previously compromised in an attack or it could be spoofing the email address of an executive.

The sensitive data of VCMAX members and VRNC patients was requested by an unauthorized individual pretending to be an executive staff member. An employee believed the request was legitimate and responded by providing the requested information. On December 30, 2019, VCMAX and VRNC received notice of a potential BEC attack.

Investigation of the incident confirmed the bogus request and the impermissible disclosure of sensitive information of VCMAX members and VRNC patients. The compromised data in the email account included the Medicaid ID numbers and names of 2,645 VCMAX members and the first and last names, dates of birth, names of the insurer, and Insurance ID numbers of 674 VRNC patients.

No reports of personal data misuse have been received; nevertheless, all impacted persons were instructed to be vigilant and to monitor their explanation of benefits statements, accounts and credit reports for signs of fraudulent activity. VCMAX and VRNC are reviewing their policies and procedures, and improvements will be implemented to prevent similar attacks in the future.

Phoenix Children’s Hospital Phishing Attack

Phoenix Children’s Hospital had a targeted phishing attack from September 5 to September 20, 2019, which brought about the breach of seven hospital employees’ email accounts.

After learning that a breach had occurred, the hospital engaged a well-known computer forensics company to determine the scope of the breach. On November 15, 2019, it was confirmed that the compromised email accounts contained the protected health information (PHI) of 1,860 past and present patients. It is possible that the attackers accessed or downloaded the information, which included names, personal information, and Social Security numbers, along with some medical information for certain patients.

Phoenix Children’s Hospital mailed breach notification letters to the impacted patients beginning January 14, 2020. The hospital at the same time offered the patients who had potentially compromised Social Security numbers free credit monitoring and identity theft protection services.

Patients Desire Easy Health Data Access But Prefer Better Privacy Protections

A new survey conducted by Morning Consult on behalf of America’s Health Insurance Plans (AHIP) revealed that patients want quick access to their health information, presented in a brief, easy to understand format. Nonetheless, patients and consumers are well aware that cyberattacks and data breaches could compromise their private health data. 62% of the surveyed patients and consumers said they would be willing to forgo easy access to their health information in exchange for greater privacy protections for their health data.

In November 2019, President Trump signed an Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First. Several agencies, including the Department of Health and Human Services, the Department of the Treasury and the Department of Labor, responded by proposing a new Transparency in Coverage Rule. The rule would require employer-based group health plans and health insurers offering group and individual coverage to disclose price and cost-sharing details to participants, enrollees, and beneficiaries up front.

With that information available, patients know how much they will have to pay to satisfy their plan’s deductible, co-insurance or co-pay requirements, and can easily compare costs.

The price of healthcare procedures is a major concern for patients. 52% of poll respondents said they were very likely, and 22% somewhat likely, to research the cost of a medical procedure or service covered by their health insurance plan. 68% said it was very likely or somewhat likely that they would choose a cheaper medical procedure than the one a physician recommended. 66% of survey participants said they would consider seeing a specialist other than the one their doctor recommended if the quality of care was the same at a lower price.

Although quick access to cost details and greater transparency are welcome, 3 in 4 poll participants said they would not support a federal rule that improves transparency but at the same time increases insurance premiums.

When it comes to obtaining details on medical treatments, patients prefer easy to understand data over complete data. 82% of adults said they place more value on applications and websites with concise, easy to understand information about medical treatment than on complete information that is unclear.

The survey also showed strong support for federal laws similar to HIPAA for technology companies that collect or receive health information. 90% of participants said tech firms should have to comply with stringent privacy and security requirements, as is the case for healthcare providers.

More Patients Affected by Quest Health Systems Phishing Attack in 2018

Health Quest, which is presently a part of Nuvance Health, learned that the impact of the phishing attack in July 2018 was more extensive than first believed.

Some staff were deceived by phishing emails into disclosing their email account credentials, allowing unauthorized persons to access their accounts. A prominent cybersecurity company assisted with the investigation to determine whether patient data had been breached.

In May 2019, Quest Health found that the email messages and attachments in the breached accounts contained the protected health information (PHI) of 28,910 patients, and the health system sent notification letters to the impacted individuals. The details in the breached accounts included patient names, contact details, claims data, and some medical information.

A further investigation of the breach revealed on October 25, 2019 that yet another employee email account containing PHI had been compromised. According to the substitute breach notification published on the Quest Health website, the compromised details varied from patient to patient, but names and one or more of the following data elements may have been included:

Birth dates, driver’s license numbers, Medicare Health Insurance Claim Numbers (HICNs), Social Security numbers, provider name(s), treatment dates, treatment and diagnosis data, medical insurance plan member and group numbers, medical insurance claims data, financial account data with PIN/security code, and payment card data.

No evidence was uncovered that unauthorized persons viewed patient information, and no reports of patient data misuse have been received. As a precaution, Health Quest mailed a further notification letter to patients on January 10, 2020.

As a result of the breach, Quest Health has implemented multi-factor authentication for email accounts, hardened its security systems, and given staff additional training on phishing and other cybersecurity concerns.

There is no definite statement as to how many additional patients were impacted by the breach. To date, the number of people impacted as stated on the HHS’ Office for Civil Rights breach portal is still 28,910.

Microsoft Finally Stops Support for Windows 7

Microsoft no longer provides support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 as of January 14, 2020, and will not release any further patches to correct OS vulnerabilities. Office 2010 is likewise no longer supported.

Microsoft will issue a final update for the operating systems on January 14, 2020 that fixes all known vulnerabilities; however, it will only be a matter of time before cybercriminals find exploitable vulnerabilities they can use to steal information and install malware.

Although Microsoft gave notice of the operating system’s end of life long ago, it remained the second most widely used operating system after Windows 10. NetMarketShare reported that in December 2019, 33% of all desktop and laptop computers were running Windows 7.

Many healthcare companies continue to use Windows 7 on some devices. Continued use of those devices without support increases the risk of cyberattacks and, consequently, of HIPAA Security Rule violations.

The obvious solution is to upgrade from Windows 7 to Windows 10, though that may not be easy. Besides buying licenses and updating the OS, hardware may also need upgrading, and certain applications may not function on more recent operating systems. The upgrade is therefore a major task that could take a lot of time.

If it is not possible to upgrade Windows 7 and Windows Server 2008 systems, steps must be taken to secure the devices, reduce the likelihood of a compromise, and limit the impact of a cyberattack.

To minimize the odds of a compromise, the following best practices should be observed:

Prevent Windows 7 devices from connecting to untrusted content. This means the devices should not be used for browsing the web or accessing email accounts. Avoid using removable media and portable storage devices with them as well.

Remove local administrator rights from all Windows 7 machines and strengthen firewall protection. Do not use the devices to access sensitive information such as protected health information (PHI). Move any sensitive data found on the devices to devices running supported operating systems.

Malware infection is more likely on devices running unsupported operating systems. Be sure to install up-to-date anti-virus software, scan the devices for malware regularly, and monitor them for signs of attack.

Microsegmentation can help limit the damage in the event of a compromise. All devices running unsupported operating systems should be separated from other systems and permitted to connect only to the services they critically need. Remove their access to core servers and systems. Review and update business continuity plans to ensure that critical business operations can continue in the event of a compromise. Extended support is very expensive, but it is strongly advised.

These measures reduce risk, but they do not remove it. Organizations should therefore accelerate their plans to upgrade their operating systems and computer hardware. Running a supported OS is the only way to fully secure these devices.

Hospital Staff Pleads Guilty to Patient Account Intrusion for Five Years

The U.S. Department of Justice (DOJ) reported that a former employee of an unnamed hospital in New York City has pleaded guilty to using malicious software to obtain the credentials of co-workers, which he then misused to steal sensitive data.

Richard Liriano, 33, of the Bronx, New York, was an IT employee at the hospital. He had administrative-level access to the hospital’s computer systems but abused those access rights and copied patient information onto his personal computer.

From 2013 to 2018, Liriano used a keylogger to capture the credentials of a number of hospital co-workers. Those credentials allowed Liriano to access the co-workers’ PCs and web accounts and obtain sensitive data including tax records, personal photos, videos, and other personal documents and files. He also used other malicious software to spy on his co-workers.

Liriano stole his co-workers’ login credentials for their private webmail accounts, social network accounts, and other web-based accounts. He also gained access to hospital computer systems containing sensitive patient data. According to the DOJ, Liriano’s intrusions cost his employer close to $350,000 to remediate.

From 2013 to 2018, Liriano logged into his co-workers’ PCs and private accounts on numerous occasions in search of sensitive data. Most of his 70+ victims were women. The DOJ states that Liriano searched their personal accounts for sexually explicit photographs and videos.

Liriano was arrested on November 14, 2019 after the intrusions were discovered. On December 20, 2019, he pleaded guilty to one count of transmitting a program to a protected computer with intent to cause damage.

Geoffrey S. Berman, the U.S. Attorney for the Southern District of New York, said that Liriano’s crimes did not merely violate the personal privacy of his co-workers; he also unlawfully logged into computers holding critical healthcare and patient data, costing his former employer tens of thousands of dollars to remediate, and he will now be held accountable for his conduct.

Liriano faces a maximum prison term of 10 years. He is due to be sentenced on April 15, 2020 by U.S. District Judge Lewis A. Kaplan.

Ambulance Company Pays $65,000 Financial Penalty for Multiple HIPAA Violation Cases

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $65,000 financial penalty on West Georgia Ambulance, Inc. to settle multiple violations of the Health Insurance Portability and Accountability Act.

OCR’s investigation of the Carroll County, GA ambulance company began after it received a breach notification on February 11, 2013 concerning the loss of an unencrypted laptop computer containing the protected health information (PHI) of 500 patients. The breach report stated that the laptop had fallen off the rear bumper of an ambulance and the company was unable to recover it.

OCR’s investigation revealed longstanding noncompliance with several HIPAA Rules. West Georgia Ambulance was found to be in violation of the following:

  • 45 C.F.R. § 164.308(a)(1)(ii)(A) for failure to conduct a complete, company-wide risk analysis
  • 45 C.F.R. § 164.308(a)(5) for not giving its employees a security awareness training program
  • 45 C.F.R. § 164.316 for not enforcing HIPAA Security Rule policies and procedures

OCR provided technical assistance to West Georgia Ambulance to help the company address its compliance problems, but even with that support, OCR said the company took no meaningful steps to resolve its noncompliance. Consequently, OCR imposed a financial penalty.

In addition to paying the $65,000 financial penalty, West Georgia Ambulance must follow a corrective action plan to correct all areas of noncompliance identified by OCR. OCR will closely monitor West Georgia Ambulance’s HIPAA compliance program for two years to ensure it complies with the HIPAA Rules.

Patients who use an ambulance service should not have to worry about the privacy and security of their medical information. All healthcare providers, large or small, should take their HIPAA obligations seriously.

This is the 10th HIPAA financial penalty OCR has imposed in 2019. In total, OCR collected $12,274,000 in financial penalties to resolve noncompliance issues in 2019.

10,000 Medicare Beneficiaries Impacted by CMS Blue Button 2.0 Coding Bug

The Centers for Medicare and Medicaid Services (CMS) has uncovered a bug in its Blue Button 2.0 API that affected the protected health information (PHI) of 10,000 Medicare beneficiaries. CMS has temporarily suspended the Blue Button API while an investigation and detailed code analysis are in progress. There is no word yet on when the Blue Button 2.0 service will be available again.

On December 4, 2019, a third-party application partner informed CMS of a data anomaly connected to the Blue Button API. CMS confirmed the problem and quickly suspended access to the system while it investigated.

The anomaly was due to a coding bug that caused data to be shared with the wrong beneficiaries and Blue Button 2.0 apps. CMS stated that the bug affected 30 applications. Medicare beneficiaries use the Blue Button platform to permit third-party apps and services to access their claims data. A CMS identity management system creates a random, unique user ID and ensures that the correct beneficiary’s claims data is shared with the appropriate third-party apps. CMS discovered a coding bug in Blue Button 2.0 that transformed the 128-bit user ID into a 96-bit user ID. Because the 96-bit user ID lacked randomness, a number of beneficiaries ended up with the same truncated user ID. As a result, the claims information of beneficiaries sharing a truncated user ID in the identity management system was disclosed to other beneficiaries and applications via Blue Button 2.0.

Initially, it was not clear how the bug had been introduced or why it had not been identified sooner to prevent the exposure of sensitive beneficiary information.

The investigation findings point to three lessons, relating to testing, code reviews, and cross-team collaboration.

According to the CMS investigation, the bug was introduced on January 11, 2018. Code changes are usually reviewed thoroughly, but no detailed review was carried out in January. Had a review been performed, CMS would most likely have discovered the bug and corrected it before any sensitive data was shared.

CMS tests Blue Button 2.0 using synthetic data to validate functionality so that no PHI is put at risk. In this case, the integration of Blue Button 2.0 with other systems was not tested, and it was integrated with the identity management system without testing.

CMS notes that a separate identity management team works on the code that generates the user ID token. The Blue Button 2.0 team assumed that the token worked correctly and did not validate it. Had the two teams collaborated more closely, they would have had the details needed to make sound decisions.

CMS has already taken steps to prevent further errors. An improved check and verification process is now in place, and the Blue Button 2.0 team is thoroughly checking all new code to identify and correct coding errors before changes go live. Blue Button 2.0 will no longer truncate user IDs and will keep the complete user IDs.

A full platform and code review is under way, and the API will remain unavailable until the review is complete. CMS is also conducting a comprehensive evaluation to determine the likely effect on Medicare beneficiaries and decide what further steps are needed to secure their data, including providing credit monitoring services.
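The failure described above, a 128-bit user ID truncated to 96 bits so that two beneficiaries resolve to one token, and the missing integration test that would have caught it, can both be modelled in a few lines. The following is an added illustration written for this page; it is not CMS or Blue Button 2.0 code and does not reflect how that API is implemented. It assumes that the truncation dropped the low 32 bits (the page says only that 128 bits became 96), and the two constructed IDs are given identical top 96 bits to model the page’s point that the retained portion lacked randomness. The `ClaimsGateway` class, the beneficiary names and the claim labels are all made up.

```python
from itertools import combinations
from typing import Callable, Dict, List, Optional, Tuple

FULL_BITS = 128
TRUNCATED_BITS = 96


def buggy_truncate(user_id: int) -> int:
    """The faulty transformation the article describes: a 128-bit ID reduced
    to 96 bits. Assumption: the low 32 bits are the ones dropped."""
    return user_id >> (FULL_BITS - TRUNCATED_BITS)


def keep_full(user_id: int) -> int:
    """The corrected behaviour: the full 128-bit ID is the token."""
    return user_id


class ClaimsGateway:
    """Hypothetical model of the token-to-beneficiary mapping: an identity
    token selects whose claims an authorised app receives."""

    def __init__(self, transform: Callable[[int], int]) -> None:
        self._transform = transform
        self._owner: Dict[int, str] = {}          # token -> beneficiary
        self._claims: Dict[str, List[str]] = {}   # beneficiary -> claims

    def link(self, beneficiary: str, user_id: int, claims: List[str]) -> None:
        token = self._transform(user_id)
        self._owner[token] = beneficiary          # silently overwrites on collision
        self._claims[beneficiary] = claims

    def claims_by_user_id(self, user_id: int) -> Optional[List[str]]:
        owner = self._owner.get(self._transform(user_id))
        return None if owner is None else list(self._claims[owner])


# Constructed IDs that agree in their top 96 bits and differ only in the low
# 32 bits. The values are made up for this example.
SHARED_PREFIX = 0x0123456789ABCDEF01234567      # 96 bits
ALICE_ID = (SHARED_PREFIX << 32) | 0x000000A1
BOB_ID = (SHARED_PREFIX << 32) | 0x7F3A9C21


def claims_seen_by_alice(transform: Callable[[int], int]) -> Optional[List[str]]:
    """Link two beneficiaries, then ask for Alice's claims. With the buggy
    transform, Bob's later link overwrote Alice's token and she sees his data."""
    gw = ClaimsGateway(transform)
    gw.link("alice", ALICE_ID, ["claim-A1"])
    gw.link("bob", BOB_ID, ["claim-B1"])
    return gw.claims_by_user_id(ALICE_ID)


def find_token_collisions(user_ids: List[int],
                          transform: Callable[[int], int]) -> List[Tuple[int, int]]:
    """Pre-deployment check: report any two distinct IDs mapping to one token.
    This is the kind of integration test the article says was not run."""
    return [(a, b) for a, b in combinations(user_ids, 2)
            if a != b and transform(a) == transform(b)]


if __name__ == "__main__":
    print("truncated IDs, Alice sees:", claims_seen_by_alice(buggy_truncate))
    print("full IDs, Alice sees:     ", claims_seen_by_alice(keep_full))
    print("collisions under truncation:",
          find_token_collisions([ALICE_ID, BOB_ID], buggy_truncate))
```

The collision check is only useful if it runs against IDs shaped like the ones the identity management system actually issues; run against synthetic IDs with randomness in every bit, `find_token_collisions` would pass even with the truncation in place, which is why the article stresses testing the integration between the two teams’ components rather than each in isolation.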

Theft of Devices Containing PHI of Truman Medical Centers and La Clínica de La Raza Patients

Truman Medical Centers in Kansas City, MO, the city’s largest provider of inpatient and outpatient services, has discovered that an unencrypted laptop computer containing the protected health information (PHI) of 114,466 patients was stolen from an employee’s vehicle.

The laptop was password-protected, but the password could be cracked and the information on the device accessed. At the time the notices were issued, Truman Medical Centers had found no evidence that an unauthorized person had accessed or misused any patient data.

The types of information on the laptop varied from patient to patient, but may have included patients’ names together with at least one of the following: birth dates, patient account numbers, Social Security numbers, medical record numbers, health insurance details, and some medical and treatment data, including dates of service, diagnoses, and provider names.

The theft occurred on July 18, 2019, but it was not confirmed that the device contained patient data until October 29, 2019. Truman Medical Centers has notified by mail all individuals whose PHI was stored on the laptop. Those whose Social Security numbers were potentially compromised have been offered free credit monitoring and identity protection services.

Employees have received additional training on portable device security, and additional security controls have been installed on employee laptops.

Theft of Blackberry Containing the PHI of 2,477 La Clínica de La Raza, Inc. Patients

La Clínica de La Raza, Inc. provides primary health care and other services in Contra Costa, Alameda, and Solano counties in California. It discovered the theft of a portable electronic device on August 20, 2019.

A briefcase stolen from an employee’s vehicle contained a Blackberry device issued by La Clínica de La Raza. With the help of a computer forensics company, La Clínica de La Raza confirmed on October 16, 2019 that the device contained the PHI of 2,477 patients.

The data was contained in two email messages that had been downloaded to the Blackberry device. The emails included names, dates of birth, non-sensitive test data and medical record numbers.

Although it is possible that unauthorized persons could access the information, La Clínica de La Raza stated that accessing the PHI would have been difficult. La Clínica de La Raza notified the affected patients of the breach by mail on December 13, 2019 and offered them a free one-year membership of credit monitoring and identity protection services.

The company is also taking steps to strengthen the protection of portable electronic devices and has given employees additional training on portable device security.