Up to 69,000 Persons Affected by Cyberattacks on Healthcare Fiscal Management and Friendship Community Care

Healthcare Fiscal Management Inc. (HFMI), located in Wilmington, NC, provides physician groups, hospitals and clinics with self-pay conversion and insurance eligibility services. HFMI suffered a ransomware attack that gave the attackers access to the personal and protected health information (PHI) of patients of St. Mary’s Health Care System, based in Athens, GA.

An unauthorized person accessed HFMI’s systems on April 12, 2020 and deployed a ransomware payload the next day that encrypted data stored on those systems. The systems accessed held the personal information and PHI of patients who received medical services at St. Mary’s between November 2019 and April 2020.

The attackers potentially accessed and acquired the information of about 58,000 patients, although data access or theft could not be confirmed. The PHI stored on the affected systems included names, Social Security numbers, birth dates, account numbers, health record numbers, and dates of service.

HFMI had prepared for this kind of event and had viable backups, which were used to restore the data to an alternative hosting provider the same day. A forensic investigation firm was engaged to investigate the incident. The forensic investigators reported that the attackers do not have possession of the data and that the data has not been found available online.

Security experts are reviewing security settings and, on their advice, steps are being taken to improve security. As a precaution against identity theft and fraud, HFMI has offered all affected individuals complimentary credit monitoring and identity theft protection services.

Phishing Attack on Friendship Community Care Affects 9,745 Patients

Friendship Community Care (FCC), a not-for-profit provider of care to adults and children with disabilities based in Russellville, AR, suffered a phishing attack in January 2020.

FCC identified the attack on February 4, 2020 after noticing suspicious activity in an employee’s email account. Forensic investigators assisted with the investigation and confirmed on February 5, 2020 that an unauthorized person had accessed the account; further investigation revealed that several Office 365 email accounts had been compromised using credentials obtained in the phishing attack.

On February 7, 2020, FCC determined that the compromised accounts contained PHI. A detailed review of the accounts confirmed that the PHI of 9,745 individuals was potentially accessed, although no evidence was found that the attacker actually viewed or exfiltrated any emails.

The compromised email accounts contained names, birth dates, addresses, Client ID numbers, Social Security numbers, Medicaid IDs/Medicare IDs, employer ID numbers, patient numbers, medical data, state ID card numbers, student ID numbers, driver’s license numbers, financial account details, mother’s maiden names, marriage certificates, birth certificates, facial photographs and disability codes.

FCC has offered free credit monitoring and identity protection services to affected individuals. A review of email security has been performed and steps are being taken to strengthen security to prevent similar breaches in the future.

Ransomware Attacks on North Shore Pain Management and Florida Orthopaedic Institute

North Shore Pain Management (NSPM) in Massachusetts has started notifying 12,472 patients that hackers potentially stole some of their protected health information (PHI). NSPM discovered the breach on April 21, 2020, and its investigation confirmed that the attackers first gained access to its systems on April 16, 2020.

NSPM posted a substitute breach notice on its website but did not disclose the nature of the attack. However, Emsisoft and databreaches.net confirmed that AKO ransomware was used in the attack. When no ransom was paid, the group behind the attack published 4GB of stolen data on its Tor leak site.

The leaked data includes a range of sensitive employee and patient information. NSPM’s breach notice states that the stolen information includes patient names, health insurance information, account balances, birth dates, financial information, and diagnosis and treatment information. Ultrasound and MRI images were also compromised for several patients. Patients whose health insurance ID/member number was their Social Security number also had their SSN exposed.

Because the stolen data has been published online, NSPM advised affected patients to monitor their explanation of benefits statements and financial accounts for any sign of misuse. NSPM is offering complimentary credit monitoring and identity theft protection services to patients whose Social Security numbers were exposed, and has engaged a new IT management provider to strengthen its cybersecurity.

The AKO ransomware group operates like other gangs that deploy ransomware manually: it steals data before encrypting files to increase the likelihood that the ransom is paid. For companies with large revenues, the AKO group typically demands two separate payments, one for the decryptor and another for deletion of the stolen data. The fee for data deletion can range from $100,000 to $2,000,000.

The group claims that some healthcare providers pay only the data deletion fee. It has not been confirmed whether NSPM paid a ransom.

Ransomware Attack on Florida Orthopaedic Institute

Florida Orthopaedic Institute in Tampa, FL suffered a ransomware attack on April 9, 2020 that resulted in the encryption of patient data. An internal investigation showed that patients’ personal information and PHI may have been stolen before the files were encrypted. However, Florida Orthopaedic Institute has received no reports of patient data being misused as a result of the attack.

Florida Orthopaedic Institute engaged a third-party computer forensics firm to continue the investigation. Steps have already been taken to recover the encrypted data and secure its servers. Affected patients have been sent breach notification letters, which include an offer of free fraud consultation, credit monitoring, and identity theft restoration services.

The data that was encrypted, and possibly obtained by the attackers, included names, Social Security numbers, birth dates, and medical information such as appointment times, diagnosis codes, physician locations, amounts paid, insurance plan ID numbers, payer ID numbers, claims addresses, and/or FOI claims history.

Florida Orthopaedic Institute has engaged third-party experts to enhance security and prevent further cyberattacks.

The HHS’ Office for Civil Rights has not yet posted the incident on its breach portal, so the number of affected patients is not currently known.

Hacker Arrested and Charged Over the 2014 UPMC Cyberattack

The United States Attorney’s Office for the Western District of Pennsylvania has announced the arrest of an individual accused of hacking the human resources databases of the University of Pittsburgh Medical Center (UPMC) in 2014.

UPMC operates 40 hospitals and 700 outpatient sites and physicians’ offices and has more than 90,000 employees. In January 2014, UPMC learned that a hacker had accessed an Oracle PeopleSoft database on a human resources server containing the personally identifiable information (PII) of 65,000 UPMC employees. The stolen data was allegedly offered for sale on the darknet and included names, birth dates, addresses, tax and salary details, and Social Security numbers.

The arrested individual, Justin Sean Johnson, 29, of Michigan, had until recently worked as an IT specialist at the Federal Emergency Management Agency.

Johnson, who operated under the monikers TDS and DS, was charged on May 20, 2020 with 43 counts: one count of conspiracy, 5 counts of aggravated identity theft, and 37 counts of wire fraud. He is alleged to have hacked the database, copied the PII, and sold it on darknet marketplaces, including AlphaBay Market, to numerous international buyers. Prosecutors further allege that between 2014 and 2017 Johnson sold other PII on the darknet in addition to the UPMC employee data.

The stolen UPMC PII was later used in a large-scale scheme to defraud UPMC employees. Hundreds of fraudulent tax returns were filed in the names of UPMC employees, which prosecutors say resulted in approximately $1.7 million in fraudulent refunds being issued. Those refunds were converted into Amazon gift cards that were used to purchase approximately $885,000 in goods, most of which were shipped to Venezuela for resale on online marketplaces.

Two other individuals were charged in 2017 in connection with the UPMC hack.
Maritza Maxima Soler Nodarse, of Venezuela, pleaded guilty to conspiracy to defraud the United States in connection with the filing of fraudulent tax returns, was sentenced to time served, and was deported.
Yoandy Perez Llanes, of Cuba, pleaded guilty to aggravated identity theft and money laundering and is due to be sentenced in August 2020.

The breach investigation showed that the hacker first accessed the PeopleSoft database on December 1, 2013. After gaining access, the hacker ran a test query that returned the data of around 23,500 individuals. Between January 21, 2014 and February 14, 2014, the hacker accessed the database several times a day and stole the data of a large number of UPMC employees.

Johnson faces a lengthy prison sentence if convicted. The conspiracy charge carries a maximum of 5 years’ imprisonment and a fine of up to $250,000. Each wire fraud count carries a maximum of 20 years’ imprisonment and a fine of up to $250,000, and each aggravated identity theft count carries a mandatory 2-year sentence and a fine of up to $250,000.

The healthcare industry is an enticing target of hackers interested in taking personal data for use in scams; the Secret Service is fully committed to uncovering and arresting those that partake in criminal acts that exploit the Nation’s critical systems for their own benefit.

Cybercriminals like Johnson need to realize that the U.S. Secret Service won’t stop chasing them until they’re in custody and pay for their criminal acts.

PHI Exposed Due to Breaches at Cano Health and the Department of Behavioral Health and Intellectual Disability Services

Cano Health, a population health management company and healthcare provider based in Florida, has reported that an unauthorized individual gained access to the email accounts of three employees and set up mail forwarders on those accounts that redirected email to external addresses.

Cano Health discovered the breach on April 13, 2020, but the investigation revealed that the accounts had been compromised almost two years earlier, on or around May 18, 2018. That means every email sent to or from those accounts between May 18, 2018 and April 13, 2020 is presumed to have been forwarded to the attacker and potentially accessed.
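A forwarder like the one described above is a common persistence technique after an email account compromise: it keeps delivering mail to the attacker long after the password is changed, which is how a compromise can go unnoticed for two years. The following Python script is an added example, not code from Cano Health or this article, showing how a defender can hunt for such forwarders in mailbox audit records. The records are constructed here and use an assumed, simplified shape loosely modeled on Microsoft 365 mailbox cmdlet events; the domains and user names are placeholders.

```python
import json

# Constructed sample records, loosely modeled on Microsoft 365 mailbox audit
# events. This is an assumed, simplified shape for illustration; the schema of
# real audit records differs and should be checked against the vendor docs.
SAMPLE_LOG = """
{"Operation": "Set-Mailbox", "UserId": "alice@example-health.test", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@attacker-mail.test"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "bob@example-health.test", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "drop@free-mail.test"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "carol@example-health.test", "Parameters": [{"Name": "Name", "Value": "Billing"}, {"Name": "MoveToFolder", "Value": "Billing"}]}
{"Operation": "Set-Mailbox", "UserId": "dave@example-health.test", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:shared-inbox@example-health.test"}]}
"""

# Assumed: the organization's own mail domains. Forwarding anywhere else is external.
INTERNAL_DOMAINS = {"example-health.test"}

# Operations that can create a forwarder, and the parameters carrying the destination.
FORWARDING_OPS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress", "ForwardTo",
                  "ForwardAsAttachmentTo", "RedirectTo"}


def normalize_address(value):
    """Turn 'smtp:User@Domain' or 'user@domain' into a bare lowercase address."""
    addr = value.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return addr


def is_external(addr, internal_domains):
    """True when the address's domain is not one of the organization's own."""
    return addr.rsplit("@", 1)[-1] not in internal_domains


def find_external_forwarders(log_text, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per audit record that forwards mail outside the org."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in FORWARDING_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [normalize_address(v) for k, v in params.items() if k in FORWARD_PARAMS]
        external = [t for t in targets if is_external(t, internal_domains)]
        if not external:
            continue
        # Attackers often hide a forwarder from the mailbox owner by deleting the
        # forwarded copy or giving the rule an empty-looking name such as ".".
        rule_name = params.get("Name")
        hidden_name = rule_name is not None and rule_name.strip(". ") == ""
        deletes_copy = str(params.get("DeleteMessage", "")).lower() == "true"
        findings.append({
            "user": rec.get("UserId"),
            "operation": rec["Operation"],
            "targets": external,
            "stealthy": hidden_name or deletes_copy,
        })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarders(SAMPLE_LOG):
        flag = "STEALTHY " if f["stealthy"] else ""
        print(f"{flag}{f['operation']} by {f['user']} -> {', '.join(f['targets'])}")
```

Run against the constructed log, the script reports alice's mailbox-level forwarder to an external domain and bob's hidden inbox rule (named "." and deleting the forwarded copy), while ignoring carol's move-to-folder rule and dave's forwarder to an internal shared mailbox. In practice the same logic would run over exported audit logs, and the most useful response control is to block auto-forwarding to external domains at the tenant level so the alert is a backstop rather than the only defense.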

A review of the emails confirmed that they contained personal and protected health information (PHI) such as names, contact details, dates of birth, medical information, insurance information, government identification numbers, financial account numbers and/or Social Security numbers.

Cano Health is notifying affected individuals and has advised them to regularly check their accounts and benefits statements for signs of fraudulent activity. Cano Health will offer affected patients complimentary credit monitoring services.

Cano Health is working to strengthen email security. The Department of Health and Human Services’ Office for Civil Rights has not yet posted the breach on its portal, so it is not yet known how many individuals have been affected.

Phishing Attack on City of Philadelphia Affects 33,376 Patients

The City of Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) reported a cyberattack that led to the exposure of the PHI of 33,376 persons.

On March 31, 2020, DBHIDS detected suspicious activity in an employee’s email account, and on April 2, 2020 the investigation confirmed that two email accounts had been compromised. The phishing attack investigation is ongoing and forensic specialists are analyzing the email accounts, but so far no evidence has been found that the attackers accessed or exfiltrated patient information.

The breach affects patients with intellectual disabilities who had previously received services from the Division of Intellectual disAbility Services (IDS). The types of data exposed varied from patient to patient and may have included names, addresses, birth dates, Social Security numbers, health insurance details, account and/or medical record numbers, diagnoses, provider names, service dates and brief descriptions of the services the individual received from IDS. Copies of the birth certificates and Social Security cards of some patients were also exposed.

DBHIDS will mail notification letters to affected individuals in the coming weeks and will offer free credit monitoring services.

Several steps have been taken to prevent similar breaches in the future. Employees will receive additional training to help them identify phishing emails, and network activity monitoring has been enhanced.

St Joseph Health System Confirms the Improper Disposal of Patient Documents by Health Record Storage Center

St Joseph Health System in North Central Indiana is notifying patients that some of their protected health information (PHI) has been compromised as a result of unauthorized access. The breach did not occur at St Joseph Health System itself but at a business associate.

Central Files Inc., a secure document storage facility in South Bend, IN, was contracted to store patient records securely in compliance with federal and state law and to dispose of certain records in accordance with HIPAA. Central Files Inc. has since gone out of business but was still required to retain patient records until an alternative secure storage facility could be arranged.

Between April 1 and April 9, 2020, several healthcare organizations affiliated with St Joseph Health System were notified that documents containing patient information had been dumped at a location in the South Bend area at some point before April 1, 2020.

The documents found at the location were in a terrible state. According to the substitute breach notice published on the St Joseph Health System website, the records showed signs of mold, moisture damage, and rodent infestation, and had been mixed with trash and other debris. Efforts were made to identify the patients whose records were affected, but trained safety personnel determined that inspecting most of the records would pose a health hazard and recommended that the best course of action was to dispose of them securely.

The documents that could be safely removed were recovered, and St Joseph Health System engaged a vendor to retrieve the remaining files from the location. That process was completed on May 20, 2020 and arrangements were made for the secure and permanent destruction of the documents.

In many cases the records were old and contained outdated information. Some of the documents were paper copies of medical records and billing statements containing details such as names, contact information, Social Security numbers, clinical and diagnostic information and dates of service. Patients have been notified of the breach. There is no evidence that any data has been misused, although the possibility of unauthorized access cannot be ruled out.

The documents related to the following entities:

Allied Physicians of Michiana (From 1995 to 2007)
Saint Joseph Health System (From 1999 to 2013)
South Bend Medical Foundation (From 2009 to 2015)
New Avenues (From June 2004 to December 2015)
Michiana Hematology Oncology (From 2002 to 2004)
Cardiology Associates, Inc. (From March 1, 2007 to November 30, 2013)
Elkhart Emergency Physicians, Inc. / Goshen Emergency Physicians, LLC (From 2002 to 2010)

The HHS’ Office for Civil Rights has not yet posted the breach on its breach portal, so it is unclear at this time how many patients were affected.

Increase in Mobile Phishing Attacks During the COVID-19 Health Pandemic

Cybercriminals are adapting their tactics, techniques, and procedures during the COVID-19 pandemic and are targeting remote workers with COVID-19-themed lures in their phishing campaigns. According to a newly released report from mobile security firm Lookout, the number of phishing attacks aimed at users of mobile devices such as smartphones and tablets has increased dramatically.

Globally, mobile phishing attacks on enterprise users rose 37% between the fourth quarter of 2019 and the end of the first quarter of 2020. In North America, the increase was 66.3%. Cybercriminals are targeting people working from home in particular industries, such as healthcare and financial services.

Although the sharp rise in mobile phishing attacks is linked to the change in working practices caused by the COVID-19 crisis, mobile phishing attacks have been steadily increasing over the past several quarters. Phishing attacks on mobile device users appear to have a higher success rate, as users are more likely to click links than they would be on a laptop or desktop, because phishing links are harder to recognize as malicious on smaller screens.

Whereas the full URL is usually visible on a laptop or desktop computer, a mobile device may display only the last part of the URL, which can make a malicious link appear legitimate. When working from home, people are also more likely to use their smartphones to get work done, especially those without large screens or multiple monitors at home.

Mobile devices generally do not have the same level of security as laptops and office computers, so phishing emails are less likely to be blocked. There are also more ways for phishing links to reach mobile devices than laptops and desktops. On a desktop, phishing links arrive mostly by email, but on mobile devices they can also arrive via messaging apps, SMS, and social networking and dating apps. Mobile users also tend to respond quickly without pausing to consider whether a request is genuine, whereas they might be more cautious on a desktop or laptop.

The rise in phishing attacks targeting mobile device users is a security problem that organizations should address through security awareness education and training, especially for remote workers. Phishing awareness training should cover the threat of mobile phishing, explain how links can be previewed on mobile devices, and describe the other steps that should be taken to verify that requests are legitimate.

If a message appears to come from someone you know but makes an unusual request or directs you to an unfamiliar website, contact that person directly to verify it. When working remotely, it is even more important to verify any unusual communication.

Education alone may not be enough. Security software should also be deployed on mobile devices to better protect users from phishing and ransomware attacks.

Federal Advisory Raises Awareness of Scams Linked to COVID-19 Economic Payments

The IRS, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury have published a joint alert to raise awareness of the threat of phishing and other cyberattacks related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

Through the CARES Act, $2 trillion in funding is available to help businesses and individuals adversely affected by the COVID-19 crisis, including economic impact payments to eligible U.S. citizens to ease the financial burden. Cybercriminals are using CARES Act payments as a lure in phishing attacks to obtain personal and financial information and to attempt to redirect CARES Act payments. All Americans are urged to be on the lookout for fraud related to the CARES Act and COVID-19.

The U.S. Government reports that many cybercriminal groups are using stimulus-themed lures in phishing emails and text messages to obtain sensitive information, including bank account details. Financial institutions have been asked to remind their customers to follow good cybersecurity practices and to watch for suspicious account activity and account creation.

Criminals are using CARES Act-themed emails and websites to steal sensitive information, deliver malware, and gain access to computer systems. Themes include loan and grant programs, economic stimulus, personal checks, and other subjects related to the CARES Act. These CARES Act-themed campaigns could enable a wide range of follow-on activity that may jeopardize the rollout of the CARES Act.

Threat actors may also attempt to disrupt the operations of institutions responsible for implementing the CARES Act, including the use of ransomware to disrupt the flow of CARES Act funds and to extort payments. Federal, state, local and tribal organizations are advised to assess their loan processing, banking and payment systems and strengthen security to prevent attacks.

Foreign threat actors have been observed filing fraudulent claims for COVID-19 relief funds. One Nigerian business email compromise (BEC) gang, known as Scattered Canary, is believed to have filed more than 200 fraudulent claims for unemployment benefits and CARES Act payments through state unemployment websites, using data stolen in W-2 phishing attacks. The gang has filed at least 174 fraudulent claims with the state of Washington and around 12 with the state of Massachusetts, and approximately 8 states have been targeted so far.

The U.S. Government has been sharing threat intelligence and cybersecurity best practices to help disrupt and prevent criminal activity. The U.S. Secret Service is focused on investigations to identify individuals exploiting the pandemic, to ensure they face justice and that money lost to these crimes is recovered.

The IRS has reminded taxpayers that it will not contact them by email, text message, or social media to request personal or financial information such as bank account numbers, PINs or credit card details. The IRS has also warned that copycat websites may be set up to harvest sensitive information, and that any domain name should be checked carefully for transposed letters or a mismatched SSL certificate. The only official IRS websites are www.irs.gov and the IRS-operated https://www.freefilefillableforms.com/.
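The "check the domain for transposed letters" advice can be turned into a mechanical check, which is useful for anyone triaging reported phishing URLs or building a mail-filter rule. The following Python script is an added example, not code from the IRS or CISA alert: it classifies a URL as the official domain, a lookalike, or unrelated, where a lookalike is a registrable domain within one edit or one adjacent-letter swap of an official name (ris.gov, 1rs.gov), the official name under a different top-level domain (irs.com), or the official name buried in a subdomain of something else (irs.gov.example.test). The official domain list is taken from the alert text above; the test URLs are constructed, the "last two labels" rule for the registrable domain is a simplification, and certificate checks are out of scope for this script.

```python
from urllib.parse import urlsplit

# Official domains named in the advisory. Anything else that resembles them is suspect.
OFFICIAL_DOMAINS = {"irs.gov", "freefilefillableforms.com"}


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'ris' is 1 away from 'irs'."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def hostname_of(url_or_host):
    """Lowercase hostname from a URL, or from a bare host with no scheme."""
    text = url_or_host.strip()
    if "//" not in text:
        text = "//" + text
    host = urlsplit(text).hostname
    if not host:
        raise ValueError(f"no hostname in {url_or_host!r}")
    return host.lower().rstrip(".")


def registrable_domain(host):
    """Simplified to the last two labels. Assumption for illustration only;
    production code should use the public suffix list (e.g. example.co.uk)."""
    return ".".join(host.split(".")[-2:])


def classify_domain(url_or_host, official=OFFICIAL_DOMAINS):
    """Return 'official', 'lookalike' or 'other' for the given URL or host."""
    host = hostname_of(url_or_host)
    reg = registrable_domain(host)
    if reg in official:
        return "official"
    sld = reg.split(".")[0]
    for off in official:
        # The real name appears, but not as the registrable domain (subdomain trick).
        if off in host:
            return "lookalike"
        # One edit or swap away from the real second-level label, any TLD.
        if osa_distance(sld, off.split(".")[0]) <= 1:
            return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample URLs for demonstration.
    for u in ("https://www.irs.gov/coronavirus", "http://www.ris.gov/refund",
              "https://irs.gov.example.test/login", "https://1rs.gov/",
              "https://irs.com/", "https://example.test/"):
        print(f"{classify_domain(u):9s} {u}")
```

The edit-distance threshold of 1 is deliberately tight; raising it catches more variants but also flags unrelated short domains, so in a mail filter a "lookalike" verdict should drive a warning banner or quarantine-for-review rather than an outright block.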

All U.S. citizens are urged to remain vigilant, to monitor their financial accounts for signs of fraudulent activity, and to report phishing attempts and other fraud to the appropriate authorities. Anyone who believes they have fallen for a scam and disclosed sensitive business information should also notify their employer.

The alert, Avoid Scams Related To Economic Payments, COVID-19, can be downloaded from this link.

Guidance Document on Handling the Cybersecurity Tactical Response During a Pandemic

The Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) have published joint guidance on managing the cybersecurity tactical response during emergency conditions such as a pandemic.

Threat actors will attempt to exploit emergency events to conduct attacks, as has clearly been seen during the COVID-19 pandemic. In many cases, the duration of an emergency limits the window of opportunity for threat actors to capitalize on the situation, but with a pandemic the period of exposure is prolonged. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to use COVID-19 as a lure for attacks on the healthcare sector.

The key to managing the elevated cybersecurity risk during emergency conditions is planning. Without it, healthcare providers will constantly be fighting fires and struggling to improve security at a time when resources are stretched thin.

The new guidance was developed for the COVID-19 crisis by HSCC’s Cybersecurity Working Group (CWG), H-ISAC, and cybersecurity professionals from the healthcare sector and government. It is intended to help healthcare providers develop a tactical response to the cybersecurity threats that arise during emergencies and to improve their level of preparedness.

During the COVID-19 pandemic, cyber threat actors have conducted a range of attacks on healthcare organizations, including domain attacks, phishing attacks, and malware and ransomware attacks. The attacks have come at a time when healthcare providers are striving to deliver care to highly infectious patients, adopt remote diagnostic and treatment services, and transition to telework to slow the spread of the coronavirus. These changes in working practices have considerably expanded the attack surface and introduced new attack vectors and vulnerabilities.

Exposure to malicious cyber actors grows with every gain afforded by automation, interoperability, and data analytics. To counter these attacks before they occur, healthcare organizations must establish, use, and maintain current and effective cybersecurity strategies.

Healthcare organizations of all sizes can use the guidance document to strengthen their cybersecurity programs and prepare for emergencies. Smaller healthcare organizations can use it to select appropriate measures to improve their security posture, while larger organizations that have already planned their tactical crisis response can use it as a checklist to make sure nothing has been missed.

The guidance document groups strategies, practices, and activities into four primary categories:

  1. Education and Outreach
  2. Enhance Prevention Techniques
  3. Enhance Detection and Response
  4. Take Care of the Team

The cybersecurity response to a crisis tends to focus on technical controls, but HSCC/H-ISAC points out that education and outreach play a crucial part in the success of the response strategy. In an emergency, even the best-laid plans can come unstuck without proper education and outreach. Organizations that communicate their plans effectively will reduce confusion, improve response times, and increase the effectiveness of their cybersecurity plan. The guide explains how to create a communication plan and conduct policy and procedure reviews properly.

Preventing cyberattacks is critical. Most healthcare organizations will already have implemented a range of measures to prevent cyberattacks before the public health emergency, but HSCC/H-ISAC recommends that three practices be reviewed: limiting the potential attack surface, strengthening remote access, and using threat intelligence feeds.

Limiting the attack surface requires robust vulnerability management, prompt patching, securing medical devices and endpoints, and controlling third-party network access. The guidance document recommends several tactics for securing remote access and explains how to use threat intelligence feeds to prevent attacks and speed up the response.

Many attacks are difficult to prevent, so it is essential to have processes in place to detect successful attacks and respond promptly. The guidance document recommends several steps to improve the detection of, and response to, attacks.

It is also essential to take care of the team. In a crisis, health, well-being, job security, and financial stability are all major concerns for healthcare staff. Organizations must communicate appropriately with their employees, address these concerns, and explain how the organization will support them during the crisis.

The guidance document can be downloaded from this link. Earlier this month HSCC published a separate guidance document outlining steps healthcare organizations can take to protect trade secrets and research. That document can be viewed here.

Survey Uncovers Status of Workplace Safety and Preparedness in The Healthcare Industry

Rave Mobile Safety has published the results of its annual survey on workplace safety and preparedness, conducted in early 2020. The report examines levels of emergency preparedness in healthcare and other industries across the United States. It should be noted that the survey was conducted before the COVID-19 public health emergency was declared, which has most likely shifted priorities in many organizations.

Workplace Security in 2020

The coronavirus pandemic has highlighted the need for effective communication during emergencies, but the survey reveals other important reasons for improving safety and communication in the workplace. In the previous survey, in 2019, 26% of respondents reported incidents of violence in the workplace. This year, the proportion of employees who have experienced violence in their workplace has doubled.

The survey shows that employees are now more safety-conscious. 58% of respondents said they would report a safety concern at work regardless of whether it could be done anonymously; however, 41% of Gen Z and millennial respondents would only report a safety concern if they could do so anonymously, suggesting that 18-29-year-olds fear that raising safety concerns will have negative consequences.

Although most employers have developed emergency plans, most are not conducting drills. For example, 76% of companies have emergency plans for severe weather events, but only 40% have conducted drills to rehearse their response, even though 48% of respondents said they had experienced a severe weather event in the past year. Many organizations have developed emergency plans for cyberattacks, yet 51% of respondents said no drills had been conducted to test those plans. Around 30% of employees were unsure of or unaware of their employer’s emergency plans, with 18-29-year-old employees the least aware.

Emergency Communications

The range of methods used to communicate with employees during emergencies has expanded in 2020. Email remains the most commonly used channel, with 63% of companies using it to communicate critical information, but channels such as mass texting have grown in popularity. Mass SMS is now used by 42% of the businesses represented in the survey, although many still rely on outdated methods such as in-person announcements, which do not reach remote employees.

The survey found that employers often stick to outdated communication methods, even though employees would prefer to receive safety and security notifications through a faster, more readily accessible channel such as mass texting.

Emergency Communication in the Medical Industry

The survey showed that a considerable proportion of healthcare employees were unaware of emergency plans for events such as system failures (22%) and active shooters (16%). During emergencies, email was the most common means of communication, used by 65% of healthcare companies. Intercom systems were also widely used (50%), along with in-person announcements (44%). While these may be valuable onsite, they are not effective for reaching remote employees, who would prefer to receive notifications by text message; however, only 41% of healthcare providers use mass text notifications in emergencies. The survey also revealed gaps in security practices, with 80% of healthcare staff not required to perform a security check-in when working off-site.

The complete findings of the Annual Workplace Safety and Preparedness Study can be viewed on this page.

Ciitizen HIPAA Right of Access Report Reveals Considerable Improvement in Compliance

Healthcare organizations’ compliance with the HIPAA Right of Access has improved considerably, according to the latest Ciitizen Patient Record Scorecard Report.

To create the report, Ciitizen conducted a study of 820 healthcare organizations to examine how they responded to patients requesting copies of their healthcare records. A wide variety of healthcare organizations were evaluated, ranging from single-physician practices to large hospital systems.

Under the HIPAA Privacy Rule, patients have the right to request a copy of their healthcare records from their healthcare providers. Requests must be submitted in writing. The healthcare organization must provide the patient with a copy of the health records in a designated record set within 30 days of the request. The records must be provided in the format the patient requested when the PHI can readily be produced in that format. If it is not possible to produce the records in the requested format, the healthcare provider must provide them in an alternate format agreed upon with the patient.

For the study, Ciitizen users submitted requests for copies of their healthcare records to healthcare organizations. Each healthcare provider then received a score from 1 to 5 based on its performance. A 1-star rating means a non-HIPAA-compliant response. 2 stars are given when a request was eventually fulfilled satisfactorily, but only after several escalations to administrators. A 3-star rating is assigned if the request was completed with little intervention, and a 4-star rating is assigned to healthcare providers that were fully compliant and handled the request smoothly. A 5-star rating is reserved for healthcare providers with a patient-focused approach that exceed the HIPAA requirements.

Past studies found that many providers (51%) did not comply with the HIPAA Right of Access. In the most recent study, that figure fell to 27%. The proportion of healthcare organizations receiving 4-star scores rose from 40% to 67%, and the proportion receiving 5-star ratings rose from 20% to 28%.

Further good news from this year’s report: just 6% of the 820 healthcare organizations charged patients reasonable fees for producing the records.

In past studies, many healthcare organizations required patients to fill out a standard form, but this year almost all providers accepted any type of written request and did not require patients to sign a specific form before processing the request.

The most recent study evaluated substantially more providers, which could be related to the improvement in compliance. 51 healthcare providers were evaluated for the first Patient Record Scorecard report, 210 for the second, and 820 for the third. Ciitizen notes that the proportion of non-compliant healthcare providers in those studies was consistent with a separate study of 3,000 healthcare providers, which indicates that the improvements are genuine.

Ciitizen attributes improved compliance rates to three major reasons:

  • Greater emphasis has been placed on the right of individuals to obtain copies of their healthcare records since the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT issued new guidelines, making it much easier for patients to get copies of their healthcare records.
  • Release of information (ROI) vendors, which process patient record requests on behalf of covered entities, have had a positive effect on compliance with the HIPAA Right of Access.
  • The HHS’ Office for Civil Rights launched a HIPAA Right of Access enforcement initiative last year. Since then, two covered entities that failed to comply have each been fined $85,000.

Ciitizen’s publication of a website displaying the score of every evaluated healthcare provider may also have motivated providers to comply with this essential aspect of HIPAA.