People Just Notified Regarding the September 2020 and February 2021 Cyberattacks

Two HIPAA-regulated entities have recently begun notifying individuals whose protected health information (PHI) was potentially compromised in cyberattacks that occurred more than 12 months ago. One of them took 18 months to inform affected individuals that their PHI had been accessed and possibly stolen.

Comprehensive Health Services Notifies 94,449 Patients About September 2020 Cyberattack

Comprehensive Health Services, located in Cape Canaveral, FL, provides workforce medical services. It is part of Acuity International, which recently reported a cyberattack that was discovered on September 30, 2020.

The incident was detected after several fraudulent wire transfers were made from its accounts. Third-party forensic specialists were engaged to determine the scope of the incident, secure its digital environment, establish how the attacker gained access to its systems, and find out whether any sensitive data had been copied from them.

In its breach notice to the Maine Attorney General, Comprehensive Health Services said it determined on November 3, 2021, that the personal information of some individuals employed by one of its clients may have been viewed and exfiltrated in the attack. Notification letters were mailed to the affected individuals on February 15, 2022, and they were offered either 12 or 24 months of credit monitoring and identity theft protection services. It is not clear why the company took 15 months to confirm that protected health information had been compromised, and a further three months to send notification letters to the affected individuals.

According to the breach report submitted to the Maine Attorney General, the PHI of 94,449 individuals was potentially affected.

Minimally Invasive Surgery of Hawaii Notifies Patients About February 2021 Cyberattack

Orthopedic Associates of Hawaii, All Access Ortho, and Specialty Suites, dba Minimally Invasive Surgery of Hawaii (MISH), has begun notifying patients affected by an incident that resulted in the breach of their PHI.

The incident was a ransomware attack detected on February 19, 2021. According to the breach notifications, the attacker encrypted data on systems that contained patient information. Steps were taken to recover the records quickly and to determine whether the unauthorized actor had accessed or obtained files containing patient information.

MISH said the investigation determined, on or around April 2, 2021, that the threat actor had access to its systems between February 12, 2021, and February 19, 2021, and obtained a limited number of files. An analysis was then performed to identify the affected patients and the types of data obtained, after which the contact details of those individuals had to be verified.

Notification letters dated February 19, 2021, were sent to the California Attorney General, although the breach report was submitted to the HHS’ Office for Civil Rights in April 2021. That breach report states that 500 individuals were affected, but 500 is commonly used as a placeholder until the final number of affected individuals is known.

MISH said the following types of data were exposed: full names, addresses, dates of birth, medical treatment and diagnosis information, health insurance information, and a small number of Social Security numbers. No evidence of misuse of patient information has been found. Affected individuals have been offered free credit monitoring and identity theft protection services.

MISH said it has reviewed its policies and procedures and has implemented additional administrative and technical safeguards to strengthen security.

HIMSS Cybersecurity Survey Indicates the Human Factor is the Major Vulnerability in Medical Care

HIMSS has published the results of its 2021 Healthcare Cybersecurity Survey, which found that 67% of respondents had experienced at least one significant security incident in the past year, with phishing attacks the most common cause of their most significant breach.

The 2021 HIMSS Healthcare Cybersecurity Survey was conducted on 167 healthcare cybersecurity professionals responsible for day-to-day cybersecurity operations or oversight.

Respondents were asked about the significant security incidents they had experienced in the past 12 months: 45% of those incidents were phishing attacks, and 57% of respondents said their most significant incident involved phishing. Phishing is most often conducted by email, and 71% of significant incidents were email phishing attacks; however, 27% of respondents reported a significant voice phishing (vishing) incident, 21% a significant SMS phishing (smishing) incident, and 16% a significant social media phishing incident.

Phishing was the most common initial point of compromise, accounting for 71% of significant security incidents, followed by social engineering attacks at 15%. Human error is frequently behind significant breaches, accounting for 19% of them, and 15% resulted from the continued use of legacy software that is no longer supported. The survey also showed that basic security controls were not fully implemented at many organizations.

Ransomware attacks continue to plague the healthcare industry, and they typically cause major disruption and carry substantial mitigation costs. 17% of respondents said their most significant security incident was a ransomware attack. 7% said negligent insider activity caused their most significant incident, although HIMSS notes that healthcare organizations generally lack strong defenses against insider breaches, so such incidents are likely to be underreported.

Given the extent to which phishing leads to account compromises and serious cyberattacks, it is essential for healthcare organizations to implement effective email security to block phishing emails and to invest in security awareness training for the workforce. No single security solution can block every phishing attack, so it is important that employees are trained to recognize phishing and social engineering attempts. Educating employees on security best practices also helps to reduce the human errors that so often lead to data breaches.

The continued use of legacy software past its end-of-life is a concern in healthcare. Plans should be made to upgrade outdated systems, and where that is not possible, mitigations should be applied to make exploitation of vulnerabilities harder, such as isolating legacy systems and not exposing them to the internet.

44% of respondents said their most significant incident had no or only minimal impact; however, 32% said the incident caused system disruption that affected business operations, 26% said it disrupted IT systems, and 22% said it resulted in a data breach or data loss. 21% said the incident affected clinical care, and 17% said their most significant incident resulted in financial loss.

Despite the risk of cyberattacks, cybersecurity budgets remain tight. 40% of respondents said 6% or less of their IT budget was allocated to cybersecurity, the same proportion as in each of the past four years even though the risk of attacks has increased. 40% said their budget had stayed the same or decreased since last year, and 35% said their cybersecurity budget is not expected to change.

The HIMSS survey asked respondents about their biggest security challenges. For 47% it was insufficient budget. Employee compliance with policies and procedures was a major challenge for 43% of respondents, the continued use of legacy software for 39%, and 34% reported problems with patch and vulnerability management.

Human error, identity and access management, device management, building a cybersecurity culture, data leaks, and shadow IT were also cited as significant security challenges.

The findings of the 2021 HIMSS Healthcare Cybersecurity Survey show that healthcare organizations still have considerable challenges to overcome. The barriers to progress include limited security budgets, growing legacy footprints, and the rising volume of cyberattacks and compromises. In addition, basic security controls were not fully implemented by many organizations. The biggest weakness, most likely, is the human factor. Healthcare providers should do more to support their cybersecurity professionals and their cybersecurity programs.

AccelHealth and Pace Center for Girls Reported Hacking Incidents

Cross Timbers Health Clinics, based in Brownwood, Texas, and operating as AccelHealth, experienced a ransomware attack on December 15, 2021, which left the Federally Qualified Health Center unable to access certain files and folders on its network. AccelHealth engaged third-party forensic specialists to investigate the breach, and they confirmed that unauthorized individuals first gained access to its systems on December 9, 2021.

During the six days in which the attackers had access to the network, they may have viewed or obtained files containing patient data. A comprehensive review of all files on the affected parts of the network showed that they contained the protected health information (PHI) of 48,126 patients, including names, addresses, dates of birth, driver’s license numbers, financial account information, Social Security numbers, health insurance information, treatment and diagnosis information, and medical record numbers.

No evidence of data exfiltration was found and, at the time the notification letters were issued, no reports had been received of actual or attempted misuse of patient data. AccelHealth said additional technical safeguards are being implemented to prevent further cyberattacks, and affected individuals have been offered free credit monitoring services.

Pace Center for Girls Discovers 11-Month System Breach

Pace Center for Girls, based in Jacksonville, FL, provides a 6-12 education program for at-risk teenage girls. It has discovered that unauthorized individuals accessed certain infrastructure systems and may have viewed or obtained the sensitive information of current and former students.

The breach was discovered in the week of December 13, 2021, and the subsequent investigation confirmed that, in January 2021, unauthorized individuals gained access to parts of its IT infrastructure that held sensitive records. The compromised information included students’ full names, phone numbers, addresses, dates of birth, Florida Department of Juvenile Justice identification numbers, enrollment information, parent/guardian names, and behavioral health information.

Pace Center for Girls said a third-party cybersecurity firm was engaged to help secure its network and physical computer access and to assess its data security and gateway security systems. Additional security measures will be implemented, as necessary, to better protect against unauthorized access. Affected individuals have been advised to place fraud alerts with Equifax, Experian, and TransUnion to detect any fraudulent use of their personal data. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 18,300 individuals.

Unpatched Vulnerabilities Are Now the Most Common Attack Vector for Ransomware Actors

Ransomware groups are increasingly exploiting unpatched vulnerabilities in software and operating systems to gain access to organizations’ networks, and they are quick to weaponize zero-day vulnerabilities. Unpatched vulnerabilities are now the primary attack vector in ransomware attacks, according to Ivanti’s Ransomware Year-End Spotlight report.

Ivanti produced the report with the next-gen SOAR and threat intelligence company Cyware and the CVE Numbering Authority (CNA) Cyber Security Works. The report identified 32 new ransomware variants in 2021, a 26% increase over the previous year. There are now 157 known ransomware families being used in attacks on organizations.

According to Ivanti, 65 new vulnerabilities that ransomware gangs are known to have exploited in attacks were discovered in 2021, a 29% increase year-over-year, bringing the total number of vulnerabilities associated with ransomware attacks to 288. 37% of the new vulnerabilities were actively trending on the dark web and were exploited in multiple attacks, while 56% of the 223 older vulnerabilities continue to be actively exploited by ransomware groups.

Ransomware gangs, and the initial access brokers they often use, are seeking out zero-day vulnerabilities to use in their attacks before CVE identifiers are assigned and the flaws are added to the National Vulnerability Database (NVD). Examples include the SonicWall (CVE-2021-20016), QNAP (CVE-2021-28799), Apache Log4j (CVE-2021-44228), and Kaseya (CVE-2021-30116) vulnerabilities.

The report highlights the importance of applying patches promptly and of prioritizing patching so that weaponized vulnerabilities are addressed first. While it is important to monitor vulnerabilities as they are added to the NVD, security teams should also subscribe to threat intelligence feeds and security advisories from security agencies, and should watch for reports of exploitation and vulnerability trends.

While ransomware attacks on individual businesses are common, ransomware groups are seeking bigger paydays and are increasingly attacking supply chains and managed service providers in order to affect as many organizations as possible. A supply chain attack or an attack on a managed service provider allows a ransomware group to conduct attacks on dozens or even hundreds of victims at once, as in the REvil ransomware attack on the Kaseya VSA remote management service.

Ransomware gangs are also increasingly collaborating in the following ways:

  • ransomware-as-a-service (RaaS), where affiliates are recruited to conduct attacks in exchange for a percentage of the ransom payments
  • exploit-as-a-service, where exploits for known vulnerabilities are leased from their developers
  • dropper-as-a-service operations, where ransomware groups pay malware operators to install malicious payloads on already-compromised devices.

Ransomware gangs are more sophisticated today, and their attacks are more effective. These attackers are using automated toolkits to exploit vulnerabilities and move deeper into compromised networks, explained Srinivas Mukkamala, Ivanti’s Senior VP of Security Products. Organizations need to be extra vigilant and patch weaponized vulnerabilities without delay. This requires a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation.
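The report’s advice above amounts to a ranking rule: patch what is being exploited before patching what merely scores high on CVSS, and do not wait for a CVE identifier to appear in the NVD. The following is an added example of that rule in code, not from Ivanti or the article; the inventory, hostnames, asset-criticality scale, and the `VENDOR-ADV-PLACEHOLDER-001` advisory id are constructed, and only the four CVE ids come from the report summary.

```python
"""Risk-based patch prioritisation: weaponized vulnerabilities first.

Added example (not from the Ivanti report or the article). It ranks a
constructed vulnerability inventory so that flaws known to be exploited by
ransomware groups are remediated before higher-CVSS flaws with no known
exploitation, and it handles a flaw that is being exploited before a CVE id
has been assigned, which the report notes ransomware gangs are doing.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed inventory record)."""
    host: str
    vuln_id: str            # CVE id, or a vendor advisory id if no CVE exists yet
    cvss: float             # base score 0.0-10.0 as reported by the scanner
    internet_exposed: bool
    asset_criticality: int  # assumed scale: 1 (low) to 3 (high) business criticality


# Constructed "weaponized" intelligence feed. The four CVE ids are the ones the
# report summary names; the fifth entry stands in for a flaw that a vendor
# advisory has flagged as exploited but that has no CVE id yet (placeholder).
WEAPONIZED: set[str] = {
    "CVE-2021-20016",  # SonicWall
    "CVE-2021-28799",  # QNAP
    "CVE-2021-44228",  # Apache Log4j
    "CVE-2021-30116",  # Kaseya
    "VENDOR-ADV-PLACEHOLDER-001",
}


def risk_score(f: Finding, weaponized: set[str]) -> float:
    """Score a finding so that known exploitation dominates CVSS.

    CVSS tops out at 10, so a +10 bonus for exploitation guarantees that any
    weaponized flaw outranks any non-weaponized one; internet exposure and
    asset criticality then order the flaws within each group.
    """
    score = f.cvss
    if f.vuln_id in weaponized:
        score += 10.0
    if f.internet_exposed:
        score += 3.0
    score += f.asset_criticality
    return score


def prioritize(findings: Iterable[Finding], weaponized: set[str]) -> list[Finding]:
    """Return findings in remediation order, highest risk first (ties broken deterministically)."""
    return sorted(
        findings,
        key=lambda f: (-risk_score(f, weaponized), f.vuln_id, f.host),
    )


def patch_plan(findings: Iterable[Finding], weaponized: set[str]) -> list[tuple[str, list[str]]]:
    """Group the ranked findings by vulnerability: (vuln_id, hosts) in patch order.

    Because the input is already sorted, each vulnerability first appears at its
    highest-risk host, so dict insertion order is the patch order, and the host
    list inside each group is itself in descending risk order.
    """
    groups: dict[str, list[str]] = {}
    for f in prioritize(findings, weaponized):
        groups.setdefault(f.vuln_id, []).append(f.host)
    return list(groups.items())


# Constructed sample inventory (hostnames and the CVE-PLACEHOLDER ids are made up).
SAMPLE: list[Finding] = [
    Finding("web-01", "CVE-2021-44228", 10.0, True, 3),
    Finding("app-07", "CVE-2021-44228", 10.0, False, 2),
    Finding("nas-02", "CVE-2021-28799", 9.8, False, 1),
    Finding("db-03", "CVE-PLACEHOLDER-A", 9.9, False, 3),   # high CVSS, no known exploitation
    Finding("edge-01", "VENDOR-ADV-PLACEHOLDER-001", 7.5, True, 2),  # exploited, no CVE yet
    Finding("wks-11", "CVE-PLACEHOLDER-B", 5.3, False, 1),
]

if __name__ == "__main__":
    for vuln_id, hosts in patch_plan(SAMPLE, WEAPONIZED):
        print(f"{vuln_id:28} {', '.join(hosts)}")
```

Note that `db-03` carries the highest non-exploited CVSS (9.9) on a critical asset yet ranks below every weaponized finding, including the 7.5 flaw that has only a vendor advisory id.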

Cyberattacks and Data Theft Announced by Medical Healthcare Solutions and Advocates Inc.

Advocates Inc., a Massachusetts non-profit provider of support services for people facing life challenges including autism, brain injury, addiction, intellectual disabilities, behavioral health, and mental health conditions, has reported that it recently suffered a sophisticated cyberattack and data theft incident.

Advocates discovered on October 1, 2021, that an unauthorized individual had gained access to its network and copied files containing the sensitive data of patients and employees. A leading cybersecurity firm was engaged to assist with the investigation, which found that an unknown individual had accessed its network and copied files over a four-day period between September 14, 2021, and September 18, 2021.

The files contained names, dates of birth, addresses, Social Security numbers, health insurance information, client ID numbers, diagnoses, and treatment information. After verifying who was affected, Advocates had to compile up-to-date contact information in order to issue written notifications, hence the delay in sending notification letters.

The cyberattack was reported to the Federal Bureau of Investigation and to government regulators. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows that the protected health information (PHI) of 68,236 individuals was included in the stolen data. Advocates said it is not aware of any actual or attempted misuse of the stolen data; nevertheless, as a precaution, affected individuals have been offered free credit monitoring and identity theft protection services.

PHI Compromised in Cyberattack on Medical Healthcare Solutions

The Boston, MA-based medical billing company Medical Healthcare Solutions has recently reported that it suffered a cyberattack. The attack was detected on November 19, 2021, and steps were taken immediately to secure its network and prevent further unauthorized access. The investigation determined that an unauthorized individual had access to its network from October 1, 2021, to October 4, 2021, and stole a number of files.

A review of the stolen files showed they contained the following types of information: name, address, date of birth, sex, telephone number, email address, driver’s license/state ID number, Social Security number, financial account number, payment card number, card CVV/expiration date, routing number, diagnosis/treatment information, procedure type, provider name, prescription information, date of service, patient account number, medical record number, insurance group number, insurance ID number, insurance plan name, claim number, provider ID number, procedure code, treatment cost, and diagnosis code.

The final list of individuals affected by the breach was obtained on January 8, and notification letters have now been sent. Free credit monitoring and identity theft protection services have been offered to affected individuals. The breach has been reported to the HHS’ Office for Civil Rights but has not yet appeared on its breach portal, so it is currently unclear how many individuals were affected.

More Than 50% of All Healthcare IoT Devices Have an Identified, Unpatched Critical Vulnerability

New research from Cynerio, a healthcare IoT security platform provider, has found that 53% of connected medical devices and other healthcare IoT devices have at least one unpatched critical vulnerability that could potentially be exploited to gain access to networks and sensitive data or to affect the availability of the devices. The researchers also found that one-third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability or data confidentiality, or put patient safety at risk.

The researchers analyzed the connected device footprints of more than 300 hospitals to identify the threats and vulnerabilities present in their Internet of Medical Things (IoMT) and IoT devices. The most common healthcare IoT device is the IV pump, which makes up around 38% of a hospital’s IoT footprint. These devices were also found to be the most vulnerable to attack, with 73% having a vulnerability that could jeopardize patient safety, service availability, or lead to data theft. 50% of VoIP systems had vulnerabilities, with patient monitors, ultrasound devices, and medication dispensers the next most vulnerable device types.

The recently disclosed Urgent11 and Ripple20 IoT vulnerabilities are clearly a cause for concern; however, there are far more prevalent and more easily exploitable weaknesses in IoT and IoMT devices. The Urgent11 and Ripple20 vulnerabilities affect close to 10% of medical IoT and IoMT devices, but the most common risk was weak credentials. Default passwords can easily be found in online device manuals, and weak passwords are susceptible to brute force attacks. 21% of IoT and IoMT devices, roughly one in five, were found to have default or weak credentials.

Most devices in pharmacology, oncology, and laboratory units, and a substantial number of the devices used in neurology, radiology, and surgery departments, were running outdated versions of Windows (older than Windows 10) that are likely to be vulnerable.

Unpatched software and firmware vulnerabilities are common in bedside devices, the most frequent being improper input validation, improper authentication, and the continued use of devices for which a recall notice has been issued. Without visibility into the devices connected to the network and a detailed inventory of all IoT and IoMT devices, identifying and remediating vulnerabilities before attackers exploit them will be a serious challenge, and it is inevitable that some devices will remain vulnerable.

Many medical devices are used in critical care settings where downtime is minimal. More than 80% of healthcare IoT devices are used monthly or more often, which gives security teams only short windows in which to identify and address vulnerabilities and segment the network. A solution that provides visibility into connected medical devices and key information about their security posture would allow security teams to identify vulnerable devices and schedule updates.

Often, it is simply not possible to apply patches. Many medical IoT devices are in continuous use, and they are frequently used beyond their end-of-support date. In those cases, the best option is virtual patching, where measures such as quarantining devices and segmenting the network are taken to prevent vulnerabilities from being exploited.

Network segmentation is one of the most important steps that can be taken to improve healthcare IoT and IoMT security. When segmentation is implemented in a way that takes healthcare workflows and patient care contexts into account, Cynerio says 92% of critical risks in IoT and IoMT devices can be effectively mitigated.

Most medical IoT and IoMT cybersecurity initiatives focus on building a complete inventory of all IoT and IoMT devices and collecting information about those devices to identify potential risks. Hospitals and health networks don’t need more information; they need innovative solutions that reduce risk and enable them to fight back against cyberattacks, and as medical device security specialists, it’s time for all of us to step up.

Online Pharmacy Notifies 105,000 Patients About Cyberattack and Probable Theft of PHI

Ravkoo, a digital pharmacy and health app developer based in Auburndale, FL, has begun notifying certain patients that an unauthorized individual accessed and likely stole their sensitive personal information.

Ravkoo uses Amazon Web Services (AWS) to host its online prescription portal. The portal was the target of a cyberattack that was detected on September 27, 2021. On learning of the breach, Ravkoo took immediate action to secure the portal and engaged third-party cybersecurity specialists to assist with the forensic investigation, mitigation, recovery, and remediation efforts.

The investigation confirmed that sensitive patient data had been compromised, including names, telephone numbers, addresses, certain prescription information, and limited medical information. Ravkoo said the affected portal did not hold any Social Security numbers. The forensic investigation found no evidence that data stored in the portal has been misused.

Ravkoo has reported the cyberattack to the Federal Bureau of Investigation (FBI) and is assisting with the investigation. It has also engaged forensic specialists to assess the security of its AWS environment, and steps are being taken to strengthen security and prevent further data breaches.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting approximately 105,000 individuals. As a precaution, affected individuals are being offered free access to Kroll’s online credit monitoring service, which includes access to resolution services in the event of identity theft.

The Intercept’s Micah Lee said in a September 28, 2021 Twitter post that an attacker had claimed responsibility for the Ravkoo attack and had described the patient portal as “hilariously easy” to get into, involving a hidden admin portal that any user could log in to and retrieve patient records from.

PHI of Anthem Members and Advocate Aurora Health Patients Possibly Exposed

Anthem Inc. has notified 2,003 individuals that an unauthorized person may have viewed or obtained their protected health information (PHI) after gaining access to the network of one of its business associates.

Anthem partners with the Atlanta, GA-based insurance broker OneDigital, which assists individuals enrolled in group health plans with obtaining and managing their health insurance. OneDigital was given access to the protected health information of certain members in order to assist them, or their current or former employer, in obtaining and managing their health insurance policies.

On November 24, 2021, OneDigital notified Anthem of a network server hacking incident that occurred in January 2021. Anthem said the investigation into the incident found no direct evidence of unauthorized access to or theft of PHI, but that possibility could not be ruled out.

The types of data stored on the compromised systems included names, dates of birth, addresses, healthcare provider names, health insurance numbers, group numbers, dates and types of healthcare services, medical record numbers, medication information, laboratory test information, payment information, claims information, driver’s license numbers, and Social Security numbers.

Anthem has offered affected individuals complimentary credit monitoring and identity theft protection services for one year, and said it is working with OneDigital to reduce the risk of similar breaches in the future.

PHI of Over 1,700 Advocate Aurora Health Patients Exposed Due to Billing Error

Advocate Aurora Health, a 26-hospital health system based in Illinois, has notified more than 1,700 individuals about a possible breach of some of their PHI.

On or around July 29, 2021, the health system generated billing statements and mailed them to patients, but they did not reach the intended recipients. The statements contained some PHI, such as patients’ names, the types of services received, dates of service, the name of the healthcare provider they visited, and visit account numbers.

Advocate Aurora Health became aware of the billing problem on October 29, 2021. The subsequent investigation found that an unintended change to its billing application had gone unnoticed, with the result that statements were sent to the wrong addresses. Advocate Aurora Health said it has received no reports of actual or attempted misuse of any patient information as a result of the incident, but patients have been notified by mail as a precaution and offered free credit monitoring services.

Advocate Aurora Health said it is revising its internal processes and technical solutions to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights as affecting 1,729 individuals.

Broward Health Notifies More Than 1.3 Million People About October 2021 Data Breach

Florida-based Broward Health announced a major breach at the start of the year and has now begun notifying more than 1.3 million patients and employees about a data breach that occurred on October 15, 2021. A hacker gained access to the Broward Health network through the office of a third-party medical provider that had been granted network access in order to deliver healthcare services.

Broward Health detected and contained the attack on October 19, 2021, and reset the passwords of all employees to prevent further unauthorized access. With the assistance of a third-party cybersecurity firm, Broward Health conducted a thorough investigation to determine the nature and scope of the breach.

The investigation confirmed that the attacker gained access to parts of the network where employee and patient data were stored, including names, addresses, email addresses, dates of birth, telephone numbers, financial/bank account information, health insurance information, medical histories, medical conditions, treatment and diagnosis information, medical record numbers, Social Security numbers, and driver’s license numbers. Broward Health said some records were exfiltrated from its network.

The cyberattack was reported to the Department of Justice, which asked Broward Health to delay sending breach notification letters to affected individuals so as not to interfere with the law enforcement investigation.

Broward Health has taken steps to strengthen security and prevent similar incidents in the future, including implementing multifactor authentication for all users of its network and establishing minimum security requirements for all devices with network access that are not managed by Broward Health’s IT department. Those security requirements take effect this January.

Broward Health has received no reports of misuse of patient or employee information, but as a precaution against identity theft and fraud, affected individuals have been offered a free two-year membership to the Experian IdentityWorksSM service, which includes identity theft protection, detection, and resolution services.

The breach has not yet appeared on the HHS’ Office for Civil Rights breach portal, but it was reported to the Maine Attorney General as potentially affecting 1,357,879 individuals.

State Attorneys General Can Also Impose HIPAA Violation Penalties

Since the HITECH Act (Section 13410(e)(1)) was introduced in February 2009, state attorneys general have been authorized to hold HIPAA-covered entities accountable for breaches of the PHI of state residents and to file civil actions in the federal district courts. For HIPAA violations, penalties of up to $25,000 per violation category, per calendar year, may be imposed. The minimum penalty is $100 per violation.

A covered entity that suffers a data breach affecting residents of several states may have to pay HIPAA violation penalties to the attorneys general of each of those states. Only a few states have imposed penalties on HIPAA-regulated entities for violations of the HIPAA Rules: California, Connecticut, the District of Columbia, Massachusetts, Minnesota, Indiana, New Jersey, New York, and Vermont.

In recent years, attorneys general have joined forces to impose penalties for HIPAA violations arising from large data breaches that affected individuals across the United States, pooling their resources and sharing any resolutions or civil monetary penalties. Although only a few states have used their authority to impose penalties for HIPAA violations, that does not mean HIPAA violations go unpunished: many states have imposed financial penalties for equivalent violations of state laws.

Are HIPAA Violations Criminal?

When a HIPAA-covered entity or business associate violates the HIPAA Rules, civil penalties may be imposed. When healthcare organizations fail to comply with HIPAA, it is usually the employer that is fined, but not always. When healthcare professionals knowingly obtain or use protected health information (PHI) for purposes not permitted by the HIPAA Privacy Rule, they can be held criminally liable under the criminal enforcement provision of the Administrative Simplification subtitle of HIPAA.

The Department of Justice prosecutes criminal HIPAA violations, in particular those committed by individuals who have knowingly violated the HIPAA Rules. Several such cases have resulted in substantial fines and prison sentences.

Criminal HIPAA violations include the theft of patient data for financial gain and wrongful disclosures made with the intent to cause harm. Ignorance of the HIPAA Rules is not an acceptable defense: a person who “knowingly” violates HIPAA need only have knowledge of the actions that constitute the offense, not actual knowledge that those actions violate the HIPAA Rules.

Criminal Penalties for HIPAA Violations

Criminal penalties for HIPAA violations fall into three tiers, each with a maximum prison term and an associated fine. A judge determines the penalty based on the facts of each case, and, as with OCR, a number of general factors influence the penalty imposed. When an individual has profited from accessing, stealing, or disclosing PHI, any money obtained may have to be repaid in addition to the fine.

The three tiers of criminal penalties for HIPAA violations are as follows:

Tier 1: Reasonable cause or no knowledge of the violation – up to 1 year in prison

Tier 2: Obtaining PHI under false pretenses – up to 5 years in prison

Tier 3: Obtaining PHI for personal gain or with malicious intent – up to 10 years in prison

In recent months there has been an increase in the number of employees found to have accessed or stolen PHI for a variety of reasons. PHI commands a high price on the black market, which is a strong temptation for some people. It is therefore important that controls are in place to limit the opportunity for individuals to steal patient data, and that systems and policies exist to ensure that improper PHI access and theft are detected promptly.

All employees whose jobs give them access to PHI should be made aware of the criminal penalties for HIPAA violations and the consequences of violating the rules, including loss of employment and potentially a lengthy prison sentence and a substantial fine.

State attorneys general are pursuing data theft cases and penalizing individuals found to have violated the HIPAA Privacy Rule. A prison sentence for stealing PHI is therefore very likely.