FTC, HHS OCR scrutiny tightens on third-party ad trackers, sends letter to 130 hospitals and telehealth providers

If you’ve checked on your legal department, they may resemble Pepper (left). Hospitals and telehealth companies have been put on notice by letter agencies HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) that personal health information–not just protected health information (PHI) covered by HIPAA–that can be transmitted to third parties by ad trackers like Meta Pixel is now forbidden, verboten, not permitted. In the joint statement by OCR and FTC, hospitals, providers, and telehealth providers were explicitly told that use of these online trackers is being equated with violations of consumer privacy. Their release specified “sensitive information” such as health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, and where an individual seeks medical treatment. Hospitals and telehealth companies also cannot plead ignorance of what their developers did, as the responsibility is being put squarely on them to monitor the data going to third parties out of websites and apps.

“The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said. At OCR, which historically had its hands full with HIPAA violations and data breaches, their scope has broadened. “Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.” Both HHS and FTC can take action without the time-consuming legal actions that DOJ must undertake.

True to FTC’s renewed use of the 2009 Health Breach Notification Rule, the letter sent to 130 hospital systems and telehealth providers came down hard on anything that could be interpreted as personal health information. Even for health organizations not covered by HIPAA, the letter is explicit on their obligation to protect against disclosure to third parties and to monitor the flow to third parties even if not used for marketing. Without explicit consumer authorization, it can “violate the FTC Act as well as constitute a breach of security under the FTC’s Health Breach Notification Rule.” Previous TTA coverage on third-party trackers and FTC actions here. Health IT Security

The DOJ and FTC alone, with actions on ad trackers and changes to antitrust guidelines, have made the spring and summer of 2023 a most interesting and busy one for hospital and healthcare company legal departments. It’s even more amazing that, given this background and being on notice, Amazon just keeps flouting basic regulations about health information usage, such as for Amazon Clinic–which to date has not rolled out. TTA 27 June

Amazon Clinic delays 50-state telehealth rollout due to Federal data privacy, HIPAA concerns on user registration, PHI–is it a warning?

Amazon delaying Amazon Clinic national rollout from today (27 June) to 19 July. Amazon Clinic, which debuted last November as an asynchronous, message-based telehealth consult or prescription renewal referral platform [TTA 16 Nov 2022], has run once again into Federal scrutiny. This time, it’s two Senators from New England–the well-known Elizabeth Warren (D-MA) and the little-known Peter Welch (D-VT)–who are poking Amazon with the stick of whether sensitive health and personal data are flowing into Amazon’s other databases.

Their letter to CEO Andy Jassy was fair warning that, as this Editor predicted last February (see the list of open issues) after the One Medical buy closed to high-fives all around, the government is nowhere near finished with scrutinizing Amazon and how personal data, including health data, flows between their units and is monetized. 

In a two-page letter dated 16 June based on reporting in the Washington Post (100% owned by Amazon’s 12.6% shareholder and controller, Jeff Bezos–the irony runs deep here), the two senators believe that they have caught Amazon but good–and with some of the goods. 

  • Users of the Amazon Clinic service are asked, in the registration form, to authorize the “use and disclosure of protected health information.” They are told that agreement to this gives Amazon access to the “complete patient file” and that this information “may be re-disclosed,” after which it will “no longer be protected by HIPAA”. By agreeing to this, users waive any HIPAA personal health information protections.
  • If the user declines to agree, they are redirected and unable to complete Amazon Clinic registration and denied care. HIPAA regulations specifically prohibit conditioning care on agreement to disclose patient information. (This is known by anyone who has taken required training or certification on HIPAA when working for health plans or other regulated healthcare providers including RPM and telehealth vendors.)

The letter raises the sensible, usual questions on why personal data is being collected and what Amazon is doing with it. For instance, it requests responses on how patient data is used by Amazon, what data is shared with third-party entities, and what data is used in any analytics or algorithms. It cites as a non-compliance example the $1.5 million that GoodRx paid in an FTC penalty on their past Meta Pixel usage for ad tracking. (Interestingly avoiding the $7.5 million Teladoc paid for similar ad tracker misuse by BetterHelp.)

The $30/visit service has been available in 33 states since last year and currently through asynchronous messaging, provides care for minor conditions such as UTIs, herpes, and skin infections. The expansion will cover all 50 states and add synchronous video telehealth.

One would think that with billions on the line with One Medical, Amazon would be more cautious about poking the Antitrust Bear. They have already been put on notice by the Federal Trade Commission, the Department of Justice (DOJ), Congress, and multiple states. For Amazon Clinic, requiring individuals to waive their right to protect their PHI in registering for the service is downright brazen. How this got past their legal and compliance departments boggles the mind. Why Amazon is not ‘hiving off’ PHI collected through this small service is another question. Doing so would show to FTC and DOJ that Amazon can play by the rules. Instead, it confirms the widely held belief of those in healthcare that Amazon culturally cannot deal with the restrictions that come with the territory. Are they deliberately ‘playing chicken’ with the Feds? Pollo loco? This up-to-the-line behavior tends not to end well, as the telemental health providers that over-prescribed controlled substances found out.  POLITICO, The Hill, mHealth Intelligence

News roundup: WakeMed sued on Meta Pixel; Hint Health buys AeroDPC; Neurotrack’s $10M raise, 3 min. cognitive tool intro; layoffs dim Kry, Brightline

WakeMed has been caught up in the litigation surrounding Meta Pixel. The Raleigh, North Carolina area health system installed it on their MyChart patient portal and website, where it was in place for over four years sending information back to Facebook, violating patient privacy and open to unauthorized misuse. The class action lawsuit filed in NC states that it was installed in March 2018 and not removed until June 2022. PHI cited includes names and contact details; computer IP addresses; emergency contact information; check-in information, such as allergies and medications; appointment details; and, in some cases, Social Security numbers or financial information. Matthiae v. WakeMed Health and Hospitals (ClassAction.org), Becker’s.  TTA’s Meta Pixel articles

Two more acquisitions and fundings announced this week:

  • Hint Health is acquiring AeroDPC, an EHR and practice management software for direct primary care clinics. Purchase price was not disclosed. AeroDPC will operate as a subsidiary of Hint, with cofounder Dr. Brad Brown joining the combined company as medical director. Hint is a platform with a subscription-based payment model for primary care providers that bypasses health plans. It sets them up with enrollment, member management, billing, and administration.  Mobihealthnews   In June, Hint raised $45 million in a funding round led by Banneker Partners and Frist Cressey Ventures. Crunchbase, Mobihealthnews
  • Neurotrack, a startup focusing on developing digital cognitive tools, raised $10 million in new funding, adding to its 2019 $21 million Series C. Putting the raise to work right away, yesterday (1 Nov) it launched a three-minute digital assessment tool to screen for cognitive decline and impairment during the typical 40-minute wellness appointment. CMS guidelines require a cognitive assessment as part of a Medicare beneficiary’s annual wellness visit (AWV) enrolled in Part B or Medicare Advantage, yet only about 25% actually receive one.   Release, Mobihealthnews

Unfortunately, the layoffs do continue. From Layoffs.fyi, which tracks them by industry:

  • Kry, known in the UK, US, and France as Livi, is having its second layoff of the year with 10% (about 300) of its workforce pinkslipped. Back in June, they released 100 employees [TTA 30 July]. While Dagens Nyheter reports that Kry is already profitable in Sweden, overall profitability is elusive. The goal is to achieve it in 18-24 months.
  • On Friday, pediatric virtual behavioral health startup Brightline laid off 20% of their workforce, citing realignment of strategic priorities. A number was not estimated. Brightline raised $115 million between March and July this year from 7Wire and Northwell Health, for a total of $212 million (Crunchbase) and, at that time, a valuation of $705 million. [TTA 1 April]. Brightline provides digital tools, coaches, live therapy sessions, psychiatric services, and medication support for children, teens, and families. Behavioral Health Business

Amazon moves to acquire One Medical provider network for $3.9B (updated)

Amazon joining the in-person provider network space for real. Amazon Health Services last week moved beyond experimenting with in-person care via provider agreements (Crossover Health, TTA 17 May) to being in the provider business with an agreement to acquire One Medical. Earlier this month, news leaked that One Medical as 1Life Healthcare was up for sale to the right buyer, having spurned CVS, and after watching their stock on Nasdaq plummet 75%.

  • The cash deal for $3.9 billion including assumption of debt is certainly a good one, representing $18 per share, a premium to their $14 share IPO in January 2020. (The stock closed last Wednesday before the announcement at just above $10 per share then plumped to ~$17 where it remains.)
  • The announcement is oddly not on One Medical’s website but is on Amazon’s here.
  • The buy is subject to shareholder and the usual regulatory approvals. The IPO was managed by JP Morgan Securities and Morgan Stanley. It is primarily backed by Alphabet (Google).
  • One Medical’s CEO Amir Dan Rubin will stay on, but there is no other executive transition mention.
  • Also not mentioned: the Iora Health operation that serves primarily Medicare patients in full-risk value-based care models such as Medicare Advantage (MA) and Medicare shared savings, quite opposite to One Medical’s membership-based concierge model. However, Iora’s website is largely cut over to One Medical’s identity and their coverage is limited to seven states.

There is a huge amount of opinion on the buy, but for this Editor it is clear that Amazon with One Medical is buying itself into in-person and virtual primary care for the employer market, where it had limited success with its present largely virtual offering, and entree with commercial plans and MA. One Medical has over 700,000 patients, 8,000 company clients and has 125 physical offices in 12 major US markets including NYC, Los Angeles, Boston, and Atlanta. It has never turned a profit. Looking at their website, they welcome primarily commercial plans and MA (but not Medicare supplement plans).

Amazon, with both a virtual plus provider network, now has a huge advantage over Teladoc and Amwell, both of which have previously brushed off Amazon as a threat to their business. There is the potential to run two models: the current Amazon Care pay-as-you-go model and the One Medical corporate/concierge model. This puts Amazon squarely in UHC’s Optum Health territory, which owns or has agreements with over 5% of US primary care practices, is fully in value-based care models such as Medicare shared savings through its ACOs, and is aggressively virtual plus integrating services such as data analytics, pharmacy, and financial. Becker’s

What doesn’t quite fit is Iora Health and the higher cost/higher care needs Medicare market that is less profitable and requires advanced risk management, a skill set that Amazon doesn’t have. This Editor will make a small prediction that Iora will be sold or spun off after the sale.

This Editor continues to believe that the real game for Amazon is monetizing patient data. That has gained traction since we opined that was the real Amazon Game in June and October last year. To restate it: Amazon Care’s structure, offerings, and cheap pricing feed our opinion that Amazon’s real aim is to accumulate and own national healthcare data on the service’s users. Then they will monetize it by selling it to pharmaceutical companies, payers, developers, and other commercial third parties in and ex-US. Patients may want to think twice. This opinion is now shared by those with bigger voices, such as the American Economic Liberties Project. In their statement, they urged that the government block the buy due to Amazon’s cavalier attitudes towards customer data and far too much internal access, unsecured, to customer information (Revealnews.org from Wired). Adding PHI to this is like putting gasoline on a raging fire, and One Medical customers are apparently concerned. For what it’s worth, Senator Bernie Sanders has already tweeted against it.   MarketWatch

Whether this current administration and the DOJ will actually care about PHI and patient privacy is anyone’s guess, but TTA has noted that Amazon beefed up its DC lobbying presence last year. According to Opensecrets.org, they spent $19.3 million last year. In fairness, Amazon is a leading Federal service provider, via Amazon Web Services. (Did you know that AWS stores the CIA’s information?)  One Medical is also relatively small–not a Village MD/Village Medical, now majority owned by Walgreens Boots. This is why this Editor believes that HHS, DOJ, and FTC will give it a pass, unlike UHG’s acquisition of Change Healthcare, especially if Amazon agrees to divest itself of the Iora Health business.

Treat yourself to the speculation, including that it will be added as an Amazon Prime benefit to the 44% of Americans who actually spend for an Amazon Prime membership. It may very well change part of the delivery model for primary care, and force other traditional providers to provide more integrated care, which is as old as Kaiser and Geisinger. It may demolish telehealth providers like Teladoc and Amwell. But as we’ve also noted, Amazon, like founder Jeff Bezos, deflects and veils its intents very well. FierceHealthcare 7/25, FierceHealthcare 7/21, Motley Fool, Healthcare Dive

Let the lawsuits begin: Meta sued by health system patient for Meta Pixel info gathering

That was fast. Class action game on! Today’s reports of a class action lawsuit being filed against Meta Friday in the US District Court for the Northern District of California in San Francisco is going to be only the first. The ‘John Doe’ plaintiff, a patient of Baltimore-based Medstar Health System and a Facebook user, claims that he is filing on behalf of “millions of other Americans whose medical privacy has been violated by Facebook’s Pixel tracking tool.” Four law firms are involved in the lawsuit. It follows on last week’s investigative report by The Markup and STAT on the Meta Pixel tracker being used by 33 of the top 100 hospital systems [TTA 17 June].

The study indicates that the information gathered in the appointment booking form included IP address, doctor’s name, patient name, email address, phone number, zip code, and city of residence. When it’s put together with outside information, it can be considered a HIPAA violation.

The lawsuit alleges that the information was collected without consent. Neither Meta nor Facebook have a Business Associate Agreement (BAA) in place covering them for gathering this information in any one of the 664 health systems using the Meta Pixel cited in the suit.

The suit requests compensatory and punitive damages for breach of contract, constitutional invasion of privacy, violation of the Electronic Communications Privacy Act, violation of the California Invasion of Privacy Act, and other allegations. The filing was captured by ReclaimTheNet.org. If you look at page 18, there are multiple statements from Meta/Facebook stating that advertising based on health is ‘inappropriate’, but the filing then illustrates how Facebook goes ahead and does it anyway (!)

A small wrinkle: In a statement to HIPAA Journal, Medstar Health Systems claimed it does not use the Meta Pixel or any Facebook code on its website. It creates an issue of the plaintiff’s standing and harm.

FierceHealthcare, Becker’s, HealthITSecurity

“All That We Let In”: health apps’ APIs are vulnerable and easy to hack, exposing and altering PHI and PII

Mobile security company Approov has issued a scary report on the hackability of popular health apps. They tested 30 apps (not named in the report) of the 300,000-odd health apps in the market, and found that the application programming interfaces (APIs) used in 100 percent of these apps had hardcoded vulnerabilities that could allow hackers to access protected health information (PHI), personally identifiable information (PII), identity, and billing information. According to the report (registration required), these apps used by patient care organizations for remote account management and telemedicine appointments may expose 23 million individuals. Of the 30 apps tested:

  • 77 percent contained hardcoded API keys, some of which do not expire
  • Seven percent had hardcoded usernames and passwords in plain text
  • 50 percent of the doors that these API vulnerabilities opened led to PHI and billing information
  • 100 percent of the API endpoints tested were vulnerable to Broken Object Level Authorization (BOLA) attacks. These involve a relatively simple process of falsifying user IDs and swapping out numbers. For some apps, the hack could gain clinician-level access and alter medical histories and records (including issuing prescriptions for medication).
  • 100 percent of the apps were vulnerable to man-in-the-middle attacks due to failure to implement certificate pinning, which forces the app to validate the server’s certificate against a known good copy

Alissa Knight, the ‘recovering hacker’ who authored the report, also hacked into one hospital’s EHR and changed its values by one digit. She was then able to access health records and registration information. She used a hacking tool that looks like it is generating data from a mobile health app.
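The BOLA finding above (a valid session reading or altering someone else’s record just by changing the ID) is easiest to see in code. This is an added illustration, not code from the Approov report or from any app it tested: a constructed in-memory record API with the vulnerable read beside a hardened read and write that enforce object-level authorization and log every denial.

```python
"""Broken Object Level Authorization (BOLA) in a health-app record API:
the vulnerable read beside a hardened read and write.  All data below is
constructed for this example; nothing here comes from the Approov report."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed patient records keyed by a sequential numeric id. Sequential
# ids are what make "swap the number" probing trivial once object-level
# authorization is missing; the fix is the check, not hiding the ids.
RECORDS = {
    1001: {"patient_id": "p-alice", "diagnosis": "hypertension", "meds": ["lisinopril"]},
    1002: {"patient_id": "p-bob", "diagnosis": "type 2 diabetes", "meds": ["metformin"]},
}

# Constructed care-team assignments: clinician id -> patients they treat.
CARE_TEAM = {"dr-chen": {"p-alice"}}

# Denied requests are appended here; in a real service this is the audit
# log a SOC would alert on (many denials from one session = id enumeration).
AUDIT_LOG: List[str] = []


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after validating its token."""
    principal: str  # authenticated user id
    role: str       # "patient" or "clinician"


def get_record_vulnerable(session: Session, record_id: int) -> dict:
    """The caller is authenticated, but nothing ties the session to the
    record being requested.  Any valid session reads any record simply by
    changing record_id in the request: that is BOLA."""
    return RECORDS[record_id]


def _may_access(session: Session, record: dict) -> bool:
    """Object-level rule: a patient sees only their own record; a clinician
    sees only patients on their care team."""
    owner = record["patient_id"]
    if session.role == "patient":
        return session.principal == owner
    if session.role == "clinician":
        return owner in CARE_TEAM.get(session.principal, set())
    return False


def _deny(session: Session, record_id: int, action: str) -> None:
    AUDIT_LOG.append(
        f"DENY {action} record={record_id} principal={session.principal} role={session.role}"
    )


def get_record_hardened(session: Session, record_id: int) -> Optional[dict]:
    """Hardened read.  Returns None for both 'does not exist' and 'not yours'
    so the response does not tell a prober which ids are real."""
    record = RECORDS.get(record_id)
    if record is None or not _may_access(session, record):
        _deny(session, record_id, "read")
        return None
    return record


def update_meds_hardened(session: Session, record_id: int, meds: List[str]) -> bool:
    """Hardened write.  Only an assigned clinician may change the medication
    list; a patient who can read their own record still cannot alter it."""
    record = RECORDS.get(record_id)
    if record is None or session.role != "clinician" or not _may_access(session, record):
        _deny(session, record_id, "update")
        return False
    record["meds"] = list(meds)
    return True


if __name__ == "__main__":
    bob = Session("p-bob", "patient")
    # Vulnerable: Bob's request for 1001 instead of his own 1002 returns Alice's record.
    print(get_record_vulnerable(bob, 1001)["patient_id"])
    # Hardened: the same request is denied and the denial is logged.
    print(get_record_hardened(bob, 1001))
    print(AUDIT_LOG[-1])
```

The audit entries are the detection hook: a burst of DENY lines with consecutive record ids from one principal is the signature of the ID-swapping the report describes.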

The use of mobile apps for telehealth and portals has become far more widespread as a result of the pandemic, yet security has lagged–even though the level of sophistication in the apps, and the amount of information they integrate, has accelerated to become the norm. It’s a wakeup call to developers, health systems, and digital health companies that off the shelf and old APIs don’t meet security demands. Unfortunately, Gartner projects that APIs will become the vector for most data breaches by 2022. CPO Magazine, FierceHealthcare

Hackermania ‘bigger than government itself’–and 25% of healthcare organizations report mobile breaches

To quote reporter Andy Rooney, ‘why is that?’ Everyone in healthcare (with our Readers well ahead of the curve) has known for years that our organizations are special targets, indeed–by hackers (activists or not), spammers, ransomwarers, criminals, bad guys in China, North Korea, and Eastern Europe, plus an assortment of malicious insiders and the simply klutzy. Why? Healthcare organizations, payers, and service companies have a treasure trove of PHI and PII with Big Value. 

So to read in Healthcare IT News that Christopher Wray, the new director of the FBI, is saying that today’s cyberthreats are bigger than any one agency, and in fact bigger than the government itself, it gives you the feeling that the steamroller has not only run over us, but is on the second pass.

According to one reporting company, Bitglass, breach incidents were year-over-year flat (290), but the number of records affected in 2018 nearly tripled from 4.7 million to 11.5 million. Hacking finally became the top cause (45.9 percent) versus unauthorized access and disclosure (35.9 percent). Loss and theft is down to about 15 percent.

And mobile feels like that second pass. Verizon’s Mobile Security Index 2019 reports that 25 percent of healthcare organizations have had a mobile-related compromise. Nearly all hospitals are investing in mobile. In the field, doctors and other clinicians are either using issued devices or BYOD, whether authorized or not. Whether or not their organizations are using app security systems like Blue Cedar [TTA 17 Feb 18] or work with companies like DataArt on securing proprietary systems is entirely another question. Apparently it’s not a priority. According to the Verizon study, nearly half of all organizations sacrificed mobile security in the past year to “get the job done.” Healthcare Dive.

Back to Director Wray, who is urging public-private cooperation especially with the FBI, which itself has not hesitated to break encryption (e.g. Apple’s) in going after criminals’ phones.

About time: digital health grows a set of ethical guidelines

Is there a sense of embarrassment in the background? Fortune reports that the Stanford University Libraries are taking the lead in organizing an academic/industry group to establish ethical guidelines to govern digital health. These grew out of two meetings in July and November last year with the participation of over 30 representatives from health care, pharmaceutical, and nonprofit organizations. Proteus Digital Health, the developer of a formerly creepy sensor pill system, is prominently mentioned, but attending were representatives of Aetna CVS, Otsuka Pharmaceuticals (which works with Proteus), Kaiser Permanente, Intermountain Health, Tencent, and HSBC Holdings.

Here are the 10 Guiding Principles, which concentrate on data governance and sharing, as well as the use of the products themselves. They are expanded upon in this summary PDF:

  1. The products of digital health companies should always work in patients’ interests.
  2. Sharing digital health information should always be to improve a patient’s outcomes and those of others.
  3. “Do no harm” should apply to the use and sharing of all digital health information.
  4. Patients should never be forced to use digital health products against their wishes.
  5. Patients should be able to decide whether their information is shared, and to know how a digital health company uses information to generate revenues.
  6. Digital health information should be accurate.
  7. Digital health information should be protected with strong security tools.
  8. Security violations should be reported promptly along with what is being done to fix them.
  9. Digital health products should allow patients to be more connected to their care givers.
  10. Patients should be actively engaged in the community that is shaping digital health products.

We’ve already observed that best practices in design are putting some of these principles into action. Your Editors have long advocated, to the point of tiresomeness, that data security is not notional from the smallest device to the largest health system. Our photo at left may be vintage, but if anything the threat has both grown and expanded. 2018’s ten largest breaches affected almost 7 million US patients and disrupted their organizations’ operations. Social media is also vulnerable. Parts of the US government–Congress and the FTC through a complaint filing–are also coming down hard on Facebook for sharing personal health information with advertisers. This is PHI belonging to members of closed Facebook groups meant to support those with health and mental health conditions. (HIPAA Journal).

But here is where Stanford and the conference participants get all mushy. From their press release:

“We want this first set of ten statements to spur conversations in board rooms, classrooms and community centers around the country and ultimately be refined and adopted widely.” –Michael A. Keller, Stanford’s university librarian and vice provost for teaching and learning

So everyone gets to feel good and take home a trophy? Nowhere are there next steps, corporate statements of adoption, and so on.

Let’s keep in mind that Stanford University was the nexus of the Fraud That Was Theranos, which is discreetly not mentioned. If not a shadow hovering in the background, it should be. Perhaps there is some mea culpa, mea maxima culpa here, but this Editor will wait for more concrete signs of Action.

Higi and Interpreta’s data mix partnership–questions on consent, data security

Higi (also higi), which has placed health monitoring kiosks in over 11,000 US retail locations and a 5.5 million signup base, and data cruncher Interpreta announced that they are partnering to blend Higi’s vital signs data with Interpreta’s claims, clinical and genomics data analytics. Based on Mobihealthnews’ article and the joint release, an individual’s health information taken at higi retail stations will be “prioritized within Interpreta in real time”. They also claim that for the first time, insurance payers and providers will be able to leverage biometrics data, clinical, claims and additional genomic information a person may obtain from genetic testing services into a ‘personalized care roadmap’ that closes gaps in care. This is positioned as a big advance in population health and it all sounds great.

Perhaps not so great are the details. What about consent and data security? Aside from absolutely no mention of patient consent and HIPAA compliance in the above news, this Editor suspects that past, current and future Higi users may not be made aware that their vital signs data recorded with Higi will be 1) sent into a non-Higi database and 2) integrated with other information that appears in Interpreta’s database. How is this being done? Is consent obtained? What then happens? Is it used on an identified or de-identified basis? Where is it going? Who is doing what with it? Can it be sold, as 23andme’s genomic information is (with consent, but still…)? “Interpreta works in the realm of precision medicine, continuously interpreting and synchronizing clinical and genomics data in real time to create a personalized roadmap to enable the orchestration of timely care,” but they do this for providers and health plans, who are then responsible for privacy and data integrity. Consent for Higi to keep a record of your blood pressure when you drop into your local RiteAid or ShopRite is not consent for Interpreta to use or manipulate it. These questions should have been addressed in the release or an accompanying fact sheet. We welcome a response from either Higi or Interpreta.

And one last and exceedingly ‘gimlety’ observation by this Editor: kiosks get hacked, and here we have not a price to a McDonald’s meal but a portal to deep PHI. Here’s a two-part article in an industry publication, Kiosk Marketplace, if you are skeptical. Part 1, Part 2 

Is wearable IoT really necessary–and dangerous to your privacy?

But does the average person even care? This Editor senses a groundswell of concern among HIT and health tech regarding the highly touted Internet of Things (IoT) and the dangers it might present. Our previous article reviewed the possibilities of hacking, system vulnerabilities in IoT networks and software bugs ‘bricking’ everyday objects such as refrigerators and cars. But what about wearables and the unimaginable amount of data they generate? Is it as unidentifiable as wearables makers claim? Columbia University computer science student Matthew Piccolella focuses in his article on healthcare ‘things’, primarily fitness trackers like Editor Charles’ favorite, Jawbone, but also clothing and even headsets that measure brain waves (Imec). Their volumes of data are changing the definition of healthcare privacy, which in the US has been synonymous with HIPAA. The problem is that health metadata are increasingly identifiable in a ‘big data’ world. (more…)

Extent, cost of health ID theft exposed in Wall Street Journal

Confirmation that your Editors (including Founder Steve) are no longer Voices Crying In The Wilderness on health data insecurity came this weekend on the front page (print) of The Wall Street Journal. It concentrated less on the profit of stolen PHI–$50 per record on average versus $7 for a credit card, according to Ponemon Institute–than on the horror of the 2.3 million individuals suddenly finding out that hospitalizations, procedures and prescriptions in their name were being used by others, leaving them with the bill and unable to clear both their financials and their health records.

EHRs are treasure troves of health and financial information. Unlike credit card theft, there’s no warning–and no limits. Providers and insurance companies put the onus on the person with the stolen data. There is no healthcare equivalent of the Fair Credit Billing Act (FCBA) and the Fair Credit Reporting Act (FCRA), which since 1974 and 1970 respectively have limited the individual impact of fraudulent credit card charges.

Consumer security programs like LifeLock are not particularly effective in proactive notification. In other words, you’re stuck. You may run through your benefits and then be responsible for the bills. Second, you may never get the bad information and diagnoses out of the supposedly accessible health record because of privacy laws, especially if you are a caregiver.

Victims sometimes only find out when they get a bill or a call from a debt collector. They can wind up with the thief’s health data folded into their own medical charts. A patient’s record may show she has diabetes when she doesn’t, say, or list a blood type that isn’t hers—errors that can lead to dangerous diagnoses or treatments.

Adding insult to injury, a victim often can’t fully examine his own records because the thief’s health data, now folded into his, are protected by medical-privacy laws. And hospitals sometimes continue to hound victims for payments they didn’t incur.

According to Ponemon, “65% of victims reported they spent an average of $13,500 to restore credit, pay health-care providers for fraudulent claims and correct inaccuracies in their health records.”

Very rarely does this Editor look for a Federal remedy to a problem, (more…)

UCLA Health data breach may affect 4.5 million patients

Breaking news out of Los Angeles this afternoon is that the UCLA Health System’s computer network was compromised by an external cyberattack, exposing an estimated 4.5 million patient records. According to the LA Times, “the hospital saw unusual activity in one of its computer servers in October and began investigating with assistance from the FBI. The investigation confirmed May 5 that the hackers had gained access to parts of UCLA Health’s computer system where some patient information was stored. The hackers gained access to names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information like patient diagnoses and procedures.” There also appears to have been a delay in the realization that sensitive PHI had been accessed: the unusual activity was seen in October, access to patient data was not confirmed until May 5, and the suspicious activity could have started as early as September 2014. Yet the UCLA Health statement equivocates: “At this time, there is no evidence that the attacker (more…)

The sheer screaming attractiveness of medical ID theft

Harry Lime Lives! It’s the 1949 Vienna of ‘The Third Man’ when it comes to the black market in medical identity theft. Data breaches are easier than heisting penicillin off an Army Medical Corps truck and far less noticeable: there’s always a lag time in discovery, as more than one health system (Community Health Systems among them) has found. And protected health information (PHI) has value down the line. According to a report cited by FierceHealthIT:

  • Simple data comes cheap: names, birth dates and health insurance contract and group numbers fetch a pedestrian $20.
  • Add Social Security numbers (SSNs), banking and credit card information, and these ‘kits’ fetch $1,500. These can be used for financial fraud of multiple types or to build alternate identities.
  • Add medical data, and direct marketing data brokers and pharmacy benefit companies are willing to pay. They use it for legitimate (but annoying) purposes, such as targeting those with specific diseases.
  • Add physical identification, and the value goes through the roof for fake passports, driver’s licenses and visas.

The ways PHI can be accessed are many: EHRs, paper records, stolen laptops, CDs, accounting systems, provider, insurer and supplier systems, and simple ‘friendly fraud’ (more…)

Data breaches may cost healthcare organizations $5.6 bn annually: Ponemon (US)

The PHI threat comes from within, with no end in sight for HIT staff and CIOs: Ponemon Institute and IS Decisions

The Ponemon Institute’s fourth annual benchmark report on patient privacy and data security was released last week and, with a few exceptions, the news is worse than last year’s. Eight highlights from the study of 91 responding organizations (Ponemon admits the results are skewed toward larger respondents) for 2013 are:

  1. The average cost of data breaches in the study group was approximately $2 million per organization over a two-year period. Extrapolated to the more than 5,700 hospitals in the US, the estimated annual cost is $5.6 billion, down from $7 billion in 2012.
  2. The number of data breaches decreased slightly: 38 percent of organizations reported more than five breaches in the 2013 study, compared with 45 percent in 2012. Ninety percent reported at least one data breach in the past two years, versus 94 percent in 2012.
  3. Healthcare organizations are improving their ability to control data breach costs. The $2.0 million two-year economic impact for the organizations in this study is 17 percent (nearly $400,000) less than in 2012.
  4. ACA increases risk to patient privacy and information security. No surprises here for readers: insecure exchange of information between healthcare providers and government (75 percent), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent) lead the list of concerns. (more…)