DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

An OCR investigation illustrates the value of investigating small and medium-sized entities

Posted on October 8, 2018 by Dissent

One of the common themes in discussing security is that many organizations are not “mature” yet. And of course, as HIPAA recognizes in its security rule, smaller practices should not be expected to do everything you might expect a larger hospital system to do. But even small or  medium-sized entities need to comply with the core standards.

At the Privacy and Security Forum in D.C. this past week, I had the opportunity to speak briefly with Roger Severino,  the new Director of the Office for Civil Rights at the U.S. Department of Health and Human Services.

Severino comes to the position, he explained, with an enforcement background and orientation. So I took the opportunity to mention that I have yet to see OCR really take enforcement action against entities who never even disclose a breach to OCR or to affected patients. It’s certainly been the case that over the past few years, a freelance security researcher has notified OCR of a number of FTP server leaks, and I’ve notified OCR of a number of leaks or hacks (some involving TheDarkOverlord) that were seemingly never reported to OCR and may never have been disclosed to affected patients.

Severino asked me to send him a batch of information on breaches that were never investigated or have not shown up on their breach tool — or where patients may never have been notified. I will be collaborating with the security researcher to compile a sample list for OCR. Not all of the entities may be covered entities under HIPAA, of course, but I bet you the majority are.

Anyway, I left D.C. encouraged by Severino’s enforcement attitude, and got home to a second pleasant surprise relevant to this topic.  OCR had sent the researcher a letter about the outcome of an investigation they had conducted based on a complaint he sent them in December, 2016. The complaint involved an FTP server that was open to the public because it permitted anonymous login.

As with the Patterson Dental situation that I have reported on in the past,when contacted by OCR, Patients Choice in Texas reportedly told OCR that the researcher had hacked them. It’s not clear whether Patients Choice really understood their leak or if they were just trying to deflect responsibility. In any event, when OCR investigated, they found numerous deficiencies on Patients Choice’s part. By the time OCR closed its investigation more than 18 months later, they had provided substantial information and assistance to help Patients Choice come into compliance with HIPAA and HITECH.

The Complaint

On December 27, 2016, the researcher reported to OCR that in November, 2016 he had found Patients Choice patient data in the form of 1,069 scanned pdf files with protected health information exposed on an FTP server that permitted anonymous login. He also reported to OCR that he had notified Patients Choice by phone and had recorded the notification calls.

OCR reached out to Patients Choice in March, 2017 and thereafter. Patients Choice’s report on HHS’s breach tool is dated in September, 2017.

The Investigation and Findings

As OCR explains it, the Patients Choice report in response to their inquiry indicated possible noncompliance with certain aspects of the privacy and security rules:

The report indicated potential violations of 45 C.F.R. §§ 164.502(a) (Uses and Disclosures of PHI), 164.308(a)(l)(ii)(A) (Risk Analysis), 164.308(a)(l)(ii)(B) (Risk Management Plan), 164.308(a)(7)(ii)(A) (Data Backup Plan), 164.312(a)(2)(iv) (Encryption and Decryption), 164.312(d) (Person or Entity Authentication), 164.312(e)(l) (Transmission Security), 164.404 (Notification to Individuals), 164.406 (Notification to Media), and 164.408 (Notification to Secretary)

That’s a lot of potential violations for OCR to investigate. As their closing letter explains:

By letters dated March 2, 2017, and January 26, 2018, OCR notified Covered Entity of its investigation into this matter.  In its responses to OCR from March 31, 2017 to September 21, 2018, and during a site visit by OCR, Covered Entity provided evidence of its internal investigation concerning the breach incident as well as extensive corrective action it has taken in response to the incident.

The evidence revealed that at the time of the breach incident, Covered Entity’s satellite offices utilized the involved FTP server to send billing documents to Covered Entity’s Billing Department. Covered Entity discovered that a contractor handling multiple hardware issues allowed the FTP server to accept anonymous logins while trouble shooting network errors. The contractor inadvertently failed to disable the anonymous login on the FTP server. Covered Entity ceased using the IT vendor that employed the involved contractor and hired a new IT vendor.

The closing letter (see below) reviews all of the corrective actions Patients Choice subsequently took.  But would they have taken any of these actions if OCR had not contacted them and opened an investigation based on the researcher’s report? I think that the entity would likely have continued to claim that they were hacked, and might have taken significantly different corrective actions. And it’s not clear to me whether OCR or patients would ever have been notified. Why was their notification to OCR dated September, 2017 instead of no later than January, 2017 after the researcher contacted them in November, 2016?  As OCR found, notification was not timely.

In its investigation, OCR also looked at notification to patients, to the media, and to OCR. They found that although Patients Choice had made notifications, the notifications were all untimely, and there were other deficiencies:

Upon review, OCR also noted that Covered Entity’s substitute notice did not include a brief description of the breach, the types of PHI involved in the breach, steps affected individuals should take to protect themselves from potential harm, and a brief description of what Covered Entity is doing to investigate the breach, mitigate the harm, and prevent further breaches. Further, the substitute notice did not include a toll-free number for individuals to contact Covered Entity regarding the breach. OCR, therefore, provided technical assistance to Covered Entity regarding Breach Notification requirements, including timeliness of notifications and requirements for substitute notice. Covered Entity re-educated appropriate workforce members on Breach Notification requirements specified at 45 C.F .R. § § 164.404- 164.408. Covered Entity provided OCR sufficient documentation of the aforementioned re­education.

A lightly redacted copy of OCR’s closing letter is reproduced below this post. I think it reflects OCR’s approach to educating and assisting via enforcement, and that it is a good document to share with medical practices/small groups to show them how OCR applies the standards to small or medium-sized practices. If we want to help more entities mature in their security, we could use more enforcement actions like this one that are then made public so that other small and medium-sized entities can learn from them.

When asked for his reaction to OCR’s actions, the researcher responded,

I am glad OCR investigated this matter and that the covered entity became more educated on HIPAA\HITECH.

I know HHS/OCR has been limited in terms of resources, and that the present environment leans more to deregulation, but these enforcement actions can be a wonderful tool to help more entities understand and comply with regulatory requirements.  I hope to see more of them.

PatientsChoiceLetter_redacted

 

Category: Breach IncidentsCommentaries and AnalysesHealth DataOf NoteU.S.

Post navigation

← Hackers Compromise 30,000 Routers in India – Cryptojacking Report
MedCall Advisors suffers second data leak in less than one month →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.