Thursday, October 10, 2019

DHHS Reports That Majority Of Data Breaches Expose Non-Health-Related Data

By: Marcus J. Hopkins, Policy Consultant

The U.S. Department of Health and Human Services released on September 23rd, 2019, a report in the Annals of Internal Medicine that found that the majority of information accessed in the over 1,500 protected health information (PHI) breaches reported over the last decade has been sensitive demographic information (e.g. – driver’s license number and Social Security Numbers – SSNs) and financial information including billing and payment information (Hlavinka, 2019). Only 2% of data breaches were found to expose sensitive medical information, such has HIV status, cancer diagnoses, or substance abuse, but 65% of these breaches exposed general medical or clinical information (Hlavinka).

According to the findings, over half of data breaches reported to HHS could be attributed to healthcare providers’ personal mistakes or negligence. This could include anything from failing to encrypt laptops, to using “CC” instead of “BCC” when E-mailing patients (Hlavinka).

Data Privacy Breach
Photo Source: evidencesolutions.com

HHS proposed regulatory, in March 2019, that would modernize the way that health information is shared by implementing certain provisions of the 21st Century Cures Act, including increasing the amount of data that is entered and shared electronically. The fundamental tradeoff of this modernization, however, is that health data will naturally become more susceptible to exposure. This last point is increasingly concerning considering the recent increase in so-called “Ransomware” cyber-attacks against public computer systems. Campbell County Health in Gillette, Wyoming, was hit, this month, with one such cyber-attack affecting all 1,500 of the systems computers, including the E-mail server, which resulted in the CCH having to divert patients from ERs starting on September 20th, 2019, as well as cancelling many exams, procedures, and new patient admissions (Landi, 2019).

Healthcare systems remain one of the largest targets of hackers, and while ransomware attacks, themselves, do not access private information, instead denying access to information, the potential exists for hackers to jump from denying access to exposing sensitive data if ransoms are not paid.

These data presented by HHS come on the heels of a recent settlement announcement in the state of Ohio between state AIDS Drug Assistance Program (ADAP) clients and CVS Health, the company contracted to provide prescription drug benefits, after a CVS mailer to OHDAP (Ohio’s ADAP program) clients in an envelope that clearly announced clients’ HIV status (Hopkins, 2017). In our August 2017 coverage of this issue, one of the plaintiffs, Eddie Hamilton, head of the ADAP Educational Initiative, shared with us the envelope he received (unredacted) which clearly listed his ID number as: “PM 6402 HIV”.

“In our case, CVS used our Ryan White CAREWare numbers as their subscriber numbers,” Hamilton told me. “It has our birthdates embedded in that URN (Unique Record Number), which is not HIPAA compliant. So, not only was our HIV status on the mailer, but our names, addresses, and birthdates all visible to anyone who looked at the envelope. I do not think that the Health Resources and Services Administration (HRSA) is even aware that those numbers are being used for public consumption.”

The CVS settlement, which has yet to receive approval from a judge, agrees to pay out $4.4 million to settle the class-action lawsuit filed in June 2018 by the roughly 4,500 patients impacted. Under the settlement, each recipient of the mailer would receive a minimum of $400, those who can show they suffered non-financial harm can get as much as $2,500, and those who can prove they suffered financial harm can receive up to $10,000. The lawyers representing the plaintiffs may receive up to $1.46 million – over a third of the overall reward (Anderson, 2019).

CVS Pharmacy
Photo Source: UpGuard

The agreement language, itself, include some troubling clauses, such as clause 10.19 which reads:
"10.19 Non-Disparagement. The Parties and their counsel agree that neither the fact that Caremark entered into this Settlement Agreement nor its terms shall at any time, directly or indirectly, be used to disparage Caremark’s administration of OhDAP. For purposes of this Section, the term “disparage” shall mean to make comments or statements that would adversely affect the business or professional reputation of Caremark. Nothing in this Paragraph or any other Paragraph of the Agreement, precludes the Parties or their Counsel from (a) referring to public information about the above-captioned litigation, Settlement, or other publicly available documents; (b) responding to any subpoena, legal process or request for information from any governmental authority; (c) testifying truthfully under oath pursuant to any lawful court order or subpoena; or (d) pursuing any legal right they may have against each other. Nothing in this paragraph or any other paragraph of this Agreement precludes Counsel for Plaintiffs from making statements regarding signatories to this Agreement in the context of pursuing a claim or lawsuit. Nothing in this paragraph or any other paragraph of the Agreement shall be construed to restrict the right to practice in violation of applicable Rules of Professional Conduct."
Non-Disparagement clauses are frequently used as tools to prevent those who agree to settle from going public with their personal stories, particularly in the event that they come to feel that the amount they received in the settlement is not sufficient to cover their injury.

In addition to the Non-Disparagement clause, the settlement includes no admission of guilt – a common practice in settlement agreements. This, to my way of thinking, is unconscionable. CVS’ negligence in this matter had the potential to result in long-lasting impacts, both personally and financially, for those whose statuses were exposed in their mailers. That no party involved in the decision to use “HIV” in the member ID numbers – not OHDAP, not the Ohio Department of Health, and certainly not CVS Caremark – is willing to admit to wrongdoing despite clearly having done wrong is worthy of disparagement.

The reality of living in the 21st Century is that, the further along we go, the more information about us is going to be accessible to others. Data breaches have always occurred and oftentimes, it can be the result of a simple mistake. The question then becomes, “How much security are we willing to sacrifice in the name of expedience?”

Personally, because I’m very vocal and open about my status and personally invite any hacker to try to use my SSN to gain access to credit (best of luck, suckers! The joke’s on you [Marcus goes to cry over his poor credit rating]), as well as the fact that I have a tendency to relocate pretty frequently, I prefer the ease of data mobility. Others, however, are not so open, and for them, the risk of exposure – while, according to the HHS data, is slim – presents a far more daunting choice.

References:
  • Anderson, Maia. (2019, September 13). CVS to pay $4.4M settlement over inadvertent HIV disclosure of 4,500 patients. Chicago, IL: Becker’s Healthcare: Becker’s Hospital Review: Pharmacy. Retrieved from: https://www.beckershospitalreview.com/pharmacy/cvs-to-pay-4-4m-settlement-over-inadvertent-hiv-disclosure-of-6-000-patients.html
  • Hlavinka, E. (2019, September 23). Health Data Breaches Give Up SSN, Not HIV Status - Just 2% involved sensitive medical information. New York, NY: MedPage Today, LLC: MedPage Today: Public Health & Policy: Practice Management. Retrieved from: https://www.medpagetoday.com/publichealthpolicy/practicemanagement/82332
  • Hopkins, M.J. (2017, August 28). HIPAA: Healthcare mailers violate privacy rights of people living with HIV. Washington, DC: Community Access National Network: HEAL Blog. Retrieved from: https://communityaccessnationalnetwork.wordpress.com/2017/08/28/1498/
  • Landi, H. (2019, September 23). Wyoming health system hit with ransomware attack, diverts ER patients and cancels services. Framingham, MA: Questex, LLC: Fierce Healthcare: Tech. Retrieved from: https://www.fiercehealthcare.com/tech/campbell-county-health-wyoming-hit-ransomware-attack-diverts-er-patients




Disclaimer: Guest blogs do not necessarily reflect the views of the ADAP Advocacy Association, but rather they provide a neutral platform whereby the author serves to promote open, honest discussion about public health-related issues and updates.

No comments: