Breaking Compliance News Blog

Scott Gima

Recent Posts

Healthcare Provider Ransomware Risk is Elevated – What Do We Do???

Posted by Scott Gima on 11/5/20 10:00 AM

On October 28, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) that provided a warning of imminent ransomware attacks to U.S. hospitals and healthcare providers.

This advisory provides technical information on the methods used by the hackers so healthcare providers can better protect themselves. In particular, the advisory mentioned the hackers’ use of Ryuk and Conti ransomware.

Leading up to this advisory, Universal Health Services was a recent target of a ransomware attack in late September. UHS is a large health care provider with 26 hospitals in the U.S., Puerto Rico and the U.K. It is believed that the Ryuk ransomware was used in the attack.

I don’t know about you, but for me, a non-IT person, the technical details are way over my head. However, the user awareness best practices are relevant to anybody who uses a workstation or laptop. Here are the user awareness best practices found in the advisory (direct quote):

Read More

Topics: HIPAA, data breach, security, compliance

Protect your organization from skyrocketing COVID cyber scams

Posted by Scott Gima on 4/30/20 11:00 AM

Google’s Threat Analysis Group (TAG) is responsible for identifying online vulnerabilities and threats. The Group released a report on April 22, 2020 that describes their latest information on COVID-19 related threats. This report provides a timely reminder that cybersecurity concerns continue and everyone must remain cautious and vigilant with their email accounts.

COVID-19 Themed Attacks

In April, Google has detected 18 million COVID-19 related malware and phishing Gmail messages per day and more than 240 million COVID-related daily spam messages. If you use Gmail, 99.9% of these messages never reach your inbox. The TAG has found that these attacks are government sponsored. They have identified over a dozen government-backed attacker groups using COVID-19 related topics.

Type of Attacks

The attack tools are no different from what has been used in the past; phishing emails that lure you to click malicious links or download files that contain malware. Google provided the following examples:

Free meals and coupons in response to COVID-19.

Links to malicious websites disguised as online ordering and delivery options, where the recipient is asked to provide their Google account credentials.

Emails that impersonate the World Health Organization:

Emails luring users who may be working from home:

Stimulus package theme:

Best Practices Reminder

These types of attacks are not limited to Gmail and everyone must be vigilant with all email accounts, work and personal. For all your accounts, users should:

  • Never download file attachments - or, verify an email attachment with the recipient by voice or text before downloading – this is an old-fashioned version of two-factor authentication.
  • Don’t click on an email link. An alternative safe option is to go directly to the web-page or google the target described in the link. For example, if it is an email from your bank that could be legitimate, open a new browser page and type in the website or search for the website.
  • If possible, use or activate two-factor authentication.

MPA can help with your HIPAA Security Risk Analysis - contact me today to learn more.

Read More

Topics: HIPAA, security, COVID-19

Breaking News: First social media HIPAA settlement!

Posted by Scott Gima on 10/8/19 7:15 AM


Whenever a settlement agreement is announced, the OCR is sending a message to all providers. On October 2nd, The OCR announced a $10,000 settlement agreement with Elite Dental Associates in Dallas Texas. At first glance, it is easy to overlook this settlement; $10,000 does not seem to be a big deal when there are other cases with fines in the millions of dollars. For example, Anthem paid a record $16 million following the PHI breach of close to 79 million people; the largest health data breach in history. So what is the big deal? Or more importantly, what are the lessons to be learned from this breach? There are several.

Read More

Topics: HIPAA, Social Media

Not-for-profit provider hit with ransomware twice in four months

Posted by Scott Gima on 8/28/19 6:35 AM

A not-for-profit community health center that provides health care for low-income and uninsured patients experienced two ransomware attacks in a four-month period. 


The first attack shut down computers for three weeks while the center rebuilt its systems from backups, and did not pay the ransom. This approach is consistent with industry advice for two reasons. First, there is no guarantee that the data will be reinstated after ransom is paid. Second, paying ransom encourages future ransomware attacks.

The second attack likewise locked the center out of its medical records.

Read More

Topics: HIPAA, data breach, security

The Threat of Nation-State Sponsored Cyber Attacks

Posted by Scott Gima on 7/31/18 7:13 AM


The public continues to be bombarded by the media coverage and debate of President Trump’s support or non-support of the U.S. intelligence agencies’ position on Russia. What has taken a backseat is the substance and urgency of a possible cyber-attack. The purpose of this blog is to discuss the threats and its relevance to covered entities and business associates.

On Friday, July 13, 2018, Dan Coats, the director of National Intelligence spoke at the Hudson Institute and discussed the current national security threats against the US. He equated the current risk of a cyber-attack to terrorist attack threats prior to September 11, 2001. The following are a few quotes from his speech:

     In 2001, our vulnerability was heightened…At the time, intelligence and law enforcement communities               were identifying alarming activities that suggested that an attack was potentially coming to the United                 States. It was in the months prior to September 2001 when, according to then CIA Director George Tenet,         the system was blinking red. And here we are nearly two decades later, and I'm here to say the warning             lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack.

     Every day, foreign actors — the worst offenders being Russia, China, Iran and North Korea — are                     penetrating our digital infrastructure and conducting a range of cyber intrusions and attacks against targets       in the United States. The targets range from U.S. businesses to the federal government (including our               military), to state and local governments, to academic and financial institutions and elements of our critical         infrastructure — just to name a few.

     All of these disparate efforts share a common purpose: to exploit America's openness in order to undermine       our long-term competitive advantage.

Threat to Healthcare Providers?

Mr. Coats never mentions healthcare providers. So does this mean there is nothing to worry about? Probably not.

Back in January, the Washington Post reported about NotPetya, a 2017 a Russia-sponsored cyber-attack against Ukraine, designed to disrupt their financial system. The ransomware wiped computer data from banks, energy firms, and senior government officials. While 50% of affected computer systems were located in the Ukraine, the attack spread across the globe and affected systems in Denmark, India and the United States. Half of the victims were unintended targets of the attack.

If government-sponsored cyber-attacks are imminent, the NotPetya attack reminds us that another attack can easily result in collateral damage against unintended victims. Healthcare providers could easily become collateral damage, especially those who have not adequately prepared for a ransomware attack. In the healthcare context, that collateral damage can include costly HIPAA Breaches, and, more alarmingly, patient harm due to lack of utilities and electronic medical records.

Mr. Coats’ “red-flag” warning makes clear that cyber-security measures must be in place. The OCR recommends the following preventative security measures as part of HIPAA compliance:

  • Complete a security management process, which includes a risk analysis and implementing security measures to mitigate or remediate those identified risks
  • Implementing policies and procedures to guard against and detect malicious software
  • User training so staff can assist in detecting and report attacks
  • Implementing access controls to limit access to ePHI to only persons or software programs requiring access.


HIPAA on a budget:  Get HIPAA compliant with MPA's  HIPAA Tool Kit

Read More

Topics: HIPAA, data breach, security

Improper Sharing of Medical Files Results in a Criminal Violation of HIPAA

Posted by Scott Gima on 5/15/18 7:00 AM

On April 30, 2018, the U.S. Attorney’s Office in the District of Massachusetts reported the criminal conviction of Rita Luthra, M.D., a Springfield, Massachusetts gynecologist for one count of violation of the HIPAA Act and one count of obstruction of a criminal health care investigation. Sentencing has yet to be scheduled. The HIPAA criminal charges stemmed from the allegation that Dr. Luthra allowed a Warner Chilcott pharmaceutical sales representative to access her patients’ medical files.

October of 2015, Warner Chilcott entered a false claims settlement with the federal government.  Warner Chilcott agreed to pay $125 million to resolve its criminal and False Claims Act allegations related to the company’s drug marketing campaign. Warner Chilcott was charged with paying kickbacks to physicians to induce them to prescribe its drugs, and manipulating prior authorizations to get insurers to cover the drugs they would not normally cover.

Dr. Luthra was receiving “numerous” denials for a Warner Chilcott osteoporosis medication unless there was a prior authorization. To expedite the prior authorization process, the Warner Chilcott sales representative was given access to Dr. Luthra’s medical records in order to prepare the prior authorizations that would then be signed by Dr. Luthra.

Criminal convictions as a result of a HIPAA violation do happen occasionally. In addition to OCR fines and penalties, criminal charges and convictions can occur when covered entities “knowingly” obtain or disclose protected health information in violation of HIPAA. MPA recommends including examples of both civil and criminal HIPAA violations and penalties in your HIPAA training program.

HIPAA on a budget:  Get HIPAA compliant with MPA's  HIPAA Tool Kit

Read More

Topics: HIPAA, Kickbacks and Referrals

Is your EHR ready for ransomware?

Posted by Scott Gima on 2/28/18 7:02 AM

In January 2018, EHR vendor Allscripts was a target of a ransomware attack that took down several of its applications, including its EHR and patient management/scheduling systems. FierceHealthcare reported the following notice from Allscripts: “While we cannot guarantee that the hosted Professional suite and hosted Allscripts PM service will be fully restored to all clients on Monday, Jan. 22, we do currently expect to return meaningful service to the majority of clients over the next 12-24 hours."

For example, a medical group was unable to use Allscripts’ e-prescribing system after the ransomware attack. Others could not access their EHR.

The use of cloud-based applications has increased providers’ reliance on EHR vendor security measures. A detailed contract that states standards for EHR data protection is a start. But it only provides the ability to seek legal and financial remedies if the EHR vendor fails to meet its contractual obligations. It does nothing to guarantee uninterrupted access to your data.

A copy of your EHR data that is saved to an on-site computer is the only way to ensure access. A mirror backup provides an exact copy of the data. The technology allows updates to the mirror backup every 15 minutes. When selecting an EHR vendor, the availability of a mirror backup must be a key selection criteria. A local copy of the EHR application is also needed. Without it, the data is useless.

Read More

Topics: HIPAA, records, data breach

U.S. vs Epic Software – Lessons for EMR Users

Posted by Scott Gima on 11/14/17 7:00 AM

A whistleblower False Claims case against Epic Software Corp. (ESC or Epic) was made public on November 2, 2017. The complaint was originally filed in January of 2015, and states that Epic was overbilling Medicare for anesthesia services.

As of January 1, 2012, base units should not be billed to Medicare – only the physician’s time is submitted by the provider. The lawsuit alleges that Epic’s billing software has a default setting that charges both 1) base units for anesthesia provided for a procedure; and 2) the time of the procedure. As a result, payors are overbilled.

The whistleblower filed a lawsuit after attempts to get Epic to change the software were met with resistance.

Why Are the Hospitals Being Sued?

The breadth of this False Claims complaint is immense. In addition to Epic Systems, the defendants in this case include customers of Epic Systems, which number more than 280. The complaint states: “it is probable that most of ESC’s software customers (ie, the other listed Defendants) are using ESC’s Epic billing software as written.” These customers may have been submitting false claims” by not recognizing and correcting billing errors caused by flawed billing software. The DOJ is sending a clear message that providers are accountable and liable for overbilling errors that are caused by billing software.

Read More

Topics: HIPAA

Prevent “Worthless Services” With a QAPI Checklist

Posted by Scott Gima on 11/7/17 7:02 AM

In October, Health Services Management, Inc., the parent company for Huntsville Health Care Center, agreed to pay the U.S. government $5 million to resolve a whistleblower lawsuit that included allegations that the company billed Medicare and Medicaid for “worthless services” and services that were not provided. The settlement includes an agreement to enter a Corporate Integrity Agreement with the OIG. The whistleblower was an employee of the facility who claimed she witnessed patient physical and verbal abuse and neglect, inadequate care, and the absence of basic services including food and water.

The common response to this settlement is “This can’t happen in our building!!!” But how is it prevented? With a strong QAPI program.

Read More

Topics: Quality Assurance

Outdoor Engine Power Equipment Company Reports HIPAA Breach – Could this happen to you?

Posted by Scott Gima on 11/1/17 7:03 AM

Briggs and Stratton is not a healthcare provider – they make gasoline engines for lawn and outdoor power equipment. Yet, on September 29, 2017, the company notified OCR of a breach of unsecured protected health information (PHI). According to the OCR Breach Portal, the breach affected 12,789 individuals as a result of a hacking/IT incident affecting desktop computers, laptops, and network server(s).


Briggs and Stratton is not a health care provider or a business associate under HIPAA. But, it offers an employer-sponsored health plan – which makes it a HIPAA covered entity. This is a reminder that any employer that provides health insurance may need to be HIPAA compliant if PHI is shared with the employer. This includes employers who are self-insured or provide health insurance through a group health plan. Simply put, an employer that handles PHI could be a covered entity that needs to be in 100% compliance with HIPAA’s privacy, security and breach notification requirements.

Read More

Topics: HIPAA

    Privacy Policy           Terms of Use