Change Healthcare and United Health have put out additional information.
I know most clinicians won't but I'm making the decision to give my clients a heads-up right now given:
a) Change Healthcare seems to be offering people who call two years of free credit monitoring, &
b) They say it will take months before they notify anyone what data was actually breached, &
c) Data on a huge percentage of the US population has been breached.
I'm posting a few quotes below with my commentary in red. Those interested should read the articles at the links provided for more.
"Change Healthcare says data stolen by hackers in a February cyberattack likely covers a 'substantial proportion of people in America.'"
It's a huge breach -- almost certainly effects your clients. 1 in 3 patient records nation-wide effected.
"The company set up a website and hotline for more information on the data breach and is offering two years of free credit monitoring and identity theft protection for anyone affected."
"A dedicated call center is available to offer free credit monitoring and identity theft protections for two years to anyone impacted." Call 1-866-262-5342
Given that they are offering credit monitoring in advance of knowing who/what data was breached, I'm guessing they are giving it to anyone who calls. Hopefully.
Even if your clients don't care about medical data being leaked, the data could also be such that thieves could establish credit in client's names. So everyone needs to lock down their credit and monitor from now on.
"Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals."
Don't expect any timely information. Lock your credit down now.
"To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer."
This would seem to imply they will do formal breach notifications for providers. Someday... Tell me more please how to make this happen...
But... see article below...
"Change Healthcare Service Restoration"
They claims their systems are back to 80%+ operational status. Read for details, but really -- what matters is if you have noticed if your claims submissions, EFT, and ERA are working again.
One wonders how vigilant they will be given this story.
"HHS said it has not received a breach notification from UnitedHealth's subsidiary Change Healthcare in the wake of the February cyberattack it suffered." (as of April 19th)
"HHS did say HIPAA-covered entities have at least 60 days to report a breach from the date it was discovered. The Change hack occurred Feb. 21."
"Additionally, HHS said any covered entities that have been affected by the breach must report it if protected health information has been compromised."
Huh. So... United Health seems to be saying they will undertake breach notifications on the part of any provider, but HHS says it is our responsibility. I'm confused.
My non-legal speculative opinion is that this is not yet my problem as I have not been notified of any breach by United Health or Change Healthcare. Right? Won't be so for months.
-- Michael
--
Michael Reeder, LCPC
Hygeia Counseling Services : Baltimore / Mt. Washington Village location http://www.hygeiacounseling.com - main website.
I wonder if.... one could create a Data Use Agreement around one's own personal data. And somewhere within the text include something like "By using my data in any way, you agree to these terms." Then send it to any company you interact with. #privacy#legal#dataprotection
Adobe Magneto: una pericolosa minaccia RCE per i siti di e-commerce
Gli specialisti di Sicurezza Informatica hanno avvertito che gli #hacker stanno già sfruttando una nuova #vulnerabilità in #Magento (CVE-2024-20720) e l'utilizzatore per implementare una #backdoor persistente sui siti di e-commerce.
We need an independent regulator to ensure strong protections and get redress when things go wrong.
But the Data Protection and Digital Information Bill (UK) weakens the role of the Information Commissioner's Office. That’s why we've presented amendments.
EU’s use of Microsoft 365 found to breach data protection rules
An investigation into the European Union’s use of Microsoft 365 has found the Commission breached the bloc’s data protection rules through its use of the cloud-based productivity software.
Heute stellt @ulrichkelber den Datenschutzbericht 2023 vor. Die @Bundesregierung kann sich nicht auf seinen Nachfolger einigen.
Die @fsfe fordert daher gemeinsam mit der digitalen Zivilgesellschaft in einem Offenen Brief:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit muss die Amtsgeschäfte unabhängig von politischer Sanktion wahrnehmen können. Dazu ist ein transparentes Benennungsverfahren nötig.
Together with digital civil society, the @fsfe is therefore calling in an open letter:
The Federal Commissioner for Data Protection and Freedom of Information must be able to carry out official duties independently of political sanction. This requires a transparent appointment procedure.
This report showing car insurance quotes are more expensive in areas of greater mixed ethnicity is further evidence of how algorithms can embed discrimination and carry real-life harms.
🔴 Changes to subject access requests will make it harder to find out what data insurance companies hold on you to challenge a decision or incorrect data.
🔴 Protections from solely automated decisions are weakened.
Lacking in oversight and transparency, the national Prevent database operates in the shadows.
Prevent masquerades as a safeguarding measure while the police exercise security exemptions over data to limit protections in favour continued surveillance of mostly Muslim communities.
The EDPS ("European Data Protection Supervisor") has released an open source tool called "Website Evidence Collector" that will collect evidence of personal data processing, such as cookies, or requests to third parties.
You are in control of the data you share. Full stop.
The #GDPR has put you in control of your personal data, including enshrining consent to its processing and the right to be forgotten.
As of January, the European Data Act will extend your rights to connected products by making it easy to access and move any data generated – whether it's about personal data or not.
On #DataProtectionDay, we ask you: What are the most important advancements for you? 👇
I'm still kinda new to Linux (started using this year 😅) I already made it to my main OS, even if I still missing some things which I used on Windows, anyway. What I wanted to ask you guys, what recommendations do you have for Linux Mint (Cinnamon)? In terms of security, optimization, (a way to make the UI looking modern ;-;) and privacy? I would be very interested in what you do guys to optimize your Linux setup :) I'm pretty technical, so there is nothing which could overwhelm me (probaly).
NYS announces $8 Million Penalty Against Genesis Global Trading, Inc. After DFS Investigation Finds Significant Failings in Anti-Money Laundering and Cybersecurity Programs
Issues of data protection and human dignity of generative AI processing and creations are an important one. My #GDPR complaint about OpenAI's data processing. It concerns input and output, access to information, and technology design.
Context/writeup: https://blog.lukaszolejnik.com/ai-llms-gdpr-complaint-and-human-dignity/
The UK Met Police have announced plans to use facial recognition tech to identify shoplifters – the new boogeyman to legitimise a explosion of biometric surveillance.
At the same time as the #DataGrabBill weakens the regulatory framework by scrapping the position of the Biometrics and Surveillance Camera Commissioner and the Surveillance Camera Code.
Beyond Data: Reclaiming Human Rights at the Dawn of the Metaverse
Why laws focused on data cannot effectively protect people—and how an approach centered on human rights offers the best hope for preserving human dignity and autonomy in a cyberphysical world.
TITLE: Polite Example Letter to a Health-Related Website Endangering Your Privacy
THIS is the letter I wish more people would send to health-related websites and merchants when they observe a privacy problem!
fullscript.com is a service that dispenses non-pharma products to patients (like medical grade supplements) based upon doctor's orders. You have to be referred by a physician to get a patient account. They even have a way of integrating with EHR systems.
They need to get security right.
To: Fullscript Support <support@fullscript.com>
Dear Fullscript Team:
I have always appreciated being able to order from your excellent website.
Your service strives to supply patients with supplements and medicines ordered by doctors. As such, what is ordered can give insight into medical conditions that patients may have.
You may or may not be covered by HIPAA regulations, but I'm sure you will agree that ethically and as a matter of good business practice, Fullscript would want to maintain medical privacy of patients given that medical practices trust you.
This is why I'm concerned with the HIGH level of 3rd party tracking going on throughout your product catalogue. On your login page, the Firefox web browser displays a "gate" icon to let me know that information (I believe my email address) is being shared with Facebook. This is also the case with your order checkout page (see attached screenshot showing Facebook "gate" icon, as well as Privacy Badger and Ghostery plug-in icons in upper right-hand corner blocking multiple outbound data connections).
Privacy Badger is a web browser plugin that detects and warns of or stops (depending upon severity) outbound information from my web browser to 3rd party URLs. Directly below is Privacy Badger's report from your checkout page:
~~~~
Privacy Badger (privacybadger.org) is a browser extension that automatically learns to block invisible trackers. Privacy Badger is made by the Electronic Frontier Foundation, a nonprofit that fights for your rights online.
Privacy Badger blocked 23 potential trackers on us.fullscript.com:
insight.adsrvr.org
js.adsrvr.org
bat.bing.com
static.cloudflareinsights.com
script.crazyegg.com
12179857.fls.doubleclick.net
12322157.fls.doubleclick.net
googleads.g.doubleclick.net
connect.facebook.net
www.google-analytics.com
analytics.google.com
www.google.com
www.googletagmanager.com
fonts.gstatic.com
ad.ipredictive.com
trc.lhmos.com
snap.licdn.com
o927579.ingest.sentry.io
js.stripe.com
m.stripe.network
m.stripe.com
q.stripe.com
r.stripe.com
~~~
Please note that I was able to successfully checkout WITH Privacy Badger blocking protections on, so most of this outbound information was NOT necessary to the operation of your website.
There are several advertising networks and 3rd party data brokers receiving some kind of information.
I am aware that a limited amount of data sharing can be necessary to the operation of a website (sometimes). I am also aware that this all is not malicious -- web development and marketing does not usually talk to the legal department before deploying tools useful to gathering site usage statistics (Crazy Egg and Google Analytics). However, these conversations need to happen.
As for "de-identified" or "anonymized" data -- data brokers collect information across several websites, and so are able to reconstruct patient identities even if you don't transmit what would obviously be PHI (protected health information). As an example, if Google sees the same cookie or pixel tracking across multiple websites and just one of them sends a name, then Google knows my name. If Facebook is sent my email address (as looks to be the case), and I happen to have a Facebook account under that same email address, then Facebook knows who I am -- and can potentially link my purchases with my profile.
The sorts of computing device data that you are collecting and forwarding here may well qualify as PHI. Please see:
Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates
<https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html>
This HHS and OCR guidance includes many 3rd party tracking technologies.
What I would really like to see happen is:
a) A thorough look at what information your website is sending out to what 3rd parties, along with an understanding of how data brokers can combine information tidbits from multiple websites to build profiles.
b) Use of alternative marketing analysis tools that help your business. For example, there are alternatives to Google Analytics that do not share all that data with Google and still give your marketing team the data they need.
c) An examination if you are sharing information about what products patients are clicking on and/or purchasing with 3rd parties. This would be especially problematic. (Crazy Egg tracks client progress through a website, but I'm unclear if they keep the information or just leave it with you.)
d) Use of alternative code libraries that are in-house. For example, web developers frequently utilize fonts.gstatic.com, but you could likely get fonts and other code sets elsewhere or store them in-house.
I appreciate you taking time to read this and working on the privacy concerns of your patients and affiliated medical practices.
Thanks.
~~~~~~
#AI #CollaborativeHumanAISystems #HumanAwareAI #artificialintelligence #psychology #counseling #socialwork #psychotherapy #EHR #medicalnotes #progressnotes @psychotherapist@a.gup.pe @psychotherapists@a.gup.pe @psychology@a.gup.pe @socialpsych@a.gup.pe @socialwork @psychiatry@a.gup.pe #mentalhealth #technology #psychiatry #healthcare #patientportal #HIPAA #dataprotection #infosec @infosec@a.gup.pe #doctors #hospitals #BAA #businessassociateagreement #coveredentities #privacy #HHS #OCR #fullscript
A quick follow-up to this. I eventually got a polite blow-off letter from them about how they strive to value customer privacy or some such. Very little I can do. Have to decide if a complaint to US government about possible HIPAA violations is worth it.
TITLE: Further Adventures in the HIPAA Silliness Zone
This short essay was inspired by a video I watched going over Microsoft legal agreements, the upshot of which is that they can harvest and use ALL of your data and creations (See *1 below in References). This inspires interesting HIPAA questions to say the least:
IF you have a HIPAA agreement with Microsoft, do they actually NOT harvest or use your data? How do they track that across all their applications and operating systems to tell?
Do their HIPAA and regular legal departments even talk to each other?
If you have a HIPAA agreement for your work computers, but then access your data through home computers, are all bets off? (And what sole proprietors don't mix use of computers for both?)
Now I don't really believe that Microsoft is doing all of this. What I THINK is that their lawyers just wrote overly broad legalese to protect them from all situations. Still -- legally it leaves us hanging. I certainly don't know that they are NOT doing it.
Then, I start thinking on some of the other crazy security situations I've encountered the past few years:
-- The multi-billion dollar medical data sales vendor that bought a calendar scheduling system, then wrote a HIPAA BAA agreement in which the PROVIDER has to pay any financial damages and penalties if THEY slip-up and lose data. (*2). Gee, what could go wrong?
-- The new AI progress notes generator service that sends data to 3rd parties including Google Tag Manager, LinkedIn Analytics, Facebook Connect, and Gravatar (*3)
-- The countless data breaches currently hitting hospitals across the USA. (*4)
It's all really quite mind numbing if you are a small healthcare provider or sole practitioner. I suspect 99% of us have just tuned this all out as noise at this point. After all, do we have the time or money to take on the legal departments of multi-billion dollar corporations?
The net results of this will be helpless nonchalance, boredom, and a gradual shifting of liability to US when upon occasion data is actually leaked by our vendors. And, of course, ever more fear and uncertainty in professions already full of it. Oh, and client data flowing through data brokers everywhere.
So what can we do? At first glance, not much. We need to be pressuring our professional associations to take on (or further take on) data security concerns including liability of giant "subcontractors" and insurance companies versus small healthcare providers. We also need to be supporting HHS and Federal government efforts to stop 3rd party trackers, including cookies, web beacons, pixel tracking, etc. from being allowable on systems related to healthcare. (*5) Bonus points if the penalties can apply mainly to larger corporations rather than hitting small provider offices hard.
Thanks,
Michael Reeder LCPC
Baltimore, MD
REFERENCES:
(*1)
The following video walks through the Microsoft Services Agreement and Microsoft Privacy Agreement to explain how Microsoft reserves the rights to use all data that you transmit through their services, or create or store in their apps (including data stored on OneDrive). It also collects information from all the programs used on your Windows machine. (This would seem to mean they can harvest data from your local hard drive, but I'm not sure.)
Microsoft Now Controls All Your Data
[https://m.youtube.com/watch?v=1bxz2KpbNn4&pp=ygUkTWljcm9zb2Z0IG5vdyBjb250cm9scyBhbGwgeW91ciBkYXRh](https://m.youtube.com/watch?v=1bxz2KpbNn4&pp=ygUkTWljcm9zb2Z0IG5vdyBjb250cm9scyBhbGwgeW91ciBkYXRh)
"("Data"), how we use your information, and the legal basis we use to process your Personal Information. The Privacy Statement also describes how Microsoft uses your content, i.e. Your communications with other people; the submissions you send to Microsoft through the Services; and the files, photographs, documents, audio, digital works, live streams, and videos that you upload, store, transmit, create, generate, or share through the Services, or any input you submit to generate content ("Your Content")."
(*2)
Full Slate: Last I checked their HIPAA, privacy, and BAA agreements. Although they reserve the right to change these agreements without notification and just post them to their website, so who knows at this point. <https://www.fullslate.com>
(*3)
Autonotes.ai: In fairness, they claim that no HIPAA data should be input into their system, even though you are writing progress notes. As of 7/30/23 they sent some sort of data to Google Tag Manager, LinkedIn Analytics, Facebook Connect, Gravatar which was severe enough that the Ghostery browser plug-in felt compelled to block or flag the transmissions. I hope they have changed this.
It should be pointed out that services similar to Full Slate and Autonotes claim that data sent to 3rd parties is not PHI and/or necessary to the operation of the service. This all could be true. I find that when Privacy Badger, or Ghostery, or my Pihole DNS server block these 3rd party transmissions that the vast majority of the time services work just fine.
Please also see Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates
<https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html>
This HHS and OCR guidance includes the sorts of 3rd party tracking technologies often referred to as non-PHI, or de-identified. My non-lawyer mind is suspicious that violations could be found at several services.
(*4)
Just take a look at any of the daily headlines on Becker's Hospital Review:
<https://www.beckershospitalreview.com/cybersecurity.html>
(*5)
Hospital associations sue HHS over pixel tracking ban
<https://www.beckershospitalreview.com/healthcare-information-technology/hospital-associations-sue-hhs-over-pixel-tracking-ban.html>
--
#AI #CollaborativeHumanAISystems #HumanAwareAI #artificialintelligence #psychology #counseling #socialwork #psychotherapy #EHR #medicalnotes #progressnotes @psychotherapist@a.gup.pe @psychotherapists@a.gup.pe @psychology@a.gup.pe @socialpsych@a.gup.pe @socialwork@a.gup.pe @psychiatry@a.gup.pe #mentalhealth #technology #psychiatry #healthcare #patientportal #HIPAA #dataprotection #infosec @infosec@a.gup.pe #doctors #hospitals #BAA #businessassociateagreement #Microsoft #coveredentities #privacy #HHS #OCR
I'm always a bit skeptical of presentations from tech company CEOs on
how their product areas are necessary in the mental health field.
That said, this article has a few good points:
/"Umar Nizamani, CEO, International, at NiceDay, emphasised that AI will
inevitably become an essential tool in mental health care: 'I am very
confident AI will not replace therapists – but therapists using AI will
replace therapists not using AI.'"//
/
I am beginning to think this also -- for better or worse. I took a VERY
fast 60 second look at NiceDay and it appears to be another
all-encompassing EHR, but with a strong emphasis on data. Lots of tools
and questionnaires and attractive graphs for therapists to monitor
symptoms. (I need to take a longer look later.) So data-driven could
be very good, if it does not crowd out the human touch.
/"Nizamani said there had been suicides caused by AI, citing the case of
a person in Belgium who died by suicide after downloading an anxiety
app. The individual was anxious about climate change. The app suggested
'if you did not exist' it would help the planet, said Nizamani."//
/
YIKES... So, yes, his point that care in implementation is needed is
critical. I worry at the speed of the gold-rush.
/"He [//Nizamni] //called on the industry to come together to ensure
that mental health systems using AI and data are 'explainable’,
'transparent', and 'accountable'." //
/
This has been my biggest focus so far, coming from an Internet security
background when I was younger.
/"Arden Tomison, CEO and founder of Thalamos"/ spoke on how his company
automates and streamlines complex bureaucracy and paperwork to both
speed patients getting help and extract the useful data from the forms
for clinicians to use. More at: https://www.thalamos.co.uk/
/"Dr Stefano Goria, co-founder and CTO at Thymia, gave an example of
'frontier AI': 'mental health biomarkers' which are 'driving towards
precision medicine' in mental health. Goria said thymia’s biomarkers
(e.g. how someone sounds, or how they appear in a video) could help
clinicians be aware of symptoms and diagnose conditions that are often
missed."//
/
Now THIS is how I'd like to receive my AI augmentation. Give me
improved diagnostic tools rather than replacing me with chatbots or
over-crowding the therapy process with too much automated tool data
collection (some is good). I just want this to remain in the hands of
the solo practitioner rather than being a performance monitor on us by
insurance companies. I want to see empowered clinicians.