CentroMed Cyberattack, HIPAA Compliance Audits are Back, and FTC’s Health Breach Notification Rule

CentroMed Encounters Another Cyberattack

The healthcare provider El Centro Del Barrio, based in San Antonio, TX, and also known as CentroMed, has reported that it suffered a cyberattack. This is CentroMed’s second cyberattack and data breach since last year. CentroMed reported the first data breach in August 2023, after discovering unauthorized access to its network on June 9, 2024. The Karakurt threat group claimed responsibility for the attack and the theft of 42 GB of files, although the group does not appear to have published the data. CentroMed reported the breach to the HHS’ Office for Civil Rights as affecting the protected health information (PHI) of 350,000 individuals.

CentroMed has posted a notice about the latest incident on its website and began sending notification letters to the affected individuals on May 17, 2024. CentroMed stated that unusual activity was detected within its IT systems on May 1, 2024. It took immediate steps to secure its systems and data and launched an investigation to determine the cause of the irregular activity.

The forensic investigation determined that an unidentified third party gained access to its systems on April 30, 2024, and viewed or obtained files containing the PHI of current and former patients. Analysis of the files revealed that they included patient names, birth dates, addresses, Social Security numbers, financial account details, medical insurance data, medical record numbers, diagnosis and treatment information, and claims details.

The notification letters sent by CentroMed instructed affected patients to review their statements and to report to their healthcare provider any services listed that they did not receive. Patients were also advised to monitor their financial accounts for irregular activity. The notification letters did not mention any offer of free credit monitoring or identity theft protection services.

CentroMed stated that it has implemented additional safety and technical security measures to further protect and monitor its systems. The data breach has not yet been posted on the OCR breach portal or the Texas Attorney General’s website, so the number of people affected is currently unknown.

HIPAA Compliance Audits Beginning in 2024

OCR Director Melanie Fontes Rainer has announced that OCR’s HIPAA audit program will resume, with audits taking place at some point in 2024. At the beginning of this year, OCR asked the HIPAA-covered entities audited in the previous round of HIPAA audits, held in 2016/2017, to provide feedback via a questionnaire to help improve OCR’s audit process. OCR is now finalizing the new audit process, and Fontes Rainer stated that OCR will conduct proactive audits in 2024 focused on HIPAA Security Rule compliance. In 2023, OCR launched an enforcement initiative focused on the risk analysis provision of the HIPAA Security Rule, because inadequate risk analysis is frequently identified in OCR’s data breach investigations and is a major contributing factor in data breaches. Risk analysis and risk management practices will be examined in the upcoming 2024 HIPAA audits.

FTC Releases Most Recent Update on Health Breach Notification Rule

HIPAA-regulated entities must comply with the HIPAA Breach Notification Rule and must issue notifications in the event of a data breach. Health data breaches at entities not covered by HIPAA may require notifications under the Federal Trade Commission’s (FTC) Health Breach Notification Rule. The FTC saw a need to update its Health Breach Notification Rule because of the growing number of organizations collecting health information. On April 26, 2024, the FTC published a final rule updating the Health Breach Notification Rule, which includes new definitions and clarifications. The definitions were expanded to cover health applications and other technologies not protected by HIPAA. As with the HIPAA Breach Notification Rule, breach notification letters must be sent without unreasonable delay and no later than 60 days after the discovery of a data breach.