Health IT Roundup—UCLA Health reaches $7.5M settlement over 2015 data breach

UCLA Health reaches $7.5M settlement over 2015 data breach

UCLA Health reached a proposed settlement for a class action lawsuit stemming from a massive data breach in May 2015 that impacted 4.5 million patients.

The settlement will provide $2 million to reimburse current or former patients who incurred costs seeking to protect against or remedy identity theft and $5.5 million for a cybersecurity enhancement fund. UCLA Health also will provide all settlement class members two years of free credit monitoring, identity theft protection, and insurance coverage, according to a press release.

Under the proposed settlement, UCLA Health admits no wrongdoing. UCLA Health maintains that it was not liable for the cyber attack and that, following an extensive investigation, there continues to be no evidence that the cyber attackers actually accessed or acquired personal or medical information, organization officials said. (Press release)

Most healthcare apps share user data, with little transparency: study

In a study, researchers found that 79% of health-related smartphone apps shared user data with third parties, and 67% of those third-party companies provide services related to analysis of user data or advertising.

The study, published in the British Medical Journal, found that some third-party companies advertised the ability to share user data with 216 “fourth parties.” The sharing of user data is routine, yet far from transparent, the researchers wrote. “Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent,” the researchers said.

The study authors also said privacy regulation should emphasize the accountabilities of those who control and process user data. “Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom,” the researchers said. (Study)

Hospital employees susceptible to phishing emails: study

Hospital employees are vulnerable to phishing emails, according to a recent study that found that 1 in 7 simulated phishing emails sent were clicked on by hospital employees.

For the study, which was published in JAMA Network Open, more than 2.9 million simulated emails were sent to employees at six hospitals with the phishing simulations running from August 2011 through April 2018. Click rates in phishing simulations at hospitals indicate a major cybersecurity risk, according to the study, with a median click rate of 16.7%.

Phishing is an easily deployable attack strategy, largely because email is an easy access point to hospital employees, many of whom have credentials for several internal information systems, such as electronic health records, according to the study authors. It only takes one successful phishing email, sent to one user, to shut down a critical system, potentially disrupting care across an entire organization.

The study authors recommend hospitals use technology to filter out phishing emails and require multifactor authentication to make credentials less useful even if they are obtained. Hospitals also need to foster employee awareness and training, and simulating phishing campaigns is an important component of reducing risk, the study authors said. (Study)

Cambia, OHSU and MultiCare Connected Care team up to improve data sharing using FHIR

Cambia Health Solutions is partnering with Oregon Health and Science University and MultiCare Connected Care to streamline health data exchange through the use of HL7 Fast Healthcare Interoperability Resources (FHIR).

The partnerships are part of the Da Vinci Project, a private-sector initiative that is leveraging FHIR to improve data sharing in value-based care arrangements. The project membership consists of 37 organizations, including payers, providers, and health IT vendors.

Cambia is working with MultiCare Connected Care, a Washington State accountable care organization, to streamline the medication reconciliation process and deliver information directly from and to the electronic health record (EHR). The company is working with OHSU to advance FHIR-based workflows to allow providers to easily request and receive information on prior authorizations with the goal of increasing efficiency, reducing administrative burden and improving timely access to care. (Press release)