Showing posts with label privacy. Show all posts

Monday, May 13, 2024

Health-care industry is most at risk from cyberattack, study says

Health care is increasingly more at risk of cyberattacks than other industries, according to a recent study by Soax, a data-collection platform, reports Cara Smith of Inside Health Policy.

As cyberattacks against Change Healthcare and Ascension, a 19-state hospital system, "disrupted the health-care industry, lawmakers, doctors, payers and other stakeholders are scrambling to prevent future cyberbreaches to protect the health-care system," Smith reports.

"The health-care industry is the most vulnerable sector, topping the ranking with 809 data-violation cases in 2023. This is a staggering surge in incidents from the prior year, with cases totaling 343 in 2022 -- a 136% increase, the study found. Further data revealed that these cases affected 56 million victims."

For the study, Soax used data from the Identity Theft Resource Center, and it says "the health-care industry should be on high alert," Smith reports.

Wednesday, December 13, 2023

If subpoenaed, pharmacy chains hand over customers' private medical information; lawmakers say warrants should be required

ECommerce360 graphic; other chains are involved.
"The nation’s largest pharmacy chains have handed over Americans’ prescription records to police and government investigators without a warrant, a congressional investigation found, raising concerns about threats to medical privacy," reports Drew Harwell of The Washington Post. "Though some of the chains require their lawyers to review law enforcement requests, three of the largest — CVS Health, Kroger and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers’ medical records in the store."

Sen. Ron Wyden of Oregon and Reps. Pramila Jayapal of Washington and Sara Jacobs of California, all Democrats, revealed the policy in a letter Monday to Health and Human Services Secretary Xavier Becerra. They investigated the practice "after the Supreme Court’s decision last year in Dobbs v. Jackson Women’s Health Organization ended the constitutional right to abortion," Harwell reports. In Kentucky, the legislature has banned abortion except to save the woman's life or prevent serious impairment of a life-sustaining organ.

"Pharmacies’ records hold some of the most intimate details of their customers’ personal lives, including years-old medical conditions and the prescriptions they take for mental health and birth control," Harwell notes. "Because the chains often share records across all locations, a pharmacy in one state can access a person’s medical history from states with more-restrictive laws. Carly Zubrzycki, an associate professor at the University of Connecticut law school, wrote last year that this could link a person’s out-of-state medical care via a 'digital trail' back to their home state."

Officials with eight large pharmacy chains — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena from law enforcement, not a warrant issued by a judge, to share the records. The lawmakers said employees face “extreme pressure to immediately respond.” Harwell notes, "To obtain a warrant, law enforcement must convince a judge that the information is vital to investigate a crime."

The senators and representatives asked Becerra to strengthen HIPAA’s rules and make pharmacies insist on a warrant, noting that the tech industry did likewise a decade ago.

The companies told the investigators that they get "tens of thousands of legal demands every year, and that most were in connection with civil lawsuits," Harwell reports. "It’s unclear how many were related to law enforcement demands, or how many requests were fulfilled. Only one of the companies, Amazon, said it notified customers when law enforcement demanded its pharmacy records unless there was a legal prohibition, such as a gag order, preventing it from doing so, the lawmakers said."

The Health Insurance Portability and Accountability Act allows Americans to ask drug companies if they’ve disclosed their information, "but very few people do," Harwell reports. "CVS, which has more than 40,000 pharmacists and 10,000 stores in the United States, said it received a 'single-digit number' of such consumer requests last year."

CVS, the largest pharmacy chain by prescription revenue, told Harwell that most subpoenas include a directive that the information remain confidential, and if it does not, the company considers “on a case-by-case basis whether it’s appropriate to notify the individual.”

"A Walgreens spokesman said the company’s law enforcement process follows HIPAA and other applicable laws," Harwell reports. "A Walmart spokeswoman said the company takes its 'customers’ privacy seriously as well as our obligation to law enforcement.' An Amazon spokeswoman said that the company cooperates with law enforcement requests as required. . . . Rite Aid declined to comment. The other companies did not respond to requests for comment."

Carmel Shachar, a Harvard Law School professor who studies health law and policy, said pharmacies have a “ton of sensitive data” and pharmacists are likely not trained to "evaluate the merits or validity of a police request — or to turn an officer down," as Harwell put it. Shachar said, “These need to go to someone who understands privacy law for review. [It] probably feels very nerve-racking to get a subpoena and tell the person who gave it to you, ‘Oh, you’ll have to wait.’”

Harwell writes, "The pharmacy data could be especially concerning for the nearly one in three women ages 15 to 44 who a Post analysis found live in states where abortion is fully or mostly banned," including Kentucky. "In Texas, Attorney General Ken Paxton has warned pharmacies they could face criminal charges for providing women with 'abortion-inducing drugs'," which are used for most abortions in the U.S.

Thursday, July 20, 2023

Cameron, other GOP AGs challenge Biden rule that would block access to medical records of women leaving state for abortions

By Melissa Patrick
Kentucky Health News

Attorney General Daniel Cameron joined fellow Republican attorneys general in opposing a proposed federal privacy rule to shield the medical records of patients who get reproductive health care services, such as abortions, in other states.

The June 16 letter that Cameron co-signed with 18 other attorneys general to the U.S. Department of Health and Human Services argues that the agency's proposed rule would upset the framework that safeguards the privacy of individual health information while permitting disclosure of information to state authorities to protect public health, safety and welfare. 

Under the proposed rule, states that have banned abortions would not be able to collect personal health information about these services from other states for investigations, lawsuits or criminal charges. This would “unlawfully interfere with states’ authority to enforce their laws and does not serve any legitimate need," says the letter.

Kentucky has no law forbidding women from going to other states to get abortions.

The proposed privacy rule would prevent states from obtaining private medical information “for a criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care … outside of the state where the investigation or proceeding is authorized” and “is lawful in the state where it is provided.”

HHS defines "reproductive health care" broadly in the proposed rule and says it is inclusive of all types of health care related to an individual's reproductive system. These would include, but not be limited to, pregnancy, contraception, fertility, prenatal care, miscarriage management and abortion.  

The AGs' letter says the broad definition of reproductive health care includes “health care related to reproductive organs, regardless of whether the health care is related to an individual’s pregnancy or whether the individual is of reproductive age.”

This, they argue, may allow the Biden administration "to advance radical transgender-policy goals" and "obstruct state laws concerning experimental gender-transition procedures for minors (such as puberty blockers, hormone therapy, and surgical interventions).”

Cameron said in a news release that the federal health-privacy law, the Health Insurance Portability and Accountability Act, or HIPAA, balances privacy and public-interest concerns by allowing disclosure of certain information to law enforcement. Cameron says the proposed rule would interfere with this.

Cameron writes, "HHS’s proposed rule exceeds the department’s legal authority. HIPAA authorizes HHS to set standards for protecting privacy in 'health information.' But HIPAA does not empower HHS to shield from authorities evidence of legal wrongdoing based on a claimed connection to 'reproductive health care.' The administration’s claims to the contrary could incentivize health-care providers to break state laws on everything from protecting unborn life to gender-altering surgeries."

The AGs' letter says the proposed rule would "curtail the ability of state officials to obtain evidence of potential violations of state laws." 

Kentucky has two laws that largely ban abortion in the state. One bans abortion except to save the mother's life and another bans abortions after six weeks of pregnancy, when many women are still not aware that they are pregnant. These laws have forced women who want or need an abortion to get one in states where it is still legal.

This year, the General Assembly passed a law to ban gender-affirming medical care for transgender youth, which took effect last week when an injunction to block it was stayed, pending a future court ruling. This also creates a situation where families will likely seek care out of state.  

The same day Cameron and other Republican AGs sent their letter, all 23 Democratic state attorneys general submitted a letter supporting the rule, with suggestions for how to make it stronger. "Given this rapidly changing backdrop of extreme legal risks and increasing uncertainty, it is critical that additional guardrails be added to the privacy rule to protect against the disclosure of reproductive health information,” they wrote.

In a prepared statement, Angela Cooper of the American Civil Liberties Union of Kentucky called the attorney general's opposition to the proposed rule “another in a long line of actions indicating Daniel Cameron's unwillingness to stay out of Kentuckians’ private medical decisions. . . . The government has no place inserting themselves between families and their doctors, whether the issue is reproductive care or medically necessary care for transgender youth."

The letter in opposition to the proposed rule was led by Mississippi Attorney General Lynn Fitch and includes attorneys general from Mississippi, Alabama, Alaska, Arkansas, Georgia, Idaho, Indiana, Louisiana, Missouri, Montana, Nebraska, North Dakota, Ohio, South Carolina, South Dakota, Tennessee, Texas, and Utah.

Thursday, April 13, 2023

Catholic Health Initiatives hospitals in Kentucky suffer data breach, say 'no evidence that this information has been misused'

By Melissa Patrick
Kentucky Health News

Kentucky is one of 13 states with hospitals that have been affected by a ransomware attack on the CommonSpirit health-care system, which is the parent organization of Catholic Health Initiatives in Kentucky. 

Mary Branham, spokesperson for CHI Saint Joseph Health, said in an email that it started the notification process about this data breach in December, even as the review of the files was ongoing. 

"We have completed the review and identified additional current and past CommonSpirit locations associated with the data," Branham wrote. "Beginning in April 2023, we issued our last anticipated notification to potentially impacted individuals." 

According to an April 6 CommonSpirit update, these Kentucky facilities were included in the ransomware event:  Flaget Memorial Hospital, Bardstown; Saint Joseph Hospital, Lexington, Nicholasville; Saint Joseph Health Community Pharmacy, Lexington; Saint Joseph Berea; Saint Joseph East, Lexington; Saint Joseph London; Saint Joseph Mount Sterling; Saint Joseph Mount Sterling Outpatient Rehab; Saint Joseph Mount Sterling Outpatient Rehab, Flemingsburg; Continuing Care Hospital, Lexington; and CHI Saint Joseph Medical Groups in Central and Eastern Kentucky, as well as Jewish Hospital in Louisville and Saint Joseph Martin in Floyd County, which were formerly part of CHI. 

CommonSpirit, which has more than 1,000 care sites and 140 hospitals in 21 states, said the ransomware attack was detected Oct. 2 and an investigation determined an unauthorized third party gained access to the network between Sept. 16 and Oct. 3. The party obtained copies of some data, including two file-share servers containing information on individuals going back several years. 

Information in those files included "demographics such as name, address, date of birth, phone number(s), email address, as well as medical information such as dates of service, medical record number, health-care provider’s name, diagnosis/treatment information, medical billing/claims information, patient’s facility associated account/encounter number, and health insurance information," the update said. "For a small number of individuals, Social Security number was also involved."

Branham said, "We immediately took steps to secure the network, which included proactively taking certain systems offline, and began an extensive investigation with the assistance of leading external cybersecurity specialists and law enforcement. . . . We have no evidence that this information has been misused."

That said, the CommonSpirit update advises ongoing caution: “Though CommonSpirit has no evidence that the information has been misused as a result of this event, it is always prudent to review health care statements for accuracy and report any services or charges that were not incurred to the provider or insurance carrier.”

According to CommonSpirit’s most recent quarterly financial statement, the data breach cost the organization about $150 million, which includes lost revenues from the interruption to business and costs to remedy the issue, Modern Healthcare reports. It also reports that the U.S. Department of Health & Human Services Office for Civil Rights reported that more than 623,700 people were affected.

Saturday, March 18, 2023

Legislature passes bill aimed at preventing doctors' burnout by saying they don't have to report seeking mental-health treatment

Photo from Getty Images via Kentucky Lantern
By Sarah Ladd
Kentucky Lantern

A bill aimed at preventing burnout among physicians has cleared both chambers of the General Assembly. Senate Bill 12 unanimously cleared the Senate in late February and the House on Monday.

The legislation would protect Kentucky doctors who seek mental-health help from wellness programs by stating they do not need to report their participation in such a program and can't be dismissed for not reporting it. It does not mean that physicians don’t need to report conditions that have the potential to hinder their judgment, the Lantern previously reported.

Doctors who testified in committee in favor of the bill said burnout among doctors can lead to lower patient satisfaction, low morale, high turnover, increased rates of substance abuse and even suicide.

The bill's primary sponsor, Sen. Donald Douglas, R-Nicholasville, is a physician. He has testified that being able to access private help for stress “without fear of retaliation” is “imperative” for Kentucky’s doctors.

Rep. Killian Timoney, R-Nicholasville, in presenting the bill to the House, said it would “have a significant impact for Kentucky physicians.”

“Like many professions over the last few years,” Timoney said, “physicians have seen significant increases in work-related stress both due to the Covid-19 pandemic and the overall demanding nature of their work.”

He said SB 12 will help address this by encouraging doctors to get mental health help when they need it — and promising them confidentiality when they do so.

There was no discussion before a unanimous and bipartisan House vote. The bill now heads to Gov. Andy Beshear’s desk for a signature or veto.

Thursday, August 4, 2022

Beshear says current state of Ky. law on abortion is 'the most extremist in the nation' because of no rape or incest exceptions

Beshear talks about abortion. (Screenshot from Facebook)
By Al Cross
Kentucky Health News

The current state of Kentucky's law on abortion is "the most extremist in the nation" because it bans almost all abortions with no exceptions for cases of rape or incest, Gov. Andy Beshear said Thursday.

At his regular weekly press conference, Beshear was asked for his reaction to the defeat Tuesday in Kansas of a constitutional amendment similar to one on the Nov. 8 ballot in Kentucky, which would negate a preliminary court ruling that two state abortion laws probably violate the state constitution's privacy and religious-freedom provisions.

The temporary injunction, issued by Jefferson Circuit Judge Mitch Perry in a lawsuit by the state's two abortion clinics, has been blocked by state Court of Appeals Judge Larry Thompson of Pikeville pending the court's consideration of an appeal and a request to toss the case to the state Supreme Court.

That makes abortion illegal in Kentucky, except to save the woman's life or prevent permanent damage to a life-sustaining organ, under a "trigger law" the General Assembly wrote to take effect if the U.S. Supreme Court overturned its 1973 Roe v. Wade decision for abortion rights, which it did on June 24. 

"I believe that most Kentuckians view the current state of reproductive health in Kentucky as extremist," Beshear said. "I believe people should go thinking about that constitutional amendment with regards to the trigger law. . . . If that constitutional amendment passes, it will make the trigger constitutional, if it is not" under Perry's ruling.

"The trigger law is, I think, the most extremist in the nation," Beshear said. "It means that rape victims have no options. It means that victims of incest have no options. . . . They deserve options. I think the vast majority of Kentuckians agree the current state that we're under right now is extremist, and I don't think most people out there like extremism."

Beshear generally favors abortion rights, but not late-term abortions. He did not give a reaction to the Kansas referendum, in which voters defeated by 3 to 2 a constitutional amendment that would have negated a Kansas Supreme Court decision that said the state constitution creates a right to abortion.

The amendment on Kentucky's ballot would likewise negate Perry's ruling or any appellate-court ruling upholding it.

Beshear also did not respond to a question about The New York Times' state-by-state estimates of the likely outcome in similar referenda in each state, which predicted that the proposed amendment would be defeated, by a vote of 53 to 47 percent. Here's an adapted version of the Times map with its estimates.

Monday, August 1, 2022

Judge on state Court of Appeals issues temporary order making almost all abortions in Kentucky illegal again

A judge on the Kentucky Court of Appeals has issued an order that, in effect, at least temporarily bans abortions in Kentucky unless needed to save the woman's life or prevent permanent damage to a life-sustaining organ.

Judge Larry Thompson of Pikeville granted Attorney General Daniel Cameron's request that he be allowed to enforce the "trigger law" the legislature passed to ban almost all abortions if the U.S. Supreme Court overturned its 1973 Roe v. Wade decision, which it did June 24, and another law banning abortion after the sixth week of pregnancy.

Thompson's order "temporarily countermands an order from Jefferson Circuit Judge Mitch Perry to suspend enforcement of the laws while a legal challenge is pending," explains Deborah Yetter of The Courier Journal. "Thompson's order will remain in place while the appeals court appoints a three-judge panel to consider Cameron's appeal and other matters, including his request that the case be transferred directly to the state Supreme Court for swifter resolution."

Perry's ruling found that the two laws violate the rights to privacy, self-determination and religious freedom established by the state constitution and court decisions based on it.

Thompson said in his order that abortions performed while a legal challenge is pending "cannot be undone."

The American Civil Liberties Union of Kentucky, which represents Louisville abortion clinic EMW Women's Surgical Center, said it would appeal Thompson's ruling to the state Supreme Court.

"Cameron had asked the appeals court for an emergency decision to immediately lift the injunction and also transfer his appeal of Perry's decision directly to the state Supreme Court for faster resolution of his case seeking to enforce the two abortion laws," Yetter notes. "Neither law contains exemptions for pregnancies resulting from rape or incest. . . . Physicians who violate the laws could be charged with a felony and subject to up to five years in prison."

Voters could decide the issue Nov. 8, when they consider a proposed constitutional amendment that would say the state constitution does not create a right to abortion or government funding of it.

Friday, July 8, 2022

Judge gives sides in abortion lawsuit until July 18 to file pleadings; until then, at least, legal abortion can continue in Kentucky

Jefferson Circuit Judge Mitch Perry heard arguments.
(Courier-Journal photo by Scott Utterback)
Kentucky Health News

Abortion can legally continue in Kentucky until at least July 18, the deadline a Louisville judge set to file briefs in a lawsuit seeking to create a right to abortion under the Kentucky Constitution.

Jefferson Circuit Judge Mitch Perry is considering whether to issue an injunction that would maintain the status quo until he tries the lawsuit filed by the state's two abortion clinics. His June 30 restraining order allowed abortions to resume in Kentucky after the U.S. Supreme Court’s overturning of its 1973 Roe v. Wade decision.

A Kentucky law, triggered by the decision, bans abortion except when the woman's life is threatened. Perry's order blocked the law temporarily.

Perry "said he was undecided" about issuing a more lasting injunction, reports Mark Maynard of Kentucky Today. Attorney General Daniel Cameron, who tried to get appellate courts to reinstate the trigger law, "does not understand why Kentucky’s new abortion laws are being delayed."

A lawyer for the abortion clinics argued that women would be “forced to remain pregnant against their will,” in violation of the first two sections of the state constitution. Those sections say Kentuckians have “the right of seeking and pursuing their safety and happiness” and “Absolute and arbitrary power over the lives, liberty and property of freemen exists nowhere in a republic, not even in the largest majority.”

Kentucky courts have found in those sections a limited right to privacy. The state Supreme Court cited the sections and cases in 1992 when it struck down a law banning sexual activity between people of the same sex.

The state legislature, perhaps anticipating a similar decision regarding abortion, put on the Nov. 8 ballot a constitutional amendment saying that the constitution, written in 1891, does not create a right to abortion or government funding of it.

Gov. Andy Beshear said Thursday that he would vote against the amendment because it has no exceptions for rape and incest. Beshear said he "generally" supports Roe v. Wade but opposes late-term abortion.

Thursday, June 25, 2020

Health departments getting temporary workers to trace contacts of people who have the coronavirus; start of school will be big test

Centers for Disease Control and Prevention chart, via CFCF
By Lisa Gillespie
Kentucky Health News

As restaurants have reopened and people are gathering more after three months of social isolation, Kentucky’s health departments are finally getting extra help to track down people who may have been exposed to the coronavirus and ask them to self-isolate.

The “contact tracers” will allow health-department employees who have been reassigned to covid-19 work to get back to their normal work in public health. But most of the new workers haven’t been hired yet, because officials expect a surge of cases when school begins.

Congress gave states money to hire temporary contact tracers. Sara Jo Best, public-health director at the Lincoln Trail District Health Department in Elizabethtown, said contact tracing has been done for decades, but it might be a new term people haven’t heard of.

“If you’ve ever seen in a newspaper, ‘If you ate this food product between this date and this date, you need to call us,’ that’s contact tracing,” Best said. “No one ever thought anything about that; it was almost expected. It would be unethical for public health to know that you’re at higher risk of a disease or injury and withhold that information from you.”

But some legislators at the June 24 meeting of the Interim Joint Committee on State Government expressed privacy concerns.

"I know we've been doing contact tracing at local health departments for a long time, but at the level that we're doing it here . . . it could very much infringe on people's freedom and liberty," said Senate Majority Leader Damon Thayer, R-Georgetown.

Mark Carter, the state official leading Kentucky's contact-tracing efforts, said, "We are not going to be tracking people's movements. The purpose for this contact tracing effort is simply to help people protect their family, friends, loved ones from the spread of covid."

The state covid-19 website says contact tracing is completely confidential. When someone is contacted, they’re only informed that they may have been exposed to someone who has the virus, and aren’t told the identity of that patient.

Rep. Patti Minter, D-Bowling Green, spoke up for contact tracing: "We have been a hotspot in Warren County, so one of the reasons we're not a hotspot anymore has been the heroic work that has been done in the eight-county area by Barren River health department, and contact tracing has been a very big part of that.”

Some job slots wait for start of school

So far, the state Department for Public Health has hired 180 contact tracers and investigators to work in health departments across the state but is waiting to fill another 520 jobs, Carter said.

“The staffing is ahead of the disease,” he said. “We kind of want to see what the virus is going to do, because it wouldn't make sense if they had 500 people right now, because most of them would be sitting around with nothing to do. But they’re probably going to be busy in September and October with schools back.”

Robert Redfield, director of the federal Centers for Disease Control and Prevention, told a congressional committee June 23 that tracing the contacts of infected people and getting them to self-isolate will be “critical” as schools open.

For the Barren River District Health Department, the new help will mean the staff reassigned to covid-19 work can go back to their original work in public health; things like health education or work to reduce infant mortality rates.

About 80 of the Bowling Green-based agency’s approximately 100 employees were reassigned in March, Director Matt Hunt said. Before the pandemic, he said, only seven full-time staff notified members of the public if there was a possibility of contracting a communicable disease.

“We had to move very, very quickly to repurpose nearly 80 percent of our staff to work on covid,” Hunt said.

At the Lincoln Trail department, Best said her staff were moved to contact tracing and other covid-19 tasks. Night and weekend work became the norm, with many hours of overtime or comp time. Meanwhile, unemployment from the pandemic restrictions brought more clients into the department’s Women, Infants and Children food program.

“It’s nice to have the ability to bring in the additional staff to be able to relieve our staff so they don’t burn out,” Best said.

Asked if permanent staff would now give more attention to enforcing covid-19 preventive measures like limits on business’ space capacity, Best said her environmentalists working with restaurants try education first.

“You're treating it as a partnership,” she said. “Because we're good at educating people on risks, most people comply and do all right. Also, with restaurants, there is a liability issue; they want to know how to operate so they can successfully follow the rules."

State-local dispute caused delay

Each state handled the federal money for contact tracing differently. Health departments said the money should go directly to them. They have years of experience tracing diseases, from food-borne illnesses caused by bad grocery food to wide outbreaks of diseases such as hepatitis.

“We do this all the time for things like pertussis [whooping cough], hepatitis, tuberculosis, and we’re actually still doing that right now while we’re doing covid-19; other diseases didn’t take a vacation when covid-19 came to town," said Best.

Kentucky decided to use staffing agencies to hire tracers. But these agencies only conduct initial resume screenings, interviews and background checks. Health departments do the final hiring and supervision of contact tracers and investigators.

Best and Hunt said their district health departments could have used extra dollars for contact tracers much earlier, but they made do with the employees they had.

Barren River District’s eight counties all have relatively high per-capita infection rates. Hunt said he doesn’t think the delay led to more infection or negative health outcomes, mostly because his district didn’t wait for federal funds to arrive. He said he has hired 26 people, with five slots left to fill.

Carter said he and other state officials decided to use temp agencies for several reasons. While most health departments will hire local contact tracers, the state is also hiring regional tracers who can work anywhere within a broad region.

“If you had an outbreak in Bowling Green, for example, and it was quiet in Somerset, what that [our model] allows us to do very easily is to redirect some of those resources in Somerset to focus on the problem in Bowling Green,” he said.

Though the strategy might work best for state control of the contact tracing project, Best hopes the legislature will help increase staffing levels to help health departments prepare better.

“Local health departments have been carrying the bulk of the load of this since March; that’s a long time,” Best said. “I hope this is enough to highlight the necessity to invest in our infrastructure, like our staffing levels, so that we’re nimble and able to respond quickly to the next thing, because there will be a next thing … that would reduce negative health impacts.”

Information for this story was also gathered by Melissa Patrick of Kentucky Health News.


Friday, April 8, 2016

Feds find security flaws in Kynect; state says no data breaches; problems also found in federal exchange

State health-insurance exchanges in Kentucky, Vermont and California had "significant weaknesses" in protecting their electronic information from hackers, the Government Accountability Office said in a report last month.

"These included insufficient encryption and inadequately configured firewalls, among others," said the report from the investigating arm of Congress. "In September 2015, GAO reported these results to the three states, which generally agreed and have plans in place to address the weaknesses."

Ricardo Alonso-Zaldivar and Frankfort-based Adam Beam of The Associated Press report, "Vermont authorities would not discuss the findings, but officials in California and Kentucky said this week that there was no evidence hackers succeeded in stealing anything."

The report said the federal Centers for Medicare and Medicaid Services, which oversees the exchanges, had not fully implemented its oversight of their security and privacy protections.

"The GAO report examined the three states' systems from October 2013 to March 2015 and released an abbreviated, public version of its findings last month without identifying the states," AP reports. "Thursday, the GAO revealed the states' names in response to a Freedom of Information [Act] request from the AP. According to the GAO, one state did not encrypt passwords, potentially making it easy for hackers to gain access to individual accounts. One state did not properly use a filter to block hostile attempts to visit the website. And one state did not use the proper encryption on its servers, making it easier for hackers to get in. The report did not say which state had what problem."

Steve Beshear, who was governor until early December, told AP through a spokeswoman that "because of the time required to fix the technical issues, not all those issues had been addressed" when Republican Gov. Matt Bevin took over. "It is important to note that there were never any security breaches of any kind, and no one's information was ever compromised."

Doug Hogan, spokesman for the Cabinet for Health and Family Services, told AP the fixes "are in various stages of completion and implementation" and security is "of the utmost importance" to the Bevin administration.

Bevin is dismantling Kentucky's exchange, which Beshear branded as Kynect, and planning to transfer the 93,000-plus people who used it to buy federally subsidized policies to the federal exchange, Healthcare.gov.

"But Kentuckians' information might not be any safer on the federal exchange," AP reports. "According to the GAO report, Healthcare.gov had 316 security incidents between October 2013 and March 2015. Such incidents can include unauthorized access, disclosure of data or violations of security practices. None resulted in lost or stolen data, but the GAO said technical weaknesses with the federal system 'will likely continue to jeopardize the confidentiality, integrity and availability of Healthcare.gov.'"

Saturday, February 13, 2016

Female legislator files bill to put restrictions on erectile-dysfunction medications to make a point about men pushing abortion bills

Rep. Mary Lou Marzian
Fed up with a string of anti-abortion bills backed by religious conservatives, Democratic state Rep. Mary Lou Marzian of Louisville has filed a bill that would require men seeking medication to treat erectile dysfunction to have two office visits with a doctor -- and limit such prescriptions to married men who swear on a Bible that they will use the drug only for sex with their spouse, who would have to consent to the prescription.

“I just thought my 80 male colleagues in the House might like to consider what it feels like when legislators get between them and their physicians,” Marzian told John Cheves of the Lexington Herald-Leader.

“I’m just sick of them,” she told Joe Sonka of Insider Louisville. “It’s just to make a point. Should we have a bunch of politicians untrained in health care telling women what to do? So I thought I’d just tell them what to do.”

Sonka notes that Gov. Matt Bevin has already signed a bill requiring a woman seeking an abortion to have a face-to-face consultation with a doctor, and the Senate is moving a bill that would require a trans-vaginal ultrasound before an abortion.

Marzian's counter-measure is House Bill 396. "Much of the bill’s sentiment, and some of its precise language, mirrors the anti-abortion bills," Cheves notes. "That’s not a coincidence," said Marzian, a retired Louisville nurse. Cheves notes that almost half of House members are 60 or older.

Marzian told Sonka she may file the bill's language as an amendment to the Senate bill and other anti-abortion measures “to demonstrate how ridiculous it is for elected government officials to be meddling in private health care decisions. … they’re so obsessed with uteruses and ovaries and women’s health, but not concerned about the 9 percent cut to mental health services” proposed by Bevin as part of budget reductions for most state agencies.

Wednesday, August 12, 2015

Patient portals at Leitchfield hospital are breached in cyber attack; officials say it did not involve any data in state system

By Melissa Patrick
Kentucky Health News

Twin Lakes Regional Medical Center's patient portals were the target of a sophisticated cyber attack earlier this year, which may have breached protected patient health information, reports The Record, a Leitchfield newspaper.

The cyber attack was made on one of the Kentucky Health Information Exchange's patient portal vendors, NoMoreClipboard. KHIE patient portals are secure, online websites that give patients access to their personal health information.

"The NoMoreClipboard breach only affected one hospital, Twin Lakes," Beth Fisher, spokeswoman for the Cabinet for Health and Family Services, said in an e-mail. "The breach affected the patient portal maintained by NoMoreClipboard, not KHIE. No information from KHIE was breached or accessed."

KHIE provides a common electronic information infrastructure that supports the exchange of electronic health information among healthcare providers and organizations throughout Kentucky. It contracts with many different vendors to provide this service.

The security notice from NoMoreClipboard said the data that might have been compromised are: an individual’s name, home address, Social Security number, username, password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information. The newspaper says that no financial or credit card information was compromised because this information is not collected or stored.

The hospital made the announcement on July 27 and asked patients to not call the hospital "since the breach did not involve any information stored by the hospital or by any local doctor's office," the newspaper writes.

As of July 30, the hospital could not determine the number of people affected by the breach, but said "It should be kept to a minimum since the system was only recently put into place," the newspaper reports.

NoMoreClipboard began contacting affected individuals on June 2, according to the online security notice. It has also established a confidential, toll-free hotline to answer any questions. The hotline is available Monday through Friday, 8 a.m. to 8 p.m. CDT and can be reached at 866-328-1987.

NoMoreClipboard is offering credit monitoring and identity protection services to affected individuals, free of charge, for the next 24 months. Click here to see the security notice sent to its clients.

Wednesday, March 26, 2014

UK hospital tells 1,079 former patients that a laptop computer with their medical records was stolen in early February

The University of Kentucky reported Wednesday that personal health information of 1,079 people who had been patients at its hospital was on a laptop computer that was stolen in early February.

UK HealthCare said the computer, which was password-protected, belonged to one of its pharmacy billing management vendors. The computer contained dates of birth, medical records and perhaps some patients' insurance carriers and ID numbers, but not Social Security numbers or bank information, UK said.

"We have no reason to believe at this time that any data has been compromised, but under federal privacy regulations we are required to notify people whose information was on the computer in question," UK spokesman Jay Blanton said. "We are also notifying those individuals directly about what has occurred. In that communication, we provide information about where people can contact UK HealthCare for further information." For coverage from WKYT-TV, click here.

Thursday, February 13, 2014

In wide-ranging interview, secretary says her state health cabinet is a national leader in guarding the privacy of electronic data

Despite concerns elsewhere about the privacy of personal health information, Kentucky's top health official says her agency is one of the best in the nation at protecting and managing such data.

Audrey Tayse Haynes, secretary of the Cabinet for Health and Family Services, talked about information technology and privacy in an interview with Mark Green, editor of The Lane Report, a Lexington-based business publication. She credited her cabinet's information-technology department and its good record on privacy.

Secretary Audrey Haynes
"We have an extraordinary IT department at this cabinet," Haynes said. "They really are stellar. I’ve worked at national organizations, in the federal government, and of course at the state level, and we have as good an IT department, if not better, than any I’ve seen. That gives us in-house expertise and also, obviously, they can contract for further expertise."

She added, "This cabinet has a long history of maintaining people’s private information because of Medicaid and food stamps and many other programs that we run here. Last year millions of dollars were collected for Kentucky’s kids through court-ordered child support that runs through this cabinet. We have very strict requirements, both at the federal and state levels, and we take privacy very seriously. Our IT department and others plan for it, and we’re alert to it all the time."

Haynes said Kentucky is also a national leader in helping health-care providers share electronic health records, through the Kentucky Health Information Exchange, with more than 2,000 participating and getting more than $144 million in federal incentive payments. The information exchange "is nationally recognized as being in the forefront for the exchange of health information records," Haynes said. "We are one of the most progressive in the nation."

She noted that the cabinet also runs KASPER (the Kentucky All Schedule Prescription Electronic Reporting) system, which doctors and medical professionals check before prescribing controlled substances to prevent drug abuse. A 2012 law cracking down on prescription painkillers required prescribers to use the system, and it now has more than 24,700 users, Haynes said. "KASPER is a very complex system to maintain," she said, "but it is keeping Kentucky at the forefront nationally as far as helping to curb the prescription drug problem in our state."

Green and Haynes touched on many subjects in the interview, which as published runs almost 3,000 words. She said the state's health-insurance exchange, Kynect, has been successful also because of its executive director, Carrie Banahan, who "has a long history of experience with insurance, with Medicaid and with management. That’s critical. And we made it not just Carrie’s project but a Cabinet project. Then we were able to get a great company that was very committed to the success of this in Deloitte" Consulting, which built the system. "Finally, we kept it simple. We knew we could make improvements as the months and years went on. We didn’t try to be too fancy right out of the gate. We knew that it needed to work well when it was launched – that was more important than making it the fanciest online system right away."

Haynes concluded, "When I came back from Washington, D.C., to take this job, people who know me and know this cabinet were very surprised, but I’ve never regretted it. I believe in public service as well as in the role of the private sector, and this has been a dream job for me because I’ve had an opportunity to work making good policy. I’ve had some pretty neat dream jobs in my career, but this is certainly going to be the topper. Few of us ever have an opportunity to say that we have done something that can truly have an impact and be part of something that’s going to have an impact for many, many years. I think about that all the time. I wouldn’t want to be anywhere else." (Read more)

Monday, December 3, 2012

Northern Kentucky included in Medicaid's pilot program to increase data about quality of health care

The Health Improvement Collaborative of Greater Cincinnati, which includes much of Northern Kentucky, is included as one of three regions to participate in a program designed to bolster availability of information about doctors, hospitals and health care providers, the federal Centers for Medicare & Medicaid Services has announced. According to the Robert Wood Johnson Foundation, the new program will match private data with Medicare claims data to create comprehensive reports on provider performance. The other two organizations selected are Kansas City Quality Improvement Consortium and the Oregon Health Care Quality Corporation.

The program will place quality markers on those receiving Medicare claims data. For example, they must show that they can manage and process consumer-focused data, can prevent breaches of protected health information and that they are working with private insurers in order to produce comprehensive reports on provider performance. The program is also intended to protect patient privacy, enforcing strong penalties if Medicare data is misused.
(Read more)

Monday, April 30, 2012

Major newspapers publish reflections, reactions and details (including videos) on new law that will fight 'pill mills'

Reflections on the new law to fight "pill mills" are in both of Kentucky's major metropolitan newspapers today.

The Courier-Journal, which rightly takes partial credit for focusing attention on the issue, has a story by Laura Ungar that summarizes what the bill will do and not do. In the Lexington Herald-Leader, Kentucky Medical Association President Shawn Jones has an opinion piece defending his organization's lobbying against key parts of the bill.

"Unfortunately, in a desire to pass something, many did not consider the details of proposed legislation, and many of the details were extremely troublesome," writes Jones, right. "Most troubling were the proposed infringements on patient privacy through access to the state's Kentucky All Scheduled Prescription Electronic Reporting, or KASPER, system, which contains what is essentially a log of all of the controlled substances an individual has bought. A controlled substance is not just what many people have characterized as 'pain medicine.' It also includes prescriptions for medicines for anxiety, depression or attention deficit disorder." (Read more)

Jones is among the people featured in videos posted with The Courier-Journal's story. Others include Dr. Greg Cooper of Cynthiana; attorney Fox DeMoisey, who represents physicians accused of malpractice; and Dr. Patrick Murphy, a pain-management physician, talking about the various responsibilities of doctors in his field.

Saturday, April 7, 2012

Doctors' lobby still working for changes in 'pill mill' legislation

By Al Cross
Kentucky Health News

The Kentucky Medical Association, historically one of the most powerful lobbying interests at the General Assembly, has mounted a last-ditch attempt to change or perhaps kill the bill that would crack down on "pill mills" that contribute to prescription drug abuse.

The bill would require pain clinics to be owned by doctors, require doctors to participate in the state's prescription-tracking system, and move the system to the attorney general's office from the Kentucky Board of Medical Licensure, which is made up almost entirely of doctors and has done little to curb the growing problem.

The tracking system remains the central concern for the KMA, which issued a "call to action" for physicians to contact legislators and argue that it "could infringe on privacy and lead to excessive oversight of legitimate medical practices," reports Mike Wynn of The Courier-Journal. "Other critics have said the bill could make doctors reluctant to provide pain medication for legitimate patients."

KMA President Shawn Jones told Wynn, “We would like to see something come out of this session. We would just like to make sure that it is something that addresses both the needs of law enforcement and at the same time is not overreaching in its imposition on our ability to practice medicine in a professional way.”

The KMA’s call notes that the system "tracks medications such as Xanax, Valium and Klonopin and was placed under the cabinet’s responsibility partly for patient privacy and protection," Wynn notes. Jones told him, “The access to that data really should be limited to government agencies that are charged with public health, and not law enforcement.”

Moving the tracking system to the attorney general's office is "pretty much a cornerstone of this legislation," Senate Majority Floor Leader Robert Stivers, R-Manchester, left, told Ryan Alessi Friday night on cn|2's "Pure Politics" program. He said the medical licensure board "hasn't done a whole lot" about prescription drug abuse, and indicated that part of the bill would stand.

However, Stivers said he and other supporters of the bill might drop the bill's 30-day limit on the length of painkiller prescriptions because of concerns that it would raise costs to patients. Those concerns helped delay the bill on the 59th day of the legislature's 60-day session. House Speaker Greg Stumbo "has said the issue could be resolved with a simple fix in the bill’s language," Wynn notes.

Stivers and Stumbo were among a group of bipartisan political leaders, led by Gov. Steve Beshear, who issued a statement Friday calling on the General Assembly to pass the bill Thursday, when it is scheduled to reconvene. The legislature is in recess, pending possible vetoes of other legislation by Beshear.

KMA "also takes issue with a $50 fee that the attorney general would be able to charge doctors to fund the program," Wynn reports. "Jones said the amount will only continue to climb in coming years to address a societal problem that doctors did not create. Proponents contend that the fee is nominal and is capped by statute except for inflation adjustments." (Read more)

Kentucky Health News is a service of the Institute for Rural Journalism and Community Issues, based in the School of Journalism and Telecommunications at the University of Kentucky, with support from the Foundation for a Healthy Kentucky.

Thursday, April 5, 2012

This is Child Abuse Awareness Month; tips for prevention

April is child abuse awareness month, and the state Cabinet for Health and Family Services is reminding Kentuckians that it's the law to report suspected child abuse or neglect.

"Protecting our children should be everyone's number one priority, and during the month of April, we are raising awareness about the warning signs of child abuse and how to report it," Gov. Steve Beshear said. "The cabinet works year round to educate our families and investigate every aspect of abuse. Together, we can make Kentucky a safer place for all our children."

To report child abuse, Kentuckians should call 800-KYSAFE1. Calls are anonymous. If the report meets the criteria for abuse, an investigation is conducted within 24 hours in most cases or, if the child is suspected to be in immediate danger, within the hour.

Callers should try to know the child's name, approximate age, address, parents' names and location of the child when the call is made. They should also have names and phone numbers of other people who have information about the suspected abuse.

The ultimate goal is to reunite families when circumstances improve. "We want children to return home to a stronger, safer family," said Jim Grace, assistant director of the Department for Community Based Services' Division of Protection and Permanency.

The cabinet's handling of child abuse investigations and its reluctance to release records pertaining to child abuse deaths and near deaths has been a hot-button issue in the past year. The Courier-Journal and Lexington Herald-Leader both sued the cabinet for refusing to turn over records and a judge twice ruled the cabinet was wrong not to do so. Since then, it has released hundreds of pages of records, but has chosen to redact, or omit, some of the information therein. In January, Beshear acknowledged the cabinet had been accused of "operating under a veil of secrecy in a supposed attempt to protect inept workers and a poorly designed system." Legislators have since heard hours of arguments about the issue, and a bill that would create an external panel to review child abuse cases involving fatalities and near-fatalities, while imposing more secrecy, is one of the few measures that could pass the General Assembly when it re-convenes for one day next Thursday to end its legislative session.

In its effort to increase awareness about child abuse, the cabinet offered strategies for parents to prevent abuse, including:
• never disciplining a child when a parent's anger is out of control
• never leaving a child unattended, especially in a car
• learning the signs of physical abuse, noting bruises, cuts, burns or other injuries a child can't explain
• teaching children the difference between "good touches," "bad touches" and "confusing touches"
• listening to a child when he or she doesn't want to go with someone
• noting a change in a child's behavior or attitude
• teaching children what to do if he or she gets lost
• teaching children the correct name for private body parts
• being alert for talk that indicates premature sexual understanding
• paying attention when someone shows an unusual interest in a child
• making sure a child's school or daycare will only release him or her to a designated person
(Read more)

Monday, February 6, 2012

Health and family cabinet continues to withhold more information in copies of child abuse records than judge allowed

The state Cabinet for Health and Family Services released three more death and near-death cases involving child abuse or neglect Friday under court order, but continued to withhold critical information. It has appealed the order.

The 2009 cases involve two babies who died from suffocation while the parents were impaired. A third case involves a 2-year-old girl from Lawrence County, who was injured after she was reportedly kicked in the head by a horse while unsupervised.

The cabinet "continues to withhold, or redact, far more information" than was allowed under the Jan. 19 order of Franklin Circuit Judge Phillip Shepherd, reports Deborah Yetter of The Courier-Journal. Shepherd said the cabinet could withhold the names of children seriously injured by abuse or neglect, names of private citizens who report suspected abuse, the names of minor siblings in the home and the names of minor perpetrators.

But the cabinet is withholding more information than that. "For example, in the case of the girl injured by the horse, the cabinet deleted the name and relationship of the adult who was watching her, even though the adult is named and identified as her grandfather in a separate internal review of the case," Yetter reports. "The cabinet also withheld juvenile and family court records in that case and the names of all adults involved." The girl recovered from the skull fracture she sustained.

Gavin Villarreal never woke up after he was found with a plastic bag over his head in his crib, possibly placed over the 5-month-old's head by other young children in the home. His parents both tested positive for drugs on the day of his death and were convicted. In the third case, a month-old baby died after his father apparently rolled over him in his sleep. Both parents admitted they had been drinking and used marijuana before they went to bed. (Read more)

Wednesday, August 24, 2011

U of L physicians' group drops open-records appeal, but C-J may still not get records

An organization representing University of Louisville doctors who were trying to keep their financial records private dropped its lawsuit appealing an adverse open-records decision Tuesday. In April, Attorney General Jack Conway ruled that University of Louisville Physicians Inc. is a public agency and, as such, is subject to the Kentucky Open Records Act. Conway's opinion was requested by The Courier-Journal.

Last November, state auditor Crit Luallen released a scathing audit against Passport, which provides managed care for 165,000 Medicaid patients in Jefferson and 15 surrounding counties. The audit accused the organization of "wasteful spending, conflicts of interest and the questionable transfer of $30 million in Medicaid funds to organizations represented on Passport's board, including University Physician Associates," The Courier-Journal's Tom Loftus reports. Because of the audit, the newspaper asked for financial records from University Physicians Associates and University of Louisville Physicians Inc., which is the successor to University Physicians Associates. They refused to hand over the records, and Conway's decision followed.

Though the attorney general determined the organization should be subject to the open-records law, and the doctors' lawsuit has been dismissed, giving Conway's opinion the force of law, The Courier-Journal may not receive the records it has asked for. In its notice of dismissal, University of Louisville Physicians stated it could change "its structure and function in the future which it believes may alter its status as a public agency."

"We are still forming our final structure and function," Diane Partridge, ULP's vice president for marketing and communications, told Loftus. "Once we're up and fully established we may appeal this current determination." Curiously, "Partridge also said that ULP has no records to release to the newspaper as a result of the dismissal of the case," because it has no employees -- even though it was incorporated in March 2010. "She said University Physicians Associates . . . has handled all financial matters and paperwork for ULP to date," Loftus reports.

“This case is another piece of a puzzle,” Courier-Journal attorney Jon Fleischaker said. “It’s another step to try to make sure there’s more transparency at the University of Louisville School of Medicine and University Medical Center.” (Read more) "Sounds like a shell game with shell corporations," said Al Cross, director of the Institute for Rural Journalism and Community Issues and associate extension professor of journalism at the University of Kentucky.