A data leak over the summer may have given hackers access to health records and personal information for both residents and staff at 40 nursing homes, according to the healthcare services provider whose servers were compromised. 

The company, HMG Healthcare, said earlier this month that it first identified the leak in November and traced the data breach incident back to August. 

Although the exact information stolen is unidentifiable, HMG has taken steps to try and mitigate harm and make sure data was not spread further, as well as increasing their “data security protocols,” the company said in a letter sent to affected employees and residents. 

“We sincerely apologize for any inconvenience and concern this incident causes you,” HMG CEO Derek Prince said in a statement. “HMG will continue to do everything we can to correct this situation and improve our protections for you and others going forward.”

These kinds of costly leaks are why new cybersecurity is one of the highest tech priorities for healthcare organizations, McKnight’s reported last month.

Senior care and living operations remain one of the most vulnerable industries to these attacks, due to a number of factors from weak passwords and staff errors, to outright theft, security experts have warned.

One recent settlement involving a data breach ended up costing one senior living operator, Acts Retirement-Life Communities $1 million.

The HMG leak possibly occurred due to a ransomware attack, and the company may have been forced to negotiate with the hackers to prevent further damage, one cybersecurity company exec speculated. 

“Because they were compromised and couldn’t completely guarantee nothing was visually seen and copied via screen shot or other means, they had to publicly disclose the breach,” said Bobby Cornwall, vice president for strategic partner enablement and integration at SonicWall. “They would need to be careful with their statement and disclosure so as not to be put in a situation that could result in larger fines due to HIPAA violations.”

As healthcare organizations, including senior care providers, must weigh an increasing number of tech innovations to adopt, one new high-level survey aims to “sift through the noise” by capturing what tools may be most beneficial. 

Although cybersecurity and telemedicine currently are the most widely adopted tech tools among those pooled, adding more remote monitoring appeared to be the highest future priority for healthcare companies, according to a newly released report from digital marketplace Panda Health.

Eighty-six percent of the survey participants said they believed remote monitoring would have the biggest future benefit, whereas virtual nursing was considered the least valuable of the slate of technologies reviewed in the survey.

Not all technologies adopted in healthcare have been immediately beneficial or accomplished their stated goals. Many experts believe initial electronic health records systems were not designed to be user friendly, and thus created new problems and training needs. 

Healthcare leaders identified three broad goals for tech that they require in new tools: They must improve workflow, the must improve resident/patient outcomes and they must reduce costs.

The need to frame tech solutions in terms of return on investment and perceived value also is due to financial pressures organizations face, the Panda survey noted. Within senior care, that issue is most acutely felt in staffing concerns. 

“The current state of the healthcare industry has raised the stakes on hospital and health system leaders to ensure they are investing their limited resources in the most effective way possible,” Ryan Bengston, president and chief operating officer of Panda Health, said in a statement.

In addition to low enthusiasm for virtual nursing, the survey participants also rated chatbots or digital care navigators as having lower perceived value.

Based on those findings, it seems many healthcare leaders are on the same page with caregivers and residents/patients in terms of being wary of any tools that replace or diminish human, interpersonal interactions.

As more and more older adults turn to their smartphones, laptops or other devices for holiday shopping, scammers are coming up with new tricks to ruin Christmas.

Online scams against older adults are expected to increase this month, including offers from fake look-alike “stores” or missed delivery notifications, the US Attorney’s Office has warned.

“December is the month of giving, but it’s also the time of year when cybercriminals try to take advantage of consumers, quickly turning a joyous season into a living nightmare,” US Attorney Dena J. King said in a statement.

Although the most likely targets for such scams are older adults living at home, long-term care facilities and communities also should be making sure their residents and their families understand the current risks around online fraud.

Fraud aimed at older adults, even online, is nothing new, and many older adults are becoming more savvy about being targeted.

But the combination of increased online shopping and new digital tools that use artificial intelligence has created new potential threats. 

One concern is that many people, including older adults, more often are using payment apps such as Venmo or Zelle; they can make it easier to send money to more vendors than ever but also provide less consumer protection if payment is sent to the wrong person, or a scammer, the AARP warns.

AARP’s Fraud Network is a free resource that anyone can access, and the organization sends out a “fraud knowledge” survey every year. This year, less than 30% of survey respondents were able to score a 7 out of 10 or better when quizzed about fraud issues, the AARP reported. 

Over the past few months, Congress and the Senate Special Subcommittee on Aging have warned that AI tools have engendered more sophisticated scams, such as creating fake images or conversations that can credibly mimic family members or government agents.

The pressures on the senior living sector only abated marginally in 2023, as operators tried to maintain their balance in a precarious business and economic environment. And any significant reversal in fortunes is unlikely to occur until 2025, as political volatility in 2024 will continue to influence the regulatory and interest rate environment.

Managing against countervailing forces has been an ongoing struggle that’s not going to ease much in the new year.

There’s good news, for example, in that senior living occupancy rates are coming back from the pandemic’s devastation. And in nursing homes, occupancy reached 82.3% in August, topping 82% for the first time since April 2020. Regardless of setting, however, providing adequate resident care is a challenge given severe staff shortages amidst the worst job losses of any healthcare sector.

And although cooling inflation is a positive, it’s still running above the Federal Reserve’s 2% target and has not yet resulted in relief on costs. Interest rates are stubbornly high, and operators should be worried about the impact on the cost of long-term debt coming due, not to mention revolving credit lines.

Plus, unlike other sectors, parts of the industry can’t just offset inflationary costs by raising its fees — assisted living operators that rely heavily on Medicaid, for instance, and nursing homes, most of which depend on Medicare and Medicaid reimbursements, which are based on data two years behind and not adjusted for inflation.

Managing the risks is do-able, if difficult. One area where senior living and care organizations can help themselves in 2024 is by staying open to and leveraging risk mitigation and transfer strategies and solutions.

Meeting the staffing challenge

In early 2023, more than 70% of assisted living communities and 80% of nursing homes reported staffing shortages, and for some operators, the situation only has gotten worse as the year progressed. Providers have been forced to ask current staff members to work overtime or additional shifts, depend on temporary agency staff, or limit new move-ins.

Minimum staffing requirements proposed for nursing homes by the Centers for Medicare & Medicaid Services may further sap the industry given associated costs of some $6.8 billion, according to one study. And the effects of that proposal, if it is implemented, will be felt by assisted living operators and others.

The pace at which the population is aging and pressuring the system suggests that better pay alone is not the answer. Still, many are watching California to see whether its new $25 minimum wage for healthcare workers moves the needle.

Equally important may be balancing out a tough working environment by providing a quality employee experience built around individualized benefits. By offering benefits that respond to where people are in their personal and professional lives, employers can make their work environments stand out.

More than just health benefits, this means those benefits that simplify and improve employees’ lives or help them save money, including auto, home or renters’ insurance. Or that improve their lives, like mental health services or emergency backup services. Or even other benefits that might demonstrate the value that is placed on employees, such as recognition and motivation programs. Such benefits may be no or low-cost but can yield big returns for the investment.

Two coverages to transfer hard and soft risks

The healthcare industry continues to be a top target for cyber intrusions, and the senior living and care sector is just as vulnerable as the big hospital systems. The good news overall is that the number of healthcare data breaches dropped 15% through 2023’s first half. The bad news, though: a new record of 40 million individuals were affected.

The issue is not going away in 2024, and senior living and care providers should take heed. Cyber breaches often stem from human error, which is more likely to occur with the pressures of staff shortages. Plus, most communities and facilities are underinsured for the risk, with policies that leave big exposures. When cash-strapped, they’re not likely to want to think about better coverage against the risk, even with more moderate rate increases of about 10% ahead. That should make improved digital security controls an imperative.

A softer risk, but one that’s no less costly, is workplace violence, and particularly active shooter incidents. These incidents have occurred this year in senior living and care facilities from California to Texas to Florida, involving family members, workers and outsiders. It makes the case for workplace violence coverage, which is a relatively inexpensive business interruption protection.

The Mother Nature effect

A continuing concern for every business sector, including senior living, has been the pressured market environment for property insurance. Building valuations still are escalating on top of pure rate changes.

Blame Mother Nature, and not just for the cost of hurricanes, winds and storms, particularly in coastal areas. Add in scorching heat, which stands to cost the United States $100 billion in lost productivity, even as it causes mortality and disrupts business continuity.

Looking ahead, communities and facilities in more vulnerable regions can expect double-digit rate increases, whereas those less exposed will see rates stay flat.

Moving into 2024…

Now is the ideal time for senior living and care management to enlist its brokerage partners to undertake a thorough assessment of how much risk they are comfortable with and the cost of transferring that risk. That should lead to a better understanding of whether it would make financial sense to put alternative risk structures in place.

When there’s a financial squeeze from the perspective of cash flow, profitability and insurance cost, it’s time to reassess how if dollars spent on insurance are rendering the most profitable outcome. Now is the time to be asking those questions, because status quo no longer works.

Gerald Stoll is the US senior care segment leader with global insurance brokerage Hub International. He specializes in developing comprehensive insurance and risk management solutions for the long-term care industry, including independent living, assisted living, nursing homes, clinics and urgent care centers.

Jordan Parnell is the healthcare practice group leader for Hub International’s Gulf South Region. The practice group consults, designs risk management programs and brokers insurance transactions. He also is involved in the national healthcare team that brokers complex multi-state and international healthcare transactions.

The opinions expressed in each McKnight’s Senior Living marketplace column are those of the author and are not necessarily those of McKnight’s Senior Living.

Have a column idea? See our submission guidelines here.

A group of four US senators is urging the Federal Trade Commission to take action against artificial intelligence and scam threats aimed at older adults. 

“Many times, the AI-powered scams seem so realistic that the victims do not know the scammers have utilized AI in targeting them,” the senators warn in a letter sent Tuesday. “In order to respond effectively, we must understand the extent of the threat before us; we ask that the FTC share how it is working to gather data on the use of AI in scams.”

Older adults, wherever they live, are being more frequently targeted by AI scams that better reproduce the voice or tone of family members or someone affiliated with their care, such as a false Medicare representative.

As part of their request, the senators asked that the FTC update AI scam information in its fraud database. 

The letter comes on the heels of a recent Senate hearing on AI and cyber scams, as well as the release of a new edition of the annual “fraud book” produced by the Senate Special Committee on Aging.

Sen. Bob Casey (D-PA), the chairman of the committee, joined his fellow Pennsylvanian colleague John Fetterman (D-PA), along with Sens. Kirsten Gillibrand (D-NY) and Richard Blumenthal (D-CT) in signing the letter.

There are ongoing efforts to pass federal legislation to regulate the use of AI in healthcare, although much of that is centered around protecting patient privacy or issues of transparency.

In addition, 23 states either have proposed or passed state laws regulating AI in some capacity, according to one law firm tracking the data. 

A cybersecurity threat ominously titled the “Citrix bleed” requires immediate attention from healthcare organizations, federal agencies warned Friday.

The issue is a vulnerability in network systems that could allow hackers to access private healthcare information by bypassing passwords and multifactor authentication, the Department of Health and Human Services said.

The cloud computing company Citrix first warned users of the “bleed” threat in October and since then, reports showed that hackers were exploiting the software since August, according to HHS.

Two security systems, NetScaler ADC and Netscaler Gateway 12.1, are now considered “end-of-life,” the HHS warning stated. It recommended that they be replaced immediately.

The threat is exacerbated by the fact that Citrix boasts that all of the top 10 largest healthcare organizations in the United States use its IT solutions.

The warning from HHS requires those using the software to deploy Citrix patches and upgrade security systems, said John Riggi, cybersecurity risk advisor for the American Hospital Association.

“This situation demonstrates the aggressiveness by which foreign ransomware gangs continue to target hospitals and health systems,” Riggi said in a statement. “Ransomware attacks disrupt and delay healthcare delivery, placing patient lives in danger. We must remain vigilant and harden our cyber defenses, as there is no doubt that cyber criminals will continue to target the field, especially during the holiday season.”

New software technology has not yet abated cybersecurity threats. In fact, new artificial intelligence tools have allowed for sophisticated cyber scams that mimic voices or government agents, which prompted a recent Senate hearing on the threat.

In addition to any harm caused by leaking sensitive information, data breaches also could also cost healthcare providers via expensive lawsuits, such as a class-action case levied against PharMerica, which provides services to long-term care operators, earlier this year.

Tech scams are among the most common, and costliest, kinds of fraud that older adults fall victim to, and their losses more than doubled over the past two years, a new report shows.

Adults aged 65 or more years who fall victim to fraud scams lose, on average, more than $1,000 annually, according to a new report sent to Congress this week from the Federal Trade Commission.

The median amount for fraud victims aged more than 80 years is even higher, at $1,750, the report shows.

Considering that many recent studies have shown that older adults have a better understanding of technology than ever before, the statistics serve as a reminder that scammers have responded in kind, either in prevalence or sophistication. 

Overall, older adults lost $159 million in tech support scams, the FTC report states. Although that dollar figure is still less than other categories, such as business impersonation or investment scams, it represents a 117% increase between 2021 and 2022.

The FTC report echoes similar analyses, which show that computer/IT scams are among the most common kinds of fraud aimed at seniors, including robocalls and government rep impersonators. 

If there is a silver lining, it’s that a majority of participating seniors are aware of the pitfalls of social media — either scams or misinformation — based on a ClearMatch Medicare study from last month.

In light of the higher amounts of financial losses seniors incurred last year, the FTC recommended new legislation, or an update to a 2021 Supreme Court ruling that limits the agency’s ability to recover the losses.

“We do all we can to protect older adults and shut down the scams targeting them,” Samuel Levin, director of the FTC’s Bureau of Consumer Protection, said in a statement. “But we still need Congress to restore our authority to get money back from the scammers and into consumers’ pockets.”

Cybersecurity should be a strategic priority for senior living providers, nursing homes, hospitals, physician and dental practices, and other facilities where sensitive personal data are kept and could be compromised without appropriate safeguards. Robust cybersecurity protocols, in fact, are as essential to resident and patient safety as any other accountability or quality control mechanism. Healthcare leaders, industry associations and even members of Congress all are pushing for healthcare organizations to go further to protect their data and that of those in their care.

There is no question the stakes are high. Care organizations generally are bigger targets than the average corporation, because bad actors bet they will be able to get their hands on Social Security numbers, bank details or emerging medical research and drug patents, to name a few of many examples. Cybercriminals also will assume that they hold most or all of the cards in such a situation, with organizations such as hospitals under extreme pressure to meet ransoms for the sake of patient safety.

Fixing a breach after the fact can come with monetary and reputational costs. Research compiled this year by the US Department of Health and Human Services points to healthcare-related data breaches having doubled over the past three years, noting that the average ransom demand reached nearly $250,000 in 2021, and that typical downtime, with critical systems rendered inoperable by an attack, increased from 18 to 22 days in a single year. 

None of this is to say that providers are helpless. Broadly speaking, you can take certain steps on both the resident side and provider-administrator side to mitigate risks and provide the maximum possible protection.

Some of those steps are fairly straightforward. For residents and their designated caregivers, multi-factor authentication should be the minimum standard for accessing confidential records. Users should be expected to verify their identities through at least one additional step, such as entering a one-time code sent via SMS message. Adaptive authentication steps also care monitor potential attempts at gaming the system, such as repeatedly entering the wrong password, while also preserving good faith assumptions.

Residents and their families also should have a basic awareness of the steps your organization is taking to protect their data. If they have any responsibilities — such as routinely changing their passwords on a patient portal — those should be made very clear and simple. Ultimately, the responsibility lies with the provider for data to be safeguarded.

Providers, owner-operators or administrators of healthcare organizations have a few other considerations to keep in mind, some of which will involve advocating for themselves and their needs in front of lawmakers and regulators. For one thing, HIPAA on its own isn’t a sufficient cybersecurity safeguard, even if its stipulations are followed to the letter. Providers need to know what other regulations are expected of them, depending on what exactly their organization does. The organization may fall under the umbrella of the Cybersecurity Information Sharing Act, for instance.

It is encouraging to see that legislators at the federal level are reexamining the role of cyber insurance as a safeguard. More should be done to incentivize small healthcare organizations, in particular, to take out policies sufficient to cover their likely risks. Minimum coverage provisions would be one strong step. Another, arguably, is shifting regulatory responses to cybersecurity crises and breaches from punitive to supportive, focusing less on punishing the victims of a cyber breach for negligence and more on enabling them to strengthen their defenses and learn lessons.

It also is worth noting that a large number of cybersecurity breaches originate from third-party vendors, suggesting that more must be done to patch up vendor vulnerabilities throughout the supply chain. At the very least, healthcare organizations have the right to fully understand the steps that third-party contractors are taking to firm up their cyber defenses. Draw up a risk matrix to visualize both strengths and potential pain points.

The adoption of any new service, software or product between the healthcare organization and the third-party vendor needs to be accompanied by a unique cybersecurity discussion. What steps have been taken to ensure safe and seamless system integration? Have all team members who will either use or get access to the software or product been trained on both its basic functions and any relevant security protocols? What gaps exist, real or potential? How are they being plugged, and how will both sides respond in the event a breach is discovered?

To receive bespoke advice and gain a better understanding of your organization’s unique risks, it is worth approaching a cybersecurity consultant who is skilled and experienced at working with companies in your industry. There is no reason to wait. Resident safety, quality of care and reputation all truly depend on it.

Mike Skinner is the founder and principal consultant of the Skinner Technology Group, a provider of IT managed services, business network management and cybersecurity consulting. He has more than 20 years of experience in IT and cybersecurity services across multiple industries.

The opinions expressed in each McKnight’s Senior Living marketplace column are those of the author and are not necessarily those of McKnight’s Senior Living.

Have a column idea? See our submission guidelines here.

The state of Colorado has settled with Broomfield Skilled Nursing and Rehabilitation Center for not protecting the personal data of hundreds of residents, patients and employees before and during a 2021 data breach. The skilled nursing facility will pay a fine of at least $35,000 and be required to upgrade its information security systems.

All due to the fact that two of its computers did not have dually protected emails accounts and were compromised.

“Every cybersecurity threat is potentially devastating, but it’s particularly troubling when older Coloradans and those who care for them are the victims of cybercrime due to a failure on the part of a nursing facility to properly handle the personal data of patients and employees,” State Attorney General Phil Weiser said Friday in a statement.

In March 2021, Broomfield discovered that two employee email accounts were compromised. Even though most company emails had been equipped with two-factor authentication, those two email accounts were not protected, officials said.

The breached inboxes contained tens of thousands of emails, Weiser explained. Some emails contained personal, financial and medical data for hundreds of current and former residents, patients and employees, including emails containing personal data going back as far as 2016.

Broomfield had no written data disposal policy even though it is required by state law, according to the attorney general’s office. In addition, the facility also waited months to notify those affected, even though the law requires notification to occur within 30 days, Weiser said.

Under the terms of the settlement agreement, Broomfield will pay a fine of $35,000 to $60,000, depending on restitution and future antitrust enforcement needs. The company also will develop a written paper and electronic data disposal policy and update its security protocols.

The settlement funds may be used to pay restitution and for future consumer fraud or antitrust enforcement, consumer education or public welfare purposes, Weiser said.

The Broomfield Skilled Nursing and Rehabilitation Center became Adara Living in February 2022, with the same ownership and staff, according to a post on social media. 

So far in 2023, the number of cybersecurity incidents within healthcare has increased by a whopping 104% — affecting 40 million individuals — over the same time period last year, a report from Fortified Health Security shows.

“Every cybersecurity threat is potentially devastating, but it’s particularly troubling when older Coloradans and those who care for them are the victims of cybercrime due to a failure on the part of a nursing facility to properly handle the personal data of patients and employees,” state Attorney General Phil Weiser said Friday in a statement. “While the damage has already been done in this case, let this settlement be a warning that I will not hesitate to act against any company that fails to comply with Colorado data protection laws.”

In March 2021, according to the attorney general, Broomfield discovered that two employee email accounts were compromised. Even though most company emails had been equipped with two-factor authentication, those two email accounts were not protected. The breached inboxes contained tens of thousands of emails, Weiser said. Some emails contained personal, financial and medical data for hundreds of current and former residents, patients and employees, including emails containing personal data going back as far as 2016.

Broomfield had no written data disposal policy even though it is required by state law, according to the attorney general’s office. In addition, the facility also waited months to notify those affected, even though the law requires notification to occur within 30 days, Weiser said.

Under the terms of the settlement agreement, Broomfield will pay a fine of $35,000 to $60,000. The company also will develop a written paper and electronic data disposal policy, update its security protocols, review the safeguards it has put in place at least once a year, develop an incident response plan and submit regular compliance reports to the attorney general.

The settlement funds may be used to pay restitution and for future consumer fraud or antitrust enforcement, consumer education or public welfare purposes, Weiser said.

The Broomfield Skilled Nursing and Rehabilitation Center became Adara Living in February 2022, with the same ownership and staff, according to a post on social media. 

In total, the healthcare sector witnessed a 45% surge in cyber attacks in 2021 alone.

So far in 2023, the number of cybersecurity incidents within healthcare has increased by a whopping 104% — affecting 40 million individuals — over the same time period last year, a report from Fortified Health Security shows.