$3.5M Settlement Agreed to Resolve Group Health Cooperative of South Central Wisconsin Data Breach Lawsuit
Group Health Cooperative of South Central Wisconsin, a non-profit, member-owned health plan with approximately 70,000 members, has agreed to settle a consolidated class action lawsuit stemming from a cyberattack and data breach detected in January 2024. Suspicious activity was identified within its computer systems, and the forensic investigation confirmed unauthorized access to its network. The file review determined that the protected health information of more than 533,000 current and former members and their dependents had been exposed in the attack. Data compromised in the incident included names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, member names, and Medicare/Medicaid numbers. Several lawsuits were filed in response to the data breach, which were consolidated as they had overlapping claims. The consolidated lawsuit, Pearson, et al. v. Group Health Cooperative of South Central Wisconsin, was filed in the Circuit Court of Dane County, Wisconsin, and asserted claims of negligence, negligence per se, breach of fiduciary duty,...
Who Is Responsible For HIPAA Compliance?
Covered entities and business associates are responsible for HIPAA compliance, the compliance of their workforces, and the compliance of any third-party service providers to whom Protected Health Information (PHI) is disclosed. To manage the responsibilities, covered entities and business associates are required to designate a Privacy Officer and/or a Security Officer. Although HHS’ Office for Civil Rights is responsible for enforcing Parts 160 and 164 of the Administrative Simplification Regulations (which include the Privacy, Security, and Breach Notification Rules), there are a number of standards within these Parts which place the responsibility for HIPAA compliance on covered entities and business associates. These standards include, but are not limited to:
§160.304 – The Principles for Achieving Compliance
The standard has two parts. The first part states that the Secretary of Health and Human Services (HHS) will seek the cooperation of covered entities and business associates in obtaining HIPAA compliance, while the second part states the Secretary may provide technical...
HIPAA Training for Rehab Centers
HIPAA training for rehab centers provides a baseline privacy framework that can help workforce members better understand, absorb, and comply with the more rigid confidentiality standards that apply to Part 2 programs or that are required by state laws. Compliance training for rehabilitation centers is more challenging than compliance training for general medical facilities because rehab centers sit at a crossroads between healthcare, behavioral health, social services, and criminal justice. In such environments, it is impractical to provide “one-size-fits-all” compliance training due to the diversity of workforce roles and the regulations that apply to each role. An effective solution to the challenge of compliance training for rehabilitation centers is to provide progressive “layered” training. Layered training consists of a foundation layer of concepts common to federal and state regulations – and that apply in most workforce roles – with additional training layered on top to account for more rigid confidentiality standards and/or role-specific compliance...
42 CFR Part 2 Training
42 CFR Part 2 training is a functional requirement for workforces of healthcare facilities that provide substance use disorder services because it is impossible for workforces to comply with the Part 2 regulations if they do not know what restrictions apply to uses and disclosures of Part 2 protected information. Although 42 CFR Part 2 does not contain a specific standard mandating 42 CFR Part 2 training, healthcare facilities that provide substance use disorder (SUD) services must comply with all applicable regulations relating to Part 2 uses, disclosures, consent, redisclosure warnings, and breach notifications. It is not possible for workforces to comply with the regulations if they do not understand what Part 2 protected information is, how it can be used or disclosed, and why it needs protecting. Similarly, it is not possible for facilities to implement and enforce “confidentiality safeguards” (as required by §2.13) without providing 42 CFR Part 2 training so that workforce members are aware of what the safeguards are.
What is a Z1 Offense Wanted by HHS?
The term Z1 offense wanted by HHS relates to an individual who has been excluded from the System for Award Management database and who also appears on HHS’ Office of Inspector General’s “Fugitive List”. Most individuals wanted by HHS for a Z1 offense have been charged with – or convicted of – healthcare fraud, but have fled before being sentenced. To help explain what is meant by the System for Award Management exclusions, wanted by HHS, and Z1 offenses, it is best to go back to the 1980s. At the time, federal agencies were adopting computerized databases – allowing them to more easily create, maintain, and share lists of approved or excluded contractors. Early examples include the Department of Defense’s Central Contractor Registry (CCR), and HHS’ Office of Inspector General’s Exclusions List (LEIE). By the early 2000s, many federal agencies shared the same database of excluded contractors – the Excluded Parties List System (EPLS). This system categorized exclusions according to the excluding agency and the reason for the exclusion using Cause and Treatment (CT)...