Philadelphia Judge Tosses Class Action Data Breach Lawsuit
A proposed class action lawsuit against the HIPAA-covered entities Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan has been tossed by a Philadelphia judge. The alleged negligence of the health plans was not deemed to warrant a class action lawsuit. Avrum Baum, one of the plaintiffs named in the lawsuit, alleged negligence and unfair trade practices when filing the claim on behalf of his special needs daughter. The suit was filed after a flash drive containing the Protected Health Information and Personally Identifiable Information of over 200,000 health plan members was lost in 2010. Employees copied the data onto the drive, but then misplaced it and were unable to locate the plug-in device. A case could have been filed on the grounds of violations of the Health Insurance Portability and Accountability Act (HIPAA), although the plaintiff’s legal team chose to file the suit on the grounds of negligence and a breach of the state of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law (“UTPCPL”). Class Action Lawsuits under Pennsylvania’s Unfair Trade...
Beacon Health System Learns of Cyberattack Spanning 14 Months
Beacon Health System (BHS) has announced it has discovered it is the victim of a sophisticated cyberattack. A hacker first infiltrated some of the company’s mailboxes in November 2013 with the last known access attempt taking place on January 26, 2015. The hacker reportedly gained access to email accounts after BHS employees were fooled into disclosing their login credentials in an email phishing campaign. The unauthorized access was discovered on March 25, 2015, and an investigation into the data breach was immediately launched. The affected patients have now been identified and breach notification letters started to be mailed on May 22, with the data breach understood to involve over 220,000 patients. However, the incident has now been reported to the Office for Civil Rights indicating 306,789 individuals have been affected. Social Security, Numbers, Driver’s License Numbers, and Health Data Exposed The email accounts contained a limited amount of information on patients, which mostly was limited to patient names, the name of the patient’s doctors, internal patient ID...
800 Patients of Pittsburgh Jefferson Hospital Affected by HIPAA Breach
Allegheny Health Network’s Jefferson Hospital in Pittsburg, PA is the latest HIPAA-covered entity to announce some of its patients are victims of a HIPAA breach caused by a rogue employee of a billing Business Associate, Medical Management LLC (MML). Allegheny Health Network (AHN) has now issued a HIPAA breach notice to the media announcing a small percentage of its patients will soon be receiving a breach notification letter in the post. The data breach has only affected some patients who used the hospital’s emergency services during the past two years; approximately 800 individuals. Those patients have been informed that the hospital has just discovered it has also been affected by the Medical Management data breach, first reported to have affected 2,259 patients of the University of Pittsburgh Medical Center. According to the breach notice, patient’s medical histories and treatments have not been exposed and disclosed, although some Protected Health Information (PHI) and Personally Identifiable Information (PII) has been compromised, including patient names, dates of birth and...
URMC Employee Breaches HIPAA Providing PHI to New Employer
A former nurse of the University of Rochester Medical Center (URMC) has violated the Health Insurance Portability and Accountability Act (HIPAA) after she took a list of patients of the URMC neurology department and gave that information to her new employer, Greater Rochester Neurology (GRN). The list contained the Protected Health Information (PHI) and Personally Identifiable Information (PII) of 3,403 individuals, according to the report in the Rochester Democrat & Chronicle. The nurse would not normally have been given a list of patient names, addresses, contact telephone numbers, dates of birth, gender, diagnosis information (and last treatment dates) prior to leaving employment at the hospital, but she “requested the list to help ensure continuity of care for the patients she was leaving, and she was provided the list for that purpose,” according to Dr. Robert G. Holloway, chair of the Department of Neurology. The purpose of the list was to allow the nurse to make notes on the patients so that the information could be passed on to her replacement to ensure the care...
US Coastguard Criticized for HIPAA Failures
The U.S. Coastguard (USCG) has been audited by the Office of the Inspector General (OIG) to assess privacy and security measures that have been implemented to safeguard Protected Health Information (PHI). The OIG auditors discovered the USCG lacks a number of the necessary controls to protect the privacy of the data it holds. The USCG operates 42 health clinics and 150 sick bays in coastal areas in the United States and Puerto Rico. Each year over 300,000 clinic visits are recorded, with data recorded in its Composite Health Care System (CHCS). The CHCS contains Personally Identifiable Information (PII) along with PHI that includes medical test results, immunization data, pharmacological and x-ray data; information covered under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy and Security Rules place a number of requirements on HIPAA-covered entities to ensure that data remains private and confidential, and is only shared with authorized individuals for the provision of treatment and medical care to patients. HIPAA also covers the physical,...



