Express Scripts HIPAA-Based Lawsuit Dismissed by Court of Appeals
In 2019, a lawsuit was filed against Express Scripts by five independent pharmacies alleging improper use of patient data in violation of HIPAA. Express Scripts is the largest pharmacy benefits manager in the United States with its own retail pharmacies and pharmacy service. The five pharmacies were part of the Express Scripts network and were required to submit detailed claims to Express Scripts for processing and reimbursement before dispensing drugs. The pharmacies also needed to include information about the medications in their claims, along with the contact information of their customers. In the lawsuit, the pharmacies alleged that Express Scripts was in breach of contract and good-faith and fair-dealing covenants, and in violation of HIPAA and the HITECH Act. The pharmacies were required to provide Express Scripts with information about their customers, which it is alleged was then used to switch the customers to Express Script’s mail order service. The pharmacies alleged there was no need to supply that information to confirm coverage and for reimbursement. “The Pharmacies...
HHS Releases Updated Security Risk Assessment Tool
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a new version of its Security Risk Assessment (SRA) Tool has now been released. The SRA tool was developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with OCR to help small- to medium-sized healthcare providers comply with the security risk assessment requirements of the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program. A security risk assessment is conducted to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI). The risk assessment should identify any unaddressed risks, which can then be addressed by implementing appropriate physical, technical, and organizational safeguards. HIPAA compliance audits and investigations of data breaches have revealed healthcare providers often struggle with the risk assessment. Risk assessment failures are one of the most common reasons why HIPAA penalties are issued....
HIPAA Right of Access Failures Result in Five OCR HIPAA Fines
The Department of Health and Human Services’ Office for Civil Rights has announced five settlements have been reached to resolve HIPAA violations discovered during the investigation of complaints from patients who had experienced problems obtaining a copy of their health records. The HIPAA Privacy Rule gives individuals the right to have timely access to their health records at a reasonable cost. If an individual chooses to exercise their rights under HIPAA and submit a request for a copy of their health records, a healthcare provider must provide those records without reasonable delay and within 30 days of receiving the request. After receiving multiple complaints from individuals who had been prevented from obtaining a copy of their health records, OCR launched its HIPAA right of access initiative in 2019 and made compliance with the HIPAA right of access one of its enforcement priorities. Two settlements were reached with HIPAA covered entities in 2019 over HIPAA right of access failures. Bayfront Health St Petersburg and Korunda Medical, LLC were each ordered to pay a financial...
Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs
The U.S. Department of Veteran Affairs (VA) has experienced a data breach involving the personal information of around 46,000 veterans. Hackers gained access to an online application used by the VA Financial Services Center (FSC) and attempted to divert payments sent by the VA to community care providers to pay for veterans’ medical care. Social engineering tactics were used, and authentication protocols were exploited to gain access to the application and change bank account information. Upon discovery of the breach, the FSC took the payment processing application offline to prevent any further payments from being sent. It is unclear how many payments were sent before the cyberattack was discovered and whether the attack was detected in time to block fraudulent transfers. The FSC said the breached payment processing application will remain offline until the Office of Information Technology has performed a comprehensive security review. The main purpose of the cyberattack appears to have been to divert payments; however, the personally identifiable information and Social Security...
CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning hackers affiliated with China’s Ministry of State Security (MSS) are conducting targeted cyberattacks on U.S. government agencies and private sector companies. The attacks have been ongoing for more than a year and often target vulnerabilities in popular networking devices such as Citrix and Pulse Secure VPN appliances, F5 Big-IP load balancers, and Microsoft Exchange email servers. The hacking groups use publicly available information and open source exploit tools in the attacks such as China Chopper, Mimikatz, and Cobalt Strike. The hacking groups, which have varying levels of skill, attempt to gain access to federal computer networks and sensitive corporate data and several attacks have been successful. The software vulnerabilities exploited by the hackers are all well-known and patches have been released to correct the flaws, but there are many potential targets that have yet to apply the patches and are vulnerable to attack. Some of the most...



