The HIPAA Journal legal news section contains details of the latest enforcement activities by the Department of Health and Human Services’ Office for Civil Rights, including settlements and civil monetary penalties, and legal actions taken against covered entities by state attorneys general.

You will also find brief details of class action lawsuits and other legal actions filed against covered entities for HIPAA violations, privacy violations, and data breaches, along with other legal news specifically relating to HIPAA or other legal matters of particular relevance to the healthcare industry.

Changes to the HIPAA Rules themselves are covered in the HIPAA Updates category. This section does, however, include updates to state legislation, in particular changes to breach notification and cybersecurity laws that are relevant to healthcare organizations.

Salinas Valley Memorial Healthcare Settles Email Data Breach Lawsuit for $340K
Aug09

Salinas Valley Memorial Healthcare System in California has agreed to settle a class action lawsuit for $340,000 to resolve claims from patients affected by a breach of its email environment in 2020. Between April 30, 2020, and June 5, 2020, unauthorized individuals gained access to the email accounts of four employees and a contractor following responses to phishing emails. Prompt action was taken to secure its email environment, but during the 5-week period of compromise, the attacker(s) had access to emails containing sensitive patient information including names, hospital account numbers, medical record numbers, dates of service, and other information. Legal action was taken against Salinas Valley by a patient affected by the data breach. The plaintiff alleged that Salinas Valley acted unlawfully by failing to prevent the attack, did not fulfill its legal obligations to safeguard the personal and protected health information of the plaintiff and class members, and violated the California Confidential Medical Information Act, Civil Code §§ 56 et seq. Salinas Valley maintains it...

Dental Care Alliance Settles Class Action Data Breach Lawsuit for $3 Million
Aug04

Dental Care Alliance has agreed to settle a class action lawsuit filed in response to a data breach that affected more than 1.7 million individuals. A fund of $3 million has been created to cover claims from individuals affected by the breach. Dental Care Alliance, LLC, is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices across 20 states. Dental Care Alliance said its systems were compromised on September 18, 2020, the breach was detected on October 11, 2020, and was contained on October 13, 2020. The forensic investigation confirmed that names, addresses, diagnoses, treatment information, patient account numbers, billing information, dentists’ names, payment card information, and health insurance information had potentially been compromised. Individuals were notified about the breach in December 2020. The breach report submitted to the HHS’ Office for Civil Rights initially indicated 1,004,304 individuals had been affected, but it was later amended to 1,723,375 individuals. Dental Care Alliance said no specific evidence of data...

Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites
Aug01

Meta is facing another class action lawsuit over the unlawful collection and sharing of health data without consent. The lawsuit was filed in the Northern District of California on behalf of the plaintiff, Jane Doe. The lawsuit alleges Meta and its companies, including Facebook, have been collecting the sensitive health data of millions of patients without obtaining express consent and have used the information to serve individuals with targeted advertisements. Jane Doe was a patient of UCSF Medical Center and Dignity Health Medical Foundation and claims her sensitive health data was unlawfully obtained by Meta when she entered the information into the UCSF Medical Center online patient portal. UCSF Medical Center had added Meta Pixel code to the web pages of the patient portal. Meta Pixel is a snippet of JavaScript code that is used to track website visitors. The code records and transmits to Meta the web pages that a user visits. If the code is present on a web page with a form, such as those used to book appointments, the selections from drop-down boxes are recorded and transmitted....

Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers
Jul21

The U.S. Department of Justice has announced that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a security alert warning that North Korean hackers have been targeting the healthcare and public health sector in the United States using Maui ransomware since at least May 2021. The attacks have caused extensive disruption to IT systems and medical services and have put patient safety at risk. The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The attack was traced to a North Korean hacking group that is suspected of receiving backing from the state. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly...

The Methodist Hospitals, Inc. Settles Class Action Data Breach Lawsuit for $425,000
Jul21

The Methodist Hospitals Inc. has agreed to settle a class action lawsuit and has created a fund of $425,000 to cover claims from victims of a 2019 data breach that affected almost 70,000 current and former patients. The Gary, IN-based healthcare provider reported an email security incident to the HHS’ Office for Civil Rights on April 4, 2019, that resulted in the exposure and potential theft of the protected health information of 68,039 patients. The investigation confirmed hackers gained access to two employee email accounts between March 13, 2019, and July 8, 2019, following responses to phishing emails and potentially exfiltrated patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, Medicare/Medicaid numbers, usernames, passwords, treatment and diagnosis information, and payment card information. A lawsuit – Jones v. The Methodist Hospitals, Inc. – was filed in the Harris County District Court in Texas in the wake of the data breach that alleged The Methodist Hospitals was negligent for failing to adequately protect...

BJC Healthcare Settles Data Breach Lawsuit Stemming from 2020 Phishing Attack
Jul20

BJC HealthCare has agreed to settle a class action lawsuit to resolve claims it failed to adequately protect patient data from phishing attacks. The nonprofit St. Louis-based hospital system reported a breach of its email system to the HHS’ Office for Civil Rights on May 5, 2020, that affected 287,876 individuals. The investigation confirmed that three email accounts had been compromised in March 2020 as a result of responses to phishing emails. While data theft could not be determined, the affected email accounts contained the protected health information of patients of 19 of its hospitals, including names, birth dates, health insurance information, Social Security numbers, driver’s license numbers, and healthcare data. The lawsuit, filed in the Circuit Court of the City of St. Louis, State of Missouri, originally included 10 counts against the defendants and survived two motions to dismiss, with the lawsuit allowed to proceed on 8 of the 10 counts: unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, vicarious liability,...

Tenet Healthcare Sued Over Data Breach; San Francisco Settles Data Breach Lawsuit
Jul14

Tenet Healthcare and Baptist Health are facing a class action lawsuit over a recently reported data breach that affected 1.2 million patients. The breach was detected on April 20, 2022, with the forensic investigation confirming an unauthorized third party had accessed the IT networks of Baptist Medical Center or Resolute Health Hospital between March 31 and April 24, 2022, and removed files containing sensitive patient data. The information potentially compromised included names, addresses, Social Security numbers, health insurance information, medical information, and billing and claims data. Tenet Healthcare issued a public notification about the cyberattack and data breach on April 26, 2022, while the investigation into the breach was ongoing. Notifications were sent to affected individuals in mid-June, less than two months after the discovery of the cyberattack. Affected individuals were offered complimentary credit monitoring and identity theft protection services. The lawsuit was filed in Dallas County and names Texas resident Troy Contreras as the lead plaintiff. The...

Health Aid of Ohio Settles Class Action Data Breach Lawsuit
Jul11

Health Aid of Ohio has agreed to settle a class action lawsuit to resolve claims that it failed to protect the sensitive personal information of its customers. Health Aid of Ohio is a Parma, OH-based full-service home medical equipment provider. On February 19, 2021, Health Aid discovered hackers had gained access to its network and viewed and removed files containing sensitive customer information. The files contained information such as name, telephone number, Social Security number, date of birth, medical diagnosis, insurance information, and the type of equipment that was delivered or repaired. Notifications were issued to affected customers in May 2021. The data breach affected 141,149 individuals. A lawsuit was filed on behalf of affected individuals, which alleged Health Aid had failed to implement reasonable cybersecurity measures to ensure the confidentiality of customer data. The lawsuit alleged negligence, unjust enrichment, invasion of privacy, and other claims. Health Aid admitted no wrongdoing but decided to settle the lawsuit to resolve all claims related to the data...

Multiple Class Action Lawsuits Filed Against MCG Health Over Data Breach
Jun28

Multiple class action lawsuits have been filed against the Seattle-based Hearst Health subsidiary, MCG Health, over a data breach that has affected at least 10 healthcare organizations including Indiana University Health, Lenoir Health Care, Phelps Health, and Jefferson County Health Center. The data breach was reported to the HHS’ Office for Civil Rights on June 10 as affecting 793,283 individuals, but some affected healthcare organizations have self-reported the breach. The breach notification issued to the Maine Attorney General indicates the protected health information of up to 1.1 million patients was potentially obtained by an unauthorized third party in the attack. MCG Health said it discovered on May 25, 2022, that files had been removed from its systems that included names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and genders. Notification letters were sent to affected individuals on June 10, 2022, and 2 years of complimentary credit monitoring and identity theft protection services have been offered to...

University of Pittsburgh Medical Center Settles Data Breach Lawsuit for $450,000
Jun23

University of Pittsburgh Medical Center has agreed to settle a class action data breach lawsuit and will make $450,000 available to cover claims from individuals who have suffered losses due to the theft and misuse of their protected health information. The data breach affected approximately 36,000 patients and saw their protected health information accessed and stolen by an unauthorized third party between April 2020 and June 2020. The breach occurred at UPMC’s legal counsel, Charles J. Hilton PC (CJH), which provided billing-related services. The compromised data was stored within the firm’s email environment and included names, birth dates, Social Security numbers, financial information, ID numbers, signatures, insurance information, and medical information. The data breach was detected in June 2020; however, notifications were not sent to affected individuals until December 2020. While many speculative lawsuits are filed against healthcare organizations and their business associates over the exposure of patient data, in this case, the plaintiff was defrauded soon after the...

Meta Sued over the Scraping of Patient Data from Hospital Websites
Jun22

A lawsuit has been filed against Meta that alleges the social media giant has been knowingly collecting patient data from hospital websites via the Meta Pixel tracking tool, and in doing so has violated the privacy of millions of patients. The lawsuit was filed in the U.S. Northern District of California and alleges violations of state and federal laws related to the collection of patient data without consent. Last week, a report was released by The Markup/STAT on a study on the 100 top hospitals in the United States which found that one-third used the Meta Pixel tool on their websites. The Meta Pixel tool is a snippet of JavaScript code that is used to track visitor actions on websites, such as the forms they click and the options they select from dropdown menus. When the tool is included on healthcare providers’ websites, there is potential for the tool to transmit protected health information to Meta/Facebook, such as IP address, when a patient has scheduled an appointment and any information selected from menus, such as the medical condition that the appointment is about. The...

Bill Seeks to Ban Data Brokers from Selling Health and Location Data
Jun17

A new bill has been introduced by Sen. Elizabeth Warren (D-MA) that seeks to ban data brokers from selling the health and location data of Americans. The bill, the Health and Location Data Protection Act, was co-sponsored by Sens. Ron Wyden (D-OR), Chair of the Senate Finance Committee; Patty Murray (D-WA), Chair of the Senate Health, Education, Labor, and Pensions Committee; Sheldon Whitehouse (D-RI); and Bernie Sanders (I-VT), Chair of the Senate Budget Committee. “Data brokers profit from the location data of millions of people, posing serious risks to Americans everywhere by selling their most private information,” said Senator Warren. “With this extremist Supreme Court poised to overturn Roe v. Wade and states seeking to criminalize essential health care, it is more crucial than ever for Congress to protect consumers’ sensitive data.” Currently, data brokers are largely unregulated by federal law, yet they are collecting highly sensitive data from Americans, including their location. That information is gathered from a huge range of mobile apps and, in many cases, the data is...

San Diego Family Care Agrees to $1 Million Settlement to Resolve Class Action Data Breach Lawsuit
Jun16

San Diego Family Care, a Californian provider of medical, dental, and mental health services, has agreed to settle a class action lawsuit filed by patients affected by a data breach in 2020. The data breach that sparked the lawsuit was announced by the healthcare provider in May 2021 and was reported to the HHS’ Office for Civil Rights (OCR) as affecting 125,500 patients, although the total was later revised to 154,513 patients. The compromised data included names, Social Security numbers, government identification numbers, financial account numbers, dates of birth, medical diagnosis or treatment information, health insurance information, and client identification numbers. The security breach occurred in December 2020 at a technology provider and business associate, Netgain Technologies, and involved ransomware. Netgain Technologies reportedly paid a $2.3 million ransom for the keys to decrypt data and prevent any further disclosures of data. San Diego Family Care was one of several healthcare providers to have data compromised in the attack. After notifying the affected...

Class Action Lawsuit Filed Against Shields Health Care Group Over 2 Million-Record Data Breach
Jun15

A class action lawsuit has been filed against Shields Health Care Group over its recently announced 2 million-record data breach – the largest healthcare data breach to be reported so far this year by a single HIPAA-regulated entity. Shields Health Care Group is the largest provider of MRI imaging services in New England and operates more than 40 facilities in the region. On May 27, 2022, the Massachusetts-based medical imaging service provider reported the data breach to the HHS’ Office for Civil Rights and confirmed that an unauthorized actor had access to some of its IT systems from March 7 to March 21, 2022. During that time, files were exfiltrated from its systems that included protected health information (PHI) such as names, addresses, birth dates, Social Security numbers, diagnoses, billing information, insurance numbers, and medical or treatment information. A data breach of this scale is likely to see several lawsuits filed, with Keller Postman LLC and co-counsel Sweeney Merrigan Law LLP, and Finkelstein, Blankinship, Frei-Pearson, & Garber LLC the first to file....

Injured Workers Pharmacy Faces Class Action Lawsuit over Email Account Breach
Jun02

A class action lawsuit has been filed in the U.S. District Court for the District of Massachusetts by the law firm Morgan & Morgan against Injured Workers Pharmacy (IWP) over a breach of the personal information of 75,771 customers. IWP is an Andover, MA-based pharmacy that serves employees who were injured at work and receive workers’ compensation benefits. On May 11, 2021, IWP discovered several employee email accounts had been accessed by an unauthorized individual, and those email accounts contained sensitive information such as names, addresses, and Social Security numbers. The first email accounts were compromised in January 2021, which allowed unauthorized access to the information in the accounts for 4 months before the breach was detected and the accounts were secured. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 24 months. Plaintiffs Alexsis Webb and Marsclette Charley allege IWP failed to implement appropriate data security safeguards to ensure the privacy of their personal information and that of the...

New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing
May27

A class action lawsuit filed against NorthEast Radiology PC and Alliance HealthCare Services over a data breach that exposed the protected health information of more than 1.2 million individuals has been dismissed by a New York Federal Judge for lack of standing. The lawsuit was filed in July 2021 on behalf of plaintiffs Jose Aponte II and Lisa Rosenberg, whose protected health information was exposed as a result of a misconfiguration of the companies’ Picture Archiving Communication System (PACS), which contained medical images and associated patient data. In late 2019, security researchers identified the exposed data and notified the affected companies, which included Northeast Radiology and its vendor, Alliance HealthCare Services. According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million patients. Northeast Radiology reported the breach to the HHS’ Office for Civil Rights as affecting 298,532 individuals. The lawsuit alleged the defendants had implemented inadequate security safeguards to ensure the privacy of...

Solara Medical Supplies $9.76 Million Data Breach Settlement Gets Preliminary Approval
May19

A $9.76 million settlement proposed by Solara Medical Supplies to resolve a class action lawsuit related to a 2019 data breach has received preliminary approval from the court. Solara Medical Supplies, which provides products and services to help people manage their diabetes, was the victim of a phishing attack that saw employees’ Microsoft Office 365 email accounts accessed by unauthorized individuals between April 2, 2019, and June 20, 2019. The email accounts contained the protected health information of patients and sensitive employee information, including names, dates of birth, billing and claims information, health insurance information, medical information, financial account information and credit card numbers, Social Security numbers, driver’s license numbers, state ID numbers, and Medicare/Medicaid IDs. The breach was reported to the HHS’ Office for Civil Rights as affecting 114,007 individuals. Legal action was taken on behalf of the individuals affected by the breach, with the class including all individuals residing in the United States and its territories who were...

Update to Indiana Data Breach Notification Law Shortens Timeline for Notifications
May18

On July 1, 2022, updated data breach notification laws (HB 1351) will take effect in Indiana that require notifications to be issued within 45 days of the discovery of a breach of the personally identifiable information (PII) of Indiana residents. Currently, the data breach notification requirements are for notifications to be issued without unreasonable delay. The update has been made to ensure that individuals whose PII has been exposed are provided with timely notification. When PII has been exposed, individual notifications should still be issued without unreasonable delay. A reasonable delay would be when one of the following conditions applies:
1) It is necessary to delay notification to restore the integrity of computer systems
2) It is necessary to delay notification to discover the scope of the breach
3) There has been a request from the state attorney general or law enforcement to delay notifications to ensure criminal or civil investigations are not impeded, or notifications have the potential to jeopardize national security
In such cases, notifications should...

Class Action Lawsuits Filed Against Partnership Health Plan & Oregon Anesthesiology Group over Ransomware Attacks
May10

Class action lawsuits have recently been filed against Partnership Health Plan in Northern California and Oregon Anesthesiology Group in response to ransomware attacks and the theft of sensitive patient/plan member data.
Partnership Health Plan of California
Partnership HealthPlan of California (PHC) is a non-profit community-based healthcare organization that serves over 550,000 Medi-Cal beneficiaries in Northern California. In March 2022, PHC announced that it was working with third-party forensic specialists to restore the functionality of its systems following a cyberattack. The Hive ransomware group claimed responsibility for the attack and allegedly exfiltrated 400GB of data prior to encrypting files. Those files are alleged to contain the sensitive data of 850,000 individuals including names, dates of birth, addresses, and Social Security numbers. The ransomware gang claimed to have encrypted files on March 19, 2022, but removed the listing from its data leak site after a few days. Last week, the law firms Whatley Kallas of San Diego and Janssen Malloy of Eureka filed a...

Solara Medical Supplies Proposes $5 Million Settlement to Resolve Class Action Data Breach Lawsuit
Apr26

A preliminary settlement has recently been approved by a California Federal court to resolve a consolidated class action lawsuit against Solara Medical Supplies. Solara Medical Supplies is a Chula Vista, California-based direct-to-consumer provider of medical devices and disposable medical products and a registered pharmacy. On June 28, 2019, Solara Medical identified suspicious activity in an employee email account. The subsequent investigation confirmed unauthorized individuals had gained access to multiple Office 365 email accounts between April 2, 2019, and June 20, 2019, as a result of employees responding to phishing emails. The forensic investigation confirmed that the sensitive information of 114,007 of its customers had been exposed and potentially stolen, including names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and financial information. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months. Four class action lawsuits were filed on behalf of the...

SuperCare Health Sued Over 318,000-Record Data Breach
Apr15

A lawsuit has been filed against the in-home respiratory care provider, SuperCare Health, over a cyberattack and data breach that was reported to the Department of Health and Human Services on March 28, 2022. The incident involved the exposure and potential theft of the protected health information of 318,400 patients, including names, addresses, birth dates, patient account numbers, medical record numbers, health insurance information, and testing, diagnostic, treatment, and claims information. A subset of individuals also had their Social Security numbers and/or driver’s license numbers exposed. SuperCare Health said unauthorized individuals had access to its network between July 23, 2021, and July 27, 2021, but did not disclose the nature of the cyberattack. It took SuperCare Health until February 4, 2022, to determine that the files potentially accessed in the attack contained patients’ PHI. Notification letters were sent on March 25, 2022, and according to the notice provided to the California Attorney General, credit monitoring and identity theft protection services were offered to...

Increase in Class Action Lawsuits Following Healthcare Data Incidents
Apr12

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents involved data security incidents at healthcare organizations, which was the most targeted sector and resulted in cases of HIPAA violations.
Ransomware Attacks Increased in 2021
Ransomware attacks have continued to occur at elevated levels, accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020, and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year. 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2022. Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846), which is around two-thirds of the amount paid in 2020. Restoration of files took an...

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals
Apr07

The Department of Health and Human Services’ Office for Civil Rights has released a Request for Information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires that the HHS consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits. The aim of the HIPAA Safe Harbor Act is to encourage HIPAA-regulated entities to implement cybersecurity best practices. The reward for organizations that have followed industry-standard security best practices for the 12 months prior to a data breach occurring is lower financial penalties for data breaches and less scrutiny by the HHS. Another outstanding requirement, which dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments...

15-Month Jail Term for Woman Who Stole Over $200,000 Using Patient Data
Mar21

A woman has been sentenced to serve 15 months in federal prison for her role in a scheme to defraud patients of a Metairie, LA, medical clinic. In 2015, three individuals were arrested in connection with the scheme following an investigation by the Jefferson Parish Sheriff’s Office in New Orleans and the U.S. Postal Inspection Service. Brandon Livas, 37, and Royale Lassai, 32, of New Orleans, LA, both pled guilty to a one-count bill of information with Bank Larceny in July 2019 for their role in the scheme, and in August 2021, Ashley Green, 41, pled guilty to a one-count Bank Larceny Bill of Information. Green’s cousin, Lassai, was employed as a clerk at an unnamed Metairie, LA, medical clinic where she was provided with access to patient records to complete her work duties. Lassai accessed the medical records of patients without authorization and provided patient information such as names, dates of birth, addresses, and Social Security numbers to her cousin and her cousin’s then-boyfriend Livas. Lassai was reportedly paid with a $1,000 gift card and was provided with around $150...

Eastern Ozarks Regional Health Sued by Arkansas AG for Failure to Secure Patient Data
Mar18

Arkansas Attorney General Leslie Rutledge announced this week that legal action is being taken against Country Medical Services Inc., the former operator of Eastern Ozarks Regional Health System in Cherokee Village, and owners Robert Becht of Hartsville, TN, and Theresa Hanson of Deland, FL, for mishandling the sensitive personal and protected information of thousands of individuals. In December 2004, Eastern Ozarks Regional Health’s 40-bed hospital was permanently closed. Country Medical Services had run the hospital for 9 years; however, an investigation by the state Department of Health identified almost 3 dozen potential violations of the Emergency Medical Treatment and Labor Act, as the hospital was unable to provide emergency services. Rather than face the financial penalties, the hospital immediately terminated its hospital license in 2004. Six years later, the property was transferred to the state after the owners failed to pay their taxes. An inspection of the property by the office of the Attorney General identified boxes of files in the property that contained...

DOJ Settles Civil Cyber Fraud Initiative Case with CHS and Imposes a $930,000 Penalty
Mar 16

The U.S. Department of Justice (DOJ) has announced a settlement has been reached with the Cape Canaveral, FL-based healthcare services contractor, Comprehensive Health Services (CHS), to resolve alleged False Claims Act violations. This is the first settlement to be reached under the DOJ Civil Cyber Fraud Initiative, which was launched in 2021. The Civil Cyber Fraud Initiative was launched to pursue cases against government contractors that knowingly used deficient cybersecurity products and services which put information systems at risk, as well as failures to report cybersecurity incidents. CHS and its subsidiaries had contracts with the U.S. Department of State and the U.S. Air Force to operate medical services at U.S. military facilities in Afghanistan and Iraq. Two actions were filed under the whistleblower provisions of the False Claims Act that alleged CHS received payment for operating those medical facilities but failed to operate them in a manner consistent with U.S. standards. CHS was alleged to have failed to maintain appropriate staffing levels, allowed unqualified...

Logan Health Facing Class Action Lawsuit Over Data Breach
Mar 11

Legal action is being taken against Logan Health and subsidiary, sister, and related entities over a data breach that occurred in 2021 and affected 213,543 Logan Health Medical Center patients. The class action lawsuit was filed in the U.S. District Court for the District of Montana Great Falls Division by law firm Heenan & Cook on behalf of plaintiff Allison Smeltz and all similarly affected individuals over the alleged failure of the health system to protect the plaintiff’s and class members’ sensitive personal information. The data breach in question was reported by Logan Health in February 2022, with its investigation confirming unauthorized individuals had access to its system between November 18, 2021, and November 22, 2021. Hackers gained access to a single file server housing files that contained patients’ protected health information such as names, contact information, insurance claim information, date(s) of service, medical bill account number, and health insurance information. Logan Health said it had found no evidence of misuse of patient data, offered affected...

Sea Mar Community Health Centers Facing Class Action Lawsuit over 688,000-Record Data Breach
Feb 22

Seattle, WA-based Sea Mar Community Health Centers is facing a class action lawsuit over a cyberattack in which the protected health information of 688,000 individuals was compromised. The breach came to light in June 2021 when files stolen in the attack were posted on the Marketo dark web leak site. Databreaches.net spotted the leaked data on the Marketo data leak site in June 2021 and contacted Sea Mar. In October 2021, Sea Mar sent notification letters to affected individuals and explained that the hackers gained access to its network between December 2020 and March 2021 and exfiltrated sensitive data including names, addresses, Social Security numbers, dates of birth, and health information. The data breach was reported to the HHS’ Office for Civil Rights the same month as affecting 688,000 current and former patients. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months. According to Databreaches.net, the threat group behind the attack claimed to have stolen 3TB of data from Sea Mar. There may also have been a...

CaptureRx Proposes $4.75 Million Settlement to End Data Breach Litigation
Feb 15

CaptureRx has proposed a $4.75 million settlement to resolve claims related to a 2021 data breach that affected approximately 2.4 million patients of its healthcare provider clients. CaptureRx is a healthcare administrative service provider that helps hospitals manage their 340B drug discount programs. On February 6, 2021, CaptureRx discovered unauthorized individuals had gained access to its network and used ransomware to encrypt its files. On March 19, 2021, CaptureRx determined files containing patient data had been compromised, and affected clients started to be notified on March 30, 2021. CaptureRx publicly announced the data breach but did not initially disclose how many individuals had been affected. The breach was reported to the HHS’ Office for Civil Rights in May 2021 by CaptureRx as affecting 1,656,569 individuals, although several of its healthcare provider clients reported the breach themselves. Several class action lawsuits were proposed that alleged CaptureRx was negligent for failing to implement and maintain appropriate safeguards to protect patient data and other...

Inmediata Agrees to Settle Class Action Lawsuit for $1.125 Million
Feb 11

Inmediata, a provider of clearinghouse services and business process software, has agreed to settle a class action lawsuit filed by victims of its 2019 security breach that exposed the protected health information of more than 1.56 million individuals. In January 2019, Inmediata discovered a misconfiguration on its website resulted in internal web pages containing electronic protected health information (ePHI) being accessible over the Internet. The web pages were indexed by the search engines and could be found in the search engine listings. The exposed information was mostly limited to names, addresses, dates of birth, gender, and medical claim information. A small percentage of individuals also had their Social Security numbers exposed. When sending notification letters to affected individuals, errors were made by its mailing vendor that resulted in letters being sent to incorrect individuals. Some individuals reported receiving multiple notification letters, with some containing the names of other patients. The notification letters were sent in April 2019, three months after...

Federal Court Recommends Dismissal of PracticeFirst Data Breach Lawsuit
Feb 09

The U.S. District Court for the Western District of New York has recommended a class action lawsuit against Practicefirst Medical Management Solutions be dismissed. The lawsuit was filed on behalf of victims of a 2020 ransomware attack whose sensitive information was stolen in the attack. Practicefirst, an Amherst, New York-based medical management services provider, provides billing, credentialing, bookkeeping, coding, and compliance services to medical practices. On December 30, 2020, Practicefirst discovered unauthorized individuals had gained access to its network, exfiltrated sensitive data, then attempted to deploy ransomware. The files exfiltrated from its systems included names, addresses, email addresses, Social Security numbers, usernames and passwords, financial information, and healthcare information. PracticeFirst entered into negotiations with the ransomware gang and arranged for the return of the data and received confirmation that the stolen files had been destroyed and were not further disclosed. The breach was reported to regulators as affecting more than 1.2...

Can a Patient Sue for a HIPAA Violation?
Feb 07

Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules. So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws. In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information....

RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach
Feb 04

The Rhode Island Attorney General is investigating UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) over a cyberattack and data breach that resulted in hackers gaining access to RIPTA’s network that contained the sensitive personal and protected health information of up to 22,000 individuals. The Office of the Rhode Island Attorney General was notified about the security breach on December 23, 2021. RIPTA said it discovered and blocked a cyberattack on August 5, 2021, with its investigation confirming the hackers gained access to its network on August 3, 2021. Files stored on the compromised part of its network included extensive information on its employees, including names, dates of birth, Social Security numbers, and health plan ID numbers, along with the sensitive information of thousands of state employees who had never worked at RIPTA. RIPTA reported the breach to the HHS’ Office for Civil Rights as affecting 5,015 individuals but said in its breach notice that the incident had resulted in the exposure of the personal data of 17,378 individuals....

Memorial Health System Faces Class Action Lawsuit Over August 2021 Cyberattack
Jan 27

Marietta Area Health Care Inc., doing business as Memorial Health System, is facing a class action lawsuit over a cyberattack and data breach that was detected by Memorial Health System on August 14, 2021. The investigation into the attack confirmed the attackers first gained access to company servers on or around July 10, 2021, and installed malware on its systems. Unauthorized access remained possible until August 15, 2021. The breach notification letters state Memorial Health System learned on September 17, 2021, that the threat actor potentially accessed or acquired information from its systems. The review of the affected systems was completed on November 1, 2021, and affected individuals were notified on January 12, 2022, and were offered a 12-month complimentary membership to a credit monitoring service. The breach notice submitted to the Maine attorney general indicates the personal information of 216,478 individuals was potentially accessed by the attackers. The lawsuit was filed in the U.S. District Court of the Southern District of Ohio, Eastern Division against Marietta Area Health...

Settlement Reached in Excellus Class Action Data Breach Lawsuit
Jan 26

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015. The attack involved the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers. The cyberattack was detected on August 5, 2015, by a cybersecurity firm that was hired to assess Excellus’s information technology system. The subsequent investigation by Excellus and cybersecurity firm Mandiant determined hackers had first gained access to its systems on or before December 23, 2013. Evidence was found that indicated the hackers were active within its network until Aug. 18, 2014, after which no traces of activity were found; however, malware had been installed which gave the attackers access to its network until May 11, 2015. On that date, something happened that prevented the hackers from accessing its network. It took Excellus 17 months from the...

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach
Jan 25

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents. The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers,...

Mass General Brigham Settles ‘Cookies Without Consent’ Lawsuit for $18.4 Million
Jan 20

An $18.4 million settlement has been approved that resolves a class action lawsuit against Mass General Brigham over the use of cookies, pixels, website analytics tools, and associated technologies on several websites without first obtaining the consent of website visitors. The defendants in the case operate informational websites that provide information about the healthcare services they provide and the programs they operate. Those websites can be accessed by the general public and do not require visitors to register or create accounts. The lawsuit was filed against Partners Healthcare System, now Mass General Brigham, by two plaintiffs – John Doe and Jane Doe – who alleged the websites contained third-party analytics tools, cookies, and pixels that caused their web browsers to divulge information about their use of the Internet, and that the information was transferred and sold to third parties without their consent. While it is normal for websites to use third-party analytics tools like those on the defendants’ websites, the plaintiffs alleged they were not informed that...

Accellion Proposes $8.1 Million Settlement to Resolve Class Action FTA Data Breach Lawsuit
Jan 17

The Palo Alto, CA-based technology firm Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit filed on behalf of victims of the December 2020 cyberattack on the Accellion File Transfer Appliance (FTA). The Accellion FTA is a legacy solution that is used for securely transferring files that are too large to be sent via email. The Accellion FTA had been in use for more than 20 years and was at end-of-life, with support due to end on April 30, 2021. Accellion had developed a new platform, Kiteworks, and customers were encouraged to upgrade from the legacy solution; however, a significant number of entities were still using the FTA solution at the time of the cyberattack. In December 2020, two previously unknown Advanced Persistent Threat (APT) groups linked to FIN11 and the CLOP ransomware gang exploited unaddressed vulnerabilities in the Accellion FTA, gained access to the files of its clients, and exfiltrated a significant amount of data. Following the breach, four vulnerabilities associated with the breach were disclosed and issued CVEs....

EHR Vendor Facing Class Action Lawsuit Over 320,000-Record Data Breach
Jan 14

QRS, a Tennessee-based healthcare technology services company and EHR vendor, is facing a class action lawsuit over an August 2021 cyberattack in which the protected health information (PHI) of almost 320,000 patients was exposed and potentially stolen. The investigation into the data breach confirmed a hacker had gained access to one of its dedicated patient portal servers between August 23 and August 26, 2021, and viewed and possibly obtained files containing patients’ PHI. Sensitive data stored on the server included patients’ names, addresses, birth dates, usernames, medical information, and Social Security numbers. QRS started sending notification letters to affected individuals in late October and offered identity theft protection services to individuals who had their Social Security number exposed. On January 3, 2022, Matthew Tincher, a Frankfort, KY resident, filed a class action complaint in the U.S. District Court for the Eastern District of Tennessee against QRS. The lawsuit alleges QRS was negligent for failing to reasonably secure, monitor, and maintain the PHI...

BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach
Jan 07

A Florida specialty pharmacy is facing a class action lawsuit over an October 2021 cyberattack in which the personally identifiable information (PII) and protected health information (PHI) of up to 350,000 patients were stolen. Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services said a hacker had access to its network from October 25, 2021, until November 11, 2021, and during that time viewed files containing sensitive patient data. A computer forensics firm investigated the breach and confirmed patient data had been accessed. Since it was not possible to determine how many patients had been affected, the decision was taken to send notification letters to all 350,000 patients on or around December 10, 2021, one month after the breach was discovered. Data potentially compromised in the attack included names, contact information, dates of birth, medical record numbers, health insurance and claims information, diagnoses, prescription information, and Social Security numbers. Affected individuals were offered a 12-month subscription to credit monitoring services at no cost....

Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General
Jan 05

The Rhode Island Public Transit Authority (RIPTA) has recently notified the Department of Health and Human Services’ Office for Civil Rights about a data breach involving the protected health information (PHI) of 5,015 members of its group health plan. RIPTA explained in a breach notice on its website that the cyberattack was detected and blocked on August 5, 2021, and the forensic investigation determined hackers had access to its network from August 3, 2021. A comprehensive review of files on the compromised parts of its network identified files related to the RIPTA health plan, which were found to contain the names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information of health plan members. It was also confirmed that those files had been exfiltrated from its systems by the attackers. RIPTA sent notification letters to affected individuals on December 22, 2021, and offered a complimentary membership to Equifax’s identity monitoring services. RIPTA also explained in its website breach...

What is HIPAA Certification?
Jan 03

HIPAA certification has two meanings. It can either be a point in time accreditation demonstrating an organization has passed a HIPAA compliance audit, or a recognition that members of the organization’s workforce have achieved the level of HIPAA knowledge required to comply with the organization’s policies and procedures. Both are useful accreditations to have. There are two things organizations and their workforces should be aware of before undertaking a HIPAA certification program. There are no requirements in HIPAA for organizations and/or their workforces to certify compliance, and certification is not a “get out of jail free card” that will absolve negligent parties from HIPAA violations. So why get certified?

Why Get Certified as being HIPAA Compliant?

The first reason for getting certified is that, in order to achieve an accreditation, organizations will have to adopt best privacy practices and implement the administrative, technical, and physical safeguards of the HIPAA Security Rule. This in itself will reduce the likelihood of HIPAA violations and data breaches – leading...

HIPAA Enforcement by State Attorneys General
Dec 28

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney HIPAA cases...

Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures
Dec 27

The Chicago, IN-based certified public accounting firm Bansley & Kiener LLP is facing a class action lawsuit over a data breach that was reported to regulators this December. The breach in question occurred in the second half of 2020, with the investigation indicating hackers accessed its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener discovered the breach on December 10, 2020, when ransomware was used to encrypt files. Bansley & Kiener explained in its breach notification letters that it was confirmed on May 24, 2021, that the attackers had exfiltrated data from its systems prior to encrypting files. Bansley & Kiener manages payroll, health insurance, and pension plans for its clients. In total, the sensitive information of 274,000 individuals was exposed or compromised, including names, dates of birth, Social Security numbers, passport numbers, tax IDs, military IDs, driver’s license numbers, financial account information, payment card numbers, health information, and complaint claims. While the attack was detected in December 2020, it...

New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations
Dec 16

The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA). Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC. Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the scammers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details. In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the...

Planned Parenthood Los Angeles Facing Class Action Lawsuit Over October 2021 Ransomware Attack
Dec 14

Planned Parenthood Los Angeles (PPLA) is facing a class action lawsuit over a ransomware attack that was discovered on October 17, 2021. The cyberattack exposed the protected health information of more than 409,759 patients. In the notification letters sent to affected individuals on November 30, 2021, PPLA explained that its systems were breached on October 9, 2021, and the hackers had access to files containing PHI until October 17, when they were ejected from the network. The files on the affected systems contained names, addresses, birth dates, diagnoses, treatment, and prescription information, and some files were exfiltrated from its network prior to file encryption. PPLA said it has found no evidence to suggest patient data has been misused. A PPLA patient whose PHI was exposed in the data breach has taken legal action over the incident. The lawsuit was filed in the U.S. District Court of Central California and alleges the patient, and class members, have been placed at imminent risk of harm as a result of the theft of their sensitive health data, which included electronic...

Medical Biller Faces Decades in Jail for Healthcare Fraud, Identity Theft, and Tax Offenses
Dec 08

A medical biller in the Tampa Bay area of Florida has pleaded guilty to four counts of healthcare fraud, four counts of aggravated identity theft, two counts of failing to file a tax return, and one count of filing a false tax return. Joshua Maywalt, 40, of Tampa, worked as a medical biller at a Clearwater company that provided credentialing and medical billing services to a range of healthcare provider clients in Florida. In his capacity as a medical biller, Maywalt was able to access the company’s financial, medical provider, and patient information. Maywalt was assigned to a Tampa Bay area physician’s account and submitted claims to Florida Medicaid HMOs for services provided by that physician to recipients of Medicaid. Maywalt wrongfully accessed the company’s patient information and used the name and identification number of the physician to submit false and fraudulent claims to a Florida Medicaid HMO for services that Maywalt claimed were provided by the physician when they had not been. The “pay to” information on the claims for the fictitious medical services was changed to...

New Mexico Hospital Hit with Class Action Lawsuit over 2020 Data Breach
Dec 07

San Juan Regional Medical Center in Farmington, New Mexico is facing a class action lawsuit over a data breach that was announced in June 2021. The breach investigation confirmed an unauthorized individual gained access to its network and exfiltrated files containing sensitive patient data between September 7, 2020, and September 8, 2020. The data breach was initially reported to the HHS’ Office for Civil Rights as affecting 500 individuals, with San Juan Regional Medical Center saying at the time that at least 500 individuals had been affected. When the total number of individuals affected by a security breach is not known, breaches can be reported to OCR and the breach report updated when further information is known. The breach investigation later confirmed that the protected health information (PHI) of 68,792 individuals had potentially been stolen in the attack. While data theft was confirmed, the hospital has not uncovered any evidence to suggest any patient’s PHI has been misused and individuals whose Social Security number was compromised have been offered complimentary...

Patient Sues Eskenazi Health Over Ransomware Attack After Misuse of Her Data
Dec 02

An Eskenazi Health patient whose protected health information was stolen in an August 2021 ransomware attack is suing the healthcare provider over the data breach. It is now common for ransomware gangs to exfiltrate sensitive data prior to using ransomware to encrypt files. The stolen data is used to threaten victims to encourage payment of the ransom, as was the case in the Eskenazi Health ransomware attack. Indianapolis, IN-based Eskenazi Health discovered the attack in early August and immediately shut down its computer systems in an attempt to prevent further unauthorized access and contain the attack. The healthcare provider took the decision to divert ambulances and cancel certain appointments as a safety measure while its electronic medical record system was offline. The investigation into the breach determined its systems had first been compromised in May and files containing sensitive patient data had been exfiltrated from its systems. Notification letters started to be sent to affected patients in early November and patients were informed of the data theft and were...

Quest Diagnostics and Subsidiary Face Class Action Lawsuit Over Ransomware Attack
Dec 02

A lawsuit has been filed in the US District Court for the District of Massachusetts against Quest Diagnostics and its subsidiary, ReproSource Fertility Diagnostics, over an August 2021 ransomware attack that affected 350,000 patients. On October 8, 2021, ReproSource started sending notification letters to affected patients informing them that some of their protected health information had potentially been accessed or stolen prior to ransomware being used to encrypt files. The types of data stored on parts of its network that were accessible to the attackers included names, dates of birth, test results, medical histories, diagnosis codes, Social Security numbers, billing information, and other information. While breach notification letters were sent within the 60 days allowed by HIPAA, the lawsuit alleges Quest and ReproSource failed to issue timely notifications to patients, which violated Massachusetts law, and when the notification letters were issued – more than a month after the attack – they lacked important information about the breach, such as if the servers that...

HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations
Dec 01

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records. The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified. The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the...

Class Certification Order Lifted in Data Breach Lawsuit Against West Virginia University Health System
Nov26

A class action lawsuit filed against West Virginia University Health System over a breach of the protected health information of 7,445 patients has had the class certification order lifted by the Supreme Court of Appeals of West Virginia. The lawsuit is related to an insider data breach that occurred in 2016. Between March 2016 and January 2017, Angela Roberts, a former registration specialist at Berkeley Medical Center and Jefferson Medical Center, which are affiliated with West Virginia University Health System, accessed the medical records of 7,445 patients with a view to committing identity theft and fraud. When the unauthorized access was discovered, Roberts admitted she had accessed the medical records for work purposes, but also to steal patient data to provide to her boyfriend and co-defendant Ajarhi “Wayne” Roberts. When viewing the medical records for legitimate work purposes, Ms. Roberts determined whether there was enough information to allow her and her boyfriend to steal patients’ identities. If sufficient information was there, the information was stolen and provided...

DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information
Nov11

The United States Department of Justice (DoJ) has unsealed indictments charging two individuals for their roles in multiple REvil/Sodinokibi ransomware attacks on organizations in the United States. Ukrainian national Yaroslav Vasinskyi, 22, has been indicted on multiple charges related to the ransomware attacks, including the supply chain attack that saw Kaseya’s Virtual System Administrator (VSA) platform compromised. That attack involved ransomware being deployed on the systems of around 40 managed service providers and 1,500 downstream businesses. Russian national Yevgeniy Igoryevich Polyanin, 28, has been indicted for his role in multiple ransomware attacks, including attacks on government entities in Texas. The DoJ says it seized $6.1 million in ransom payments that were paid to cryptocurrency wallets linked to Polyanin. The DoJ has indicted several individuals believed to have been involved in cyberattacks in the United States; however, those individuals can only face trial if they are located, arrested, and extradited to the United States. Many ransomware threat...

Federal Judge Rules in Favor of UMMC in Legal Battle Over Theft of Patient Data
Oct29

A federal judge has ruled in favor of University of Mississippi Medical Center (UMMC) in an unauthorized access and data theft case against three former employees. UMMC took legal action against Dr. Spencer Sullivan and other former employees over the alleged theft and use of patients’ medical records. In July 2014, UMMC hired Dr. Sullivan as the medical director of its Hemophilia Treatment Center. When he joined UMMC, Dr. Sullivan signed a contract with a non-compete clause, which prevented him from using UMMC data to solicit patients for an independent practice. According to the lawsuit, in January 2016, Sullivan started making arrangements to open his own hemophilia clinic and pharmacy and conspired with other UMMC staff members – Linnea McMillan, Kathryn Sue Stevens, and Rachel Henderson Harris – to assist with setting up the new practice, which included compiling a list of UMMC patients. A patient list was created that included patient names, telephone numbers, dates of birth, diagnosis, prescription information, insurance information, and pharmacy information....

UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence
Oct21

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in prison. Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums. In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was disbursed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela. Three of...

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty
Oct14

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty. Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI). Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network which contained the PHI of 14,663 patients, 11,071 of which were New Jersey residents. As a HIPAA-covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access. Diamond Investigated for...

Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours
Oct11

A new bill has been introduced that, if passed, will require victims of ransomware attacks to disclose any payments made to the attackers to the Department of Homeland Security (DHS) within 48 hours of the ransom being paid. The Ransom Disclosure Act was introduced by Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) and aims to provide the DHS with the data it needs to investigate ransomware attacks and improve understanding of how cybercriminal enterprises operate, thus allowing the DHS to gain a much better picture of the ransomware threat facing the United States. Between 2019 and 2020 ransomware attacks increased by 62% worldwide, and by 158% in the United States. The Federal Bureau of Investigation (FBI) received 2,500 complaints about ransomware attacks in 2020, up 20% from the previous year and there were more than $29 million in reported losses to ransomware attacks in 2020. Not all ransomware attacks are reported. Many victims choose to quietly pay the attackers for the keys to decrypt their data and prevent the public disclosure of any data stolen in the...

Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach
Oct08

A lawsuit has been filed on behalf of a former patient of Northwestern Memorial HealthCare (NMHC) against Elekta Inc. over its April 2021 ransomware attack and data breach. Elekta, a Swedish provider of radiation therapy equipment and related data services, is a business associate of many U.S. healthcare providers. Hackers targeted the company’s cloud-based platform that is used to store and transmit healthcare data and were able to access the platform between April 2 and April 20, 2021. The breach was detected when the hackers deployed ransomware. Elekta reported the attack as affecting a small percentage of its cloud customers in the United States, including NMHC. The entire oncology database of NMHC was compromised in the attack. The database contained the protected health information of 201,197 cancer patients including names, dates of birth, Social Security numbers, and healthcare data. In total, the attack affected 170 of its healthcare clients. The lawsuit was filed in the U.S. District Court for the Northern District of Georgia on behalf of Deborah Harrington and...

Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death
Oct04

A medical malpractice lawsuit has been filed against an Alabama hospital alleging vital information that could have prevented the death of a baby was not available due to a ransomware attack and that the mother was not informed that patient care had been affected by the incident. Springhill Medical Center in Mobile, AL suffered a ransomware attack in 2019 which caused widespread encryption of files and a major IT system outage. Computer systems were taken offline for 8 days, during which time care continued to be provided to patients with staff operating under the hospital’s emergency protocol during the downtime. With no access to computer systems patient information was recorded on paper charts. Following the attack, Springhill Medical Center issued a statement about the incident and said it had no impact on patient care, “We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment.” During the system downtime, Teiranni Kidd arrived at the hospital to have her baby...

Healthcare Workers in Minnesota File Lawsuit Against Employers to Block Vaccine Mandate
Sep30

A lawsuit has been filed in U.S. District Court in Minnesota on behalf of 180 healthcare workers over the COVID-19 vaccine mandates of their employers. The plaintiffs, who have not been named in the lawsuit, claim vaccine mandates are a violation of religious freedom and state and federal laws. The lawsuit is one of several that challenge the legality of such mandates. Vaccines remain the most effective way to prevent the spread of COVID-19, stop individuals becoming seriously ill, and reduce the number of hospitalizations from the illness. The vaccines are safe and are backed up by data showing they are highly effective at preventing serious illness. The majority of individuals who are hospitalized and/or die from COVID-19 are unvaccinated. Many employers have opted to implement vaccine mandates and President Biden has announced a vaccine mandate covering 17 million healthcare workers at facilities that receive Medicare and Medicaid funding. Most hospitals have reported high levels of vaccination, with Mayo Clinic saying 98% of its physicians have been vaccinated, as have 87% of...

Class Action Lawsuits Filed Against San Diego Health Over Phishing Attack
Sep28

Multiple class action lawsuits have been filed against the Californian healthcare provider San Diego Health over a data breach involving the protected health information (PHI) of 496,949 patients. On March 12, 2021, San Diego Health identified suspicious activity in employee email accounts and launched an investigation. On April 8, 2021, it was determined multiple email accounts containing patients’ protected health information had been accessed by unauthorized individuals between December 2, 2020 and April 8, 2021. A review of the compromised email accounts confirmed them to contain protected health information such as names, addresses, dates of birth, email addresses, medical record numbers, government ID numbers, Social Security numbers, financial account numbers, and health information such as test results, diagnoses, and prescription information. HIPAA requires covered entities to issue notifications to affected individuals within 60 days of the discovery of a breach. San Diego Health published a substitute breach notice on its website on July 27, 2021 and started issuing...

Healthcare Organizations Face Legal and Technological Challenges Achieving CCPA Compliance
Sep22

Healthcare organizations that are required to comply with the California Consumer Privacy Act (CCPA) are facing challenges achieving compliance, according to a new study published in Health Policy and Technology (DOI: 10.1016/j.hlpt.2021.100543). The CCPA was signed into law on June 28, 2018 and took effect on January 1, 2020. The aim of the CCPA was to give California residents greater control over their personal data and how their information can be used. The CCPA gave California residents the right to be informed about the personal data that will be collected about them, whether their data may be sold or disclosed, to whom disclosures may be made, and to opt out of the sale of their personal data. They were also given the right to view the personal data held by a company covered by the CCPA, to request their personal data be deleted, and not to be discriminated against for exercising their rights under the CCPA. The researchers conducted the study to explore any potential challenges associated with CCPA compliance for healthcare organizations, which involved interviews with 19...

Class Action Lawsuit Filed Against St. Joseph’s/Candler over Ransomware Attack Affecting 1.4 Million Patients
Sep15

A class action lawsuit has been filed against St. Joseph’s/Candler Hospital Health System in response to a ransomware attack that occurred on June 17, 2021. The attack resulted in the encryption of files and forced the hospital’s IT systems offline. The systems accessed by the hackers contained the protected health information of 1.4 million patients, including names, Social Security numbers, driver’s license numbers, health insurance information, healthcare data, and financial information. St. Joseph’s/Candler offered affected patients a one-year membership to the Experian IdentityWorks credit monitoring and identity theft protection service. The investigation into the ransomware attack confirmed the hackers first accessed its network on December 18, 2020, 6 months prior to the ransomware being deployed. During that time the hackers had access to patient data stored on its systems. Georgia resident Daniel Elliott was one of the patients whose PHI was compromised in the attack. On August 28, 2021, the personal injury firm Harris Lowry Manton LLP filed a class action...

Patients Sue DuPage Medical Group over July 2021 Ransomware Attack
Sep14

Two DuPage Medical Group patients are taking legal action against the healthcare provider following a July 2021 ransomware attack in which patients’ protected health information was exposed. DuPage Medical Group suffered the ransomware attack in mid-July. The forensic investigation determined unauthorized individuals had gained access to its computer network between July 12 and July 13, and deployed ransomware in an attempt to extort money. The attack caused a major computer and phone outage that lasted around a week. On August 17, the forensic investigators confirmed hackers had gained access to parts of the computer network that contained the protected health information of 655,384 patients, and potentially viewed or obtained patient names, addresses, dates of birth, diagnosis codes, medical procedure codes, and treatment dates. Some Social Security numbers may also have been compromised. Notification letters started to be sent to affected patients in late August. At the time of issuing notifications, DuPage Medical Group said it was unaware of any actual or attempted misuse of...

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative
Sep13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019. Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year. The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making...

California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents
Aug25

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to send notifications to the HHS’ Office for Civil Rights (OCR) about data breaches and healthcare organizations are also required to comply with state data breach notification laws. Many states have introduced their own data privacy laws, which typically require notifications to be sent to appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified. Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health...

30 Month Jail Term for Texas Woman Who Stole and Sold Patients’ PHI
Jul30

The U.S. Department of Justice has announced a Texas woman has been sentenced by a federal court in the Eastern District of Texas to serve 30 months in federal prison for conspiring to obtain protected health information from a protected computer. Amanda Lowry, 40, of Sherman, TX, was a member of a fraud ring that used stolen protected health information to create fraudulent physician orders. The proceeds from the sale of the data were used to purchase a range of luxury items. Lowry, along with co-conspirators Demetrius Cervantes and Lydia Henslee, was named in a federal indictment on Sept. 11, 2019. The three defendants were charged with conspiracy to obtain information from a protected computer and conspiracy to unlawfully possess and use a means of identification. Lowry pleaded guilty to the charges on December 4, 2020. According to court documents, the defendants are alleged to have accessed a healthcare provider’s electronic health record system to steal the personal and protected health information of patients. The stolen data were repackaged as false and fraudulent...

Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case
Jul27

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance information, and health data. The breach in question was a phishing attack that was discovered on December 9, 2019. The investigation revealed unauthorized individuals gained access to the email accounts of several employees, with one of the email accounts compromised between December 6, 2019 and December 9, 2019, and the others compromised for several hours on December 9. The investigation did not uncover evidence of data theft or misuse of patient data, but it was not possible to rule out unauthorized access to protected health information (PHI) and the exfiltration of data. The PHI of up to 109,000 patients was contained in the compromised email accounts. Affected individuals were notified starting on February 4, 2020 and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing email...

CaptureRx Facing Multiple Class Action Lawsuits Over Ransomware Attack Involving PHI of 2.4 Million Patients
Jul23

The healthcare administrative services provider CaptureRx is facing multiple class action lawsuits for failing to protect patient data, which was obtained by unauthorized individuals in a February 2021 ransomware attack. NEC Networks, doing business as CaptureRx, provides IT services to hospitals to help them manage their 340B drug discount programs. Through the provision of those services, CaptureRx is provided with the protected health information of patients. Around February 6, 2021, CaptureRx identified suspicious activity in some of its IT systems, which included the encryption of files. The investigation confirmed that files containing the protected health information of 2,400,000 or more patients were compromised in the attack. CaptureRx said in its breach notification letters that, “all policies and procedures are being reviewed and enhanced and additional workforce training is being conducted to reduce the likelihood of a similar future event.” Affected individuals were advised to “remain vigilant against incidents of identity theft and fraud, to review account statements...

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case
Jul23

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected health information and the submission of fraudulent pandemic unemployment insurance claims. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic who would not, under normal circumstances, qualify for payments. In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims. The San Diego Sheriff’s...

UPMC Settles Employee Data Breach Lawsuit for $2.65 Million
Jul22

UPMC has proposed a $2.65 million settlement to resolve a data breach lawsuit filed by employees affected by a February 2014 data breach. Pittsburgh, PA-based UPMC announced the data breach in February 2014 and initially believed the attackers had only obtained the tax information of a few hundred of its employees; however, in April 2014, UPMC determined that the breach was far more extensive and had affected 27,000 of its 66,000 employees. In May 2014, UPMC confirmed that the personal data of all of its employees had likely been compromised. The data compromised in the attack included names and Social Security numbers, some of which were used by the attackers to file fraudulent tax returns. Four individuals involved in the cyberattack have been charged and pleaded guilty to tax fraud and identity theft charges. They attempted to obtain around $2.2 million in tax refunds and received $1.7 million from the IRS. Under the terms of the settlement, current and former employees whose personal information was compromised in the data breach will be able to submit claims for fraud-related...

Cyber Incident Notification Act of 2021 Introduced in the Senate
Jul22

In June, a bipartisan group of senators circulated a draft federal breach notification bill – the Cyber Incident Notification Act of 2021 – that requires all federal agencies, contractors, and organizations considered critical to U.S. national security to report data breaches and security incidents to the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery. On Wednesday this week, an amended bill was formally introduced in the Senate. The bill was introduced by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME). Another 12 senators across both parties have now added their names to the bill. The bill seeks to address some of the key issues that have come to light in the wake of recent cyberattacks that impacted U.S. critical infrastructure, including the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline. “The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the...

Ohio Personal Privacy Act Introduced to Improve Privacy Protections for Ohioans
Jul16

A comprehensive new privacy framework has been introduced in Ohio to better protect the privacy of Ohioans. The Ohio Personal Privacy Act aligns closely with recently introduced legislation in Virginia (CDPA) and gives Ohio residents a host of new rights over the personal data collected, stored, maintained, and transmitted by businesses. Similar to Virginia’s CDPA, the Ohio Personal Privacy Act has a narrow definition of consumers and does not cover individuals acting in a business capacity or employment context. Personal data covered by the Ohio Personal Privacy Act is classed as “any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose.” The Ohio Personal Privacy Act only applies to organizations that conduct business in the state of Ohio that meet one or more of the following criteria: Generates annual gross revenues in excess of $25 million; Controls or processes the personal data of 100,000 or more Ohio residents in a calendar year; Derives more than 50% of gross revenue from the sale of personal data and processes...

Colorado Privacy Act Passed and Signed into Law
Jul14

Colorado has joined California and Virginia in passing a comprehensive data privacy law to protect state residents. It has taken several amendments to get the Colorado Privacy Act over the line, but the Act was finally passed unanimously by the state Senate on June 8, 2021. On July 7, 2021, Colorado Governor Jared Polis signed the bill, which will take effect on July 1, 2023. The Colorado Privacy Act applies to all data controllers that conduct business in Colorado that control or process the personal data of 100,000 or more Colorado resident consumers in a calendar year or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado resident consumers. Exceptions include protected health information collected, processed, or stored by HIPAA-covered entities and their business associates, and any personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), data regulated by the Children’s Online Privacy Protection Act of 1998 (COPPA),...

Radiology Specialists Facing Class Action Lawsuit Over PACS Data Breach
Jul13

A class action lawsuit has been filed in the U.S. District Court for the Southern District of New York against a radiology company and its vendor. The radiology specialists are alleged to have failed to secure their Picture Archiving and Communication System (PACS), which contained the protected health information and medical images of patients. In 2019, security researchers identified vulnerabilities in the PACS used by hospitals, clinics, and radiology companies to share medical images and data. The researchers analyzed more than 2,300 medical images, which were found to contain sensitive patient data. Northeast Radiology and its vendor, Alliance HealthCare Services, were among the companies affected and were notified about the exposed data by the researchers in December 2019. Both companies used medical imaging archiving software that permitted unauthorized individuals to gain access to medical images and protected health information. The researchers identified 61 million X-rays, CT scans, and MRIs that had been exposed, which included protected health information such as names, test results, medical...

Texas Man Sentenced to 48 Months for Fraud Scheme Involving Theft of Electronic Health Records
Jul13

A Texas man has been sentenced to 48 months in prison after pleading guilty to one count of conspiracy to obtain information from a protected computer. Demetrius Cervantes of McKinney, TX, was one of three defendants indicted over the theft and misuse of protected health information. Prosecutors alleged the defendants unlawfully gained access to an unnamed healthcare provider’s EHR system, stole information, then repackaged that data to create false and fraudulent physician orders, which were sold to durable medical equipment providers and contractors. The defendants are alleged to have obtained $1.4 million from the sale of the data, which they subsequently used to purchase high value items such as vehicles and jet skis. “Today’s sentence sends the message that the theft of protected health information, the fabrication of physicians’ orders, and the sale of prescriptions will not be tolerated in the Eastern District of Texas,” said Acting U.S. Attorney Nicholas J. Ganjei. “This office will continue to pursue those who place profits over patients and...

Kroger Proposes $5 Million Settlement to Resolve Data Breach Lawsuits
Jul 09

The pharmacy and supermarket chain Kroger has proposed a $5 million settlement to resolve lawsuits filed by victims of a data breach that exposed their personal and protected health information. Kroger was one of many victims of a cyberattack on Accellion’s File Transfer Appliance (FTA) in December 2020. The Accellion FTA is a legacy solution used to transfer files too large to be sent via email. Hackers exploited several zero-day vulnerabilities in the solution and gained access to the data of more than 100 companies. While ransomware was not used, the attack was linked to the Clop ransomware gang, which threatened to publish the exfiltrated data. Individual companies were sent demands for payment to prevent the exposure of their stolen data. Kroger was notified about the breach on January 23, 2021 and received a ransom demand from the attackers on February 2. The FBI was notified, and Kroger paid the ransom on February 18, 2021. The attackers returned the stolen data the following day and provided a video demonstrating that the stolen data had been deleted. Approximately 1% of Kroger...

Federal Judge Allows Blackbaud Consolidated Class Action Data Breach Lawsuit to Proceed
Jul 08

Plaintiffs in a class action lawsuit against Blackbaud sufficiently demonstrated they have standing, and the lawsuit has survived Blackbaud’s motion to dismiss. Blackbaud is a publicly traded cloud software company with headquarters in Charleston, SC. Blackbaud provides data collection and maintenance solutions for administration, fundraising, marketing, and analytics to entities such as non-profit organizations, foundations, educational institutions, and healthcare organizations. In the course of providing its services, the company collects and stores personally identifiable information (PII) and Protected Health Information (PHI) from its customers’ donors, patients, students, and congregants. From February 7, 2020 to May 20, 2020, cybercriminals gained access to Blackbaud’s systems, exfiltrated data, and then used ransomware to encrypt files on Blackbaud’s systems. A ransom demand was then issued by the attackers and the attackers claimed they would provide the keys to decrypt data on Blackbaud’s systems and permanently delete the data they had exfiltrated if the ransom was...

Healthcare Workers File Lawsuit Alleging Amazon Alexa Devices Violated HIPAA
Jul 08

A class action lawsuit has been filed against Amazon by four healthcare workers who allege their Amazon Alexa devices may have recorded conversations without their intent that potentially included health information protected under HIPAA. Amazon Alexa devices listen for words that wake up the devices and trigger them to start recording. Specifically, the devices listen for the word “Alexa,” and will then attempt to answer a question that is asked. However, the plaintiffs claim that there are other words and phrases that will awaken the devices and trigger them to start recording when it is not intended by users of the devices. The lawsuit cites a study conducted at Northeastern University which showed the devices wake up and record in response to statements such as “I care about,” “I messed up,” and “I got something.” The study also found that the devices wake up and record in response to the words “head coach,” “pickle,” and “I’m sorry.” The plaintiffs allege “Amazon’s conduct in surreptitiously...

BJC HealthCare Email Data Breach Lawsuit Survives Motions to Dismiss
Jul 06

A class action lawsuit filed by two former patients against BJC HealthCare over a March 2020 email data breach has survived two motions to dismiss. Leaha Sweet and Bradley Dean Taylor took legal action against St. Louis-based BJC HealthCare in September 2020 after being notified that their protected health information had potentially been compromised in a data breach. BJC HealthCare had discovered the email accounts of three of its employees had been accessed by unauthorized individuals. The email accounts contained a range of sensitive patient data including Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, patient account numbers, and treatment and clinical information. The lawsuit listed 10 counts against the defendants: unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, invasion of privacy, vicarious liability, bailment, and violations of the Missouri Merchandising Practices Act (MMPA) and the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA). The...

Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit
Jul 05

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has agreed to settle a class action lawsuit filed by victims of a 2.96 million-record data breach discovered in 2019. The investigation into the data breach was completed on April 24, 2019. Dominion National determined unauthorized individuals gained access to its servers which contained the personal and protected health information of health plan customers. Initially, the breach was thought to have affected 122,000 health plan members, but further investigations showed the protected health information of 2,964,778 individuals had potentially been compromised. The investigation revealed the breach had started as early as August 25, 2010, with the types of data accessible including names, dates of birth, email addresses, member ID numbers, group numbers, subscriber numbers, and Social Security numbers. Individuals who enrolled online through the Dominion National website may also have had their bank account and routing number exposed. Providers were also affected...

No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation
Jun 28

The U.S. Court of Appeals for the Fourth Circuit has ruled that there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA) to address improper disclosures of protected health information; however, the ruling suggests there is potentially a cause of action under the 14th Amendment when an individual’s privacy is violated. The case, Payne v. Taslimi, named Christopher N. Payne as plaintiff and Jahal Taslimi as the defendant. Payne was a Deep Meadow Correctional Center inmate and Taslimi a prison doctor. Payne took legal action against Taslimi over an alleged improper disclosure of his confidential medical information. Payne alleged Taslimi had approached his bed and stated, in a voice loud enough for others to hear, that the plaintiff had not taken his HIV medication. Payne alleged staff members, other inmates, and civilians had heard the doctor. In the lawsuit, Payne claimed his medical records were confidential and his HIPAA rights had been violated at Deep Meadow Correctional Center by Taslimi, as well as his right to privacy under the...

Former Mayo Clinic Doctor Charged Over Improper Medical Record Access
Jun 28

In October 2020, Mayo Clinic announced a former employee was discovered to have impermissibly accessed the medical records of approximately 1,600 patients. According to a statement issued by the Mayo Clinic, the former employee viewed demographic information, date of birth, medical record number, clinical notes, and in some cases images. Mayo Clinic said its investigation uncovered no evidence to suggest any patient data was copied or retained. All affected patients were notified about the breach by mail. The employee in question was Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, who was a doctor at Mayo Clinic. Alsughayer ended his employment with Mayo Clinic in August 2020, around the time that the privacy violation was discovered. A criminal case has now been opened by the Olmsted County Attorney’s Office. Alsughayer has been charged with gross misdemeanor unauthorized computer access and has been scheduled to appear in court on July 8, 2021. The criminal case stems from allegations that Alsughayer had abused his access rights to view medical records when there was no...

Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation
Jun 25

A former Cedar Rapids hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information (PHI) of her ex-boyfriend. Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access those systems, she was only permitted to view patient information in order to complete her work duties. Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Between April and October 2017, Bacor used her login credentials on multiple occasions to access his medical records, covering care received from October 2013 to September 2017, when there was no legitimate work reason for doing so. Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed....

Scripps Health Facing Multiple Class Action Lawsuits over Ransomware Attack
Jun 24

San Diego-based Scripps Health is facing multiple class action lawsuits over an April 29, 2021 ransomware attack that affected 147,267 individuals. The attack forced the 5-hospital healthcare system to take systems offline while the attack was remediated, including its patient portal. While care continued to be provided, some patients were diverted to other facilities as a precaution. The investigation into the breach confirmed that prior to the deployment of ransomware the attacker exfiltrated documents that contained patients’ protected health information. Information compromised in the attack included names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and/or clinical information, such as physician name, dates of service, and/or treatment information. A lawsuit was filed on June 1 in the San Diego County Superior Court that named Kenneth Garcia as plaintiff. The lawsuit, which seeks class action status, alleges Scripps Health was negligent for failing to prevent the theft of protected health information, which was...

Connecticut Legislature Enhances Data Breach Notification Law
Jun 17

The Connecticut legislature has enhanced its data breach notification law, expanding the definition of personal information and shortening the maximum time frame for issuing breach notifications. The new law brings the data breach notification requirements in the state of Connecticut in line with those of other states that have recently updated their own privacy and security laws. The new data breach notification law was unanimously passed by the House of Representatives and the Senate and now awaits state Governor Ned Lamont’s signature. “Connecticut has led the nation in data privacy for over a decade, and this legislation ensures that we will continue to do so. Since we passed one of our nation’s first laws protecting consumers from online data breaches, technology and risks have evolved,” said Attorney General William Tong. “This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents.” Previously, notification letters were only required for breaches of an individual’s first name or initial...

Houston Hospital Workers’ Lawsuit over Vaccine Mandate Dismissed by Federal Judge
Jun 14

Many U.S. employers have implemented a policy that requires their workers to be vaccinated against COVID-19, including several major healthcare systems and hospitals. These policies are in line with the guidance issued by the U.S. Equal Employment Opportunity Commission last month, which confirmed that U.S. employers are within their rights to require their employees to be vaccinated, with certain exceptions such as on medical or religious grounds. Houston Methodist Hospital in Texas introduced its vaccine mandate to ensure patients were protected against COVID-19 and set a June 7, 2021 deadline for employees to be vaccinated. While the majority of workers at Houston Methodist Hospital have been or have agreed to be vaccinated against COVID-19, on Monday, June 7, a walkout was staged by a small minority of workers over the vaccine requirements. On Tuesday, the hospital took the decision to suspend 178 workers without pay over their refusal to be inoculated. A lawsuit was brought by 117 of those workers, with lead plaintiff Jennifer Bridges claiming that if she is dismissed for...

IT Security Company COO Charged with Cyberattack on Georgia Medical Center
Jun 14

The Chief Operating Officer of an IT security firm has been charged over a financially motivated cyberattack on Gwinnett Medical Center in Lawrenceville, GA in September 2018. Vikas Singla, 45, of Marietta, GA is the COO of Securolytics, a network security company in the metro-Atlanta region. On June 8, 2021, Singla was indicted by a federal grand jury for allegedly accessing the systems of the healthcare provider, disrupting its phone and network printer services, and stealing information from a Hologic R2 digitizing device. According to the Department of Justice, the attack was conducted, in part, for financial gain and commercial advantage. According to court documents at least 10 protected computers were damaged in the attack. It is unclear whether Singla, or his IT company, had any previous business relationship with Gwinnett Medical Center and why the medical center was targeted. Singla was arraigned in the U.S. District Court for the Northern District of Georgia on June 10, 2021 and was charged with 17 counts of causing intentional damage to a protected computer and one...

Texas Legislature Passes Bill Calling for State AG to Establish Data Breach ‘Wall of Shame’
Jun 10

The Texas Legislature has followed in the footsteps of California and Maine and has passed a bill that requires the Texas Attorney General to publish notices of breaches of personal data that affect state residents on the state Attorney General’s public-facing website. House Bill 3746, which was unanimously passed, amends the Texas Business and Commerce Code § 521.053 and calls for the Texas Attorney General to publish notifications of data breaches that have affected 250 or more Texas residents and to update the website to include the notification within 30 days of the notification being received. Once a company has been listed on the website, the listing must remain in place for 12 months. The listing will be removed provided the individual or company has not suffered any further data breaches affecting 250 or more Texas residents during that 12-month period. Texas law requires notifications of breaches of system security to be sent to the state Attorney General within 60 days of the breach being discovered. The breach notices must include a detailed description of the nature of...

Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach
Jun 10

The Louisville, KY-based health insurance and healthcare provider Humana and its business associate Cotiviti are facing legal action over a data breach discovered in late December 2020. On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky over the mishandling of Humana insurance plan members’ medical records. Humana had contracted with Cotiviti to handle medical records requests to send to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted some of the work to Visionary Medical Systems Inc. According to the lawsuit, an employee of Visionary Medical Systems uploaded the private and confidential medical records of Humana members to a personal Google Drive account in order to provide medical coding training as part of a “personal coding business endeavor.” The medical records were copied to the Google Drive account between October 12 and December 16, 2020, and that account was publicly accessible. The actions of the employee violated HIPAA and the terms of the business associate agreement. Visionary...

Settlement to Resolve Nebraska Medicine Data Breach Lawsuit Receives Preliminary Approval
Jun 09

In September 2020, Nebraska Medicine and the University of Nebraska Medical Center discovered their systems had been hacked and malware had been installed on their network that gave hackers access to the protected health information of up to 219,000 individuals. The attack forced Nebraska Medicine to shut down its systems, causing disruption to operations. Hackers first gained access to Nebraska Medicine’s systems on Aug 27, 2020 and had access to its systems and patient data for 24 days. Access was terminated by Nebraska Medicine on Sept. 20, 2020. During that time, the lawsuit alleged, patient data was exfiltrated by the attackers. The breach affected patients of Nebraska Medicine, Faith Regional Health Services, Great Plains Health, and Mary Lanning Healthcare. On February 24, 2021, a class action lawsuit was filed against Nebraska Medicine in the Nebraska U.S. District Court by two patients alleging Nebraska Medicine was negligent for failing to maintain an adequate data security system to reduce the risk of cyberattacks and data breaches. The plaintiffs sought damages,...

Michigan Man Pleads Guilty to Theft and Sale of PII of UPMC Employees
May 26

A Michigan man has pleaded guilty to hacking into University of Pittsburgh Medical Center human resources databases in 2013 and 2014 and stealing the personally identifiable information (PII) and W-2 data of 65,000 UPMC employees. Justin Sean Johnson, 30, of Detroit, MI, was a Federal Emergency Management Agency (FEMA) IT specialist known on darknet forums as The DearthStar and Dearthy Star. Six years after hacking the databases and selling the stolen data, Johnson was indicted by a federal grand jury in Pittsburgh and was arrested and charged with conspiracy, wire fraud, and aggravated identity theft. Johnson initially hacked the Oracle PeopleSoft HR database of UPMC in December 2013 and accessed the PII of 23,500 UPMC employees. Between January 2014 and February 2014, Johnson accessed the databases multiple times each day and exfiltrated PII. Johnson then sold the stolen data on darknet marketplaces such as AlphaBay to criminals who used the data in 2014 to file hundreds of fraudulent 1040 tax returns. According to a Department of Justice press release, the scheme resulted in...

UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled
May 19

A lawsuit filed against Universal Health Services (UHS) following a 2020 data breach has been allowed to proceed; however, only for one of the patients named on the lawsuit. UHS operates around 400 hospitals and care centers in the United States and the United Kingdom. In September 2020, UHS suffered a ransomware attack in which sensitive data was exfiltrated. The Ryuk ransomware gang threatened to release the stolen data on a leak site if the ransom was not paid, although the UHS investigation found no evidence of any data misuse. The attack affected all 400 UHS care sites and caused significant disruption, with IT systems finally being brought back online a month after the attack. UHS was forced to postpone some scheduled appointments as a result of the attack. A lawsuit was filed in the U.S. District Court, Eastern District of Pennsylvania by the law firm Morgan & Morgan naming three patients as plaintiffs – Graham v. Universal Health Service Inc. The lawsuit alleged negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence. Two of the...

Pennsylvania Department of Health and Insight Global Sued over 72,000-Record Data Breach
May 11

The Pennsylvania Department of Health and its COVID-19 contact tracing vendor are being sued over a breach of the personal and health data of 72,000 Pennsylvanians. The breach in question was announced by Insight Global and the Department of Health on April 29, 2021. Insight Global, an IT service management and staffing firm, had been awarded the contract for the state’s contact tracing program and had been given access to personal and health data to provide those services. The information was used to contact individuals potentially exposed to COVID-19 to identify and address the need for specific support services and to help slow the spread of COVID-19. Insight Global had implemented secure communication channels for its contact tracers and had security protocols in place, but it was discovered that some employees had “disregarded security protocols established in the contract and created unauthorized documents.” Those documents, including spreadsheets, had been shared between contact tracers using personal email accounts and consumer versions of cloud services such as Google...

Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack
Apr 29

The Philadelphia-based health system, Einstein Healthcare Network, is facing a class action lawsuit over an August 2020 phishing attack that resulted in multiple employee email accounts being accessed by an unauthorized individual. Einstein Healthcare is a non-profit health system that operates four hospitals – Einstein Medical Center Philadelphia, Elkins Park Hospital, MossRehab in Elkins Park, and Einstein Medical Center Montgomery – and multiple outpatient and primary care clinics throughout the greater Philadelphia area. The investigation into the breach determined the email accounts were subjected to unauthorized access for 12 days between August 5 and August 17, 2020. A review of the compromised email accounts revealed they contained the protected health information of 353,616 patients, including names, dates of birth, account/medical record numbers, medical information such as diagnosis and treatment information and, for some individuals, Social Security numbers and health insurance information. Patients affected by the breach were notified by mail starting October...

NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities
Apr 16

Tension is growing between Russia and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR). The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks. The NSA, CISA, and the FBI have previously shared mitigations that can be...

Adventist Health Physicians Network Fined $40,000 for Privacy Breach
Apr 12

Adventist Health Physicians Network in Simi Valley, California has been ordered to pay $40,000 in civil monetary penalties by the Ventura County District Attorney as part of a civil privacy settlement to resolve a patient privacy case that affected 3,797 patients. The privacy breach occurred in 2018 and involved an impermissible disclosure of physical documents containing private and confidential medical data. The Simi Valley hospital had used a storage facility in Simi Valley for storing physical patient records; however, when payments to the storage facility stopped, the hospital lost access to the storage unit and its contents were put up for sale at a public auction in October 2018. The individual who bought the contents of the storage unit at the auction discovered boxes of paperwork in the unit that contained the sensitive medical data of patients of Adventist Health. The hospital was notified, and the files were promptly collected and secured. Adventist Health conducted an investigation into the incident and was satisfied that none of the information in the storage unit...

Roper St. Francis Healthcare Faces Class Action Lawsuit Over Data Breach
Apr 06

Roper St. Francis Healthcare is facing a class action lawsuit over an October 2020 data breach in which patient data was allegedly stolen. The lawsuit alleges negligence for the failure to protect the private data of its patients. Between October 14 and 29, 2020, unauthorized individuals gained access to the email accounts of three of its employees. Those accounts contained the protected health information of around 190,000 patients. PHI in the compromised email accounts included financial and medical information. This was far from the only data breach to have affected Roper St. Francis Healthcare in the past 18 months. Prior to the October 2020 phishing attack, Roper St. Francis reported two data breaches in September 2020, one of which was a phishing attack that affected 6,000 individuals and the other a ransomware attack on its vendor Blackbaud, which affected around 92,963 Roper St. Francis patients. Prior to those breaches, a breach was reported on January 29, 2020 as affecting 35,253 individuals. According to the lawsuit, “At all relevant times, Roper knew the data it stored...

SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach
Mar 26

SalusCare, a provider of behavioral healthcare services in Southwest Florida, experienced a cyberattack in March that saw patient and employee data exfiltrated from its systems. The exact method used to gain access to its servers has not been confirmed, although the cyberattack is believed to have started with a phishing email that was used to deliver malware. The malware was used to exfiltrate its entire database to an Amazon AWS storage account. The attack occurred on March 16, 2021 and the investigation into the breach established that the attacker, an individual who appeared to be based in Ukraine, gained access to its Microsoft 365 environment, downloaded sensitive data, and uploaded the stolen data to two Amazon S3 storage buckets. Amazon was notified about the illegal activity and suspended access to the S3 buckets to stop the attacker from accessing the stolen data. SalusCare requested access to the audit logs, which it requires to continue to investigate the breach and determine exactly what data was stolen. SalusCare also wants to make sure that the suspension is...

Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access
Mar 24

The former CEO of Novus and Optimum Health Services, which operates two hospices in Texas, has pleaded guilty in a fraud case that saw Medicare and Medicaid defrauded out of tens of millions of dollars through the submission of falsified health care claims. Prerak Shah, Acting U.S. Attorney for the Northern District of Texas, recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and healthcare fraud and is now awaiting sentencing. In addition to defrauding federal healthcare programs out of tens of millions of dollars, the actions of Harris resulted in vulnerable patients being denied the medical oversight they deserved, saw prescriptions for pain medication written without physician input for his financial benefit, and allowed terminally ill patients to go unexamined. Harris admitted billing Medicare and Medicaid for hospice services between 2012 and 2016 that were not provided, were not directed by a medical professional, or were provided to individuals who were not eligible for hospice services. Harris also admitted to using blank,...

UPMC and Charles Hilton and Associates Facing Class Action Lawsuit Over 36,000-Record Breach
Mar 23

University of Pittsburgh Medical Center (UPMC) and the law firm Charles Hilton and Associates are facing a class action lawsuit over a breach of the protected health information of 36,000 UPMC patients. Charles Hilton and Associates, which handles collections for UPMC, announced that hackers had gained access to the email accounts of some of its employees between April and June 2020. The investigation revealed the compromised accounts contained the protected health information of UPMC patients, some of which was potentially viewed or obtained by the attackers. The accounts contained a wide range of data including names, dates of birth, Social Security numbers, bank account information, driver’s licenses, health insurance information, and state ID card numbers. UPMC stated in its breach notice that no reports had been received to suggest information in the compromised accounts had been misused; however, the lawsuit alleges the plaintiffs’ personal and protected health information was obtained and used to open accounts in their names. Lead plaintiff, Vince Ranalli, received a letter...

Verkada Surveillance Camera Hacker Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft
Mar 22

The Swiss hacktivist who gained access to the security cameras of the California startup Verkada in March 2021 has been indicted by the US government for computer crimes from 2019 to the present, including accessing and publicly disclosing source code and proprietary data of corporate and government victims in the United States and beyond. Till Kottmann, 21, aka 'tillie crimew' and 'deletescape', resides in Lucerne, Switzerland and is a member of a hacking collective self-named APT 69420 / Arson Cats. Most recently, Kottmann admitted accessing the Verkada surveillance cameras used by many large enterprises, including Tesla, Okta, Cloudflare, and Nissan, as well as schools, correctional facilities, and hospitals. Live surveillance camera streams and archived footage were accessed between March 7 and March 9, 2021, and screenshots and videos from them were published online. Ethical hackers often exploit vulnerabilities and gain access to systems, and their efforts often result in vulnerabilities being addressed before they can be exploited by bad actors. The vulnerabilities are reported to the...

More Health Insurers Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed
Mar19

The number of healthcare organizations that have announced they were affected by the attack on Accellion continues to grow, with two of the latest victims being Trillium Community Health Plan and Arizona Complete Health. In late December, unauthorized individuals exploited zero-day vulnerabilities in Accellion's legacy File Transfer Appliance platform and stole data belonging to its customers; the stolen data was then used for extortion by the CLOP ransomware gang. Trillium Community Health Plan recently notified 50,000 of its members that protected health information such as names, addresses, dates of birth, health insurance ID numbers, and diagnosis and treatment information was obtained by the individuals behind the attack, and that the data was posted online between January 7 and January 25, 2021. Trillium said it has now stopped using Accellion, has removed all data files from its systems, and has taken steps to reduce the risk of future attacks, including reviewing its data sharing processes. Trillium is offering affected members complimentary credit monitoring and identity theft protection services for 12 months. Arizona...

NY Nurse Pleads Guilty to Tampering with a Consumer Product in HIPAA Case
Mar15

A former Roswell Park Comprehensive Cancer Center nurse has pleaded guilty to tampering with a consumer product in a case involving fraud and HIPAA violations. In 2018, 6 patients of Roswell Park Comprehensive Cancer Center contracted a Sphingomonas paucimobilis bloodstream infection within the space of a few weeks. An investigation found syringes of hydromorphone had been contaminated with the bacteria. The cancer center suspected a nurse had removed some of the medication and replaced it with an equal volume of water. Kelsey Mulvey, 28, of Grand Island, NY, was placed on administrative leave in June 2018 after it was discovered she had stolen pain medication, and she resigned from her position at the cancer center in July 2018. The appropriate authorities were notified, including the New York State Department of Health, the NYS Department of Education, the Bureau of Narcotic Enforcement, and the U.S. Drug Enforcement Administration, and in July 2019 Mulvey was charged by the U.S. Attorney's Office with tampering with a consumer product, acquiring controlled substances by fraud, and...

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation
Mar12

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of at least 21 million Americans. Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities. From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019. AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for...

FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Data Without Consent
Mar09

On March 4, 2021, Senator Robert Menendez (D-New Jersey) and Reps. Bonnie Watson Coleman (D-New Jersey) and Mikie Sherrill (D-New Jersey) wrote a letter urging the Federal Trade Commission (FTC) to start enforcing the Health Breach Notification Rule. The FTC has a mandate to protect Americans from bad actors that betray consumer trust and misuse consumers' healthcare data, and it has the authority to take enforcement action, but it has not been enforcing compliance with the Health Breach Notification Rule. The Health Breach Notification Rule was introduced as part of the American Recovery and Reinvestment Act of 2009 and requires vendors of personal health records, PHR-related entities, and third-party service providers to inform consumers about unauthorized disclosures of personal health information. The Health Breach Notification Rule applies to entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) and has provisions similar to those of the HIPAA Breach Notification Rule. While the HHS' Office for Civil Rights has enforced compliance with...

Arizona High Court Revives Privacy Lawsuit Stemming from Pharmacy ED Medication Disclosure
Mar09

This week, the Arizona Supreme Court revived a privacy lawsuit filed by a Phoenix man over a privacy violation by a pharmacy employee involving an erectile dysfunction medication prescription. Greg Shepherd, 50, had visited his doctor for a routine medical appointment in January 2016, and his doctor gave him an erectile dysfunction medication sample. He later received a call from the Costco pharmacy and was told that the full prescription for the ED medication was available to collect. Shepherd explained that he did not want the medication and cancelled the prescription. Shepherd called the pharmacy a month later to check whether an unrelated prescription was ready to collect, and the pharmacy again informed him that his ED prescription was still waiting to be collected. Shepherd declined the medication a second time and again asked the pharmacy to cancel the prescription. Shepherd, who had been trying to reconcile with his ex-wife, authorized her to collect an unrelated, regular prescription refill from the pharmacy. When she visited the pharmacy, the...

Virginia Consumer Data Protection Act Signed into Law
Mar08

The Virginia Consumer Data Protection Act (CDPA) has been signed into law by Governor Ralph Northam. The CDPA requires persons conducting business in the Commonwealth of Virginia to comply with new data privacy and security requirements. The CDPA takes effect on January 1, 2023. The CDPA mirrors some of the privacy and security provisions of the EU's General Data Protection Regulation (GDPR), which took effect on May 25, 2018, and the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. While there are similarities with the GDPR and the CCPA, there are also differences, so compliance with either the CCPA or the GDPR does not guarantee compliance with the CDPA. Like the CCPA, the CDPA only applies to organizations that control or process significant amounts of consumer data, with the data threshold twice as high as the CCPA's, although there is no minimum revenue threshold in the CDPA. The CDPA applies to any person or business that: controls or processes the personal data of 100,000 or more Virginia residents in a calendar year; or controls or processes the data of...

Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months
Feb24

A Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA Rules has been sentenced to 6 months in jail and fined $1,200. In October 2019, Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower and alerted the authorities about serious privacy violations by a nurse at a Savannah, GA hospital, including emailing graphic pictures of traumatic injuries of hospital patients internally and externally. According to court documents, Parker “engaged in an intricate scheme” to frame a former acquaintance for violations of the Federal Health Insurance Portability and Accountability Act’s Privacy Rule. To back up the fake claims, Parker created multiple email accounts in the names of real patients and used those accounts to send false accusations of privacy violations. Emails were sent to the hospital where the nurse worked, the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ). Parker also alleged that he had been threatened for his actions as a whistleblower and law enforcement took steps to ensure his...

Wilmington Surgical Associates Facing Class Action Lawsuit Over Netwalker Ransomware Attack
Feb19

Wilmington Surgical Associates in North Carolina is facing a class action lawsuit over a Netwalker ransomware attack and data breach that occurred in October 2020. As is now common in ransomware attacks, files were exfiltrated prior to the deployment of the ransomware. In this case, the Netwalker ransomware gang stole 13GB of data from two of Wilmington Surgical Associates' servers that were used for administrative purposes. Some of the stolen data was published on the threat actors' data leak site, where it could be accessed by anyone. The leaked data was spread across thousands of files and included financial information related to the practice, employee information, and patient data such as photographs, scanned documents, lab test results, Social Security numbers, health insurance information, and other sensitive patient information. Wilmington Surgical Associates sent notifications to affected individuals in December 2020 and reported the data breach to the HHS' Office for Civil Rights on December 17, 2020 as affecting 114,834 patients. The lawsuit – Jewett et al. v. Wilmington...

21st Century Oncology Data Breach Settlement Receives Preliminary Approval
Feb16

A settlement proposed by 21st Century Oncology to resolve a November 2020 class action lawsuit has received preliminary approval from the court. The class action lawsuit was filed in District Court for the Middle District of Florida on behalf of victims of a 2015 cyberattack that potentially affected 2.2 million individuals. 21st Century Oncology was notified about a breach of its systems by the Federal Bureau of Investigation on November 13, 2015. An unauthorized individual had gained access to its network and may have accessed or obtained one of its databases on October 3, 2015. The database contained patients’ names, diagnoses, treatment information, Social Security numbers, and insurance information. Notifications to affected individuals were delayed at the request of the FBI so as not to interfere with the investigation. Patients affected by the breach started to be notified in March 2016. The Department of Health and Human Services’ Office for Civil Rights launched an investigation into the breach and found potential HIPAA violations. 21st Century Oncology settled the case in...

Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack
Feb09

US Fertility is facing a class action lawsuit over a September 2020 ransomware attack and data breach that affected 878,550 individuals. US Fertility provides IT platforms and administrative, clinical, and business information services, and is one of the largest providers of support services to infertility clinics in the United States. On September 14, 2020, US Fertility discovered ransomware had been used to encrypt files on its network. The investigation revealed the threat actors behind the attack exfiltrated files between August 12 and September 14, 2020, some of which contained protected health information. The types of data obtained by the hackers included names, addresses, dates of birth, driver’s license and state ID numbers, passport numbers, medical treatment/diagnosis information, medical record information, health insurance and claims information, credit and debit card information, and financial account information. The class action lawsuit, brought by Plaintiffs Alec Vinsant and Marla Vinsant, alleges US Fertility failed to implement adequate data security measures...

Hospital Researchers Jailed for Stealing and Selling Research Data to China
Feb04

A woman who worked in a medical research lab at the Nationwide Children’s Hospital in Columbus, OH has been jailed for stealing sensitive research data and selling the information to the People’s Republic of China. Li Chen, 47, and her husband Yu Zhou, 50, were both employed as medical researchers and worked in separate labs at the hospital’s Research Institute for more than 10 years. The former Dublin, OH residents were arrested in California in July 2019 and were subsequently charged over the alleged theft of cutting-edge scientific research. Zhou was working on a novel technique that allowed exosomes to be isolated from small quantities of blood. Exosomes are used in the research, identification, and treatment of several medical conditions, such as necrotizing enterocolitis. The novel exosome isolation method was a vital process in the research into necrotizing enterocolitis, as the condition affects premature babies and only small blood samples can be taken safely. The couple set up a company in China, stole at least five trade secrets related to exosome isolation, and...

Brandywine Urology Consultants Data Breach Lawsuit Dismissed Due to Lack of Harm
Feb03

A lawsuit filed on behalf of victims of a Brandywine Urology Consultants data breach has been dismissed by the Delaware Superior Court after the plaintiffs failed to provide evidence demonstrating they had suffered harm as a result of the breach. Brandywine Urology Consultants experienced a ransomware attack on January 27, 2020. The attack was detected after two days, and the subsequent investigation confirmed the attackers had access to a network that contained patient information. Brandywine Urology Consultants concluded from its investigation that the attack was conducted to extort money rather than to obtain patient data, although unauthorized data access and data theft could not be ruled out. The attackers potentially accessed the protected health information of 130,000 patients and may have viewed or obtained names, medical record numbers, Social Security numbers, financial data, claims data, and other information. The lawsuit was filed in May 2020 alleging Brandywine Urology Consultants was negligent for failing to prevent the attack, had breached its fiduciary duty, and was in...

Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data
Feb03

On January 28, 2021, Democratic lawmakers introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure data security measures are applied to safeguard COVID-19-related health data collected for public health purposes. The Public Health Emergency Privacy Act was introduced by Sens. Mark Warner (D-Va.) and Richard Blumenthal (D-Conn.) and Reps. Anna Eshoo (D-Calif.), Jan Schakowsky (D-Ill.), and Suzan DelBene (D-Wash.), and it would establish strong, enforceable privacy and data security rights for health information. "Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure," said Sen. Blumenthal. "Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19." The Public Health Emergency Privacy Act will ensure strict privacy protections are implemented to ensure any health data collected...

Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Consent
Feb03

A lawsuit has been filed against Burr Ridge, IL-based Easy Healthcare Corp. over the alleged sharing of sensitive user data with third-party firms based in China without user consent. Easy Healthcare Corp. is the developer of Premom, a popular smartphone fertility app for tracking users' ovulation cycles to identify their most fertile days. The lawsuit alleges a range of sensitive user data has been shared with at least three Chinese companies without obtaining users' consent. Since the data is stored on servers in China, the lawsuit alleges the sensitive information could potentially be accessed or seized by the Chinese government. The data transmitted to the Chinese companies includes sensitive healthcare information, geolocation data, user and advertiser IDs, device activity data, and device hardware identifiers. Since the hardware identifiers do not change, combining them with information about where and when they were observed would allow data collectors to reconstruct app users' activities. Identifiers shared with the Chinese firms include Wi-Fi media access control (MAC) addresses, which are unique...

Rady Children's Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack
Jan26

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients. One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals which was obtained by the hackers through Blackbaud’s donor management software solution. The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence. Blackbaud discovered the ransomware...

M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal
Jan15

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on the University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services' Office for Civil Rights. The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 and that involved the loss or theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen. The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative, equivalent method to limit access to ePHI stored on electronic devices, and the second was the impermissible disclosure of ePHI. HIPAA penalties are tiered and are based on the level of culpability, with the Office...

FTC Settles 2019 Consumer Data Breach Case with SkyMed
Dec18

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information. SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted. The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused....

Seasonal Worker Sentenced to 42 Months Imprisonment for Stealing Data from Healthcare.Gov Database
Dec17

A seasonal employee at a Virginia-based tech company that supported the Centers for Medicare & Medicaid Services (CMS) by operating contact centers that provided assistance with Medicare enrollment and other services has been sentenced to 42 months in jail for accessing patient records, stealing personally identifiable information (PII), and using the PII for financial gain. While working at a call center in Bogalusa, LA, Colbi Trent Defiore, 27, of Carriere, MS, accessed the protected health information of more than 8,000 individuals stored in the HHS healthcare.gov database without authorization, copied that information, and used it for criminal activity, including opening credit lines in individuals' names. Defiore had been employed by the company on three occasions, in 2014, 2017, and 2018. He was discovered to have accessed records without authorization during his last period of employment. The company had taken steps to ensure PII was protected and had provided training to all employees on how to handle that information securely. In...

Kalispell Regional Healthcare Proposes $4.2 Million Settlement to Resolve Data Breach Lawsuit
Dec07

The Montana-based healthcare provider Kalispell Regional Healthcare has proposed a $4.2 million settlement to resolve a lawsuit filed on behalf of victims of a data breach that was announced in October 2019. The lawsuit was filed shortly after the announcement that the protected health information of approximately 130,000 patients had been impermissibly disclosed as a result of a sophisticated phishing attack. Unauthorized individuals had gained access to several email accounts after employees responded to phishing emails and disclosed their login credentials. The attackers first gained access to the email accounts on May 24, 2019 and were able to continue to access the accounts for several months. The compromised email accounts contained PHI such as names, addresses, telephone numbers, dates of birth, medical record numbers, medical histories, Social Security numbers, and health insurance information. Around 250 Social Security numbers are known to have been stolen by the attackers. The lawsuit alleged Kalispell Regional Healthcare had failed to implement appropriate measures to...

Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach
Nov30

Mayo Clinic is facing multiple class action lawsuits over an insider data breach reported in October 2020. Mayo Clinic discovered a former employee had accessed the medical records of 1,600 patients without authorization and viewed information such as patient names, demographic information, dates of birth, medical record numbers, medical images, and clinical notes. The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered entities to implement safeguards to ensure the privacy, confidentiality, and integrity of protected health information and limits the uses and disclosures of that information when patient consent has not been obtained. Healthcare employees are permitted to access PHI in the course of their work duties, but in this case the former employee had no legitimate work reason for viewing the records. The unauthorized access is a violation of the HIPAA Rules; however, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action for any HIPAA violation that results in their medical records being...

Zoll Sues IT Vendor for 277,000-Record Server Migration Data Breach
Nov13

A lawsuit has been filed in the US District Court in Massachusetts by the medical device vendor Zoll alleging that its IT service vendor, Campbell, CA-based Barracuda Networks, was negligent in botching a server migration that resulted in the exposure of the protected health information of 277,139 patients. The breach in question involved archived emails that were being migrated to a new email archiving service. A configuration error resulted in the exposure of those emails for more than 2 months, between November 8, 2018 and December 28, 2018. The configuration error was corrected, but Zoll was not informed about the breach until January 24, 2019. The breach investigation revealed the exposed emails contained patient information such as names, contact information, birth dates, medical information, and, for certain patients, Social Security numbers. Zoll had contracted with a company called Apptix – now Fusion Connect – in 2012 and entered into a business associate agreement for the provision of hosted business communication solutions. Apptix then entered into a contract with a...

$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit
Nov09

A $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by a September 2019 ransomware attack on Ferguson Medical Group (FMG). FMG was acquired by Saint Francis after a cyberattack that rendered data, including electronic medical records, on FMG systems inaccessible. The decision was taken to restore the encrypted data from backups rather than pay the ransom, and while patient data and other files were recovered, it was not possible to recover all data encrypted in the attack. FMG was unable to restore a batch of data related to medical services provided to patients between September 20, 2018 and December 31, 2018 which has been permanently lost. FMG announced the incident impacted around 107,000 patients, and those individuals were offered complimentary membership to credit monitoring services. A class action lawsuit was filed against Saint Francis Healthcare in January 2020 in the U.S. District Court of Eastern Missouri which alleged negligence per se, breach of express and implied contracts, invasion of privacy, and violations of the...

Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules
Oct06

A healthcare worker who was accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules and patient privacy by sending photographs of patients to unauthorized individuals has been cleared of any wrongdoing following an investigation by federal law enforcement. A former acquaintance of the healthcare worker was found to have concocted a scheme to frame the worker for fictitious HIPAA violations and is now facing a prison sentence for making false statements. Jeffrey Parker, 43, of Richmond Hill, GA, devised an elaborate scheme to frame the former acquaintance for violations of patient privacy. In U.S. District Court in the Southern District of Georgia, Parker pleaded guilty to one count of false statements and admitted creating fake email addresses and fabricating information in an effort to harm the former acquaintance. Parker portrayed himself as a whistleblower and contacted the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the hospital where the healthcare worker was employed to make false allegations of...

Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties
Oct01

The Indianapolis, IN-based health insurer Anthem Inc. has settled a multi-state investigation by state attorneys general over its 78.8 million-record data breach in 2014. One settlement was agreed with the Attorneys General of 43 states and Washington, D.C., for $39.5 million, and a separate settlement was reached with the California Attorney General for $8.7 million. The settlements resolve violations of federal and state laws that contributed to the data breach, the largest ever breach of healthcare data in the United States. The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, and the responses gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem's network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. The breach was announced by Anthem in February 2015. A Chinese national and an unnamed...

Slew of Lawsuits Filed Over Recent Healthcare Data Breaches
Sep25

Individuals impacted by the recent data breaches at Blackbaud, Assured Imaging, and BJC Healthcare have taken legal action over the exposure and theft of their personal and protected health information.

Multiple Lawsuits Filed Over Blackbaud Ransomware Attack

The data breach at Blackbaud is one of the largest ever breaches of healthcare data to be reported. It is currently unclear exactly how many healthcare entities have been affected, as each affected entity is reporting the breach separately. As the deadline for reporting approaches, the extent of the breach is becoming clearer. Currently, at least 5 million individuals are known to have been affected and around 60 healthcare organizations have confirmed they have been impacted by the breach. As is now common in ransomware attacks, data were exfiltrated by the hackers prior to the use of ransomware. Blackbaud paid the ransom demand to obtain the keys to decrypt data and to ensure that all stolen data were permanently deleted. Blackbaud has received assurances that the stolen data have been deleted, but as a result of the breach,...

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures
Sep23

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days. The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals. CHSPSC LLC is a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule. On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed...

Member of The Dark Overlord Hacking Group Sentenced to 5 Years in Jail
Sep23

The U.S. Department of Justice has announced that a member of the notorious hacking group, The Dark Overlord, has been sentenced to 5 years in jail and has been ordered to pay $1.4 million in restitution. The Dark Overlord hacking group started targeting U.S. organizations in 2016. The hackers gained access to the networks of companies via brute force attacks on Remote Desktop Protocol, then stole data from victim companies and threatened to sell the stolen data on criminal marketplaces if the ransom demand was not paid. The hackers issued ransom demands of between $75,000 and $350,000 in Bitcoin and issued multiple threats if the ransom was not paid. In some instances, individuals in the victim companies received personal threats against them and their family members via the telephone, email, and text messages. Victims of The Dark Overlord included accounting firms, healthcare providers, and other companies. Healthcare provider victims included Farmington, MO-based Midwest Orthopedic Group, Swansea, IL-based Quest Records, Prosthetics & Orthotics Care in St. Louis, and Athens,...

Express Scripts HIPAA-Based Lawsuit Dismissed by Court of Appeals
Sep17

In 2019, a lawsuit was filed against Express Scripts by five independent pharmacies alleging improper use of patient data in violation of HIPAA. Express Scripts is the largest pharmacy benefits manager in the United States with its own retail pharmacies and pharmacy service. The five pharmacies were part of the Express Scripts network and were required to submit detailed claims to Express Scripts for processing and reimbursement before dispensing drugs. The pharmacies also needed to include information about the medications in their claims, along with the contact information of their customers. In the lawsuit, the pharmacies alleged that Express Scripts was in breach of contract and of good-faith and fair-dealing covenants, and in violation of HIPAA and the HITECH Act. The pharmacies were required to provide Express Scripts with information about their customers, which it is alleged was then used to switch the customers to Express Scripts’ mail order service. The pharmacies alleged there was no need to supply that information to confirm coverage and for reimbursement. “The Pharmacies...

HealthAlliance Hospital and Ciox Health Facing Class Action Medical Records Lawsuit
Sep11

A lawsuit has been filed against HealthAlliance Hospital and Ciox Health, its health record management vendor, for preventing a widow from obtaining her deceased husband’s medical records. Sherry Russell, 62, from Woodstock, NY, lost her husband of 42 years to lung cancer in October 2020. Mr. Russell visited HealthAlliance Hospital: Broadway Campus for a chest x-ray in March 2017, but lung cancer was not diagnosed. The cancer diagnosis came two years later, when the tumor was 2 inches in diameter and it was too late to provide treatment. Mrs. Russell believes the radiologist failed to identify the tumor on the x-ray, resulting in a misdiagnosis. Had the tumor been found earlier, it is possible that treatment could have been provided in time to save her husband’s life. Mrs. Russell requested a copy of her husband’s medical records from HealthAlliance Hospital in order to obtain a copy of the chest x-ray report to support her malpractice lawsuit against the hospital over the failure to diagnose lung cancer; however, she has been unable to obtain a copy of the report. Under HIPAA, patients...

Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge
Sep09

A potential class action lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach has been dismissed by a Federal judge. The lawsuit was filed in June 2019 in response to an alleged violation of HIPAA Rules related to a data sharing partnership between the University of Chicago Medicine and Google. In 2017, the University of Chicago Medicine sent the de-identified data of patients to Google as part of an initiative to use medical records to improve predictive analysis of hospitalizations, and by doing so, improve the quality of patient care. The aim of the partnership was to use machine learning techniques to identify when a patient’s health is declining, to allow timely interventions to prevent hospitalization. The University of Chicago Medicine sent hundreds of thousands of patient records dating from 2009 to 2016 to Google. The data shared with Google was de-identified but contained physicians’ notes and time stamps of dates of service. The lawsuit was filed by Edelson PC on behalf of lead plaintiff Matt Dinerstein,...

Konica Minolta Settles EHR False Claims Case for $500,000
Sep01

Konica Minolta Healthcare Americas Inc. has agreed to pay a $500,000 financial penalty to settle a case against its former subsidiary, Viztek LLC, to resolve False Claims Act violations related to its electronic health record (EHR) product. The American Recovery and Reinvestment Act of 2009 established the Medicare & Medicaid EHR Incentive Programs to encourage healthcare providers to adopt a certified EHR. Healthcare providers that adopted a certified EHR were entitled to claim incentive payments to offset the cost of purchasing the solution, provided they were able to demonstrate meaningful use of the EHR technology. Companies that developed and marketed EHR solutions were required to demonstrate that their products met the HHS-adopted criteria and obtain certification for their solutions. According to a Viztek whistleblower, a former product manager at the company, Viztek and Konica Minolta Healthcare had falsified testing results of the Viztek solution, EXA EHR, in 2015 and misrepresented the capabilities of the product. Konica Minolta acquired Viztek in October 2015 during...

Federal Judge Dismisses Heritage Valley Health System NotPetya Lawsuit Against Nuance Communications
Aug24

In 2019, Beaver, PA-based Heritage Valley Health System filed a lawsuit against its vendor Nuance Communications over the NotPetya malware attack it suffered in 2017. The lawsuit was recently dismissed by a federal judge for the U.S. District Court for the Western District of Pennsylvania. The NotPetya attacks occurred a short time after the WannaCry ransomware attacks in 2017 and targeted the same vulnerability in Windows Server Message Block (SMB). NotPetya encrypted the master boot record of infected computers, rendering them unusable. The attacks occurred in June 2017, more than three months after Microsoft released a patch to fix the SMB vulnerability that was exploited in the attacks. The cyberattack on Nuance Communications saw 14,800 servers and 26,000 workstations encrypted by NotPetya. The extent of the damage meant 7,600 servers and 9,000 workstations needed to be replaced. Heritage Valley Health System was also affected by the attack, with the investigation revealing the malware had spread to the health system’s computer network via a trusted virtual private network (VPN) connection...

Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge
Jul23

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a Federal judge due to a lack of standing. Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, although it was not possible to rule out a data breach with 100% certainty, so notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised. A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services. Judge R. Austin Huffaker Jr. stated in his...

Two Chinese Nationals Indicted for 10-Year Hacking Campaign on U.S. Organizations and Government Agencies
Jul22

Two Chinese nationals have been indicted by the U.S. Department of Justice (DOJ) for targeting and hacking U.S. companies, government agencies, and others to steal sensitive information, including COVID-19 research data. The hackers are alleged to have been working under the direction of the Chinese government and also hacking organizations for personal financial gain. Li Xiaoyu, 34, and Dong Jiazhi, 33, were trained in computer application technologies and have been operating as state-backed hackers for more than 10 years. The DOJ said the hackers were operating on behalf of China’s Ministry of State Security, the Guangdong State Security Department (GSSD), and other government agencies, as well as conducting their own attacks. The hackers have been accused of stealing more than a terabyte of intellectual property estimated to be worth hundreds of millions of dollars. The hackers were prolific and conducted sophisticated hacks on companies and organizations in the United States, Australia, Belgium, Germany, Japan, Lithuania, Spain, the Netherlands, South Korea, Sweden, and the...

Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack
Jul07

It is becoming increasingly common for healthcare organizations to face legal action after experiencing a ransomware attack in which patient data is stolen. The Florida Orthopaedic Institute, one of the largest orthopedic providers in the state, is one of the latest healthcare providers to face a class action lawsuit over a ransomware attack. The ransomware attack was detected on April 9, 2020, when staff were prevented from accessing computer systems and data due to the encryption of files. A third-party computer forensics firm was engaged to assist with the investigation and determined on May 6, 2020, that the attackers may have accessed and exfiltrated patient data. A range of sensitive data was potentially compromised, including names, dates of birth, Social Security numbers, and health insurance information. Affected patients were notified about the breach on or around June 19, 2020, and were offered complimentary identity theft and credit monitoring services for 12 months. At the time of issuing notifications, no evidence had been found to suggest patient data had been misused....

The California Consumer Privacy Act is Now Being Enforced
Jul02

On July 1, 2020, enforcement of the California Consumer Privacy Act (CCPA) of 2018 began. The CCPA took effect on January 1, 2020, and all companies covered by the Act were given a 6 month grace period before compliance with the CCPA would be enforced, although compliance with the provisions of the Act has been mandatory since January 1, 2020. The grace period has now elapsed. California Attorney General Xavier Becerra confirmed there will be no delay to enforcement, even though dozens of requests were made by companies and trade associations asking for the grace period to be extended for a further 6 months due to the 2019 Novel Coronavirus pandemic. The requests were acknowledged but no extension was given. “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” said Attorney General Becerra in a statement to Forbes. “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security...

$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit
Jul02

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data. The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court. The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the malware that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months. A ransom of $1 million was demanded by the attackers for the keys to decrypt the data. Grays Harbor had an insurance policy that provided cover of up to...

UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit
Jun30

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed. The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees of its Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018. The second phishing attack was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018. The attackers had access to the email accounts for almost a month...

NY District Court Kicks Data Breach Lawsuit Against Episcopal Health Services Back to State Court
Jun23

A lawsuit filed by patients of Uniondale, N.Y.-based Episcopal Health Services Inc., whose personal and protected health information was compromised in a phishing attack in 2018, has been kicked back to the New York State Supreme Court for further proceedings. The lawsuit alleges Episcopal Health Services had failed to protect the private information of its patients from unauthorized disclosures. As a result of those failures, Episcopal Health Services suffered a breach of some of its employee email accounts between August 28, 2018, and October 5, 2018. The email accounts contained a range of sensitive data including patients’ names, addresses, dates of birth, Social Security numbers, and financial information. The PHI of more than 218,000 patients was exposed in the email system breach. The lawsuit named three plaintiffs who were patients of St. John’s Episcopal Hospital. They claimed injuries had been suffered as a direct result of the disclosure of their confidential information. The lawsuit referenced the Health Insurance Portability and Accountability Act (HIPAA) and the...

Hacker Arrested and Charged Over 2014 UPMC Cyberattack
Jun22

The United States Attorney’s Office of the Western District of Pennsylvania has announced a suspect has been arrested and charged over the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC). UPMC owns 40 hospitals and around 700 outpatient sites and doctors’ offices, and employs over 90,000 individuals. In January 2014, UPMC discovered a hacker had gained access to an Oracle PeopleSoft human resources database on one of its servers that contained the personally identifiable information (PII) of 65,000 UPMC employees. Data was stolen in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers. The suspect has been named as Justin Sean Johnson, a 29-year-old man from Michigan who previously worked as an IT specialist at the Federal Emergency Management Agency. Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts on May 20, 2020: one count of conspiracy, 37 counts of wire fraud, and 5 counts of aggravated identity...

New York Accounting Firm Facing Class Action Lawsuit Over Maze Ransomware Attack
Jun12

Patients whose protected health information was stolen in a manual ransomware attack on the New York accounting firm BST & Co. CPAs LLC in late 2019 have taken legal action against the company. The lawsuit alleges BST & Co. was negligent for failing to take appropriate and reasonable steps to prevent the attack and did not provide prompt and accurate notice to affected patients. The lawsuit also alleges the company breached its fiduciary duty to protect sensitive patient information and violated state laws related to deceptive business practices. The ransomware attack was discovered by BST on December 7, 2019. The attack involved Maze ransomware and, prior to file encryption, the gang exfiltrated a range of data from the company and threatened to publish the data if the ransom was not paid. The gang then followed through with the threat and published sensitive data on its website when payment was not made. According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, the PHI of 170,000 individuals was potentially...

Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack
Jun04

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year. Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks. Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to...

New Washington D.C. Data Breach Notification Law Takes Effect
May29

On May 19, 2020, legislative changes to the Washington D.C. data breach notification law took effect. The changes were introduced in March and significantly updated existing breach notification requirements. There has been a major expansion of the data classified as personal information that warrants breach notifications if subjected to unauthorized access, and new data security requirements have been introduced. Prior to the change, notifications were required if personal information such as names, phone numbers, and addresses were exposed in combination with a Social Security number, driver’s license number, DC ID card, or credit/debit card number, or if numbers and codes were breached that allowed credit or finance accounts to be accessed. The change has seen several other data elements added to the list. Breach notifications are now required if any of the following data is breached, even in the absence of a name, if the data could be used for identity theft:

Medical information
Health insurance information
Genetic data and DNA profiles
Biometric information
Passport numbers
Usernames...

Indiana Court of Appeals Reinstates Respondeat Superior Claim in HIPAA Breach Lawsuit
May21

A patient who sued Parkview Health System Inc. after a medical assistant accessed her medical records and shared sensitive information with another individual has had her respondeat superior claim reinstated by the Indiana Court of Appeals. Haley SoderVick sued Parkview Health System after she was notified that a medical assistant had accessed her medical records and disclosed the information to her then-husband. The medical assistant’s husband had posted a picture on Facebook that was liked by SoderVick, which prompted the disclosure. SoderVick had visited Parkview Health in October 2017 and underwent a medical examination in the OB/GYN department. While she was there, her medical records were accessed by the medical assistant, Alexi Christian. Christian texted her husband information about SoderVick, stating she was a patient at the facility, disclosed a potential diagnosis, and told her husband SoderVick was a dispatcher. She also told her husband that SoderVick was HIV-positive and had had more than 50 sexual partners, although both claims were false and that information had...

Legal Action Taken Against Lurie Children’s Hospital of Chicago Over Two Recent Data Breaches
May19

Lurie Children’s Hospital of Chicago is facing legal action over two privacy breaches involving employees accessing the medical records of patients without consent. The lawsuit was filed on behalf of a mother and her 4-year-old child. On December 24, 2019, Lurie Children’s Hospital notified the mother that her daughter’s medical records had been accessed by a nursing assistant at the hospital when there was no legitimate work purpose for doing so. The employee had been discovered to be viewing patient records without authorization between September 10, 2018, and September 22, 2019. On May 4, 2020, the mother received a second letter explaining that her daughter’s medical records had been accessed without authorization by a different employee. In this case, the employee was discovered to have accessed patient records with no work reason for doing so between November 1, 2018, and February 29, 2020. In early 2019, the mother took her then 3-year-old child to the hospital for an examination as she suspected that her daughter may have been sexually abused. The mother sought legal...

Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches
May01

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months. LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach. A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data. Raymond Eugenio holds shares in LabCorp which lost value as a...

$8.9 Million Banner Health Data Breach Settlement Gets Final Approval
Apr27

A settlement proposed by Banner Health to resolve a class action lawsuit filed on behalf of victims of its 3.7 million-record data breach in 2016 has received final approval from a Federal judge. The $8.9 million settlement was proposed in December 2019 to cover claims from victims of the breach and legal fees. Banner Health has also agreed to invest money to improve its cybersecurity defenses to prevent data breaches in the future. The Arizona-based health system was attacked by hackers via the payment processing system used in the food and beverage outlets in its hospitals. The system was connected to servers used to store the protected health information of patients. The hackers were able to access and steal a large quantity of highly sensitive patient data, including demographic information, Social Security numbers, health insurance information, and claims data from current and former Banner Health patients. The food and beverage system contained the credit and debit card numbers of around 30,000 customers. The data breach was the largest to be reported by a healthcare...

Tandem Diabetes Care Facing Class Action Lawsuit over January 2020 Phishing Attack
Apr17

The San Diego medical device manufacturer, Tandem Diabetes Care Inc., is facing a class action lawsuit in California over a January 2020 data breach that resulted in the exposure and possible theft of the protected health information of more than 140,000 individuals. The breach was the result of a phishing attack that gave unauthorized individuals access to the email account of an employee between January 17 and January 20, 2020. The information in the email account varied from patient to patient but included a range of private and confidential information including names, dates of birth, insurance information, billing information, healthcare data, and Social Security numbers. The incident was reported to the HHS’ Office for Civil Rights on March 17, 2020 as affecting 140,781 individuals. Notification letters started to be sent to those individuals the same day. The lawsuit was filed in the United States District Court in the Southern District of California and alleges violations of the Confidentiality of Medical Information Act (CMIA). The plaintiff and class members seek damages...
