The HIPAA Journal legal news section contains details of the latest enforcement activities by the Department of Health and Human Services’ Office for Civil Rights, including settlements and civil monetary penalties, and legal actions taken against covered entities by state attorneys general.

You will also find brief details of class action lawsuits and other legal actions filed against covered entities for HIPAA violations, privacy violations, and data breaches, along with other legal news specifically relating to HIPAA or other legal matters of particular relevance to the healthcare industry.

Changes to HIPAA Rules are detailed in the HIPAA Updates category, although this section does include updates to state legislation, in particular any changes to breach notification and cybersecurity laws that are relevant to healthcare organizations.

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark
Oct16

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals. Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation. The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino. Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted...

Read More
California HIV Patient PHI Breach Lawsuit Allowed to Move Forward
Oct08

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss. The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco. In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information. A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities. It was...

Read More
Massachusetts Gynecologist Spared Jail Time for Criminal HIPAA Violation
Sep25

Massachusetts Gynecologist Spared Jail Time for Criminal HIPAA Violation

In April 2018, the former Massachusetts-based gynecologist Rita Luthra, 65, of Longmeadow, was convicted of criminally violating the HIPAA Privacy Rule and obstructing a federal investigation into a nationwide kickback scheme. At her sentencing on September 19, 2018, Luthra was spared jail time and a fine and was given one year of probation. Luthra was accused of being paid $23,500 to prescribe Warner Chilcott’s osteoporosis drugs, although Luthra maintained she had been paid the money as ‘speaker fees’ for speaking at medical educational events, which took place in her office, and for writing a research paper, although that paper was never finished. The jury found that Luthra lied to federal agents about money she had received from the pharmaceutical firm. Luthra also denied providing a pharmaceutical sales representative with access to patient health information in order to complete pre-authorization forms for insurance companies that were refusing to approve prescriptions for two osteoporosis drugs that Warner Chilcott was pushing. She also allegedly instructed her assistant to...

Read More
$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Sep20

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules. This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients. Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a). Brigham and Women’s Hospital (BWH) settled its HIPAA violations...

Read More
NY Attorney General Fines Arc of Erie County $200,000 for Security Breach
Sep04

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients. In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines. The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained. In total, 3,751 clients in New York had...

Read More
Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure
Aug27

Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure

Following the accidental drowning of their adopted son, Denise and Wayne Russell were contacted by the child’s birth mother who made threats against their family. The phone call from the birth mother came shortly after their son was admitted to McAlester Regional Health Center following a tragic swimming pool accident. Their 2-year old child had fallen into the pool after the gate to the pool area had been accidentally left open. The parents administered CPR at the scene until the paramedics arrived and the child was rushed to hospital where he was later confirmed to have died. Shortly after their son died, the Russells received the telephone call from the birth mother. When asked how she knew about the accident and death of the child, she confirmed that she had been informed by the hospital. The birth month screamed at the Russells and made multiple threats, according to Denise Russell, including a threat to kill their other son. The situation became so bad that a protective order was filed against their son’s birth mother. The Russells had taken care of their adopted son Keon...

Read More
Court Approves Anthem $115 Million Data Breach Settlement
Aug20

Court Approves Anthem $115 Million Data Breach Settlement

The $115 million settlement proposed by Anthem Inc., in 2017 to resolve the class action lawsuits filed by victims of its 78.8 million-record data breach in 2015 received final approval on Thursday, August 16. The Anthem cyberattack resulted in plan members’ names, dates of birth, health insurance information, Social Security numbers and other data elements stolen by cybercriminals. Several class-action lawsuits were filed in the wake of the breach, which were consolidated into a single lawsuit by the Judicial Panel for Multidistrict Litigation in June 2015. The case was assigned to the U.S District Court for the Northern District of California, where a large proportion of the class members reside. While 78.8 million individuals had protected health information (PHI) exposed when Anthem’s network was hacked, there are only 19.1 million members of the class action lawsuit, all of whom were able to demonstrate that their personal information was stored in the data center that was attacked by hackers. Following the data breach, Anthem offered breach victims 24 months of credit...

Read More
Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital
Aug07

Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital

A hacktivist who conducted a Distributed Denial of Service (DDoS) attack on Boston’s Children’s Mercy Hospital in 2014 has been convicted on two counts – conspiracy to intentionally damage protected computers and damaging protected computers – by a jury in the U.S. District Court in Boston. Martin Gottesfeld, 32, of Somerville, MA, conducted the DDoS attacks in March and April of 2014. He first conducted a DDoS attack on Wayside Youth and Family Support Network in Framingham, MA. The attack crippled its systems and took them out of action for more than a week. The attack cost the healthcare facility $18,000 to resolve. Following that attack, Gottesfeld conducted a much larger attack on Boston Children’s Hospital using 40,000 malware-infected network routers that he controlled from his home computer. The attack was planned for a week and occurred on April 19, 2014. Such was the scale of the attack that the hospital and several others in the Longwood medical area were knocked off the internet. 65,000 IP addresses used by the hospital and other healthcare facilities in the area were...

Read More
Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach
Jul26

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight. In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes. The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients protected health information. Millender admitted to using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to serve two years in jail. In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital...

Read More
Children’s Mercy Hospital Sued for 63,000-Record Data Breach
Jul13

Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information. In total, five email accounts were compromised between December 2017 and January 2018. On December, 2, 2017  two email accounts were discovered to have been accessed by an unauthorized individual as a result of employees responding to phishing emails. Links in the emails directed the employees to a website where they were fooled into disclosing their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, with a fifth and final account compromised in early January. The mailbox accounts of four of those compromised email accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent...

Read More
Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation
Jul09

Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation

In 2016, Radnor, PA-based Main Line Health Inc., terminated an employee for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by accessing the personal records of a co-worker without authorization on two separate occasions. In such cases, when employee or patient records are accessed without authorization, employees face disciplinary action which can include termination. Gloria Terrell was one such employee who was terminated for violating company policies and HIPAA Rules. Main Line Health fired Terrell for “co-worker snooping.” Terrell filed an internal appeal over her termination and maintained she accessed the records of a co-worker in order to obtain a contact telephone number. Terrell said she needed to contact the co-worker to make sure a shift would be covered, and this constituted a legitimate business reason for the access as she was unable to find the phone list with employees’ contact numbers. After firing Terrell, Main Line Health appointed a significantly younger person to fill the vacant position. Terrell took legal action against Main Line...

Read More
District Court Ruling Confirms No Private Cause of Action in HIPAA
Jun25

District Court Ruling Confirms No Private Cause of Action in HIPAA

Patients who believe HIPAA Rules have been violated can submit a compliant to the Department of Health and Human Services’ Office for Civil Rights, but they do not have the right to take legal action, at least not for the HIPAA violation. There is no individual private cause of action under HIPAA law. Several patients have filed lawsuits over alleged HIPAA violations, although the cases have not proved successful. A recent case has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed. Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that while at the hospital on June 15, 2017, a LabCorp employee instructed her to enter her protected health information at a computer intake station. Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different...

Read More
3-Year Jail Term for VA Employee Who Stole Patient Data
Jun18

3-Year Jail Term for VA Employee Who Stole Patient Data

A former employee of the Veteran Affairs Medical Center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients has been sentenced to three years in jail. Albert Torres, 51, was employed as a clerk in the Long Beach Health System-run medical center – a position he held for less than a year. Torres was pulled over by police officers on April 12 after a check of his license plates revealed an anomaly – plates had been used on a private vehicle, which were typically reserved for commercial vehicles. The police officers found prescription medications which Torres’ did not have a prescription for and the Social Security numbers and other PHI of 14 patients in his vehicle. A subsequent search of Torres’ apartment revealed he had hard drives and zip drives containing the PHI of 1,030 patients and more than $1,000 in cleaning supplies that had been stolen from the hospital. After pleading guilty to several crimes, including identity theft and grand theft, Torres was sentenced to three years in state penitentiary on June 4. Sutter Health Fires...

Read More
Lawsuits Filed Over Alleged HIPAA Violations
Jun05

Lawsuits Filed Over Alleged HIPAA Violations

Two lawsuits have recently been filed in relation to alleged breaches of Health Insurance Portability and Accountability Act (HIPAA) Rules, one by a former hospital employee and another by a patient whose privacy was allegedly violated by a CVS pharmacy employee. Former Employee of Mosaic Life Care Medical Center Takes Legal Action over Dismissal A former employee of Mosaic Life Care Medical Center in St. Joseph, MO is taking legal action over wrongful discharge and retaliation for her taking steps to avoid a violation of the False Claims Act. Debra Conard, 57, alleges she was wrongfully terminated for raising concerns about unlawful, unethical, and fraudulent billing practices. According to the lawsuit, in April 2017, Conard was instructed by hospital officials to release charges for billing even though the documentation did not support the claims. Multiple charges were required to be pushed through, which would induce payment by Medicare and other third parties, even though Conrad could not verify that the claims were correct. Conrad raised her concerns about potential violations...

Read More
Colorado Governor Signs Data Protection Bill into Law
Jun05

Colorado Governor Signs Data Protection Bill into Law

Colorado Governor John Hickenlooper has signed a bill – HB 1128 – into law that strengthens protections for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Legislature. The bill will take effect from September 1, 2018. The bill requires organizations operating in the state of Colorado to implement reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is protected. The bill also reduces the time for notifying the state attorney general about breaches of PII and introduces new rules for disposing of PII when it is no longer required. Personal information is classed as first name and last name or first initial and last name in combination with any of the following data elements (when not encrypted, redacted, or secured by another means that renders the information unreadable): Social Security number Student ID number Military ID number Passport number Driver’s license number or...

Read More
Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach
Jun01

Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach

There have been further developments in the ongoing legal battles over a 2017 privacy breach experienced by Aetna involving the exposure of patients’ sensitive health information. A further lawsuit has been filed by the insurer in an attempt to recover the costs incurred as a result of the breach. Ongoing Legal Battles Over the Exposure of Patients’ HIV Statuses In 2017, the health insurer Aetna experienced a data breach that saw highly sensitive patient information impermissibly disclosed to other individuals. A mailing vendor sent letters to patients using envelopes with clear plastic windows and information about HIV medications were allegedly visible. The mailings related to HIV medications used to treat patients who had already contracted HIV and individuals who were taking drugs as pre-exposure prophylaxis. Approximately 12,000 patients received the mailing. Lawsuits were filed on behalf of patients whose HIV positive status was impermissibly disclosed, which were settled in January for $17.2 million. A settlement was agreed with the New York state attorney general for a...

Read More
Jury Must Decide Whether Psychiatrist was Sacked for a HIPAA Violation
May22

Jury Must Decide Whether Psychiatrist was Sacked for a HIPAA Violation

Boston-based Steward Healthcare System terminated a psychiatrist for violating HIPAA Rules but must now prove to a jury that was the case. The psychiatrist claims he was fired in retaliation over taking extended disability leave, not for a HIPAA violation. Dr. Alexander Lipin contracted pneumonia and requested extended disability leave under the Family Medical Leave Act (FMLA). Extended leave was granted by Steward Healthcare System and Lipin was due to return to work on March 2, 2016. However, Lipin was fired on February 23 while still on disability leave over a HIPAA violation, which his attorney, Kavita M. Goyal, claims was used as an excuse for the termination. Steward Healthcare System alleged Lipin had violated HIPAA Rules by providing patients’ protected health information to law enforcement. According to Steward Medical Group President, George Clairmont, the decision had been taken to fire Lipin over the HIPAA violation before he took leave. Clairmont also stated Lipin was fired after it was discovered he was working for Anna Jaques Hospital while on leave. Lipin sued...

Read More
South Carolina Insurance Data Security Act Signed into Law
May21

South Carolina Insurance Data Security Act Signed into Law

On May 14, 2018, South Carolina Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law. The Act closely follows the Insurance Data Security Model law drafted by the National Association of Insurance Commissioners (NAIC) in 2017.  South Carolina is the first state to implement a comprehensive cybersecurity law covering the insurance industry. From January 1, 2019, when the South Carolina Insurance Data Security Act becomes effective, all licensees of the South Carolina Department of Insurance will be required to comply with the Act. The Act requires all insurers, agents, and other licensed entities to develop a comprehensive written information security program within six months of the compliance date. The cybersecurity program should be commensurate with the size and complexity of the company, the nature and scope of its activities, and the sensitivity of nonpublic information used/stored by the company. The cybersecurity program should be guided by a comprehensive risk analysis and should mitigate all risks identified by that risk analysis. The Act...

Read More
Lincare Settles W-2 Phishing Scam Lawsuit for $875,000
May18

Lincare Settles W-2 Phishing Scam Lawsuit for $875,000

The respiratory therapy supplier Lincare Inc., has agreed to settle a class-action lawsuit filed by employees whose W-2 information was sent to cybercriminals when an employee responded to a phishing scam. On February 3, 2017, a member of Lincare’s human resources department received an email from a high-level executive requesting copies of W-2 information for all employees of the firm. Believing the email was a genuine request, the employee responded and attached W-2 information for ‘a certain number of employees of Lincare and its affiliates.’ After discovering the accidental disclosure of sensitive information, Lincare contacted affected employees and offered them two years of credit monitoring, identity theft insurance, and remediation services without charge. On October 16, 2017, three employees – Andrew Giancola, Raymond T. Scott, and Patricia Smith – took legal action against Lincare alleging negligence, breach of implied contract, breach of fiduciary duty, and violation of Florida’s Deceptive and Unfair Trade Practices Act. The lawsuit survived a motion to dismiss and...

Read More
Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack
May08

Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals. As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018. HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights. Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for...

Read More
Massachusetts Physician Convicted for Criminal HIPAA Violation
May04

Massachusetts Physician Convicted for Criminal HIPAA Violation

Criminal penalties for HIPAA violations are relatively rare, although the Department of Justice does pursue criminal charges for HIPAA violations when there has been a serious violation of patient privacy, such as an impermissible disclosure of protected health information for financial gain or malicious purposes. One such case has resulted in two criminal convictions – a violation of the Health Insurance Portability and Accountability Act and obstructing a criminal healthcare investigation. The case relates to the DOJ investigation of the pharmaceutical firm Warner Chilcott over healthcare fraud. In 2015, Warner Chilcott plead guilty to paying kickbacks to physicians for prescribing its drugs and for manipulating prior authorizations to induce health insurance firms to pay for prescriptions. The case was settled with the DOJ for $125 million. Last week, a Massachusetts gynecologist, Rita Luthra, M.D., 67, of Longmeadow, was convicted for violating HIPAA by providing a Warner Chilcott sales representative with access to the protected health information of patients for a period of...

Read More
Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft
Apr17

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution. Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014. Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information. Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents. On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016. She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were...

Read More
2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office
Apr11

2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients. Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items. Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office. The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email. Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per...

Read More
HHS Files Motion to Dismiss Ciox Health Lawsuit
Apr10

HHS Files Motion to Dismiss Ciox Health Lawsuit

The Department of Health and Human Services has filed a motion to dismiss a lawsuit filed by the healthcare information management company Ciox Health claiming the lawsuit lacks standing. Early this year, Ciox Health filed a lawsuit challenging changes to HIPAA in 2013 and subsequent enforcement guidance issued by the HHS in 2016. The changes to the HIPAA Privacy Rule in 2013 in question placed a limit on the amount that could be charged by covered entities for providing patients with copies of their health records. The charges must be limited to a reasonable cost-based fee. In 2016, the HHS issued guidance for the public explaining the rulemaking and providing answers to commonly asked questions about medical record access. Ciox Health claims the changes threaten to upend the medical records industry and that the updates and guidance are ultra vires, arbitrary and capricious. Ciox Health is also seeking injunctive relief to stop the HHS from unlawfully enforcing the regulations. In its motion to dismiss the lawsuit, filed in the U.S. District Court in Washington, D.C., HHS...

Read More
Oregon Data Breach Notification and Information Security Laws Updated
Apr06

Oregon Data Breach Notification and Information Security Laws Updated

Oregon has updated its data breach notification law to improve protections for state residents whose personal information is exposed in a data breach. State governor Kate Brown added her signature to Senate Bill (SB 1551) last month, which updates several regulations, notably Oregon’s Breach Notification Law, O.R.S. 646A.604 and Information Security Law, O.R.S. 646A.622. The updates will become effective in June 2018. Prior to the update, Oregon data breach notification law only applied to persons who own or license personal information. Now, the definition of a person is “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.” A data breach is defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” The definition of personal information has been expanded to include a first...

Read More
Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law
Apr05

Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law

Virtua Medical Group – A network of physicians affiliated to over 50 medical practices in New Jersey – has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without the need for any authentication. The electronic protected health information was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group – Best Medical Transcription – which had been provided with audio files to transcribe medical notes. Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport. The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016 during a software upgrade on the FTP server, the password protection was accidentally removed allowing patient...

Read More
Alabama Governor Enacts Data Breach Notification Act
Apr04

Alabama Governor Enacts Data Breach Notification Act

Alabama has become the 50th state to require companies to issue breach notifications to individuals whose personal information has been exposed or compromised as a result of a data breach. Governor Kay Ivey signed the act into law on March 28. The effective date is May 1, 2018. The data breach notification law has taken a long time to be enacted although Alabama residents will now have some of the best protections in the country, with the law one of the strictest introduced in any state. While every state now has a data breach notification law that requires notifications to be issued to all individuals impacted by a data breach, only 28% of U.S. states – including Alabama – also require ‘covered entities’ to maintain reasonable security measures to protect the confidentiality of sensitive personally identifying information of state residents. Service providers must also be contractually required to maintain appropriate safeguards. Sensitive personally identifying information is classed as a state resident’s first name or first initial and last name in combination with any of...

Read More
South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill
Mar28

South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill

South Dakota has been slow to introduce legislation to improve protections for consumers affected by breaches of their personal information. Laws have already been introduced in 48 states that require individuals and companies that store personal information to issue notifications to breach victims when that information is compromised. Last week, South Dakota residents were given similar protections to those in place in neighboring states. On March 21, 2018, South Dakota attorney general Marty Jackley issued a statement confirming SB 62 had been signed by Governor Daugaard and will take effect on July 1, 2018. The bipartisan bill requires entities that experience a breach of personal information to issue notifications to affected state residents within 60 days of discovery of the breach – The same time frame as HIPAA. Personal information is classed as the full name or first initial and last name of a state resident in combination with either a government ID number, Social Security number, driver’s license number, credit/debit card number (with an associated code that allows the...

Read More
Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach
Mar26

Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv. The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients. In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions. In July/August 2017, CSV Caremark’s mailing vendor Fiserve sent letters to patients containing their membership cards and information about how they could obtain their HIV medications. In the lawsuit the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates....

Read More
EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach
Mar07

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General. While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members. Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information. The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law §...

Read More
What is HIPAA Certification?
Mar06

What is HIPAA Certification?

Many vendors would like HIPAA certification to confirm they are fully compliant with HIPAA Rules and understand all aspects of the Health Insurance Portability and Accountability Act (HIPAA), but is it possible to obtain HIPAA certification to confirm HIPAA compliance? What is HIPAA Certification? In an ideal world, HIPAA certification would confirm that all aspects of HIPAA Rules are understood and being followed. If a third-party vendor such as a transcription company was HIPAA certified, it would make it easier for healthcare organizations looking for such as service to select an appropriate vendor. Many companies claim they have been certified as HIPAA compliant or in some cases, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ is a misnomer. There is no official, legally recognized HIPAA compliance certification process or accreditation. There is a good reason why this is the case. HIPAA compliance is an ongoing process. An organization may be determined to be in compliance with HIPAA Rules today, but that does not mean that they will be tomorrow or at some point in...

Read More
1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware
Feb22

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection. The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients. The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician. Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23,...

Read More
Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days
Feb22

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data. Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration. The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just...

Read More
What is FINRA Compliance?
Feb15

What is FINRA Compliance?

FINRA compliance is often mentioned in relation to the securities industry, but what is FINRA and what does FINRA compliance entail? Find out more about the FINRA, the role it plays, how the agency exerts control over brokers and brokerage firms, and the penalties for noncompliance with FINRA rules and regulations. What is FINRA? FINRA, an acronym of the Financial Industry Regulatory Authority, is a non-profit self-regulatory organization or SRO which is overseen by the Securities Exchange Commission (SEC). An SRO is a non-government agency that has a degree of regulatory authority over an industry, which in the case of FINRA is the securities industry and the New York Stock Exchange. The SEC’s role is to ensure fairness for investors whereas FINRA is also concerned with monitoring and regulating stockbrokers and brokerage firms, deterring misconduct, and ensuring the financial markets are fair. FINRA ensures transparency in the industry transaction and develops and enforces rules for the securities industry. FINRA also helps enforce SEC rules and other regulations. FINRA is...

Read More
Texas HB300 Compliance
Feb10

Texas HB300 Compliance

Texas HB300 (Texas House Bill 300) was signed into law by State governor Rick Perry in June 2011. The Bill made significant changes to state laws covering the privacy and security of protected health information (PHI) for individuals and organizations that assemble, collect, analyze, store, or transmit PHI. The Texas HB300 compliance date was September 1, 2012. Texas HB300 Introduced Stricter Privacy and Security Protections than HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of PHI and protect the privacy of patients and health plan members. Texas HB300 takes those requirements a step further, introducing even stricter requirements for covered entities, which under the new laws, also includes individuals and organizations not covered by HIPAA Rules. The existing laws updated by Texas HB300 were: Texas Health Code,...

Read More
Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach
Feb08

Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach

Aetna has taken legal action against an administrative support company over a July 2017 data breach that saw details of HIV medications visible through the clear plastic windows of envelopes in a mailing. Letters inside some of the envelopes had slipped, making the words ““when filling prescriptions for HIV medications” clearly visible to anyone who saw the envelopes. The privacy breach was condemned by the Legal Action Center and AIDS Law Project of Pennsylvania, who along with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking damages for breach victims. In January, Aetna settled the lawsuit for $17.16 million. Last month, Aetna also settled violations of HIPAA and state laws for $1.15 million with the New York attorney general over the same breach. The class action was only one of seven filed against the health insurer, and further fines from state attorneys general are to be expected. Several other attorneys general have opened investigations into the breach and may also determine that state laws have been violated. The costs associated with the...

Read More
Nebraska Personal Information Bill Advances After 34-0 First Round Vote
Feb05

Nebraska Personal Information Bill Advances After 34-0 First Round Vote

On January 3, 2018, Senator Adam Morfield introduced a bill that aims to improve protections for Nebraska residents whose personal information is exposed as a result of a data breach. The first round of voting has seen the bill unanimously passed by Nebraska lawmakers. The bill was introduced in the wake of the massive data breach at Equifax in 2017 that saw the personal information of more than 145 Americans – and almost 700,000 Nebraskans – compromised as a result of a cyberattack. The bill – Legislative Bill 757 – seeks to make changes to the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 to improve protections for state residents, both by helping to prevent data breaches and ensuring appropriate action is taken by the breached entity when a breach is experienced. According to Sen. Morfield, his bill “ensures that the hard-earned dollars and credit of every Nebraskan is put before crediting reporting agencies like Equifax.” Sen. Morfield has made the bill his number one priority. It...

Read More
Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss
Feb02

Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information. CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules. CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings. CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident. The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in the CVS Pharmacy’s contract with the health plan. By violating the performance standard, the CVS Pharmacy was required to pay the health plan $1.8 million. A lawsuit was filed by the CVS Pharmacy seeking...

Read More
Breach Notification Bill Passes South Dakota Senate Judiciary Committee
Jan30

Breach Notification Bill Passes South Dakota Senate Judiciary Committee

At present, South Dakota is one of two states that do not have breach notification laws (Alabama being the other), but that could soon change if proposals passed by the Senate Judiciary Committee last Tuesday are enacted by the South Dakota State Legislature. The proposed bill – SB 62 (PDF) – would amend Chapter 22-40 of the Codified Laws relating to identity crimes, and require companies maintaining computerized information about South Dakota residents to inform consumers of “unauthorized acquisition” of their personal data. If enacted, the bill stipulates residents have to be informed within sixty days of discovery of a breach unless the company and the State Attorney General´s Office determine the breach will unlikely cause harm to those whose data has been acquired without authorization. Under the proposed laws, extensions to the sixty-day limit are allowed if more time is required for law enforcement agencies to investigate the breach; and, if the breach involves more than 250 South Dakota residents, companies must notify consumer reporting agencies of the timing,...

Read More
New Bill Proposes to Amend Iowa Breach Notification Act
Jan29

New Bill Proposes to Amend Iowa Breach Notification Act

A new bill introduced by Iowa Attorney General Tom Miller will, if implemented, extend the definition of a data breach to include medical information, health insurance information and personal information that previously had to be combined with other individual identifiers before a breach was classified as a breach. Since 2014, data breaches affecting more than five hundred Iowa residents have had to be reported to the director of the consumer protection division of the office of the Iowa Attorney General. More than 120 breaches have been notified in the past four years including those at Anthem Blue Cross, Banner Health and Medical Informatics Engineering. The relatively low number of reported breaches implies that either the personal data of Iowa residents is remarkably secure, or that hacked entities are failing to notify the Attorney General´s office as required. AG Tom Miller intends to find out which by introducing an amendment to the state´s current Breach Notification Act that extends the definition of a data breach. Medical and Health Insurance Information to be Included...

Read More
Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case
Jan25

Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones. Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis. The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $1.15 million settlement with the New York Attorney General to resolve violations of federal and state laws. Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had...

Read More
Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records
Jan25

Kansas Attorney General Fines Healthcare Provider for Failing to Protect Patient Records

The Topeka, KS-based healthcare company Pearlie Mae’s Compassion and Care LLC and its owners have been fined by the Kansas Attorney General for failing to protect patient and employee records. The owners have agreed to pay a civil monetary penalty of $8,750. The HITECH Act gave attorneys general the authority to enforce HIPAA rules and take action against HIPAA-covered entities and business associates that are discovered not to be in compliance with HIPAA regulations. Only a handful of state attorneys general have exercised those rights, with many opting to pursue privacy violations under state laws. In this case, Attorney General Derek Schmidt issued the civil monetary penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act. Special agents of the Kansas attorney general’s office were assisting the Topeka Police Department execute a search warrant in June 2017 at the home of Ann Marie Kaiser, one of the owners of Pearlie Mae’s Compassion and Care. Kaiser’s home was used as an office location for the company. While at the property, the...

Read More
Colorado Considers New Privacy and Data Breach Legislation
Jan23

Colorado Considers New Privacy and Data Breach Legislation

Colorado is the latest state to consider changing its privacy and data breach notification laws to improve protections for state residents. The legislation has been proposed by a bipartisan group of legislators, and if passed, would make considerable changes to existing state laws. The proposed legislation applies to personally identifying information. The changes would see the following information included in the definition of PII: Full name or last name and initial in combination with any of the following data elements: Personal ID numbers, Social Security numbers, state ID numbers, state or government driver’s license numbers, passport numbers, biometric data, passwords and pass codes, employment, student and military IDs, financial transaction devices, health information, and health insurance information. Usernames/email addresses, financial account numbers, and credit/debit card numbers are also included, if they are compromised along with other information that allows account access or use. A breach would not be deemed to have occurred if the PII is encrypted, unless the key...

Read More
Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach
Jan18

Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach

Aetna has agreed to settle a class action lawsuit filed by victims of a mailing error that resulted in details of HIV medications prescribed to patients being visible through the clear plastic windows of the envelopes. Aetna was not directly responsible for the mailing, instead an error was made by a third-party vendor. For some of the patients, the letters had slipped inside the envelope revealing the patient had been prescribed HIV drugs. In many cases, those envelopes were viewed by flat mates, family members, neighbors, friends, and other individuals, thus disclosing each patient’s HIV information. Is not known how many patients had their HIV information disclosed, although the mailing was sent to 13,487 individuals. Some of the patients were being prescribed medications to treat HIV, others were taking the medication as Pre-exposure Prophylaxis (PrEP) to prevent contracting the disease. Many of the patients who were outed as a result of the breach have faced considerable hardship and discrimination. Several patients have had to seek alternative accommodation after been forced...

Read More
HHS Sued by CIOX Health Over Unlawful HIPAA Regulations
Jan16

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records. CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients. Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit. CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their...

Read More
Patients in Connecticut Can Now Sue Healthcare Providers for Privacy Violations
Jan16

Patients in Connecticut Can Now Sue Healthcare Providers for Privacy Violations

There is no private cause of action in the Health Insurance Portability and Accountability Act, so patients are not permitted to sue healthcare providers for privacy violations. However, there have been rulings in several states, including New York, Missouri, and Massachusetts, allowing patients to file lawsuits against healthcare providers over unauthorized and negligent disclosures of medical records. Following a ruling by the Connecticut Supreme Court last week, Connecticut residents will be permitted to file lawsuits for damages following negligent disclosures of medical records that have resulted in harm. The legal precedent was set by the Supreme Court in the case Byrne v. Avery Center for Obstetrics & Gynecology. Emily Byrne filed a lawsuit against Avery Center for Obstetrics and Gynecology (ACOG) after her medical records were disclosed to a man seeking custody of her child in a paternity suit. ACOG was issued with a subpoena to appear before an attorney and supply Byrne’s medical records. ACOG did not challenge the subpoena, made no attempt to limit disclosure, and...

Read More
Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000
Dec18

Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000

A data breach experienced by New Hampshire-based Multi-State Billing Services (MBS) has resulted in a $100,000 settlement with the Massachusetts attorney general’s office. MBS is a Medicaid billing company that provides processing services for 13 public school districts in Massachusetts –  Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional. In 2014, MBS learned that a password-protected, unencrypted laptop computer containing the sensitive personal information of Medicaid recipients had been stolen from a company employee. Data stored on the device included names, Social Security numbers, Medicaid numbers, and birth dates. As a result of the laptop theft, more than 2,600 Massachusetts children had their sensitive information exposed. Following the data breach, MBS notified all affected individuals and offered to reimburse costs related to security freezes for three years following the breach. Security was also...

Read More
$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR
Dec15

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI. The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases. 21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals. As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That...

Read More
Lawsuits Filed for Alleged HIPAA and HITECH Act Violations
Nov29

Lawsuits Filed for Alleged HIPAA and HITECH Act Violations

Two lawsuits have been filed against healthcare organizations over alleged HIPAA and HITECH Act violations. 60 Hospitals Named in Lawsuit Alleging HITECH Act Violations A recently unsealed complaint, filed in a U.S. District Court in Indiana in 2016, seeks more than $1 billion in damages from 60 hospitals that received HITECH Act meaningful use incentive payments for transitioning to electronic health records, yet failed to meet the requirements of the HITECH Act with respect to providing patients, and their legal representatives, with copies of health records promptly on request. In order to receive incentive payments, one of the requirements was for hospitals to attest that for at least 50% of patients, they were able to provide copies of medical records within 3 business days of requests being submitted. When copies of health records are requested, the HITECH Act only permits healthcare organizations to charge for labor costs for supplying copies of records. Michael Misch and Bradley Colborn, attorneys with Anderson, Agostino & Keller, P.C., of South Bend Indiana,...

Read More
3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group
Nov22

3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group

A man linked to the hacking group TheDarkOverlord has been sentenced to serve three years in jail for fraud and blackmail offenses, although not for any cyberattacks or extortion attempts related to the The Dark Overlord gang. Nathan Wyatt, 36, from Wellingborough, England, known online as the Crafty Cockney, pleaded guilty to 20 counts of fraud by false representation, a further two counts of blackmail, and one count of possession of a false identity document with intent to deceive. Last week, at Southwark Crown Court, Wyatt was sentenced to serve three years in jail by Judge Martin Griffiths. At the sentencing hearing, Judge Griffiths suggested Wyatt was responsible for many more crimes other than those pursued via the courts. Some of those offenses are related to the TheDarkOverlord. In September last year, Wyatt was arrested for attempting to broker the sale of photographs of Pippa Middleton, which had been obtained from a hack of her iPhone. Pippa Middleton is the sister of the Duchess of Cambridge. The charges in relation to that incident were dropped and Wyatt maintains he...

Read More
5 Year Jail Term Upheld for Clinic Worker Who Stole PHI
Nov15

5 Year Jail Term Upheld for Clinic Worker Who Stole PHI

A clinic worker who stole the protected health information of mentally ill patients and sold the data to identity thieves has failed to get his 5-year jail term reduced. Jean Baptiste Alvarez, 43, of Aldan, PA, stole daily census sheets from the Kirkbride Center, a 267-bed behavioral health care facility in Philadelphia. The census sheets contained all the information needed to steal the identities of patients and submit fraudulent tax returns in their names – Names, Social Security numbers, dates of birth and other personally identifiable information. Alvarez had the opportunity to steal the data undetected, as the floor where the sheets were kept did not have security cameras. Alvarez was paid $1,000 per census sheet by his to-co-conspirators, who used the information to submit 164 fraudulent tax returns in the names of the patients, resulting in a loss of $232,612 in tax revenue for the IRS. In early 2016, Alvarez was found guilty of conspiracy to defraud, misuse of Social Security numbers, and aggravated identity theft. The latter carried a minimum sentence of 2 years. The...

Read More
Can A Patient Sue for A HIPAA Violation?
Nov07

Can A Patient Sue for A HIPAA Violation?

Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules. So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws. In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information....

Read More
Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG
Nov03

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. The aim of the act is to protect New Yorkers from needless breaches of their personal information and to ensure they are notified when such breaches occur. The program bill, which was sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to improve protections for New York residents without placing an unnecessary burden on businesses. The introduction of the SHIELD Act comes weeks after the announcement of the Equifax data breach which impacted more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase in breaches from the previous year. Attorney General Schneiderman explained that New York’s data security laws are “weak and outdated” and require an urgent update. While federal laws require some organizations to implement data security controls, in New York, there are no...

Read More
Employees Sue Lincare Over W2 Phishing Attack
Oct23

Employees Sue Lincare Over W2 Phishing Attack

In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data. The W2 forms of thousands of employees were emailed to a fraudster by an employee of the human resources department. The HR department employee was fooled by a business email compromise (BEC) scam. While health data was not exposed, names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker. This year has seen an uptick in W2 phishing scams, with healthcare organizations and schools extensively targeted by scammers. The scam involves the attacker using a compromised company email account – or a spoofed company email address – to request copies of W2 forms from HR department employees. Cyberattacks that result in the sensitive data of patients and consumers being exposed often results in class action lawsuits, although it is relatively rare for employees to take legal action against their employers. Lincare is one of few companies to face a lawsuit for failing to protect employee data. Three former...

Read More
Termination for Nurse HIPAA Violation Upheld by Court
Oct19

Termination for Nurse HIPAA Violation Upheld by Court

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’ The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician. Alleged Improper Disclosure of Sensitive Health Information Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked...

Read More
Former Nurse Convicted of Theft of Patient Information and Tax Fraud
Oct16

Former Nurse Convicted of Theft of Patient Information and Tax Fraud

A former nurse from Midway, FL has been convicted of wire fraud, theft of government funds, possession of unauthorized access devices and aggravated identity theft by a court in Tallahassee. 41-year old Tangela Lawson-Brown was employed as a nurse in a Tallahassee nursing home between October 2011 and December 2012. During her time at the nursing home, Lawson-Brown stole the personal information of 26 patients, although she was discovered to have a notebook containing the personal information of 150 individuals. According to a press release issued by the United States Attorney’s Office for the Northern District of Florida, Lawson-Brown’s husband was arrested in January 2013 and items were seized from Lawson-Brown’s vehicle by the Tallahassee Police Department, including the notebook. The police investigation revealed that in 2011, Lawson-Brown used the stolen credentials to file fraudulent tax returns in the names of 105 individuals, including 24 patients of the nursing home. Lawson-Brown filed claims totaling more than $1 million. The IRS detected many of the claims as fraudulent,...

Read More
Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement
Oct02

Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement

The 2016 SAManage USA data breach that saw the Social Security numbers of 660 Vermont residents exposed online has resulted in a settlement of $264,000 with the Vermont Attorney General. In 2016, SAManage USA, a technology company that provides business support services, failed to secure an Excel spreadsheet relating to the state health exchange, Vermont Health Connect. The spreadsheet was attached to a job ticket that was part of the firm’s cloud-based IT support system and was assigned a unique URL. The URL could theoretically have been guessed by anyone and accessed via a web browser without any need for authentication. The spreadsheet was also indexed by the Bing search engine and was displayed in the search results. Bing also displayed a preview of the contents of the spreadsheet, which clearly displayed names and Social Security numbers. Vermont Attorney General T.J Donovan said a Vermont resident found the spreadsheet via the search engine listings and reported the breach to his office, triggering an investigation. The Vermont Attorney General’s office contacted AWS and...

Read More
New York Hospital Sued for Disclosing Patient’s HIV Status to Employer
Sep14

New York Hospital Sued for Disclosing Patient’s HIV Status to Employer

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged HIPAA violations over a 2014 impermissible disclosure of a patient’s HIV positive status to his employer. St. Luke’s Hospital had faxed a document to the mailroom of the patient’s employer, rather than sending the information to a post office box as requested by the patient via his Authorization for Release of Medical Information form. The hospital, formerly known as the Spencer Cox Center for Health, also faxed the PHI of another patient to an office where he volunteered. St. Luke’s Hospital agreed to pay OCR $387,000 to resolve the case. St. Luke’s Hospital also agreed to a corrective action plan that required a review of its policies and procedures concerning PHI disclosures and further training of its employees. St. Luke’s Hospital accepted a mistake was made and the measures being undertaken will help to ensure similar incidents do not occur in the future. However, the hospital has refused to enter into a settlement...

Read More
CareFirst Data Breach Lawsuit May be Heading to the Supreme Court
Sep14

CareFirst Data Breach Lawsuit May be Heading to the Supreme Court

In June 2014, hackers succeeded in gaining access to a database maintained by CareFirst BlueCross BlueShield and the protected health information of 1.1 million of its members. The types of information exposed as a result of the hack included names, email addresses, dates of birth, and subscriber ID numbers. Lawsuits were filed following the breach, with the plaintiffs seeking damages for the elevated risk of identity theft and fraud they faced as a result of the breach. In 2016, the U.S. District Court for the District of Columbia and dismissed one punitive class action lawsuit against CareFirst – Chantal Attias vs. Carefirst, Inc. – for lack of standing. Further complaints were also dismissed by two federal district courts. However, on August 1, 2017, the case was revived when the U.S. District Court for the District of Columbia allowed the case to proceed, even though there was not a concrete, identifiable injury to plaintiffs. CareFirst submitted a motion for a stay to allow an appeal to be filed with the Supreme Court. Last week, U.S. District Court for the...

Read More
Healthcare Industry Tops List for Class Action Data Breach Lawsuits
Sep13

Healthcare Industry Tops List for Class Action Data Breach Lawsuits

In 2016, the healthcare industry faced the most class-action data breach lawsuits, according to a new analysis of data breach lawsuits by the law firm, Bryan Cave, LLP, although the risk of litigation following a breach is still relatively low. To produce the 2017 data breach litigation report, Bryan Cave conducted a comprehensive review and analysis of all class action lawsuits filed by victims of data security breaches in 2016. The report explains that while there is always a threat of legal action being taken by data breach victims, the risk of a company facing litigation following a data breach is fairly low due to the difficult plaintiffs have establishing an injury has been caused. Year over year, there was a slight (7%) increase in class action lawsuits filed against companies that have experienced a data breach although there was a fall in the number of breaches that resulted in lawsuits. The report shows only 3.3% of data breaches in 2016 resulted in class action lawsuits compared to between 4%-5% in previous years. In total, 76 class actions were filed in 2016 as a result...

Read More
Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients
Aug31

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. Details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses, in a recent mailing. The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed. Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused....

Read More
Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware
Aug24

Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware

For the first time in 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws, with California also requiring the provision of credit monitoring services to breach victims. Breach victims must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach. The new law also requires companies operating in the state to implement “reasonable” security measures to safeguard personal information – Delaware is the 14th state to require companies to adopt security measures to ensure sensitive information is protected. The definition of ‘personal information’ has also been expanded and now includes usernames/email addresses in combination with a...

Read More
$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching
Aug10

$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement. Yesterday, New York Attorney General Eric T. Schneiderman announced a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York and 32 other states. Nationwide will pay a total of $5.5 million, $103,736.78 of which will go to New York State. The settlement will cover the costs of the investigation and litigation, with the remaining funds used for consumer protection law enforcement and other purposes. The investigation was launched following a 2012 breach of the sensitive data of 1.27 million individuals, some of whom were customers, although many had only obtained quotes from Nationwide and its subsidiary and did not go on to take out insurance policies. In 2012, hackers infiltrated Nationwide’s systems and stole the personal information of consumers along with highly...

Read More
U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses
Aug09

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient. Jesse’s law takes its name from Michigan resident Jessica Grubb who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addition for seven years, but prior to surgery had been clean for 6 months. Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use. The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed...

Read More
Maryland Data Breach Notification Law Updated
Aug07

Maryland Data Breach Notification Law Updated

Maryland data breach notification law has been updated, with the definition of personal information now expanded. The current data breach notification statute in Maryland does not include health insurance information or data covered under the definition of the Health Insurance Portability and Accountability Act (HIPAA), although from January 1, 2018 that will change. Maryland data breach notification law – specifically the Maryland Personal Information Protection Act – requires breach notification letters to be sent to all Maryland residents affected by a breach of personal information. Those notifications must be issued as soon as it is practicable to do so, but no later than 45 days after the discovery of a data breach that has resulted in personal information being misused or if it is likely that data could be misused. The current definition of personal information includes a Maryland resident’s first and last name or initial and last name along with either a driver’s license number, Social Security number, financial account number, credit or debit card number (with a security...

Read More
CareFirst Can Be Sued for Breach, Rules Court of Appeals
Aug02

CareFirst Can Be Sued for Breach, Rules Court of Appeals

The D.C. Circuit Court of Appeals has ruled that CareFirst can be sued for a 2014 data breach that saw the PHI of more than 1 million members exposed and potentially stolen. Following the announcement of the data breach, a lawsuit was filed by seven plaintiffs to recover damages, although in August last year the case was dismissed by a district court judge for lack of standing. The plaintiffs alleged that the breach had occurred as a result of the carelessness of CareFirst, and as a direct result of that carelessness, they faced an increased risk of suffering identity theft and fraud. The district court judge dismissed the case as the plaintiffs failed to establish harm, or a significant threat of future harm. The judge explained that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.” However, the three-judge panel overturned the previous ruling claiming the interpretation of the law was ‘unduly narrow’, explaining that all the plaintiffs were required to establish at that...

Read More
Massive Healthcare Fraud Takedown Sees 412 Charged for $1.3 Billion in Fraudulent Billings
Jul19

Massive Healthcare Fraud Takedown Sees 412 Charged for $1.3 Billion in Fraudulent Billings

Last week, the United States Department of Justice announced the largest healthcare fraud action to date. 412 individuals were charged, including 115 doctors, nurses and other medical professionals for their roles in healthcare fraud schemes. 120 doctors and other medical professionals were charged for prescribing opioids and other dangerous narcotics. The HHS has also initiated suspension actions against 295 doctors, nurses and pharmacists. The charges aggressively targeted individuals responsible for fraudulent Medicaid, Medicaid and TRICARE billings, although this year also saw a focus on doctors and other medical professionals that have been fueling the opioid epidemic by illegally distributing opioids and pother powerful narcotics. Approximately 91 Americans lose their lives each day due to opioid overdoses. The bust was a joint operation by the Department of Justice, FBI, Medicaid Fraud Strike Force, DEA, U.S Attorney’s Office and the Department of Health and Human Services. A joint announcement about the bust was made by Attorney General Jeff Sessions and HHS Secretary Tom...

Read More
Indiana Senate Passes New Law on Abandoned Medical Records
Jul13

Indiana Senate Passes New Law on Abandoned Medical Records

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information. HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and when PHI is no longer required, covered entities must ensure it is disposed of securely. For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data, purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or...

Read More
Pair Charged with Identity Theft in Relation to WVU Medicine Breach
Jun27

Pair Charged with Identity Theft in Relation to WVU Medicine Breach

A federal grand jury has charged a former healthcare worker and her accomplice with identity theft, aggravated identity theft, bank fraud and producing false documents. The charges relate to the theft of PHI from WVU Medicine University Healthcare. Angela Dawn Roberts, 41, of Stephenson, VA had previously worked at WVU Medicine Berkley Medical Center, where she is alleged to have accessed the WVU Medicine University Healthcare database to obtain sensitive patient information in order to steal the identities of patients. Court documents indicate names, addresses, dates of birth, Social Security numbers and driver’s license numbers were accessed and manually copied onto paper, with printouts of driver’s licenses also made. Angela Roberts is alleged to have disclosed the information to her accomplice, Ajarhi Savimi Roberts, 24, of Stephens City, VA. Ajarhi Roberts used the information to open bank accounts and obtain credit cards in victims’ names and used the accounts to steal thousands of dollars. The crimes occurred between March 1, 2016, and Jan. 31, 2017. The pair, who also used...

Read More
World’s Largest Data Breach Settlement Agreed by Anthem
Jun26

World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information. A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever – Substantially higher than $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50-million record breach in 2014. After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in...

Read More
Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG
Jun19

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc., until January 2017 to issue breach notifications. An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details. The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual. However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of...

Read More
MDLive Privacy Lawsuit Voluntarily Dismissed
Jun06

MDLive Privacy Lawsuit Voluntarily Dismissed

The MDLive privacy lawsuit filed by law firm Edelson PC on behalf of plaintiff Joan Richards over alleged privacy violations has been voluntarily dropped without any settlement paid. The lawsuit was filed after following an alleged discovery that screenshots were repeatedly taken by MDLive and were passed to third-party Israeli firm Test Fairy. Test Fairy had been contracted to perform quality control checks and debugging services. However, the plaintiff alleged that the sending of screenshots, which contained sensitive information entered by users of MDLive, was a violation of patient privacy. Following the filing of the lawsuit on April 18, 2017, MDLive published a fact sheet explaining its relationship with the Israeli firm, stating the allegations were false, that there had not been a data breach and no HIPAA Rules had been violated. MDLive also said in the fact sheet that no data had been shared with unauthorized third parties. Some data had been disclosed to authorized third parties, although those firms were bound by contractual obligations and had agreed only to use data...

Read More
Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine
May11

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure on a press release issued by MHHS in September 2015. Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September, a patient visited a MHHS clinic and presented a fraudulent identification card to hospital staff. The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules. However, the following action taken by the hospital was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patients name in the title of the press release. That press release was approved before release by MHHS senior management, even though naming the patient...

Read More
MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations
Apr26

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients. App users are required to enter in a range of sensitive information into the MDLive app; however, the complainant alleges that during the first 15 minutes of use, the app takes an average of 60 screenshots and that those screenshots are sent to an Israeli company called Test Fairy, which conducts quality control tests for MDLive. The lawsuit alleges patients are not informed that their information is disclosed to a third-party company, and that all data entered into the app can be viewed by MDLive employees, even though there is no reason for those employees to be able to view the data. Users of the app enter their medical information during setup in order to find local healthcare providers. The types of information entered by users includes sensitive data such as health conditions, recent medical procedures, behavioral health histories,...

Read More
Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million
Apr24

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine. A $2.5 million settlement has been agreed with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Settlement have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first-time OCR has settled potential HIPAA violations with a wireless health services provider. While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures. In this case, the settlement relates to a data...

Read More
$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr13

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to (MCPN) personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients. OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from...

Read More
Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status
Mar24

Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status

A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status. The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived. In contrast to many healthcare data breach lawsuits that are filed following cyberattacks by hackers, this incident involved an insider. A phlebotomist employed at Flowers Hospital – Kamarian Millender – stole non-hospital records stored at the hospital. The information in those records was used to file fraudulent tax returns in the names of 124 individuals over two years. Millender was arrested in 2014 and was found to be in possession of 54 patient records. Millender was subsequently charged with trafficking stolen identities and aggravated identity theft and pled guilty to stealing 73 identities for the purpose of filing fraudulent tax returns. In total, prosecutors alleged tax returns totaling around $536,000 were submitted...

Read More
Court of Appeals Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft
Jan24

Court of Appeals Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi. The incident which led to the lawsuit occurred between November 1 and 3, 2013. Two unencrypted laptop computers containing the personal information of 839,000 plan members were stolen from Horizon BCBS’s headquarters in Newark, NJ. Stored on the laptops were names, addresses, birth dates, Social Security numbers, medical histories, demographic data, lab test results, insurance information, and other care-related data. Four plaintiffs – Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell Rindner – are named on the lawsuit, which was filed on behalf of themselves and other customers whose personal information was exposed. The complainants maintain that the laptop computers were targeted...

Read More
Hospital Employee Jailed for Credit Card Theft
Dec12

Hospital Employee Jailed for Credit Card Theft

An employee of Banner Boswell Hospital in Sun City, AZ has been arrested and jailed for stealing credit card details from hospital patients. Filip Chudziak, 40, of Surprise, AZ was charged with identity theft, fraudulent schemes, and fraudulent use of credit cards by the Maricopa County Sheriff’s Office this weekend following an investigation into credit card fraud by Maricopa County detectives. The offenses were committed over a period of three months. Potentially fraudulent transactions were reported to law enforcement by Joe Bob’s Outfitters in Kansas and also reported to the Hays City Police Department by multiple patients who had noticed fraudulent charges on their credit card statements. Chudziak’s role at Banner Boswell Hospital involved moving patients and their possessions while they were receiving treatment at the hospital. Chudziak allegedly used access to patients’ possessions to obtain their credit cards. He then used those details to make online purchases at Joe Bob’s Outfitters. Using his mother-in-law’s name and a number of different billing addresses, Chudziak...

Read More
21st Century Cures Bill Sails Through Senate
Dec08

21st Century Cures Bill Sails Through Senate

Last week, the House of Representatives unanimously voted in favor of the 21st Century Cures Act. Yesterday, the bill sailed through the Senate with a vote of 94-5. All that remains is for President Obama to add his signature to the bill, which is expected to happen in the next few days. President Obama has already said he is happy to sign the new bill. The bill will provide funding for a number of initiatives that are intended to hasten the development of new cures and medical devices to treat cancer and other diseases. The bill makes more funds available for mental health treatment as well as for programs to tackle the growing problem of opioid abuse in the United States. $500 million per year will be made available for the latter to prevent new cases of opioid abuse and to fund treatment programs for addicts. The bill had originally called for changes to be made to the Health Insurance Portability and Accountability Act to improve data sharing for research purposes. By classifying research under healthcare operations, it would have been possible for the identifiable protected...

Read More
21st Century Cures Act Unanimously Passed by House
Dec01

21st Century Cures Act Unanimously Passed by House

The 21st Century Cures Act has been passed by the House of Representatives with a vote of 392-26. One Democrat and twenty Republicans voted against the bill. The legislation will now go to the Senate for the vote, which will take place early next week. The legislation was passed by the House last year, although the bill failed in the Senate in July 2015. Numerous revisions have been made since last summer and this time around the 21st Century Cures Act is expected to be passed by the Senate. However, not unanimously. Some senators are certain to vote against the legislation, including Senators Bernie Sanders (I-Vt.) and Elizabeth Warren (D-Mass.). Both strongly oppose the changes that have been made to the legislation to appease the pharmaceutical industry. The main purpose of the $6.3 billion bill is to advance medical innovation. A sizable chunk of cash will be given to a number of programs introduced by the Obama administration. NIH will receive $4.8 billion in funding over the next 10 years which will go towards programs such as the cancer moonshot research project, the...

Read More
HIPAA Breach Class-Action Dismissed for Lack of Evidence of Harm
Sep23

HIPAA Breach Class-Action Dismissed for Lack of Evidence of Harm

A class-action data breach lawsuit – Cox v. Valley Hope Association – has been dismissed by the U.S. District Court for The Western District of Missouri Central Division for lack of standing. In February 2016, Valley Hope Association, a healthcare organization providing drug, alcohol, and addiction treatment services, alerted patients to a breach of ePHI that occurred on December 30, 2015. The PHI of more than 52,000 patients was exposed when an unencrypted laptop computer was stolen from the vehicle of an employee. The data stored on the device included the personal and treatment information of 52,076 patients. While the laptop computer required a password to access the data, the device was not encrypted. After being notified of the breach, plaintiff Robert Cox filed the suit in Missouri state court on March 17, 2016. Cox and other members of the putative class sought damages for the exposure of personal information and increased risk of identity theft. In the suit, Cox claimed Valley Hope Association breached its fiduciary duty, breached its contract, violated the state...

Read More
Banner Health Class-Action Claims 12 Months ID Theft Protection is Insufficient Reparation
Aug10

Banner Health Class-Action Claims 12 Months ID Theft Protection is Insufficient Reparation

Following a healthcare data breach, a class-action lawsuit is almost guaranteed to be filed. However, the newsprint has barely dried, yet a class-action lawsuit has already been filed against Banner Health Network. The suit has not been filed by a patient, but on behalf of a former Banner Health physician whose information was exposed in the 3.7 million-record breach reported last week. The suit was filed three days after the breach was announced. Law firm Hagens Berman Sobol Shapiro filed the lawsuit on behalf of Dr. Howard Chen: A former Ophthalmologist at Banner Thunderbird Hospital in Glendale, Arizona. Chen used his Banner Health insurance while employed at the hospital between 2010 and 2013 and is concerned that his information was obtained by the hackers. The lawsuit is not being filed to recover damages related to identity theft, but in order to obtain compensation to cover the cost of paying for credit monitoring and identity theft protection services. Banner Health has offered these services to all affected individuals, but only for a period of 12 months. Dr. Chen’s...

Read More
CareFirst Inc. Data Breach Lawsuit Dismissed for Lack of Standing
Jul15

CareFirst Inc. Data Breach Lawsuit Dismissed for Lack of Standing

A class-action data breach lawsuit filed against CareFirst Inc., and CareFirst of Maryland Inc., following the 1.1 million-record data breach of 2015 – and a second breach in 2014 – has been dismissed by a Maryland federal court for lack of standing. The lawsuit, which was filed by two plaintiffs – Scott Adamson and Pamela Chambliss – was dismissed by Judge Richard Bennett after the pair were unable to allege facts sufficient to support the case. The pair alleged CareFirst had been negligent for failing to protect its computer hardware, resulting in the exposure of plan members’ names, ID numbers, and dates of birth. While any health insurer data breach could potentially place plan members at risk of harm or loss, in this case no Social Security numbers, credit card numbers, or financial information were exposed. The plaintiffs did not allege that their personal information had actually been used, but claimed their personal information had value and its exposure placed them at an increased risk of harm or loss. However, there was some doubt as to the amount of...

Read More
House Passes Mental Health Reform Bill (Without the HIPAA Changes)
Jul14

House Passes Mental Health Reform Bill (Without the HIPAA Changes)

A mental health bill that aims to improve mental healthcare in the United States has been passed by the House. The bill – H.R. 2646 – which was first introduced three years ago, was intended to usher in sweeping changes to improve the treatment of mental illness in the United States. While the bill was passed with an overwhelming majority of 422-2 last Wednesday, a number of the more contentious issues needed to be removed from the bill. One of the sticking points that was dropped from the bill were the changes to the Health Insurance Portability and Accountability Act (HIPAA). The bill introduces a number of important changes that will improve mental health care; however, the proposed changes to HIPAA were opposed by a number of Democrats and Republicans. In order for the bill to be passed, the HIPAA changes had to be dropped. In its original form, the bill would have changed HIPAA Rules to permit healthcare providers to share mental health data about patients with their caregivers. Instead, the Department of Health and Human Services is now required to clarify the law...

Read More
Philadelphia Business Associate Agrees to $650,000 OCR Settlement
Jun30

Philadelphia Business Associate Agrees to $650,000 OCR Settlement

On June 24, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) published details of a resolution agreement that was reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS).  CHCS has agreed to settle alleged HIPAA violations with the OCR and has agreed to implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS is the sole corporate parent of six nursing facilities – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing facilities. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules. In February 2014, each of the six nursing facilities submitted a breach notice to the OCR regarding a breach of ePHI. On April 17, 2014, the OCR launched an investigation into the breach. A large number of OCR investigations into ePHI breaches have revealed failures to comply with HIPAA administrative safeguards – specifically 45...

Read More
Criminal HIPAA Case: Conviction for Respiratory Therapist
Jun28

Criminal HIPAA Case: Conviction for Respiratory Therapist

A former respiratory therapist has been convicted on criminal HIPAA violations by a federal jury in Ohio. The jury agreed with prosecutors that the protected health information of patients was wrongly obtained and that PHI was used to seek and obtain intravenous prescription drugs. Jamie Knapp was employed as a respiratory therapist at the ProMedica Bay Park Hospital in Oregon, Ohio. Over a period of 10 months Knapp improperly accessed the medical records of 596 patients. Knapp was permitted access to patient records in order to conduct her work duties; however, she was only permitted access to the records of patients she was treating. Knapp abused her access rights and viewed the PHI of other patients without authorization, according to the prosecution. Sentencing has been tentatively scheduled for October and Knapp could be jailed for up to a year. It is relatively rare for individuals to be tried for HIPAA violations, even when violations of the Health Insurance Portability and Accountability Act clearly appear to have taken place. Criminal convictions are even rarer. In order...

Read More
Nurse Charged with Bank Fraud: HIPAA Breach Trial for Respiratory Therapist
Jun23

Nurse Charged with Bank Fraud: HIPAA Breach Trial for Respiratory Therapist

Healthcare workers can face lengthy jail terms and heavy fines for improperly accessing patient health information. This week, a nurse has been charged with fraud and identity theft and the trial of a respiratory therapist has commenced in Toledo. If found guilty, both could spend time behind bars. Virginia Nurse Charged with Bank Fraud and Identity Theft A nurse formerly employed at Commonwealth Primary Care in Richmond, VA., has been charged with bank fraud and identity theft and is expected to plead guilty to the charges at a plea agreement hearing scheduled for Friday morning. Capri Williams worked for at the West End branch of Commonwealth Primary Care for almost a year. During that time, she is believed to have accessed and copied the protected health information of hundreds of patients. Williams is alleged to have used patient information to fraudulently open bank and credit accounts in patients’ names. Williams has also been accused of making a fraudulent transfer of over $4,000 from one of the patients’ credit cards. According to WTVR, Commonwealth Primary Care received a...

Read More
Anthem Data Breach Lawsuit Heading for Trial
Jun06

Anthem Data Breach Lawsuit Heading for Trial

Following the mammoth 2015 data breach at Anthem Inc., around 100 lawsuits were filed by plan members seeking damages for the exposure of their protected health information. In June last year, the lawsuits were consolidated and moved to the Northern District of California and are being presided over by the Honorable Lucy H. Koh. The cyberattack on Anthem was the largest healthcare data breach ever reported, involving approximately 37 million records and affecting close to 78.8 million individuals. The persons responsible for the cyberattack have not been identified, although the security breach is widely believed to have been a state-sponsored attack by Chinese hackers. Class-action lawsuits are often filed by data breach victims following the exposure of personally identifiable information, although the cases are usually dismissed unless there is concrete evidence of actual harm of losses being suffered by the victims. However, the huge data breach case has survived motions to dismiss and looks set to be heading to trial. Last week, Koh indicated the latest motion by the defense...

Read More
Class-Action Lawsuit Filed Against Sharp Grossmont Hospital for Video Privacy Breach
May30

Class-Action Lawsuit Filed Against Sharp Grossmont Hospital for Video Privacy Breach

A class-action lawsuit has been filed against San Diego’s Sharp Grossmont Hospital for breaching the privacy of thousands of patients during and after a covert surveillance operation into drug theft at the hospital. Sharp Grossmont Hospital had installed hidden cameras in monitors in all three emergency rooms in the hospital in an attempt to obtain video evidence against a physician who was under investigation for the alleged theft of the sedative drug Propofol from operating room drug carts. While it was not the intention of the hospital to film patients, video clips were recorded of patients giving birth and undergoing other medical procedures. According to the lawsuit, approximately 15,000 videos were captured in total, of which 6,966 have been retained by the hospital. The hospital first installed the cameras in July 2012 as part of a year-long investigation into drug theft. The hidden cameras contained motion sensors which were triggered when individuals entered the operating rooms. The investigation ended in June 2013 and the cameras were removed. According to the lawsuit,...

Read More
ACLU Claims Myriad Genetics Violated HIPAA Rules by Withholding Genetic Data
May24

ACLU Claims Myriad Genetics Violated HIPAA Rules by Withholding Genetic Data

Late last week, a complaint was filed with the Department of Health and Human Services’ Office for Civil Rights by the American Civil Liberties Union after Myriad Genetics refused to provide four patients with copies of their full genetic records – an alleged breach of the HIPAA Privacy Rule. The patients in question had undergone genetic tests to assess hereditary risk for bladder, breast, and ovarian cancer. Myriad provided the patients with details of the genetic factors which were deemed to be significant and useful for healthcare providers. However, the data provided to the patients did not include information about all of the genetic variants Myriad’s testing had uncovered. The patients requested copies of all of their genetic data that was held by Myriad Genetics, including the genetic variants that Myriad deemed not to pose a risk to the patients. Myriad refused to provide copies saying the patients were not entitled to copies of the withheld data. It was claimed that the withheld data was not part of the designated record set which Myriad is required to provide to patients...

Read More
Engineer Indicted on Charges of Trade Secret Theft from Medical Device Companies
May20

Engineer Indicted on Charges of Trade Secret Theft from Medical Device Companies

The United States Department of Justice has charged an engineer with the theft and possession of trade secrets belonging to two medical device manufacturers. 43-year old Wenfeng Lu of Irvine, California, was indicted on 12 charges by a grand jury on Wednesday this week. Lu is alleged to have stolen proprietary trade secures from EV3 Covidien while employed at the company between January 2009 and October 2011, and from Edwards Lifesciences Corp., where he was employed between November, 2011 and November, 2012. Lu is alleged to have stolen information and emailed the confidential data to his personal email account. It has also been alleged that Lu took photographs of equipment and copied company reports, presentations, emails, and test results. Lu visited the People’s Republic of China (PRC) on multiple occasions after obtaining data. It is alleged that Lu was attempting to set up his own company with associates in PRC and planned to use the trade secrets to manufacture medical devices in PRC. Lu was arrested by the FBI in 2012 while preparing to board a plane bound for PRC. Lu was...

Read More
Illinois Data Breach Notification Law Updated
May20

Illinois Data Breach Notification Law Updated

Illinois data breach notification law has been updated, broadening the definition of personal information and changing the timescale for notifying the Attorney General of data breaches. A breach notification will need to be issued if a person’s full name or last name and initial is exposed in combination with any of the following data elements: Driver’s license number Social Security number Credit or debit card number Biometric data Usernames and email addresses (along with passwords or other data that would allow access to accounts to be gained) Medical information Health insurance information Notifications will not be required if a breach occurs and data are encrypted, or if exposed data are publicly available. The new law specifically mentions health insurance information which includes a subscriber ID number, health insurance policy number, or any other unique identifier used to identify an individual. Any medical data provided to a health insurer in an application, appeals records, or claims history, is also included in the new definition. The exposure of information relating...

Read More
Data Breach Class-Action Lawsuit Denied by Penn. Superior Court
May05

Data Breach Class-Action Lawsuit Denied by Penn. Superior Court

A proposed class-action lawsuit filed against two health plans for the exposure of members’ protected health information has been rejected by the Pennsylvania Supreme Court. Avrum Baum filed a lawsuit against Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in 2010 following the loss of a flash drive containing the data of approximately 286,000 patients. One of the patients affected by the data breach was Baum’s special needs daughter. Baum claimed in the suit that the loss of the device violated the privacy rights of patients. He also claimed the health plans had been negligent by failing to protect the data of patients, and the health plans had inaccurately told patients that their protected health information (PHI) was secured. Baum claimed that deceptive practices were used, which violated Uniform Trade Practices and Consumer Protection Law (UTPCPL). In July 2013, the class-action lawsuit was denied by a trial judge as Baum could not show that his daughter’s PHI was stored on the device and that the case did not have standing because Baum had not purchased his...

Read More
Chicago Hospital Council Files Lawsuit to Prevent Deletion of Patient Data
Apr28

Chicago Hospital Council Files Lawsuit to Prevent Deletion of Patient Data

A lawsuit has been filed against Sandlot Solutions, Inc., and its parent company Santa Rosa Consulting by the MCHC-Chicago Hospital Council in an attempt to prevent the deletion of more than 2 million patient records from Sandlot’s servers. The MCHC-Chicago Hospital Council (MCHC), which includes over 30 area hospitals, operates the MetroChicago Health Information Exchange (HIE). The HIE was formed to allow all participating hospitals to quickly and easily share patient health information and ensure that up-to-date medical records of patients could always be obtained by doctors and healthcare professionals. The HIE contains patient data collected over the past seven years. The HIE is hosted by healthcare information technology company Sandlot Solutions, Inc. On March 28, 2016., Sandlot notified MCHC that it would be winding down its operations and would soon be going out of business. Sandlot is alleged to have shut down access to the HIE a day later. MCHC was also advised that Sandlot would be deleting all HIE data from its servers within 24 hours of providing the council with a...

Read More
New York Hospital Fined $2.2 Million for Unauthorized Filming of Patients
Apr22

New York Hospital Fined $2.2 Million for Unauthorized Filming of Patients

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from the patients. In 2011, an ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed including a dying man and another patient who was seriously distressed. The footage was aired in 2012. Authorization to film had been given by NYP, although not all patients gave their consent to be filmed. One of the patients was Mark Chanko . He had been rushed to hospital after being hit by a sanitation truck. He was filmed receiving treatment from chief surgery resident Sebastian Schubl. Despite the best efforts of Schubl, Chanko died from the injuries sustained in the accident. Chanko had not given NYP permission to film him. To hide his identity ABC used blurring and voice alteration software. This did not prevent the crew from viewing Chanko’s PHI and it was not sufficient to hide his identity from...

Read More
Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA
Apr20

Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. OCR launched an investigation into a data breach reported by Raleigh Orthopaedic on April 30, 2013. Raleigh Orthopaedic had agreed to provide a potential business associate (BA) with X-Ray films in order to have images transferred to a digital format. The company was allowed to recycle the original films to recover the silver after the images had been transferred to an electronic format. However, the agreement was reached over the telephone and no BAA was obtained. Prior to providing the company with the X-Rays Raleigh Orthopaedic should have issued a BAA and obtained a signed copy. The BAA should have detailed the responsibilities the company had to ensure...

Read More
Lawsuit Filed Against Facebook and Cancer Sites for Alleged HIPAA Violation
Apr15

Lawsuit Filed Against Facebook and Cancer Sites for Alleged HIPAA Violation

A lawsuit has been filed in Federal Court in San Jose, California by cancer patients who allege they have had their privacy violated after visiting the websites of cancer institutes. The plaintiffs claim that the websites of some cancer institutes contain secret code that captures data and passes the information to Facebook for marketing purposes. After visiting the websites, the plaintiffs claim they have been served advertisements relating to very specific types of cancer. It is alleged that in order for those advertisements to be served, Facebook must have been provided with site search data and the specific webpages that were visited. Lead plaintiff in the case, Winston Smith, claims to have visited cancer.org, a website of the American Cancer Society. Smith conducted searches on the site for information on lung cancer and claims those searches, and information about the webpages he visited, were provided to Facebook which used the information to serve him targeted adverts. Smith claims that Facebook’s privacy policy does not specifically mention that highly sensitive medical...

Read More
California Ransomware Bill Passed by State Senate Committee
Apr15

California Ransomware Bill Passed by State Senate Committee

Californian Senator Bob Hertzberg introduced a new bill (Senate Bill 1137) in February which proposes an amendment to the penal code in California to make it a crime to knowingly install ransomware on a computer. The bill has now been passed by the senate’s Committee on Public Safety, taking it a step closer to being introduced into the state legislature. The bill must now go before the state Senate Appropriations Committee; after which it will be considered by both houses. Currently, state law in California covers crimes relating to computer services including “knowingly introducing a computer contaminant,” as well as extortion, the latter being defined as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.” Under existing laws, extortion is punishable with a prison term of 2,3, or 4 years. Ransomware is covered under current laws, although Senator Hertzberg believed an update was necessary given the extent to which ransomware is now being used to extort money from businesses. FBI figures suggest that in the first 3 months of...

Read More
Federal Court Rules Data Breach Covered by CGL Insurance Policy
Apr14

Federal Court Rules Data Breach Covered by CGL Insurance Policy

A federal appeals court ruled this week that Travelers Insurance has a duty to defend Portal Healthcare Solutions in a class-action lawsuit filed by patients whose medical records were exposed on the Internet in 2013. The lawsuit was filed following the exposure of 2,300 patients’ medical records in 2012/2013. The records were stored on computer server that could be accessed over the Internet, and the data of some patients had been indexed by the search engines. Two patients filed a class-action lawsuit after discovering their data could be accessed via Google. The patients claimed they both searched for their own names on Google and the first links that appeared were for their medical records. Both were patients of Glen Falls Hospital in New York. The lawsuit was filed against Portal Healthcare Solutions, which was contracted by Glen Falls Hospital to store patients’ medical records. The server on which doctors’ notes were stored should have been secured; however, a configuration error resulted in data being left unprotected. The files were accessible due to a misconfigured...

Read More
Anthem’s Request to Access Breach Victims’ Computers Denied
Apr13

Anthem’s Request to Access Breach Victims’ Computers Denied

Following any significant breach of protected health information HIPAA covered entities can expect breach victims to file lawsuits to recover damages. Last year’s 78.8 million-record data breach at Anthem Inc., is no exception. Over 100 lawsuits have been filed by plaintiffs to recover damages. Some of the suits are speculative, with plaintiffs attempting to recover damages for the increased risk of harm now faced, although some breach victims are claiming to have suffered actual losses as a result of the Anthem data breach. It is not surprising that the insurer’s legal team has attempted to determine whether the victims have actually suffered losses as a direct result of the Anthem breach. In 2015, over 113 million healthcare records were exposed or stolen. The majority of those records were stolen in the Anthem data breach, but it is conceivable that identity theft could have resulted from another healthcare – or non-healthcare – data breach, from a lack of basic security measures applied by the victims, or from the inadvertent installation of malware on victims’...

Read More
21st Century Oncology Patients Seek Damages After PHI Exposure
Mar25

21st Century Oncology Patients Seek Damages After PHI Exposure

Earlier this month, 21st Century Oncology reported a hacking incident that resulted in the exposure of 2,213,597 individuals’ protected health information (PHI). The security breach, which was discovered by the FBI in November last year, exposed patients’ Social Security numbers, health information, and insurance data. All affected patients were offered a year of credit monitoring and protection services without charge. According to the 21st Century Oncology’s substitute breach notice, in the four months since the discovery of the data breach, no evidence has been uncovered to suggest data have been used inappropriately. Four Class-Action Lawsuits Filed in the Past 3 Weeks Three weeks have passed since the announcement of the data breach and already four class action lawsuits have been filed against 21st Century by patients affected by the breach. Damages of $15 million are currently being sought for the failure to protect patients’ data from unauthorized access. The cancer care provider has also been accused of unjust enrichment, breach of implied covenant of good faith and fair...

Read More
St. Joseph Health Settles Class Action Data Breach Lawsuit
Mar15

St. Joseph Health Settles Class Action Data Breach Lawsuit

St. Joseph Health System has settled a class action lawsuit filed by two plaintiffs for the breach of 31,800 patient health records that took place in 2012. A settlement of $15 million will be split between patients and attorneys, with $7.5 million going to patients and $7.5 million covering attorneys’ fees and legal costs. All patients affected by the breach will receive a check for $242. A $3 million fund has also been set up to cover Identity theft losses that resulted from the exposure of patient health data. Each patient can potentially claim up to $25,000 if they can demonstrate they have suffered losses as a result of the data breach. The data breach in question lasted almost a year and affected patients from a number of hospitals and medical centers run by St. Joseph Health, including Queen of the Valley Medical Center in Napa, Santa Rosa Memorial Hospital, Petaluma Valley Hospital; St. Jude Medical Center in Fullerton, the Auxiliary of Mission Hospital in Mission Viejo and Laguna Beach, Redwood Memorial Hospital of Fortuna, Saint Joseph Hospital of Orange and Eureka. Full...

Read More
Healthcare Cyberattack Suspect Arrested After Being Rescued at Sea
Feb19

Healthcare Cyberattack Suspect Arrested After Being Rescued at Sea

A suspected hacktivist has been arrested after being rescued at sea off the coast of Cuba. Martin Gottesfeld, 31, from Somerville, Mass., is suspected of orchestrating two DDoS attacks on the computer network of a hospital in Boston last year, understood to the be Boston Children’s Hospital. Gottesfeld, who was under investigation for the cyberattacks, is believed to have fled Massachusetts recently to escape arrest. His home was searched by the FBI in October 2014 in connection with the distributed denial of service attack on the Boston Children’s hospital that occurred in April 2014. Somerville Police Department had recently been alerted to the disappearance of Gottesfeld and his wife after reports were received by concerned relatives and friends that the pair had not been seen for several weeks. Last week the police department visited Gottesfeld’s apartment to conduct a well-being check, but no one was home. Just a few days after the visit Gottesfeld turned up, although in a rather unusual place. He and his wife were found off the coast of Cuba in a small boat. They had issued a...

Read More
Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement
Feb18

Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement

OCR has announced it has arrived at a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule violations in 2012. Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. Potential HIPAA Privacy Rule violations were reported to OCR on August 8, 2012 and an investigation into the complaint was launched. OCR concluded its investigation on January 15, 2013. OCR found that a number of patients had had their protected health information posted online, yet valid, HIPAA-compliant prior authorizations had not been obtained in writing from the patients before names and full-face photographs were uploaded to the website. OCR determined this to be a clear violation of the Privacy Rule, with CPT found to have violated HIPAA by failing to reasonably...

Read More
Cybersecurity Companies Be Found Liable for Healthcare Data Breaches
Feb13

Cybersecurity Companies Be Found Liable for Healthcare Data Breaches

When a cybersecurity company is contracted to investigate a data breach, that company is expected to conduct a thorough investigation, ensure the breach is contained, and make sure backdoors are found and removed. However, what happens if a security company fails to deliver on its promise? Cybersecurity Firm Sued for Failing to Remedy a Data Breach Chicago-based cybersecurity firm Trustwave was sued late last year by a company that had contracted it to investigate and remedy a data breach. The lawsuit was filed for the company’s alleged failure to adequately investigate and remedy the breach, leaving the computer system open to a further attack. The lawsuit was filed by Affinity Gaming in the U.S. District Court in Nevada with the lawsuit stating that Trustwave’s investigation and remediation efforts were “woefully inadequate.” The investigation into the suspected hacking of the company’s payment card system failed to prevent individuals from gaining access to payment system data two months later. According to the lawsuit, Trustwave had reported to Affinity Gaming that the breach...

Read More
Lincare Inc to Pay $239,800 CMP for HIPAA Violation
Feb03

Lincare Inc to Pay $239,800 CMP for HIPAA Violation

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc., is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. The Privacy Rule violation – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge and the motion for summary judgement was granted and the decision to issue civil monetary penalties was sustained. HIPAA Privacy Rule Violation Uncovered by OCR Lincare Inc., doing business as United Medical, operates more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at its facilities, and via medical services delivered in-home. A complaint was filed with OCR about an Lincare employee who left documents containing the PHI of 278 patients at one of the locations where medical services were provided. The investigation by OCR confirmed that PHI had...

Read More
Prime Healthcare Services Hit with Privacy Breach Lawsuit
Feb03

Prime Healthcare Services Hit with Privacy Breach Lawsuit

Prime Healthcare Services has been hit with a lawsuit for repeatedly violating the privacy of a former patient of the Shasta Regional Medical Center. The lawsuit was filed in the Shasta County Superior Court last month by Medicare patient Darlene Courtois, 64. The plaintiff claims that her confidential medical files were shared with 785 employees of the Shasta Regional Medical Center in 2011 without her authorization. The medical information was allegedly emailed to medical center employees by the CEO of the medical center in what is believed by Courtois to be an attempt to discredit a news story published by California Watch. The story covered the healthcare chain’s “unusual and lucrative billing practices.” Reporters from California Watch investigated the unusually high number of Kwashiorkor cases dealt with by the hospital in 2009 and 2010. Kwashiorkor is a relatively rare form of protein malnutrition. Each year, fewer than 20,000 individuals are diagnosed with the condition in the United States. Kwashiorkor is more commonly associated with areas hit by famine, and is associated...

Read More
Survey Indicates Law Firms are not Complying with HIPAA Rules
Feb02

Survey Indicates Law Firms are not Complying with HIPAA Rules

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health insurers, and healthcare clearinghouses, and all covered entities are required to comply with HIPAA Privacy, Security, and Breach Notification Rules. HIPAA also applies to vendors and other companies doing business with covered entities, which are classed as HIPAA Business Associates (BAs). If a BA is supplied with the Protected Health Information (PHI) of health plan members or patients, or their software or systems are capable of touching PHI/PII, those entities are also required to comply with HIPAA Rules. Are Attorneys Classed as Business Associates of HIPAA-Covered Entities? According to Legal Workspace, healthcare attorneys may fall under the classification of Business Associate, and as such, they must comply with HIPAA Rules.  If a healthcare attorney is provided with healthcare data, it is necessary for that attorney – or his or her law firm – to ensure the necessary technical, administrative, and physical controls are implemented to protect PHI supplied by...

Read More
Snapchat Video Posting Gets Nursing Assistant Fired
Jan20

Snapchat Video Posting Gets Nursing Assistant Fired

A nursing assistant from the Parkside Manor assisted-living facility in Kenosha, WI., has been fired for taking a video of a virtually naked 93-year-old Alzheimer’s patient and sharing the file on Snapchat. In recent months an unsavory trend has emerged involving nurses taking photographs and videos of elderly patients and sharing the files on social media networks. The images and videos show patients in various states of undress, performing degrading acts, or posing in compromising positions. An investigation conducted last year by ProPublica revealed the extent to which this is happening across the United States. Reporters discovered 35 separate cases had been reported, although numerous others have more than likely taken place. Snapchat was found to be the most popular site for image and video sharing, although it is far from the only social media network used for sharing degrading and demeaning images and videos of patients. The latest case involved a video of an Alzheimer’s patient who was recorded sitting on her bed wearing only a bra. Grace Riedlinger, 21, admitted taking...

Read More
New Oregon Breach Notification Law Comes Into Effect
Jan09

New Oregon Breach Notification Law Comes Into Effect

Organizations doing business in the state of Oregon must now comply with a new data breach law that came into effect on January 1, 2016. If a data breach is suffered that exposes the personal information of more than 250 state residents, a breach notice must be submitted to the Oregon Attorney General. On June 10 last year, Oregon Governor Kate Brown signed the new law (Oregon Revised Statutes 646A.604) updating the Oregon Consumer Identity Theft Protection Act of 2007. The amendment expanded the definition of “personal information” to include biometric data such as a retina or iris images and fingerprints, as well as medical and health insurance information. Other data classed as personal information include Social Security numbers, government ID numbers, Driver’s license numbers and financial information including credit or debit card number in combination with any required security code, access code or password. The exposure of any of those data elements along with a person’s full name or last name and initial requires a breach notice to be issued. Oregon is one of a few states...

Read More
Exposure of PHI Grounds to Sue for Damages, Rules Mass. Judge
Jan06

Exposure of PHI Grounds to Sue for Damages, Rules Mass. Judge

A data breach that exposes sensitive Protected Health Information may not necessarily result in patients coming to harm, or suffering an injury or loss. However, breach victims do face an elevated risk of suffering harm and losses. Many will even incur costs as a result of actions taken to reduce the risk of losses being suffered. It is not uncommon for data breach victims to attempt to recover damages from healthcare providers who have exposed their sensitive health data, but it is rare for those lawsuits to succeed or even be heard. In order to successfully sue a healthcare provider or health insurer for a data breach, the plaintiff must be able to produce evidence that losses have been suffered, or at the very least, that data have actually been viewed by unauthorized individuals. However, a Mass. Superior Court judge has recently ruled that a plaintiff does actually have grounds to sue for damages, even if evidence of harm or loss cannot be produced. The exposure of PHI alone can be grounds to claim damages. The ruling came on the case of Walker et al v. Boston Medical Center...

Read More
California Patient Privacy Law Enforcement is Inconsistent
Jan04

California Patient Privacy Law Enforcement is Inconsistent

Last week, California’s enforcement of data privacy rules was criticized after the Department of Public Health was found to be inconsistently enforcing state laws. Numerous healthcare organizations have committed serious privacy violations, yet have escaped fines. Two privacy bills were passed in California in 2008 in an effort to better protect the privacy of state residents. One of the aims was to make healthcare organizations more accountable when privacy violations occurred. The laws were introduced following a number of high profile privacy breaches involving hospital employees snooping on the medical records of celebrities (Britney Spears, Farrah Fawcett and Maria Shriver). Since the bills were passed, healthcare organizations in the state can receive heavy fines for privacy violations, although relatively few fines are issued. California Patient Privacy Laws Being Violated with Few Consequences The state of California has some of the strictest laws on data privacy in the country. While action is taken against healthcare organizations by the Department of Public Health when...

Read More
Pittsburgh Woman Arrested for $600K Medical Insurance Fraud
Dec23

Pittsburgh Woman Arrested for $600K Medical Insurance Fraud

A counselor from the Pittsburgh area has been arrested on suspicion of fraudulently billing over $600,000 for counseling services which were never provided to patients. The investigation was launched after a tip off was received by the Pennsylvania Office of Attorney General’s Insurance Fraud Division by Highmark Blue Cross Blue Shield. Highmark claimed that Lisa A. Wally, 33, also known as Lisa A. Smith Wally from McKeesport, PA, had inflated billings for services she provided to her clients, and billed the insurer for services that were never actually provided. Office of Attorney General investigators discovered Wally had billed for 9,746 office visits for 22 patients between 2011 and 2015. However, investigators only found evidence that 1,987 visits had occurred. In total, Wally had received $601,280 in payments for services that were allegedly provided at her offices in Uniontown, Fayette County, but no evidence could be produced to prove that those sessions had ever taken place. Wally was unable to produce any evidence that the sessions occurred as no patient records were kept...

Read More
HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time
Jul30

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time

For the first time, a HIPAA privacy complaint filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in federal criminal prosecution. A complaint was filed with OCR over an impermissible disclosure of a patient’s protected health information by a doctor. The doctor, Richard Alan Kaye of Suffolk, Va., was alleged to have shared PHI with the patient’s employer without consent from the patient – A violation of the HIPAA Privacy Rule. The case against Kaye has been referred to the Department of Justice, which has pressed charges. While OCR has referred more than 500 HIPAA violation cases in the past, this if the first time that an investigation of a privacy complaint has resulted in criminal prosecution. Kaye had previously worked at Sentara Obici Hospital in Suffolk, Va., as Medical Director of its Psychiatric Care Center. The patient had been enrolled in a mental health treatment program at the hospital and Kaye treated and subsequently discharged the patient. On discharge, Kaye stated that the patient was not a threat to the public....

Read More