The HIPAA Journal legal news section contains details of the latest enforcement activities by the Department of Health and Human Services’ Office for Civil Rights, including settlements and civil monetary penalties, and legal actions taken against covered entities by state attorneys general.

You will also find brief details of class action lawsuits and other legal actions filed against covered entities for HIPAA violations, privacy violations, and data breaches, along with other legal news specifically relating to HIPAA or other legal matters of particular relevance to the healthcare industry.

Changes to HIPAA Rules are detailed in the HIPAA Updates category, although this section does include updates to state legislation, in particular any changes to breach notification and cybersecurity laws that are relevant to healthcare organizations.

Quest Diagnostics and Subsidiary Face Class Action Lawsuit Over Ransomware Attack
Dec 02

A lawsuit has been filed in the US District Court for the District of Massachusetts against Quest Diagnostics and its subsidiary, ReproSource Fertility Diagnostics, over an August 2021 ransomware attack that affected 350,000 patients. On October 8, 2021, ReproSource started sending notification letters to affected patients informing them that some of their protected health information had potentially been accessed or stolen prior to ransomware being used to encrypt files. The types of data stored on parts of its network that were accessible to the attackers included names, dates of birth, test results, medical histories, diagnosis codes, Social Security numbers, billing information, and other information. While breach notification letters were sent within the 60 days allowed by HIPAA, the lawsuit alleges Quest and ReproSource failed to issue timely notifications to patients, which violated Massachusetts law, and when the notification letters were issued – more than a month after the attack – they lacked important information about the breach, such as if the servers that...

HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations
Dec 01

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records. The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified. The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the...

Class Certification Order Lifted in Data Breach Lawsuit Against West Virginia University Health System
Nov 26

A class action lawsuit filed against West Virginia University Health System over a breach of the protected health information of 7,445 patients has had the class certification order lifted by the Supreme Court of Appeals of West Virginia. The lawsuit is related to an insider data breach that occurred in 2016. Between March 2016 and January 2017, Angela Roberts, a former registration specialist at Berkeley Medical Center and Jefferson Medical Center, which are affiliated with West Virginia University Health System, accessed the medical records of 7,445 patients with a view to committing identity theft and fraud. When the unauthorized access was discovered, Roberts admitted she had accessed the medical records for work purposes, but also to steal patient data to provide to her boyfriend and co-defendant Ajarhi “Wayne” Roberts. When viewing the medical records for legitimate work purposes, Ms. Roberts determined whether there was enough information to allow her and her boyfriend to steal patients’ identities. If sufficient information was there, the information was stolen and provided...

DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information
Nov 11

The United States Department of Justice (DoJ) has unsealed indictments charging two individuals for their roles in multiple REvil/Sodinokibi ransomware attacks on organizations in the United States. Ukrainian national Yaroslav Vasinskyi, 22, has been indicted on multiple charges related to the ransomware attacks, including the supply chain attack that saw Kaseya’s Virtual System/Server Administrator (VSA) platform compromised. That attack involved ransomware being deployed on the systems of around 40 managed service providers and 1,500 downstream businesses. Russian national Yevgeniy Igoryevich Polyanin, 28, has been indicted for his role in multiple ransomware attacks, including attacks on government entities in Texas. The DoJ says it seized $6.1 million in ransom payments that were paid to cryptocurrency wallets linked to Polyanin. The DoJ has indicted several individuals believed to have been involved in cyberattacks in the United States; however, those individuals can only face trial if they are located, arrested, and extradited to the United States. Many ransomware threat...

Federal Judge Rules in Favor of UMMC in Legal Battle Over Theft of Patient Data
Oct 29

A federal judge has ruled in favor of University of Mississippi Medical Center (UMMC) in an unauthorized access and data theft case against three former employees. UMMC took legal action against Dr. Spencer Sullivan and other former employees over the alleged theft and use of patients’ medical records. In July 2014, UMMC hired Dr. Sullivan as the medical director of its Hemophilia Treatment Center. When he joined UMMC, Dr. Sullivan signed a contract with a non-compete clause, which prevented him from using UMMC data to solicit patients for an independent practice. According to the lawsuit, in January 2016, Sullivan started making arrangements to open his own hemophilia clinic and pharmacy and conspired with other UMMC staff members – Linnea McMillan, Kathryn Sue Stevens, and Rachel Henderson Harris – to assist with setting up the new practice, which included compiling a list of UMMC patients. A patient list was created that included patient names, telephone numbers, dates of birth, diagnosis, prescription information, insurance information, and pharmacy information....

UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence
Oct 21

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail. Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums. In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was disbursed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela. Three of...

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty
Oct 14

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty. Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI). Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network which contained the PHI of 14,663 patients, 11,071 of which were New Jersey residents. As a HIPAA-covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access. Diamond Investigated for...

Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours
Oct 11

A new bill has been introduced that, if passed, will require victims of ransomware attacks to disclose any payments made to the attackers to the Department of Homeland Security (DHS) within 48 hours of the ransom being paid. The Ransom Disclosure Act was introduced by Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) and aims to provide the DHS with the data it needs to investigate ransomware attacks and improve understanding of how cybercriminal enterprises operate, thus allowing the DHS to gain a much better picture of the ransomware threat facing the United States. Between 2019 and 2020, ransomware attacks increased by 62% worldwide, and by 158% in the United States. The Federal Bureau of Investigation (FBI) received 2,500 complaints about ransomware attacks in 2020, up 20% from the previous year, and there were more than $29 million in reported losses to ransomware attacks in 2020. Not all ransomware attacks are reported. Many victims choose to quietly pay the attackers for the keys to decrypt their data and prevent the public disclosure of any data stolen in the...

Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach
Oct 08

A lawsuit has been filed on behalf of a former patient of Northwestern Memorial HealthCare (NMHC) against Elekta Inc. over its April 2021 ransomware attack and data breach. Elekta, a Swedish provider of radiation therapy equipment and related data services, is a business associate of many U.S. healthcare providers. Hackers targeted the company’s cloud-based platform that is used to store and transmit healthcare data and were able to access the platform between April 2 and April 20, 2021. The breach was detected when the hackers deployed ransomware. Elekta reported the attack as affecting a small percentage of its cloud customers in the United States, including NMHC. The entire oncology database of NMHC was compromised in the attack. The database contained the protected health information of 201,197 cancer patients including names, dates of birth, Social Security numbers, and healthcare data. In total, the attack affected 170 of its healthcare clients. The lawsuit was filed in the U.S. District Court for the Northern District of Georgia on behalf of Deborah Harrington and...

Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death
Oct 04

A medical malpractice lawsuit has been filed against an Alabama hospital alleging vital information that could have prevented the death of a baby was not available due to a ransomware attack and that the mother was not informed that patient care had been affected by the incident. Springhill Medical Center in Mobile, AL suffered a ransomware attack in 2019 which caused widespread encryption of files and a major IT system outage. Computer systems were taken offline for 8 days, during which time care continued to be provided to patients with staff operating under the hospital’s emergency protocol during the downtime. With no access to computer systems, patient information was recorded on paper charts. Following the attack, Springhill Medical Center issued a statement about the incident and said it had no impact on patient care: “We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment.” During the system downtime, Teiranni Kidd arrived at the hospital to have her baby...

Healthcare Workers in Minnesota File Lawsuit Against Employers to Block Vaccine Mandate
Sep 30

A lawsuit has been filed in U.S. District Court in Minnesota on behalf of 180 healthcare workers over the COVID-19 vaccine mandates of their employers. The plaintiffs, who have not been named in the lawsuit, claim vaccine mandates are a violation of religious freedom and state and federal laws. The lawsuit is one of several that challenge the legality of such mandates. Vaccines remain the most effective way to prevent the spread of COVID-19, stop individuals becoming seriously ill, and reduce the number of hospitalizations from the illness. The vaccines are safe and are backed up by data showing they are highly effective at preventing serious illness. The majority of individuals who are hospitalized and/or die from COVID-19 are unvaccinated. Many employers have opted to implement vaccine mandates and President Biden has announced a vaccine mandate covering 17 million healthcare workers at facilities that receive Medicare and Medicaid funding. Most hospitals have reported high levels of vaccination, with Mayo Clinic saying 98% of its physicians have been vaccinated, as have 87% of...

Class Action Lawsuits Filed Against San Diego Health Over Phishing Attack
Sep 28

Multiple class action lawsuits have been filed against the Californian healthcare provider San Diego Health over a data breach involving the protected health information of 496,949 patients. On March 12, 2021, San Diego Health identified suspicious activity in employee email accounts and launched an investigation. On April 8, 2021, it was determined multiple email accounts containing patients’ protected health information had been accessed by unauthorized individuals between December 2, 2020 and April 8, 2021. A review of the compromised email accounts confirmed them to contain protected health information such as names, addresses, dates of birth, email addresses, medical record numbers, government ID numbers, Social Security numbers, financial account numbers, and health information such as test results, diagnoses, and prescription information. HIPAA requires covered entities to issue notifications to affected individuals within 60 days of the discovery of a breach. San Diego Health published a substitute breach notice on its website on July 27, 2021 and started issuing individual...

Healthcare Organizations Face Legal and Technological Challenges Achieving CCPA Compliance
Sep 22

Healthcare organizations that are required to comply with the California Consumer Privacy Act (CCPA) are facing challenges achieving compliance, according to a new study published in Health Policy and Technology (DOI: 10.1016/j.hlpt.2021.100543). The CCPA was signed into law on June 28, 2018 and took effect on January 1, 2020. The aim of the CCPA was to give California residents greater control over their personal data and how their information can be used. The CCPA gave California residents the right to be informed about the personal data that will be collected, whether their data may be sold or disclosed, to whom disclosures may be made, and to opt out of the sale of their personal data. They were also given the right to view the personal data held by a company covered by the CCPA, to request their personal data be deleted, and not to be discriminated against for exercising their rights under the CCPA. The researchers conducted the study to explore any potential challenges associated with CCPA compliance for healthcare organizations, which involved interviews with 19...

Class Action Lawsuit Filed Against St. Joseph’s/Candler over Ransomware Attack Affecting 1.4 Million Patients
Sep 15

A class action lawsuit has been filed against St. Joseph’s/Candler Hospital Health System in response to a ransomware attack that occurred on June 17, 2021. The attack resulted in the encryption of files and forced the hospital’s IT systems offline. The systems accessed by the hackers contained the protected health information of 1.4 million patients, including names, Social Security numbers, driver license numbers, health insurance information, healthcare data, and financial information. St. Joseph’s/Candler offered affected patients a one-year membership to the Experian IdentityWorks credit monitoring and identity theft protection service. The investigation into the ransomware attack confirmed the hackers first accessed its network on December 18, 2020, 6 months prior to the ransomware being deployed. During that time the hackers had access to patient data stored on its systems. Georgia resident Daniel Elliott was one of the patients whose PHI was compromised in the attack. On August 28, 2021, the personal injury firm Harris Lowry Manton LLP, filed a class action...

Patients Sue DuPage Medical Group over July 2021 Ransomware Attack
Sep 14

Two DuPage Medical Group patients are taking legal action against the healthcare provider following a July 2021 ransomware attack in which patients’ protected health information was exposed. DuPage Medical Group suffered the ransomware attack in mid-July. The forensic investigation determined unauthorized individuals had gained access to its computer network between July 12 and July 13, and deployed ransomware in an attempt to extort money. The attack caused a major computer and phone outage that lasted around a week. On August 17, the forensic investigators confirmed hackers had gained access to parts of the computer network that contained the protected health information of 655,384 patients, and potentially viewed or obtained patient names, addresses, dates of birth, diagnosis codes, medical procedure codes, and treatment dates. Some Social Security numbers may also have been compromised. Notification letters started to be sent to affected patients in late August. At the time of issuing notifications, DuPage Medical Group said it was unaware of any actual or attempted misuse of...

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative
Sep 13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019. Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year. The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making...

California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents
Aug 25

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to send notifications to the HHS’ Office for Civil Rights (OCR) about data breaches, and healthcare organizations are also required to comply with state data breach notification laws. Many states have introduced their own data privacy laws, which typically require notifications to be sent to the appropriate state Attorney General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified. Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health...

30 Month Jail Term for Texas Woman Who Stole and Sold Patients’ PHI
Jul 30

The U.S. Department of Justice has announced a Texas woman has been sentenced by a federal court in the Eastern District of Texas to serve 30 months in federal prison for conspiring to obtain protected health information from a protected computer. Amanda Lowry, 40, of Sherman, TX, was a member of a fraud ring that used stolen protected health information to create fraudulent physician orders. The proceeds from the sale of the data were used to purchase a range of luxury items. Lowry, along with co-conspirators Demetrius Cervantes and Lydia Henslee, was named in a federal indictment on Sept. 11, 2019. The three defendants were charged with conspiracy to obtain information from a protected computer and conspiracy to unlawfully possess and use a means of identification. Lowry pleaded guilty to the charges on December 4, 2020. According to court documents, the defendants are alleged to have accessed a healthcare provider’s electronic health record system to steal the personal and protected health information of patients. The stolen data were repackaged as false and fraudulent...

Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case
Jul 27

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance information, and health data. The breach in question was a phishing attack that was discovered on December 9, 2019. The investigation revealed unauthorized individuals gained access to the email accounts of several employees, with one of the email accounts compromised between December 6, 2019 and December 9, 2019, and the others compromised for several hours on December 9. The investigation did not uncover evidence of data theft or misuse of patient data, but it was not possible to rule out unauthorized access to protected health information (PHI) and the exfiltration of data. The PHI of up to 109,000 patients was contained in the compromised email accounts. Affected individuals were notified starting on February 4, 2020 and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing email...

CaptureRx Facing Multiple Class Action Lawsuits Over Ransomware Attack Involving PHI of 2.4 Million Patients
Jul 23

The healthcare administrative services provider CaptureRx is facing multiple class action lawsuits for failing to protect patient data, which was obtained by unauthorized individuals in a February 2021 ransomware attack. NEC Networks, doing business as CaptureRx, provides IT services to hospitals to help them manage their 340B drug discount programs. Through the provision of those services, CaptureRx is provided with the protected health information of patients. Around February 6, 2021, CaptureRx identified suspicious activity in some of its IT systems, which included the encryption of files. The investigation confirmed that files containing the protected health information of 2,400,000 or more patients were compromised in the attack. CaptureRx said in its breach notification letters that, “all policies and procedures are being reviewed and enhanced and additional workforce training is being conducted to reduce the likelihood of a similar future event.” Affected individuals were advised to “remain vigilant against incidents of identity theft and fraud, to review account statements...

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case
Jul 23

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments. In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims. The San Diego Sheriff’s...

UPMC Settles Employee Data Breach Lawsuit for $2.65 Million
Jul 22

UPMC has proposed a $2.65 million settlement to resolve a data breach lawsuit filed by employees affected by a February 2014 data breach. Pittsburgh, PA-based UPMC announced the data breach in February 2021 and initially believed the attackers had only obtained the tax information of a few hundred of its employees; however, in April 2014, UPMC determined that the breach was far more extensive and had affected 27,000 of its 66,000 employees. In May 2014, UPMC confirmed that the personal data of all of its employees had likely been compromised. The data compromised in the attack included names and Social Security numbers, some of which were used by the attackers to file fraudulent tax returns. Four individuals involved in the cyberattack have been charged and pleaded guilty to tax fraud and identity theft charges. They attempted to obtain around $2.2 million in tax refunds and received $1.7 million from the IRS. Under the terms of the settlement, current and former employees whose personal information was compromised in the data breach will be able to submit claims for fraud-related...

Cyber Incident Notification Act of 2021 Introduced in the Senate
Jul 22

In June, a bipartisan group of senators circulated a draft federal breach notification bill – the Cyber Incident Notification Act of 2021 – that requires all federal agencies, contractors, and organizations considered critical to U.S. national security to report data breaches and security incidents to the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery. On Wednesday this week, an amended bill was formally introduced in the Senate. The bill was introduced by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME). Another 12 senators across both parties have now added their names to the bill. The bill seeks to address some of the key issues that have come to light in the wake of recent cyberattacks that impacted U.S. critical infrastructure, including the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline. “The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the...

Ohio Personal Privacy Act Introduced to Improve Privacy Protections for Ohioans
Jul 16

A comprehensive new privacy framework has been introduced in Ohio to better protect the privacy of Ohioans. The Ohio Personal Privacy Act aligns closely with recently introduced legislation in Virginia (CDPA) and gives Ohio residents a host of new rights over the personal data collected, stored, maintained, and transmitted by businesses. Similar to Virginia’s CDPA, the Ohio Personal Privacy Act has a narrow definition of consumers and does not cover individuals acting in a business capacity or employment context. Personal data covered by the Ohio Personal Privacy Act is classed as “any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose.” The Ohio Personal Privacy Act only applies to organizations that conduct business in the state of Ohio that meet one or more of the following criteria: Generates annual gross revenues in excess of $25 million; Controls or processes the personal data of 100,000 or more Ohio residents in a calendar year; Derives more than 50% of gross revenue from the sale of personal data and processes...

Colorado Privacy Act Passed and Signed into Law
Jul 14

Colorado has joined California and Virginia in passing a comprehensive data privacy law to protect state residents. It has taken several amendments to get the Colorado Privacy Act over the line, but the Act was finally passed unanimously by the state Senate on June 8, 2021. On July 7, 2021, Colorado Governor Jared Polis signed the bill, which will take effect on July 1, 2023. The Colorado Privacy Act applies to all data controllers that conduct business in Colorado that control or process the personal data of 100,000 or more Colorado resident consumers in a calendar year or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado resident consumers. Exceptions include protected health information collected, processed, or stored by HIPAA-covered entities and their business associates, and any personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), data regulated by the Children’s Online Privacy Protection Act of 1998 (COPPA),...

Radiology Specialists Facing Class Action Lawsuit Over PACS Data Breach
Jul 13

A class action lawsuit has been filed in the New York Southern District Court against a radiology company and its vendor. The radiology specialists are alleged to have failed to secure their Picture Archiving and Communication System (PACS), which contained the protected health information and medical images of patients. In 2019, security researchers identified vulnerabilities in the PACS used by hospitals, clinics, and radiology companies to share medical images and data. The researchers analyzed more than 2,300 medical images, which were found to contain sensitive patient data. Northeast Radiology and its vendor Alliance Health were among the companies affected and were notified about the exposed data by the researchers in December 2019. Both companies used medical imaging archiving software that permitted unauthorized individuals to gain access to medical images and protected health information. The researchers identified 61 million X-rays, CT scans, and MRIs that had been exposed, which included protected health information such as names, test results, medical record numbers,...

Texas Man Sentenced to 48 Months for Fraud Scheme Involving Theft of Electronic Health Records
Jul 13

A Texas man has been sentenced to 48 months in prison after pleading guilty to one count of conspiracy to obtain information from a protected computer. Demetrius Cervantes of McKinney, TX, was one of three defendants indicted over the theft and misuse of protected health information. Prosecutors alleged the defendants unlawfully gained access to an unnamed healthcare provider’s EHR system, stole information, then repackaged that data to create false and fraudulent physician orders, which were sold to durable medical equipment providers and contractors. The defendants are alleged to have obtained $1.4 million from the sale of the data, which they subsequently used to purchase high-value items such as vehicles and jet skis. “Today’s sentence sends the message that the theft of protected health information, the fabrication of physicians’ orders, and the sale of prescriptions will not be tolerated in the Eastern District of Texas,” said Acting U.S. Attorney Nicholas J. Ganjei. “This office will continue to pursue those who place profits over patients and...

Kroger Proposes $5 Million Settlement to Resolve Data Breach Lawsuits
Jul 09

The pharmacy and supermarket chain Kroger has proposed a $5 million settlement to resolve lawsuits filed by victims of a data breach that exposed their personal and protected health information. Kroger was one of many victims of a cyberattack on Accellion’s File Transfer Appliance (FTA) in December 2020. The Accellion FTA is a legacy solution used to transfer files too large to be sent via email. Hackers exploited several zero-day vulnerabilities in the solution and gained access to the data of more than 100 companies. While ransomware was not used, the attack was linked to the Clop ransomware gang, which threatened to publish the exfiltrated data. Individual companies were sent demands for payment to prevent the exposure of their stolen data. Kroger was notified about the breach on January 23, 2021 and received a ransom demand from the attackers on February 2. The FBI was notified, and Kroger paid the ransom on February 18, 2021. The attackers returned the stolen data the following day and provided a video demonstrating the stolen data had been deleted. Approximately 1% of Kroger...

Federal Judge Allows Blackbaud Consolidated Class Action Data Breach Lawsuit to Proceed
Jul 08

Plaintiffs in a class action lawsuit against Blackbaud sufficiently demonstrated they have standing, and the lawsuit has survived Blackbaud’s motion to dismiss. Blackbaud is a publicly traded cloud software company with headquarters in Charleston, SC. Blackbaud provides data collection and maintenance solutions for administration, fundraising, marketing, and analytics to entities such as non-profit organizations, foundations, educational institutions, and healthcare organizations. In the course of providing its services, the company collects and stores personally identifiable information (PII) and Protected Health Information (PHI) from its customers’ donors, patients, students, and congregants. From February 7, 2020 to May 20, 2020, cybercriminals gained access to Blackbaud’s systems, exfiltrated data, and then used ransomware to encrypt files on Blackbaud’s systems. The attackers then issued a ransom demand and claimed they would provide the keys to decrypt data on Blackbaud’s systems and permanently delete the data they had exfiltrated if the ransom was...

Healthcare Workers File Lawsuit Alleging Amazon Alexa Devices Violated HIPAA
Jul 08

A class action lawsuit has been filed against Amazon by four healthcare workers who allege their Amazon Alexa devices may have recorded conversations without their intent that potentially included health information protected under HIPAA. Amazon Alexa devices listen for words that wake up the devices and trigger them to start recording. Specifically, the devices listen for the word “Alexa,” and will then attempt to answer a question that is asked. However, the plaintiffs claim that there are other words and phrases that will awaken the devices and trigger them to start recording when it is not intended by users of the devices. The lawsuit cites a study conducted at Northeastern University which showed the devices wake up and record in response to statements such as “I care about,” “I messed up,” and “I got something.” The study also found that the devices wake up and record in response to the words “head coach,” “pickle,” and “I’m sorry.” The plaintiffs allege “Amazon’s conduct in surreptitiously...

BJC HealthCare Email Data Breach Lawsuit Survives Motions to Dismiss
Jul 06

A class action lawsuit filed by two former patients against BJC HealthCare over a March 2020 email data breach has survived two motions to dismiss. Leaha Sweet and Bradley Dean Taylor took legal action against St. Louis-based BJC HealthCare in September 2020 after being notified that their protected health information had potentially been compromised in a data breach. BJC HealthCare had discovered the email accounts of three of its employees had been accessed by unauthorized individuals. The email accounts contained a range of sensitive patient data including Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, patient account numbers, and treatment and clinical information. The lawsuit listed 10 counts against the defendants: unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, invasion of privacy, vicarious liability, bailment, and violations of the Missouri Merchandising Practices Act (MMPA) and Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA). The...

Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit
Jul 05

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has agreed to settle a class action lawsuit filed by victims of a 2.96 million-record data breach discovered in 2019. The investigation into the data breach was completed on April 24, 2019. Dominion National determined unauthorized individuals gained access to its servers which contained the personal and protected health information of health plan customers. Initially, the breach was thought to have affected 122,000 health plan members, but further investigations showed the protected health information of 2,964,778 individuals had potentially been compromised. The investigation revealed the breach had started as early as August 25, 2010, with the types of data accessible including names, dates of birth, email addresses, member ID numbers, group numbers, subscriber numbers, and Social Security numbers. Individuals who enrolled online through the Dominion National website may also have had their bank account and routing number exposed. Providers were also affected...

No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation
Jun 28

The U.S. Court of Appeals for the Fourth Circuit has ruled that there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA) to address improper disclosures of protected health information; however, the ruling suggests there is potentially a cause of action under the 14th amendment when an individual’s privacy is violated. The case, Payne v. Taslimi, named Christopher N. Payne as plaintiff and Jahal Taslimi as the defendant. Payne was a Deep Meadow Correctional Center inmate and Taslimi a prison doctor. Payne took legal action against Taslimi over an alleged improper disclosure of his confidential medical information. Payne alleged Taslimi had approached his bed and stated in a voice loud enough for others to hear that the plaintiff had not taken his HIV medication. Payne alleged staff members, other inmates, and civilians had heard the doctor. In the lawsuit, Payne claimed his medical records were confidential and his HIPAA rights had been violated at Deep Meadow Correctional Center by Taslimi, as well as his right to privacy under the...

Former Mayo Clinic Doctor Charged Over Improper Medical Record Access
Jun 28

In October 2020, Mayo Clinic announced a former employee was discovered to have impermissibly accessed the medical records of approximately 1,600 patients. According to a statement issued by the Mayo Clinic, the former employee viewed demographic information, date of birth, medical record number, clinical notes, and in some cases images. Mayo Clinic said its investigation uncovered no evidence to suggest any patient data was copied or retained. All affected patients were notified about the breach by mail. The employee in question was Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, who was a doctor at Mayo Clinic. Alsughayer ended his employment with Mayo Clinic in August 2020, around the time that the privacy violation was discovered. A criminal case has now been opened by the Olmsted County Attorney’s Office. Alsughayer has been charged with gross misdemeanor unauthorized computer access and has been scheduled to appear in court on July 8, 2021. The criminal case stems from allegations that Alsughayer had abused his access rights to view medical records when there was no...

Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation
Jun 25

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend. Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties. Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Bacor used her login credentials to access his medical records, covering October 2013 to September 2017, on multiple occasions between April and October 2017, when there was no legitimate work reason for doing so. Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed. Bacor...

Scripps Health Facing Multiple Class Action Lawsuits over Ransomware Attack
Jun 24

San Diego-based Scripps Health is facing multiple class action lawsuits over an April 29, 2021 ransomware attack that affected 147,267 individuals. The attack forced the 5-hospital healthcare system to take systems offline while the attack was remediated, including its patient portal. While care continued to be provided, some patients were diverted to other facilities as a precaution. The investigation into the breach confirmed that prior to the deployment of ransomware the attacker exfiltrated documents that contained patients’ protected health information. Information compromised in the attack included names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, and/or clinical information, such as physician name, dates of service, and/or treatment information. A lawsuit was filed on June 1 in the San Diego County Superior Court that named Kenneth Garcia as plaintiff. The lawsuit, which seeks class action status, alleges Scripps Health was negligent for failing to prevent the theft of protected health information, which was...

Connecticut Legislature Enhances Data Breach Notification Law
Jun 17

The Connecticut legislature has enhanced its data breach notification law, expanding the definition of personal information and shortening the maximum time frame for issuing breach notifications. The new law brings the data breach notification requirements in the state of Connecticut in line with those of other states that have recently updated their own privacy and security laws. The new data breach notification law was unanimously passed by the House of Representatives and the Senate and now awaits state Governor Ned Lamont’s signature. “Connecticut has led the nation in data privacy for over a decade, and this legislation ensures that we will continue to do so. Since we passed one of our nation’s first laws protecting consumers from online data breaches, technology and risks have evolved,” said Attorney General William Tong. “This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents.” Previously, notification letters were only required for breaches of an individual’s first name or initial...

Houston Hospital Workers’ Lawsuit over Vaccine Mandate Dismissed by Federal Judge
Jun 14

Many U.S. employers have implemented a policy that requires their workers to be vaccinated against COVID-19, including several major healthcare systems and hospitals. These policies are in line with the guidance issued by the U.S. Equal Employment Opportunity Commission last month, which confirmed that U.S. employers are within their rights to require their employees to be vaccinated, with certain exceptions such as on medical or religious grounds. Houston Methodist Hospital in Texas introduced its vaccine mandate to ensure patients were protected against COVID-19 and set a June 7, 2021 deadline for employees to be vaccinated. While the majority of workers at Houston Methodist Hospital have been or have agreed to receive a COVID-19 vaccine, on Monday, June 7, a walkout was staged by a small minority of workers over the vaccine requirements. On Tuesday, the hospital took the decision to suspend 178 workers without pay over their refusal to be inoculated. A lawsuit was brought by 117 of those workers, with lead plaintiff, Jennifer Bridges, claiming that if she is dismissed for...

IT Security Company COO Charged with Cyberattack on Georgia Medical Center
Jun 14

The Chief Operating Officer of an IT security firm has been charged over a financially motivated cyberattack on Gwinnett Medical Center in Lawrenceville, GA, in September 2018. Vikas Singla, 45, of Marietta, GA, is the COO of Securolytics, a network security company in the metro-Atlanta region. On June 8, 2021, Singla was indicted by a federal grand jury for allegedly accessing the systems of the healthcare provider, disrupting its phone and network printer services, and stealing information from a Hologic R2 digitizing device. According to the Department of Justice, the attack was conducted, in part, for financial gain and commercial advantage. According to court documents, at least 10 protected computers were damaged in the attack. It is unclear whether Singla, or his IT company, had any previous business relationship with Gwinnett Medical Center and why the medical center was targeted. Singla was arraigned in the U.S. District Court for the Northern District of Georgia on June 10, 2021 and was charged with 17 counts of causing intentional damage to a protected computer and one...

Texas Legislature Passes Bill Calling for State AG to Establish Data Breach ‘Wall of Shame’
Jun 10

The Texas Legislature has followed in the footsteps of California and Maine and has passed a bill that requires the Texas Attorney General to publish notices of breaches of personal data that affect state residents on the state Attorney General’s public-facing website. House Bill 3746, which was unanimously passed, amends the Texas Business and Commerce Code § 521.053 and calls for the Texas Attorney General to publish notifications of data breaches that have affected 250 or more Texas residents and to update the website to include the notification within 30 days of the notification being received. Once a company has been listed on the website, the listing must remain in place for 12 months. The listing will be removed provided the individual or company has not suffered any further data breaches affecting 250 or more Texas residents during that 12-month period. Texas law requires notifications of breaches of system security to be sent to the state Attorney General within 60 days of the breach being discovered. The breach notices must include a detailed description of the nature of...

Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach
Jun 10

The Louisville, KY-based health insurance and healthcare provider Humana and its business associate Cotiviti are facing legal action over a data breach discovered in late December 2020. On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky over the mishandling of Humana insurance plan members’ medical records. Humana had contracted with Cotiviti to handle medical records requests to send to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted some of the work to Visionary Medical Systems Inc. According to the lawsuit, an employee of Visionary Medical Systems uploaded the private and confidential medical records of Humana members to a personal Google Drive account in order to provide medical coding training as part of a “personal coding business endeavor.” The medical records were copied to the Google Drive account between October 12 and December 16, 2020, and that account was publicly accessible. The actions of the employee violated HIPAA and the terms of the business associate agreement. Visionary...

Settlement to Resolve Nebraska Medicine Data Breach Lawsuit Receives Preliminary Approval
Jun 09

In September 2020, Nebraska Medicine and the University of Nebraska Medical Center discovered their systems had been hacked and malware had been downloaded to their network that gave hackers access to the protected health information of up to 219,000 individuals. The attack forced Nebraska Medicine to shut down its systems, causing disruption to operations. Hackers first gained access to Nebraska Medicine’s systems on Aug. 27, 2020 and had access to its systems and patient data for 24 days. Access was terminated by Nebraska Medicine on Sept. 20, 2020. During that time, the lawsuit alleged, patient data was exfiltrated by the attackers. The breach affected patients of Nebraska Medicine, Faith Regional Health Services, Great Plains Health, and Mary Lanning Healthcare. On February 24, 2021, a class action lawsuit was filed against Nebraska Medicine in the Nebraska U.S. District Court by two patients alleging Nebraska Medicine was negligent for failing to maintain an adequate data security system to reduce the risk of cyberattacks and data breaches. The plaintiffs sought damages,...

Michigan Man Pleads Guilty to Theft and Sale of PII of UPMC Employees
May 26

A Michigan man has pleaded guilty to hacking into University of Pittsburgh Medical Center human resources databases in 2013 and 2014 and stealing the personally identifiable information (PII) and W-2 data of 65,000 UPMC employees. Justin Sean Johnson, 30, of Detroit, MI, was a Federal Emergency Management Agency (FEMA) IT specialist known on darknet forums as The DearthStar and Dearthy Star. Six years after hacking the databases and selling stolen data, Johnson was indicted by a federal grand jury in Pittsburgh and was arrested and charged with conspiracy, wire fraud, and aggravated identity theft. Johnson initially hacked the Oracle PeopleSoft HR database of UPMC in December 2013 and accessed the PII of 23,500 UPMC employees. Between January 2014 and February 2014, Johnson accessed the databases multiple times each day and exfiltrated PII. Johnson then sold the stolen data on darknet marketplaces such as AlphaBay to criminals who used the data in 2014 to file hundreds of fraudulent 1040 tax returns. According to a Department of Justice press release, the scheme resulted in...

UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled
May 19

A lawsuit filed against Universal Health Services (UHS) following a 2020 data breach has been allowed to proceed; however, only for one of the patients named in the lawsuit. UHS operates around 400 hospitals and care centers in the United States and the United Kingdom. In September 2020, UHS suffered a ransomware attack in which sensitive data was exfiltrated. The Ryuk ransomware gang threatened to release the stolen data on a leak site if the ransom was not paid, although the UHS investigation found no evidence of any data misuse. The attack affected all 400 UHS care sites and caused significant disruption, with IT systems finally being brought back online a month after the attack. UHS was forced to postpone some scheduled appointments as a result of the attack. A lawsuit was filed in the U.S. District Court, Eastern District of Pennsylvania by the law firm Morgan & Morgan naming three patients as plaintiffs – Graham v. Universal Health Service Inc. The lawsuit alleged negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence. Two of the...

Pennsylvania Department of Health and Insight Global Sued over 72,000-Record Data Breach
May 11

The Pennsylvania Department of Health and its COVID-19 contact tracing vendor are being sued over a breach of the personal and health data of 72,000 Pennsylvanians. The breach in question was announced by Insight Global and the Department of Health on April 29, 2021. Insight Global, an IT service management and staffing firm, had been awarded the contract for the state’s contact tracing program and had been given access to personal and health data to provide those services. The information was used to contact individuals potentially exposed to COVID-19 to identify and address the need for specific support services and to help slow the spread of COVID-19. Insight Global had implemented secure communication channels for its contact tracers and had security protocols in place, but it was discovered that some employees had “disregarded security protocols established in the contract and created unauthorized documents.” Those documents, including spreadsheets, had been shared between contact tracers using personal email accounts and consumer versions of cloud services such as Google...

What is HIPAA Certification?
May 03

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associates to certify compliance, several third-party organizations offer HIPAA certification services. Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPAA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors. Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization’s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services...

Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack
Apr 29

The Philadelphia-based health system, Einstein Healthcare Network, is facing a class action lawsuit over an August 2020 phishing attack that resulted in multiple employee email accounts being accessed by an unauthorized individual. Einstein Healthcare is a non-profit health system that operates four hospitals – Einstein Medical Center Philadelphia, Elkins Park Hospital, MossRehab in Elkins Park, and Einstein Medical Center Montgomery – and multiple outpatient and primary care clinics throughout the greater Philadelphia area. The investigation into the breach determined the email accounts were subjected to unauthorized access for 12 days between August 5 and August 17, 2020. A review of the compromised email accounts revealed they contained the protected health information of 353,616 patients, including names, dates of birth, account/medical record numbers, medical information such as diagnosis and treatment information and, for some individuals, Social Security numbers and health insurance information. Patients affected by the breach were notified by mail starting October...

NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities
Apr 16

Tension is growing between Russia and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR). The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks. The NSA, CISA, and the FBI have previously shared mitigations that can be...

Adventist Health Physicians Network Fined $40,000 for Privacy Breach
Apr 12

Adventist Health Physicians Network in Simi Valley, California has been ordered to pay $40,000 in civil monetary penalties by the Ventura County District Attorney as part of a civil privacy settlement to resolve a patient privacy case that affected 3,797 patients. The privacy breach occurred in 2018 and involved an impermissible disclosure of physical documents containing private and confidential medical data. The Simi Valley hospital had used a storage facility in Simi Valley for storing physical patient records; however, when payments stopped being made to the storage facility, the hospital lost access to the storage unit and the contents were put up for sale at a public auction in October 2018. The individual who bought the contents of the storage unit at the auction discovered boxes of paperwork in the unit that contained the sensitive medical data of patients of Adventist Health. The hospital was notified, and the files were promptly collected and secured. Adventist Health conducted an investigation into the incident and was satisfied that none of the information in the storage unit...

Roper St. Francis Healthcare Faces Class Action Lawsuit Over Data Breach
Apr 06

Roper St. Francis Healthcare is facing a class action lawsuit over an October 2020 data breach in which patient data was allegedly stolen. The lawsuit alleges negligence for the failure to protect the private data of its patients. Between October 14 and 29, 2020, unauthorized individuals gained access to the email accounts of three of its employees. Those accounts contained the protected health information of around 190,000 patients. PHI in the compromised email accounts included financial and medical information. This was far from the only data breach to have affected Roper St. Francis Healthcare in the past 18 months. Prior to the October 2020 phishing attack, Roper St. Francis reported two data breaches in September, one of which was a phishing attack that affected 6,000 individuals and the other a ransomware attack on its vendor Blackbaud, which affected around 92,963 Roper St. Francis patients. Prior to those breaches, a breach was reported on January 29, 2010 as affecting 35,253 individuals. According to the lawsuit, “At all relevant times, Roper knew the data it stored...

SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach
Mar 26

SalusCare, a provider of behavioral healthcare services in Southwest Florida, experienced a cyberattack in March that saw patient and employee data exfiltrated from its systems. The exact method used to gain access to its servers has not been confirmed, although the cyberattack is believed to have started with a phishing email that was used to deliver malware. The malware was used to exfiltrate its entire database to an Amazon AWS storage account. The attack occurred on March 16, 2021 and the investigation into the breach established that the attacker, an individual who appeared to be based in Ukraine, gained access to its Microsoft 365 environment, downloaded sensitive data, and uploaded the stolen data to two Amazon S3 storage buckets. Amazon was notified about the illegal activity and it suspended access to the S3 buckets to stop the attacker from accessing the stolen data. SalusCare requested access to the audit logs, which it requires to continue to investigate the breach and determine exactly what data was stolen. SalusCare also wants to make sure that the suspension is...

Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access
Mar24

The former CEO of Novus and Optimum Health Services, which operates two hospices in Texas, has pleaded guilty in a fraud case that saw Medicare and Medicaid defrauded out of tens of millions of dollars through the submission of falsified health care claims. Prerak Shah, Acting U.S. Attorney for the Northern District of Texas, recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and healthcare fraud and is now awaiting sentencing. In addition to defrauding federal healthcare programs out of tens of millions of dollars, the actions of Harris resulted in vulnerable patients being denied the medical oversight they deserved, saw prescriptions for pain medication written without physician input for his financial benefit, and allowed terminally ill patients to go unexamined. Harris admitted billing Medicare and Medicaid for hospice services between 2012 and 2016 that were not provided, were not directed by a medical professional, or were provided to individuals who were not eligible for hospice services. Harris also admitted to using blank,...

UPMC and Charles Hilton and Associates Facing Class Action Lawsuit Over 36,000-Record Breach
Mar23

University of Pittsburgh Medical Center (UPMC) and the law firm Charles Hilton and Associates are facing a class action lawsuit over a breach of the protected health information of 36,000 UPMC patients. Charles Hilton and Associates, which handles collections for UPMC, announced that hackers had gained access to the email accounts of some of its employees between April and June 2020. The investigation revealed the compromised accounts contained the protected health information of UPMC patients, some of which was potentially viewed or obtained by the attackers. The accounts contained a wide range of data including names, dates of birth, Social Security numbers, bank account information, driver’s licenses, health insurance information, and state ID card numbers. UPMC stated in its breach notice that no reports had been received to suggest information in the compromised accounts had been misused; however, the lawsuit alleges the plaintiffs’ personal and protected health information was obtained and used to open accounts in their names. Lead plaintiff, Vince Ranalli, received a letter...

Verkada Surveillance Camera Hacker Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft
Mar22

The Swiss hacktivist who gained access to the security cameras of the California startup Verkada in March 2021 has been indicted by the US government for computer crimes from 2019 to present, including accessing and publicly disclosing source code and proprietary data of corporate and government victims in the United States and beyond. Till Kottmann, 21, aka ‘tillie crimew’ and ‘deletescape’, resides in Lucerne, Switzerland and is a member of a hacking collective self-named APT 69420 / Arson Cats. Most recently, Kottmann admitted accessing the Verkada surveillance cameras used by many large enterprises, including Tesla, Okta, Cloudflare, and Nissan, as well as schools, correctional facilities, and hospitals. Live surveillance camera streams and archived footage were accessed between March 7 and March 9, 2021, and screenshots and videos of the footage were published online. Ethical hackers often exploit vulnerabilities and gain access to systems, and their efforts often result in vulnerabilities being addressed before they can be exploited by bad actors. The vulnerabilities are reported to the...

More Health Insurers Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed
Mar19

The number of healthcare organizations that have announced they were affected by the ransomware attack on Accellion has been increasing, with two of the latest victims being Trillium Community Health Plan and Arizona Complete Health. In late December, unauthorized individuals exploited zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance platform and stole the data of its customers before deploying CLOP ransomware. Trillium Community Health Plan recently notified 50,000 of its members that protected health information such as names, addresses, dates of birth, health insurance ID numbers, and diagnosis and treatment information was obtained by the individuals behind the attack, and that the data was posted online between January 7 and January 25, 2021. Trillium said it has now stopped using Accellion, has removed all data files from its systems, and has taken steps to reduce the risk of future attacks, including reviewing its data sharing processes. Trillium is offering affected members complimentary credit monitoring and identity theft protection services for 12 months. Arizona...

NY Nurse Pleads Guilty to Tampering with a Consumer Product in HIPAA Case
Mar15

A former Roswell Park Comprehensive Cancer Center nurse has pleaded guilty to tampering with a consumer product in a case involving fraud and HIPAA violations. In 2018, 6 patients of Roswell Park Comprehensive Cancer Center contracted a Sphingomonas paucimobilis bloodstream infection within the space of a few weeks. An investigation found syringes of hydromorphone had been contaminated with the bacteria. The cancer center suspected a nurse had removed some of the medication and replaced it with an equal volume of water. Kelsey Mulvey, 28, of Grand Island, NY, was placed on administrative leave in June 2018 after it was discovered she had stolen pain medication, and she resigned from her position at the cancer center in July 2018. Appropriate authorities were notified, including the New York State Department of Health, the NYS Department of Education, the Bureau of Narcotics and Tobacco Enforcement, and the U.S. Drug Enforcement Agency, and in July 2019 Mulvey was charged by the U.S. Attorney’s office with tampering with a consumer product, acquiring controlled substances by fraud, and...

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation
Mar12

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of at least 21 million Americans. Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities. From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019. AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for...

FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Data Without Consent
Mar09

On March 4, 2021, Senator Robert Menendez (D-New Jersey) and Reps. Bonnie Watson Coleman (D-New Jersey) and Mikie Sherrill (D-New Jersey) wrote a letter urging the Federal Trade Commission (FTC) to start enforcing the Health Breach Notification Rule. The FTC has a mandate to protect Americans from bad actors that betray consumer trust and misuse consumers’ healthcare data, and has the authority to take enforcement action, but it is not enforcing compliance with the Health Breach Notification Rule. The Health Breach Notification Rule was introduced as part of the American Recovery and Reinvestment Act of 2009 and requires vendors of personal health records, PHR-related entities, and third-party service providers to inform consumers about unauthorized disclosures of personal health information. The Health Breach Notification Rule applies to entities not covered by the Health Insurance Portability and Accountability Act (HIPAA), and has similar provisions to the HIPAA Breach Notification Rule. While the HHS’ Office for Civil Rights has enforced compliance with...

Arizona High Court Revives Privacy Lawsuit Stemming from Pharmacy ED Medication Disclosure
Mar09

This week, the Arizona Supreme Court revived a HIPAA violation lawsuit filed by a Phoenix man over a privacy violation by a pharmacy employee related to an erectile dysfunction medication prescription. Greg Shepherd, 50, had visited his doctor for a routine medical appointment in January 2016, and his doctor provided him with an erectile dysfunction medication sample. He later received a call from the Costco pharmacy and was told that the full prescription for the ED medication was available to collect. Shepherd explained that he did not want the medication and cancelled the prescription. Shepherd called the pharmacy a month later to check whether an unrelated prescription was ready to collect, and the pharmacy again informed him that his ED prescription was still waiting to be collected. Shepherd declined the medication a second time and told the pharmacy to cancel the prescription for the second time. Shepherd, who had been trying to reconcile with his ex-wife, authorized her to collect an unrelated, regular prescription refill from the pharmacy. When she visited the pharmacy, the...

Virginia Consumer Data Protection Act Signed into Law
Mar08

The Virginia Consumer Data Protection Act (CDPA) has been signed into law by Governor Ralph Northam. The CDPA requires persons conducting business in the Commonwealth of Virginia to comply with new data privacy and security requirements. The CDPA takes effect on January 1, 2023. The CDPA mirrors some of the privacy and security provisions of the EU’s General Data Protection Regulation (GDPR), which took effect on March 25, 2018, and the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. While there are similarities with the GDPR and the CCPA, there are some differences, so compliance with either the CCPA or the GDPR does not guarantee compliance with the CDPA. Like the CCPA, the CDPA only applies to organizations that control or process significant amounts of consumer data, with a data threshold twice as high as the CCPA’s, although there is no minimum revenue threshold in the CDPA. The CDPA applies to any person or business that: Controls or processes the personal data of 100,000 or more Virginia residents in a calendar year; or Controls or processes the data of...

Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months
Feb24

A Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA Rules has been sentenced to 6 months in jail and fined $1,200. In October 2019, Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower and alerted the authorities about serious privacy violations by a nurse at a Savannah, GA hospital, including emailing graphic pictures of traumatic injuries of hospital patients internally and externally. According to court documents, Parker “engaged in an intricate scheme” to frame a former acquaintance for violations of the Federal Health Insurance Portability and Accountability Act’s Privacy Rule. To back up the fake claims, Parker created multiple email accounts in the names of real patients and used those accounts to send false accusations of privacy violations. Emails were sent to the hospital where the nurse worked, the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ). Parker also alleged that he had been threatened for his actions as a whistleblower and law enforcement took steps to ensure his...

Wilmington Surgical Associates Facing Class Action Lawsuit Over Netwalker Ransomware Attack
Feb19

Wilmington Surgical Associates in North Carolina is facing a class action lawsuit over a Netwalker ransomware attack and data breach that occurred in October 2020. As is now common in ransomware attacks, files were exfiltrated prior to the deployment of ransomware. In this case, the Netwalker ransomware gang stole 13GB of data from two Wilmington Surgical Associates servers that were used for administration purposes. Some of the stolen data was published on the threat actors’ data leak site, where it could be accessed by anyone. The leaked data was spread across thousands of files and included financial information related to the practice, employee information, and patient data such as photographs, scanned documents, lab test results, Social Security numbers, health insurance information, and other sensitive patient information. Wilmington Surgical Associates sent notifications to affected individuals in December 2020 and reported the data breach to the HHS’ Office for Civil Rights on December 17, 2020 as affecting 114,834 patients. The lawsuit – Jewett et al. v. Wilmington...

21st Century Oncology Data Breach Settlement Receives Preliminary Approval
Feb16

A settlement proposed by 21st Century Oncology to resolve a November 2020 class action lawsuit has received preliminary approval from the court. The class action lawsuit was filed in District Court for the Middle District of Florida on behalf of victims of a 2015 cyberattack that potentially affected 2.2 million individuals. 21st Century Oncology was notified about a breach of its systems by the Federal Bureau of Investigation on November 13, 2015. An unauthorized individual had gained access to its network and may have accessed or obtained one of its databases on October 3, 2015. The database contained patients’ names, diagnoses, treatment information, Social Security numbers, and insurance information. Notifications to affected individuals were delayed at the request of the FBI so as not to interfere with the investigation. Patients affected by the breach started to be notified in March 2016. The Department of Health and Human Services’ Office for Civil Rights launched an investigation into the breach and found potential HIPAA violations. 21st Century Oncology settled the case in...

Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack
Feb09

US Fertility is facing a class action lawsuit over a September 2020 ransomware attack and data breach that affected 878,550 individuals. US Fertility provides IT platforms and administrative, clinical, and business information services, and is one of the largest providers of support services to infertility clinics in the United States. On September 14, 2020, US Fertility discovered ransomware had been used to encrypt files on its network. The investigation revealed the threat actors behind the attack exfiltrated files between August 12 and September 14, 2020, some of which contained protected health information. The types of data obtained by the hackers included names, addresses, dates of birth, driver’s license and state ID numbers, passport numbers, medical treatment/diagnosis information, medical record information, health insurance and claims information, credit and debit card information, and financial account information. The class action lawsuit, brought by Plaintiffs Alec Vinsant and Marla Vinsant, alleges US Fertility failed to implement adequate data security measures...

Hospital Researchers Jailed for Stealing and Selling Research Data to China
Feb04

A woman who worked in a medical research lab at the Nationwide Children’s Hospital in Columbus, OH has been jailed for stealing sensitive research data and selling the information to the People’s Republic of China. Li Chen, 47, and her husband Yu Zhou, 50, were both employed as medical researchers and worked in separate labs at the hospital’s Research Institute for more than 10 years. The former Dublin, OH residents were arrested in California in July 2019 and were subsequently charged over the alleged theft of cutting-edge scientific research. Zhou was working on a novel technique that allowed exosomes to be isolated from small quantities of blood. Exosomes are used in the research, identification, and treatment of several medical conditions, such as necrotizing enterocolitis. The novel exosome isolation method was a vital process in the research into necrotizing enterocolitis, as the condition affects premature babies and only small blood samples can be taken safely. The couple set up a company in China, stole at least five trade secrets related to exosome isolation, and...

Brandywine Urology Consultants Data Breach Lawsuit Dismissed Due to Lack of Harm
Feb03

A lawsuit filed on behalf of victims of a Brandywine Urology Consultants data breach has been dismissed by the Delaware Superior Court after plaintiffs failed to provide evidence demonstrating they had suffered harm as a result of the breach. Brandywine Urology Consultants experienced a ransomware attack on January 27, 2020. The attack was detected after two days, and the subsequent investigation confirmed the attackers had access to a network which contained patient information. Brandywine Urology Consultants concluded from its investigation that the attack was conducted to extort money rather than to obtain patient data, although unauthorized data access and data theft could not be ruled out. The attackers potentially accessed the protected health information of 130,000 patients, and may have viewed or obtained names, medical record numbers, Social Security numbers, financial data, claims data, and other information. The lawsuit was filed in May 2020 alleging Brandywine Urology Consultants was negligent for failing to prevent the attack, had breached its fiduciary duty, and was in...

Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data
Feb03

On January 28, 2021, Democratic senators introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure data security measures are applied to safeguard COVID-19 related health data collected for public health purposes. The Public Health Emergency Privacy Act was introduced by Sens. Mark Warner, D-Va., and Richard Blumenthal, D-Conn., and U.S. Representatives Anna Eshoo, D-CA, Jan Schakowsky, D-IL, and Suzan DelBene, D-WA, and requires strong and enforceable privacy and data security rights for health information to be set. “Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” said Sen. Blumenthal. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19.” The Public Health Emergency Privacy Act will ensure strict privacy protections are implemented to ensure any health data collected...

Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Consent
Feb03

A lawsuit has been filed against Burr Ridge, IL-based Easy Healthcare Corp. over the alleged sharing of sensitive user data with third-party firms based in China without user consent. Easy Healthcare Corp. is the developer of Premom, a popular smartphone fertility app for tracking users’ ovulation cycles to identify their most fertile days. The lawsuit alleges a range of sensitive user data has been shared with at least three Chinese companies without obtaining users’ consent. Since the data is stored on servers in China, the lawsuit alleges sensitive information could potentially be accessed or seized by the Chinese government. The data transmitted to the Chinese companies includes sensitive healthcare information, geolocation data, user and advertiser IDs, device activity data, and device hardware identifiers. Since the identifiers do not change, combining them with information about where they were observed would allow data collectors to reconstruct app users’ activities. Identifiers shared with the Chinese firms include Wi-Fi media access control (MAC) addresses, which are unique...

Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack
Jan26

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human-operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients. One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals, which was obtained by the hackers through Blackbaud’s donor management software solution. The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence. Blackbaud discovered the ransomware...

HIPAA Enforcement by State Attorneys General
Jan21

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules, and they can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right, in 2010, against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and for delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney General HIPAA cases were...

M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal
Jan15

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights. The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 and that involved the loss/theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen. The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and the second was of the provision that prohibits unauthorized disclosures of ePHI. HIPAA penalties are tiered and are based on the level of culpability, with the Office...

FTC Settles 2019 Consumer Data Breach Case with SkyMed
Dec18

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information. SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted. The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused....

Seasonal Worker Sentenced to 42 Months Imprisonment for Stealing Data from Healthcare.Gov Database
Dec17

A seasonal employee at a Virginia-based tech company that supported the Centers for Medicare & Medicaid Services (CMS) by operating contact centers that provided assistance with Medicare enrollment and other services has been sentenced to 42 months in jail for accessing patient records, stealing personally identifiable information (PII), and using the PII for financial gain. While working at a call center in Bogalusa, LA, Colbi Trent Defiore, 27, of Carriere, MS, accessed the protected health information of more than 8,000 individuals stored in the HHS healthcare.gov database without authorization, copied that information, and used it for criminal activity, including opening credit lines in individuals’ names. Defiore had been employed by the company on three occasions, in 2014, 2017, and 2018. He was discovered to have accessed records without authorization during his last employment period. The company had taken steps to ensure PII was protected and had provided training to all employees on how to handle that information securely. In...

Kalispell Regional Healthcare Proposes $4.2 Million Settlement to Resolve Data Breach Lawsuit
Dec07

The Montana-based healthcare provider Kalispell Regional Healthcare has proposed a $4.2 million settlement to resolve a lawsuit filed on behalf of victims of a data breach that was announced in October 2019. The lawsuit was filed shortly after the announcement that the protected health information of approximately 130,000 patients had been impermissibly disclosed as a result of a sophisticated phishing attack. Unauthorized individuals had gained access to several email accounts after employees responded to phishing emails and disclosed their login credentials. The attackers first gained access to the email accounts on May 24, 2019 and were able to continue to access the accounts for several months. The compromised email accounts contained PHI such as names, addresses, telephone numbers, dates of birth, medical record numbers, medical histories, Social Security numbers, and health insurance information. Around 250 Social Security numbers are known to have been stolen by the attackers. The lawsuit alleged Kalispell Regional Healthcare had failed to implement appropriate measures to...

Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach
Nov30

Mayo Clinic is facing multiple class action lawsuits over an insider data breach reported in October 2020. Mayo Clinic discovered a former employee had accessed the medical records of 1,600 patients without authorization and viewed information such as patient names, demographic information, dates of birth, medical record numbers, medical images, and clinical notes. The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered entities to implement safeguards to ensure the privacy, confidentiality, and integrity of protected health information and limits the disclosures and uses of that information when patient consent is not obtained. Healthcare employees are permitted to access PHI in the course of their work duties, but in this case the former employee had no legitimate work reason for viewing the records. The unauthorized access is in violation of the HIPAA Rules; however, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action for any HIPAA violation that results in their medical records being...

Zoll Sues IT Vendor for 277,000-Record Server Migration Data Breach
Nov13

A lawsuit has been filed in the US District Court in Massachusetts by the medical device vendor Zoll which alleges its IT service vendor, Campbell, CA-based Barracuda Networks, was negligent for botching a server migration which resulted in the exposure of the protected health information of 277,139 patients. The breach in question involved archived emails that were being migrated to a new email archiving service. A configuration error resulted in the exposure of those emails for more than 2 months between November 8, 2018 and December 28, 2020. The configuration error was corrected, but Zoll was not informed about the breach until January 24, 2019. The breach investigation revealed the exposed emails contained patient information such as names, contact information, birth dates, medical information, and for certain patients, Social Security numbers. Zoll had contracted with a company called Apptix – now Fusion Connect – in 2012 and entered into a business associate agreement to provide hosted business communication solutions. Apptix then entered into a contract with a...

$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit
Nov 9

A $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by a September 2019 ransomware attack on Ferguson Medical Group (FMG). FMG was acquired by Saint Francis after a cyberattack that rendered data, including electronic medical records, on FMG systems inaccessible. The decision was taken to restore the encrypted data from backups rather than pay the ransom, and while patient data and other files were recovered, it was not possible to recover all data encrypted in the attack. FMG was unable to restore a batch of data related to medical services provided to patients between September 20, 2018 and December 31, 2018, which has been permanently lost. FMG announced the incident impacted around 107,000 patients, and those individuals were offered complimentary membership to credit monitoring services. A class action lawsuit was filed against Saint Francis Healthcare in January 2020 in the U.S. District Court of Eastern Missouri which alleged negligence per se, breach of express and implied contracts, invasion of privacy, and violations of the...

Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules
Oct 6

A healthcare worker who was accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules and patient privacy by sending photographs of patients to unauthorized individuals has been cleared of any wrongdoing, following an investigation by federal law enforcement. A former acquaintance of the healthcare worker was discovered to have concocted a scheme to frame the healthcare worker for fictitious HIPAA violations and is now facing a prison sentence for making false statements. Jeffrey Parker, 43, of Richmond Hill, GA, concocted an elaborate scheme to frame the former acquaintance for violations of patient privacy. In U.S. District Court in the Southern District of Georgia, Parker pled guilty to one count of false statements and admitted creating fake email addresses and concocting information in an effort to harm a former acquaintance. Parker portrayed himself as a whistleblower and contacted the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the hospital where the healthcare worker was employed to make false allegations of...

Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties
Oct 1

The Indianapolis, IN-based health insurer Anthem Inc. has settled a multi-state investigation by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 43 states and Washington D.C. for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million. The settlements resolve violations of Federal and state laws that contributed to the data breach – the largest ever breach of healthcare data in the United States. The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. The breach was announced by Anthem in February 2015. A Chinese national and an unnamed...

Slew of Lawsuits Filed Over Recent Healthcare Data Breaches
Sep 25

Individuals impacted by the recent data breaches at Blackbaud, Assured Imaging, and BJC Healthcare have taken legal action over the exposure and theft of their personal and protected health information.

Multiple Lawsuits Filed Over Blackbaud Ransomware Attack

The data breach at Blackbaud is one of the largest ever breaches of healthcare data to be reported. It is currently unclear exactly how many healthcare entities have been affected, as each affected entity is reporting the breach separately. As the deadline for reporting approaches, the extent of the breach is becoming clearer. Currently, at least 5 million individuals are known to have been affected and around 60 healthcare organizations have confirmed they have been impacted by the breach. As is now common in ransomware attacks, data were exfiltrated by the hackers prior to the use of ransomware. Blackbaud paid the ransom demand to obtain the keys to decrypt data and to ensure that all stolen data were permanently deleted. Blackbaud has received assurances that the stolen data have been deleted, but as a result of the breach,...

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures
Sep 23

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days. The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals. CHSPSC LLC is a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule. On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed...

Member of The Dark Overlord Hacking Group Sentenced to 5 Years in Jail
Sep 23

The U.S. Department of Justice has announced that a member of the notorious hacking group, The Dark Overlord, has been sentenced to 5 years in jail and has been ordered to pay $1.4 million in restitution. The Dark Overlord hacking group started targeting U.S. organizations in 2016. The hackers gained access to the networks of companies via brute force attacks on Remote Desktop Protocol, then stole data from victim companies and threatened to sell the stolen data on criminal marketplaces if the ransom demand was not paid. The hackers issued ransom demands of between $75,000 and $350,000 in Bitcoin and issued multiple threats if the ransom was not paid. In some instances, individuals in the victim companies received personal threats against them and their family members via the telephone, email, and text messages. Victims of The Dark Overlord included accounting firms, healthcare providers, and other companies. Healthcare provider victims included Farmington, MO-based Midwest Orthopedic Group, Swansea, IL-based Quest Records, Prosthetics & Orthotics Care in St. Louis, and Athens,...

Express Scripts HIPAA-Based Lawsuit Dismissed by Court of Appeals
Sep 17

In 2019, a lawsuit was filed against Express Scripts by five independent pharmacies alleging improper use of patient data in violation of HIPAA. Express Scripts is the largest pharmacy benefits manager in the United States with its own retail pharmacies and pharmacy service. The five pharmacies were part of the Express Scripts network and were required to submit detailed claims to Express Scripts for processing and reimbursement before dispensing drugs. The pharmacies also needed to include information about the medications in their claims, along with the contact information of their customers. In the lawsuit, the pharmacies alleged that Express Scripts was in breach of contract and good-faith and fair-dealing covenants, and in violation of HIPAA and the HITECH Act. The pharmacies were required to provide Express Scripts with information about their customers, which it is alleged was then used to switch the customers to Express Scripts’ mail order service. The pharmacies alleged there was no need to supply that information to confirm coverage and for reimbursement. “The Pharmacies...

HealthAlliance Hospital and Ciox Health Facing Class Action Medical Records Lawsuit
Sep 11

A lawsuit has been filed against HealthAlliance Hospital and Ciox Health, its health record management vendor, for denying a widow access to her deceased husband’s medical records. Sherry Russell, 62, from Woodstock, NY, lost her husband of 42 years to lung cancer in October 2020. Mr. Russell visited HealthAlliance Hospital: Broadway Campus for a chest x-ray in March 2017 but lung cancer was not diagnosed. The cancer diagnosis came two years later when the tumor was 2 inches in diameter and it was too late to provide treatment. Mrs. Russell believes the radiologist failed to identify the tumor on the x-ray, resulting in a misdiagnosis. Had the tumor been found earlier, it is possible that treatment could have been provided in time to save her husband’s life. Mrs. Russell requested a copy of her husband’s medical records from HealthAlliance Hospital in order to obtain a copy of the chest x-ray report to support her malpractice lawsuit against the hospital over the failure to diagnose lung cancer; however, she has been unable to obtain a copy of the report. Under HIPAA, patients...

Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge
Sep 9

A potential class action lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach has been dismissed by a Federal judge. The lawsuit was filed in June 2019 in response to an alleged violation of HIPAA Rules related to a data sharing partnership between the University of Chicago Medicine and Google. In 2017, the University of Chicago Medicine sent the de-identified data of patients to Google as part of an initiative to use medical records to improve predictive analysis of hospitalizations, and by doing so, improve the quality of patient care. The aim of the partnership was to use machine learning techniques to identify when a patient’s health is declining, to allow timely interventions to prevent hospitalization. The University of Chicago Medicine sent hundreds of thousands of patient records dating from 2009 to 2016 to Google. The data shared with Google was de-identified but contained physicians’ notes and time stamps of dates of service. The lawsuit was filed by Edelson PC on behalf of lead plaintiff, Matt Dinerstein,...

Konica Minolta Settles EHR False Claims Case for $500,000
Sep 1

Konica Minolta Healthcare Americas Inc. has agreed to pay a $500,000 financial penalty to settle a case against its former subsidiary, Viztek LLC, to resolve False Claims Act violations related to its electronic health record (EHR) product. The American Recovery and Reinvestment Act of 2009 established the Medicare & Medicaid EHR Incentive Programs to encourage healthcare providers to adopt a certified EHR. Healthcare providers that adopted a certified EHR were entitled to claim incentive payments to offset the cost of purchasing the solution, provided they were able to demonstrate meaningful use of the EHR technology. Companies that developed and marketed EHR solutions were required to demonstrate that their products met the HHS-adopted criteria and obtain certification for their solutions. According to a Viztek whistleblower, a former product manager at the company, Viztek and Konica Minolta Healthcare had falsified testing results of the Viztek solution, EXA EHR, in 2015 and misrepresented the capabilities of the product. Konica Minolta acquired Viztek in October 2015 during...

Federal Judge Dismisses Heritage Valley Health System NotPetya Lawsuit Against Nuance Communications
Aug 24

In 2019, Beaver, PA-based Heritage Valley Health System filed a lawsuit against its vendor Nuance Communications over its NotPetya malware attack in 2017. The lawsuit was recently dismissed by a federal judge for the US District Court of the Western District of Pennsylvania. The NotPetya attacks occurred a short time after the WannaCry ransomware attacks in 2017 and targeted the same vulnerability in Windows Server Message Block (SMB). NotPetya encrypted the master boot record of infected computers, rendering them unusable. The attacks occurred in June 2017, more than three months after Microsoft released a patch to fix the SMB vulnerability that was exploited in the attacks. The cyberattack on Nuance Communications saw 14,800 servers and 26,000 workstations encrypted by NotPetya. The extent of the damage meant 7,600 servers and 9,000 workstations needed to be replaced. Heritage Valley Health System was also affected by the attack, with the investigation revealing the malware had spread to the health system’s computer network via a trusted virtual private network (VPN) connection...

Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge
Jul 23

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a Federal judge due to a lack of standing. Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, although it was not possible to rule out a data breach with 100% certainty so notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised. A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services. Judge R. Austin Huffaker Jr. stated in his...

Two Chinese Nationals Indicted for 10-Year Hacking Campaign on U.S. Organizations and Government Agencies
Jul 22

Two Chinese nationals have been indicted by the U.S. Department of Justice (DOJ) for targeting and hacking US companies, government agencies, and others to steal sensitive information, including COVID-19 research data. The hackers are alleged to have been working under the direction of the Chinese government and also hacking organizations for personal financial gain. Li Xiaoyu, 34, and Dong Jiazhi, 33, were trained in computer application technologies and have been operating as state-backed hackers for more than 10 years. The DOJ said the hackers were operating on behalf of China’s Ministry of State Security, the Guangdong State Security Department (GSSD), and other government agencies, as well as conducting their own attacks. The hackers have been accused of stealing more than a terabyte of intellectual property estimated to be worth hundreds of millions of dollars. The hackers were prolific and conducted sophisticated hacks on companies and organizations in the United States, Australia, Belgium, Germany, Japan, Lithuania, Spain, the Netherlands, South Korea, Sweden, and the...

Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack
Jul 7

It is becoming increasingly common for healthcare organizations to face legal action after experiencing a ransomware attack in which patient data is stolen. The Florida Orthopaedic Institute, one of the largest orthopedic providers in the state, is one of the latest healthcare providers to face a class action lawsuit over a ransomware attack. The ransomware attack was detected on April 9, 2020 when staff were prevented from accessing computer systems and data due to the encryption of files. A third-party computer forensics firm was engaged to assist with the investigation and determined on May 6, 2020 that the attackers may have accessed and exfiltrated patient data. A range of sensitive data was potentially compromised including names, dates of birth, Social Security numbers, and health insurance information. Affected patients were notified about the breach on or around June 19, 2020 and were offered complimentary identity theft and credit monitoring services for 12 months. At the time of issuing notifications, no evidence had been found to suggest patient data had been misused....

The California Consumer Privacy Act is Now Being Enforced
Jul 2

On July 1, 2020, enforcement of the California Consumer Privacy Act (CCPA) of 2018 began. The CCPA took effect on January 1, 2020 and all companies covered by the Act were given a 6 month grace period before compliance with the CCPA would be enforced, although compliance with the provisions of the Act has been mandatory since January 1, 2020. The grace period has now elapsed. California Attorney General Xavier Becerra confirmed there will be no delay to enforcement, even though dozens of requests were made by companies and trade associations asking for the grace period to be extended for a further 6 months due to the 2019 Novel Coronavirus pandemic. The requests were acknowledged but no extension was given. “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” said Attorney General Becerra in a statement to Forbes. “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security...

$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit
Jul 2

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data. The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court. The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the virus that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months. A ransom of $1 million was demanded by the attackers for the keys to decrypt the data. Grays Harbor had an insurance policy that provided cover of up to...

UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit
Jun 30

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed. The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees of its Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018. The second phishing attack was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018. The attackers had access to the email accounts for almost a month...

NY District Court Kicks Data Breach Lawsuit Against Episcopal Health Services Back to State Court
Jun 23

A lawsuit filed by patients of Uniondale, N.Y.-based Episcopal Health Services Inc., whose personal and protected health information was compromised in a phishing attack in 2018, has been kicked back to the New York State Supreme Court for further proceedings. The lawsuit alleges Episcopal Health Services had failed to protect the private information of its patients from unauthorized disclosures. As a result of those failures, Episcopal Health Services suffered a breach of some of its employee email accounts between August 28, 2018 and October 5, 2018. The email accounts contained a range of sensitive data including patients’ names, addresses, dates of birth, Social Security numbers, and financial information. The PHI of more than 218,000 patients was exposed in the email system breach. The lawsuit named three plaintiffs who were patients of St. John’s Episcopal Hospital. They claimed injuries had been suffered as a direct result of the disclosure of their confidential information. The lawsuit referenced the Health Insurance Portability and Accountability Act (HIPAA) and the...

Hacker Arrested and Charged Over 2014 UPMC Cyberattack
Jun 22

The United States Attorney’s Office of the Western District of Pennsylvania has announced a suspect has been arrested and charged over the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC). UPMC owns 40 hospitals and around 700 outpatient sites and doctors’ offices and employs over 90,000 individuals. In January 2014, UPMC discovered a hacker had gained access to a human resources server Oracle PeopleSoft database that contained the personally identifiable information (PII) of 65,000 UPMC employees. Data was stolen in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers. The suspect has been named as Justin Sean Johnson, a 29-year-old man from Michigan who previously worked as an IT specialist at the Federal Emergency Management Agency. Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts on May 20, 2020: one count of conspiracy, 37 counts of wire fraud, and 5 counts of aggravated identity...

New York Accounting Firm Facing Class Action Lawsuit Over Maze Ransomware Attack
Jun 12

Patients whose protected health information was stolen in a manual ransomware attack on the New York accounting firm BST & Co. CPAs LLC in late 2019 have taken legal action against the company. The lawsuit alleges BST & Co. was negligent for failing to take appropriate and reasonable steps to prevent the attack and did not provide prompt and accurate notice to affected patients. The lawsuit also alleges the company breached its fiduciary duty to protect sensitive patient information and violated state laws related to deceptive business practices. The ransomware attack was discovered by BST on December 7, 2019. The attack involved Maze ransomware and, prior to file encryption, the gang exfiltrated a range of data from the company and threatened to publish the data if the ransom was not paid. The gang then followed through with the threat and published sensitive data on its website when payment was not made. According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, the PHI of 170,000 individuals was potentially...

Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack
Jun 4

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year. Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks. Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to...

New Washington D.C. Data Breach Notification Law Takes Effect
May 29

On May 19, 2020, legislative changes to the Washington D.C. data breach notification law took effect. The changes were introduced in March and significantly updated existing breach notification requirements. There has been a major expansion of data classified as personal information that warrants breach notifications if subjected to unauthorized access and new data security requirements have been introduced. Prior to the change, notifications were required if personal information such as names, phone numbers, and addresses were exposed in combination with a Social Security number, driver’s license number, DC ID card, or credit/debit card number or if numbers and codes were breached that allowed credit or finance accounts to be accessed. The change has seen several other data elements added to the list. Breach notifications are now required if any of the following data is breached, even in the absence of a name if the data could be used for identity theft: medical information; health insurance information; genetic data and DNA profiles; biometric information; passport numbers; usernames...

Indiana Court of Appeals Reinstates Respondeat Superior Claim in HIPAA Breach Lawsuit
May 21

A patient who sued Parkview Health System Inc. after a medical assistant accessed her medical records and shared sensitive information with another individual has had her respondeat superior claim reinstated by the Indiana Court of Appeals. Haley SoderVick sued Parkview Health System after she was notified that a medical assistant had accessed her medical records and disclosed the information to her then husband. The medical assistant’s husband had posted a picture on Facebook that was liked by SoderVick, which prompted the disclosure. SoderVick had visited Parkview Health in October 2017 and underwent a medical examination in the OB/GYN department. While she was there, her medical records were accessed by the medical assistant, Alexi Christian. Christian texted her husband information about SoderVick, stating she was a patient at the facility, disclosed a potential diagnosis, and told her husband SoderVick was a dispatcher. She also told her husband that SoderVick was HIV-positive and had had more than 50 sexual partners, although both claims were false and that information had...

Legal Action Taken Against Lurie Children’s Hospital of Chicago Over Two Recent Data Breaches
May 19

Lurie Children’s Hospital of Chicago is facing legal action over two privacy breaches involving employees accessing the medical records of patients without consent. The lawsuit was filed on behalf of a mother and her 4-year-old child. On December 24, 2019, Lurie Children’s Hospital notified the mother that her daughter’s medical records had been accessed by a nursing assistant at the hospital when there was no legitimate work purpose for doing so. The employee had been discovered to be viewing patient records without authorization between September 10, 2018 and September 22, 2019. On May 4, 2020, the mother received a second letter explaining that her daughter’s medical records had been accessed without authorization by a different employee. In this case, the employee was discovered to have accessed patient records with no work reason for doing so between November 1, 2018 and February 29, 2020. In early 2019, the mother took her then 3-year-old child to the hospital for an examination as she suspected that her daughter may have been sexually abused. The mother sought legal...

Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches
May 1

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months. LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach. A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data. Raymond Eugenio holds shares in LabCorp which lost value as a...

$8.9 Million Banner Health Data Breach Settlement Gets Final Approval
Apr27

A settlement proposed by Banner Health to resolve a class action lawsuit filed on behalf of victims of its 3.7 million-record data breach in 2016 has received final approval from a Federal judge. The $8.9 million settlement was proposed in December 2019 to cover claims from victims of the breach and legal fees. Banner Health has also agreed to invest money to improve its cybersecurity defenses to prevent data breaches in the future. The Arizona-based health system was attacked by hackers via the payment processing system used in the food and beverage outlets in its hospitals. The system was connected to servers used to store the protected health information of patients. The hackers were able to access and steal a large quantity of highly sensitive patient data, including demographic information, Social Security numbers, health insurance information, and claims data from current and former Banner Health patients. The food and beverage system contained the credit and debit card numbers of around 30,000 customers. The data breach was the largest to be reported by a healthcare...

Tandem Diabetes Care Facing Class Action Lawsuit over January 2020 Phishing Attack
Apr17

The San Diego medical device manufacturer, Tandem Diabetes Care Inc., is facing a class action lawsuit in California over a January 2020 data breach that resulted in the exposure and possible theft of the protected health information of more than 140,000 individuals. The breach was the result of a phishing attack that gave unauthorized individuals access to the email account of an employee between January 17 and January 20, 2020. The information in the email account varied from patient to patient but included a range of private and confidential information including names, dates of birth, insurance information, billing information, healthcare data, and Social Security numbers. The incident was reported to the HHS’ Office for Civil Rights on March 17, 2020 as affecting 140,781 individuals. Notification letters started to be sent to those individuals the same day. The lawsuit was filed in the United States District Court in the Southern District of California and alleges violations of the Confidentiality of Medical Information Act (CMIA). The plaintiff and class members seek damages...

Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers
Apr13

The McHenry County Health Department in Illinois has been refusing to provide the names of COVID-19 patients to 911 dispatchers to protect the privacy of patients, as is the case with patients that have contracted other infectious diseases such as HIV and hepatitis. The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule permits disclosures of PHI to law enforcement officers, paramedics, and 911 dispatchers under certain circumstances, which was clarified by the HHS’ Office for Civil Rights in a March 24, 2020 guidance document, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities. In the document, OCR explained that “HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).” OCR also explained that “disclosing PHI such as patient names to first responders is...

$1 Million Settlement Agreed to Resolve American HomePatient Data Breach Lawsuit
Mar30

A $1 million settlement proposed by American HomePatient to resolve a class action lawsuit filed on behalf of victims of a 2017 data breach has received preliminary approval. The data breach that was the subject of the lawsuit occurred on January 6, 2017. The offices of American HomePatient in Delaware were burgled, and thieves stole several computers. The hard drives were not encrypted and contained sensitive information such as names, addresses, dates of birth, Social Security numbers, AHOM account information, financial information, diagnosis codes, and treatment information of 13,000 current and former patients and customers of American HomePatient and Lincare Holdings Inc. Following the breach, a class action lawsuit was filed on behalf of victims of the breach who claimed American HomePatient was negligent for failing to encrypt sensitive data and that, by failing to do so, the thieves had easy access to their sensitive information. The lawsuit also alleged invasion of privacy, breach of implied contract, negligence per se, unjust enrichment, breach of fiduciary duty, and a...

Law Firm Files Class Action Lawsuit After Being Charged Excessive Fees for Copy of Patient’s Medical Records
Mar18

A law firm is taking legal action against the healthcare release-of-information solution provider, Medical Records Online (MRO), for alleged overcharging for providing electronic copies of patients’ medical records. The lawsuit was filed by Cipriani & Werner of Pittsburgh in federal court in Camden, NJ. The lawsuit relates to MRO charges for providing a copy of a patient’s medical records for a personal injury case against the retailer Kohl’s, which the law firm represents. Cipriani & Werner obtained the medical records of the plaintiff in the suit from John F. Kennedy Medical Center, in Edison, NJ, and was charged $528 by MRO for 518 pages of the plaintiff’s medical records. The law firm was charged a $10 search fee and $1 per page, even though the records were provided electronically as a PDF file. Cipriani & Werner alleges MRO violated the New Jersey Declaratory Judgement Act by charging unlawful fees well in excess of the maximum limit. A claim was also made under the New Jersey Consumer Fraud Act for unconscionable commercial practices, and for a breach of New...

Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval
Mar04

A federal judge has given final approval of a settlement to resolve a class action lawsuit filed against the New Jersey-based medical laboratory company, Quest Diagnostics Inc., over its 2016 data breach. The $195,000 settlement provides up to $325 compensation for each breach victim. On November 26, 2016, hackers gained access to the Care360 MyQuest mobile app that is used by patients to store and share their electronic test results and make appointments. The health app contained names, dates of birth, telephone numbers, and lab test results which, for some patients, included their HIV test results. 34,000 patients were affected by the breach. A class action lawsuit was filed on behalf of patients affected by the breach in 2017. The lawsuit alleged Quest Diagnostics had been negligent and failed to protect the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that...

UW Medicine Faces Class Action Lawsuit Over 974,000-Record Data Breach
Feb24

Several lawsuits have been filed against healthcare organizations over data breaches in recent weeks, with University of Washington Medicine the latest to face legal action for exposing the protected health information of patients. The lawsuit has been filed over a December 2018 data breach that saw the personal information of 974,000 patients exposed over the internet as a result of a misconfigured server. The misconfigured server contained an accounting of disclosures database that included patient names, medical record numbers, a list of parties who had been provided with patient data, and the reason why that information was disclosed. Some individuals also had information exposed relating to a research study they were enrolled in, their health condition, and the name of a lab test that had been performed. For certain patients, sensitive information was exposed. According to the lawsuit, that included a patient’s HIV test-taking history and, in some cases, the patient’s HIV status. Social Security numbers, financial information, health insurance information, and medical records were not...

Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts
Feb21

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle. A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes. Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health. According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any...

Hackensack Meridian Health Faces Class-Action Lawsuit Over December Ransomware Attack
Feb19

A lawsuit has been filed against the New Jersey healthcare provider, Hackensack Meridian Health, over a December 2, 2019 ransomware attack that affected all 17 of its hospitals. The ransomware attack temporarily disrupted medical services while its systems were offline and access to medical records was prevented. Systems remained down for several days while data was recovered and systems were restored. Medical services continued to be provided, with staff reverting to pen and paper to record patient information. However, some non-emergent medical procedures had to be cancelled. Prompt action was taken to secure its systems and recover data, and physicians, nurses, and clinical teams worked round the clock to ensure patient safety was maintained during the attack and recovery process. In order to restore systems in the fastest possible timeframe and prevent ongoing disruption to medical services, the decision was taken to pay the ransom. Hackensack Meridian Health had a comprehensive insurance policy in place, which helped cover the cost of the ransom payment, and its remediation and...

Florida Clinic Worker Facing 22 Years in Jail for Wire Fraud and Aggravated Identity Theft
Feb05

A former medical clinic worker in Florida who impermissibly accessed the protected health information of patients and sold the information to identity thieves has pleaded guilty to wire fraud and aggravated identity theft. Stacey Lavette Hendricks, 49, of Leesburg, FL, had previously been employed as an administrative worker at several state medical clinics in Florida. Her role gave her access to the protected health information of patients. Hendricks used her access to steal patient information from the unnamed medical clinics, including names, dates of birth, and Social Security numbers. That information was sold to identity thieves for cash and was also used to defraud businesses. The United States Secret Service investigated the case. Hendricks was apprehended after she attempted to sell stolen patient information to an undercover law enforcement officer. A warrant was obtained to search her home and car, and law enforcement officers found patient information stolen from the clinics related to 113 different patients. Hendricks was charged in the United States District Court for...

Georgia Man Charged Over False Allegations of HIPAA Violations
Jan13

A Georgia man has been charged over an elaborate scheme to frame an acquaintance for violations of the Health Insurance Portability and Accountability Act (HIPAA) that never occurred. Jeffrey Parker, 43, of Richmond Hill, GA, claimed he was a whistleblower reporting HIPAA violations by a nurse. He reported the violations to the hospital where the person worked, and complaints were also sent to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI). Parker was also interviewed by Fox28Media in October 2018 and told reporters that the nurse had been violating HIPAA privacy laws for an extensive period. The nurse worked at an unnamed hospital in Savannah, GA, which was part of a health system that also operated healthcare facilities in Nashville, TN and other areas. She was alleged to have emailed graphic photographs of patients with traumatic injuries such as gunshot wounds to other individuals outside the hospital. In the Fox28Media interview, Parker explained that the sharing of images between employees and other individuals had been going on for a long time....

Second Lawsuit Filed Against Kalispell Regional Healthcare Over Phishing Attack
Jan03

A second lawsuit has been filed against Kalispell Regional Healthcare in Montana over a May 2019 phishing attack that saw the email accounts of some of its employees accessed by cybercriminals. Kalispell Regional Healthcare learned about the breach on August 28, 2019. The investigation revealed the hackers gained access to employee email accounts on May 24, 2019 and potentially accessed patient information. A forensic investigation revealed the accounts contained the protected health information of as many as 140,209 patients. According to Kalispell Regional Healthcare’s substitute breach notification on its website, the following information was compromised in the breach: Names, addresses, email addresses, telephone numbers, dates of service, treatment information, health insurance information, treating and referring physicians’ names, and medical bill account numbers. Kalispell Regional Healthcare said 250 or fewer patients had their Social Security number exposed. Patients affected by the breach were offered complimentary credit monitoring and identity theft protection services...

Georgia Supreme Court Overturns Ruling on Athens Orthopedic Clinic Data Breach Lawsuit
Dec27

A lawsuit filed against Athens Orthopedic Clinic over a June 2016 cyberattack by TheDarkOverlord has been revived by the Georgia Supreme Court. The cyberattack in question involved the theft of patient data from the clinic. A ransom demand was issued and the hacking group claimed the data would be returned if the ransom was paid. The clinic refused to pay the ransom and, in response, the hacking group claimed to have sold some of the data. Later, the hacking group published portions of the stolen data on Pastebin, where it was downloaded by others. Three victims of the data breach, Christine Collins, Paulette Moreland, and Kathryn Strickland, alleged that since their personal data had fallen into the hands of cybercriminals, was offered for sale on the dark net, and had been downloaded by some individuals, they were placed at risk of identity theft and other types of fraud. One of the plaintiffs, Christine Collins, alleged there were fraudulent charges made to her credit card shortly after the cyberattack and that she had to spend time getting those charges reversed. She also...

Lawsuit Filed Against DCH Health System Over October Ransomware Attack
Dec26

A lawsuit has been filed in the Western Division of U.S. District Court for the Northern District of Alabama against DCH Health System over a ransomware attack on October 1, 2019. The ransomware attack on the 3-hospital health system forced it to take its systems offline for a period of 10 days while systems were rebuilt and data was recovered. During that time, some non-emergency appointments had to be cancelled and patients experienced delays receiving treatment and, in some cases, had to seek medical services from other medical facilities in the state. It is the delay to treatment that has spurred the lawsuit. Four patients are named in the lawsuit and allege they have suffered harm as a result of the shutdown of its systems, which disrupted their daily lives and forced them to forego medical care and treatment or seek care and treatment from alternative facilities during the ten days when DCH Health System’s systems were offline. One of the plaintiffs, who filed on behalf of her daughter, was told that the ransomware attack was causing delays in the emergency room and that she...

Banner Health Agrees to Pay $6 Million to Settle Data Breach Lawsuit
Dec10

In June 2016, Banner Health suffered a data breach in which the protected health information of 2.9 million individuals was allegedly stolen by hackers. In August 2016, a class action lawsuit was filed by victims of the breach. A settlement has now been reached and Banner Health has agreed to pay $6 million to breach victims to resolve the lawsuit, according to documents filed in the U.S. District Court of Arizona on December 5, 2019. Plaintiffs alleged that the attack was financially motivated, and that hackers gained access to systems containing patient information and exfiltrated the protected health information of approximately 2.9 million individuals. The types of information stolen by the hackers included names, addresses, dates of birth, Social Security numbers, prescription information, medical histories and, for around 30,000 individuals, credit and debit card numbers. Individuals whose credit and debit card numbers were stolen had visited food and beverage outlets at Banner Health hospitals. Malware had been installed which exfiltrated card numbers when purchases were made. The hackers...

Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach
Dec05

Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients. The compromised email accounts contained patient information such as names, contact information, medical bill account numbers, medical histories, and health insurance information. Approximately 250 individuals also had their Social Security number exposed. The phishing attack occurred in May 2019, but it was not initially clear which, if any, patients had been affected. It took until August for forensic investigators to determine that patient information had potentially been compromised. All affected patients were notified, and the health system offered 12 months of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been compromised. One of the patients whose personal and health information was compromised, William Henderson, has now taken legal action over the data breach. The lawsuit was filed in Cascade...

Solara Medical Supplies Sued Over 114,000-Record Data Breach
Dec04

Solara Medical Supplies is facing legal action over a June 2019 data breach that saw the protected health information of more than 114,000 customers exposed and potentially stolen by an unauthorized individual who gained access to its email system. Solara Medical Supplies, a supplier of medical devices and disposable medical products, discovered the breach on June 28, 2019. While initially believed to involve one email account, an investigation revealed several Office 365 email accounts had been compromised for a period of around 6 weeks, starting on April 2, 2019. The types of information exposed as a result of the attack included names, addresses, birth dates, employee ID numbers, Social Security numbers, health insurance information, financial information, credit card/debit card numbers, passport details, state ID numbers, driver’s license numbers, password/PIN or account login information, claims data, billing information, and Medicare/Medicaid IDs. Customers affected by the breach were notified in November and were offered complimentary credit monitoring and identity theft...

Exposure to Extreme Content at Work Sees Former Facebook Employees Sue for Psychological Injuries
Dec04

Compensation is being sought by former Facebook content moderators who claim to have suffered psychological injuries as a direct result of exposure to extreme online content at work. Several employees have started legal action against Facebook, first in California and now in Ireland, where Facebook has its EMEA headquarters. In September 2019, the Personal Injuries Assessment Board in Ireland gave the go-ahead for former employees to take their case against Facebook to the High Court. The legal action started on December 4, 2019 against Facebook and CPL Resources, one of the third-party companies Facebook uses to provide its content moderators. Former Facebook content moderator Chris Gray is named as lead plaintiff. Facebook content moderators perform a vital job for the social media platform. The job involves viewing content that has been posted by Facebook users and determining whether the content should remain on the social network or be filtered out or deleted. Without their efforts, the social media platform would be awash with extreme content. According to Facebook’s...

Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge
Oct30

Following a November 2016 cyberattack at Quest Diagnostics that resulted in an unauthorized individual accessing and stealing the personal information and medical test results of 34,000 individuals, a class action lawsuit was filed by the breach victims. Quest Diagnostics proposed a $195,000 settlement to resolve the case. The settlement has recently been approved by a New Jersey district court judge. The types of information obtained by the hacker included names, phone numbers, dates of birth, and the results of medical tests, including HIV test results. The lawsuit alleged that Quest Diagnostics had violated New Jersey laws and had been negligent for failing to safeguard the sensitive health information of its clients, that Quest Diagnostics had breached its contract with clients, and that the company failed to provide timely notifications to patients informing them about the hacking incident and theft of their data. Quest Diagnostics maintains the claims are meritless, but the decision was taken to settle the lawsuit to avoid ongoing litigation and further legal costs. Under the terms of...

California Amends CCPA and Expands Definition of Personal Information Warranting Data Breach Notifications
Oct15

California Governor Gavin Newsom has signed a new bill that updates data breach notification law in California, expanding the definition of personal information requiring notifications in the event of a breach. Prior to the update, notifications were required if state residents had their Social Security number, driver’s license number, health information, financial information, or username/passwords compromised. The update means that entities that experience a breach involving passport numbers, tax ID numbers, military ID numbers, other unique government ID numbers, or biometric information will also need to issue data breach notifications. The law applies to data breaches where personal information has been obtained by an unauthorized person or is reasonably believed to have been obtained by an unauthorized individual. The bill – AB-1130 – was introduced by California Assemblyman Marc Levine (D) and was co-sponsored by California Attorney General Xavier Becerra. Governor Newsom signed the bill into law on October 11 and the bill will take effect on January 1, 2020....

New Data Breach Notification Requirements in Maryland for Health Insurers
Sep25

From October 1, 2019, providers of health insurance and associated services are required to notify the Maryland Insurance Administration (MIA) in the event of a breach of insureds’ personal information. The law change applies to health plans, health insurers, HMOs, managed care organizations, managed general agents and third-party health insurance administrators. The Compliance & Enforcement Unit at the MIA must be notified if the breach investigation determines there is a risk that insureds’ personal information has been or is likely to be misused. Personal information is defined as an individual’s first name or first initial and last name in combination with one or more of the following data elements, if those data elements are not encrypted, redacted, or otherwise unreadable: Social Security number, Individual Taxpayer Identification Number, passport number, other federal ID number, driver’s license number, State identification card number, health information, biometric data, or health insurance policy/certificate number, health insurance subscriber identification...

UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit
Sep02

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data. Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of information with third parties such as technology companies, provided consent is obtained from patients prior to information being shared. Alternatively, healthcare organizations can share patient information provided it is de-identified. Under HIPAA, that means removing 18 identifiers to ensure patients cannot be identified. HIPAA calls for one of two methods to be used to de-identify PHI: Expert determination or the safe harbor method. The latter involves stripping PHI of all 18 identifiers, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is...

Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages
Aug28

A class action lawsuit filed by victims of a June 2016 cyberattack on Athens Orthopedic in Georgia has gone before the Georgia Supreme Court to determine whether breach victims are entitled to recover damages. The cyberattack in question saw the personal information, Social Security numbers, and health insurance information of approximately 200,000 individuals stolen by the hacking group, Dark Overlord. The Dark Overlord has conducted numerous attacks on healthcare organizations in the United States over the past three years. Initially, attacks were conducted to steal sensitive data, which was subsequently sold on dark web marketplaces. More recently, attacks have involved data theft and extortion. A ransom demand is issued to breached entities that must be paid in order to prevent publication of the stolen data. Athens Orthopedic did not pay the ransom demand. The Dark Overlord gained access to Athens Orthopedic’s systems via an attack on a “nationally-known health care information management contractor,” the login credentials of which were used to steal patient data. Athens...

MU Health Patients Take Legal Action Over May 2019 Phishing Attack
Aug13

A lawsuit has been filed against University of Missouri Health Care (MU Health) over an April 2019 phishing attack. On May 1, 2019, MU Health learned that two staff email accounts had been compromised for a period of more than one week, starting on April 23, 2019. The email accounts contained a range of sensitive information including names, dates of birth, Social Security numbers, health insurance information, clinical and treatment information. MU Health’s investigation concluded on July 27 and notification letters were sent to individuals whose protected health information (PHI) had been exposed and potentially stolen. Approximately 14,400 patients had been impacted by the breach. The lawsuit was filed by MU Health patient Penny Houston around a week after the notifications were issued. The lawsuit states that, as a result of the breach, patients have been placed at an elevated risk of suffering identity theft and fraud. The types of data contained in the compromised accounts would allow criminals to steal identities, file fraudulent tax returns, and open financial accounts in...

Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case
Aug12

A preliminary settlement has been proposed by Allscripts Healthcare Solutions to resolve alleged violations of HIPAA, the HITECH Act’s electronic health record (EHR) incentive program, and the Anti-Kickback Statute related to the EHR company Practice Fusion, which was acquired by Allscripts in 2018. Prior to the acquisition, Practice Fusion had been investigated by the Attorney’s Office for the District of Vermont in March 2017 and had provided documentation and information. Between April 2018 and January 2019, the company received further requests for documents and information through civil investigative demands and HIPAA subpoenas. Then in March 2019, the company received a grand jury subpoena over a Department of Justice (DOJ) investigation into the business practices of Practice Fusion, potential violations of the Anti-Kickback Statute and HIPAA, and the payments received under the HHS EHR incentive program. Scant information has been released about the nature of the alleged violations by Practice Fusion. The proposed settlement will see Allscripts pay...

Read More
UnityPoint Health Data Breach Lawsuit Partially Dismissed by Federal Judge
Aug09

A class-action data breach lawsuit filed against UnityPoint Health has been partially dismissed by the US District Court for the Western District of Wisconsin. The lawsuit stems from a phishing attack on UnityPoint Health in February 2018. As a result of employees falling for phishing emails, the attackers were able to gain access to email accounts containing the protected health information (PHI) of 16,429 patients. The investigation into the breach showed access to patient data was first gained on November 1, 2017 and further email accounts were compromised up to February 7, 2018. The types of PHI in the compromised email accounts included names, contact information, diagnoses, medications, lab test results, and surgical information. Some patients also had their driver’s license number and/or Social Security number exposed. One month after the data breach was announced, four patients filed a lawsuit against UnityPoint Health claiming the company had mishandled the breach. The lawsuit also alleged UnityPoint Health had unnecessarily delayed the issuing of breach notification...

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement
Aug05

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records. US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the strength of the case against Premera and the likely cost of continued litigation. The settlement will see $32 million made available to victims of the breach to cover claims for damages, of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years. Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that...

New York Governor Signs SHIELD Act into Law
Jul30

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act has been signed into state law by New York Governor Andrew M. Cuomo. The Act improves privacy protections for state residents and strengthens New York’s data breach notification laws to ensure they maintain pace with current technology. The SHIELD Act – S5575B/A5635B – was signed into law on July 25, 2019 and takes effect in 240 days. The Act makes several changes to existing state privacy and data breach notification laws:

- The definition of covered entities has been broadened to include any person or entity that holds the private information of a New York State resident, irrespective of whether that person or entity does business in New York State.
- All businesses must “develop, implement and maintain reasonable safeguards” to ensure the confidentiality, integrity, and availability of personal information. Those measures should reflect the size of the business. The SHIELD Act includes a list of factors considered to be ‘reasonable security protections’.
- A written information security program must be developed...

Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case
Jul23

Equifax has agreed to settle its federal data breach case for a minimum of $575 million. The settlement could rise to $700 million and also requires considerable improvements to be made to enhance security and better protect consumer data. In 2017, Equifax experienced a colossal data breach in which the personal data of 147 million Americans was compromised. Names, dates of birth, addresses, and Social Security numbers were potentially stolen in the attack, and the breach victims now face an elevated risk of suffering identity theft and fraud. Equifax announced the breach in September 2017. In the two years that followed, Equifax was called before Congress on multiple occasions to explain how the breach occurred and how the response was being handled. Regulators also investigated Equifax to determine whether reasonable and appropriate security measures had been implemented to protect the vast amounts of consumer data stored on its network. The Federal Trade Commission (FTC) determined there had been security failures at Equifax that left the door...

Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine
Jul22

The GDPR data protection authority in the Netherlands – Autoriteit Persoonsgegevens – has issued its first GDPR data breach fine. Haga Hospital in The Hague has been fined €460,000 (approximately $516,000) for security failures that contributed to a privacy breach in 2018. The EU’s General Data Protection Regulation requires all entities that collect or process the personal data of EU citizens to implement appropriate security measures to ensure that information remains private and confidential. In the event of a data breach, the appropriate data protection authority must be notified within 72 hours and the breach will be investigated. In this case, the breach involved a single patient’s records – a well-known Dutch person. Those records were viewed, without authorization, by several employees at the hospital. The Dutch News website named the patient as Samantha de Jong, also known as ‘Barbie’. The GDPR investigation revealed the hospital had poor internal security controls for patient records, had failed to implement two-factor authentication, and was not regularly reviewing...

Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules
Jul19

New rules for hospitals have been implemented in Idaho that give patients new rights. The rules were implemented by the Idaho Department of Health and Welfare (IDHW) and are effective from July 1, 2019. The new rules were suggested by patient advocacy groups and “incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals,” according to IDHW. The policies align with the MyHealthEData initiative, which was launched in 2018 with the aim of removing the barriers to secure access to electronic medical records. Under previous state law, critical access hospitals (CAHs) were not required to comply with many of the regulatory conditions that applied to other healthcare providers. The new rules change that, which will mean new policies and procedures will need to be implemented by CAHs. That will come with a considerable administrative burden. The new rules apply to all hospitals in Idaho as well as any provider that renders services in hospitals. All hospitals and providers have been advised to check their policies...

Premera Blue Cross Settles Multi-State Action for $10 Million
Jul12

Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general. The settlement resolves alleged violations of state and federal laws that contributed to its 10.4 million record data breach in 2014. A hacker gained access to Premera’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers. Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit. Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of...

Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool
Jul04

A medical student is suing Marshall University and Cabell Huntington Hospital over the impermissible disclosure of some of his protected health information (PHI) to a class of students. The student, who is identified as J.M.A. in the lawsuit, claims his x-rays were used as a teaching tool by a professor at the Marshall University Joan C. Edwards School of Medicine, but information identifying J.M.A. as the patient had not been removed or redacted from the images. The matter had been brought to the attention of the university by another faculty member. On April 15, 2018, the dean of the medical school wrote to J.M.A. to inform him of the privacy violation. The university was unaware that the professor was using the image as a teaching tool. J.M.A. claims he has suffered shame, embarrassment, humiliation, and severe anxiety as a direct result of the disclosure of his identity. It is unclear how many people viewed J.M.A.’s x-rays and how many of those individuals disclosed what they saw to others. J.M.A. is represented by Troy N. Giatras, Matthew W. Stonestreet, and Phillip A. Childs of The...

UChicago Accused of Illegally Sharing Patient Data with Google
Jul01

A lawsuit has been filed by a former patient of UChicago Medicine who claims his medical records – and those of hundreds of thousands of other patients – have been shared with Google without authorization. UChicago Medicine, UChicago Medical Center, and Google have been named in the lawsuit. The suit claims patient information was shared with Google as part of a study aimed at advancing the use of artificial intelligence, but patient authorization was not obtained in advance and the data were not properly de-identified. In 2017, UChicago Medicine started sending patient data to Google as part of a project to look at how historical health record data could be used to predict future medical events. Patient data were fed into a machine learning system which attempted to make health predictions about patients. The HIPAA Privacy Rule does not prohibit such disclosures, but prior to patient health information being disclosed, patients must either give their authorization or the protected health information must first be de-identified – stripped of the 18 identifiers that allow protected health information...

Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation
Jun26

A former patient care coordinator at University of Pittsburgh Medical Center (UPMC) has received a 1-year jail term for accessing the medical records of patients and using that information to cause malicious harm. Sue Kalina, 62, of Butler, PA, had previously worked at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network as a patient care coordinator. On March 30, 2016, while employed by UPMC, Kalina first started accessing patients’ medical records without authorization. She continued to do so until June 15, 2017. Kalina accessed the records of friends, old classmates, and individuals that she had a grievance with. She used information from the medical records in a campaign of vengeance against her former employer, Frank J. Zottola Construction. Kalina had worked at the firm as office manager for 24 years before losing the position and being replaced by a younger woman. Kalina accessed that woman’s medical records and disclosed gynecological information about the woman to the Zottola controller in June 2017. Kalina also left a voicemail message in which the medical...

AMCA Parent Company Files for Chapter 11 Protection
Jun19

Following the massive data breach at American Medical Collection Agency (AMCA) which saw more than 20 million records compromised, AMCA’s parent company, Retrieval-Masters Creditors Bureau Inc., has filed for Chapter 11 protection. The data breach affected individuals who had received medical testing services from Quest Diagnostics, LabCorp, or BioReference Laboratories. Hackers gained access to the web payment portal used by AMCA and accessed and stole the sensitive personal and financial data of patients. The hackers had access to its payment page for more than 7 months before the breach was detected. The cost of recovering from a breach on this scale is considerable. So far, AMCA has mailed more than 7 million breach notification letters to affected individuals at a cost of $3.8 million. A further $400,000 has been spent on hiring IT consultants to assist with the breach response. The data breach caused a cascade of events that led to the bankruptcy filing. Retrieval-Masters Creditors Bureau CEO Russell Fuchs lent AMCA $2.5 million to help cover the cost of mailing the breach...

Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach
Jun14

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party. Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015. According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson. Deanna Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against Mortenson’s ex-husband in the custody battle. Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website and disclosed the information to Mortenson’s attorney, Gary Bradshaw. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules. After discovering that her...

AMCA Breach Sparks Flurry of Lawsuits and Investigations
Jun12

The dust has barely settled after the news of the massive data breach at American Medical Collection Agency (AMCA) broke last week, but already more than a dozen lawsuits have been filed by victims of the breach. The breach was officially announced by Quest Diagnostics on June 3, 2019 through an 8-K filing with the Securities and Exchange Commission (SEC), and by an SEC filing by LabCorp on June 4, 2019, shortly followed by BioReference Laboratories. Currently, the personal information of up to 20 million individuals has potentially been compromised. The data breach at AMCA was identified by security researchers at Gemini Advisory, who found a batch of 200,000 payment card numbers for sale on a popular darknet marketplace. The listing also included dates of birth and Social Security numbers. AMCA and law enforcement were notified, and systems were secured. However, the investigation revealed hackers had access to its web payment portal for 7 months. It would appear that the hackers behind the breach have at least made an effort to monetize some of the stolen data, so it is no surprise that there has been...

Oregon Updates Data Breach Notification Law to Include Vendors of Covered Entities
Jun07

Oregon has updated its breach notification laws and has broadened the definition of consumer information, updated the definition of covered entity, and expanded the law to cover vendors. The update (Senate Bill 684) renames The Oregon Consumer Identity Theft Protection Act as The Oregon Consumer Information Protection Act, which will come into effect on January 1, 2020. The update expands the definition of personal information to include usernames and other means of identifying a consumer which would allow access to be gained to a consumer’s account, along with any method used to authenticate a user. The definition of covered entity has been updated to “a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.” A vendor is defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing...

Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts
Jun06

Coffey Health System has agreed to a $250,000 settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims and HITECH Acts. The Kansas-based health system attested to having met HITECH Act risk analysis requirements during the 2012 and 2013 reporting period in claims to Medicare and Medicaid under the EHR Incentive Program. One of the main aims of the HITECH Act was to encourage healthcare organizations to adopt electronic health records. Under the then named Meaningful Use Program, healthcare organizations were required to demonstrate meaningful use of EHRs in order to receive incentive payments. In addition to demonstrating meaningful use of EHRs, healthcare organizations were also required to meet certain requirements related to EHR technology and address the privacy and security risks associated with EHRs. In 2016, Coffey Health System’s former CIO, Bashar Awad, and its former compliance officer, Cynthia McKerrigan, filed a lawsuit in federal court in Kansas against their former employer alleging violations of the False Claims Act. Both...

Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation
Jun06

The Supreme Court in Vermont has ruled that a patient can sue a hospital and one of its employees for a privacy violation, despite neither Vermont law nor HIPAA providing a private cause of action for privacy violations. The lawsuit alleges negligence over the disclosure of personal information that was obtained while the patient was being treated in the emergency room. The woman had visited the ER to receive treatment for a laceration on her arm. The ER nurse who provided care to the patient notified law enforcement that the patient was intoxicated, had driven to the hospital, and intended to drive home after receiving treatment. The nurse had detected an odor of alcohol on the patient’s breath. Using an alco-sensor, the nurse determined the patient had a blood alcohol content of 0.215. In Vermont, that blood alcohol level is more than two and a half times the legal limit for driving. A police officer in the lobby of the hospital was notified and the patient was arrested, although charges were later dropped. The woman subsequently sued the hospital and the employee for violating her...

$74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit
Jun04

In March 2015, the Seattle-based health insurer Premera Blue Cross announced it had experienced a major data breach that impacted around 10.6 million plan members. The breach occurred in 2014 and resulted in the theft of a broad range of data, including Social Security numbers, bank account information, and health data. The cyberattack is thought to have been conducted by an APT group operating out of China. Shortly after the data breach was announced, several class action lawsuits were filed seeking damages for victims of the breach. More than 40 of those class action lawsuits were consolidated into a single class action lawsuit in the United States District Court in Oregon. The lawsuit alleged the cybersecurity practices at Premera Blue Cross were insufficient and vulnerabilities were exploited by threat actors to gain access to the sensitive information of its plan members. Premera Blue Cross has made the decision to settle the lawsuit and a $74 million settlement has been proposed. Under the terms of the settlement, Premera Blue Cross will pay $32 million to victims of the...

HHS Confirms When HIPAA Fines Can be Issued to Business Associates
May27

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules. On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly which HIPAA violations could result in a financial penalty for a business associate. Business associates of HIPAA covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list. You can download the HHS Fact Sheet on direct liability of business associates on this link.

Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the...

Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker
May13

A lawsuit has been filed against Atchison Hospital in Kansas by a rape victim who alleges an x-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital. According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties. Despite being against the patient’s wishes and a violation of the HIPAA Privacy Rule, information about the examination was disclosed to her attacker by a female X-ray technician at the hospital. The x-ray technician also told the man that he had been accused of sexually assaulting the patient. Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff. A complaint was filed with the hospital over...

Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records
May10

Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc. have been charged by the U.S. Department of Justice. Fujie Wang, 32, and an unnamed man have been charged in a 4-count indictment in relation to the Anthem cyberattack and theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015. “The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.” The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer. According to the indictment, the international hacking scheme saw Wang and...

Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation
May02

An Arizona man who sued Costco over a privacy violation and had the lawsuit dismissed by the trial court has had the decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence based on a violation of the Health Insurance Portability and Accountability Act (HIPAA). The privacy violation in question occurred in 2016. The man had received a sample of an erectile dysfunction drug in January 2016 and received a telephone call from Costco letting him know that his full prescription was ready to be collected. The man cancelled the prescription but when he contacted the pharmacy a month later about a separate prescription, he discovered the cancellation had not been processed. He then cancelled the prescription for a second time but, again, the prescription was not cancelled. The man subsequently authorized his ex-wife to collect his regular prescription. While at the pharmacy, the pharmacist joked with his ex-wife about the uncollected erectile dysfunction prescription. The man was attempting to reconcile with his ex-wife at the time. The...

Class Action Lawsuit Filed Over Baystate Health Phishing Attack
May01

In February 2019, Baystate Health experienced a phishing attack that resulted in the exposure of the protected health information (PHI) of 12,000 patients. On April 11, a class action lawsuit was filed on behalf of individuals affected by the breach. The lawsuit was filed by attorney Kevin Chrisanthopoulos in the U.S. District Court in Springfield, MA, three days after Baystate Health announced the breach. The lawsuit alleges plaintiffs now face an elevated risk of identity theft and fraud as a result of the phishing attack and seeks monetary damages for all patients whose PHI was exposed. Upon discovery of the breach, Baystate Health secured its email system and launched an investigation. The investigation revealed the email accounts of nine employees had been compromised as a result of employees responding to phishing emails. The email accounts were subjected to unauthorized access and, as a result, the attacker(s) potentially gained access to patients’ PHI. For most patients, the information exposed was limited to names, birth dates, diagnoses, treatment information, and...

New Washington Breach Notification Law Unanimously Passed by Legislature
Apr24

A new data breach notification law (HB 1071 / SB 5064) has been unanimously passed by the Washington legislature and awaits Washington Governor Jay Inslee’s signature. The law broadens the definition of personal information and shortens the timescale for issuing notifications to 30 days. Currently, data breach notification laws in Washington only require entities to issue notifications in the event of a breach of a state resident’s name along with a Social Security number, state ID, driver’s license number, or credit/debit card number. The updated breach notification law will also require notifications to be issued in the event of a breach of the following data elements:

- Full date of birth
- Military ID numbers
- Biometric data
- Passport ID numbers
- Student ID numbers
- Medical histories
- Health insurance ID numbers
- Usernames and email addresses in combination with a password or answers to security questions that would allow an account to be accessed
- Keys for electronic signatures

With the exception of online account credentials, the new data elements could be classed as personal...

Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million
Apr23

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017. Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted. The drives contained the types of information sought by identity thieves: names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project. While the hard drives were stolen, Washington State University maintains there are no indications any data stored on the...
