The HIPAA Journal legal news section contains details of the latest enforcement activities by the Department of Health and Human Services’ Office for Civil Rights, including settlements and civil monetary penalties, and legal actions taken against covered entities by state attorneys general.

You will also find brief details of class action lawsuits and other legal actions filed against covered entities for HIPAA violations, privacy violations, and data breaches, along with other legal news specifically relating to HIPAA or other legal matters of particular relevance to the healthcare industry.

Changes to HIPAA Rules are detailed in the HIPAA Updates category, although this section does include updates to state legislation, in particular any changes to breach notification and cybersecurity laws that are relevant to healthcare organizations.

New York Hospital Sued for Disclosing Patient’s HIV Status to Employer
Sep 14

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged HIPAA violations over a 2014 impermissible disclosure of a patient’s HIV positive status to his employer. St. Luke’s Hospital had faxed a document to the mailroom of the patient’s employer, rather than sending the information to a post office box as requested by the patient via...

CareFirst Data Breach Lawsuit May be Heading to the Supreme Court
Sep 14

In June 2014, hackers succeeded in gaining access to a database maintained by CareFirst BlueCross BlueShield and the protected health information of 1.1 million of its members. The types of information exposed as a result of the hack included names, email addresses, dates of birth, and subscriber ID numbers. Lawsuits were filed following the breach, with the plaintiffs seeking damages for the elevated risk of identity theft and fraud...

Healthcare Industry Tops List for Class Action Data Breach Lawsuits
Sep 13

In 2016, the healthcare industry faced the most class-action data breach lawsuits, according to a new analysis of data breach lawsuits by the law firm, Bryan Cave, LLP, although the risk of litigation following a breach is still relatively low. To produce the 2017 data breach litigation report, Bryan Cave conducted a comprehensive review and analysis of all class action lawsuits filed by victims of data security breaches in 2016. The...

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients
Aug 31

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. Details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses, in a recent mailing. The letters related to pharmacy benefits and information on how HIV medications could be received. As a...

Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware
Aug 24

For the first time in 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws,...

$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching
Aug 10

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement. Yesterday, New York Attorney General Eric T. Schneiderman announced a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York...

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses
Aug 09

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient. Jessie’s Law takes its name from Michigan resident Jessica Grubb who was in recovery from opioid abuse when she underwent surgery....

Maryland Data Breach Notification Law Updated
Aug 07

Maryland data breach notification law has been updated, with the definition of personal information now expanded. The current data breach notification statute in Maryland does not include health insurance information or data covered under the definition of the Health Insurance Portability and Accountability Act (HIPAA), although from January 1, 2018 that will change. Maryland data breach notification law – specifically the Maryland...

CareFirst Can Be Sued for Breach, Rules Court of Appeals
Aug 02

The D.C. Circuit Court of Appeals has ruled that CareFirst can be sued for a 2014 data breach that saw the PHI of more than 1 million members exposed and potentially stolen. Following the announcement of the data breach, a lawsuit was filed by seven plaintiffs to recover damages, although in August last year the case was dismissed by a district court judge for lack of standing. The plaintiffs alleged that the breach had occurred as a...

Massive Healthcare Fraud Takedown Sees 412 Charged for $1.3 Billion in Fraudulent Billings
Jul 19

Last week, the United States Department of Justice announced the largest healthcare fraud action to date. 412 individuals were charged, including 115 doctors, nurses and other medical professionals, for their roles in healthcare fraud schemes. 120 doctors and other medical professionals were charged for prescribing opioids and other dangerous narcotics. The HHS has also initiated suspension actions against 295 doctors, nurses and...

Indiana Senate Passes New Law on Abandoned Medical Records
Jul 13

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information. HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and...

Pair Charged with Identity Theft in Relation to WVU Medicine Breach
Jun 27

A federal grand jury has charged a former healthcare worker and her accomplice with identity theft, aggravated identity theft, bank fraud and producing false documents. The charges relate to the theft of PHI from WVU Medicine University Healthcare. Angela Dawn Roberts, 41, of Stephenson, VA had previously worked at WVU Medicine Berkeley Medical Center, where she is alleged to have accessed the WVU Medicine University Healthcare...

World’s Largest Data Breach Settlement Agreed by Anthem
Jun 26

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information. A breach on that...

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG
Jun 19

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc. until January 2017 to issue breach notifications. An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth,...

MDLive Privacy Lawsuit Voluntarily Dismissed
Jun 06

The MDLive privacy lawsuit filed by law firm Edelson PC on behalf of plaintiff Joan Richards over alleged privacy violations has been voluntarily dropped without any settlement paid. The lawsuit was filed following an alleged discovery that screenshots were repeatedly taken by MDLive and were passed to third-party Israeli firm Test Fairy. Test Fairy had been contracted to perform quality control checks and debugging services....

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine
May 11

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure in a press release issued by MHHS in September 2015. Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area....

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations
Apr 26

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients. App users are required to enter a range of sensitive information into the MDLive app; however, the complainant alleges that during the first 15 minutes of use, the app takes an average of...

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million
Apr 24

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine. A $2.5 million settlement has been agreed with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote...

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr 13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified...

Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status
Mar 24

A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status. The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived. In contrast to many healthcare data breach lawsuits that are filed following...

Court of Appeals Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft
Jan 24

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi. The incident which led to the lawsuit occurred...

Hospital Employee Jailed for Credit Card Theft
Dec 12

An employee of Banner Boswell Hospital in Sun City, AZ has been arrested and jailed for stealing credit card details from hospital patients. Filip Chudziak, 40, of Surprise, AZ was charged with identity theft, fraudulent schemes, and fraudulent use of credit cards by the Maricopa County Sheriff’s Office this weekend following an investigation into credit card fraud by Maricopa County detectives. The offenses were committed over a...

21st Century Cures Bill Sails Through Senate
Dec 08

Last week, the House of Representatives unanimously voted in favor of the 21st Century Cures Act. Yesterday, the bill sailed through the Senate with a vote of 94-5. All that remains is for President Obama to add his signature to the bill, which is expected to happen in the next few days. President Obama has already said he is happy to sign the new bill. The bill will provide funding for a number of initiatives that are intended to...

21st Century Cures Act Unanimously Passed by House
Dec 01

The 21st Century Cures Act has been passed by the House of Representatives with a vote of 392-26. One Democrat and twenty Republicans voted against the bill. The legislation will now go to the Senate for the vote, which will take place early next week. The legislation was passed by the House last year, although the bill failed in the Senate in July 2015. Numerous revisions have been made since last summer and this time around the 21st...

HIPAA Breach Class-Action Dismissed for Lack of Evidence of Harm
Sep 23

A class-action data breach lawsuit – Cox v. Valley Hope Association – has been dismissed by the U.S. District Court for The Western District of Missouri Central Division for lack of standing. In February 2016, Valley Hope Association, a healthcare organization providing drug, alcohol, and addiction treatment services, alerted patients to a breach of ePHI that occurred on December 30, 2015. The PHI of more than 52,000 patients...

Banner Health Class-Action Claims 12 Months ID Theft Protection is Insufficient Reparation
Aug 10

Following a healthcare data breach, a class-action lawsuit is almost guaranteed to be filed. This time the newsprint has barely dried, yet a class-action lawsuit has already been filed against Banner Health Network. The suit has not been filed by a patient, but on behalf of a former Banner Health physician whose information was exposed in the 3.7 million-record breach reported last week. The suit was filed three days after the breach...

CareFirst Inc. Data Breach Lawsuit Dismissed for Lack of Standing
Jul 15

A class-action data breach lawsuit filed against CareFirst Inc., and CareFirst of Maryland Inc., following the 1.1 million-record data breach of 2015 – and a second breach in 2014 – has been dismissed by a Maryland federal court for lack of standing. The lawsuit, which was filed by two plaintiffs – Scott Adamson and Pamela Chambliss – was dismissed by Judge Richard Bennett after the pair were unable to allege facts...

House Passes Mental Health Reform Bill (Without the HIPAA Changes)
Jul 14

A mental health bill that aims to improve mental healthcare in the United States has been passed by the House. The bill – H.R. 2646 – which was first introduced three years ago, was intended to usher in sweeping changes to improve the treatment of mental illness in the United States. While the bill was passed with an overwhelming majority of 422-2 last Wednesday, a number of the more contentious issues needed to be removed...

Philadelphia Business Associate Agrees to $650,000 OCR Settlement
Jun 30

On June 24, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) published details of a resolution agreement that was reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS has agreed to settle alleged HIPAA violations with the OCR and has agreed to implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS is the sole corporate...

Criminal HIPAA Case: Conviction for Respiratory Therapist
Jun 28

A former respiratory therapist has been convicted on criminal HIPAA violations by a federal jury in Ohio. The jury agreed with prosecutors that the protected health information of patients was wrongly obtained and that PHI was used to seek and obtain intravenous prescription drugs. Jamie Knapp was employed as a respiratory therapist at the ProMedica Bay Park Hospital in Oregon, Ohio. Over a period of 10 months Knapp improperly...
