Dedicated to providing the latest
HIPAA compliance news

The HIPAA Journal legal news section contains details of the latest enforcement activities by the Department of Health and Human Services’ Office for Civil Rights, including settlements and civil monetary penalties, and legal actions taken against covered entities by state attorneys general.

You will also find brief details of class action lawsuits and other legal actions filed against covered entities for HIPAA violations, privacy violations, and data breaches, along with other legal news specifically relating to HIPAA or other legal matters of particular relevance to the healthcare industry.

Changes to HIPAA Rules are detailed in the HIPAA Updates category, although this section does include updates to state legislation, in particular any changes to breach notification and cybersecurity laws that are relevant to healthcare organizations.

3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group
Nov 22

A man linked to the hacking group TheDarkOverlord has been sentenced to serve three years in jail for fraud and blackmail offenses, although not for any cyberattacks or extortion attempts related to The Dark Overlord gang. Nathan Wyatt, 36, from Wellingborough, England, known online as the Crafty Cockney, pleaded guilty to 20 counts of fraud by false representation, a further two counts of blackmail, and one count of possession of a false identity document with intent to deceive. Last week, at Southwark Crown Court, Wyatt was sentenced to serve three years in jail by Judge Martin Griffiths. At the sentencing hearing, Judge Griffiths suggested Wyatt was responsible for many more crimes than those pursued via the courts. Some of those offenses are related to TheDarkOverlord. In September last year, Wyatt was arrested for attempting to broker the sale of photographs of Pippa Middleton, which had been obtained from a hack of her iPhone. Pippa Middleton is the sister of the Duchess of Cambridge. The charges in relation to that incident were dropped and Wyatt maintains he...

5 Year Jail Term Upheld for Clinic Worker Who Stole PHI
Nov 15

A clinic worker who stole the protected health information of mentally ill patients and sold the data to identity thieves has failed to get his 5-year jail term reduced. Jean Baptiste Alvarez, 43, of Aldan, PA, stole daily census sheets from the Kirkbride Center, a 267-bed behavioral health care facility in Philadelphia. The census sheets contained all the information needed to steal the identities of patients and submit fraudulent tax returns in their names – names, Social Security numbers, dates of birth and other personally identifiable information. Alvarez had the opportunity to steal the data undetected, as the floor where the sheets were kept did not have security cameras. Alvarez was paid $1,000 per census sheet by his co-conspirators, who used the information to submit 164 fraudulent tax returns in the names of the patients, resulting in a loss of $232,612 in tax revenue for the IRS. In early 2016, Alvarez was found guilty of conspiracy to defraud, misuse of Social Security numbers, and aggravated identity theft. The latter carried a minimum sentence of 2 years. The...

Can a Patient Sue for a HIPAA Violation?
Nov 07

Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules. So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws. In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information....

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG
Nov 03

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. The aim of the act is to protect New Yorkers from needless breaches of their personal information and to ensure they are notified when such breaches occur. The program bill, which was sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to improve protections for New York residents without placing an unnecessary burden on businesses. The introduction of the SHIELD Act comes weeks after the announcement of the Equifax data breach which impacted more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase in breaches from the previous year. Attorney General Schneiderman explained that New York’s data security laws are “weak and outdated” and require an urgent update. While federal laws require some organizations to implement data security controls, in New York, there are no...

Employees Sue Lincare Over W2 Phishing Attack
Oct 23

In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data. The W2 forms of thousands of employees were emailed to a fraudster by an employee of the human resources department. The HR department employee was fooled by a business email compromise (BEC) scam. While health data was not exposed, names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker. This year has seen an uptick in W2 phishing scams, with healthcare organizations and schools extensively targeted by scammers. The scam involves the attacker using a compromised company email account – or a spoofed company email address – to request copies of W2 forms from HR department employees. Cyberattacks that result in the sensitive data of patients and consumers being exposed often result in class action lawsuits, although it is relatively rare for employees to take legal action against their employers. Lincare is one of few companies to face a lawsuit for failing to protect employee data. Three former...

Termination for Nurse HIPAA Violation Upheld by Court
Oct 19

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’ The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician.

Alleged Improper Disclosure of Sensitive Health Information

Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked...

Former Nurse Convicted of Theft of Patient Information and Tax Fraud
Oct 16

A former nurse from Midway, FL has been convicted of wire fraud, theft of government funds, possession of unauthorized access devices and aggravated identity theft by a court in Tallahassee. 41-year-old Tangela Lawson-Brown was employed as a nurse in a Tallahassee nursing home between October 2011 and December 2012. During her time at the nursing home, Lawson-Brown stole the personal information of 26 patients, although she was discovered to have a notebook containing the personal information of 150 individuals. According to a press release issued by the United States Attorney’s Office for the Northern District of Florida, Lawson-Brown’s husband was arrested in January 2013 and items were seized from Lawson-Brown’s vehicle by the Tallahassee Police Department, including the notebook. The police investigation revealed that in 2011, Lawson-Brown used the stolen credentials to file fraudulent tax returns in the names of 105 individuals, including 24 patients of the nursing home. Lawson-Brown filed claims totaling more than $1 million. The IRS detected many of the claims as fraudulent,...

Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement
Oct 02

The 2016 SAManage USA data breach that saw the Social Security numbers of 660 Vermont residents exposed online has resulted in a settlement of $264,000 with the Vermont Attorney General. In 2016, SAManage USA, a technology company that provides business support services, failed to secure an Excel spreadsheet relating to the state health exchange, Vermont Health Connect. The spreadsheet was attached to a job ticket that was part of the firm’s cloud-based IT support system and was assigned a unique URL. The URL could theoretically have been guessed by anyone and accessed via a web browser without any need for authentication. The spreadsheet was also indexed by the Bing search engine and was displayed in the search results. Bing also displayed a preview of the contents of the spreadsheet, which clearly displayed names and Social Security numbers. Vermont Attorney General T.J. Donovan said a Vermont resident found the spreadsheet via the search engine listings and reported the breach to his office, triggering an investigation. The Vermont Attorney General’s office contacted AWS and...

New York Hospital Sued for Disclosing Patient’s HIV Status to Employer
Sep 14

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged HIPAA violations over a 2014 impermissible disclosure of a patient’s HIV positive status to his employer. St. Luke’s Hospital had faxed a document to the mailroom of the patient’s employer, rather than sending the information to a post office box as requested by the patient via his Authorization for Release of Medical Information form. The hospital, formerly known as the Spencer Cox Center for Health, also faxed the PHI of another patient to an office where he volunteered. St. Luke’s Hospital agreed to pay OCR $387,000 to resolve the case. St. Luke’s Hospital also agreed to a corrective action plan that required a review of its policies and procedures concerning PHI disclosures and further training of its employees. St. Luke’s Hospital accepted a mistake was made and the measures being undertaken will help to ensure similar incidents do not occur in the future. However, the hospital has refused to enter into a settlement...

CareFirst Data Breach Lawsuit May be Heading to the Supreme Court
Sep 14

In June 2014, hackers succeeded in gaining access to a database maintained by CareFirst BlueCross BlueShield and the protected health information of 1.1 million of its members. The types of information exposed as a result of the hack included names, email addresses, dates of birth, and subscriber ID numbers. Lawsuits were filed following the breach, with the plaintiffs seeking damages for the elevated risk of identity theft and fraud they faced as a result of the breach. In 2016, the U.S. District Court for the District of Columbia dismissed one putative class action lawsuit against CareFirst – Chantal Attias vs. Carefirst, Inc. – for lack of standing. Further complaints were also dismissed by two federal district courts. However, on August 1, 2017, the case was revived when the U.S. District Court for the District of Columbia allowed the case to proceed, even though there was not a concrete, identifiable injury to plaintiffs. CareFirst submitted a motion for a stay to allow an appeal to be filed with the Supreme Court. Last week, U.S. District Court for the...

Healthcare Industry Tops List for Class Action Data Breach Lawsuits
Sep 13

In 2016, the healthcare industry faced the most class-action data breach lawsuits, according to a new analysis of data breach lawsuits by the law firm, Bryan Cave, LLP, although the risk of litigation following a breach is still relatively low. To produce the 2017 data breach litigation report, Bryan Cave conducted a comprehensive review and analysis of all class action lawsuits filed by victims of data security breaches in 2016. The report explains that while there is always a threat of legal action being taken by data breach victims, the risk of a company facing litigation following a data breach is fairly low due to the difficulty plaintiffs have in establishing that an injury has been caused. Year over year, there was a slight (7%) increase in class action lawsuits filed against companies that have experienced a data breach, although there was a fall in the number of breaches that resulted in lawsuits. The report shows only 3.3% of data breaches in 2016 resulted in class action lawsuits compared to between 4% and 5% in previous years. In total, 76 class actions were filed in 2016 as a result...

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients
Aug 31

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. Details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses, in a recent mailing. The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed. Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused....

Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware
Aug 24

For the first time in 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws, with California also requiring the provision of credit monitoring services to breach victims. Breach victims must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach. The new law also requires companies operating in the state to implement “reasonable” security measures to safeguard personal information – Delaware is the 14th state to require companies to adopt security measures to ensure sensitive information is protected. The definition of ‘personal information’ has also been expanded and now includes usernames/email addresses in combination with a...

$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching
Aug 10

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement. Yesterday, New York Attorney General Eric T. Schneiderman announced a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York and 32 other states. Nationwide will pay a total of $5.5 million, $103,736.78 of which will go to New York State. The settlement will cover the costs of the investigation and litigation, with the remaining funds used for consumer protection law enforcement and other purposes. The investigation was launched following a 2012 breach of the sensitive data of 1.27 million individuals, some of whom were customers, although many had only obtained quotes from Nationwide and its subsidiary and did not go on to take out insurance policies. In 2012, hackers infiltrated Nationwide’s systems and stole the personal information of consumers along with highly...

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses
Aug 09

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient. Jessie’s Law takes its name from Michigan resident Jessica Grubb who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addiction for seven years, but prior to surgery had been clean for 6 months. Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use. The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed...

Maryland Data Breach Notification Law Updated
Aug 07

Maryland data breach notification law has been updated, with the definition of personal information now expanded. The current data breach notification statute in Maryland does not include health insurance information or data covered under the definition of the Health Insurance Portability and Accountability Act (HIPAA), although from January 1, 2018 that will change. Maryland data breach notification law – specifically the Maryland Personal Information Protection Act – requires breach notification letters to be sent to all Maryland residents affected by a breach of personal information. Those notifications must be issued as soon as it is practicable to do so, but no later than 45 days after the discovery of a data breach that has resulted in personal information being misused or if it is likely that data could be misused. The current definition of personal information includes a Maryland resident’s first and last name or initial and last name along with either a driver’s license number, Social Security number, financial account number, credit or debit card number (with a security...

CareFirst Can Be Sued for Breach, Rules Court of Appeals
Aug 02

The D.C. Circuit Court of Appeals has ruled that CareFirst can be sued for a 2014 data breach that saw the PHI of more than 1 million members exposed and potentially stolen. Following the announcement of the data breach, a lawsuit was filed by seven plaintiffs to recover damages, although in August last year the case was dismissed by a district court judge for lack of standing. The plaintiffs alleged that the breach had occurred as a result of the carelessness of CareFirst, and as a direct result of that carelessness, they faced an increased risk of suffering identity theft and fraud. The district court judge dismissed the case as the plaintiffs failed to establish harm, or a significant threat of future harm. The judge explained that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.” However, the three-judge panel overturned the previous ruling, stating that the interpretation of the law was ‘unduly narrow’ and explaining that all the plaintiffs were required to establish at that...

Massive Healthcare Fraud Takedown Sees 412 Charged for $1.3 Billion in Fraudulent Billings
Jul 19

Last week, the United States Department of Justice announced the largest healthcare fraud action to date. 412 individuals were charged, including 115 doctors, nurses and other medical professionals for their roles in healthcare fraud schemes. 120 doctors and other medical professionals were charged for prescribing opioids and other dangerous narcotics. The HHS has also initiated suspension actions against 295 doctors, nurses and pharmacists. The charges aggressively targeted individuals responsible for fraudulent Medicare, Medicaid and TRICARE billings, although this year also saw a focus on doctors and other medical professionals who have been fueling the opioid epidemic by illegally distributing opioids and other powerful narcotics. Approximately 91 Americans lose their lives each day due to opioid overdoses. The bust was a joint operation by the Department of Justice, FBI, Medicaid Fraud Strike Force, DEA, U.S. Attorney’s Office and the Department of Health and Human Services. A joint announcement about the bust was made by Attorney General Jeff Sessions and HHS Secretary Tom...

Indiana Senate Passes New Law on Abandoned Medical Records
Jul 13

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information. HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit, and when PHI is no longer required, covered entities must ensure it is disposed of securely. For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data; purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or...

Pair Charged with Identity Theft in Relation to WVU Medicine Breach
Jun 27

A federal grand jury has charged a former healthcare worker and her accomplice with identity theft, aggravated identity theft, bank fraud and producing false documents. The charges relate to the theft of PHI from WVU Medicine University Healthcare. Angela Dawn Roberts, 41, of Stephenson, VA had previously worked at WVU Medicine Berkley Medical Center, where she is alleged to have accessed the WVU Medicine University Healthcare database to obtain sensitive patient information in order to steal the identities of patients. Court documents indicate names, addresses, dates of birth, Social Security numbers and driver’s license numbers were accessed and manually copied onto paper, with printouts of driver’s licenses also made. Angela Roberts is alleged to have disclosed the information to her accomplice, Ajarhi Savimi Roberts, 24, of Stephens City, VA. Ajarhi Roberts used the information to open bank accounts and obtain credit cards in victims’ names and used the accounts to steal thousands of dollars. The crimes occurred between March 1, 2016, and Jan. 31, 2017. The pair, who also used...

World’s Largest Data Breach Settlement Agreed by Anthem
Jun 26

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information. A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever – substantially higher than the $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50-million-record breach in 2014. After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in...

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG
Jun 19

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc. until January 2017 to issue breach notifications. An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details. The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual. However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of...

MDLive Privacy Lawsuit Voluntarily Dismissed
Jun 06

The MDLive privacy lawsuit filed by law firm Edelson PC on behalf of plaintiff Joan Richards over alleged privacy violations has been voluntarily dropped without any settlement paid. The lawsuit was filed following an alleged discovery that screenshots were repeatedly taken by MDLive and were passed to third-party Israeli firm Test Fairy. Test Fairy had been contracted to perform quality control checks and debugging services. However, the plaintiff alleged that the sending of screenshots, which contained sensitive information entered by users of MDLive, was a violation of patient privacy. Following the filing of the lawsuit on April 18, 2017, MDLive published a fact sheet explaining its relationship with the Israeli firm, stating the allegations were false, that there had not been a data breach and no HIPAA Rules had been violated. MDLive also said in the fact sheet that no data had been shared with unauthorized third parties. Some data had been disclosed to authorized third parties, although those firms were bound by contractual obligations and had agreed only to use data...

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine
May 11

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure in a press release issued by MHHS in September 2015. Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September, a patient visited an MHHS clinic and presented a fraudulent identification card to hospital staff. The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules. However, the following action taken by the hospital was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patient’s name in the title of the press release. That press release was approved before release by MHHS senior management, even though naming the patient...

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations
Apr26

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients. App users are required to enter in a range of sensitive information into the MDLive app; however, the complainant alleges that during the first 15 minutes of use, the app takes an average of 60 screenshots and that those screenshots are sent to an Israeli company called Test Fairy, which conducts quality control tests for MDLive. The lawsuit alleges patients are not informed that their information is disclosed to a third-party company, and that all data entered into the app can be viewed by MDLive employees, even though there is no reason for those employees to be able to view the data. Users of the app enter their medical information during setup in order to find local healthcare providers. The types of information entered by users includes sensitive data such as health conditions, recent medical procedures, behavioral health histories,...

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million
Apr 24

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine. A $2.5 million settlement has been agreed with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Settlements have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures. In this case, the settlement relates to a data...

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr 13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to MCPN personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients. OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from...

Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status
Mar 24

A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status. The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived. In contrast to many healthcare data breach lawsuits that are filed following cyberattacks by hackers, this incident involved an insider. A phlebotomist employed at Flowers Hospital – Kamarian Millender – stole non-hospital records stored at the hospital. The information in those records was used to file fraudulent tax returns in the names of 124 individuals over two years. Millender was arrested in 2014 and was found to be in possession of 54 patient records. Millender was subsequently charged with trafficking stolen identities and aggravated identity theft and pled guilty to stealing 73 identities for the purpose of filing fraudulent tax returns. In total, prosecutors alleged tax returns totaling around $536,000 were submitted...

Court of Appeals Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft
Jan 24

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi. The incident which led to the lawsuit occurred between November 1 and 3, 2013. Two unencrypted laptop computers containing the personal information of 839,000 plan members were stolen from Horizon BCBS’s headquarters in Newark, NJ. Stored on the laptops were names, addresses, birth dates, Social Security numbers, medical histories, demographic data, lab test results, insurance information, and other care-related data. Four plaintiffs – Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell Rindner – are named on the lawsuit, which was filed on behalf of themselves and other customers whose personal information was exposed. The complainants maintain that the laptop computers were targeted...

Hospital Employee Jailed for Credit Card Theft
Dec 12

An employee of Banner Boswell Hospital in Sun City, AZ has been arrested and jailed for stealing credit card details from hospital patients. Filip Chudziak, 40, of Surprise, AZ was charged with identity theft, fraudulent schemes, and fraudulent use of credit cards by the Maricopa County Sheriff’s Office this weekend following an investigation into credit card fraud by Maricopa County detectives. The offenses were committed over a period of three months. Potentially fraudulent transactions were reported to law enforcement by Joe Bob’s Outfitters in Kansas and were also reported to the Hays City Police Department by multiple patients who had noticed fraudulent charges on their credit card statements. Chudziak’s role at Banner Boswell Hospital involved moving patients and their possessions while they were receiving treatment at the hospital. Chudziak allegedly used his access to patients’ possessions to obtain their credit cards. He then used those details to make online purchases at Joe Bob’s Outfitters. Using his mother-in-law’s name and a number of different billing addresses, Chudziak...

21st Century Cures Bill Sails Through Senate
Dec 08

Last week, the House of Representatives unanimously voted in favor of the 21st Century Cures Act. Yesterday, the bill sailed through the Senate with a vote of 94-5. All that remains is for President Obama to add his signature to the bill, which is expected to happen in the next few days. President Obama has already said he is happy to sign the new bill. The bill will provide funding for a number of initiatives that are intended to hasten the development of new cures and medical devices to treat cancer and other diseases. The bill makes more funds available for mental health treatment as well as for programs to tackle the growing problem of opioid abuse in the United States. $500 million per year will be made available for the latter to prevent new cases of opioid abuse and to fund treatment programs for addicts. The bill had originally called for changes to be made to the Health Insurance Portability and Accountability Act to improve data sharing for research purposes. By classifying research under healthcare operations, it would have been possible for the identifiable protected...

21st Century Cures Act Unanimously Passed by House
Dec 01

The 21st Century Cures Act has been passed by the House of Representatives with a vote of 392-26. One Democrat and twenty Republicans voted against the bill. The legislation will now go to the Senate for the vote, which will take place early next week. The legislation was passed by the House last year, although the bill failed in the Senate in July 2015. Numerous revisions have been made since last summer and this time around the 21st Century Cures Act is expected to be passed by the Senate, although not unanimously. Some senators are certain to vote against the legislation, including Senators Bernie Sanders (I-Vt.) and Elizabeth Warren (D-Mass.). Both strongly oppose the changes that have been made to the legislation to appease the pharmaceutical industry. The main purpose of the $6.3 billion bill is to advance medical innovation. A sizable chunk of cash will be given to a number of programs introduced by the Obama administration. NIH will receive $4.8 billion in funding over the next 10 years, which will go towards programs such as the cancer moonshot research project, the...

HIPAA Breach Class-Action Dismissed for Lack of Evidence of Harm
Sep 23

A class-action data breach lawsuit – Cox v. Valley Hope Association – has been dismissed by the U.S. District Court for the Western District of Missouri, Central Division, for lack of standing. In February 2016, Valley Hope Association, a healthcare organization providing drug, alcohol, and addiction treatment services, alerted patients to a breach of ePHI that occurred on December 30, 2015. The PHI of more than 52,000 patients was exposed when an unencrypted laptop computer was stolen from the vehicle of an employee. The data stored on the device included the personal and treatment information of 52,076 patients. While the laptop computer required a password to access the data, the device was not encrypted. After being notified of the breach, plaintiff Robert Cox filed the suit in Missouri state court on March 17, 2016. Cox and other members of the putative class sought damages for the exposure of personal information and increased risk of identity theft. In the suit, Cox claimed Valley Hope Association breached its fiduciary duty, breached its contract, violated the state...

Banner Health Class-Action Claims 12 Months ID Theft Protection is Insufficient Reparation
Aug 10

Following a healthcare data breach, a class-action lawsuit is almost guaranteed to be filed. However, the newsprint has barely dried, yet a class-action lawsuit has already been filed against Banner Health Network. The suit has not been filed by a patient, but on behalf of a former Banner Health physician whose information was exposed in the 3.7 million-record breach reported last week. The suit was filed three days after the breach was announced. Law firm Hagens Berman Sobol Shapiro filed the lawsuit on behalf of Dr. Howard Chen, a former ophthalmologist at Banner Thunderbird Hospital in Glendale, Arizona. Chen used his Banner Health insurance while employed at the hospital between 2010 and 2013 and is concerned that his information was obtained by the hackers. The lawsuit is not being filed to recover damages related to identity theft, but in order to obtain compensation to cover the cost of paying for credit monitoring and identity theft protection services. Banner Health has offered these services to all affected individuals, but only for a period of 12 months. Dr. Chen’s...

CareFirst Inc. Data Breach Lawsuit Dismissed for Lack of Standing
Jul 15

A class-action data breach lawsuit filed against CareFirst Inc., and CareFirst of Maryland Inc., following the 1.1 million-record data breach of 2015 – and a second breach in 2014 – has been dismissed by a Maryland federal court for lack of standing. The lawsuit, which was filed by two plaintiffs – Scott Adamson and Pamela Chambliss – was dismissed by Judge Richard Bennett after the pair were unable to allege facts sufficient to support the case. The pair alleged CareFirst had been negligent for failing to protect its computer hardware, resulting in the exposure of plan members’ names, ID numbers, and dates of birth. While any health insurer data breach could potentially place plan members at risk of harm or loss, in this case no Social Security numbers, credit card numbers, or financial information were exposed. The plaintiffs did not allege that their personal information had actually been used, but claimed their personal information had value and its exposure placed them at an increased risk of harm or loss. However, there was some doubt as to the amount of...

House Passes Mental Health Reform Bill (Without the HIPAA Changes)
Jul 14

A mental health bill that aims to improve mental healthcare in the United States has been passed by the House. The bill – H.R. 2646 – which was first introduced three years ago, was intended to usher in sweeping changes to improve the treatment of mental illness in the United States. While the bill was passed with an overwhelming majority of 422-2 last Wednesday, a number of the more contentious issues needed to be removed from the bill. One of the sticking points dropped from the bill was the proposed changes to the Health Insurance Portability and Accountability Act (HIPAA). The bill introduces a number of important changes that will improve mental health care; however, the proposed changes to HIPAA were opposed by a number of Democrats and Republicans. In order for the bill to be passed, the HIPAA changes had to be dropped. In its original form, the bill would have changed HIPAA Rules to permit healthcare providers to share mental health data about patients with their caregivers. Instead, the Department of Health and Human Services is now required to clarify the law...

Philadelphia Business Associate Agrees to $650,000 OCR Settlement
Jun 30

On June 24, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) published details of a resolution agreement that was reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS has agreed to settle alleged HIPAA violations with the OCR and to implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS is the sole corporate parent of six nursing facilities – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing facilities. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules. In February 2014, each of the six nursing facilities submitted a breach notice to the OCR regarding a breach of ePHI. On April 17, 2014, the OCR launched an investigation into the breach. A large number of OCR investigations into ePHI breaches have revealed failures to comply with HIPAA administrative safeguards – specifically 45...

Criminal HIPAA Case: Conviction for Respiratory Therapist
Jun 28

A former respiratory therapist has been convicted of criminal HIPAA violations by a federal jury in Ohio. The jury agreed with prosecutors that the protected health information of patients was wrongly obtained and that the PHI was used to seek and obtain intravenous prescription drugs. Jamie Knapp was employed as a respiratory therapist at the ProMedica Bay Park Hospital in Oregon, Ohio. Over a period of 10 months, Knapp improperly accessed the medical records of 596 patients. Knapp was permitted access to patient records in order to conduct her work duties; however, she was only permitted access to the records of patients she was treating. Knapp abused her access rights and viewed the PHI of other patients without authorization, according to the prosecution. Sentencing has been tentatively scheduled for October and Knapp could be jailed for up to a year. It is relatively rare for individuals to be tried for HIPAA violations, even when violations of the Health Insurance Portability and Accountability Act clearly appear to have taken place. Criminal convictions are even rarer. In order...

Nurse Charged with Bank Fraud: HIPAA Breach Trial for Respiratory Therapist
Jun 23

Healthcare workers can face lengthy jail terms and heavy fines for improperly accessing patient health information. This week, a nurse has been charged with fraud and identity theft and the trial of a respiratory therapist has commenced in Toledo. If found guilty, both could spend time behind bars.

Virginia Nurse Charged with Bank Fraud and Identity Theft

A nurse formerly employed at Commonwealth Primary Care in Richmond, VA, has been charged with bank fraud and identity theft and is expected to plead guilty to the charges at a plea agreement hearing scheduled for Friday morning. Capri Williams worked at the West End branch of Commonwealth Primary Care for almost a year. During that time, she is believed to have accessed and copied the protected health information of hundreds of patients. Williams is alleged to have used patient information to fraudulently open bank and credit accounts in patients’ names. Williams has also been accused of making a fraudulent transfer of over $4,000 from one of the patients’ credit cards. According to WTVR, Commonwealth Primary Care received a...

Anthem Data Breach Lawsuit Heading for Trial
Jun 06

Following the mammoth 2015 data breach at Anthem Inc., around 100 lawsuits were filed by plan members seeking damages for the exposure of their protected health information. In June last year, the lawsuits were consolidated and moved to the Northern District of California and are being presided over by the Honorable Lucy H. Koh. The cyberattack on Anthem was the largest healthcare data breach ever reported, involving approximately 37 million records and affecting close to 78.8 million individuals. The persons responsible for the cyberattack have not been identified, although the security breach is widely believed to have been a state-sponsored attack by Chinese hackers. Class-action lawsuits are often filed by data breach victims following the exposure of personally identifiable information, although the cases are usually dismissed unless there is concrete evidence of actual harm or losses being suffered by the victims. However, the huge data breach case has survived motions to dismiss and looks set to be heading to trial. Last week, Koh indicated the latest motion by the defense...

Class-Action Lawsuit Filed Against Sharp Grossmont Hospital for Video Privacy Breach
May 30

A class-action lawsuit has been filed against San Diego’s Sharp Grossmont Hospital for breaching the privacy of thousands of patients during and after a covert surveillance operation into drug theft at the hospital. Sharp Grossmont Hospital had installed hidden cameras in monitors in all three emergency rooms in the hospital in an attempt to obtain video evidence against a physician who was under investigation for the alleged theft of the sedative drug Propofol from operating room drug carts. While it was not the intention of the hospital to film patients, video clips were recorded of patients giving birth and undergoing other medical procedures. According to the lawsuit, approximately 15,000 videos were captured in total, of which 6,966 have been retained by the hospital. The hospital first installed the cameras in July 2012 as part of a year-long investigation into drug theft. The hidden cameras contained motion sensors which were triggered when individuals entered the operating rooms. The investigation ended in June 2013 and the cameras were removed. According to the lawsuit,...

ACLU Claims Myriad Genetics Violated HIPAA Rules by Withholding Genetic Data
May 24

Late last week, a complaint was filed with the Department of Health and Human Services’ Office for Civil Rights by the American Civil Liberties Union after Myriad Genetics refused to provide four patients with copies of their full genetic records – an alleged breach of the HIPAA Privacy Rule. The patients in question had undergone genetic tests to assess hereditary risk for bladder, breast, and ovarian cancer. Myriad provided the patients with details of the genetic factors which were deemed to be significant and useful for healthcare providers. However, the data provided to the patients did not include information about all of the genetic variants Myriad’s testing had uncovered. The patients requested copies of all of their genetic data that was held by Myriad Genetics, including the genetic variants that Myriad deemed not to pose a risk to the patients. Myriad refused to provide copies saying the patients were not entitled to copies of the withheld data. It was claimed that the withheld data was not part of the designated record set which Myriad is required to provide to patients...

Engineer Indicted on Charges of Trade Secret Theft from Medical Device Companies
May 20

The United States Department of Justice has charged an engineer with the theft and possession of trade secrets belonging to two medical device manufacturers. 43-year-old Wenfeng Lu of Irvine, California, was indicted on 12 charges by a grand jury on Wednesday this week. Lu is alleged to have stolen proprietary trade secrets from EV3 Covidien while employed at the company between January 2009 and October 2011, and from Edwards Lifesciences Corp., where he was employed between November 2011 and November 2012. Lu is alleged to have stolen information and emailed the confidential data to his personal email account. It has also been alleged that Lu took photographs of equipment and copied company reports, presentations, emails, and test results. Lu visited the People’s Republic of China (PRC) on multiple occasions after obtaining the data. It is alleged that Lu was attempting to set up his own company with associates in the PRC and planned to use the trade secrets to manufacture medical devices there. Lu was arrested by the FBI in 2012 while preparing to board a plane bound for the PRC. Lu was...

Illinois Data Breach Notification Law Updated
May 20

Illinois’ data breach notification law has been updated, broadening the definition of personal information and changing the timescale for notifying the Attorney General of data breaches. A breach notification will need to be issued if a person’s full name, or last name and initial, is exposed in combination with any of the following data elements:

- Driver’s license number
- Social Security number
- Credit or debit card number
- Biometric data
- Usernames and email addresses (along with passwords or other data that would allow access to accounts to be gained)
- Medical information
- Health insurance information

Notifications will not be required if a breach occurs and the data are encrypted, or if the exposed data are publicly available. The new law specifically mentions health insurance information, which includes a subscriber ID number, health insurance policy number, or any other unique identifier used to identify an individual. Any medical data provided to a health insurer in an application, appeals records, or claims history is also included in the new definition. The exposure of information relating...

Data Breach Class-Action Lawsuit Denied by Penn. Superior Court
May 05

A proposed class-action lawsuit filed against two health plans for the exposure of members’ protected health information has been rejected by the Pennsylvania Supreme Court. Avrum Baum filed a lawsuit against Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in 2010 following the loss of a flash drive containing the data of approximately 286,000 patients. One of the patients affected by the data breach was Baum’s special needs daughter. Baum claimed in the suit that the loss of the device violated the privacy rights of patients. He also claimed the health plans had been negligent by failing to protect the data of patients, and that the health plans had inaccurately told patients that their protected health information (PHI) was secured. Baum claimed that deceptive practices were used, which violated the Uniform Trade Practices and Consumer Protection Law (UTPCPL). In July 2013, the class-action lawsuit was denied by a trial judge because Baum could not show that his daughter’s PHI was stored on the device, and because the case did not have standing, as Baum had not purchased his...

Chicago Hospital Council Files Lawsuit to Prevent Deletion of Patient Data
Apr 28

A lawsuit has been filed against Sandlot Solutions, Inc., and its parent company Santa Rosa Consulting by the MCHC-Chicago Hospital Council in an attempt to prevent the deletion of more than 2 million patient records from Sandlot’s servers. The MCHC-Chicago Hospital Council (MCHC), which includes over 30 area hospitals, operates the MetroChicago Health Information Exchange (HIE). The HIE was formed to allow all participating hospitals to quickly and easily share patient health information and ensure that up-to-date medical records of patients could always be obtained by doctors and healthcare professionals. The HIE contains patient data collected over the past seven years. The HIE is hosted by healthcare information technology company Sandlot Solutions, Inc. On March 28, 2016, Sandlot notified MCHC that it would be winding down its operations and would soon be going out of business. Sandlot is alleged to have shut down access to the HIE a day later. MCHC was also advised that Sandlot would be deleting all HIE data from its servers within 24 hours of providing the council with a...

New York Hospital Fined $2.2 Million for Unauthorized Filming of Patients
Apr 22

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from the patients. In 2011, an ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed, including a dying man and another patient who was seriously distressed. The footage was aired in 2012. Authorization to film had been given by NYP, although not all patients gave their consent to be filmed. One of the patients was Mark Chanko. He had been rushed to hospital after being hit by a sanitation truck. He was filmed receiving treatment from chief surgery resident Sebastian Schubl. Despite the best efforts of Schubl, Chanko died from the injuries sustained in the accident. Chanko had not given NYP permission to film him. To hide his identity, ABC used blurring and voice alteration software. This did not prevent the crew from viewing Chanko’s PHI and it was not sufficient to hide his identity from...

Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA
Apr 20

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a settlement has been reached with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. OCR launched an investigation into a data breach reported by Raleigh Orthopaedic on April 30, 2013. Raleigh Orthopaedic had agreed to provide a potential business associate (BA) with X-ray films in order to have the images transferred to a digital format. The company was allowed to recycle the original films to recover the silver after the images had been transferred to an electronic format. However, the agreement was reached over the telephone and no BAA was obtained. Prior to providing the company with the X-rays, Raleigh Orthopaedic should have issued a BAA and obtained a signed copy. The BAA should have detailed the responsibilities the company had to ensure...

Lawsuit Filed Against Facebook and Cancer Sites for Alleged HIPAA Violation
Apr 15

A lawsuit has been filed in Federal Court in San Jose, California by cancer patients who allege they have had their privacy violated after visiting the websites of cancer institutes. The plaintiffs claim that the websites of some cancer institutes contain secret code that captures data and passes the information to Facebook for marketing purposes. After visiting the websites, the plaintiffs claim they have been served advertisements relating to very specific types of cancer. It is alleged that in order for those advertisements to be served, Facebook must have been provided with site search data and the specific webpages that were visited. The lead plaintiff in the case, Winston Smith, claims to have visited cancer.org, a website of the American Cancer Society. Smith conducted searches on the site for information on lung cancer and claims those searches, and information about the webpages he visited, were provided to Facebook, which used the information to serve him targeted adverts. Smith claims that Facebook’s privacy policy does not specifically mention that highly sensitive medical...

California Ransomware Bill Passed by State Senate Committee
Apr 15

California Senator Bob Hertzberg introduced a new bill (Senate Bill 1137) in February which proposes an amendment to the penal code in California to make it a crime to knowingly install ransomware on a computer. The bill has now been passed by the Senate’s Committee on Public Safety, taking it a step closer to being introduced into the state legislature. The bill must now go before the state Senate Appropriations Committee, after which it will be considered by both houses. Currently, state law in California covers crimes relating to computer services including “knowingly introducing a computer contaminant,” as well as extortion, the latter being defined as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.” Under existing laws, extortion is punishable with a prison term of 2, 3, or 4 years. Ransomware is covered under current laws, although Senator Hertzberg believed an update was necessary given the extent to which ransomware is now being used to extort money from businesses. FBI figures suggest that in the first 3 months of...

Federal Court Rules Data Breach Covered by CGL Insurance Policy
Apr 14

A federal appeals court ruled this week that Travelers Insurance has a duty to defend Portal Healthcare Solutions in a class-action lawsuit filed by patients whose medical records were exposed on the Internet in 2013. The lawsuit was filed following the exposure of 2,300 patients’ medical records in 2012/2013. The records were stored on a computer server that could be accessed over the Internet, and the data of some patients had been indexed by search engines. Two patients filed a class-action lawsuit after discovering their data could be accessed via Google. The patients claimed they both searched for their own names on Google and the first links that appeared were for their medical records. Both were patients of Glen Falls Hospital in New York. The lawsuit was filed against Portal Healthcare Solutions, which was contracted by Glen Falls Hospital to store patients’ medical records. The server on which doctors’ notes were stored should have been secured; however, a configuration error resulted in the data being left unprotected. The files were accessible due to a misconfigured...

Anthem’s Request to Access Breach Victims’ Computers Denied
Apr13

Following any significant breach of protected health information, HIPAA covered entities can expect breach victims to file lawsuits to recover damages. Last year’s 78.8 million-record data breach at Anthem Inc. is no exception. Over 100 lawsuits have been filed by plaintiffs to recover damages. Some of the suits are speculative, with plaintiffs attempting to recover damages for the increased risk of harm they now face, although some breach victims are claiming to have suffered actual losses as a result of the Anthem data breach. It is not surprising that the insurer’s legal team has attempted to determine whether the victims have actually suffered losses as a direct result of the Anthem breach. In 2015, over 113 million healthcare records were exposed or stolen. The majority of those records were stolen in the Anthem data breach, but it is conceivable that identity theft could have resulted from another healthcare – or non-healthcare – data breach, from a lack of basic security measures applied by the victims, or from the inadvertent installation of malware on victims’...

21st Century Oncology Patients Seek Damages After PHI Exposure
Mar25

Earlier this month, 21st Century Oncology reported a hacking incident that resulted in the exposure of 2,213,597 individuals’ protected health information (PHI). The security breach, which was discovered by the FBI in November last year, exposed patients’ Social Security numbers, health information, and insurance data. All affected patients were offered a year of credit monitoring and protection services without charge. According to 21st Century Oncology’s substitute breach notice, in the four months since the discovery of the data breach, no evidence has been uncovered to suggest the data have been used inappropriately.

Four Class-Action Lawsuits Filed in the Past 3 Weeks

Three weeks have passed since the announcement of the data breach and already four class action lawsuits have been filed against 21st Century by patients affected by the breach. Damages of $15 million are currently being sought for the failure to protect patients’ data from unauthorized access. The cancer care provider has also been accused of unjust enrichment, breach of implied covenant of good faith and fair...

St. Joseph Health Settles Class Action Data Breach Lawsuit
Mar15

St. Joseph Health System has settled a class action lawsuit filed by two plaintiffs for the breach of 31,800 patient health records that took place in 2012. A settlement of $15 million will be split between patients and attorneys, with $7.5 million going to patients and $7.5 million covering attorneys’ fees and legal costs. All patients affected by the breach will receive a check for $242. A $3 million fund has also been set up to cover identity theft losses that resulted from the exposure of patient health data. Each patient can potentially claim up to $25,000 if they can demonstrate they have suffered losses as a result of the data breach. The data breach in question lasted almost a year and affected patients from a number of hospitals and medical centers run by St. Joseph Health, including Queen of the Valley Medical Center in Napa, Santa Rosa Memorial Hospital, Petaluma Valley Hospital, St. Jude Medical Center in Fullerton, the Auxiliary of Mission Hospital in Mission Viejo and Laguna Beach, Redwood Memorial Hospital of Fortuna, and Saint Joseph Hospital of Orange and Eureka. Full...

Healthcare Cyberattack Suspect Arrested After Being Rescued at Sea
Feb19

A suspected hacktivist has been arrested after being rescued at sea off the coast of Cuba. Martin Gottesfeld, 31, from Somerville, Mass., is suspected of orchestrating two DDoS attacks on the computer network of a hospital in Boston last year, understood to be the Boston Children’s Hospital. Gottesfeld, who was under investigation for the cyberattacks, is believed to have recently fled Massachusetts to escape arrest. His home was searched by the FBI in October 2014 in connection with the distributed denial of service attack on the Boston Children’s Hospital that occurred in April 2014. Somerville Police Department had recently been alerted to the disappearance of Gottesfeld and his wife after reports were received from concerned relatives and friends that the pair had not been seen for several weeks. Last week the police department visited Gottesfeld’s apartment to conduct a well-being check, but no one was home. Just a few days after the visit Gottesfeld turned up, although in a rather unusual place. He and his wife were found off the coast of Cuba in a small boat. They had issued a...

Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement
Feb18

OCR has announced it has arrived at a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule violations in 2012. Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. Potential HIPAA Privacy Rule violations were reported to OCR on August 8, 2012 and an investigation into the complaint was launched. OCR concluded its investigation on January 15, 2013. OCR found that a number of patients had had their protected health information posted online, yet valid, HIPAA-compliant prior authorizations had not been obtained in writing from the patients before names and full-face photographs were uploaded to the website. OCR determined this to be a clear violation of the Privacy Rule, with CPT found to have violated HIPAA by failing to reasonably...

Cybersecurity Companies Can Be Found Liable for Healthcare Data Breaches
Feb13

When a cybersecurity company is contracted to investigate a data breach, that company is expected to conduct a thorough investigation, ensure the breach is contained, and make sure backdoors are found and removed. However, what happens if a security company fails to deliver on its promise?

Cybersecurity Firm Sued for Failing to Remedy a Data Breach

Chicago-based cybersecurity firm Trustwave was sued late last year by a company that had contracted it to investigate and remedy a data breach. The lawsuit was filed for the company’s alleged failure to adequately investigate and remedy the breach, leaving the computer system open to a further attack. The lawsuit was filed by Affinity Gaming in the U.S. District Court in Nevada, with the lawsuit stating that Trustwave’s investigation and remediation efforts were “woefully inadequate.” The investigation into the suspected hacking of the company’s payment card system failed to prevent individuals from gaining access to payment system data two months later. According to the lawsuit, Trustwave had reported to Affinity Gaming that the breach...

Lincare Inc to Pay $239,800 CMP for HIPAA Violation
Feb03

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. The Privacy Rule violation – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge; the motion for summary judgment was granted and the decision to issue civil monetary penalties was sustained.

HIPAA Privacy Rule Violation Uncovered by OCR

Lincare Inc., doing business as United Medical, operates more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at its facilities and via medical services delivered in-home. A complaint was filed with OCR about a Lincare employee who left documents containing the PHI of 278 patients at one of the locations where medical services were provided. The investigation by OCR confirmed that PHI had...

Prime Healthcare Services Hit with Privacy Breach Lawsuit
Feb03

Prime Healthcare Services has been hit with a lawsuit for repeatedly violating the privacy of a former patient of the Shasta Regional Medical Center. The lawsuit was filed in the Shasta County Superior Court last month by Medicare patient Darlene Courtois, 64. The plaintiff claims that her confidential medical files were shared with 785 employees of the Shasta Regional Medical Center in 2011 without her authorization. The medical information was allegedly emailed to medical center employees by the CEO of the medical center in what is believed by Courtois to be an attempt to discredit a news story published by California Watch. The story covered the healthcare chain’s “unusual and lucrative billing practices.” Reporters from California Watch investigated the unusually high number of Kwashiorkor cases dealt with by the hospital in 2009 and 2010. Kwashiorkor is a relatively rare form of protein malnutrition. Each year, fewer than 20,000 individuals are diagnosed with the condition in the United States. Kwashiorkor is more commonly associated with areas hit by famine, and is associated...

Survey Indicates Law Firms are not Complying with HIPAA Rules
Feb02

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health insurers, and healthcare clearinghouses, and all covered entities are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. HIPAA also applies to vendors and other companies doing business with covered entities, which are classed as HIPAA Business Associates (BAs). If a BA is supplied with the Protected Health Information (PHI) of health plan members or patients, or its software or systems are capable of touching PHI/PII, that entity is also required to comply with HIPAA Rules.

Are Attorneys Classed as Business Associates of HIPAA-Covered Entities?

According to Legal Workspace, healthcare attorneys may fall under the classification of Business Associate, and as such, they must comply with HIPAA Rules. If a healthcare attorney is provided with healthcare data, it is necessary for that attorney – or his or her law firm – to ensure the necessary technical, administrative, and physical controls are implemented to protect PHI supplied by...

Snapchat Video Posting Gets Nursing Assistant Fired
Jan20

A nursing assistant from the Parkside Manor assisted-living facility in Kenosha, WI., has been fired for taking a video of a virtually naked 93-year-old Alzheimer’s patient and sharing the file on Snapchat. In recent months an unsavory trend has emerged involving nurses taking photographs and videos of elderly patients and sharing the files on social media networks. The images and videos show patients in various states of undress, performing degrading acts, or posing in compromising positions. An investigation conducted last year by ProPublica revealed the extent to which this is happening across the United States. Reporters discovered 35 separate cases had been reported, although numerous others have more than likely taken place. Snapchat was found to be the most popular site for image and video sharing, although it is far from the only social media network used for sharing degrading and demeaning images and videos of patients. The latest case involved a video of an Alzheimer’s patient who was recorded sitting on her bed wearing only a bra. Grace Riedlinger, 21, admitted taking...

New Oregon Breach Notification Law Comes Into Effect
Jan09

Organizations doing business in the state of Oregon must now comply with a new data breach law that came into effect on January 1, 2016. If a data breach is suffered that exposes the personal information of more than 250 state residents, a breach notice must be submitted to the Oregon Attorney General. On June 10 last year, Oregon Governor Kate Brown signed the new law (Oregon Revised Statutes 646A.604) updating the Oregon Consumer Identity Theft Protection Act of 2007. The amendment expanded the definition of “personal information” to include biometric data such as retina or iris images and fingerprints, as well as medical and health insurance information. Other data classed as personal information include Social Security numbers, government ID numbers, driver’s license numbers, and financial information including credit or debit card numbers in combination with any required security code, access code, or password. The exposure of any of those data elements along with a person’s full name, or last name and initial, requires a breach notice to be issued. Oregon is one of a few states...

Exposure of PHI Grounds to Sue for Damages, Rules Mass. Judge
Jan06

A data breach that exposes sensitive Protected Health Information may not necessarily result in patients coming to harm, or suffering an injury or loss. However, breach victims do face an elevated risk of suffering harm and losses. Many will even incur costs as a result of actions taken to reduce the risk of losses being suffered. It is not uncommon for data breach victims to attempt to recover damages from healthcare providers who have exposed their sensitive health data, but it is rare for those lawsuits to succeed or even be heard. In order to successfully sue a healthcare provider or health insurer for a data breach, the plaintiff must be able to produce evidence that losses have been suffered, or at the very least, that the data have actually been viewed by unauthorized individuals. However, a Mass. Superior Court judge has recently ruled that a plaintiff does actually have grounds to sue for damages, even if evidence of harm or loss cannot be produced. The exposure of PHI alone can be grounds to claim damages. The ruling came in the case of Walker et al v. Boston Medical Center...

California Patient Privacy Law Enforcement is Inconsistent
Jan04

Last week, California’s enforcement of data privacy rules was criticized after the Department of Public Health was found to be inconsistently enforcing state laws. Numerous healthcare organizations have committed serious privacy violations, yet have escaped fines. Two privacy bills were passed in California in 2008 in an effort to better protect the privacy of state residents. One of the aims was to make healthcare organizations more accountable when privacy violations occurred. The laws were introduced following a number of high profile privacy breaches involving hospital employees snooping on the medical records of celebrities (Britney Spears, Farrah Fawcett and Maria Shriver). Since the bills were passed, healthcare organizations in the state can receive heavy fines for privacy violations, although relatively few fines are issued.

California Patient Privacy Laws Being Violated with Few Consequences

The state of California has some of the strictest laws on data privacy in the country. While action is taken against healthcare organizations by the Department of Public Health when...

Pittsburgh Woman Arrested for $600K Medical Insurance Fraud
Dec23

A counselor from the Pittsburgh area has been arrested on suspicion of fraudulently billing over $600,000 for counseling services which were never provided to patients. The investigation was launched after the Pennsylvania Office of Attorney General’s Insurance Fraud Division received a tip-off from Highmark Blue Cross Blue Shield. Highmark claimed that Lisa A. Wally, 33, also known as Lisa A. Smith Wally, from McKeesport, PA, had inflated billings for services she provided to her clients, and billed the insurer for services that were never actually provided. Office of Attorney General investigators discovered Wally had billed for 9,746 office visits for 22 patients between 2011 and 2015. However, investigators only found evidence that 1,987 visits had occurred. In total, Wally had received $601,280 in payments for services that were allegedly provided at her offices in Uniontown, Fayette County, but no evidence could be produced to prove that those sessions had ever taken place. Wally was unable to produce any evidence that the sessions occurred as no patient records were kept...

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time
Jul30

For the first time, a HIPAA privacy complaint filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in federal criminal prosecution. A complaint was filed with OCR over an impermissible disclosure of a patient’s protected health information by a doctor. The doctor, Richard Alan Kaye of Suffolk, Va., was alleged to have shared PHI with the patient’s employer without consent from the patient – a violation of the HIPAA Privacy Rule. The case against Kaye has been referred to the Department of Justice, which has pressed charges. While OCR has referred more than 500 HIPAA violation cases in the past, this is the first time that an investigation of a privacy complaint has resulted in criminal prosecution. Kaye had previously worked at Sentara Obici Hospital in Suffolk, Va., as Medical Director of its Psychiatric Care Center. The patient had been enrolled in a mental health treatment program at the hospital and Kaye treated and subsequently discharged the patient. On discharge, Kaye stated that the patient was not a threat to the public....
