The HIPAA Journal legal news section contains details of the latest enforcement activities by the Department of Health and Human Services’ Office for Civil Rights, including settlements and civil monetary penalties, and legal actions taken against covered entities by state attorneys general.

You will also find brief details of class action lawsuits and other legal actions filed against covered entities for HIPAA violations, privacy violations, and data breaches, along with other legal news specifically relating to HIPAA or other legal matters of particular relevance to the healthcare industry.

Changes to HIPAA Rules are detailed in the HIPAA Updates category, although this section does include updates to state legislation, in particular any changes to breach notification and cybersecurity laws that are relevant to healthcare organizations.

Zoll Sues IT Vendor for 277,000-Record Server Migration Data Breach
Nov13

Zoll Sues IT Vendor for 277,000-Record Server Migration Data Breach

A lawsuit has been filed in the US District Court in Massachusetts by the medical device vendor Zoll which alleges its IT service vendor, Campbell, CA-based Barracuda Networks, was negligent for botching a server migration which resulted in the exposure of the protected health information of 277,139 patients. The breach in question involved archived emails that were being migrated to a new email archiving service. A configuration error resulted in the exposure of those emails for more than 2 months between November 8, 2018 and December 28, 2020. The configuration error was corrected, but Zoll was not informed about the breach until January 24, 2019. The breach investigation revealed the exposed emails contained patient information such as names, contact information, birth dates, medical information, and for certain patients, Social Security numbers. Zoll had contracted with a company called Apptix – now Fusion Connect – in 2012 and entered into a business associate agreement to provide hosted business communication solutions. Apptix then entered into a contract with a...

Read More
$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit
Nov09

$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit

A $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by a September 2019 ransomware attack on Ferguson Medical Group (FMG). FMG was acquired by Saint Francis after a cyberattack that rendered data, including electronic medical records, on FMG systems inaccessible. The decision was taken to restore the encrypted data from backups rather than pay the ransom, and while patient data and other files were recovered, it was not possible to recover all data encrypted in the attack. FMG was unable to restore a batch of data related to medical services provided to patients between September 20, 2018 and December 31, 2018 which has been permanently lost. FMG announced the incident impacted around 107,000 patients, and those individuals were offered complimentary membership to credit monitoring services. A class action lawsuit was filed against Saint Francis Healthcare in January 2020 in the U.S. District Court of Eastern Missouri which alleged negligence per se, breach of express and implied contracts, invasion of privacy, and violations of the...

Read More
Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules
Oct06

Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules

A healthcare worker who was accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules and patient privacy by sending photographs of patients to unauthorized individuals has been cleared of any wrongdoing, following an investigation by federal law enforcement. A former acquaintance of the healthcare worker was discovered to have concocted a scheme to frame his former acquaintance for fictitious HIPAA violations and is now facing a prison sentence for making false statements. Jeffrey Parker, 43, of Richmond Hill, GA, concocted an elaborate scheme to frame the former acquaintance for violations of patient privacy. In U. S. District Court in the Southern District of Georgia, Parker pled guilty to one count of false statements and admitted creating fake email addresses and concocting information in an effort to harm a former acquaintance. Parker portrayed himself as a whistleblower and contacted the U.S. Department of Justice (DOJ), Federal Bureau of Investigation (FBI) and the hospital where the healthcare worker was employed to make false allegations of...

Read More
Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties
Oct01

Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

The Indianapolis, IN-based health insurer Anthem Inc. has settled a multi-state investigation by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 43 states and Washington D.C for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million.  The settlements resolve violations of Federal and state laws that contributed to the data breach – the largest ever breach of healthcare data in the United States. The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. And was announced by Anthem in February 2015. A Chinese national and an unnamed...

Read More
Slew of Lawsuits Filed Over Recent Healthcare Data Breaches
Sep25

Slew of Lawsuits Filed Over Recent Healthcare Data Breaches

Individuals impacted by the recent data breaches at Blackbaud, Assured Imaging, and BJC Healthcare have taken legal action over the exposure and theft of their personal and protected health information. Multiple Lawsuits Filed Over Blackbaud Ransomware Attack The data breach at Blackbaud is one of the largest ever breaches of healthcare data to be reported. It is currently unclear exactly how many healthcare entities have been affected, as each affected entity is reporting the breach separately. As the deadline for reporting approaches, the extent of the breach is becoming clearer. Currently, at least 5 million individuals are known to have been affected and around 60 healthcare organizations have confirmed they have been impacted by the breach. As is now common in ransomware attacks, data were exfiltrated by the hackers prior to the use of ransomware. Blackbaud paid the ransom demand to obtain the keys to decrypt data and to ensure that all stolen data were permanently deleted. Blackbaud has received assurances that the stolen data have been deleted, but as a result of the breach,...

Read More
Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures
Sep23

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days. The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals. CHSPSC LLC is Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule. On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed...

Read More
Member of The Dark Overlord Hacking Group Sentenced to 5 Years in Jail
Sep23

Member of The Dark Overlord Hacking Group Sentenced to 5 Years in Jail

The U.S. Department of Justice has announced that a member of the notorious hacking group, The Dark Overlord, has been sentenced to 5 years in jail and has been ordered to pay $1.4 million in restitution. The Dark Overlord hacking group started targeting U.S. organizations in 2016. The hackers gained access to the networks of companies via brute force attacks on Remote Desktop Protocol, then stole data from victim companies and threatened to sell the stolen data on criminal marketplaces if the ransom demand was not paid. The hackers issued ransom demands of between $75,000 and $350,000 in Bitcoin and issued multiple threats if the ransom was not paid. In some instances, individuals in the victim companies received personal threats against them and their family members via the telephone, email, and text messages. Victims of The Dark Overlord included accounting firms, healthcare providers, and other companies. Healthcare provider victims included Farmington, MO-based Midwest Orthopedic Group, Swansea, IL-based Quest Records, Prosthetics & Orthotics Care in St. Louis, and Athens,...

Read More
Express Scripts HIPAA-Based Lawsuit Dismissed by Court of Appeals
Sep17

Express Scripts HIPAA-Based Lawsuit Dismissed by Court of Appeals

In 2019, a lawsuit was filed against Express Scripts by five independent pharmacies alleging improper use of patient data in violation of HIPAA. Express Scripts is the largest pharmacy benefits manager in the United States with its own retail pharmacies and pharmacy service. The five pharmacies were part of the Express Scripts network and were required to submit detailed claims to Express Scripts for processing and reimbursement before dispensing drugs. The pharmacies also needed to include information about the medications in their claims, along with the contact information of their customers. In the lawsuit, the pharmacies alleged that Express Scripts was in breach of contract and good-faith and fair-dealing covenants, and in violation of HIPAA and the HITECH Act. The pharmacies were required to provide Express Scripts with information about their customers, which it is alleged was then used to switch the customers to Express Script’s mail order service. The pharmacies alleged there was no need to supply that information to confirm coverage and for reimbursement. “The Pharmacies...

Read More
HealthAlliance Hospital and Ciox Health Facing Class Action Medical Records Lawsuit
Sep11

HealthAlliance Hospital and Ciox Health Facing Class Action Medical Records Lawsuit

A lawsuit has been filed against HealthAlliance Hospital and Ciox Health, its health record management vendor, for denying a widow from obtaining her deceased husband’s medical records. Sherry Russell, 62, from Woodstock NY, lost her husband of 42 years to lung cancer in October 2020. Mr. Russell visited HealthAlliance Hospital: Broadway Campus for a chest x-ray in March 2017 but lung cancer was not diagnosed. The cancer diagnosis came two years later when the tumor was 2 inches in diameter and it was too late to provide treatment. Mrs. Russell believes the radiologist failed to identify the tumor on the x-ray, resulting in a misdiagnosis. Had the tumor been found earlier, it is possible that treatment could have been provided in time to save her husband’s life. Mrs. Russell requested a copy of her husband’s medical records from HealthAlliance Hospital in order to obtain a copy of the chest x-ray report to support her malpractice lawsuit against the hospital over the failure to diagnose lung cancer; however, she has been unable to obtain a copy of the report. Under HIPAA, patients...

Read More
Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge
Sep09

Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge

A potential class action lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach has been dismissed by a Federal judge. The lawsuit was filed in June 2019 in response to an alleged violation of HIPAA Rules related to a data sharing partnership between the University of Chicago Medicine and Google. In 2017, the University of Chicago Medicine sent the de-identified data of patients to Google as part of an initiative to use medical records to improve predictive analysis of hospitalizations, and by doing so, improve the quality of patient care. The aim of the partnership was to use machine learning techniques to identify when a patient’s health is declining, to allow timely interventions to prevent hospitalization. The University of Chicago Medicine sent hundreds of thousands of patient records dating from 2009 to 2016 to Google. The data shared with Google was deidentified but contained physicians’ notes and time stamps of dates of service. The lawsuit was filed by Edelson PC on behalf of lead plaintiff, Matt Dinerstein,...

Read More
Konica Minolta Settles EHR False Claims Case for $500,000
Sep01

Konica Minolta Settles EHR False Claims Case for $500,000

Konica Minolta Healthcare Americas Inc. has agreed to pay a $500,000 financial penalty to settle a case against its former subsidiary, Viztek LLC, to resolve False Claims Act violations related to its electronic health record (EHR) product. The American Recovery and Reinvestment Act of 2009 established the Medicare & Medicaid EHR Incentive Programs to encourage healthcare providers to adopt a certified EHR. Healthcare providers that adopted a certified EHR were entitled to claim incentive payments to offset the cost purchasing the solution, provided they were able to demonstrate meaningful use of the EHR technology. Companies that developed and marketed EHR solutions were required to demonstrate that their products met the HHS-adopted criteria and obtain certification for their solutions. According to a Viztek whistleblower, a former product manager at the company, Viztek and Konica Minolta Healthcare had falsified testing results of the Viztek solution, EXA EHR, in 2015 and misrepresented the capabilities of the product. Konica Minolta acquired Viztek in October 2015 during...

Read More
Federal Judge Dismisses Heritage Valley Health System NotPetya Lawsuit Against Nuance Communications
Aug24

Federal Judge Dismisses Heritage Valley Health System NotPetya Lawsuit Against Nuance Communications

In 2019, Beaver, PA-based Heritage Valley Health System filed a lawsuit against its vendor Nuance Communications over its NotPetya malware attack in 2017. The lawsuit was recently dismissed by a federal judge for the US District Court of the Western District of Pennsylvania. The NotPetya attacks occurred a short time after the WannaCry ransomware attacks in 2017 and targeted the same vulnerability in Windows Server Message Block (SMB). NotPetya encrypted the master boot record of infected computers, rendering them unusable. The attacks occurred in June 2017, more than three months after Microsoft released a patch to fix the SMB vulnerability that was exploited in the attacks. The cyberattack on Nuance Communications saw 14,800 servers and 26,000 workstations encrypted by NotPetya. The extent of the damage meant 7,600 servers and 9,000 workstations needed to be replaced. Heritage Valley Health System was also affected by the attack, with the investigation revealing the malware had spread to the health system’s computer network via a trusted virtual private network (VPN) connection...

Read More
What is HIPAA Certification?
Aug03

What is HIPAA Certification?

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services. What is HIPAA Certification? Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors. Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services...

Read More
Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge
Jul23

Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a Federal judge due to a lack of standing. Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, although it was not possible to rule out a data breach with 100% certainty so notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised. A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services. Judge R. Austin Huffaker Jr. stated in his...

Read More
Two Chinese Nationals Indicted for 10-Year Hacking Campaign on U.S. Organizations and Government Agencies
Jul22

Two Chinese Nationals Indicted for 10-Year Hacking Campaign on U.S. Organizations and Government Agencies

Two Chinese nationals have been indicted by the U.S. Department of Justice (DOJ) for targeting and hacking US companies, government agencies, and others to steal sensitive information, including COVID-19 research data. The hackers are alleged to have been working under the direction of the Chinese government and also hacking organizations for personal financial gain. LI Xiaoyu, 34, and Dong Jiazhi, 33, were trained in computer application technologies and have been operating as state-backed hackers for more than 10 years. The DOJ said the hackers were operating on behalf of the China’s Ministry of State Security, the Guangdong State Security Department (GSSD), and other government agencies, as well as conducting their own attacks. The hackers have been accused of stealing more than a terabyte of intellectual property estimated to be worth hundreds of millions of dollars. The hackers were prolific and conducted sophisticated hacks on companies and organizations in the United States, Australia, Belgium, Germany, Japan, Lithuania, Spain, the Netherlands, South Korea, Sweden, and the...

Read More
Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack
Jul07

Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack

It is becoming increasingly common for healthcare organizations to face legal action after experiencing a ransomware attack in which patient data is stolen. The Florida Orthopedic Institute, one of the largest orthopedic providers in the state, is one of the latest healthcare providers to face a class action lawsuit over a ransomware attack. The ransomware attack was detected on April 9, 2020 when staff were prevented from accessing computer systems and data due to the encryption of files. A third-party computer forensics firm was engaged to assist with the investigation and determined on May 6, 2020 that the attackers may have accessed and exfiltrated patient data. A range of sensitive data was potentially compromised including names, dates of birth, Social Security numbers, and health insurance information. Affected patients were notified about the breach on or around June 19, 2020 and were offered complimentary identity theft and credit monitoring services for 12 months. At the time of issuing notifications, no evidence had been found to suggest patient data had been misused....

Read More
The California Consumer Privacy Act is Now Being Enforced
Jul02

The California Consumer Privacy Act is Now Being Enforced

On July 1, 2020, enforcement of the California Consumer Privacy Act (CCPA) of 2018 began. The CCPA took effect on January 1, 2020 and all companies covered by the Act were given a 6 month grace period before compliance with the CCPA would be enforced, although compliance with the provisions of the Act have been mandatory since January 1, 2020. The grace period has now elapsed. California Attorney General Xavier Bercerra confirmed there will be no delay to enforcement, even though dozens of requests were made by companies and trade associations asking for the grace period to be extended for a further 6 months due to the 2019 Novel Coronavirus pandemic. The requests were acknowledged but no extension was given. “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” said Attorney General Bercerra in a statement to Forbes. “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security...

Read More
$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit
Jul02

$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data. The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court. The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the virus that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months. A ransom demand of $1 million was demanded by the attackers for the keys to decrypt the data. Gray’s Harbor had an insurance policy that provided cover of up to...

Read More
UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit
Jun30

UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed. The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees of its Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018. The second phishing attach was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018.  The attackers had access to the email accounts for almost a month...

Read More
NY District Court Kicks Data Breach Lawsuit Against Episcopal Health Services Back to State Court
Jun23

NY District Court Kicks Data Breach Lawsuit Against Episcopal Health Services Back to State Court

A lawsuit filed by patients of Uniondale, N.Y-based Episcopal Health Services Inc., whose personal and protected health information was compromised in a phishing attack in 2018, has been kicked back to the New York State Supreme Court for further proceedings. The lawsuit alleges Episcopal Health Services had failed to protect the private information of its patients from unauthorized disclosures. As a result of those failures, Episcopal Health Services suffered a breach of some of its employee email accounts between August 28, 2018 and October 5, 2018. The email accounts contained a range of sensitive data including patients’ names, addresses, dates of birth, Social Security numbers, and financial information. The PHI of more than 218,000 patients was exposed in the email system breach. The lawsuit named three plaintiffs who were patients of St. John’s Episcopal Hospital. They claimed injuries had been suffered as a direct result of the disclosure of their confidential information. The lawsuit referenced the Health Insurance Portability and Accountability Act (HIPAA) and the...

Read More
Hacker Arrested and Charged Over 2014 UPMC Cyberattack
Jun22

Hacker Arrested and Charged Over 2014 UPMC Cyberattack

The United States Attorney’s Office of the Western District of Pennsylvania has announced a suspect has been arrested and charged over the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC). UPMC owns 40 hospitals around 700 outpatient sites and doctors’ offices and employs over 90,000 individuals. In January 2014, UPMC discovered a hacker had gained access to a human resources server Oracle PeopleSoft database that contained the personally identifiable information (PII) of 65,000 UPMC employees. Data was stolen in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers. The suspect has been named as Justin Sean Johnson, a 29-year old man from Michigan who previously worked as an IT specialist at the Federal Emergency Management Agency. Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts on May 20, 2020: One count of conspiracy, 37 counts of wire fraud, and 5 counts aggravated identity...

Read More
New York Accounting Firm Facing Class Action Lawsuit Over Maze Ransomware Attack
Jun12

New York Accounting Firm Facing Class Action Lawsuit Over Maze Ransomware Attack

Patients whose protected health information was stolen in a manual ransomware attack on the New York accounting firm BST & Co. CPAs LLC in late 2019 have taken legal action against the company. The lawsuit alleges BST & Co. was negligent for failing to take appropriate and reasonable steps to prevent the attack and did not provide a prompt an accurate notice to affected patients. The lawsuit also alleges the company breached its fiduciary duty to protect sensitive patient information and violated state laws related to deceptive business practices. The ransomware attack was discovered by BST on December 7, 2019. The attack involved Maze ransomware and, prior to file encryption, the gang exfiltrated a range of data from the company and threatened to publish the data if the ransom was not paid. The gang then follow through with the threat and published sensitive data on its website when payment was not made. According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, the PHI of 170,000 individuals was potentially...

Read More
Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack
Jun04

Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year. Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks. Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to...

Read More
New Washington D.C. Data Breach Notification Law Takes Effect
May29

New Washington D.C. Data Breach Notification Law Takes Effect

On May 19, 2020, legislative changes to the Washington D.C. data breach notification law took effect. The changes were introduced in March and significantly updated existing breach notification requirements. There has been a major expansion of data classified as personal information that warrants breach notifications if subjected to unauthorized access and new data security requirements have been introduced. Prior to the change, notifications were required if personal information such as names, phone numbers, and addresses were exposed in combination with a Social Security number, driver’s license number, DC ID card, or credit/debit  card number or if numbers and codes were breached that allowed credit or finance accounts to be accessed. The change has seen several other data elements added to the list. Breach notifications are now required if any of the following data is breached, even in the absence of a name if the data could be used for identity theft: Medical information Health insurance information Genetic data and DNA profiles Biometric information Passport numbers Usernames...

Read More
Indiana Court of Appeals Reinstates Respondeat Superior Claim in HIPAA Breach Lawsuit
May21

Indiana Court of Appeals Reinstates Respondeat Superior Claim in HIPAA Breach Lawsuit

A patient who sued Parkview Health System Inc. after a medical assistant accessed her medical records and shared sensitive information with another individual has had her respondeat superior claim reinstated by the Indiana Court of Appeals. Haley SoderVick sued Parkview Health System after she was notified that a medical assistant had accessed her medical records and disclosed the information to her then husband. The medical assistant’s husband had posted a picture on Facebook that was liked by SoderVick, which prompted the disclosure. SoderVick had visited Parkview Health in October 2017 and underwent a medical examination in the OB/GYN department. While she was there, her medical records were accessed by the medical assistant, Alexi Christian. Christian texted her husband information about SoderVick, stating she was a patient at the facility, disclosed a potential diagnosis, and told her husband SoderVick was a dispatcher. She also told her husband that SoderVick was HIV-positive and had had more than 50 sexual partners, although both claims were false and that information had...

Read More
Legal Action Taken Against Lurie Children’s Hospital of Chicago Over Two Recent Data Breaches
May19

Legal Action Taken Against Lurie Children’s Hospital of Chicago Over Two Recent Data Breaches

Lurie Children’s Hospital of Chicago is facing legal action over two privacy breaches involving employees accessing the medical records of patients without consent. The lawsuit was filed on behalf of a mother and her 4-year-old child. On December 24, 2019, Lurie Children’s Hospital notified the mother that her daughter’s medical records had been accessed by a nursing assistant at the hospital when there was no legitimate work purpose for doing so. The employee had been discovered to be viewing patient records without authorization between September 10, 2018 and September 22, 2019. On May 4, 2020, the mother received a second letter explaining that her daughter’s medical records had been accessed without authorization by a different employee. In this case, the employee was discovered to have accessed patient records with no work reason for doing so between November 1, 2018 and February 29, 2020. In early 2019, the mother took her then 3-year-old child to the hospital for an examination as she had suspicious that her daughter may have been sexually abused. The mother sought legal...

Read More
Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches
May01

Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months. LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach. A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data. Raymond Eugenio holds shares in LabCorp which lost value as a...

Read More
$8.9 Million Banner Health Data Breach Settlement Gets Final Approval
Apr27

$8.9 Million Banner Health Data Breach Settlement Gets Final Approval

A settlement proposed by Banner Health to resolve a class action lawsuit filed on behalf of victims of its 3.7 million-record data breach in 2016 has received final approval from a Federal judge. The $8.9 million settlement was proposed in December 2019 to cover claims from victims of the breach and legal fees. Banner Health has also agreed to invest money to improve its cybersecurity defenses to prevent data breaches in the future. The Arizona-based health system was attacked by hackers via the payment processing system used in the food and beverage outlets in its hospitals. The system was connected to servers used to store the protected health information of patients. The hackers were able to access and steal a large quantity of highly sensitive patient data, including demographic information, Social Security numbers, health insurance information, and claims data from current and former Banner Health patients. The food and beverage system contained the credit and debit card numbers of around 30,000 customers. The data breach was the largest to be reported by a healthcare...

Read More
Tandem Diabetes Care Facing Class Action Lawsuit over January 2020 Phishing Attack
Apr17

Tandem Diabetes Care Facing Class Action Lawsuit over January 2020 Phishing Attack

The San Diego medical device manufacturer, Tandem Diabetes Care Inc., is facing a class action lawsuit in California over a January 2020 data breach that resulted in the exposure and possible theft of the protected health information of more than 140,000 individuals. The breach was the result of a phishing attack that gave unauthorized individuals access to the email account of an employee between January 17 and January 20, 2020. The information in the email account varied from patient to patient but included a range of private and confidential information including names, dates of birth, insurance information, billing information, healthcare data, and Social Security numbers. The incident was reported to the HHS’ Office for Civil Rights on March 17, 2020 as affecting 140,781 individuals. Notification letters started to be sent to those individuals the same day. The lawsuit was filed in the United States District Court in the Southern District of California and alleges violations of the Confidentiality of Medical Information Act (CMIA). The plaintiff and class members seek damages...

Read More
Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers
Apr13

Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers

The McHenry County Health Department in Illinois has been refusing to provide the names of COVID-19 patients to 911 dispatchers to protect the privacy of patients, as is the case with patients that have contracted other infectious diseases such as HIV and hepatitis. The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule permits disclosures of PHI to law enforcement officers, paramedics, and 911 dispatchers under certain circumstances, which was clarified by the HHS’ Office for Civil Rights in a March 24, 2020 guidance document, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities. In the document, OCR explained that “HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).” OCR also explained that “disclosing PHI such as patient names to first responders is...

Read More
$1 Million Settlement Agreed to Resolve American HomePatient Data Breach Lawsuit
Mar30

$1 Million Settlement Agreed to Resolve American HomePatient Data Breach Lawsuit

A $1 million settlement proposed by American HomePatient to resolve a class action lawsuit filed on behalf of victims of a 2017 data breach has received preliminary approval. The data breach that was the subject of the lawsuit occurred on January 6, 2017. The offices of American HomePatient in Delaware were burgled, and thieves stole several computers. The hard drives were not encrypted and contained sensitive information such as names, addresses, dates of birth, Social Security numbers, AHOM account information, financial information, diagnosis codes, and treatment information of 13,000 current and former patients and customers of American HomePatient and Lincare Holdings Inc. Following the breach, a class action lawsuit was filed on behalf of victims of the breach who claimed American HomePatient was negligent for failing to encrypt sensitive data and, that by failing to do so, the thieves had easy access to their sensitive information. The lawsuit also alleged invasion of privacy, breach of implied contract, negligence per se, unjust enrichment, breach of fiduciary duty, and a...

Read More
Law Firm Files Class Action Lawsuit After Being Charged Excessive Fees for Copy of Patient’s Medical Records
Mar18

Law Firm Files Class Action Lawsuit After Being Charged Excessive Fees for Copy of Patient’s Medical Records

A law firm is taking legal action against the healthcare release-of-information solution provider, Medical Records Online (MRO), for alleged overcharging for providing electronic copies of patients’ medical records. The lawsuit was filed by Cipriani & Werner of Pittsburgh in federal court in Camden, NJ. The lawsuit relates to MRO charges for providing a copy of a patient’s medical records for a personal injury case against the retailer Kohl’s, which the law firm represents. Cipriani & Werner obtained the medical records of the plaintiff in the suit from John F. Kennedy Medical Center, in Edison, NJ, and was charged $528 by MRO for 518 pages of the plaintiff’s medical records. The law firm was charged a $10 search fee and $1 per page, even though the records were provided electronically as a PDF file. Cipriani & Werner alleges MRO violated the New Jersey Declaratory Judgement Act by charging unlawful fees well in excess of the maximum limit. A claim was also made under the New Jersey Consumer Fraud Act for unconscionable commercial practices, and for a breach of New...

Read More
Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval
Mar04

Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval

A federal judge has given final approval of a settlement to resolve a class action lawsuit filed against the New Jersey-based medical laboratory company, Quest Diagnostics Inc., over its 2016 data breach. The $195,000 settlement provides up to $325 compensation for each breach victim. On November 26, 2016 hackers gained access to the Care360 MyQuest mobile app that is used by patients to store and share their electronic test results and make appointments. The health app contained names, dates of birth, telephone numbers, and lab test results which, for some patients, included their HIV test results. 34,000 patients were affected by the breach. A class action lawsuit was filed on behalf of patients affected by the breach in 2017. The lawsuit alleged Quest Diagnostics had been negligent and failed to protect the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that...

Read More
UW Medicine Faces Class Action Lawsuit Over 974,000-Record Data Breach
Feb24

UW Medicine Faces Class Action Lawsuit Over 974,000-Record Data Breach

Several lawsuits filed against healthcare organizations over data breaches in recent weeks, with University of Washington Medicine the latest to face legal action for exposing the protected health information of patients. The lawsuit has been filed over a December 2018 data breach that saw the personal information of 974,000 patients exposed over the internet as a result of a misconfigured server. The misconfigured server contained an accounting of disclosures database that included patient names, medical record numbers, a list of parties who had been provided with patient data, and the reason why that information was disclosed. Some individuals also had information exposed relating to a research study they were enrolled in, their health condition, and the name of a lab test that had been performed. For certain patients, sensitive information was exposed. According to the lawsuit, that included a patient’s HIV test-taking history and, in some cases, the patient’s HIV status. Social Security numbers, financial information, health insurance information, and medical records were not...

Read More
Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts
Feb21

Criminal HIPAA Violation Case Sees Healthcare Worker Arraigned on 430 Counts

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle. A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes. Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health. According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any...

Read More
Hackensack Meridian Health Faces Class-Action Lawsuit Over December Ransomware Attack
Feb19

Hackensack Meridian Health Faces Class-Action Lawsuit Over December Ransomware Attack

A lawsuit has been filed against the New Jersey Healthcare provider, Hackensack Meridian Health, over a December 2, 2019 ransomware attack that affected all 17 of its hospitals. The ransomware attack temporarily disrupted medical services while its systems were offline and access to medical records was prevented. Systems remained down for several days while data was recovered, and systems were restored. Medical services continued to be provided with staff reverting to pen and paper to record patient information. However, some non-emergent medical procedures had to be cancelled. Prompt action was taken to secure its systems and recover data and physicians, nurses, and clinical teams worked round the clock to ensure patient safety was maintained during the attack and recovery process. In order to restore systems in the fastest possible timeframe and prevent ongoing disruption to medical services, the decision was taken to pay the ransom. Hackensack Meridian Health had a comprehensive insurance policy in place, which helped cover the cost of the ransom payment, and its remediation and...

Read More
Florida Clinic Worker Facing 22 Years in Jail for Wire Fraud and Aggravated Identity Theft
Feb05

Florida Clinic Worker Facing 22 Years in Jail for Wire Fraud and Aggravated Identity Theft

A former medical clinic worker in Florida who impermissibly accessed the protected health information of patients and sold the information to identity thieves has pleaded guilty to wire fraud and aggravated identity theft. Stacey Lavette Hendricks, 49, of Leesburg, FL, had previously been employed as an administrative worker at several state medical clinics in Florida. Her role gave her access to the protected health information of patients. Hendrinks used her access to steal patient information from the unnamed medical clinics, including names, dates of birth, and Social Security numbers. That information was sold to identity thieves for cash and was also used to defraud businesses. The United States Secret Service investigated the case. Hendricks was apprehended after she attempted to sell stolen patient information to an undercover law enforcement officer. A warrant was obtained to search her home and car and law enforcement officers found patient information stolen from the clinics related to 113 different patients. Hendricks was charged in the United States District Court for...

Read More
Georgia Man Charged Over False Allegations of HIPAA Violations
Jan13

Georgia Man Charged Over False Allegations of HIPAA Violations

A Georgia man has been charged over an elaborate scheme to frame an acquaintance for violations of the Health Insurance Portability and Accountability Act (HIPAA) that never occurred. Jeffrey Parker, 43, of Richmond Hill, GA, claimed he was a whistleblower reporting HIPAA violations by a nurse. He reported the violations to the hospital where the person worked, and complaints also sent to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI). Parker was also interviewed by Fox28Media in October 2018 and told reporters that the nurse had been violating HIPAA privacy laws for an extensive period. The nurse worked at an unnamed hospital in Savannah, GA, which was part of a health system that also operated healthcare facilities in Nashville, TN and other areas. She was alleged to have emailed graphic photographs of patients with traumatic injuries such as gunshot wounds to other individuals outside the hospital. In the Fox28Media interview Parker explained that the sharing of images between employees and other individuals had been going on for a long time....

Read More
Second Lawsuit Filed Against Kalispell Regional Healthcare Over Phishing Attack
Jan03

Second Lawsuit Filed Against Kalispell Regional Healthcare Over Phishing Attack

A second lawsuit has been filed against Kalispell Regional Healthcare in Montana over a May 2019 phishing attack that saw the email accounts of some of its employees accessed by cybercriminals. Kalispell Regional Healthcare learned about the breach on August 28, 2019. The investigation revealed the hackers gained access to employee email accounts on May 24, 2019 and potentially accessed patient information. A forensic investigation revealed the accounts contained the protected health information of as many as 140,209 patients. According to Kalispell Regional Healthcare’s substitute breach notification on its website, the following information was compromised in the breach: Names, addresses, email addresses, telephone numbers, dates of service, treatment information, health insurance information, treating and referring physicians’ names, and medical bill account numbers. Kalispell Regional Healthcare said 250 or fewer patients had their Social Security number exposed. Patients affected by the breach were offered complimentary credit monitoring and identity theft protection services...

Read More
Georgia Supreme Court Overturns Ruling on Athens Orthopedic Clinic Data Breach Lawsuit
Dec27

Georgia Supreme Court Overturns Ruling on Athens Orthopedic Clinic Data Breach Lawsuit

A lawsuit filed against Athens Orthopedic Clinic over a June 2016 cyberattack by TheDarkOverlord has been revived by the Georgia Supreme Court. The cyberattack in question involved the theft of patient data from the clinic. A ransom demand was issued and the hacking group claimed the data would be returned if the ransom was paid.  The clinic refused to pay the ransom and, in response, the hacking group claimed to have sold some of the data. Later, the hacking group published a portions of the stolen data on Pastebin, where it was downloaded by others. Three victims of the data breach, Christine Collins, Paulette Moreland, and Kathryn Strickland, alleged that since their personal data had fallen into the hands of cybercriminals, was offered for sale on the dark net, and had been downloaded by some individuals, they were placed at risk of identity theft and other types of fraud.  One of the plaintiffs, Christine Collins, alleged there were fraudulent charges made to her credit card shortly after the cyberattack and that she had to spend time getting those charges reversed. She also...

Read More
Lawsuit Filed Against DCH Health System Over October Ransomware Attack
Dec26

Lawsuit Filed Against DCH Health System Over October Ransomware Attack

A lawsuit has been filed in the Western Division of U.S. District Court for the Northern District of Alabama against DCH Health System over a ransomware attack on October 1, 2019. The ransomware attack on the 3-hospital health system forced it to take its systems offline for a period of 10 days while systems were rebuilt and data was recovered. During that time, some non-emergency appointments had to be cancelled and patients experienced delays receiving treatment and, in some cases, had to seek medical services from other medical facilities in the state. It is the delay to treatment that has spurred the lawsuit. Four patients are named in the lawsuit and allege they have suffered harm as a result of the shutdown of its systems, which disrupted their daily lives and forced them to forego medical care and treatment or seek care and treatment from alternative facilities during the ten days when DCH Health System’s systems were offline. One of the plaintiffs, who filed on behalf of her daughter, was told that the ransomware attack was causing delays in the emergency room and that she...

Read More
Banner Health Agrees to Pay $6 Million to Settle Data Breach Lawsuit
Dec10

Banner Health Agrees to Pay $6 Million to Settle Data Breach Lawsuit

In June 2016, Banner Health suffered a data breach in which the protected health information of 2.9 million individuals was allegedly stolen by hackers. In August 2016, a class action lawsuit was filed by victims of the breach. A settlement has now been reached and Banner Health has agreed to pay $6 million to breach victims to resolve the lawsuit, according to documents filed in the U.S. District Court of Arizona on December 5, 2019. Plaintiffs alleged that the attack was financially motivated, and hackers gained access to systems containing patient information and exfiltrated the protected health information of approximately 2.9 million. The types of information stolen by the hackers included names, addresses, dates of birth, Social Security numbers, prescription information, medical histories and, for around 30,000 individuals, credit and debit card numbers. Individuals whose credit and debit card numbers were stolen had visited food and beverage outlets at Banner Health hospitals. Malware had been installed which exfiltrated card numbers when purchases were made. The hackers...

Read More
Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach
Dec05

Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach

Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients. The compromised email accounts contained patient information such as names, contact information, medical bill account numbers, medical histories, and health insurance information. Approximately 250 individuals also had their Social Security number exposed. The phishing attack occurred in May 2019, but it was not initially clear which, if any, patients had been affected. It took until August for forensic investigators to determine that patient information had potentially been compromised. All affected patients were notified, and the health system offered 12 months of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been compromised. One of the patients whose personal and health information was compromised, William Henderson, has now taken legal action over the data breach. The lawsuit was filed in Cascade...

Read More
Solara Medical Supplies Sued Over 114,000-Record Data Breach
Dec04

Solara Medical Supplies Sued Over 114,000-Record Data Breach

Solara Medical Supplies is facing legal action over a June 2019 data breach that saw the protected health information of more than 114,000 customers exposed and potentially stolen by an unauthorized individual who gained access to its email system. Solara Medical Supplies, a supplier of medical devices and disposable medical products, discovered the breach on June 28, 2019. While initially believed to involve one email account, an investigation revealed several Office 365 email accounts had been compromised for a period of around 6 weeks, starting on April 2, 2019. The types of information exposed as a result of the attack included names, addresses, birth dates, employee ID numbers, Social Security numbers, health insurance information, financial information, credit card/debit card numbers, passport details, state ID numbers, driver’s license numbers, password/PIN or account login information, claims data, billing information, and Medicare/Medicaid IDs. Customers affected by the breach were notified in November and were offered complimentary credit monitoring and identity theft...

Read More
Exposure to Extreme Content at Work Sees Former Facebook Employees Sue for Psychological Injuries
Dec04

Exposure to Extreme Content at Work Sees Former Facebook Employees Sue for Psychological Injuries

Compensation is being sought by former Facebook content moderators who claim to have suffered psychological injuries as a direct result of the exposure to extreme online content at work. Several employees have started legal action against Facebook, first in California and now in Ireland, where Facebook has its EMEA headquarters. In September 2019, the Personal Injuries Assessment Board in Ireland gave the go-ahead for former employees to take their case against Facebook to the High Court. The legal action started on December 4, 2019 against Facebook and CPL Resources, one of the third-party companies Facebook uses to provide its content moderators. Former Facebook content moderator Chris Gray is named as lead plaintiff. Facebook content moderators perform a vital job for the social media platform. The job involves viewing content that had been posted by Facebook users and determining whether the content should remain on the social network or be filtered out or deleted. Without their efforts, the social media platform would be awash with extreme content. According to Facebook’s...

Read More
Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge
Oct30

Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge

Following a November 2016 cyberattack at Quest Diagnostics that resulted in an unauthorized individual accessing and stealing the personal information and medical test results of 34,000 individuals, a class action lawsuit was filed by the breach victims. Quest Diagnostics proposed a $195,000 settlement to resolve the case. The settlement has recently been approved by a New Jersey district court judge. The types of information obtained by the hacker included names, phone numbers, dates of birth, and the results of medical tests, including HIV test results. The lawsuit alleged Quest Diagnostics had violated New Jersey laws and had been negligent for failing to safeguard the sensitive health information of its clients, Quest Diagnostics had breached its contract with clients, and that the company failed to provide timely notifications to patients informing them about the hacking incident and theft of their data. Quest Diagnostics maintains the claims are meritless, but the decision was taken to settle the lawsuit to avoid ongoing litigation and further legal costs. Under the terms of...

Read More
California Amends CCPA and Expands Definition of Personal Information Warranting Data Breach Notifications
Oct15

California Amends CCPA and Expands Definition of Personal Information Warranting Data Breach Notifications

California Governor Gov. Gavin Newsom has signed a new bill that updates data breach notification law in California, expanding the definition of personal information requiring notifications in the event of a breach. Prior to the update, notifications were required if state residents had their Social Security number, driver’s license number, health information, financial information, or username/passwords compromised. The update means that entities that experience a breach that involves passport numbers, tax ID numbers, military ID numbers, other unique government ID numbers, or biometric information will also need to be notified of a data breach. The law applies to data breaches where personal information has been obtained by an unauthorized person or is reasonably believed to have been obtained by an unauthorized individual. The bill – AB-1130 – was introduced by California Assemblyman Marc Levine (D) and was co-sponsored by California Attorney General Xavier Bercerra. Governor Newsom signed the bill into law on October 11 and the bill will take effect on January 1, 2020....

Read More
New Data Breach Notification Requirements in Maryland for Health Insurers
Sep25

New Data Breach Notification Requirements in Maryland for Health Insurers

From October 1, 2019, providers of health insurance and associated services are required to notify the Maryland Insurance Administration (MIA) in the event of a breach of insureds’ personal information. The law change applies to health plans, health insurers, HMOs, managed care organizations, managed general agents and third-party health insurance administrators. The Compliance & Enforcement Unit at the MIA must be notified if the breach investigation determines there is a risk that insureds’ personal information has been or is likely to be misused. Personal information is defined as an individuals’ first name or first initial and last name in combination with one or more of the following data elements, if those data elements are not encrypted, redacted, or otherwise unreadable: Social Security number, Individual Taxpayer Identification Number, passport number, other federal ID number, driver’s license number, State identification card number, health information, biometric data, or health insurance policy/certificate number, health insurance subscriber identification...

Read More
UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit
Sep02

UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data. Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of information with third parties such as technology companies, provided consent is obtained from patients prior to information being shared. Alternatively, healthcare organizations can share patient information provided it is de-identified. Under HIPAA, that means removing 18 identifiers to ensure patients cannot be identified. HIPAA calls for one of two methods to be used to de-identify PHI: Expert determination or the safe harbor method. The latter involves stripping PHI of all 18 identifiers, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is...

Read More
Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages
Aug28

Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages

A class action lawsuit filed by victims of a June 2016 cyberattack on Athens Orthopedic in Georgia has gone before the Georgia Supreme Court to determine whether breach victims are entitled to recover damages. The cyberattack in question saw the personal information, Social Security numbers, and health insurance information of approximately 200,000 individuals stolen by the hacking group, Dark Overlord. The Dark Overlord has conducted numerous attacks on healthcare organizations in the United States over the past three years. Initially, attacks were conducted to steal sensitive data, which was subsequently sold on dark web marketplaces. More recently, attacks have involved data theft and extortion. A ransom demand is issued to breached entities that must be paid in order to prevent publication of the stolen data.  Athens Orthopedic did not pay the ransom demand. The Dark Overlord gained access to Athens Orthopedic’s systems via an attack on a “nationally-known health care information management contractor,” the login credentials of which were used to steal patient data. Athens...

Read More
MU Health Patients Take Legal Action Over May 2019 Phishing Attack
Aug13

MU Health Patients Take Legal Action Over May 2019 Phishing Attack

A lawsuit has been filed against University of Missouri Health Care (MU Health) over an April 2019 phishing attack. On May 1, 2019, MU Health learned that two staff email accounts had been compromised for a period of more than one week, starting on April 23, 2019. The email accounts contained a range of sensitive information including names, dates of birth, Social Security numbers, health insurance information, clinical and treatment information. MU Health’s investigation concluded on July 27 and notification letters were sent to individuals whose protected health information (PHI) had been exposed and potentially stolen. Approximately 14,400 patients had been impacted by the breach. The lawsuit was filed by MU Health patient Penny Houston around a week after the notifications were issued. The lawsuit states that, as a result of the breach, patients have been placed at an elevated risk of suffering identity theft and fraud. The types of data contained in the compromised accounts would allow criminals to steal identities, file fraudulent tax returns, and open financial accounts in...

Read More
Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case
Aug12

Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case

A preliminary settlement has been proposed by Allscripts Healthcare Solutions to resolve alleged violations of HIPAA, the HITECH Act’s electronic health record (EHR) incentive program, and the Anti-Kickback Statute related to the electronic health record (EHR) company Practice Fusion, which was acquired by Allscripts in 2018. Prior to the acquisition, Practice Fusion has been investigated by the Attorney’s Office for the District of Vermont in March 2017 and had provided documentation and information. Between April 2018 and January 2019, the company received further requests for documents and information through civil investigative demands and HIPAA subpoenas. Then in March 2019, the company received a grand jury subpoena over a Department of Justice (DOJ) investigation into the business practices of Practice Fusion, potential violations of the Anti-Kickback Statute, HIPAA, and the payments received under the HHS EHR incentive program. Scant information has been released about the nature of the alleged violations by Practice Fusion. The proposed settlement will see Allscripts pay...

Read More
UnityPoint Health Data Breach Lawsuit Partially Dismissed by Federal Judge
Aug09

UnityPoint Health Data Breach Lawsuit Partially Dismissed by Federal Judge

A class-action data breach lawsuit filed against UnityPoint Health has been partially dismissed by the US District Court for the Western District of Wisconsin. The lawsuit stems from a phishing attack on UnityPoint Health in February 2018. As a result of employees falling for phishing emails, the attackers were able to gain access to email accounts containing the protected health information (PHI) of 16,429 patients. The investigation into the breach showed access to patient data was first gained on November 1, 2017 and further email accounts were compromised up to February 7, 2018. The types of PHI in the compromised email accounts included names, contact information, diagnoses, medications, lab test results, and surgical information. Some patients also had their driver’s license number and/or Social Security number exposed. One month after the data breach was announced, four patients filed a lawsuit against UnityPoint Health claiming the company had mishandled the breach. The lawsuit also alleged UnityPoint Health had unnecessarily delayed the issuing of breach notification...

Read More
Judge Approves $74 Million Premera Blue Cross Data Breach Settlement
Aug05

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records. US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation. The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years. Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that...

Read More
New York Governor Signs SHIELD Act into Law
Jul30

New York Governor Signs SHIELD Act into Law

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act has been signed into state law by New York Governor Andrew M. Cuomo. The Act improves privacy protections for state residents and strengthens New York’s data breach notification laws to ensure they maintain pace with current technology. The SHIELD Act – S5575B/A5635B – was signed into law on July 25, 2019 and takes effect in 240 days. The Act makes several changes to existing state privacy and data breach notification laws: The definition of covered entities has been broadened to include any person or entity that holds the private information of a New York State resident, irrespective of whether that person or entity does business in New York State. All businesses must “develop, implement and maintain reasonable safeguards” to ensure the confidentiality, integrity, and availability of personal information. Those measures should reflect the size of the business. The SHIELD Act includes a list of factors considered to be ‘reasonable security protections’. A written information security program must be developed...

Read More
Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case
Jul23

Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case

Equifax has agreed to settle its federal data breach case for a minimum of $575 million. The settlement will potentially rise to $700 million and also requires considerable improvements to be made to enhance security and better protect consumer data. In 2017, Equifax experienced a colossal data breach in which the personal data of 147 million Americans was compromised. Names, dates of birth, addresses, and Social Security numbers were potentially stolen in the attack and the breach victims now have to face an elevated risk of suffering identity theft and fraud. Equifax announced the breach in September 2017. In the two years that followed, Equifax has been called before Congress on multiple occasions to explain how the breach occurred and how the response was being handled. Regulators also investigated Equifax to determine whether reasonable and appropriate security measures had been implemented to protect the vast amounts of consumer data that was stored on its network. The Federal Trade Commission (FTC) determined there had been security failures at Equifax that left the door...

Read More
Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine
Jul22

Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine

The GDPR data protection authority in the Netherlands –  Authoriteit Persoonsgegevens – has issued its first GDPR data breach fine. Haga Hospital in the Hague has been fined $460,000 ($516,000) for security failures that contributed to a privacy breach in 2018. The EU’s General Data Protection Regulation requires all entities that collect or process the personal data of EU citizens to implement appropriate security measures to ensure that information remains private and confidential. In the event of a data breach, the appropriate data protection authority must be notified within 72 hours and the breach will be investigated. In this case, the breach involved a single patient’s records – a well-known Dutch person. Those records were viewed, without authorization, by several employees at the hospital. The Dutch News website named the patient as Samantha de Jong, also known as ‘Barbie’. The GDPR investigation revealed the hospital had poor internal security controls for patient records, had failed to implement two-factor authentication, and was not regularly reviewing...

Read More
Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules
Jul19

Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules

New rules for hospitals have been implemented in Idaho that give patients new rights. The rules were implemented by the Idaho Department of Health and Welfare (IDHW) and are effective from July 1, 2019. The new rules were suggested by patient advocacy groups and “incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals,” according to IDHW. The policies align with the MyHealthEData initiative, which was launched in 2018 with the aim of removing the barriers to secure access to electronic medical records. Under previous state law, critical access hospitals (CAHs) were not required to comply with many of the regulatory conditions that applied to other healthcare providers. The new rules change that, which will mean new policies and procedures will need to be implemented by CAHs. That will come with a considerable administrative burden. The new rules apply to all hospitals in Idaho as well as any provider that renders services in hospitals. All hospitals and providers have been advised to check their policies...

Read More
Premera Blue Cross Settles Multi-State Action for $10 Million
Jul12

Premera Blue Cross Settles Multi-State Action for $10 Million

Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general. The settlement resolves alleged violations of state and federal laws that contributed to its 10.4 million record data breach in 2014. A hacker gained access to Premera Health’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers. Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit. Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of...

Read More
Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool
Jul04

Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool

A medical student is suing Marshall University and Cabell Huntington Hospital over the impermissible disclosure of some of his protected health information (PHI) to a class of students. The student, who is identified as J.M.A in the lawsuit, claims his x-rays were used as a teaching tool by a professor at Marshall University Joan C. Edwards School of Medicine, but information identifying J.M.A. as the patient had not been removed or redacted from the images. The matter had been brought to the attention of the university by another faculty member. On April 15, 2018, the dean of the medical school wrote to J.M.A to inform him of the privacy violation. The university was unaware that the professor was using the image as a teaching tool. J.M.A. claims he has suffered shame, embarrassment, humiliation, and severe anxiety as a direct result of the disclosure of his identity. It is unclear how many people viewed J.M.A’s x-rays and how many of those individuals disclosed what they saw to others. J.M.A is represented by Troy N. Giatras, Matthew W. Stonestreet, and Phillip A. Childs of The...

Read More
UChicago Accused of Illegally Sharing Patient Data with Google
Jul01

UChicago Accused of Illegally Sharing Patient Data with Google

A lawsuit has been filed by a former patient of UChicago Medicine who claims his medical records – and those of hundreds of thousands of other patients – have been shared with Google without authorization. UChicago Medicine, UChicago Medical Center, and Google have been named in the lawsuit. The suit claims patient information was shared with Google as part of study aimed to advance the use of artificial intelligence, but patient authorization was not obtained in advance and data were not properly deidentified. In 2017, UChicago Medicine started sending patient data to Google as part of a project to look at how historical health record data could be used to predict future medical events. Patient data were fed into a machine learning system which attempted to make health predictions about patients. The HIPAA Privacy Rule does not prohibit such disclosures, but prior to patient health information being disclosed, patients must either give their consent or protected health information must first be de-identified – Stripped of the 18 identifiers that allow protected health information...

Read More
Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation
Jun26

Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation

A former patient care coordinator at University of Pittsburgh Medical Center (UPMC) has received a 1-year jail term for accessing the medical records of patients and using that information to cause malicious harm. Sue Kalina, 62, of Butler, PA, had previously worked at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network as a patient care coordinator. On March 30, 2016, while employed by UPMC, Kalina first started accessing patients’ medical records without authorization. She continued to do so until June 15, 2017. Kalina accessed the records of friends, old classmates, and individuals that she had a grievance with. She used information from the medical records in a campaign of vengeance against her former employer, Frank J. Zottola Construction. Kalina had worked at the firm as office manager for 24 years before losing the position and being replaced by a younger woman. Kalina accessed that woman’s medical records and disclosed gynecological information about the woman to the Zottola controller in June 2017. Kalina also left a voicemail message in which the medical...

Read More
AMCA Parent Company Files for Chapter 11 Protection
Jun19

AMCA Parent Company Files for Chapter 11 Protection

Following the massive data breach at American Medical Collection Agency (AMCA) which saw more than 20 million records compromised, AMCA’s parent company, Retrieval-Masters Creditors Bureau Inc., has filed for Chapter 11 protection. The data breach affected individuals who had received medical testing services from Quest Diagnostics, LabCorp, or BioReference Laboratories. Hackers gained access to the web payment portal used by AMCA and accessed and stole the sensitive personal and financial data of patients. The hackers had access to its payment page for more than 7 months before the breach was detected. The cost of recovering from a breach on this scale is considerable. So far, AMCA has mailed more than 7 million breach notification letters to affected individuals at a cost of $3.8 million. A further $400,000 has been spent on hiring IT consultants to assist with the breach response. The data breach caused a cascade of events that led to the bankruptcy filing. Retrieval-Masters Creditors Bureau CEO Russell Fuchs lent AMCA $2.5 million to help cover the cost of mailing the breach...

Read More
Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach
Jun14

Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party. Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015. According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson. Deanna Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her ex husband in the custody battle. Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website and disclosed the information to her attorney, Gary Bradshaw.  Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules. After discovering that her...

Read More
AMCA Breach Sparks Flurry of Lawsuits and Investigations
Jun12

AMCA Breach Sparks Flurry of Lawsuits and Investigations

The dust has barely settled after the news of the massive data breach at American Medical Collection Agency (AMCA) broke last week, but already more than a dozen lawsuits have been filed by victims of the breach. The breach was officially announced by Quest Diagnostics on June 3, 2019 through a 8-K filing with the Securities and Exchange Commission (SEC), and a SEC filing by LabCorp on June 4, 2019, shortly followed by BioReference Laboratories. Currently, the personal of up to 20 million individuals has potentially been compromised. The data breach at AMCA was identified by security researchers at Gemini Advisory who found a batch of 200,000 payment card numbers for sale on a popular darknet marketplace. The numbers included dates of birth and Social Security numbers. AMCA and law enforcement were notified, and systems were secured. However, the investigation revealed hackers had access to its web payment portal for 7 months. It would appear that the hackers behind the breach have at least made an effort to monetize some of the stolen data so it is no surprise that there has been...

Read More
Oregon Updates Data Breach Notification Law to Include Vendors of Covered Entities
Jun07

Oregon Updates Data Breach Notification Law to Include Vendors of Covered Entities

Oregon has updated its breach notification laws and has broadened the definition of consumer information, updated the definition of covered entity, and expanded the law to cover vendors. The update (Senate Bill 684) renames The Oregon Consumer Identity Theft Protection Act as The Oregon Consumer Information Protection Act, which will come into effect on January 1, 2020. The update expands the definition of personal information to include usernames and other means of identifying a consumer which would allow access to be gained to a consumer’s account, along with any method used to authenticate a user. The definition of covered entity has been updated to “a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.” A vendor is defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing...

Read More
Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts
Jun06

Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts

Coffey Health System has agreed to a $250,000 settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims and HITECH Acts. The Kansas-based health system attested to having met HITECH Act risk analysis requirements during the 2012 and 2013 reporting period in claims to Medicare and Medicaid under the EHR Incentive Program. One of the main aims of the HITECH Act was to encourage healthcare organizations to adopt electronic health records. Under the then named Meaningful Use Program, healthcare organizations were required to demonstrate meaningful use of EHRs in order to receive incentive payments. In addition to demonstrating meaningful use of EHRs, healthcare organizations were also required to meet certain requirements related to EHR technology and address the privacy and security risks associated with EHRs. In 2016, Coffey Health System’s former CIO, Bashar Awad, and its former compliance officer, Cynthia McKerrigan, filed a lawsuit in federal court in Kansas against their former employer alleging violations of the False Claims Act. Both...

Read More
Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation
Jun06

Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation

The Supreme Court in Vermont has ruled that a patient can sue a hospital and one of its employees for a privacy violation, despite Vermont law and HIPAA not having a private cause of action for privacy violations. The lawsuit alleges negligence over the disclosure of personal information that was obtained while the patient was being treated in the emergency room. The woman had visited the ER room to receive treatment for a laceration on her arm. The ER nurse who provided care to the patient notified law enforcement that the patient was intoxicated, had driven to the hospital, and intended to drive home after receiving treatment. The nurse had detected an odor of alcohol on the patient’s breath. Using an alco-sensor, the nurse determined the patient had blood alcohol content of 0.215. In Vermont, that blood alcohol level is more than two and a half times the legal limit for driving. A police officer in the lobby of the hospital was notified and the patient was arrested, although charges were later dropped. The women subsequently sued the hospital and the employee for violating her...

Read More
$74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit
Jun04

$74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit

In March 2015, the Seattle-based health insurer Premera Blue Cross announced it had experienced a major data breach that impacted around 10.6 million plan members. The breach occurred in 2014 and resulted in the theft of a broad range of data, including Social Security numbers, bank account information, and health data. The cyberattack is thought to have been conducted by an APT group operating out of China. Shortly after the data breach was announced, several class action lawsuits were filed seeking damages for victims of the breach. More than 40 of those class action lawsuits were consolidated into a single class action lawsuit in the United States District Court in Oregon. The lawsuit alleged the cybersecurity practices at Premera Blue Cross were insufficient and vulnerabilities were exploited by threat actors to gain access to the sensitive information of its plan members. Premera Blue Cross has made the decision to settle the lawsuit and a $74 million settlement has been proposed. Under the terms of the settlement, Premera Blue Cross will pay $32 million to victims of the...

Read More
HHS Confirms When HIPAA Fines Can be Issued to Business Associates
May27

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules. On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate. Business associates of HIPAA Covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.   You can download the HHS Fact Sheet on direct liability of business associates on this link. Penalties for HIPAA Violations by Business Associates The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the...

Read More
Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker
May13

Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker

A lawsuit has been filed against Atchison Hospital in Kansas by a rape victim who alleges an x-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital. According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties. Despite being against the patient’s wishes and a violation of the HIPAA Privacy Rule, information about the examination was disclosed to her attacker by a female X-ray technician at the hospital. The x-ray technician also told the man that he had been accused of sexually assaulting the patient. Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff. A complaint was filed with the hospital over...

Read More
Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records
May10

Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records

Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc., have been charged by the U.S. Department of Justice. 32-year-old Fujie Wang and an unnamed man have been charged in a 4-count indictment in relation to the Anthem cyberattack and theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015. “The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.” The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer. According to the indictment, the international hacking scheme saw Wang and...

Read More
Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation
May02

Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation

An Arizona man who sued Costco over a privacy violation and had the lawsuit dismissed by the trial court has had the decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence based on a violation of the Health Insurance Portability and Accountability Act (HIPAA). The privacy violation in question occurred in 2016. The man had received a sample of an erectile dysfunction drug in January 2016 and received a telephone call from Costco letting him know that his full prescription was ready to be collected. The man cancelled the prescription but when he contacted the pharmacy a month later about a separate prescription, he discovered the cancellation had not been processed. He then cancelled the prescription for a second time but, again, the prescription was not cancelled. The man subsequently authorized his ex-wife to collect his regular prescription. While at the pharmacy, the pharmacist joked with his ex-wife about the uncollected erectile dysfunction prescription. The man was attempting to reconcile with his ex-wife at the time. The...

Read More
Class Action Lawsuit Filed Over Baystate Health Phishing Attack
May01

Class Action Lawsuit Filed Over Baystate Health Phishing Attack

In February 2019, Baystate Health experienced a phishing attack that resulted in the exposure of the protected health information (PHI) of 12,000 patients. On April 11, a class action lawsuit was filed on behalf of individuals affected by the breach. The lawsuit was filed by attorney Kevin Chrisanthopoulos in the U.S. District Court in Springfield, MA, three days after Baystate Health announced the breach. The lawsuit alleges plaintiffs now face an elevated risk of identity theft and fraud as a result of the phishing attack and seeks monetary damages for all patients whose PHI was exposed. Upon discovery of the breach, Baystate Health secured its email system and launched an investigation. The investigation revealed the email accounts of nine employees had been compromised as a result of employees responding to phishing emails. The email accounts were subjected to unauthorized access and, as a result, the attacker(s) potentially gained access to patients’ PHI. For most patients, the information exposed was limited to names, birth dates, diagnoses, treatment information, and...

Read More
New Washington Breach Notification Law Unanimously Passed by Legislature
Apr24

New Washington Breach Notification Law Unanimously Passed by Legislature

A new data breach notification law (HB 1071 / SB 5064) has been unanimously passed by the Washington legislature and awaits Washington Governor Jay Inslee’s signature. The law broadens the definition of personal information and shortens the timescale for issuing notifications to 30 days. Currently, data breach notification laws in Washington only require entities to issue notifications in the event of a breach of a state resident’s name along with a Social Security number, state ID, driver’s license number, or credit/debit card number. The updated breach notification law will also require notifications to be issued in the event of a breach of the following data elements: Full date of birth Military ID numbers Biometric data Passport ID numbers Student ID numbers Medical histories Health insurance ID numbers Usernames and email addresses in combination with a password or answers to security questions that would allow an account to be accessed. Keys for electronic signatures With the exception of online account credentials, the new data elements could be classed as personal...

Read More
Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million
Apr23

Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017. Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted. The drives contained the types of information sought by identity thieves: Names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project. While the hard drive was stolen, Washington State University maintains there are no indications any data stored on the...

Read More
Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations
Apr01

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed. According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug, propofol, from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego. During the time that the cameras were recording 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped. A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts. The lawsuit states that, “At times,...

Read More
National Board of Examiners in Optometry Agrees to Settle 2016 Data Breach Lawsuit for $3.25 Million
Mar28

National Board of Examiners in Optometry Agrees to Settle 2016 Data Breach Lawsuit for $3.25 Million

A settlement has been reached to resolve a class action lawsuit filed on behalf of victims of an alleged data breach at the National Board of Examiners in Optometry (NBEO) in 2016. In the summer of 2016, hackers gained access to the sensitive information of optometrists and students, although it is unclear how the hackers obtained sensitive information and what database or system was hacked. Breach investigations did not uncover any evidence of unauthorized access to any databases containing sensitive credentials. The American Optometric Association (AOA), American Academy of Optometry (AAO) and NBEO all investigated the breach and claimed, and still do, that they were not the source of the breach. A breach certainly occurred as several optometrists and students had received Chase Amazon Visa credit cards in the mail that they had not applied for and many had credit card applications pending. Following the breach, legal action was taken by 13 doctors of optometry who claimed the targeted information was still available. The cases were consolidated, but were thrown out as the breach...

Read More
Class Action Lawsuit Filed Over UConn Health Phishing Attack
Mar26

Class Action Lawsuit Filed Over UConn Health Phishing Attack

A class action lawsuit has been proposed which seeks to recover damages for patients whose protected health information (PHI) was exposed in the UConn Health phishing attack that was discovered on December 24, 2018. The lawsuit has been filed against the University of Connecticut and UConn Health and seeks damages, equitable, declaratory, and injunctive relief to prevent a recurrence of a data breach. A jury trial is being sought. The email accounts of multiple employees were compromised as a result of the attack. In total, 326,000 UConn Health patients had some of their personal and health information exposed in the breach. Most of the individuals affected by the breach only had a limited amount of PHI exposed, although approximately 1,500 patients had their name, address, date of birth, and Social Security number, and some medical information compromised. The lawsuit alleges UConn Health was negligent for failing to protect the private information of its patients there was a failure to provide timely, accurate, and adequate notification of the breach. The lawsuit explains there...

Read More
D.C. Attorney General Proposes Tougher Breach Notification Laws
Mar25

D.C. Attorney General Proposes Tougher Breach Notification Laws

Washington D.C. Attorney General Karl. A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach. On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach. Currently laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers. If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military Identification data, and health insurance information. Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches...

Read More
UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million
Mar22

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit. UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had...

Read More
Northwestern Medicine Sued Over Medical Information Disclosure on Twitter
Mar20

Northwestern Medicine Sued Over Medical Information Disclosure on Twitter

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medial information was disclosed on Twitter and Facebook. Gina Graziano discovered some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy investigation. Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using an employee’s login credentials. Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information. Sensitive information which Graziano did not want to be placed in the public domain was disseminated on social media sites causing her to be publicly humiliated. While Northwestern Medicine did not disclose the...

Read More
Lawmakers Propose Florida Biometric Information Privacy Act
Mar12

Lawmakers Propose Florida Biometric Information Privacy Act

Senator Gary Farmer (D-FL) and Representative Bobby DuBose (D-FL) have proposed new bills (SB 1270 /HB 1153) that require all private entities to obtain written consent from consumers prior to collecting or using their biometric data. The Florida Biometric Information Privacy Act is similar to the Illinois Biometric Information Privacy Act which was signed into law in 2008 and would require private entities to notify consumers about the reasons for collecting biometric information and the proposed uses of that information when obtaining consent. Policies covering data retention and disposal of the information would also need to be made available to the public. Private entities would also be prohibited from profiting from an individual’s biometric information and must not sell, lease, or trade biometric information. Private entities will be required to implement safeguards to protect stored biometric information to ensure the information remains private and confidential. When the purpose for collecting the information has been achieved, or after three years following the last...

Read More
Former Patient Care Coordinator Pleads Guilty to Disclosing Patients’ PHI with Intent to Cause Harm
Mar07

Former Patient Care Coordinator Pleads Guilty to Disclosing Patients’ PHI with Intent to Cause Harm

A former employee of an affiliate of University of Pittsburgh Medical Center (UPMC) who was discovered to have accessed the medical records of patients without authorization has pleaded guilty to one count of wrongful disclosure of health information with intent to cause harm and now faces a fine and jail term for the HIPAA violation. Ms. Linda Sue Kalina, 61, of Butler, PA, had previously worked as a patient care coordinator at Tri Rivers Musculoskeletal (TRM) between March 7, 2016 and June 23, 2017 before moving to Allegheny Health Network (AHN) where she worked from July 24, 2017 to August 17, 2017. Between December 2016 and August 2017, Ms. Kalina was accused of accessing the files of 111 UPMC patients and 2 AHN patients without authorization or any legitimate work reason for doing so. According to her indictment, she also disclosed the PHI of four of those patients to individuals not authorized to receive the information. Prior to working at TRM, Ms. Kalina had been employed at Frank J. Zottola Construction for 24 years until she was fired from the position of office manager....

Read More
New Jersey Expands Definition of Personal Information Requiring Breach Notifications
Mar05

New Jersey Expands Definition of Personal Information Requiring Breach Notifications

The New Jersey Assembly has unanimously passed a bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach. New Jersey breach notification laws require businesses and public entities to send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account number or credit/debit card information if they are accompanied with a password or code that allows the account to be accessed. The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act expands the definition of personal information to include email addresses and usernames along with a password or answers to security questions that would allow accounts to be accessed. The bill – A-3245 – was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. An identical bill – S-52- was passed by the Senate and Assembly in 2018, but it was not signed by then state governor Chris Christie....

Read More
New Cybersecurity Requirements for Ohio Health Insurers
Feb27

New Cybersecurity Requirements for Ohio Health Insurers

From March 20, 2019, insurance companies in Ohio will be subject to a new law (Senate Bill 273) that requires them to develop and implement a written information security program to safeguard business and personal information. The information security program must include a comprehensive internal risk assessment to identify risk and threats to systems and data. Following the risk assessment, safeguards must be implemented to protect all nonpublic information that would cause a material adverse impact to business operations or could cause harm to customers if the information were to be exposed or accessed by unauthorized individuals. Nonpublic information includes financial information, health information, and identifiers such as Social Security numbers, driver’s license numbers, state ID cards, biometric information, account numbers, credit/debit card numbers, security/access codes that permit access to a financial account, and any information (except age or gender) that is created by or derived from a healthcare provider or consumer that could be used to identify an individual in...

Read More
California Bill Seeks to Expand State Data Breach Notification Law
Feb22

California Bill Seeks to Expand State Data Breach Notification Law

The data breach notification laws in California are already some of the toughest in the United States, although they could soon become even tougher if a new bill is signed into law. Currently, California law requires data breach notifications to be issued to consumers when there has been a breach of financial/banking information, Social Security numbers, health insurance information, medical information, driver’s license numbers, passwords, and data collected through automated license plate recognition systems. The new bill seeks to expand that list to include passport numbers and biometric data such as fingerprints, iris/retina scans, and facial recognition data. The bill – AB 1130 – was introduced by Assemblymember Marc Levine (D-San Rafael) and seeks to close a loophole in the current data breach notification law which could see breaches of highly sensitive information go unreported. The massive data breach at Marriott in 2018 prompted the bill. A database containing the sensitive information of guests of the Starwood Hotels chain was stolen, resulting in the theft of guests’...

Read More
Maryland Considers Tougher Penalties for Ransomware Attacks
Feb20

Maryland Considers Tougher Penalties for Ransomware Attacks

Following a spate of ransomware attacks on businesses and hospitals in Maryland, a new bill (Senate Bill 151) has been introduced which seeks to increase the penalties for ransomware attacks. It is hoped that tougher penalties for ransomware attacks would discourage individuals from conducting attacks in the state. The bill defines ransomware as a computer or data contaminant, encryption, or lock that is introduced without authorization on a computer, computer network, or computer system that restricts access to the computer, data, network, or system and is accompanied by a demand for payment to remove the contaminant, encryption or lock. Currently in Maryland, a ransomware attack is classed as a misdemeanor if the attacker causes losses of less than $10,000 and a felony if the attack results in losses of $10,000 or more. The bill seeks to reclassify a ransomware attack as a felony if it results in aggregate losses of more than $1,000. Aggregate losses include “the value of any money, property, or service lost, stolen, or rendered unrecoverable by the crime,” along with reasonable...

Read More
OCR Settles Cottage Health HIPAA Violation Case for $3 Million
Feb08

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000. Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients. In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information. Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed...

Read More
Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case
Feb05

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI. Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S. In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China. An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers. At the time it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights and still ranks as one of the top six...

Read More
Legal Action Over Illinois Biometric Information Privacy Act Violations Possible Without Actual Harm
Feb01

Legal Action Over Illinois Biometric Information Privacy Act Violations Possible Without Actual Harm

The Illinois Supreme Court has ruled that individuals whose privacy has been violated through a breach of the Illinois Biometric Information Privacy Act can take legal action against a private entity, even if the violation of BIPA has not resulted in actual harm. The Illinois Biometric Information Privacy Act, enacted in 2008, requires private entities to inform a person in writing that their biometric information will be collected or stored. The purpose for the collection or storage of that data and the length of time the information will be retained must also be explained. The entity must also obtain written authorization from an individual or that individual’s legal representative before biometric data can be collected or stored. Biometric data includes fingerprints, voiceprints, hand scans, iris scans, and other biometric means of identifying a person. In contrast to HIPAA, which has no private cause of action, individuals can sue companies for Illinois Biometric Information Privacy Act (BIPA) violations. Illinois is unique in that respect. Other states such as Texas and...

Read More
Aetna Settles HIV Status Breach Case with California AG for $935,000
Feb01

Aetna Settles HIV Status Breach Case with California AG for $935,000

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy breach that exposed state residents’ HIV status. On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates.  Approximately 12,000 individuals were sent letter, 1,991 of whom lived in California. The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution. In...

Read More
Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data
Jan31

Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data

The Oregon Health Information Property Act proposes patients should be allowed to authorize their healthcare providers to sell their health data and for them to be financially compensated if their health information is sold to a third party. Currently, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered entities are only permitted to use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. While there are some exceptions, other uses and disclosures are prohibited unless consent is first obtained from patients. The HIPAA Privacy Rule covers PHI, which is identifiable patient information. If PHI is stripped of information that allow an individual to be identified, it is no longer considered PHI and is no longer subject to Privacy Rule controls. That means that if a HIPAA-covered entity de-identifies PHI, they can then sell that information on for profit. That information can be valuable to research...

Read More
State AG Proposes Tougher Data Breach Notification Laws in North Carolina
Jan21

State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents. The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims. Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents. The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows...

Read More
Physician Receives Probation for Criminal HIPAA Violation
Jan18

Physician Receives Probation for Criminal HIPAA Violation

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation and has escaped a jail term and fine. The case concerned the wrongful disclosure of patients’ PHI to a pharmaceutical firm. The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion. In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug. Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability. The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules...

Read More
New Massachusetts Data Breach Notification Law Enacted
Jan16

New Massachusetts Data Breach Notification Law Enacted

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019. The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications. Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name. Social Security number Driver’s license number State issued ID card number Financial account number, or credit/ debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. As with the previous law, there is no set timescale for issuing breach...

Read More
10 Year Jail Term for Boston Children’s Hospital Hacker
Jan14

10 Year Jail Term for Boston Children’s Hospital Hacker

The hacker behind a Distributed Denial of Service (DDoS) attack on Boston Children’s Hospital in 2014 has been handed a jail term of 10 years and must pay $443,000 in restitution. Martin Gottesfeld, 34, of Somerville, MA, launched attacks on the Framingham, MA, Wayside Youth and Family Support Network and Boston Children’s Hospital in 2014 as a protest over the handling of a case of suspected child abuse. In 2013, teenager Justina Pelletier was admitted to Boston Children’s Hospital after a physician at Tufts Medical Center recommended she was transferred in order for her to see her longtime gastroenterologist. Justina suffered from mitochondrial disease; however, Boston Children’s Hospital believed Justina’s condition was psychological rather than physical. Justina’s parents tried to get their daughter transferred back to Tufts Medical Center but the hospital believed the actions of the parents and interference in their daughter’s care amounted to medical abuse. In the subsequent custody case, the parents lost custody of their daughter to the state of Massachusetts. Justina spent...

Read More
Flowers Hospital Data Breach Settlement Approved by Judge
Dec28

Flowers Hospital Data Breach Settlement Approved by Judge

A class action data breach lawsuit filed against Flowers Hospital in Dothan, AL, in 2014 has finally been settled. In 2014, an employee of Flowers Hospital stole the personal information of patients from the hospital laboratory and used the information to file fraudulent tax returns in the names of patients. A deputy sheriff discovered patient files in the vehicle of laboratory employee, Karmarian Millender, during a traffic stop. The investigation revealed that Millender had been stealing patient records from the laboratory and had sold the information to tax fraudsters who filed fraudulent tax returns in patients’ names. Millender pleaded guilty to the theft of patient data and was sentenced to two years in prison. Many patients incurred out-of-pocket expenses from paying for credit monitoring services, lost earnings from arranging those services and combatting identity theft, and lost interest from delayed tax refunds. A class action lawsuit was filed against the hospital to recover those costs. The lawsuit alleged the hospital had been negligent by failing to implement adequate...

Read More
LifeBridge Health Sued for 18-Month Malware That Allowed Theft of 530,000 Patients’ PHI
Dec24

LifeBridge Health Sued for 18-Month Malware That Allowed Theft of 530,000 Patients’ PHI

A lawsuit has been filed on behalf of patients who had their protected health information stolen as a result of a malware infection at the Baltimore-based healthcare provider LifeBridge Health. LifeBridge Health discovered the malware infection in March 2018; however, an investigation of the breach revealed the malware had been installed on one of its servers on or around September 27, 2016. The server hosted LifeBridge Health electronic medical records and its patient registration and billing systems. During the 18 months that the malware was on its server, the protected health information of approximately 530,000 patients was allegedly stolen – Information such as names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses, and treatment information. According to the lawsuit, filed by law firm Murphy, Falcon & Murphy, the malware was installed as a result of “LifeBridge’s failure to ensure the integrity of its servers and to properly safeguard patients’ highly sensitive and confidential information.” The lawsuit claims the...

Read More
$853,000 Awarded to Patient Whose PHI Was Impermissibly Disclosed to Former Boyfriend
Dec21

$853,000 Awarded to Patient Whose PHI Was Impermissibly Disclosed to Former Boyfriend

An 11-year lawsuit that was filed following the release of a woman’s medical records to her former boyfriend has finally come to an end and a jury has ruled in favor of the plaintiff. Emily Byrne took legal action against Avery Center for Obstetrics and Gynecology in Westport, CT, following the release of her medical records to her former boyfriend’s attorneys. Emily Byrne broke up with her boyfriend, Andro Mendoza, after she discovered she was pregnant. Mendoza took legal action to obtain Byrne’s medical records. His attorneys issued a subpoena to Avery Center to release Byrne’s medical records and Avery Center complied. According to Byrne’s lawsuit, Mendoza viewed her medical records and used the information to try to gain custody of the baby. The information was also allegedly also used to harass and extort money from Byrne. The lawsuit claimed that as a result of the disclosure of her medical records, Byrne suffered emotional distress, trauma, and anxiety, was harassed by exposure to civil claims in federal district court, received threats from Mendoza of criminal charges, and...

Read More
Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital
Dec21

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients. McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center. The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an...

Read More
Federal GDPR-Style Data Privacy Bill Introduced
Dec17

Federal GDPR-Style Data Privacy Bill Introduced

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz, (D-Hawai’i), introduced the Data Care Act. The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm. The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions. As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data. The bill would also require companies...

Read More
Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400
Dec12

Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400

OCR has fined a Colorado hospital $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI. Pagosa Springs Medical Center (PSMC) is a critical access hospital, part of the Upper San Juan Health Service District, which provides more than 17,000 hospital and clinic visits a year. As a HIPAA-covered entity, PSMC is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. One of the provisions of the HIPAA Privacy Rule is to limit access to protected health information to authorized individuals. When an employee is terminated, leaves the organization, or changes job role and is no longer required to have access to PHI, access rights must be terminated. The failure to terminate remote access is a violation of HIPAA Rules and could potentially result in an impermissible disclosure of ePHI. On June 7, 2013, OCR received a complaint about a former employee of PSMC who continued to have remote access to a web-based scheduling calendar after leaving PSMC....

Read More
EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach
Dec11

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members. On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members. The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents. The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised. That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed...

Read More
First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine
Dec07

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system. Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system. CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data. The failure to implement appropriate access controls is a violation of...

Read More
12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering
Dec05

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals. Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures. A Failure to Implement Adequate Security Controls The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data...

Read More
DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks
Nov29

DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks

The U.S. Department of Justice has announced significant progress has been made in the investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years. The DOJ, assisted the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, have identified two Iranians who are believed to be behind the SamSam ransomware attacks. Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been indicted on four charges: Conspiracy to commit fraud and related computer activity Conspiracy to commit wire fraud Intentional damage to a protected computer Transmitting a demand in relation to damaging a protected computer The DOJ reports that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme. In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group conducts targeted, manual attacks on...

Read More
UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court
Nov28

UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court

A lawsuit filed by employees affected by a data breach at University of Pennsylvania Medical Center (UPMC) has been revived by the Pennsylvania Supreme Court. The lawsuit was filed after hackers stole the information of approximately 62,000 current and former UPMC employees in a data breach discovered by UPMC in February 2014. The stolen information included names, addresses, Social Security numbers, tax information, and bank account numbers. The information was used to file fraudulent tax returns in employees’ names to receive tax refunds. According the lawsuit, “As a result of UPMC’s negligence, employees incurred damages relating to fraudulently filed tax returns and are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.” UPMC argued that there is no cause of action for negligence as no property damage or physical injury was alleged by its employees. In Pennsylvania, no cause of action exists for negligence that solely results in economic losses. The lawsuit was thrown out by two lower courts; however, last week the lawsuit was...

Read More
Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI
Nov13

Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI

A former IT worker at Chilton Medical Center in New Jersey has been sentenced to 5 years’ probation for the theft of IT equipment that contained the protected health information of some of its patients. Sergiu Jitcu, of Saddle Brook, NJ, had previously been employed by Chilton Medical Center. On October 31, 2017, Chilton Medical Center learned that one of its hard drives had been sold on eBay. The purchaser discovered databases on the hard drive that appeared to include the protected health information (PHI) of some of its patients. The subsequent investigation revealed the hard drive contained the PHI of 4,600 patients who had received medical services at Chilton Medical Center between May 1, 2008 and October 15, 2017. The types of information on the hard drive included names, addresses, dates of birth, allergy information, medical record numbers, and medications. The theft was reported to the Morris County Prosecutor’s Office and was linked to Jitcu. The Morris County Prosecutor’s Office Specialized Crime Division obtained a search warrant for Jitcu’s home and vehicle and...

Read More
Virginia Superior Court Partially Reverses Lower Court Decision in Employee Snooping Case
Nov06

Virginia Superior Court Partially Reverses Lower Court Decision in Employee Snooping Case

When healthcare employees access patient data without authorization it is a clear violation of the Health Insurance Portability and Accountability Act’s Privacy Rule, but is the employer liable for the privacy breach? In 2016, Lindsey Parker, a patient of Carilion Healthcare Corp’s Carilion Clinic in Virginia, took legal action against the clinic and Carilion Healthcare Corp after it was discovered that two employees of the clinic had accessed her medical records and impermissibly disclosed a past diagnosis. The privacy breach occurred in 2012 which parker was a patient of the Carillion Rocky Mount Obstetrics & Gynecology clinic. Parker was visiting the clinic about a matter unrelated to her previous diagnosis and while waiting for treatment, Parker spoke with an acquaintance in the waiting room – Trevor Flava. Parker alleged that a Carillion employee, Christy Davis, saw the couple talking and accessed Parker’s medical record and saw her previous diagnosis. Davis is then alleged to have contacted her friend, Lindsey Young, who worked in another Carillion facility and disclosed...

Read More
$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach
Nov05

$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach

New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement has been agreed with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act that were discovered during an investigation of a 2016 breach of 1,650 individuals’ protected health information. Protected Health Information of 1,654 Patients Was Accessible Through Search Engines Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians. In January 2016, it was discovered that transcribed documents had been uploaded to File Transfer Protocol (FTP) website that was accessible over the Internet without the need for any authentication. The files had been indexed by Google and could be found using search terms including information contained in the files. Password-protection had been removed when software on the website was...

Read More
$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark
Oct16

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals. Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation. The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino. Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted...

Read More
California HIV Patient PHI Breach Lawsuit Allowed to Move Forward
Oct08

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss. The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco. In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information. A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities. It was alleged...

Read More
Massachusetts Gynecologist Spared Jail Time for Criminal HIPAA Violation
Sep25

Massachusetts Gynecologist Spared Jail Time for Criminal HIPAA Violation

In April 2018, the former Massachusetts-based gynecologist Rita Luthra, 65, of Longmeadow, was convicted of criminally violating the HIPAA Privacy Rule and obstructing a federal investigation into a nationwide kickback scheme. At her sentencing on September 19, 2018, Luthra was spared jail time and a fine and was given one year of probation. Luthra was accused of being paid $23,500 to prescribe Warner Chilcott’s osteoporosis drugs, although Luthra maintained she had been paid the money as ‘speaker fees’ for speaking at medical educational events, which took place in her office, and for writing a research paper, although that paper was never finished. The jury found that Luthra lied to federal agents about money she had received from the pharmaceutical firm. Luthra also denied providing a pharmaceutical sales representative with access to patient health information in order to complete pre-authorization forms for insurance companies that were refusing to approve prescriptions for two osteoporosis drugs that Warner Chilcott was pushing. She also allegedly instructed her assistant to...

Read More
$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Sep20

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules. This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients. Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a). Brigham and Women’s Hospital (BWH) settled its HIPAA violations...

Read More
NY Attorney General Fines Arc of Erie County $200,000 for Security Breach
Sep04

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients. In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines. The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained. In total, 3,751 clients in New York had...

Read More
Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure
Aug27

Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure

Following the accidental drowning of their adopted son, Denise and Wayne Russell were contacted by the child’s birth mother who made threats against their family. The phone call from the birth mother came shortly after their son was admitted to McAlester Regional Health Center following a tragic swimming pool accident. Their 2-year old child had fallen into the pool after the gate to the pool area had been accidentally left open. The parents administered CPR at the scene until the paramedics arrived and the child was rushed to hospital where he was later confirmed to have died. Shortly after their son died, the Russells received the telephone call from the birth mother. When asked how she knew about the accident and death of the child, she confirmed that she had been informed by the hospital. The birth month screamed at the Russells and made multiple threats, according to Denise Russell, including a threat to kill their other son. The situation became so bad that a protective order was filed against their son’s birth mother. The Russells had taken care of their adopted son Keon...

Read More
Court Approves Anthem $115 Million Data Breach Settlement
Aug20

Court Approves Anthem $115 Million Data Breach Settlement

The $115 million settlement proposed by Anthem Inc., in 2017 to resolve the class action lawsuits filed by victims of its 78.8 million-record data breach in 2015 received final approval on Thursday, August 16. The Anthem cyberattack resulted in plan members’ names, dates of birth, health insurance information, Social Security numbers and other data elements stolen by cybercriminals. Several class-action lawsuits were filed in the wake of the breach, which were consolidated into a single lawsuit by the Judicial Panel for Multidistrict Litigation in June 2015. The case was assigned to the U.S District Court for the Northern District of California, where a large proportion of the class members reside. While 78.8 million individuals had protected health information (PHI) exposed when Anthem’s network was hacked, there are only 19.1 million members of the class action lawsuit, all of whom were able to demonstrate that their personal information was stored in the data center that was attacked by hackers. Following the data breach, Anthem offered breach victims 24 months of credit...

Read More
Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital
Aug07

Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital

A hacktivist who conducted a Distributed Denial of Service (DDoS) attack on Boston’s Children’s Mercy Hospital in 2014 has been convicted on two counts – conspiracy to intentionally damage protected computers and damaging protected computers – by a jury in the U.S. District Court in Boston. Martin Gottesfeld, 32, of Somerville, MA, conducted the DDoS attacks in March and April of 2014. He first conducted a DDoS attack on Wayside Youth and Family Support Network in Framingham, MA. The attack crippled its systems and took them out of action for more than a week. The attack cost the healthcare facility $18,000 to resolve. Following that attack, Gottesfeld conducted a much larger attack on Boston Children’s Hospital using 40,000 malware-infected network routers that he controlled from his home computer. The attack was planned for a week and occurred on April 19, 2014. Such was the scale of the attack that the hospital and several others in the Longwood medical area were knocked off the internet. 65,000 IP addresses used by the hospital and other healthcare facilities in the area were...

Read More
Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach
Jul26

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight. In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes. The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients protected health information. Millender admitted to using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to serve two years in jail. In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital...

Read More
Children’s Mercy Hospital Sued for 63,000-Record Data Breach
Jul13

Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information. In total, five email accounts were compromised between December 2017 and January 2018. On December, 2, 2017  two email accounts were discovered to have been accessed by an unauthorized individual as a result of employees responding to phishing emails. Links in the emails directed the employees to a website where they were fooled into disclosing their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, with a fifth and final account compromised in early January. The mailbox accounts of four of those compromised email accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent...

Read More
Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation
Jul09

Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation

In 2016, Radnor, PA-based Main Line Health Inc., terminated an employee for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by accessing the personal records of a co-worker without authorization on two separate occasions. In such cases, when employee or patient records are accessed without authorization, employees face disciplinary action which can include termination. Gloria Terrell was one such employee who was terminated for violating company policies and HIPAA Rules. Main Line Health fired Terrell for “co-worker snooping.” Terrell filed an internal appeal over her termination and maintained she accessed the records of a co-worker in order to obtain a contact telephone number. Terrell said she needed to contact the co-worker to make sure a shift would be covered, and this constituted a legitimate business reason for the access as she was unable to find the phone list with employees’ contact numbers. After firing Terrell, Main Line Health appointed a significantly younger person to fill the vacant position. Terrell took legal action against Main Line...

Read More
District Court Ruling Confirms No Private Cause of Action in HIPAA
Jun25

District Court Ruling Confirms No Private Cause of Action in HIPAA

Patients who believe HIPAA Rules have been violated can submit a compliant to the Department of Health and Human Services’ Office for Civil Rights, but they do not have the right to take legal action, at least not for the HIPAA violation. There is no individual private cause of action under HIPAA law. Several patients have filed lawsuits over alleged HIPAA violations, although the cases have not proved successful. A recent case has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed. Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that while at the hospital on June 15, 2017, a LabCorp employee instructed her to enter her protected health information at a computer intake station. Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different...

Read More
3-Year Jail Term for VA Employee Who Stole Patient Data
Jun18

3-Year Jail Term for VA Employee Who Stole Patient Data

A former employee of the Veteran Affairs Medical Center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients has been sentenced to three years in jail. Albert Torres, 51, was employed as a clerk in the Long Beach Health System-run medical center – a position he held for less than a year. Torres was pulled over by police officers on April 12 after a check of his license plates revealed an anomaly – plates had been used on a private vehicle, which were typically reserved for commercial vehicles. The police officers found prescription medications which Torres’ did not have a prescription for and the Social Security numbers and other PHI of 14 patients in his vehicle. A subsequent search of Torres’ apartment revealed he had hard drives and zip drives containing the PHI of 1,030 patients and more than $1,000 in cleaning supplies that had been stolen from the hospital. After pleading guilty to several crimes, including identity theft and grand theft, Torres was sentenced to three years in state penitentiary on June 4. Sutter Health Fires...

Read More
Lawsuits Filed Over Alleged HIPAA Violations
Jun05

Lawsuits Filed Over Alleged HIPAA Violations

Two lawsuits have recently been filed in relation to alleged breaches of Health Insurance Portability and Accountability Act (HIPAA) Rules, one by a former hospital employee and another by a patient whose privacy was allegedly violated by a CVS pharmacy employee. Former Employee of Mosaic Life Care Medical Center Takes Legal Action over Dismissal A former employee of Mosaic Life Care Medical Center in St. Joseph, MO is taking legal action over wrongful discharge and retaliation for her taking steps to avoid a violation of the False Claims Act. Debra Conard, 57, alleges she was wrongfully terminated for raising concerns about unlawful, unethical, and fraudulent billing practices. According to the lawsuit, in April 2017, Conard was instructed by hospital officials to release charges for billing even though the documentation did not support the claims. Multiple charges were required to be pushed through, which would induce payment by Medicare and other third parties, even though Conrad could not verify that the claims were correct. Conrad raised her concerns about potential violations...

Read More
Colorado Governor Signs Data Protection Bill into Law
Jun05

Colorado Governor Signs Data Protection Bill into Law

Colorado Governor John Hickenlooper has signed a bill – HB 1128 – into law that strengthens protections for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Legislature. The bill will take effect from September 1, 2018. The bill requires organizations operating in the state of Colorado to implement reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is protected. The bill also reduces the time for notifying the state attorney general about breaches of PII and introduces new rules for disposing of PII when it is no longer required. Personal information is classed as first name and last name or first initial and last name in combination with any of the following data elements (when not encrypted, redacted, or secured by another means that renders the information unreadable): Social Security number Student ID number Military ID number Passport number Driver’s license number or...

Read More
Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach
Jun01

Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach

There have been further developments in the ongoing legal battles over a 2017 privacy breach experienced by Aetna involving the exposure of patients’ sensitive health information. A further lawsuit has been filed by the insurer in an attempt to recover the costs incurred as a result of the breach. Ongoing Legal Battles Over the Exposure of Patients’ HIV Statuses In 2017, the health insurer Aetna experienced a data breach that saw highly sensitive patient information impermissibly disclosed to other individuals. A mailing vendor sent letters to patients using envelopes with clear plastic windows and information about HIV medications were allegedly visible. The mailings related to HIV medications used to treat patients who had already contracted HIV and individuals who were taking drugs as pre-exposure prophylaxis. Approximately 12,000 patients received the mailing. Lawsuits were filed on behalf of patients whose HIV positive status was impermissibly disclosed, which were settled in January for $17.2 million. A settlement was agreed with the New York state attorney general for a...

Read More
Jury Must Decide Whether Psychiatrist was Sacked for a HIPAA Violation
May22

Jury Must Decide Whether Psychiatrist was Sacked for a HIPAA Violation

Boston-based Steward Healthcare System terminated a psychiatrist for violating HIPAA Rules but must now prove to a jury that was the case. The psychiatrist claims he was fired in retaliation over taking extended disability leave, not for a HIPAA violation. Dr. Alexander Lipin contracted pneumonia and requested extended disability leave under the Family Medical Leave Act (FMLA). Extended leave was granted by Steward Healthcare System and Lipin was due to return to work on March 2, 2016. However, Lipin was fired on February 23 while still on disability leave over a HIPAA violation, which his attorney, Kavita M. Goyal, claims was used as an excuse for the termination. Steward Healthcare System alleged Lipin had violated HIPAA Rules by providing patients’ protected health information to law enforcement. According to Steward Medical Group President, George Clairmont, the decision had been taken to fire Lipin over the HIPAA violation before he took leave. Clairmont also stated Lipin was fired after it was discovered he was working for Anna Jaques Hospital while on leave. Lipin sued...

Read More
South Carolina Insurance Data Security Act Signed into Law
May21

South Carolina Insurance Data Security Act Signed into Law

On May 14, 2018, South Carolina Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law. The Act closely follows the Insurance Data Security Model law drafted by the National Association of Insurance Commissioners (NAIC) in 2017.  South Carolina is the first state to implement a comprehensive cybersecurity law covering the insurance industry. From January 1, 2019, when the South Carolina Insurance Data Security Act becomes effective, all licensees of the South Carolina Department of Insurance will be required to comply with the Act. The Act requires all insurers, agents, and other licensed entities to develop a comprehensive written information security program within six months of the compliance date. The cybersecurity program should be commensurate with the size and complexity of the company, the nature and scope of its activities, and the sensitivity of nonpublic information used/stored by the company. The cybersecurity program should be guided by a comprehensive risk analysis and should mitigate all risks identified by that risk analysis. The Act...

Read More
Lincare Settles W-2 Phishing Scam Lawsuit for $875,000
May18

Lincare Settles W-2 Phishing Scam Lawsuit for $875,000

The respiratory therapy supplier Lincare Inc., has agreed to settle a class-action lawsuit filed by employees whose W-2 information was sent to cybercriminals when an employee responded to a phishing scam. On February 3, 2017, a member of Lincare’s human resources department received an email from a high-level executive requesting copies of W-2 information for all employees of the firm. Believing the email was a genuine request, the employee responded and attached W-2 information for ‘a certain number of employees of Lincare and its affiliates.’ After discovering the accidental disclosure of sensitive information, Lincare contacted affected employees and offered them two years of credit monitoring, identity theft insurance, and remediation services without charge. On October 16, 2017, three employees – Andrew Giancola, Raymond T. Scott, and Patricia Smith – took legal action against Lincare alleging negligence, breach of implied contract, breach of fiduciary duty, and violation of Florida’s Deceptive and Unfair Trade Practices Act. The lawsuit survived a motion to dismiss and...

Read More
Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack
May08

Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals. As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018. HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights. Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for...

Read More
Massachusetts Physician Convicted for Criminal HIPAA Violation
May04

Massachusetts Physician Convicted for Criminal HIPAA Violation

Criminal penalties for HIPAA violations are relatively rare, although the Department of Justice does pursue criminal charges for HIPAA violations when there has been a serious violation of patient privacy, such as an impermissible disclosure of protected health information for financial gain or malicious purposes. One such case has resulted in two criminal convictions – a violation of the Health Insurance Portability and Accountability Act and obstructing a criminal healthcare investigation. The case relates to the DOJ investigation of the pharmaceutical firm Warner Chilcott over healthcare fraud. In 2015, Warner Chilcott plead guilty to paying kickbacks to physicians for prescribing its drugs and for manipulating prior authorizations to induce health insurance firms to pay for prescriptions. The case was settled with the DOJ for $125 million. Last week, a Massachusetts gynecologist, Rita Luthra, M.D., 67, of Longmeadow, was convicted for violating HIPAA by providing a Warner Chilcott sales representative with access to the protected health information of patients for a period of...

Read More
Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft
Apr17

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution. Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014. Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information. Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents. On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016. She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were...

Read More
2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office
Apr11

2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients. Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items. Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office. The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email. Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per...

Read More
HHS Files Motion to Dismiss Ciox Health Lawsuit
Apr10

HHS Files Motion to Dismiss Ciox Health Lawsuit

The Department of Health and Human Services has filed a motion to dismiss a lawsuit filed by the healthcare information management company Ciox Health claiming the lawsuit lacks standing. Early this year, Ciox Health filed a lawsuit challenging changes to HIPAA in 2013 and subsequent enforcement guidance issued by the HHS in 2016. The changes to the HIPAA Privacy Rule in 2013 in question placed a limit on the amount that could be charged by covered entities for providing patients with copies of their health records. The charges must be limited to a reasonable cost-based fee. In 2016, the HHS issued guidance for the public explaining the rulemaking and providing answers to commonly asked questions about medical record access. Ciox Health claims the changes threaten to upend the medical records industry and that the updates and guidance are ultra vires, arbitrary and capricious. Ciox Health is also seeking injunctive relief to stop the HHS from unlawfully enforcing the regulations. In its motion to dismiss the lawsuit, filed in the U.S. District Court in Washington, D.C., HHS...

Read More
Oregon Data Breach Notification and Information Security Laws Updated
Apr06

Oregon Data Breach Notification and Information Security Laws Updated

Oregon has updated its data breach notification law to improve protections for state residents whose personal information is exposed in a data breach. State governor Kate Brown added her signature to Senate Bill (SB 1551) last month, which updates several regulations, notably Oregon’s Breach Notification Law, O.R.S. 646A.604 and Information Security Law, O.R.S. 646A.622. The updates will become effective in June 2018. Prior to the update, Oregon data breach notification law only applied to persons who own or license personal information. Now, the definition of a person is “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.” A data breach is defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” The definition of personal information has been expanded to include a first...

Read More
Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law
Apr05

Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law

Virtua Medical Group – A network of physicians affiliated to over 50 medical practices in New Jersey – has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without the need for any authentication. The electronic protected health information was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group – Best Medical Transcription – which had been provided with audio files to transcribe medical notes. Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport. The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016 during a software upgrade on the FTP server, the password protection was accidentally removed allowing patient...

Read More
Alabama Governor Enacts Data Breach Notification Act
Apr04

Alabama Governor Enacts Data Breach Notification Act

Alabama has become the 50th state to require companies to issue breach notifications to individuals whose personal information has been exposed or compromised as a result of a data breach. Governor Kay Ivey signed the act into law on March 28. The effective date is May 1, 2018. The data breach notification law has taken a long time to be enacted although Alabama residents will now have some of the best protections in the country, with the law one of the strictest introduced in any state. While every state now has a data breach notification law that requires notifications to be issued to all individuals impacted by a data breach, only 28% of U.S. states – including Alabama – also require ‘covered entities’ to maintain reasonable security measures to protect the confidentiality of sensitive personally identifying information of state residents. Service providers must also be contractually required to maintain appropriate safeguards. Sensitive personally identifying information is classed as a state resident’s first name or first initial and last name in combination with any of...

Read More
South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill
Mar28

South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill

South Dakota has been slow to introduce legislation to improve protections for consumers affected by breaches of their personal information. Laws have already been introduced in 48 states that require individuals and companies that store personal information to issue notifications to breach victims when that information is compromised. Last week, South Dakota residents were given similar protections to those in place in neighboring states. On March 21, 2018, South Dakota attorney general Marty Jackley issued a statement confirming SB 62 had been signed by Governor Daugaard and will take effect on July 1, 2018. The bipartisan bill requires entities that experience a breach of personal information to issue notifications to affected state residents within 60 days of discovery of the breach – The same time frame as HIPAA. Personal information is classed as the full name or first initial and last name of a state resident in combination with either a government ID number, Social Security number, driver’s license number, credit/debit card number (with an associated code that allows the...

Read More
Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach
Mar26

Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv. The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients. In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions. In July/August 2017, CSV Caremark’s mailing vendor Fiserve sent letters to patients containing their membership cards and information about how they could obtain their HIV medications. In the lawsuit the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates....

Read More
EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach
Mar07

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General. While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members. Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information. The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law §...

Read More
1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware
Feb22

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection. The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients. The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician. Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23,...

Read More
Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days
Feb22

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data. Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration. The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just...

Read More
What is FINRA Compliance?
Feb15

What is FINRA Compliance?

FINRA compliance is often mentioned in relation to the securities industry, but what is FINRA and what does FINRA compliance entail? Find out more about the FINRA, the role it plays, how the agency exerts control over brokers and brokerage firms, and the penalties for noncompliance with FINRA rules and regulations. What is FINRA? FINRA, an acronym of the Financial Industry Regulatory Authority, is a non-profit self-regulatory organization or SRO which is overseen by the Securities Exchange Commission (SEC). An SRO is a non-government agency that has a degree of regulatory authority over an industry, which in the case of FINRA is the securities industry and the New York Stock Exchange. The SEC’s role is to ensure fairness for investors whereas FINRA is also concerned with monitoring and regulating stockbrokers and brokerage firms, deterring misconduct, and ensuring the financial markets are fair. FINRA ensures transparency in the industry transaction and develops and enforces rules for the securities industry. FINRA also helps enforce SEC rules and other regulations. FINRA is...

Read More
Texas HB300 Compliance
Feb10

Texas HB300 Compliance

Texas HB300 (Texas House Bill 300) was signed into law by State governor Rick Perry in June 2011. The Bill made significant changes to state laws covering the privacy and security of protected health information (PHI) for individuals and organizations that assemble, collect, analyze, store, or transmit PHI. The Texas HB300 compliance date was September 1, 2012. Texas HB300 Introduced Stricter Privacy and Security Protections than HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of PHI and protect the privacy of patients and health plan members. Texas HB300 takes those requirements a step further, introducing even stricter requirements for covered entities, which under the new laws, also includes individuals and organizations not covered by HIPAA Rules. The existing laws updated by Texas HB300 were: Texas Health Code,...

Read More
Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach
Feb08

Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach

Aetna has taken legal action against an administrative support company over a July 2017 data breach that saw details of HIV medications visible through the clear plastic windows of envelopes in a mailing. Letters inside some of the envelopes had slipped, making the words ““when filling prescriptions for HIV medications” clearly visible to anyone who saw the envelopes. The privacy breach was condemned by the Legal Action Center and AIDS Law Project of Pennsylvania, who along with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking damages for breach victims. In January, Aetna settled the lawsuit for $17.16 million. Last month, Aetna also settled violations of HIPAA and state laws for $1.15 million with the New York attorney general over the same breach. The class action was only one of seven filed against the health insurer, and further fines from state attorneys general are to be expected. Several other attorneys general have opened investigations into the breach and may also determine that state laws have been violated. The costs associated with the...

Read More
Nebraska Personal Information Bill Advances After 34-0 First Round Vote
Feb05

Nebraska Personal Information Bill Advances After 34-0 First Round Vote

On January 3, 2018, Senator Adam Morfield introduced a bill that aims to improve protections for Nebraska residents whose personal information is exposed as a result of a data breach. The first round of voting has seen the bill unanimously passed by Nebraska lawmakers. The bill was introduced in the wake of the massive data breach at Equifax in 2017 that saw the personal information of more than 145 Americans – and almost 700,000 Nebraskans – compromised as a result of a cyberattack. The bill – Legislative Bill 757 – seeks to make changes to the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 to improve protections for state residents, both by helping to prevent data breaches and ensuring appropriate action is taken by the breached entity when a breach is experienced. According to Sen. Morfield, his bill “ensures that the hard-earned dollars and credit of every Nebraskan is put before crediting reporting agencies like Equifax.” Sen. Morfield has made the bill his number one priority. It...

Read More
Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss
Feb02

Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information. CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules. CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings. CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident. The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in the CVS Pharmacy’s contract with the health plan. By violating the performance standard, the CVS Pharmacy was required to pay the health plan $1.8 million. A lawsuit was filed by the CVS Pharmacy seeking...

Read More
Breach Notification Bill Passes South Dakota Senate Judiciary Committee
Jan30

Breach Notification Bill Passes South Dakota Senate Judiciary Committee

At present, South Dakota is one of two states that do not have breach notification laws (Alabama being the other), but that could soon change if proposals passed by the Senate Judiciary Committee last Tuesday are enacted by the South Dakota State Legislature. The proposed bill – SB 62 (PDF) – would amend Chapter 22-40 of the Codified Laws relating to identity crimes, and require companies maintaining computerized information about South Dakota residents to inform consumers of “unauthorized acquisition” of their personal data. If enacted, the bill stipulates residents have to be informed within sixty days of discovery of a breach unless the company and the State Attorney General´s Office determine the breach will unlikely cause harm to those whose data has been acquired without authorization. Under the proposed laws, extensions to the sixty-day limit are allowed if more time is required for law enforcement agencies to investigate the breach; and, if the breach involves more than 250 South Dakota residents, companies must notify consumer reporting agencies of the timing,...

Read More
New Bill Proposes to Amend Iowa Breach Notification Act
Jan29

New Bill Proposes to Amend Iowa Breach Notification Act

A new bill introduced by Iowa Attorney General Tom Miller will, if implemented, extend the definition of a data breach to include medical information, health insurance information and personal information that previously had to be combined with other individual identifiers before a breach was classified as a breach. Since 2014, data breaches affecting more than five hundred Iowa residents have had to be reported to the director of the consumer protection division of the office of the Iowa Attorney General. More than 120 breaches have been notified in the past four years including those at Anthem Blue Cross, Banner Health and Medical Informatics Engineering. The relatively low number of reported breaches implies that either the personal data of Iowa residents is remarkably secure, or that hacked entities are failing to notify the Attorney General´s office as required. AG Tom Miller intends to find out which by introducing an amendment to the state´s current Breach Notification Act that extends the definition of a data breach. Medical and Health Insurance Information to be Included...

Read More