The Federal Trade Commission (FTC) has proposed a $1.9 million settlement to resolve claims that Evoke Wellness, a Florida-based substance use disorder treatment clinic, engaged in deceptive business practices and deliberately misled consumers who were seeking substance use disorder treatment by pretending to be other clinics.

According to the January 2025 complaint, Evoke Wellness, LLC, Evoke Health Care Management, and their officers, Jonathan Mosley and James Hull, conducted a deceptive Google Ads campaign targeting consumers conducting online searches for substance use disorder treatment clinics. According to the FTC, the campaign used the specific names of other clinics as keywords to ensure Evoke’s ads appeared when searches were made for those clinics. The ads prominently displayed the names of the impersonated clinics, misleading consumers into calling the telephone number for Evoke’s telemarketing call center.

When the number was called, the Evoke telemarketers would explain that they had reached a centralized admissions office or an addiction treatment hotline, rather than an Evoke call center. Even when the caller maintained that they wanted to deal with the specific clinic they were trying to reach, the telemarketers continued with the deception, falsely claiming they had a relationship with that clinic.

In the complaint, the FTC alleged that the campaign ran over 2 years from 2021 through 2023 and involved at least 68,510 misleading Google search ads. The campaign is alleged to have generated at least 3,500 calls from individuals seeking treatment for substance use disorder. The FTC alleges that Evoke’s conduct violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018.

The consent order imposes a $7 million civil monetary penalty on the defendants to resolve the FTC’s claims; however, only $1.9 million is payable due to the defendants’ financial position. The consent order prohibits Evoke from impersonating other businesses and substance use disorder clinics, and engaging in deceptive advertising practices such as using competitors’ names in search engine advertisements and making misrepresentations related to their substance use disorder services. Evoke is also required to establish a compliance program that must include monitoring its call centers for misrepresentations and taking corrective action against any agent who violates the consent order.

Should Evoke be later found to have violated the terms of the consent order, the suspended portion of the civil monetary penalty will become immediately payable. The proposed consent order was filed in the U.S. District Court for the Southern District of Florida and now awaits approval from the District Court Judge. “Opioids have ravaged American communities, killing well over one hundred Americans per day and ruining the lives of countless others,” said FTC Chairman Andrew N. Ferguson. “Today’s settlement helps consumers affected by opioid addiction navigate their path to recovery by preventing fraudsters from leading them astray.”

The post FTC Imposes $1.9 Million Penalty on Evoke Wellness for Deceptive Marketing Campaign appeared first on The HIPAA Journal.

Companion bills have recently been introduced in the House of Representatives and the Senate that seek to make violent attacks on employees of hospitals and healthcare organizations a federal crime. Data released by the U.S. Bureau of Labor Statistics in 2018 revealed that healthcare workers are five times more likely to experience violence in the workplace than workers in other industries. In 2018, healthcare workers accounted for 73% of all nonfatal workplace injuries and illnesses due to violence, and there was an increase in violent incidents during the COVID-19 pandemic.

In January 2024, a poll conducted by the American College of Emergency Physicians revealed that 91% of respondents had either personally experienced violence in the workplace or were aware of a colleague who was a victim of violence in the past year. 40% of respondents said they knew of an attack on a healthcare worker in a trauma center that resulted in moderate to severe disability or death. Last year, the American College of Surgeons reported an increase in violence against surgeons. Jay J. Doucet, MD, MSc, FRCSC, FACS, director of the trauma division at the University of California (UC) San Diego Health, said, “We’ve had six surgeons killed in the last few years.”

While many incidents are perpetrated by patients in emergency rooms and psychiatric units, healthcare workers are also assaulted in other settings, including home health, doctor’s surgeries, maternity units, and elsewhere, and not just by patients. There have been reports of violent behavior from visitors, intimate partners, outsiders, and coworkers.

Violence in the workplace is contributing to an increase in work-related stress, burnout, and job dissatisfaction, and has led many workers to quit the profession. The risk of violence is also making recruitment more difficult. A 2024 National Nurses United Report warned that high and rising rates of workplace violence and employer failure to implement effective prevention strategies are contributing to the current staffing crisis. A 2023 survey revealed that almost half of nurses (45.5%) reported an increase in workplace violence in the past year, and six in 10 nurses reported having either changed or left their job or profession or considered doing so due to workplace violence.

The increase in violence against healthcare workers has prompted bipartisan legislation to make attacks on healthcare workers a federal crime. The bipartisan Save Healthcare Workers Act was introduced last month in the Senate (S.1600) by Sens. Cindy Hyde-Smith (R-MI) and Angus King (I-ME), and the companion House bill (H.R. 3178) by Reps. Mariannette Miller-Meeks (R-IA) and Madeleine Dean (D-PA).  The proposed legislation would give healthcare workers similar protections as workers in the airline industry.

There have been previous attempts to introduce similar legislation, such as the Safety from Violence for Healthcare Employees (SAVE) Act in 2023, but none have been successful. While around thirty states have introduced laws that make attacks on healthcare workers a felony, federal legislation is required to discourage attacks and ensure the perpetrators face appropriate justice.

“State and local authorities are now and will continue to be responsible for prosecuting the overwhelming majority of violent crimes in the United States, including assault and intimidation against hospital employees,” according to the bill. “These authorities can address the problem of assault and intimidation against hospital employees more effectively with greater Federal law enforcement involvement… existing Federal law is inadequate to address the problem.”

The legislation calls for federal prison sentences of up to 10 years for attacks on healthcare workers, and enhanced penalties for acts of violence against healthcare workers involving a deadly or dangerous weapon or inflicting bodily injury. Those more serious attacks, as well as violent acts committed during emergency declarations, would be punishable with a jail term of up to 20 years. The legislation has exemptions from prosecution for individuals with intellectual or physical disabilities.

“I believe the federal government can help deter violence and keep our healthcare workers safe by establishing stronger penalties for those who assault hospital employees,” Hyde-Smith said. “Our legislation will protect these workers and, importantly, the people who rely on their care.”

The post Legislation Introduced to Make Violence Against Healthcare Workers a Federal Crime appeared first on The HIPAA Journal.

There have been a further two appointments to leadership positions at the U.S. Department of Health and Human Services (HHS). Robert F. Kennedy, Jr., has sworn in Jim O’Neill as Deputy HHS Secretary, and Thomas Keane, MD, MBA, has been named as the new Assistant Secretary for Technology Policy/National Coordinator for Health Information Technology. Last week, the HHS appointed Paula M Stannard as the new Director of the HHS’ Office for Civil Rights (OCR).

Jim O’Neill, Deputy Secretary, Department of Health and Human Services.

Jim O’Neill is a HHS veteran, having served in the department for almost six years between 2002 and 2008, first as Director of the Speech and Editorial Division, then Associate Deputy Secretary and Senior Advisor to the Deputy Secretary, and as Principal Associate Deputy Secretary between 2007 and 2008. In the latter role, O’Neill led reforms at the U.S. Food and Drug Administration (FDA) to overhaul food safety regulations and implemented the FDA Amendments Act to improve the safety of drugs and medical devices.

After leaving the HHS, O’Neill oversaw the development of tools and techniques for enhancing background checks as a member of the Suitability and Security Clearance Performance Accountability Council, served as Managing Director at the global macro hedge fund Clarium Captial Management, Acting CEO of the Thiel Foundation supporting nonprofits promoting technology and freedom, and co-founded the Thiel Fellowship, which has helped many young entrepreneurs found science and tech firms.

O’Neill has also served on the Board of Directors at Advantage Therapeutics Inc., as Board Observer at Oisin Biotechnologies, and was on the Board of Directors at the SENS Research Foundation, where as CEO he led efforts to research and develop regenerative medicine solutions for age-related diseases such as Alzheimer’s, heart disease, and cancer.

“Jim O’Neill’s extensive experience in Silicon Valley and government makes him ideally suited to transition HHS into a technological innovation powerhouse. He will help us harness cutting-edge AI, telemedicine, and other breakthrough technologies to deliver the highest quality medical care for Americans,” said Secretary Kennedy. “As my deputy, he will lead innovation and help us reimagine how we serve the public. Together, we will promote outcome-centric medical care, champion radical transparency, uphold gold-standard science, and empower Americans to take charge of their own health.”

“I am deeply honored to return to HHS,” said Deputy Secretary O’Neill. “All Americans deserve to be healthy, happy, and prosperous, and President Trump and Secretary Kennedy have the right vision and leadership to get us there.”

Thomas Keane, MD. Assistant Secretary for Technology Policy/National Coordinator for Health Information Technology.

Thomas Keane, MD, MBA, has also rejoined the HHS, becoming the second Assistant Secretary for Technology Policy and the ninth National Coordinator for Health Information Technology (ASTP/ONC). Dr. Keane, a physician, engineer, and interventionalist radiologist, previously served at the HHS as Senior Advisor to the Deputy Secretary of Health and Human Services.

Keane was an administrator of the COVID-19 Provider Relief Fund and led the development of the AHRQ National Nursing Home COVID Action Network, which helped improve infection control and safety practices in nursing facilities. Dr. Keane has also served as CEO of Radiology Associates of Southeastern Ohio, an interventional radiology fellow at Johns Hopkins Hospital, and a radiology resident at New York Presbyterian Hospital. In the new role, DR. Keane will play a key role in shaping the future of Health IT and the HHS technology strategy.

The post Trump Administration Appoints Deputy HHS Secretary & National Coordinator for Health IT appeared first on The HIPAA Journal.

The Michigan House of Representatives has passed a bill (HB 4242) that seeks to protect the sensitive health data of state residents from foreign entities of concern by requiring electronic medical records to be stored in the United States or Canada.

If signed into law, Michigan residents will have peace of mind that their sensitive healthcare data will be protected from all foreign entities of concern on the federal watch list, namely The People’s Republic of China, the Russian Federation, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, the Republic of Cuba, the Venezuelan regime of Nicolas Maduro, and the Syrian Arab Republic.

The bill was introduced by Rep. Jamie Thompson (R) and requires licensees that use off-site physical or virtual environments for electronic medical records to ensure that the physical or virtual environment is physically maintained in a U.S. state or Canadian province, including if the medical records are maintained by a third-party medical records company.  If passed, healthcare regulatory compliance fines of up to $10,000 can be imposed if the failure was due to gross negligence or willful and wanton misconduct.

“Ensuring our health care record technology is physically maintained in the US or Canada, as my bill does, is a needed step Michigan should take to protect the personal and private health information of people we all represent,” explained Thompson. “Our adversaries abroad frequently try to compromise our national security and access information within our country. We should be updating our laws to reflect this reality and installing commonsense safeguards to protect residents.”

Under federal HIPAA law, healthcare providers are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information; however, HIPAA does not require medical records to be maintained in the United States or Canada.

In 2023 and 2024, more than 700 large healthcare data breaches were reported to the HHS’ Office for Civil Rights, with large data breaches reported at a rate of more than two per day. “If these breaches come from a foreign adversary of the United States, the fallout could be profound,” Rep. Thompson said. “In addition, the lack of trust resulting from a privacy breach can cause patients to potentially withhold serious information that may help get them needed care. As a licensed practical nurse, I find this element very concerning as well.”

Several other bills have been introduced with requirements to protect data from foreign influence (House Bills 4233-35 and 4238-42). They include provisions that prevent foreign entities of concern from collecting sensitive information by blocking prohibited apps on government devices; prevent public bodies from entering into constraining agreements with foreign entities of concern; ensure public economic incentives are not awarded to foreign entities of concern; and prevent entities of concern from purchasing land and surveilling military bases and other critical infrastructure. The bills will now be considered by the Senate.

The post Michigan House Passes Bill Requiring Medical Records to be Stored Domestically appeared first on The HIPAA Journal.

The New York multi-site medical practice, Albany ENT & Allergy Services, has agreed to pay a $500,000 financial penalty to the state of New York and will invest $2.25 million to strengthen its information security practices after suffering two ransomware attacks that saw threat actors gain access to the medical records of more than 213,000 New York patients. Under the agreement, a further $500,000 in penalties must be paid if Albany ENT & Allergy Services fails to invest the required $2.25 million in upgrades and maintenance of its information security program over the next 5 years.

An investigation was launched by the Office of the New York Attorney General (OAG) following an intrusion of Albany ENT & Allergy Services’ network by two different threat actors between March 23, 2023, and April 4, 2023. The first intrusion involved ransomware and was discovered on March 27, 2023, when files were encrypted. Systems and data were restored by the healthcare provider’s IT vendor; however, the source of the intrusion was not identified before the restoration of external network access.

A different threat actor conducted a second ransomware attack 10 days later on April 2, 2023. A digital forensics firm was engaged to conduct a thorough investigation and remediate any vulnerabilities before the restoration process began. The compromised systems contained the records of 213. 935 patients, including names, addresses, birth dates, driver’s license numbers, Social Security numbers, diagnoses, test results, and treatment information.  Both threat actors provided evidence of data exfiltration when attempting to extort Albany ENT & Allergy Services; however, ransoms were not paid. The file review was completed in May 2023 and the affected individuals were notified and offered complimentary credit monitoring services.

The failure to identify the initial access vector was due to insufficient server logs. While server logs were created, they were not retained for a reasonable period, and there were no security programs in place to monitor and analyze server traffic. The company that conducted the forensic investigation after the second attack concluded that the initial access vector was likely the exploitation of an unpatched vulnerability in a Cisco VPN firewall.

The OAG investigation revealed the breach involved the protected health information of around 80,000 individuals more than the 120,000 individuals stated in the initial breach report. The additional affected individuals had their driver’s license numbers posted online by the threat actors when the ransom was not paid. OAG also determined that the threat actors gained access to six devices that hosted unencrypted personal information and some of those devices continued to store unencrypted personal information for months after the ransomware attacks. While an encryption policy had been implemented for laptop computers, it did not apply to personal information stored on other systems. Multi-factor authentication (MFA) had been implemented, but not consistently, with some remote access systems not protected by MFA.

Albany ENT & Allergy Services did not have an in-house information technology team and outsourced those functions to two third-party vendors. Outsourcing IT functions is acceptable under state law; however, a single Albany ENT & Allergy Services employee was responsible for liaising with those vendors and ensuring appropriate policies and procedures were followed and recommended practices were implemented. That employee did not have any IT or InfoSec experience or training. The lack of effective oversight meant critical security updates were not implemented in a timely manner, logs of activity in information systems were not retained for sufficiently long, MFA was not consistently implemented, and a reasonable information security program was not maintained. The security failures were determined to violate New York Business and Executive Law.

Under the agreement, Albany ENT & Allergy Services is required to implement a range of security measures including establishing a comprehensive information security program and ensuring effective oversight of its information security vendors. “Health care facilities need to take protecting patients’ private information seriously, and that means investing to protect data and responding quickly if breaches occur. Today’s agreement with AENT will strengthen its cybersecurity and protect the private information of New Yorkers who rely on this Capital Region medical provider,” said Attorney General Letitia James. “I urge all health care facilities and general companies to follow guidance from my office on how to have more secure systems to protect New Yorkers’ data.”

The post Albany ENT & Allergy Services Pays $500K Penalty and Commits to $2.25M Cybersecurity Investment appeared first on The HIPAA Journal.

In April, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rulemaking (NPRM) introducing new requirements for critical infrastructure entities to report certain cybersecurity incidents. CISA sought comment from the public, and several healthcare stakeholders have provided feedback on the proposed rule.

Background

The proposed rule requires critical infrastructure entities to report cybersecurity incidents to CISA within 72 hours of detecting a cybersecurity incident and within 24 hours of making a ransomware payment. The types of covered incidents include:

• Unauthorized system access
• Denial of Service (DOS) attacks with a duration of more than 12 hours
• Malicious code on systems, including variants if known
• Targeted and repeated scans against services on systems
• Repeated attempts to gain unauthorized access to systems
• Email or mobile messages associated with phishing attempts or successes
• Ransomware attacks against critical infrastructure, including the variant and ransom details if known

The types of information that must be submitted to CISA include:

• Incident date and time
• Incident location
• Type of observed activity
• Detailed narrative of the event
• Number of people or systems affected
• Company/Organization name
• Point of Contact details
• Severity of event
• Critical infrastructure sector
• Anyone else who has been informed

CISA will share the information with federal and non-federal partners to improve detection and the minimization of the harmful impacts on critical infrastructure entities, accelerate mitigation of exploited vulnerabilities, and allow software developers and vendors to develop more secure products. The information will also be shared with law enforcement to help with the investigation, identification, capture, and prosecution of the perpetrators of cybercrime.

Healthcare Industry Groups Give Feedback to CISA

The Workgroup for Electronic Data Interchange (WEDI) and the Medical Group Management Association (MGMA) have called for CISA to align the reporting time frame with the HHS’ Office for Civil Rights, as having to submit reports to multiple agencies will place a considerable administrative burden on healthcare organizations. MGMA believes the new reporting requirements will be overly burdensome for medical groups, and the duplicative reporting requirements may affect the ability of those groups to operate effectively, especially when dealing with a cyberattack.

MGMA explained that under HIPAA, covered entities must report cybersecurity incidents to the HHS’ Office for Civil Rights within 60 days for HIPAA compliance. Rather than layering different reporting requirements on each other, MGMA suggests that CISA should work closely with the HHS to seamlessly incorporate data that must reported under HIPAA. This will promote collaboration and prevent covered entities from reporting the same incident multiple times in different formats. MGMA said the sized-based criteria for reporting means small medical groups will not have the burden of reporting incidents but using the SBA definition means that many small physician offices will be impacted, even practices with annual revenues as low as $9 million.

The short timeframe for reporting incidents was criticized by WEDI, which said it could take longer than 72 hours to gather all the necessary information for the initial report. WEDI has called for CISA to be flexible with the reporting timeframe, such as allowing the initial report to be submitted with as much information as it has been possible to gather within 72 hours and allowing additional information to be submitted after that deadline as it becomes available. WEDI also proposes a carve-out for certain ransomware attacks. WEDI has requested that CISA not consider an attack to be a data breach if no protected health information has been accessed, provided the entity has made a good faith effort to deploy a recognized security program and has implemented security policies and procedures.

CHIME/AEHIS Members Express Concern

The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) have urged CISA to consider that the core mission of healthcare is patient safety and not to implement regulatory requirements that could jeopardize that mission.

One concern from their members is the reporting requirements under HIPAA, which require security breaches to be reported to OCR within 60 days of the discovery of a data breach. They are concerned that the clock would start ticking for reporting under HIPAA on the date of submission of the incident report to CISA, and that could create considerable additional burdens for HIPAA-regulated entities. CHIME and AEHIS have asked CISA to clarify the reporting requirements for managed service providers and other third-party service providers that provide products or services to HIPAA-covered entities, requesting that the service provider be considered the covered entity for reporting under CIRCIA.

After the initial incident report, critical infrastructure entities are required to submit supplemental reports following a significant cybersecurity incident, with those supplemental reports submitted without delay or as soon as possible. There is concern that with the threat of enforcement, HIPAA-covered entities may feel compelled to prioritize reporting of incidents over patient safety. CHIME/AEHIS have requested that the supplemental reports be submitted every 72 hours at a minimum or every 5 days, and for those reports to only be required if substantial new or different information becomes available.

CHIME/AEHIS point out that the definition of larger hospitals – those with 100 or more beds – is inadequate and that a more nuanced approach is required with other factors considered other than bed count, and not require reporting of incidents by critical access hospitals (CAHs), which are already under considerable financial strain. Making CAHs report incidents could increase the financial strain on the hospitals, leading to more closures and reduced access to healthcare for patients.

CHIME/AEHIS have received feedback from their members about the level of detail required by CISA about the security architecture of breached entities. “If CISA requires hospitals and healthcare systems to define their entire security architecture, that is a tremendous amount of information to include in a report,” explained the industry groups. “Our members do not believe that CISA needs to know an entire description of an organization’s security program – as it is not helpful to fulfill the purpose of CIRCIA, is potentially considered intellectual property (IP), and/or sensitive for the organization.”

The post Industry Groups Give Feedback on CISA’s Proposed Cybersecurity Reporting Requirements appeared first on The HIPAA Journal.

On April 22, 2024, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) released Version 2.0 of the Trusted Exchange Framework and Common Agreement (TEFCA).

TEFCA establishes the technical infrastructure model and governing approach for different health information networks and their users and allows them to share clinical information with each other. The ONC requires health information networks that participate in TEFCA to begin implementing the new version and support the Health Level Seven Fast Healthcare Interoperability Resources standard. ONC has also published Participant and Subparticipant Terms of Participation, which details the requirements for Participants and Subparticipants, compliance with which is required for participation in TEFCA. Version 2.0 of the Common Agreement will make it easier for participating health information networks to share data with each other and will also make it easier for patients to access their health data through digital health apps.

“We have long intended for TEFCA to have the capacity to enable FHIR API exchange. This is in direct response to the health IT industry’s move toward standardized APIs with modern privacy and security safeguards, and allows TEFCA to keep pace with the advanced, secure data services approaches used by the tech industry,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “I want to commend the effort put forth by the TEFCA and FHIR communities to help get us there with the release of CA v2.0.”

The post ONC Releases Common Agreement Version 2.0 appeared first on HIPAA Journal.

New York Attorney General, Letitia James, has announced a settlement with New York’s largest health network, Northwell Health, to resolve allegations it deceptively advertised its emergency departments as COVID-19 testing sites during the COVID-19 public health emergency. Northwell Health claimed in advertisements that three emergency departments in New York City and Long Island were COVID-19 testing sites; however, when patients visited to be tested they were billed for emergency room visits.

The Office of the Attorney General (OAG) investigated Northwell Health after complaints were received from patients who claimed they had been overcharged for testing. OAG investigated and found that Lenox Hill Hospital, Lenox Health Greenwich, and Huntington Hospital had signs advertising their emergency departments as COVID-19 testing sites between March 2020 and March 2021. Hundreds of patients visited the emergency departments solely to be tested for COVID-19 but were billed standard emergency department charges. In the case of Huntington Hospital, even patients who used the drive-in testing facility were charged for emergency room visits. OAG determined that Northwell Health collected $81,761.46 in out-of-pocket payments from 559 New Yorkers for COVID-19 tests and related services, and patients visiting the emergency department for other reasons were also charged for COVID-19 tests.

OAG found that the actions of Northwell Health violated New York Executive Law § 63(12) and General Business Law §§ 349 and 350. Under the terms of the settlement, Northwell Health has issued more than $400,000 in refunds to 2,048 patients and will pay a civil monetary penalty of $650,000 to the state. “During a time of great stress at the height of the pandemic, Northwell Health caused more worry and frustration for New Yorkers who were sent emergency room bills for simply taking a COVID-19 test,” said Attorney General James. “Today we are putting money back in New Yorkers’ pockets after Northwell Health misled them. New York patients should not get surprise fees, and I encourage anyone who thinks they’ve been taken advantage of through deceptive advertising to file a complaint with my office.”

The post NY Attorney General Finds Northwell Health Deceptively Advertised COVID-19 Testing Sites appeared first on HIPAA Journal.