Healthcare Compliance News

Jury Rules Meta Violated California Privacy Law by Collecting Flo App Users’ Sensitive Data

Users of the Flo Period & Ovulation Tracker app (Flo App) who sued Facebook (Meta) and others over the alleged collection and interception of their sensitive data without consent have won a landmark victory after a jury ruled in their favor and found that Meta had violated the California Invasion of Privacy Act.

The Flo App, developed and owned by Flo Health, is one of the most popular health and wellness apps. According to Flo Health, the app is the #1 mobile product for women’s health. At the time the lawsuit was filed, the app had been downloaded more than 180 million times and had over 38 million active monthly users. When individuals download the Flo App, they are asked to enter personal data and answer a series of personal questions about their sexual health, gynecological health, general health and well-being, and menstruation cycles. As they continue to use the app, they are asked to provide further sensitive information, including when they have their period, if they have had sex, whether they masturbated, any health symptoms, and their mood. Flo Health uses the information provided to predict their likely ovulation date and offers tailored health and wellness advice.

Flo Health provided repeated assurances that the information provided would remain private and confidential and would not be shared with any third parties, unless the user provided explicit consent; however, that was not the case, as sensitive data was shared with third parties via software development kits (SDKs) incorporated into the Flo App.

Several class action lawsuits were filed against Flo Health, Facebook, Google, AppsFlyer, and Flurry in response to the data disclosures. The lawsuits were consolidated in 2021 as Frasco v. Flo Health in the U.S. District Court for the Northern District of California. The plaintiffs alleged that “Flo Health knowingly collected, transmitted, and disclosed Plaintiffs’ and Class members’ intimate health data to third parties, including the non-Flo defendants,” through SDKs incorporated into the app. Data was shared with third parties such as Facebook and could be used to assist with targeted advertising.

Flo Health was also alleged to have incorporated the non-Flo defendants’ SDKs into the app and transmitted sensitive information to those companies. According to the lawsuit, “the Non-Flo Defendants, including two of the largest digital advertisers in the world, incorporated this information into their existing data analytics and research segments to compile profiles and target users for advertisements,” which the plaintiffs allege occurred without their knowledge or consent.

The lawsuit asserted fourteen claims for relief against Flo Health, the Flo defendants, and the non-Flo defendants. Google and Flurry previously chose to settle with the plaintiffs, and Flo Health followed suit last Thursday, settling for an undisclosed sum. Meta chose not to settle, and the trial proceeded to a jury verdict. The jury was asked to answer three questions, unanimously answering yes to the first two and no to the last.

  • Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that Meta intentionally eavesdropped on and/or recorded their conversation by using an electronic device?
  • Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that they had a reasonable expectation that the conversation was not being overheard and/or recorded?
  • Did Meta have the consent of all parties to the conversation to eavesdrop on and/or record it?

The verdict could help to rein in tech firms’ collection of sensitive user data for use in targeted advertising. “Companies like Meta that covertly profit from users’ most intimate information must be held accountable,” explained the plaintiffs’ lawyers in a statement about the verdict. “Today’s outcome reinforces the fundamental right to privacy — especially when it comes to sensitive health data.”

Meta vigorously disagrees with the outcome of the trial, is exploring all legal options, and is likely to appeal. “The plaintiffs’ claims against Meta are simply false,” according to a statement from Meta. “User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.” Meta maintains that any transmission of sensitive health data is due to a failure to comply with its terms of use.

Hundreds of class action lawsuits have been filed over the use of tracking tools on websites and health apps, and there has been a flurry of settlements in recent weeks. It is rare for these lawsuits to proceed to trial due to the risk of verdicts such as this, with most defendants opting to limit their financial exposure by settling the litigation. Many of those lawsuits have yet to be resolved, including several complaints against Meta.

The post Jury Rules Meta Violated California Privacy Law by Collecting Flo App Users’ Sensitive Data appeared first on The HIPAA Journal.

New Data Breach Notification Requirements in Oklahoma

Oklahoma has enacted a bill that amends its data breach notification statute. The definition of personal information warranting notifications has been broadened, and the state Attorney General must be notified about any breach of the personal information of 500 or more state residents, or 1,000 or more residents for a breach of credit bureau systems.

Individual notifications must be issued without unreasonable delay, and the state Attorney General must be notified within 60 days of individual notifications being mailed. The Attorney General must be informed of the date of the breach, the date it was determined that a data breach had occurred, the nature of the breach, the type(s) of information exposed or stolen, the number of state residents affected, any reasonable safeguards that the entity has implemented, and the estimated monetary impact of the breach, if it can be determined.

Entities that are compliant with the Health Insurance Portability and Accountability Act (HIPAA), the Oklahoma Hospital Cybersecurity Protection Act, and/or the Gramm-Leach-Bliley Act (GLBA) will be deemed compliant with the new data breach notification requirements, provided that they notify the state Attorney General about any breach of personal information within 60 days of issuing individual notifications.

Notifications are required when there has been a breach of unencrypted computerized personal information, which is an individual’s first name or first initial and last name in combination with one or more of the following: Social Security number, driver’s license number, other unique identification number created or collected by a government entity, financial information (financial account or debit/credit card number when combined with an expiration date, security code, access code, or password that would permit access).

The update adds the following data elements to that list:

  • Unique electronic identifier or routing code plus a required security code, access code, or password that permits access to a financial account.
  • Unique biometric data (e.g., fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual).

If the cost of notification exceeds $50,000, or if sufficient contact information is not held to allow notifications to be issued, then a substitute notice is acceptable, which can be an email notice (if email addresses are held), a conspicuous posting on the breached entity’s website (if a website is owned), and a notice to statewide media. Two of those three options are required to meet the substitute notice requirements.

Entities will be shielded from civil monetary penalties, which are up to $150,000 per breach, if they employ “reasonable safeguards” and issue breach notifications. Reasonable safeguards are defined as “policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information.” These can include risk assessments, technical and physical layered defenses, employee training on secure data handling, and having an incident response plan. The new law, as implemented by Senate Bill 626, will take effect on January 1, 2026.


FTC Imposes $1.9 Million Penalty on Evoke Wellness for Deceptive Marketing Campaign

The Federal Trade Commission (FTC) has proposed a $1.9 million settlement to resolve claims that Evoke Wellness, a Florida-based substance use disorder treatment clinic, engaged in deceptive business practices and deliberately misled consumers who were seeking substance use disorder treatment by pretending to be other clinics.

According to the January 2025 complaint, Evoke Wellness, LLC, Evoke Health Care Management, and their officers, Jonathan Mosley and James Hull, conducted a deceptive Google Ads campaign targeting consumers conducting online searches for substance use disorder treatment clinics. According to the FTC, the campaign used the specific names of other clinics as keywords to ensure Evoke’s ads appeared when searches were made for those clinics. The ads prominently displayed the names of the impersonated clinics, misleading consumers into calling the telephone number for Evoke’s telemarketing call center.

When the number was called, the Evoke telemarketers would explain that they had reached a centralized admissions office or an addiction treatment hotline, rather than an Evoke call center. Even when the caller maintained that they wanted to deal with the specific clinic they were trying to reach, the telemarketers continued with the deception, falsely claiming they had a relationship with that clinic.

In the complaint, the FTC alleged that the campaign ran over 2 years from 2021 through 2023 and involved at least 68,510 misleading Google search ads. The campaign is alleged to have generated at least 3,500 calls from individuals seeking treatment for substance use disorder. The FTC alleges that Evoke’s conduct violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018.

The consent order imposes a $7 million civil monetary penalty on the defendants to resolve the FTC’s claims; however, only $1.9 million is payable due to the defendants’ financial position. The consent order prohibits Evoke from impersonating other businesses and substance use disorder clinics, and engaging in deceptive advertising practices such as using competitors’ names in search engine advertisements and making misrepresentations related to their substance use disorder services. Evoke is also required to establish a compliance program that must include monitoring its call centers for misrepresentations and taking corrective action against any agent who violates the consent order.

Should Evoke be later found to have violated the terms of the consent order, the suspended portion of the civil monetary penalty will become immediately payable. The proposed consent order was filed in the U.S. District Court for the Southern District of Florida and now awaits approval from the District Court Judge. “Opioids have ravaged American communities, killing well over one hundred Americans per day and ruining the lives of countless others,” said FTC Chairman Andrew N. Ferguson. “Today’s settlement helps consumers affected by opioid addiction navigate their path to recovery by preventing fraudsters from leading them astray.”


Legislation Introduced to Make Violence Against Healthcare Workers a Federal Crime

Companion bills have recently been introduced in the House of Representatives and the Senate that seek to make violent attacks on employees of hospitals and healthcare organizations a federal crime. Data released by the U.S. Bureau of Labor Statistics in 2018 revealed that healthcare workers are five times more likely to experience violence in the workplace than workers in other industries. In 2018, healthcare workers accounted for 73% of all nonfatal workplace injuries and illnesses due to violence, and there was an increase in violent incidents during the COVID-19 pandemic.

In January 2024, a poll conducted by the American College of Emergency Physicians revealed that 91% of respondents had either personally experienced violence in the workplace or were aware of a colleague who was a victim of violence in the past year. 40% of respondents said they knew of an attack on a healthcare worker in a trauma center that resulted in moderate to severe disability or death. Last year, the American College of Surgeons reported an increase in violence against surgeons. Jay J. Doucet, MD, MSc, FRCSC, FACS, director of the trauma division at the University of California (UC) San Diego Health, said, “We’ve had six surgeons killed in the last few years.”

While many incidents are perpetrated by patients in emergency rooms and psychiatric units, healthcare workers are also assaulted in other settings, including home health, doctor’s surgeries, maternity units, and elsewhere, and not just by patients. There have been reports of violent behavior from visitors, intimate partners, outsiders, and coworkers.

Violence in the workplace is contributing to an increase in work-related stress, burnout, and job dissatisfaction, and has led many workers to quit the profession. The risk of violence is also making recruitment more difficult. A 2024 National Nurses United Report warned that high and rising rates of workplace violence and employer failure to implement effective prevention strategies are contributing to the current staffing crisis. A 2023 survey revealed that almost half of nurses (45.5%) reported an increase in workplace violence in the past year, and six in 10 nurses reported having either changed or left their job or profession or considered doing so due to workplace violence.

The increase in violence against healthcare workers has prompted bipartisan legislation to make attacks on healthcare workers a federal crime. The bipartisan Save Healthcare Workers Act was introduced last month in the Senate (S.1600) by Sens. Cindy Hyde-Smith (R-MS) and Angus King (I-ME), and the companion House bill (H.R. 3178) by Reps. Mariannette Miller-Meeks (R-IA) and Madeleine Dean (D-PA). The proposed legislation would give healthcare workers protections similar to those afforded to workers in the airline industry.

There have been previous attempts to introduce similar legislation, such as the Safety from Violence for Healthcare Employees (SAVE) Act in 2023, but none have been successful. While around thirty states have introduced laws that make attacks on healthcare workers a felony, federal legislation is required to discourage attacks and ensure the perpetrators face appropriate justice.

“State and local authorities are now and will continue to be responsible for prosecuting the overwhelming majority of violent crimes in the United States, including assault and intimidation against hospital employees,” according to the bill. “These authorities can address the problem of assault and intimidation against hospital employees more effectively with greater Federal law enforcement involvement… existing Federal law is inadequate to address the problem.”

The legislation calls for federal prison sentences of up to 10 years for attacks on healthcare workers, and enhanced penalties for acts of violence against healthcare workers involving a deadly or dangerous weapon or inflicting bodily injury. Those more serious attacks, as well as violent acts committed during emergency declarations, would be punishable with a jail term of up to 20 years. The legislation has exemptions from prosecution for individuals with intellectual or physical disabilities.

“I believe the federal government can help deter violence and keep our healthcare workers safe by establishing stronger penalties for those who assault hospital employees,” Hyde-Smith said. “Our legislation will protect these workers and, importantly, the people who rely on their care.”


Trump Administration Appoints Deputy HHS Secretary & National Coordinator for Health IT

There have been a further two appointments to leadership positions at the U.S. Department of Health and Human Services (HHS). Robert F. Kennedy, Jr., has sworn in Jim O’Neill as Deputy HHS Secretary, and Thomas Keane, MD, MBA, has been named as the new Assistant Secretary for Technology Policy/National Coordinator for Health Information Technology. Last week, the HHS appointed Paula M. Stannard as the new Director of the HHS’ Office for Civil Rights (OCR).

Jim O’Neill, Deputy Secretary, Department of Health and Human Services.

Jim O’Neill is an HHS veteran, having served in the department for almost six years between 2002 and 2008, first as Director of the Speech and Editorial Division, then as Associate Deputy Secretary and Senior Advisor to the Deputy Secretary, and as Principal Associate Deputy Secretary between 2007 and 2008. In the latter role, O’Neill led reforms at the U.S. Food and Drug Administration (FDA) to overhaul food safety regulations and implemented the FDA Amendments Act to improve the safety of drugs and medical devices.

After leaving the HHS, O’Neill oversaw the development of tools and techniques for enhancing background checks as a member of the Suitability and Security Clearance Performance Accountability Council, served as Managing Director at the global macro hedge fund Clarium Capital Management and as Acting CEO of the Thiel Foundation, which supports nonprofits promoting technology and freedom, and co-founded the Thiel Fellowship, which has helped many young entrepreneurs found science and tech firms.

O’Neill has also served on the Board of Directors at Advantage Therapeutics Inc., as Board Observer at Oisin Biotechnologies, and on the Board of Directors at the SENS Research Foundation, where, as CEO, he led efforts to research and develop regenerative medicine solutions for age-related diseases such as Alzheimer’s, heart disease, and cancer.

“Jim O’Neill’s extensive experience in Silicon Valley and government makes him ideally suited to transition HHS into a technological innovation powerhouse. He will help us harness cutting-edge AI, telemedicine, and other breakthrough technologies to deliver the highest quality medical care for Americans,” said Secretary Kennedy. “As my deputy, he will lead innovation and help us reimagine how we serve the public. Together, we will promote outcome-centric medical care, champion radical transparency, uphold gold-standard science, and empower Americans to take charge of their own health.”

“I am deeply honored to return to HHS,” said Deputy Secretary O’Neill. “All Americans deserve to be healthy, happy, and prosperous, and President Trump and Secretary Kennedy have the right vision and leadership to get us there.”

Thomas Keane, MD, Assistant Secretary for Technology Policy/National Coordinator for Health Information Technology.

Thomas Keane, MD, MBA, has also rejoined the HHS, becoming the second Assistant Secretary for Technology Policy and the ninth National Coordinator for Health Information Technology (ASTP/ONC). Dr. Keane, a physician, engineer, and interventional radiologist, previously served at the HHS as Senior Advisor to the Deputy Secretary of Health and Human Services.

Keane was an administrator of the COVID-19 Provider Relief Fund and led the development of the AHRQ National Nursing Home COVID Action Network, which helped improve infection control and safety practices in nursing facilities. Dr. Keane has also served as CEO of Radiology Associates of Southeastern Ohio, an interventional radiology fellow at Johns Hopkins Hospital, and a radiology resident at New York Presbyterian Hospital. In the new role, Dr. Keane will play a key part in shaping the future of health IT and the HHS technology strategy.


Michigan House Passes Bill Requiring Medical Records to be Stored Domestically

The Michigan House of Representatives has passed a bill (HB 4242) that seeks to protect the sensitive health data of state residents from foreign entities of concern by requiring electronic medical records to be stored in the United States or Canada.

If signed into law, Michigan residents will have peace of mind that their sensitive healthcare data will be protected from all foreign entities of concern on the federal watch list, namely The People’s Republic of China, the Russian Federation, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, the Republic of Cuba, the Venezuelan regime of Nicolas Maduro, and the Syrian Arab Republic.

The bill was introduced by Rep. Jamie Thompson (R) and requires licensees that use off-site physical or virtual environments for electronic medical records to ensure that the environment is physically maintained in a U.S. state or Canadian province, including when the records are maintained by a third-party medical records company. If enacted, fines of up to $10,000 could be imposed where a failure to comply was due to gross negligence or willful and wanton misconduct.

“Ensuring our health care record technology is physically maintained in the US or Canada, as my bill does, is a needed step Michigan should take to protect the personal and private health information of people we all represent,” explained Thompson. “Our adversaries abroad frequently try to compromise our national security and access information within our country. We should be updating our laws to reflect this reality and installing commonsense safeguards to protect residents.”

Under federal HIPAA law, healthcare providers are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information; however, HIPAA does not require medical records to be maintained in the United States or Canada.

In 2023 and 2024, more than 700 large healthcare data breaches were reported to the HHS’ Office for Civil Rights, with large data breaches reported at a rate of more than two per day. “If these breaches come from a foreign adversary of the United States, the fallout could be profound,” Rep. Thompson said. “In addition, the lack of trust resulting from a privacy breach can cause patients to potentially withhold serious information that may help get them needed care. As a licensed practical nurse, I find this element very concerning as well.”

Several other bills have been introduced with requirements to protect data from foreign influence (House Bills 4233-35 and 4238-42). They include provisions that prevent foreign entities of concern from collecting sensitive information by blocking prohibited apps on government devices; prevent public bodies from entering into constraining agreements with foreign entities of concern; ensure public economic incentives are not awarded to foreign entities of concern; and prevent entities of concern from purchasing land and surveilling military bases and other critical infrastructure. The bills will now be considered by the Senate.


Albany ENT & Allergy Services Pays $500K Penalty and Commits to $2.25M Cybersecurity Investment

The New York multi-site medical practice, Albany ENT & Allergy Services, has agreed to pay a $500,000 financial penalty to the state of New York and will invest $2.25 million to strengthen its information security practices after suffering two ransomware attacks that saw threat actors gain access to the medical records of more than 213,000 New York patients. Under the agreement, a further $500,000 in penalties must be paid if Albany ENT & Allergy Services fails to invest the required $2.25 million in upgrades and maintenance of its information security program over the next 5 years.

An investigation was launched by the Office of the New York Attorney General (OAG) following an intrusion of Albany ENT & Allergy Services’ network by two different threat actors between March 23, 2023, and April 4, 2023. The first intrusion involved ransomware and was discovered on March 27, 2023, when files were encrypted. Systems and data were restored by the healthcare provider’s IT vendor; however, the source of the intrusion was not identified before the restoration of external network access.

A different threat actor conducted a second ransomware attack 10 days later, on April 2, 2023. This time, a digital forensics firm was engaged to conduct a thorough investigation and remediate vulnerabilities before restoration began. The compromised systems contained the records of 213,935 patients, including names, addresses, birth dates, driver’s license numbers, Social Security numbers, diagnoses, test results, and treatment information. Both threat actors provided evidence of data exfiltration when attempting to extort Albany ENT & Allergy Services; no ransom was paid. The file review was completed in May 2023, and the affected individuals were notified and offered complimentary credit monitoring services.

The initial access vector could not be identified because of insufficient server logs. Logs were generated, but they were not retained for a reasonable period, and no tooling was in place to monitor and analyze server traffic. Logs that exist only on the affected hosts are routinely lost when those hosts are encrypted or rebuilt, so effective retention means forwarding them to a separate store that an intruder cannot reach. The firm that conducted the forensic investigation after the second attack concluded that the initial access vector was most likely the exploitation of an unpatched vulnerability in a Cisco VPN firewall.

The OAG investigation revealed the breach involved the protected health information of around 80,000 individuals more than the 120,000 individuals stated in the initial breach report. The additional affected individuals had their driver’s license numbers posted online by the threat actors when the ransom was not paid. OAG also determined that the threat actors gained access to six devices that hosted unencrypted personal information and some of those devices continued to store unencrypted personal information for months after the ransomware attacks. While an encryption policy had been implemented for laptop computers, it did not apply to personal information stored on other systems. Multi-factor authentication (MFA) had been implemented, but not consistently, with some remote access systems not protected by MFA.

Albany ENT & Allergy Services did not have an in-house information technology team and outsourced those functions to two third-party vendors. Outsourcing IT functions is acceptable under state law; however, a single Albany ENT & Allergy Services employee was responsible for liaising with those vendors and ensuring that appropriate policies and procedures were followed and recommended practices were implemented. That employee did not have any IT or InfoSec experience or training. The lack of effective oversight meant that critical security updates were not implemented in a timely manner, logs of activity in information systems were not retained for long enough, MFA was not consistently implemented, and a reasonable information security program was not maintained. The security failures were determined to violate New York Business and Executive Law.

Under the agreement, Albany ENT & Allergy Services is required to implement a range of security measures including establishing a comprehensive information security program and ensuring effective oversight of its information security vendors. “Health care facilities need to take protecting patients’ private information seriously, and that means investing to protect data and responding quickly if breaches occur. Today’s agreement with AENT will strengthen its cybersecurity and protect the private information of New Yorkers who rely on this Capital Region medical provider,” said Attorney General Letitia James. “I urge all health care facilities and general companies to follow guidance from my office on how to have more secure systems to protect New Yorkers’ data.”

The post Albany ENT & Allergy Services Pays $500K Penalty and Commits to $2.25M Cybersecurity Investment appeared first on The HIPAA Journal.

Industry Groups Give Feedback on CISA’s Proposed Cybersecurity Reporting Requirements

In April, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rulemaking (NPRM) introducing new requirements for critical infrastructure entities to report certain cybersecurity incidents. CISA sought comment from the public, and several healthcare stakeholders have provided feedback on the proposed rule.

Background

The proposed rule requires critical infrastructure entities to report cybersecurity incidents to CISA within 72 hours of detecting a cybersecurity incident and within 24 hours of making a ransomware payment. The types of covered incidents include:

  • Unauthorized system access
  • Denial of Service (DOS) attacks with a duration of more than 12 hours
  • Malicious code on systems, including variants if known
  • Targeted and repeated scans against services on systems
  • Repeated attempts to gain unauthorized access to systems
  • Email or mobile messages associated with phishing attempts or successes
  • Ransomware attacks against critical infrastructure, including the variant and ransom details if known

The types of information that must be submitted to CISA include:

  • Incident date and time
  • Incident location
  • Type of observed activity
  • Detailed narrative of the event
  • Number of people or systems affected
  • Company/Organization name
  • Point of Contact details
  • Severity of event
  • Critical infrastructure sector
  • Anyone else who has been informed

CISA will share the information with federal and non-federal partners to improve detection and the minimization of the harmful impacts on critical infrastructure entities, accelerate mitigation of exploited vulnerabilities, and allow software developers and vendors to develop more secure products. The information will also be shared with law enforcement to help with the investigation, identification, capture, and prosecution of the perpetrators of cybercrime.

Healthcare Industry Groups Give Feedback to CISA

The Workgroup for Electronic Data Interchange (WEDI) and the Medical Group Management Association (MGMA) have called for CISA to align its reporting time frame with that of the HHS’ Office for Civil Rights, as having to submit reports to multiple agencies will place a considerable administrative burden on healthcare organizations. MGMA believes the new reporting requirements will be overly burdensome for medical groups, and that the duplicative reporting requirements may affect the ability of those groups to operate effectively, especially when dealing with a cyberattack.

MGMA explained that under HIPAA, covered entities must report cybersecurity incidents to the HHS’ Office for Civil Rights within 60 days for HIPAA compliance. Rather than layering different reporting requirements on top of each other, MGMA suggests that CISA should work closely with the HHS to seamlessly incorporate data that must be reported under HIPAA. This would promote collaboration and prevent covered entities from reporting the same incident multiple times in different formats. MGMA said the size-based criteria for reporting mean that small medical groups will not have the burden of reporting incidents, but using the SBA definition means that many small physician offices will be impacted, even practices with annual revenues as low as $9 million.

The short timeframe for reporting incidents was criticized by WEDI, which said it could take longer than 72 hours to gather all the necessary information for the initial report. WEDI has called for CISA to be flexible with the reporting timeframe, such as allowing the initial report to be submitted with as much information as it has been possible to gather within 72 hours and allowing additional information to be submitted after that deadline as it becomes available. WEDI also proposes a carve-out for certain ransomware attacks. WEDI has requested that CISA not consider an attack to be a data breach if no protected health information has been accessed, provided the entity has made a good faith effort to deploy a recognized security program and has implemented security policies and procedures.

CHIME/AEHIS Members Express Concern

The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) have urged CISA to consider that the core mission of healthcare is patient safety and not to implement regulatory requirements that could jeopardize that mission.

One concern from their members is the reporting requirements under HIPAA, which require security breaches to be reported to OCR within 60 days of the discovery of a data breach. They are concerned that the clock would start ticking for reporting under HIPAA on the date of submission of the incident report to CISA, and that could create considerable additional burdens for HIPAA-regulated entities. CHIME and AEHIS have asked CISA to clarify the reporting requirements for managed service providers and other third-party service providers that provide products or services to HIPAA-covered entities, requesting that the service provider be considered the covered entity for reporting under CIRCIA.

After the initial incident report, critical infrastructure entities are required to submit supplemental reports following a significant cybersecurity incident, with those supplemental reports submitted without delay or as soon as possible. There is concern that with the threat of enforcement, HIPAA-covered entities may feel compelled to prioritize reporting of incidents over patient safety. CHIME/AEHIS have requested that the supplemental reports be submitted every 72 hours at a minimum or every 5 days, and for those reports to only be required if substantial new or different information becomes available.

CHIME/AEHIS point out that the definition of larger hospitals – those with 100 or more beds – is inadequate and that a more nuanced approach is required, with factors other than bed count considered. They also ask that CISA not require reporting of incidents by critical access hospitals (CAHs), which are already under considerable financial strain. Making CAHs report incidents could increase the financial strain on those hospitals, leading to more closures and reduced access to healthcare for patients.

CHIME/AEHIS have received feedback from their members about the level of detail required by CISA about the security architecture of breached entities. “If CISA requires hospitals and healthcare systems to define their entire security architecture, that is a tremendous amount of information to include in a report,” explained the industry groups. “Our members do not believe that CISA needs to know an entire description of an organization’s security program – as it is not helpful to fulfill the purpose of CIRCIA, is potentially considered intellectual property (IP), and/or sensitive for the organization.”

The post Industry Groups Give Feedback on CISA’s Proposed Cybersecurity Reporting Requirements appeared first on The HIPAA Journal.