HIPAA Breach News

Former Executive Sentenced to Probation for HIPAA Violation

Posted by Steve Alder

Mark Kevin Robison, a former vice president of Commonwealth Health Corporation (now Med Center Health) in Kentucky has been sentenced to 2 years’ probation and ordered to pay $140,000 in restitution after reaching a plea agreement with federal prosecutors over a HIPAA violation.

Robison pled guilty to knowingly disclosing the protected health information of patients of Commonwealth Health Corporation (CHC) under false pretenses to an unauthorized third party between 2014 and 2015. Robison did not have authorization from the patients concerned nor from CHC to disclose the records.

While Vice President of CHC, Robison hired Randy Dobson as a patient account collection vendor for CHC. In March 2011, Robison and Dobson set up a corporation – OPTA LLC – in Kentucky. The pair were the only registered members and Robison was the registered agent. Dobson was developing a software solution and together the pair hoped to market the software to healthcare companies.

OPTA Kentucky was dissolved in 2014, and Delaware OPTA was incorporated the same year with Dobson listed as the sole owner. Delaware OPTA continued to develop the same software, and Robison hoped to share in the profits from the sale of the software when he left CHC. In 2014, Robison instructed the CHC IT department to share patient data with Dobson to test the software. The disclosures occurred between 2014 and 2015 without authorization from CHC or the patients concerned.

CHC learned of the relationship between Robison and Dobson, Robison was fired by CHC in December 2016, and the HIPAA violation was reported to law enforcement. Dobson is not believed to have disclosed the patient data to any other individuals and only used the data to test the software. While patients appear not to have suffered any harm, the potential penalty for the violation was severe.

Robison faced a maximum penalty of five years imprisonment and a fine of up to $100,000 for the HIPAA violation. Robison pled guilty to one count of impermissibly disclosing protected health information in a plea deal that saw him avoid jail and instead be placed on probation for 2 years. Robison was also ordered to pay CHC $140,000 in restitution. Half of that amount has already been paid and Robison intends to pay the remainder by the end of January.

The post Former Executive Sentenced to Probation for HIPAA Violation appeared first on HIPAA Journal.

Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment

Posted by Steve Alder

New York Attorney General Letitia James has announced that an agreement has been reached with Refuah Health Center Inc. to resolve allegations it failed to maintain reasonable and appropriate cybersecurity controls to protect and limit access to sensitive patient data stored on its network. Under the terms of the agreement, Refuah Health Center has agreed to invest $1.2 million in cybersecurity and will pay $450,000 in penalties and costs.

The NY AG launched an investigation of Refuah Health Center after being notified about a May 2021 ransomware attack that compromised the personal and protected health information of 260,740 individuals, including 175,077 New Yorkers.  The Lorenz ransomware group gained access to internal systems in late May 2021, initially compromising a system that was used for viewing videos from internal cameras monitoring its facilities. That system was only protected with a four-digit code.

The attackers stole administrator credentials that were used by a former IT vendor to remotely access the network. The credentials had not been changed for 11 years and had not been deleted or disabled, even though they had not been used by the IT vendor in 7 years. The account did not have multifactor authentication enabled. The credentials allowed access to a large number of files containing patient information that had not been encrypted at the file level.

The Lorenz group exfiltrated data and encrypted files with ransomware. They contacted Refuah and issued a ransom demand and provided proof of data theft, including a list of files that were copied and a screenshot of patient data consistent with a database associated with Refuah’s dental practice. The third-party forensic investigation concentrated on the files that were stored on the shared network space but Refuah did not investigate to determine whether the database had been accessed, even though the attackers provided a screenshot of that database that displayed the records of 34 patients.

Refuah completed its analysis of the files on March 2, 2022, then mailed notification letters on April 29, 2022. The data compromised in the attack included patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account numbers, and health insurance policy numbers.

Multiple HIPAA Security Rule Failures Identified

The NY AG looked at the administrative and technical safeguards that had been implemented and identified widespread noncompliance with the HIPAA Security Rule. Refuah Health Center had not conducted a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information since March 2017 in violation of 45 C.F.R § 164.308(a)(1)(ii)(A) and (B) and had not addressed vulnerabilities that were identified in that risk analysis in the four years since it was conducted, in violation of § 164.306(a).

There were insufficient policies and procedures to prevent, detect, contain, and correct security violations, in violation of § 164.308(a)(1)(i), a lack of policies and procedures authorizing access to ePHI in violation of § 164.308(a)(4)(i), and no procedures for regularly reviewing logs of information system activity, in violation of § 164.308(a)(1)(ii)(D).

Policies and procedures for granting right of access based on access authorization policies were not present, in violation of § 164.308(a)(4)(ii)(B) and (C), there were no procedures for monitoring log-in attempts and reporting discrepancies nor procedures for creating, changing, and safeguarding passwords, in violation of § 164.308(a)(5)(ii)(C) and (D), and insufficient policies and procedures to address security incidents, and identifying and responding to suspected or known security incidents, in violation of § 164.308(a)(6)(i) and (ii).

Further, there were insufficient periodic technical and nontechnical evaluations of security policies and procedures (§ 164.308(a)(8)), insufficient technical policies and procedures for systems that maintain ePHI to allow access to persons granted access rights and no mechanism to encrypt ePHI (§ 164.312(a)(1) and (2)(iv)), insufficient controls for recording and examining activity in systems that contain or use ePHI (§ 164.312(b)), and insufficient verification of persons seeking access to ePHI to ensure they are who they claim to be (§ 164.312(d)).

The NY AG also determined there had been two violations of New York General Business Law, which requires the implementation and maintenance of reasonable safeguards to protect consumer information (§ 899-bb), and the  disclosure of a data breach in the most expedient time possible and without unreasonable delay (§ 899-aa). The later was also determined to be a violation of the HIPAA Breach Notification Rule (§ 164.404).

The agreement with the NY AG includes the requirement to invest $1.2 million in cybersecurity and make substantial improvements to its information security program, data retention policies, and incident response policies and procedures. Refuah is also required to issue notifications to all individuals whose data was compromised within 90 days.

“New Yorkers should receive medical care and trust that their personal and health information is safe,” said Attorney General James. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”

The post Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment appeared first on HIPAA Journal.

Orrick, Herrington & Sutcliffe Data Breach Affected 637,000 Individuals

Posted by Steve Alder

The Californian law firm Orrick, Herrington & Sutcliffe has recently confirmed that a cyberattack that was detected in March 2023 has affected more than 637,000 individuals. The Orrick, Herrington & Sutcliffe data breach was reported to the HHS’ Office for Civil Rights on June 30, 2023, as affecting 40,823 individuals, then on July 20, 2023, the law firm notified the Maine Attorney General that the breach had affected 152,818 individuals. An updated notification was sent to the Maine Attorney General on August 18, 2023, with an increased total of 461,100 affected individuals. Another update was issued on December 29, 2023, with an increased total of 637,620 individuals. This appears to be the final total, as the law firm said it does not anticipate providing notifications on behalf of any further affected businesses.

The services provided by Orrick, Herrington & Sutcliffe include legal counsel for companies that have suffered security incidents and data breaches, including handling regulatory requirements such as notifications to state authorities and the individuals whose sensitive data was exposed. The law firm’s experience in issuing notifications has grown considerably in 2023 with its own consumer notifications, which were sent in July, August, September, and November.

The nature of the services provided by the law firm means many of the individuals affected by the data breach had been affected by data breaches at other companies who availed of Orrick, Herrington & Sutcliffe’s services for their own breach responses. For instance, individuals who had vision plans from EyeMed Vision Care, dental plans from Delta Dental, and health insurance from MultiPlan and Beacon Health Options (Carelon). Another client affected was the U.S. Small Business Administration.

Settlement Proposed to Resolve Class Action Data Breach Lawsuits

Several lawsuits were filed in response to the data breach that Orrick, Herrington & Sutcliffe has chosen to settle quickly. Four of those lawsuits made similar claims and were consolidated into a single class action lawsuit in California Federal Court – In Re: Orrick, Herrington & Sutcliffe LLP Data Breach Litigation. The lawsuits alleged the law firm should have been well aware of the risk of ransomware attacks and data breaches due to extensive media reports, warnings from the Federal Bureau of Investigation, and the attacks suffered by the law firm’s clients. They claimed the cyberattack and data breach could have and should have been prevented had the law firm implemented necessary and appropriate cybersecurity measures and followed industry best practices for cybersecurity.

In a court filing on December 21, 2023, Orrick, Herrington & Sutcliffe said a settlement is being finalized and an agreement in principle has been reached. The law firm said it expects to present the settlement to U.S. District Judge Susan Illston for approval in early January. Orrick, Herrington & Sutcliffe issued a statement saying it regretted the “inconvenience and distraction that this malicious incident caused,” and that the law firm is happy to have reached a settlement within a year to bring the matter to a close. Details of the settlement have yet to be made public; however, attorney William Federman, who is representing the plaintiffs, confirmed that the settlement is reasonable and fair and will resolve all pending litigation.

The post Orrick, Herrington & Sutcliffe Data Breach Affected 637,000 Individuals appeared first on HIPAA Journal.

Email Accounts Compromised at The Foleck Center, Mountain Dermatology Specialists

Posted by Steve Alder

The Foleck Center in Virginia and Mountain Dermatology Specialists in Colorado have discovered unauthorized access to employee email accounts and the exposure of patient data.

The Foleck Center Discovers Forwarding Rule on Employee Email Account

The Foleck Center, a provider of cosmetic, implant, and general dentistry services in Norfolk, Hampton, and Virginia Beach, has recently notified 6,965 patients that some of their protected health information has been acquired by an unauthorized individual.

On October 26, 2023, The Foleck Center was made aware that one of its employees had a forwarding rule on their email account that sent emails to a Gmail account. The Foleck Center contacted its managed IT service provider, which performed a forensic investigation. Rather than this being a HIPAA violation by the employee, the forensic investigation revealed that an unauthorized third party had gained access to the email account and set up the forwarding rule on September 4, 2023.

Copies of all emails sent to the employee’s account between September 4, 2023, and October 31, 2023, were forwarded to the Gmail account. The Gmail account had not been sent up by the employee or anyone else at The Foleck Center. The IT company secured the account and implemented additional safeguards to prevent mailbox rules from being set up for external forwarding.

While it was possible to tell which emails had been forwarded between September 4, 2023, and October 31, 2023, it was not possible to determine if any other emails in the account had been read or copied. All emails were reviewed to check which patient data had been exposed or stolen, and all individuals whose PHI was present in the account were notified. The information exposed varied from individual to individual and may have included names, addresses, dates of birth, employer name and address, dates and office locations of treatment/appointments, employer name and address, our patient and system ID numbers, and insurance information. A limited number of patients also had their Social Security numbers and/or driver’s licenses exposed.

The Foleck Center said it already provides HIPAA and security awareness training for employees several times a year, and additional training is now being provided to improve password and network security further.

Email Account Breach Reported by Mountain Dermatology Specialists

Mountain Dermatology Specialists in Edwards and Dillion, CO, has also recently reported an email account breach that was detected on October 26, 2023. An unauthorized individual gained access to the email account of one of its employees and used the account to send phishing emails to contacts within the mailbox.

The forensic investigation confirmed there had been unauthorized access to the email account between October 24, 2023, and October 26, 2023. A review of the emails in the account confirmed that the protected health information of 2,705 patients was exposed, including full names, addresses, dates of birth, phone numbers, email addresses, dates of treatment, types of treatment, conditions/diagnoses, medications, health insurance information, and cost/billing information/amount paid. A limited number of individuals also had their Social Security numbers and/or compensation/benefits information exposed.

Mountain Dermatology Specialists said it has implemented additional technical safeguards, performed password resets, and reinforced security awareness training for the workforce.

The post Email Accounts Compromised at The Foleck Center, Mountain Dermatology Specialists appeared first on HIPAA Journal.

Parathon by JDA eHealth Systems Confirms July 2023 Cyberattack

Posted by Steve Alder

Parathon by JDA eHealth Systems, a revenue cycle management company in Naperville, Illinois, has recently notified state attorneys general that it suffered a cyberattack on July 27, 2023. In its December 22, 2023, notification to the Montana Attorney General, Parathon explained that unauthorized individuals were able to access the protected health information of patients of its clients. The types of information involved varied from individual to individual and may have included names in combination with one or more of the following: address, date of birth, and/or protected health information, including but not limited to diagnosis, claims information, and health insurance information.

The notification does not state whether files were encrypted in the attack, but Parathon said data was stolen and a ransom payment was demanded. Parathon said, “We have taken all efforts possible to mitigate any further exposure of your personal information and related identity theft.” The Akira threat group claimed responsibility for the attack and added Parathan to its data leak site but has since removed the listing which suggests the ransom was paid. Akira claimed to have stolen 560GB of data.

In its breach notification letters, Parathon said, “We are committed to doing everything we can to protect the privacy and security of the personal information in our care.” Additional safeguards have been implemented, security measures have been enhanced to better protect the data in its systems, and Parathon has reviewed its policies and procedures relating to data security. Parathon said it has found no evidence to indicate any misuse of the stolen data, but as a precaution, has offered three complimentary services to the affected individuals: single bureau credit monitoring, single bureau credit report, and single bureau credit score, which are being provided by Cyberscout.

It is unclear how many clients were affected. The HIPAA Journal has been able to confirm that one of the affected clients is NorthShore University Health System. While state attorneys general have been notified, the incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

31,000 Individuals Affected by Cyberattack on Eye Physicians of Central Florida

Eye Physicians of Central Florida, PLLC, has recently announced that the protected health information of 31,189 patients has been exposed and potentially stolen in a recent cyberattack. Eye Physicians of Central Florida, a division of Florida Pediatric Associates, identified suspicious network activity on November 5, 2023. Steps were immediately taken to prevent further unauthorized access to its systems and a forensic investigation was launched to determine the nature and scope of the incident.

The investigation confirmed there had been unauthorized access to parts of its network where patient information was stored. At the time of issuing notification letters to the affected individuals on December 6, 2023, no evidence had been found to indicate any actual or attempted misuse of patient data; however, out of an abundance of caution, affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The types of data exposed included names, addresses, dates of birth, medical diagnosis and treatment information, provider names, patient ID numbers, procedure codes, dates of service, treatment cost information, financial account information, state ID, health insurance information, and/or prescription information.

Eye Physicians of Central Florida said it is reviewing its current policies and procedures related to data security and will make improvements, as necessary to harden security.

The post Parathon by JDA eHealth Systems Confirms July 2023 Cyberattack appeared first on HIPAA Journal.

At Least 141 Were Hospitals Directly Affected by Ransomware Attacks in 2023

Posted by Steve Alder

Last year was a particularly bad year for ransomware attacks. According to an analysis by the cybersecurity firm Emsisoft, 46 hospital systems suffered ransomware attacks in 2023, up from 25 in 2022 and 27 in 2021. Across those 46 attacks, at least 141 hospitals were directly affected and experienced disruption due to the lack of access to IT systems and patient data.

It is difficult to accurately report on ransomware attacks in the healthcare sector, as many victims fail to disclose whether ransomware was used. Breach notification letters to the affected individuals and state Attorneys General often describe ransomware attacks as cyberattacks, unauthorized access, hacking incidents, security incidents, or encryption events, and as such, the number of attacks experienced in the sector is likely to be significantly understated. Emsisoft’s State of Ransomware in the U.S.: Report and Statistics 2023 reveals 2,207 U.S. hospitals, schools, and governments were directly impacted by ransomware in 2023 and many others were indirectly impacted via attacks on their supply chains.

Without access to patient records and essential IT systems, hospitals are often forced to put their emergency departments on redirect, with ambulances sent to neighboring healthcare facilities. Other hospitals in the region are placed under an increased strain due to the sharp increase in the number of patients, and the resource constraints caused by the increase in patients has a negative impact on time-sensitive conditions such as acute stroke.

The outages caused by these attacks mean scheduled appointments often need to be canceled and rescheduled and bottlenecks occur with lab testing and radiology, resulting in delays to diagnosis and treatment, longer patient stays, a slowing of patient throughput, and the disruption inevitably results in poorer patient outcomes. While there have been no reported deaths in the United States as a direct result of ransomware attacks, studies have shown that following a ransomware attack, there is an increase in medical complications and mortality rates. One study, conducted by McGlave, Neprash, and Nikpay of the University of Minnesota School of Public Health, found that in-hospital mortality for patients already admitted at the time of a ransomware attack increased. The attacks also caused a 17%-25% reduction in hospital volume during the initial attack week, and they estimated that between 2016 and 2021, ransomware attacks killed between 42 and 67 Medicare patients.

These attacks naturally have a significant financial impact. According to the Verizon Cost of a Data Breach Report, the average cost of a healthcare data breach increased to its highest ever level in 2023, costing an average of $11 million, a 53% increase since 2020. Emsisoft said 32 of the 46 attacks on health systems resulted in sensitive data, including protected health information, being stolen.

The average ransom payment in 2028 was $5,000, but by 2023 the average payment increased by 29,900% to around $1.5 million. The increased profits from ransomware attacks allow ransomware groups to scale their operations, pay initial access brokers, and purchase zero-days, which means even more attacks can be conducted. Fewer victims are now paying ransoms which means ransom demands need to increase to make up for the shortfall. Some ransomware groups have also started engaging in more aggressive tactics, such as contacting patients and demanding payment. Some attacks on plastic surgery centers have resulted in intimate images being publicly posted and patients being told they needed to pay to have those images removed from the Internet. One group contacted individual patients and threatened them with the release of their sensitive data and demanded $50 per patient to delete their data.

Many ransomware groups operate out of countries that turn a blind eye to the attacks, and some nation states are thought to use ransomware groups as proxies. While international law enforcement operations have successfully disrupted some ransomware groups, the individuals involved are rarely brought to justice. With so much money involved and a low risk of being caught, attacks are unlikely to reduce and may even continue to increase. The solution suggested by Emsisoft and many other experts is simple. Since ransomware attacks are conducted by financially motivated threat actors, making attacks unprofitable is the easiest way of tackling the problem. Governments should therefore ban ransom payments and cut off this very lucrative income stream.

“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles. The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them,” said Emsisoft Threat Analyst, Brett Callow. “The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”

The post At Least 141 Were Hospitals Directly Affected by Ransomware Attacks in 2023 appeared first on HIPAA Journal.

Class Action Lawsuits Filed Over HealthEC Data Breach

Posted by Steve Alder

January 12, 2024: Class Action Lawsuits Filed Over HealthEC Data Breach

Multiple class action lawsuits have been filed against HealthEC LLC over a recently disclosed data breach that affected almost 4.5 million individuals. Hackers gained access to HealthEC’s population health management platform between July 14, and July 23, 2024, and obtained the sensitive data of patients of its healthcare provider clients, per The HIPAA Journal report below.

One of the class action lawsuits – Victoria Lempinen v. Health EC LLC – was filed in the U.S. District Court of New Jersey on behalf of Victoria Lempinen and similarly situated individuals who had their personal and protected health information compromised in the data breach.  The lawsuit alleges that HealthEC lost control of the sensitive data of almost 4.5 million individuals as a direct result of the failure to maintain reasonable and appropriate cybersecurity protocols and the lack of encryption of sensitive data on its network. The security failures are alleged to violate the FTC Act and Health Insurance Portability and Accountability Act (HIPAA). Further, the plaintiff argues that HealthEC did not have policies and procedures in place to ensure that sensitive data was deleted in a timely manner when it was no longer needed.

In addition to suffering a preventable data breach, HealthEC is alleged to have unnecessarily delayed issuing notifications, which were issued in December 2023, more than 5 months after the data breach occurred. This, it is argued, denied the opportunity for victims of the breach to take steps to protect themselves against identity theft and fraud. When notification letters were issued, the lawsuit alleges HealthEC failed to disclose important details about the breach, such as when the cyberattack and data breach were first detected, the dates of the investigation, the vulnerabilities that were exploited by the hackers, and the measures undertaken in response to the cyberattack to ensure that similar breaches are prevented in the future.

The lawsuit claims the plaintiff and class have suffered injuries including invasion of privacy, theft of private information, loss or diminished value of private information, lost time and opportunity costs, loss of benefit of the bargain, and an increase in spam calls, texts, and emails, and the plaintiff and class members now face an increased risk of identity theft and fraud. The 75-page lawsuit alleges negligence, breach of third-party beneficiary contract, breach of confidence, invasion of privacy, and unjust enrichment and seeks class action certification, a jury trial, and damages, restitution, and injunctive relief, including an order from the court to compel HealthEC to implement a raft of measures to improve data security. The plaintiffs and class are represented by Vicki J.  Maniatis and Gary M. Klinger of Millberg Coleman Bryson Phillips Grossman LLC.

A second lawsuit was filed against HealthEC LLC on behalf of plaintiff Bree Marano and similarly situated individuals that makes similar claims, including the failure to comply with FTC guidelines, industry standards, and HIPAA. Those failures include inadequate cybersecurity measures given the level or risk of a cyberattack, insufficient monitoring of its network for intrusions, and the failure to issue adequate and timely individual notifications about the data breach. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and breach of confidence, and claims the defendant has done absolutely nothing of value to provide the plaintiff and class with relief for the damages they have suffered as a result of the data breach.

January 3, 2024: HealthEC Data Breach Affects Almost 4.5 Million Individuals

HealthEC, an Edison, New Jersey-based analytics software vendor, has recently confirmed that the protected health information of 4,452,782 individuals has been exposed and potentially stolen in a recent cyberattack. HealthEC is the developer of a platform that healthcare organizations use to identify high-risk patients, close care gaps, and recognize barriers to optimal care. More than 1 million healthcare professionals in 18 U.S. states use the platform’s analytics to gain insights to improve patient outcomes.

HealthEC started mailing data breach notification letters to the affected individuals on December 22, 2023; however, the data breach occurred several months earlier. According to the notification letters, unauthorized individuals had access to HealthEC’s systems between July 14, 2023, and July 23, 2023. The forensic investigation revealed that during that time, files were removed.

HealthEC conducted a review of the affected files and determined that they contained the protected health information of its clients’ patients. HealthEC started notifying the affected clients on October 26, 2023, which included MD Valuecare in Virginia (112,005 records)  and Corewell Health in Michigan (1 million+ records). On December 21, 2023, the breach was reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 4.52 million individuals.

The information compromised in the attack varied from patient to patient and may have included names along with one or more of the following: address, date of birth, Social Security number, medical record number, diagnosis and diagnosis codes, mental/physical condition, prescription information, provider name, beneficiary number, subscriber number, Medicaid/Medicare identification number, patient account number, patient identification number, and treatment cost information. HealthEC is offering the affected individuals complimentary credit monitoring services and has taken steps to improve security to prevent further data breaches in the future.

HealthEC is the second vendor to experience a data breach that has affected more than 1 million Corewell Health patients this year. Michigan Attorney General, Dana Nassel, has called for new legislation to be introduced in the state mandating prompt notifications in the event of a data breach, as in each case, Michiganians had to wait several months to discover that their sensitive health data had been stolen.

Entities Impacted by HealthEC Data Breach

The entities known to have been affected by the HealthEC data breach, as disclosed by HEalthEC on December 22, 2023 are:

  • Alliance for Integrated Care of New York, LLC
  • Advantage Care Diagnostic & Treatment Center, Inc.
  • Beaumont ACO
  • Community Health Care Systems
  • Compassion Health Care
  • Corewell Health
  • East Georgia Healthcare Center
  • HonorHealth
  • Hudson Valley Regional Community Health Centers
  • Illinois Health Practice Alliance, LLC
  • KidneyLink
  • Long Island Select Healthcare
  • Metro Community Health Centers
  • Mid Florida Hematology & Oncology Centers, P.A, d/b/a Mid-Florida Cancer Centers
  • TennCare
  • State of Tennessee
  • University Medical Center of Princeton Physicians’ Organization
  • Upstate Family Health Center, Inc.

The post Class Action Lawsuits Filed Over HealthEC Data Breach appeared first on HIPAA Journal.

Michigan Attorney General Calls for New Data Breach Notification Law

Posted by Steve Alder

Michigan Attorney General Dana Nessel has called for legislative changes to hold companies in the state more accountable for data breaches after Corewell Health failed to disclose a data breach promptly. Corewell Health has been affected by two massive data breaches this year, both of which occurred at vendors and affected more than a million Corewell Health patients. The first breach occurred at Corewell Health vendor Welltok, which had data stolen in May when the Clop hacking group exploited a vulnerability in Progress Software’s MOVEit Transfer solution. Corewell Health patients were notified about the breach on December 1, 2023, more than 6 months after the breach occurred.

Michigan Attorney General, Dana Nessel

AG Nessel’s comments came in response to a second such breach, which occurred at HealthEC, a vendor used by Corewell Health for analyzing patient data. HealthEC discovered the breach in July 2023 and notified Corewell Health in October that the data of its patients had been compromised. AG Nessel explained that the department in the state that is responsible for consumer protection did not hear about the breach until December 27, 2023, more than 5 months after the breach was detected.

It often takes several months for individual data breach notification letters to be issued, but when sensitive data is stolen it can be misused immediately. Individuals need to know that their data has been stolen quickly so they can take steps to protect themselves against identity theft and fraud. In both cases, complimentary credit monitoring and identity theft protection services have been offered but some of the affected individuals have already fallen victim to identity theft and fraud. Had those individuals been made aware of the breaches sooner, losses could have been prevented. Nessel is advocating for legislation that requires companies to notify the state immediately when a data breach is discovered.

Currently, 34 U.S. states have laws that require the state Attorney General or state agencies to be issued with timely notifications about data breaches that exceed certain thresholds, but there are no such requirements in Michigan. Without mandatory data breach reporting to improve transparency, there is little the state can do regarding enforcement.

“What we would like to be able to do is to say, ‘You know, look, if you don’t properly secure and store data, or if you don’t report a data breach, you’re going to be subjected to significant fines.’ That’s what they do in other states, but not here in Michigan,” said Nessel. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection.”

Regarding data security failures that result in data breaches, Michigan could take action and fine companies that are discovered to have violated the Health Insurance Portability and Accountability Act. Several state Attorneys General have imposed financial penalties for HIPAA violations, including Connecticut, Indiana, Massachusetts, Minnesota, New York, and New Jersey.

The post Michigan Attorney General Calls for New Data Breach Notification Law appeared first on HIPAA Journal.

Transformative Healthcare Sued Over Fallon Ambulances Service Data Breach

Posted by Steve Alder

Transformative Healthcare is facing legal action over a recently disclosed data breach that affected 911,757 patients of the Fallon Ambulance Service. The lawsuit also names Coastal Medical Transportation Systems, LLC, as a defendant. Coastal Medical Transportation Systems acquired Fallon Ambulance Services in September 2022, although the data breached was an archive copy of data from before the acquisition.

The lawsuit – Daniel Durgin v. Transformative Healthcare, LLC, and Coastal Medical Transportation Systems, LLC – was filed in the U.S. District Court for the District of Massachusetts on January 18, 2023, on behalf of Daniel Durgin, who received emergency medical transportation from the Fallon Ambulance Service before it ceased operations in December 2022. The lawsuit alleges the defendants should have known how to keep sensitive data protected, yet failed to implement reasonable and appropriate cybersecurity measures and comply with industry security standards, which allowed hackers to gain access to the plaintiff’s and class members’ sensitive data.

The lawsuit claims the plaintiff and class have incurred costs and expenses associated with the time spent mitigating the consequences of the data breach, including checking credit reports for signs of misuse of their data, purchasing credit monitoring services, and having to deal with withdrawal and purchase limits on their accounts, as well as the loss of property value of their personal information, and stress, nuisance, and aggravation of having to deal with the issues caused by the data breach.

The plaintiff and class asset claims of negligence, breach of implied contract, unjust enrichment/quasi-contract, and breach of fiduciary duty. The lawsuit seeks class-action status, a jury trial, monetary and statutory damages, and injunctive relief.

The plaintiff and class are represented by David Pastor of Pastor Law Office, PC, and Nicholas A. Migliaccio and Jason Rathod of Migliaccio & Rathod LLP.

January 2, 2024: More Than 911,000 Individuals Affected by Fallon Ambulance Service Data Breach

Legal counsel for Transformative Healthcare, a Newton MA-based medical, transportation & logistics company, has notified the HHS’ Office for Civil Rights about a data breach that has affected 911,757 individuals. The data breach affected individuals who had previously received services from the Fallon Ambulance Service, the Massachusetts medical transportation arm of Transformative Healthcare. Fallon responded to patient emergencies in the greater Boston area and provided administrative services for affiliated medical transportation companies.

In September 2022, Fallon Ambulance Service was acquired by Coastal Medical Transportation Systems and ceased business operations in December 2022. In order to comply with legal data retention requirements, Transformative Healthcare retained an archived copy of data that was previously stored on Fallon’s computer systems. On or around April 21, 2023, Transformative Healthcare detected unauthorized activity in its archive environment. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the extent of the breach. The forensic investigation confirmed that an unauthorized third party gained access to the archive on February 17, 2023, and retained access to the archive environment until April 22, 2023. During that time, files were copied from the archive.2

The affected files were reviewed and that process was completed on December 27, 2023, when it was confirmed that the files contained names, addresses, Social Security numbers, medical information including COVID-19 testing/ vaccination information, and information provided to Fallon in connection with employment or application for employment.

While data was removed from the archive, neither Fallon nor Transformative Healthcare have found any evidence to indicate misuse of the data. Affected patients were notified by mail on December 27, 2023, and credit monitoring and identity theft protection services are being offered to the affected individuals.

The post Transformative Healthcare Sued Over Fallon Ambulances Service Data Breach appeared first on HIPAA Journal.