HIPAA Compliance News

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Posted by HIPAA Journal

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents.

A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information.

In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names.

It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security laws, the Consumer Protection Act, and the Health Insurance Portability and Accountability Act.

UMass Memorial Health Care cooperated fully with the state attorney general’s investigation into the data breaches and agreed to settle the resulting lawsuit. In addition to paying the $230,000 fine, UMass Memorial Health Care will ensure that employee background checks are conducted prior to hiring new staff, all employees will receive further training on the correct handling of PHI, employee access to patient health information will be limited, risk analyses will be conducted to identify potential security issues, and any issues that are found will be subjected to a HIPAA-compliant risk management process. UMass Memorial Health Care will also ensure proper employee discipline and any suspected cases of improper accessing of ePHI will be investigated promptly.

Both UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., are also required to hire an independent firm to conduct a thorough review of data security policies and procedures and must report back to the Mass attorney general’s office on the findings of those reviews.

“Massachusetts residents rely on their health care providers to keep private health information safe and secure,” said Maura Healey. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”

“In the four years since [these breaches] took place we have taken steps aimed at further strengthening our privacy and information security program,” said a UMass Memorial Health Care spokesperson in a written statement. “This includes the implementation of additional technical tools that safeguard patient information, and enhancement of our existing privacy and information security procedures.”

State Attorneys General Pick Up the Slack in HIPAA Enforcement

After two years of increased enforcement of HIPAA Rules the HHS’ Office for Civil Rights has eased up on settlements and civil monetary penalties to resolve HIPAA violations, with only five settlements reached in 2018 and one civil monetary penalty issued. While OCR has eased up on financial penalties for HIPAA violations, state attorneys general fines are on track to make 2018 a record year for HIPAA enforcement.

UMass Memorial Health Care is the fifth healthcare organization to settle a HIPAA violation case with a state attorney general in 2018, joining The Arc of Erie County ($200,000), EmblemHealth ($575,000), and Aetna ($1,150,000) which have all been fined by the New York AG this year, and Virtua Medical Group which settled HIPAA violations with the New Jersey AG for $417,816 in April.

The post UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations appeared first on HIPAA Journal.

August 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches.

Healthcare Data Breaches by Month

There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached.

HEalthcare Records Exposed by Month

Causes of Healthcare Data Breaches in August 2018

Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks.

Causes of Healthcare Data Breaches in August 2018

Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare records – 2.96% of the monthly total.

There were two breaches involving the loss of PHI, one case of lost physical records and one lost portable electronic device containing electronic protected health information. The two theft incidents in August involved paper records.

Largest Healthcare Data Breaches in August 2018

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
AU Medical Center, INC Healthcare Provider 417000 Hacking/IT Incident
Fetal Diagnostic Institute of the Pacific Healthcare Provider 40800 Hacking/IT Incident
Legacy Health Healthcare Provider 38000 Hacking/IT Incident
Acadiana Computer Systems, Inc. Business Associate 31151 Hacking/IT Incident
Carpenters Benefit Funds of Philadelphia Health Plan 20015 Hacking/IT Incident
University Medical Center Physicians Healthcare Provider 18500 Hacking/IT Incident
Simon Orthodontics Healthcare Provider 15129 Hacking/IT Incident
Wells Pharmacy Network Healthcare Provider 10000 Unauthorized Access/Disclosure
St. Joseph’s Medical Center Healthcare Provider 4984 Loss
Central Colorado Dermatology, PC Healthcare Provider 4065 Hacking/IT Incident

Location of Breached PHI

Email-related data breaches continue to dominate the healthcare data breach reports. A further 14 email-related data breaches were reported in August, the majority of which saw email accounts accessed by unauthorized individuals as a result of healthcare employees falling for phishing emails. Phishing attacks on healthcare providers are being reported regularly, highlighting just how important it is for healthcare organizations to provide ongoing security awareness training for employees to teach them the skills they need to identify phishing attempts.
There were six incidents involving PHI stored on network servers in August, including two confirmed ransomware attacks. There were five breaches involving paper records.
Location of Breached PHI in August 2018 Healthcare Data Breaches

August Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of data breaches in August with 21 reported breaches. There were two health plan breaches and business associates of HIPAA-covered entities reported 5 breaches, with one further breach having some business associate involvement.

 

August Healthcare Data Breaches by State

Healthcare organizations based in 19 states experienced data breaches in August. While California and Texas usually top the list for data breaches due to the number of healthcare organizations based in those states, atypically, in August Oregon was the worst affected state with four breaches reported.

California and Florida each had three breaches reported, Colorado and Texas had two, and there was one breach reported in Arizona, Georgia, Hawaii, Illinois, Indiana. Louisiana, Maryland, Michigan, Nevada, New York, Ohio, Pennsylvania, Tennessee, and Virginia.

HIPAA Enforcement Actions in August

In 2016 and 2017, the HHS’ Office for Civil Rights took a hard line on enforcement of HIPAA Rules and agreed 21 settlements with HIPAA-covered entities and issued two civil monetary penalties. There have only been three financial settlements reached between OCR and HIPAA-covered entities in 2018 and no further fines or settlements were announced in August.  While OCR enforcement activity appears to have slowed, that is not the case with state attorneys general, in particular New York. The New York attorney general’s office has agreed two settlements with HIPAA-covered entities in 2018 with a third agreed in August.

The Arc of Erie County resolved violations of HIPAA Rules and state laws by paying a penalty of $200,000 to the New York attorney general’s office following the exposure of 3,751 individual’s PHI. The PHI had been uploaded to a website and could be accessed without authentication.

The post August 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Posted by HIPAA Journal

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules.

This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients.

Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital

Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a).

Brigham and Women’s Hospital (BWH) settled its HIPAA violations with OCR for $384,000. BWH allowed an ABC film crew to record footage between October 2014 and January 2015. Prior to filming, BWH conducted a review of patient privacy issues and provided the ABC film crew with HIPAA privacy training – The same training that was provided to its workforce. BWH also obtained written authorizations from patients. However, OCR determined that despite those measures, HIPAA Rules were still violated. In the resolution agreement, OCR wrote, “Based on the timing of when BWH received some written patient authorizations, BWH impermissibly disclosed the PHI of patients to ABC employees,” in violation of 45 C.F.R. § I64.502(a). BWH also failed to reasonably safeguard the PHI of patients: A violation of 45 C.F.R. § 164.530(c).

Massachusetts General Hospital (MGH) settled its HIPAA violations with OCR for $515,000. The hospital similarly allowed a film crew to record footage between October 2014 and January 2015. A review of patient privacy issues was also conducted, and the film crew was provided with the same HIPAA privacy training that MGH provides to its employees.

As was the case with BWH, OCR determined that 45 C.F.R. § I64.502(a) was violated as authorizations were received after an impermissible disclosure and MGH failed to appropriately and reasonably safeguard patients’ PHI from disclosure during the filming of the series in violation of 45 C.F.R. § 164.530(c).

In addition to covering the financial penalty, each of the three hospitals must adopt a corrective action plan which includes providing further training to staff on the allowable uses and disclosures of PHI to film and media.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

HIPAA Enforcement in 2018

OCR had a record year for HIPAA penalties in 2016 when it agreed 12 settlements to resolve HIPAA violations and issued one civil monetary penalty. 2017 saw 9 settlements reached with HIPAA-covered entities and one civil monetary penalty issued.

2018 has seen a reduction in financial penalties for HIPAA violations, with only three penalties issued prior the September 20, 2018 announcement. These latest three settlements bring the total number of OCR HIPAA violation penalties for the year up to six.

HIPAA Penalties and Settlements Agreed with OCR in 2018

Entity Penalty Penalty Type Reason for Penalty
Boston Medical Center $100,000 Settlement Filming patients without consent
Brigham and Women’s Hospital $384,000 Settlement Filming patients without consent
Massachusetts General Hospital $515,000 Settlement Filming patients without consent
University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty Lack of encryption and impermissible disclosure of ePHI
Filefax, Inc. $100,000 Settlement Impermissible disclosure of PHI
Fresenius Medical Care North America $3,500,000 Settlement Multiple HIPAA Violations

 

HIPAA Settlements with State Attorneys General in 2018

In addition to the penalties issued by OCR, there have been four settlements reached between HIPAA covered entities and state attorneys general in 2018.

State Covered Entity Amount Reason for Penalty
New York Arc of Erie County $200,000 Online Exposure of PHI
New Jersey Virtua Medical Group $417,816 Online Exposure of PHI
New York EmblemHealth $575,000 Exposure of PHI in Mailing
New York Aetna $1,150,000 Exposure of PHI in Mailing

The post $999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations appeared first on HIPAA Journal.

CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent

Posted by HIPAA Journal

The HHS’ Centers for Medicare and Medicaid Services (CMS) has investigated Fairview Southdale Hospital in Edina, MN over an alleged violation of patient privacy and discovered that some patients were videotaped during psychiatric evaluations in the emergency department without their knowledge or consent. The hospital was cited for violating patient privacy.

According to the Star Tribune, the CMS launched an investigation following a complaint from a patient who had been taken to the hospital for a psychiatric evaluation against her will in May 2017. The patient was escorted to the hospital as police officers were concerned about her state of mental health and feared she may cause harm to herself or others.

After being released, the patient took legal action over her admission to the hospital and how she was treated by the police. As part of that lawsuit, the patient requested a copy of the security camera footage from the hospital. While the patient expected to receive a copy of the videotape from the front of the hospital showing her entering the facility, the videotape showed her entire visit, including her psychiatric evaluation and her changing into hospital scrubs. The videotape only showed the patient’s back as she was getting changed.

The patient was horrified that the entire visit had been recorded without her knowledge and claimed that there were no warning signs in the emergency room advising patients that they were being recorded.

Fairview Southdale Hospital does indicate on its consent form for treatment that patients may be videotaped for the purpose of medical education, but in this case the patient refused to read to sign the consent form as she was not in the hospital of her own free will and had refused treatment.

Fairview Southdale Hospital cooperated fully with the investigation and informed the CMS that an additional 8 video cameras had been installed in rooms in the emergency department that were used for psychiatric evaluations following an increase in the number of incidents in which patients had become violent.

CMS found that cameras were used in those rooms, although there were no signs warning patients that they were being videotaped. The camera footage was visible in the nursing station but was out of public view.

Typically, footage from the cameras is permanently erased, although in this case the footage was retained as the patient had also made a complaint to the hospital about her visit.

Sue Abderholden, executive director of the Minnesota chapter of the National Alliance on Mental Illness, told the Star Tribune, “Healthcare facilities that videorecord patients for security reasons should notify them… If you’re going to do it, there should be a sign and you should orally tell the person.”

Following the investigation, the hospital retrained staff and informed its nurses to instruct patients that they may be filmed during their emergency room visits. Privacy screens have now been installed to prevent patients from being filmed while changing and from September, the hospital has discontinued recording video footage, but will continue to use the cameras for medical education purposes and for safety reasons.

The post CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent appeared first on HIPAA Journal.

Texas Nurse Fired for Social Media HIPAA Violation

Posted by HIPAA Journal

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website.

The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination.

Her comments explained how the disease was much worse that she expected it to be, having not encountered anyone with the measles in the past.  She explained that it was a “rough” experience seeing the boy suffering from the disease.

She also explained in one of her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” according to the Houston Chronicle, which obtained screenshots of her Facebook posts. “By no means have I changed my vax stance, and I never will. But this poor kid was bad off and as a parent, I could see vaccinating out of fear.”

Due to a high rate of vaccination (94.5%) in Houston, a measles case is very rare. Over the past ten years there have fewer than 10 confirmed cases in the city. While the nurse did not post the child’s name on Facebook, her job was listed on her profile, along with the hospital where she worked, and information about the boy and his condition. Due to the information contained in the posts and the rarity of the disease, it is possible that the child could have been identified.

Texas Children’s Hospital suspended the nurse when officials found out about her social media posts and an investigation was launched. After receiving the suspension, the nurse appeared to realize that she had shared too much information and deleted several of her posts. Four days after the nurse was suspended the decision was taken to fire her for the HIPAA violation. An official from Texas Children’s Hospital confirmed the nurse lost her job as a result of violating hospital policies and federal laws by posting protected health information on a social media website, and not for her anti-vaxxing views.

The HIPAA Privacy Rule places restrictions on the allowable uses and disclosures of protected health information. Most healthcare professionals will be well aware that the posting of any protected health information on a social media website constitutes a HIPAA violation.

However, as this incident shows, the patient does not need to be mentioned by name in order for them to potentially be identified. If any personally identifiable protected health information is posted on social media without consent first being obtained from the patient, it constitutes a violation of the HIPAA Privacy Rule.

A good rule of thumb is to keep work and private lives separate, and never to post any information about patients on a social media platform, even if you do not think that a patient could be identified from the post.

At HIMSS 2017, the former deputy director of health information privacy at the HHS’ Office for Civil Rights (OCR) explained that OCR plans to issue guidance on HIPAA and social media and what is and is not acceptable.

The post Texas Nurse Fired for Social Media HIPAA Violation appeared first on HIPAA Journal.

Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information

Posted by HIPAA Journal

On Wednesday, September 12, 2018, President Trump approved a request for a federal emergency declaration in the state of Virginia and made FEMA resources available for the state.

The Secretary of the U.S. Department of Health and Human Services, Alex Azar, has also declared a Public Health Emergency in Virginia, North Carolina, and South Carolina.

The Secretarial declaration eases certain HIPAA restrictions and helps Centers for Medicare & Medicaid Services’ (CMS) beneficiaries and their healthcare providers prepare for the possible impact of Hurricane Florence and provides greater flexibility to meet emergency health needs.

During severe disasters and public emergencies healthcare providers face increased challenges and may struggle to continue to meet all requirements of the HIPAA Privacy Rule.

In emergency situations, such as during hurricanes, the HIPAA Privacy Rule still applies; however, Alex Azar’s declaration of a Public Health Emergency means certain provisions of the Privacy Rule have been relaxed under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) of the Social Security Act.

During the period of the Public Health Emergency, sanctions and penalties against healthcare providers are waived for the following provisions of the HIPAA Privacy Rule.

  • 45 CFR 164.510(b) – The requirement to obtain authorization from a patient to speak with family members or friends involved in the patient’s care
  • 45 CFR 164.510(a) – The requirement to honor requests to opt out of the facility directory
  • 45 CFR 164.520 – The requirement to distribute a notice of privacy practices
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications

Sanctions and penalties for healthcare organizations have not been waived for all other requirements of the HIPAA Privacy, Security, and Breach Notification Rules.

The waiver only exists in the areas covered by the public health emergency declaration for the period identified in the declaration, and only when hospitals have initiated their disaster protocol. The waiver only lasts for 72 hours following the declaration of the emergency.

When the Presidential or Secretarial declaration terminates, the waiver no longer applies, even to those patients still in the care of a hospital and even if the 72-hour time period has not elapsed.

The HHS’ Office for Civil Rights has responded to the declaration by issuing guidance on appropriate sharing of health information in emergency situations, confirming how the HIPAA Privacy Rule applies to healthcare providers in the disaster emergency zone.

OCR has also made a HIPAA Emergency Preparedness Decision Tool available to help healthcare providers determine how the HIPAA Privacy Rule applies.

The post Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information appeared first on HIPAA Journal.

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

Posted by HIPAA Journal

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices.

Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in the healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen.

Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially have the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions jeopardize the confidentiality, integrity, or availability of ePHI.

HIPAA – 45 CFR § 164.310(a)(1) – requires covered entities and their business associates to implement policies and procedures to restrict access to electronic devices and media and the facilities in which they are housed. 45 CFR § 164.310(d)(1) of the HIPAA Security Rule requires policies and procedures to be implemented to govern the receipt and removal of those devices into and out of an organization’s facility, as well as movement within the facility. Robust policies and procedures must be developed to ensure ePHI is appropriately protected at all times.

When developing policies and procedures covering portable electronic devices and media, OCR recommends that HIPAA covered entities and their business associates consider the following questions:

  • Are records tracking the location, movements, alterations, repairs, and disposition of devices and media in place covering the entire life cycle of the devices/media?
  • Does the organization’s record of device and media movement include the individual(s) responsible for such devices and media?
  • Have members of the workforce (including management) received training on the correct handling of devices/media to ensure ePHI is safeguarded at all times?
  • Have appropriate technical controls been implemented to ensure the confidentiality, integrity, and availability of ePHI, such as encryption, access controls and audit controls?

There are several methods for tracking electronic devices and media. Smaller healthcare organizations that only use a limited number of devices/media may be able to manually track the movement of their devices/media, although this becomes a major challenge if large numbers of devices are in use. In such cases, specialized inventory management software and databases may be more appropriate. OCR suggests the use of a bar-code system or RFID tags may make it easier to organize, identify, and track the movement of devices and media.

When deciding on the most appropriate device and media controls to implement, healthcare organizations and their business associates should be guided by their risk analysis and risk management processes. Full consideration should be given to size, complexity and capabilities; hardware and software capabilities; technical infrastructure; the cost of implementing security measures; and the probability and criticality of potential risks to ePHI.

Policies and procedures must also be developed and implemented to ensure that when devices/media reach end of life, all ePHI stored on the devices is permanently erased to prevent the information from being retrieved or reconstructed. OCR covered the secure disposal of ePHI in its July 2018 cybersecurity newsletter.

Organizations that fail to track electronic devices and media and ensure that ePHI is appropriately protected at all times run the risk of HIPAA fines for non-compliance.

The most recent example is University of Texas MD Anderson Cancer Center’s failure to encrypt ePHI on portable electronic devices. That violation resulted in a civil monetary penalty of $4,348,000.

The August 2018 cybersecurity newsletter can be downloaded on this link (PDF – 140KB)

The post Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.