Latest HIPAA News

The High Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta

The SamSam ransomware attack on the City of Atlanta was initially expected to cost around $6 million to resolve: substantially more than the $51,000 ransom demand that was issued. However, city officials now believe the final cost could be around $11 million higher, according to a “confidential and privileged” document obtained by The Atlanta Journal-Constitution.

The attack has prompted a complete overhaul of the city’s software and systems, including system upgrades, new software, and the purchasing of new security services, computers, tablets, laptops, and mobile phones.

The Colorado Department of Transportation was also attacked with SamSam ransomware this year and was issued with a similar ransom demand. As with the City of Atlanta, the ransom was not paid. In its case, the cleanup is expected to cost around $2 million.

When faced with extensive disruption and a massive clean-up bill, it is no surprise that many victims choose to pay the ransom. New figures have now been released that confirm just how many victims have paid to recover their files and regain control of their computer systems.

223 SamSam Ransoms Paid: Almost $6 Million Generated

A recent analysis of the cryptocurrency wallets used by the threat actor behind the SamSam ransomware has shown there have been 223 ransom payments made by victims in the two and a half years since the release of the first SamSam ransomware variant. The payments total almost $6 million, more than six times the amount previously thought to have been earned by the threat actor behind the attacks.

The figures come from Sophos, which recently teamed up with a leading cryptocurrency tracking firm to investigate the attacks.

It was initially thought that the attacks were primarily being conducted on healthcare organizations, educational institutions, and government agencies, although the recent analysis has shown the private sector has attracted the majority of attacks. Healthcare organizations are obliged to report the attacks under HIPAA Rules, which is why they appeared to be extensively targeted.

26% of all attacks have been on healthcare firms. The majority of attacks have been on private companies and have not been reported. Many attacked firms have chosen to quietly pay the ransom demand.

No Sign of SamSam Ransomware Attacks Slowing Down

Several cybersecurity firms have reported a slowdown in ransomware attacks as threat actors switch to spreading cryptocurrency mining malware due to the higher potential for profits. However, there has not been any slowdown in SamSam ransomware attacks.

On average, one SamSam ransomware attack is conducted a day and the attacks have a high success rate. With ransom demands of around $50,000 issued for each infection, and an average of $187,500 earned each month, it is unlikely that the attacks will stop any time soon.

SamSam ransomware infections do not occur via spam or phishing emails; instead, companies are attacked through the exploitation of vulnerabilities and, more recently, through brute force attacks on Remote Desktop Protocol (RDP) connections.

Access is gained to the network and the attacker manually moves laterally using standard administration tools rather than NSA exploits. The malicious payload is deployed on as many computers and servers as possible before the encryption routine is started. The attacks tend to take place at night when there is less chance of them being detected and blocked.

This quiet, stealthy method of attack ensures a high rate of success compared to the noisy spam-delivered campaigns. Sophos believes the attacks are the work of a single individual.

How to Block SamSam Ransomware Attacks

Vulnerability scans and penetration testing can help to identify vulnerabilities before they are exploited and prompt patching is essential. Multi-factor authentication should be implemented, intrusion detection systems deployed and correctly configured, access logs should be routinely checked, admin privileges should be limited, and regular backups should be made with at least one copy stored off-site and offline.

Access to RDP needs to be restricted and remote connections should ideally only be made through VPNs, which also need to be kept up to date. If RDP is not required it should be disabled.

If RDP is enabled, rate limiting should be used to lock out users after a set number of failed attempts, blocking brute force attempts to gain access. Naturally, practicing good password hygiene is also important: default passwords should be changed, strong passwords or passphrases used, and passwords should be changed at regular intervals.

It is also wise to move RDP connections off the standard TCP port 3389, and it is similarly advisable not to have RDP connections public-facing on the internet.
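As an added illustration of the lockout threshold and routine log checking recommended above (example code written for this page, not from Sophos or the original article), the following Python script parses a constructed export of Windows Security failed-logon events (event ID 4625 with logon type 10, which is what an RDP logon records) and flags any source address that reaches the failure threshold inside a sliding time window. The log line format and the IP addresses are made up for the example; the detector also counts distinct target accounts per source, which goes slightly beyond the text.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample export (not real logs). Each line carries the Windows
# Security event ID: 4625 = failed logon, 4624 = successful logon.
# LogonType 10 (RemoteInteractive) is what an RDP logon records.
SAMPLE_LOG = """\
2018-07-15T02:01:10Z 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-07-15T02:01:12Z 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-07-15T02:01:13Z 4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-07-15T02:01:15Z 4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2018-07-15T02:01:16Z 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-07-15T02:01:18Z 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-07-15T09:14:02Z 4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2018-07-15T09:30:41Z 4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2018-07-15T09:31:00Z 4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2018-07-15T10:00:00Z 4625 LogonType=2 TargetUser=jsmith SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn the constructed export into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event": int(m["event"]),
            "logon_type": int(m["ltype"]),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window_seconds=300):
    """Flag a source IP once it produces `threshold` RDP logon failures
    (event 4625, logon type 10) within any span of `window_seconds`.
    The threshold mirrors the lockout policy the article recommends."""
    recent = defaultdict(deque)   # src -> (timestamp, user) pairs inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != 4625 or ev["logon_type"] != 10:
            continue  # only RDP failures count toward the threshold
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])  # one alert per source, not one per failure
            alerts.append({
                "src": ev["src"],
                "failures": len(q),
                "distinct_users": len({u for _, u in q}),
                "first": q[0][0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The two widely spaced failures from 198.51.100.4 never reach the threshold, which is the usual blind spot of a lockout rule on its own: slow guessing stays under it, so the log review the article calls for still matters.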

Sophos notes that the nature of SamSam ransomware attacks means that simply backing up files is not enough to ensure a quick recovery. SamSam ransomware not only encrypts data files but also application configuration files. Even if files are restored, it is likely that applications will fail to work.

The only way of ensuring a full recovery apart from paying the ransom is to rebuild affected machines. It is therefore important that companies have a plan for such an eventuality if they are to avoid having to pay the ransom.

The post The High Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta appeared first on HIPAA Journal.

OCR Reminds Healthcare Organizations of HIPAA Rules for Disposing of Electronic Devices and Media

In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media.

Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner.

HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes.

Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI.

If electronic devices are not disposed of securely and a data breach occurs, the costs to a healthcare organization can be considerable. Patients must be notified, it may be appropriate to pay for credit monitoring and identity theft protection services, and third-party breach response consultants, forensic investigators, and public relations consultants may need to be hired. OCR and/or state attorneys general may conduct investigations and substantial financial penalties may be applied. Breach victims may also file lawsuits over the exposure of their financial information.

The costs all add up. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute/IBM Security highlighted the high cost of data breaches, in particular healthcare data breaches. The average cost of a breach of up to 100,000 records was determined to be $3.86 million. Healthcare data breaches cost an average of $408 per exposed record to mitigate, while the cost of data breaches of one million or more records was estimated to be between $40 million and $350 million.

It is not possible to ensure that all ePHI is disposed of securely if an organization does not know all systems and devices where PHI is stored. A full inventory of all equipment that stores ePHI must be created and maintained. When new equipment is purchased the list must be updated.

A full risk analysis should be conducted to determine the most appropriate ways to protect data stored on electronic devices and media when they reach the end of their lifespan.

Organizations must develop a data disposal plan that meets the requirements of 45 C.F.R. §164.310(d)(2)(i)-(ii). Paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. OCR notes that “Redaction is specifically excluded as a means of data destruction.”

Electronic devices should be “cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization,” to ensure that ePHI cannot be retrieved. If reusable media are in use, it is important to ensure that all data on the devices are securely erased prior to the devices being reused. Before electronic devices are scrapped or disposed of, asset tags and corporate identifying marks should be removed.
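The NIST SP 800-88 guidance cited above also expects a sanitization operation to be verified before media is reused or released. The following Python routine is an added example (not from OCR, NIST, or the original article) that checks a disk image, supplied as bytes, for sectors that still hold data after a clear operation, either exhaustively or by representative sampling; the image contents are constructed for the example, and the 512-byte sector size and zero-fill pattern are assumptions.

```python
import random

SECTOR_SIZE = 512  # assumed logical sector size of the sanitized media


def build_sample_media(sectors=64, residual=()):
    """Constructed stand-in for a disk image after a clear operation: all-zero
    sectors, with leftover data planted at the given sector indexes so the
    verifier has something to find. Not real media."""
    image = bytearray(sectors * SECTOR_SIZE)
    leftover = b"MRN=000123 DX=ICD10-J18.9"  # constructed ePHI-like residue
    for idx in residual:
        start = idx * SECTOR_SIZE
        image[start:start + len(leftover)] = leftover
    return bytes(image)


def residual_sectors(image, pattern=b"\x00", sector_size=SECTOR_SIZE,
                     sample=None, seed=0):
    """Return the indexes of sectors that are not filled with `pattern`.

    sample=None performs full verification (every sector is read).
    sample=N performs representative sampling: N pseudo-randomly chosen
    sectors plus the first and last sector, the usual trouble spots
    (partition tables at the front, unaligned tail data at the end)."""
    # A trailing partial sector still counts; do not silently ignore it.
    total = (len(image) + sector_size - 1) // sector_size
    if total == 0:
        return []
    if sample is None:
        candidates = range(total)
    else:
        rng = random.Random(seed)  # fixed seed so a re-run reproduces the check
        chosen = set(rng.sample(range(total), min(sample, total)))
        chosen.update({0, total - 1})
        candidates = sorted(chosen)
    bad = []
    for idx in candidates:
        chunk = image[idx * sector_size:(idx + 1) * sector_size]
        expected = (pattern * (len(chunk) // len(pattern) + 1))[:len(chunk)]
        if chunk != expected:
            bad.append(idx)
    return bad


def verification_report(image, **kwargs):
    """Summarize a verification run in the form a disposal record needs."""
    sector_size = kwargs.get("sector_size", SECTOR_SIZE)
    bad = residual_sectors(image, **kwargs)
    return {
        "mode": "full" if kwargs.get("sample") is None else "sample",
        "sectors_total": (len(image) + sector_size - 1) // sector_size,
        "residual_sectors": bad,
        "passed": not bad,
    }


if __name__ == "__main__":
    media = build_sample_media(residual=(5, 40))
    print(verification_report(media))
    print(verification_report(media, sample=8))
```

Sampling is cheaper but can miss planted residue, as the second run may show; a failed full check is the result to record before the device leaves the organization.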

Third-party contractors can be used to dispose of electronic devices, although they would be considered business associates and a business associate agreement would need to be in place. All individuals required to handle the devices must be aware of their responsibilities with respect to ePHI and its safe handling and should be subjected to workforce clearance processes.

Organizations should also consider the chain of custody of electronic equipment prior to destruction. Physical security controls should be put in place to ensure the devices cannot be stolen or accessed by unauthorized individuals and security controls should cover the transport of those devices until all data has been destroyed and is no longer considered ePHI.

The OCR newsletter, together with further information on secure disposal of ePHI and PHI, can be found on this link (PDF).

NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices

The HIPAA Security Rule requires HIPAA-covered entities to ensure the confidentiality, integrity, and availability of electronic protected health information at all times. Healthcare organizations must ensure patients’ health is not endangered, their privacy is protected, and their identities are not compromised.

A range of physical, technical, and administrative controls can be implemented to secure ePHI on servers and desktop computers, but ensuring the same level of security for mobile devices can be a major challenge.

Mobile devices offer many benefits for healthcare providers. They can improve access to protected health information, ensure that data can be accessed anywhere, and they help healthcare providers improve coordination of care.

However, when ePHI is stored on mobile devices such as laptops, tablets and mobile phones, or is transmitted using those devices, it is particularly vulnerable. Mobile devices are easy to lose, are often stolen, and data transmitted through mobile devices can also be vulnerable to interception. In healthcare, mobile device security is a major concern.

Despite security concerns, the majority of healthcare providers are either using mobile devices or plan to implement a mobile device initiative. Mobile device usage by healthcare providers is expected to increase significantly over the next two years.

To help healthcare organizations take advantage of mobile devices without violating the HIPAA Security Rule and patient privacy, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) have produced a new guide, Securing Electronic Health Records on Mobile Devices.

The guide focuses on healthcare organizations that use mobile devices to review, update, and exchange electronic health records and addresses risks such as the loss or theft of devices, the hacking of devices, connecting to untrusted networks, and interaction between mobile devices and other systems.

The guide explains how ePHI can be secured on mobile devices without having a negative impact on delivering quality care and offers straightforward and detailed advice on securing electronic health records on mobile devices.

The guide explains how IT professionals can implement a security architecture to improve device security and better protect ePHI that is accessed, stored, or transmitted through mobile devices. The guide explains how commercially available and open-source technologies and tools can be deployed as part of a layered cybersecurity strategy to ensure ePHI can be accessed and shared securely.

The guide maps security characteristics to NIST standards and best practices and to the HIPAA Security Rule and includes a detailed architecture and capabilities that address security controls. The guide provides detailed information on automated configuration of security controls for ease of use and addresses both in-house and outsourced implementations.

The guide serves as a how-to guide to implement NIST’s security solution, or it can be taken as a starting point and customized to suit each individual organization. Since the guide is modular, healthcare providers can choose to implement the parts to suit their own needs.

“All healthcare organizations need to fully understand the potential risk posed to their information systems, the bottom-line implications of those risks, and the lengths that attackers will go to exploit them,” wrote NIST/NCCoE in the guide. “Assessing risks and making decisions about how to mitigate them should be continuous to account for the dynamic nature of business processes and technologies, the threat landscape, and the data itself. The guide describes [NIST’s] approach to risk assessment. We recommend that organizations implement a continuous risk management process as a starting point for adopting this or other approaches that will increase the security of EHRs. It is important for management to perform regular periodic risk review, as determined by the needs of the business.”

Email Account Compromises Continue Relentless Rise

There has been a steady rise in the number of reported email data breaches over the past year. According to the July edition of the Beazley Breach Insights Report, email compromises accounted for 23% of all breaches reported to Beazley Breach Response (BBR) Services in Q2, 2018.

In Q2, 2018 there were 184 reported cases of email compromises, an increase from the 173 in Q1, 2018 and 120 in Q4, 2017. There were 45 such breaches in Q1, 2017, and each quarter has seen the number of email compromise breaches increase.

In Q2, 2018, the email account compromises were broadly distributed across a range of industry sectors, although the healthcare industry experienced more than its fair share.

Healthcare email accounts often contain a treasure trove of sensitive data that can be used for identity theft, medical identity theft, and other types of fraud. The accounts can contain the protected health information of thousands of patients. The recently discovered phishing attack on Boys Town National Research Hospital resulted in the attackers gaining access to the PHI of more than 105,000 patients.

Email Accounts Used for Further Attacks on an Organization

If hackers gain access to an email account, not only do they have access to the data stored in that mailbox, the account provides the hacker with a platform for conducting further attacks. The email account can be used to send messages to other employees, and since the messages are sent internally, they are unlikely to be flagged as malicious by email security solutions.

These internal emails are carefully crafted based on information gathered from the compromised mailbox. Rather than just sending a standard phishing email from the compromised account to other employees, targets are identified through reconnaissance, the account holder’s message style is copied, and messages are crafted based on past conversations between the account holder and the targets. This allows the attacker to conduct highly convincing spear phishing campaigns that are much more likely to be successful.

Once access to a single account is gained, it is difficult to prevent further email accounts from being compromised, although it is relatively easy to prevent the initial attack. Spam filtering solutions are a must, as they will block the vast majority of malicious messages and prevent them from reaching inboxes. Security awareness training is also essential for preparing employees for attacks and training them how to recognize phishing emails and other email threats. If two-factor authentication is used, an additional form of authentication is required in order for the account to be accessed remotely.

Beazley notes that organizations that use Office 365 are more susceptible to email account compromises. Microsoft’s PowerShell is often exploited and used to log in to email accounts for reconnaissance, and if an email account with the right administrative privileges is compromised, the attacker could potentially search every single inbox in an organization.

Beazley also recommends preventing third-party applications from accessing Office 365, as this can reduce the potential for PowerShell to be used for reconnaissance.

The High Cost of Email Account Compromises

BBR Services often discovers that organizations are only aware of half the inboxes that are compromised in an attack, and that it is not uncommon for hundreds of inboxes to have been compromised in a single phishing campaign.

These breaches can be extremely costly to resolve, as each message must be checked to determine whether it contains PII or PHI. Even a small-scale email breach may cost $100,000 to resolve, while larger breaches can easily cost in excess of $2 million. “Business email compromise attacks are among the more expensive data breaches we see,” said Katherine Keefe, head of BBR Services.

A case study was included in the report detailing the high cost of healthcare phishing attacks. An employee received a phishing email with a link to a website that appeared official, which required that person to enter their email account credentials. That gave the attacker access to that individual’s email account, which was then used in further attacks on the organization.

A forensic investigation revealed the attacker gained access to 20 email accounts and that the method used would have allowed all 20 of those mailboxes to have been downloaded. The messages were programmatically searched for PHI, although 350,000 documents in the email accounts could not be searched automatically and required a manual check. Paying a vendor to search those documents cost $800,000. A further $150,000 was spent on notifications and credit monitoring services.

Main Causes of Data Breaches in Q2, 2018

Across all industry sectors, the main causes of data breaches were hacks and malware attacks (39%) and accidental disclosures (22%). Even though the number of email attacks increased, hacks and malware attacks decreased by 3% compared to Q1, 2018. The decline was attributed to a fall in ransomware attacks.

The Beazley report shows the main cause of healthcare data breaches was accidental disclosures, which accounted for 38% of all breaches reported to BBR Services in Q2, 2018. That represents an increase of 29% since Q1, 2018. Hacking and malware attacks accounted for 26% of healthcare data breaches. 14% of breaches were insider incidents, 7% involved loss of physical PHI, 6% were due to the loss/theft of portable devices and 4% were due to social engineering attacks.

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers.

This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May.

This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016.

Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials

The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled by email impersonation scams.

Business email compromise scams involve hackers gaining access to the email account of a senior executive and using that email account to send internal emails to try to obtain sensitive data such as W-2 Forms or to convince employees to make fraudulent wire transfers. However, access to an executive’s email account is not always necessary. If the attackers spoof an executive’s email address, it may be sufficient to fool employees into responding.

That is what appears to have happened in the UnityPoint Health phishing attack. A trusted executive’s email account was spoofed and several employees responded to the messages and disclosed their email credentials.

UnityPoint Health investigated the breach with assistance provided by a third-party digital forensics firm. The investigation suggested the primary purpose of the attack was to divert vendor payments and payroll funds to accounts controlled by criminals.

An analysis of the compromised email accounts revealed they contained a wide range of protected health information in the body of messages and attachments. That information could have been accessed by the hackers and downloaded.

The types of information exposed varied patient to patient, but may have included names, addresses, birth dates, medical record numbers, diagnosis information, treatment information, lab test results, health insurance information, surgical information, provider names, dates of service, driver’s license numbers, Social Security numbers and, for a limited number of patients, financial information such as credit card numbers.

A year of credit monitoring services has been offered to affected patients whose Social Security numbers, driver’s license numbers, or financial information were exposed. UnityPoint Health says it has not received any reports of PHI misuse to date.

Second Major UnityPoint Health Phishing Attack to Be Detected in 2018

This is not the first UnityPoint Health phishing attack to be reported in 2018. In April, UnityPoint Health announced it had discovered several email accounts had been compromised resulting in the exposure of 16,400 patients’ PHI. Unauthorized individuals gained access to employees’ email accounts between November 1, 2017 and February 7, 2018. In response to that attack, UnityPoint Health said it had strengthened security controls to prevent further attacks. Whatever additional controls had been implemented clearly were not effective at protecting against email impersonation attacks.

The latest breach has prompted UnityPoint Health to implement further security controls, which include the use of two-factor authentication on employees’ email accounts and additional technological controls to detect suspicious emails from external sources. Further training has also been conducted to help employees recognize phishing attempts.

When multiple data breaches are reported by a healthcare provider, especially breaches that involve large numbers of patient records, the Department of Health and Human Services’ Office for Civil Rights takes a keen interest. An investigation into these phishing attacks is likely to be conducted, with UnityPoint Health’s security controls and security awareness training programs likely to be carefully scrutinized for evidence of compliance failures.

Even without fines for non-compliance, data breaches on this scale can prove incredibly costly. Recently, the Ponemon Institute/IBM Security released the results of its 2018 Cost of a Data Breach Study. This year’s study showed the average cost of a data breach has risen to $3.86 million for a breach of up to 100,000 records. The healthcare industry has the highest breach costs at an average of $408 per record.

For the first time, the study investigated the cost of ‘mega’ data breaches – those that involve the exposure of more than 1 million records. The cost of resolving these mega data breaches was estimated to be $40 million when more than 1 million records have been exposed.

HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules

At a July 27 address at The Heritage Foundation, Secretary of the Department of Health and Human Services (HHS), Alex Azar, explained that the HHS will be undertaking several updates to health privacy regulations over the coming months, including updates to the Health Insurance Portability and Accountability Act (HIPAA) and 45 CFR Part 2 (Part 2) regulations.

The process is expected to commence in the next couple of months. Requests for information on HIPAA and Part 2 will be issued, following which action will be taken to reform both sets of rules to remove obstacles to value-based care and support efforts to combat the opioid crisis. Rule changes are also going to be made to remove some of the barriers to data sharing which are currently hampering efforts by healthcare providers to expand the use of electronic health technology.

These requests for information are part of a comprehensive review of current regulations that are hampering the ability of doctors, hospitals, and payers to improve the quality of healthcare services and coordination of care while helping to reduce healthcare costs.

That process has already commenced, with the Centers for Medicare & Medicaid Services (CMS) having proposed one of the most fundamental changes to Medicare in recent years – a change to how physicians are paid for basic evaluation visits.

At present there are five tiers of payments for visits, with payments increasing for visits of increasing complexity. While this system makes sense, in practice it involves a considerable administrative burden on physicians, requiring them to justify why they are claiming for a visit at a higher tier. The CMS has proposed reducing the five tiers to two. That simple change is expected to save physicians more than 50 hours a year – more than a week’s work – with that time able to be diverted to providing better care to patients.

The CMS has also issued a request for information on issues with the Stark Law, which prevents physicians from referring patients to other physicians/practices with which they have a financial relationship, except in certain situations. Requests for information on HIPAA, Part 2, and the Anti-Kickback Statute will follow.

Healthcare providers that wish to voice their concerns about issues with HIPAA, Part 2, and the Anti-Kickback Statute should consider preparing comments and suggestions for policy updates to address those issues, ready for submission when the HHS issues its requests for information.

Warnings Issued Following Increase in ERP System Attacks

The United States Computer Emergency Readiness Team (US-CERT) has warned businesses about the increasing risk of cyberattacks on enterprise resource planning (ERP) systems such as the cloud-based ERPs developed by SAP and Oracle.

These web-based applications are used to manage a variety of business operations, including finances, payroll, billing, logistics, and human resources functions. Consequently, these systems contain a treasure trove of sensitive data – the exact types of data sought by cybercriminals for fraud and cyber espionage.

Further, many businesses rely on their ERP systems to function. A cyberattack that takes those systems out of action can have catastrophic consequences, making the systems an attractive target for sabotage by hacktivists and nation state backed hacking groups.

The US-CERT warning follows a joint report on the increasing risk of ERP system attacks by cybersecurity firms Digital Shadows and Onapsis. The report focused on two of the most widely used ERP systems: SAP HANA and Oracle E-Business.

The authors explained that the number of publicly available exploits for SAP and Oracle E-Business has increased by 100% over the past three years, and that detailed information on how to attack these systems is being exchanged on darknet forums.

“ERP applications are being actively targeted by a variety of cyber-attackers across different geographies and industries,” wrote the authors. Some hackers have repurposed banking malware (Dridex) to obtain ERP system logins as demand for stolen credentials has increased significantly.

Access to ERP servers is often sought in order to mine cryptocurrencies. The researchers note that one cybercriminal group used a publicly available exploit for WebLogic to gain access to servers to install Monero mining software. Through that single attack the group managed to generate $226,000 in Monero coins. The researchers note that there is plenty of chat about using SAP servers to mine cryptocurrency on Internet Relay Chat (IRC) channels.

When ERP systems are connected to the Internet they are much more vulnerable to attack. The researchers note that internet-connected ERP systems are not difficult to find. More than 17,000 internet-connected ERPs were identified by the researchers that could potentially be accessed using dictionary or brute force tactics to guess logins. Many exploits are available for vulnerabilities that allow remote code execution, with more than 50 SAP exploits and 30 Oracle exploits being actively traded on darknet forums.

ERP system developers regularly release patches to address flaws in the software. As with any software solution, patches should be applied promptly. However, all too often patching is delayed due to the complexity of system architectures and customized functionality, which can make patching problematic. Those delays or the failure to apply patches plays into cybercriminals’ hands.

The researchers explain that prompt patching is critical. Additionally, strong, unique passwords should be used, and users should only have the privileges they need for their job role. ERP applications should be checked for uninstalled patches and insecure configurations, and unused APIs and unnecessary internet-facing logins should be disabled. Companies need to do as much as they can to reduce the attack surface.

The report is essential reading for IT security teams at all businesses that use ERP systems. The ERP Applications Under Fire report can be downloaded on this link.

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight.

In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes.

The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients’ protected health information. Millender admitted to using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to serve two years in jail.

In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital and could have been taken by employees or third parties. In the case of Millender, that is exactly what happened.

Flowers Hospital attempted to have the lawsuit dismissed, although that attempt failed and the lawsuit was awarded class action status in 2017. The decision has now been taken to settle the case. The hospital has offered a fund of up to $150,000 to cover out-of-pocket expenses incurred by the 1,208 victims of the breach. The settlement would provide each class member with up to $250 each, although claims up to a total value of $5,000 would be considered.

In order to be eligible to receive the compensation, class members would need to submit valid claims. A valid claim would require a breach victim to prove that they purchased credit monitoring or identity theft protection services in response to being notified about the breach.

Additionally, breach victims would be allowed to claim money for the time they spent arranging those services – up to four hours of documented lost time – the cost of obtaining credit reports, and any un-reimbursed interest resulting from a tax refund that was delayed because a fraudulent tax return was filed between June 2013 and the claims deadline. The settlement does not include any punitive damages.

In the event that valid claims are received, and the total claims amount exceeds the allocated $150,000, all claims would be reduced, pro rata, so that the total claims value would not exceed $150,000.

The post Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach appeared first on HIPAA Journal.
