Legal News about HIPAA and Healthcare Compliance

Boss of Gang Behind Attack on University of Vermont Medical Center Facing 40 Years in Jail

A Ukrainian man accused of leading racketeering groups who conspired to infect thousands of business computers with malware has pleaded guilty in federal court in Nebraska to one count of conspiracy to commit wire fraud and one count of conspiracy to break U.S. anti-racketeering laws. One of the victims, the University of Vermont Medical Center, was infected with ransomware resulting in IT systems being taken offline for more than two weeks. The attack prevented the medical center from providing critical patient services for more than two weeks. The Department of Justice said the attack on the medical center created a risk of death or serious bodily injury for patients and cost the medical center more than $30 million.

Vyacheslav Igorevich Penchukov, 37, aka Vyacheslav Igoravich Andreev and known online as Tank and Father, was accused of leading two cybercriminal groups, JabberZeus and IcedID, between 2009 and 2021. JabberZeus distributed the Zeus banking trojan and IcedID distributed the IcedID banking trojan. Both of these popular malware variants were used to steal usernames, passwords, and other information that allowed access to be gained to online bank accounts.

According to the Department of Justice, “Penchukov and his co-conspirators then falsely represented to banks that they were employees of the victims and authorized to make transfers of funds from the victims’ bank accounts, causing the banks to make unauthorized transfers of funds from the victims’ accounts, resulting in millions of dollars in losses to the victims.” The groups then hired money mules in the United States to receive the fraudulent transfers, withdraw the funds, and then wire the money to overseas accounts under the control of Penchukov and his co-conspirators.

Penchukov was indicted in 2012 for his role in the JabberZeus group and was placed on the Federal Bureau of Investigation’s (FBI) Most Wanted List, where he remained for almost a decade. While on the FBI’s Most Wanted List, Penchukov led the IcedID gang from November 2018 to February 2021. IcedID also infected devices with malware to steal banking information. The IcedID trojan could also be used to deliver other malware payloads, including ransomware, as was the case with the attack on the University of Vermont Medical Center in October 2020.

Penchukov was arrested in Switzerland in 2022 and was extradited to the United States in 2023. On February 15, 2024, Penchukov appeared in court in Lincoln, Nebraska, and pleaded guilty to one count of conspiracy to commit a Racketeer Influenced and Corrupt Organizations (RICO) Act offense for his role in the JabberZeus gang, and one count of conspiracy to commit wire fraud for his role in the IcedID group. Penchukov faces a maximum of 40 years in jail – up to 20 years for each count – and will be sentenced on May 9, 2024.

The post Boss of Gang Behind Attack on University of Vermont Medical Center Facing 40 Years in Jail appeared first on HIPAA Journal.

Connexin Software Proposes Class Action Lawsuit Settlement to Avoid Bankruptcy

Connexin Software, which does business as Office Practicum, has proposed a $4 million settlement to resolve a consolidated class action lawsuit stemming from a 2022 data breach that affected almost 3 million individuals. Office Practicum provides pediatric-specific health information technology solutions to healthcare providers, including electronic health records, practice management software, billing services, and business analytics tools.

On August 26, 2022, Connexin Software said it detected a data anomaly within its internal network and the subsequent forensic investigation confirmed that an unauthorized third party had obtained an offline set of patient data that was used for data conversion and troubleshooting. The compromised data included the protected health information of 2,675,934 patients, the majority of whom were children. The compromised data included names, guarantor names, parent/guardian names, addresses, email addresses, dates of birth, Social Security numbers, health insurance information, medical and treatment information, and billing and claims data.

Several class action lawsuits were filed against Connexin Software shortly after the company announced the breach, nine of which were consolidated into a single class action lawsuit as they all made similar claims, including an alleged failure to implement reasonable and appropriate security measures to protect patient data. Children’s data is particularly valuable to cybercriminals as it can be misused for years. The affected individuals suffered an invasion of privacy and immediate and long-term risks of identity theft, fraud, medical identity theft, misappropriation of health insurance benefits, and other misuses. The plaintiffs argued that the threat actor behind the attack could also sell the data of children to human trafficking groups.

The settlement is in the best interests of all parties concerned. The plaintiffs will be able to claim for reimbursement of out-of-pocket expenses and Connexin Software will avoid further legal costs. Connexin Software explained to the judge when filing the preliminary settlement that if the lawsuit had progressed much further, the company would have no option other than to file for bankruptcy protection.

All parties have agreed to the proposed settlement, which has received preliminary approval from a Pennsylvania federal court judge. The plaintiffs and class members have been given three options: Expanded identity theft protection services for three years and coverage by a $1,000,000 identity theft insurance policy; reimbursement for unreimbursed out-of-pocket expenses up to a maximum of $7,500 per class member; or a flat-fee cash payment, the amount of which will be determined based on the claims received. Connexin Software has also agreed to invest $1.5 million in its information security program to better protect patient data in the future. Attorneys for the plaintiffs and class members are seeking around $1.3 million in fees.

“The parties were well-aware of each other’s strengths and weaknesses by virtue of the court’s ruling on Connexin’s partial motion to dismiss, their exchange of thousands of pages of documents, nearly a dozen depositions, and mediation-related discovery and analysis directed at Connexin’s finances,” states the settlement document. “Rather than prolonging the litigation, plaintiffs have reached a settlement that will immediately provide them and class members with significant benefits for their injuries arising from the data security incident.” The settlement now awaits a final hearing, the date for which has not yet been set.

The post Connexin Software Proposes Class Action Lawsuit Settlement to Avoid Bankruptcy appeared first on HIPAA Journal.

Fortra GoAnywhere Hacking Lawsuits Consolidated in the Southern District of Florida

Dozens of lawsuits that were filed in response to the mass exploitation of a vulnerability in Fortra’s GoAnywhere MFT file transfer solution have recently been consolidated into a single lawsuit that will be heard in the Southern District of Florida.

The lawsuits stem from the mass exploitation of a vulnerability by the Clop group. The Clop group, aka Cl0p, is a financially motivated threat actor known for ransomware and extortion-only attacks, which has a history of exploiting vulnerabilities in file transfer solutions. Clop exploited flaws in the Accellion File Transfer Appliance in December 2020, SolarWinds Serv-U Managed File Transfer and Secure FTC software in November 2021, and Fortra’s GoAnywhere MFT solution between January and February 2023. Later in the year, Clop went on to exploit a zero-day vulnerability in Progress Software’s MoveIT Transfer solution.

More than 2,700 users of MOVEit software suffered attacks, the Fortra GoAnywhere vulnerability was exploited to attack around 130 organizations, and Accellion attacks affected more than two dozen organizations. In these attacks, Clop opted for data theft and extortion and chose not to encrypt files, even though the group claimed that it could have done so. Without encryption, attacks are faster and more efficient and there were no apparent attempts at wider compromises. The attacks have certainly proven to be profitable for Clop, which has raked in over $100 million in ransom payments this year from its mass exploitation attacks.

While these mass hacking incidents were similar and the subsequent lawsuits in each made similar claims, the U.S. Judicial Panel on Multidistrict Litigation opted not to consolidate the lawsuits against Accellion and its customers but did consolidate lawsuits related to the GoAnywhere and MoveIT hacking incidents. Organizations that were against consolidation in the Fortra lawsuits argued that the Judicial Panel on Multidistrict Litigation should similarly rule against consolidation as it did with the Accellion actions.

The decision to deny centralization in the Accellion actions, of which there were 26, was due to most parties opposing centralization organizing the litigation and preferring to cooperate informally, and because there were likely to be allegations specific to each defendant’s role in the breach of plaintiffs’ data since the vulnerability was present in a legacy file transfer solution that Accellion had been encouraging customers to migrate away from. The Fortra GoAnywhere solution is actively used by more than 100 organizations and is not a legacy product, therefore, there are likely to be significant questions about Fortra’s role in the ultimate exploitation of the vulnerability.

All of the GoAnywhere lawsuits are expected to share common and complex factual questions surrounding how the vulnerability occurred, the unauthorized access and data exfiltration, Fortra’s role in the vulnerability and the response to it, and the plaintiffs bringing largely overlapping putative nationwide class actions. Centralization of the actions offers substantial opportunities to streamline pretrial proceedings, reduce duplicative discovery and conflicting pretrial obligations, prevent inconsistent rulings on common evidentiary challenges and summary judgment motions, and conserve the resources of the parties, their counsel, and the judiciary.

The decision to centralize 46 actions across seven districts was supported by several of the organizations named in the lawsuits, including Aetna, Community Health Systems, Brightline, and Fortra. Anthem Insurance Companies Inc. was named in a single action and was against centralization, and plaintiffs in the District of Minnesota held no position on consolidation, although favored Minnesota if consolidated. The Judicial Panel on Multidistrict Litigation chose the Southern District of Florida to hear the case as that is where 18 of the lawsuits were filed, more than in any other appropriate transferee district.

The consolidated data breach litigation includes 18 actions against NationBenefits LLC/NationBenefits Holdings in the Southern District of Florida, 8 against Community Health Systems Inc./CHSPSC LLC in the Middle District of Tennessee, 7 against Intellihartx in the Northern District of Ohio, 4 actions against Brightline Inc in the Northern District of California, 4 against Aetna Inc/Aetna International and 3 against NationBenefits LLC in the District of Connecticut, 1 against Anthen Insurance Companies Inc in the Southern District of Indiana, and 1 against Fortra LLC in the District of Minnesota.

The post Fortra GoAnywhere Hacking Lawsuits Consolidated in the Southern District of Florida appeared first on HIPAA Journal.

HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations

The U.S. Department of Health and Human Services (HHS) has finalized the proposed modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2). “The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.

The Part 2 regulations have been in effect since 1975 and protect “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder [SUD] education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” These records are subject to strict protections due to the sensitivity of the information contained in those records and avoid deterring people from seeking treatment for SUD due to fears about discrimination and prosecution.

The bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) called for the Part 2 regulations to be more closely aligned with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Breach Notification, and Enforcement Rules. On December 2, 2022, the HHS, via the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), published a Notice of Proposed Rulemaking (NPRM) to implement the changes required by the CARES Act. The comments received from industry stakeholders in response to the NPRM have been considered and appropriate modifications have been made before finalizing the changes.

The modifications include permitting the use and disclosure of Part 2 records based on a single patient consent. Once that consent has been given by a patient it covers all future uses and disclosures for treatment, payment, and health care operations. The final rule also permits disclosure of records without patient consent to public health authorities, provided the records are first deidentified using the methods stated in HIPAA. Redisclosure of Part 2 records by HIPAA-covered entities and business associates is permitted, provided those disclosures are in accordance with the HIPAA Privacy Rule, with certain exceptions. Separate consent is required for the disclosure of SUD clinician notes, which will be handled in the same way that psychotherapy notes are handled under HIPAA.

Patients’ SUD treatment records were already protected and could not be used to investigate or prosecute the patient unless written consent is obtained from the patient or as required by a court order that meets Part 2 requirements. Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have also been expanded in the final rule. The final rule clarifies the steps that investigative agencies must follow to be eligible for safe harbor. Before any request for records is made, the agency is required to search the SAMHSA treatment facility directory and check the provider’s Notice of Privacy Practices to determine if they are subject to Part 2.

The final rule gives patients new rights to obtain an “accounting of disclosures,” request restrictions on certain disclosures, and opt out of receiving fundraising communications, as is the case under the HIPAA Privacy Rule. Patients will also be able to file a complaint about Part 2 violations directly with the Secretary. In the event of a breach of Part 2 records, the requirements for notifications are now the same as the HIPAA Breach Notification Rule. The HHS has also been given enforcement authority, including the ability to impose civil monetary penalties for Part 2 violations. The criminal and civil penalties for Part 2 violations will be the same as those for violations of the HIPAA Rules.  Other changes that have been introduced based on comments received on the NPRM include a statement confirming that Part 2 records do not need to be segregated and that it is not permitted to combine patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.

“Patient confidentiality is one of the bedrock principals in health care. People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration has made it a priority to end the stigmatization of those living with substance use disorders and give health care providers the tools they need so they can treat the whole patient while continuing to protect patient privacy. We will not rest until behavioral health is fully integrated into health care and those struggling with behavioral health challenges get the best treatment available.”

The final rule is due to be published in the Federal Register in mid-February. The compliance date has been set as 2 years from the date of publication. A fact sheet has been published by the HHS summarizing the changes that have been made in the Final Rule.

The post HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations appeared first on HIPAA Journal.

U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit

US Fertility LLC, the operator of more than 100 fertility clinics across the United States, has proposed a $5.75 million settlement to resolve a class action lawsuit that was filed in response to a data breach that exposed the data of around 900,000 patients.

U.S. Fertility announced in November 2020 that hackers had gained access to its network and installed malware (ransomware) that rendered certain systems inaccessible. The breach was detected on September 14, 2020; however, the hackers first gained access to the network on August 12, 2020. Before encrypting files, the hackers exfiltrated sensitive patient data including names, addresses, dates of birth, MPI numbers, Social Security numbers, medical information, and financial information.

A class action lawsuit was filed that alleged U.S. Fertility was negligent by failing to implement reasonable and appropriate cybersecurity measures to protect highly sensitive patient data from unauthorized access. Had those measures been implemented, the breach could have been prevented or its severity would have been severely reduced. U.S. Fertility maintains there was no wrongdoing but decided to settle the lawsuit.

Under the settlement terms, all class members are entitled to a $50 cash payment. Class members whose data was stolen from a California clinic will be entitled to claim an additional cash payment of $200. Claims may also be submitted for up to 4 hours of lost time at $25 per hour, and unreimbursed out-of-pocket losses can be claimed and will be paid up to a maximum of $15,000 per claimant. Claims for reimbursement of losses must be supported by receipts, account statements, IRS documents, police reports, FTC reports, professional invoices, and other documentation. The cash payments may be reduced and paid pro-rata depending on the number of claims submitted.

Individuals who wish to object to the settlement or exclude themselves have until February 20, 2024, to do so. All claims must be submitted by March 19, 2024. The final settlement hearing has been scheduled for April 18, 2024.

The post U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Montefiore Medical Center has agreed to settle the investigation and has paid a $4.75 million penalty to resolve the alleged HIPAA violations. With this one penalty, OCR has already exceeded its total collections from its HIPAA enforcement actions in 2023 and this is the largest financial penalty to be imposed by OCR since January 2021’s $5.1 million penalty for Excellus Health Plan.

Like the Excellus investigation, OCR uncovered multiple failures to comply with the HIPAA Security Rule; however, the Excellus investigation was in response to a breach of the PHI of 9.35 million individuals. Montefiore Medical Center’s penalty stemmed from a report of a breach of the PHI of 12,517 patients. The scale of a data breach is taken into consideration by OCR when determining an appropriate penalty, but it is the nature of the underlying HIPAA violations that has the biggest impact on the size of a penalty, and Montefiore Medical Center’s HIPAA violations were deemed to be severe.

Montefiore Medical Center, a non-profit hospital system based in New York City, was notified by the New York Police Department in May 2015 that evidence had been uncovered of criminal HIPAA violations at the medical center. A patient’s protected health information had been stolen by an employee. An investigation was launched which revealed the employee had unlawfully accessed the medical records of 12,517 patients, copied their information, and sold the information to identity thieves. The former employee had been accessing the records without authorization for 6 months between January 1, 2013, through June 30, 2013.

Montefiore Medical Center notified OCR about the breach on July 22, 2015, and OCR informed Montefiore Medical Center on November 23, 2015, that it had initiated an investigation to assess whether the medical center was compliant with the HIPAA Rules. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to implement procedures to review records of activity in information systems, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems.

The insider incident investigated by OCR was not the last time that the medical center has had to deal with malicious insiders. There was an incident involving an employee accessing patient records without authorization between January 2018 and July 2020. The employee had accessed the records of 4,000 patients in connection with a vendor as part of a billing scam. In 2021, the medical center confirmed that another employee had accessed the medical records of patients without authorization over a period of 5 months in 2020. The Medical Center has since implemented a system to monitor patient records for unauthorized access by employees.

Montefiore Medical Center chose to settle the allegations with no admission of wrongdoing and agreed to implement a corrective action plan which includes the following requirements:

  • Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
  • Develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
  • Develop and implement a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
  • Distribute the revised policies and procedures to the workforce and provide training to the workforce on those revised policies and procedures.
  • Review and revise current Privacy and Security Rules policies and procedures based on the findings of the risk analysis.

OCR will monitor Montefiore Medical Center for compliance with the HIPAA Rules for 2 years. “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”

In the announcement about the settlement, OCR reminded HIPAA-regulated entities of their obligations under HIPAA to implement safeguards to mitigate or prevent cyber threats, including threats that originate inside as well as outside the organization. This settlement makes clear the consequences of failing to implement those safeguards.

The post Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty appeared first on HIPAA Journal.

FTC Orders Blackbaud to Improve Security and Enforce Data Retention Policies

The Federal Trade Commission (FTC) has ordered South Carolina-based Blackbaud to implement a raft of security measures and enforce its data retention policies to ensure that customer data is not retained any longer than it is needed. Blackbaud is a customer relationship management software provider, whose software is used by 35,000 fundraising entities, including many nonprofit healthcare organizations to increase philanthropic revenue. In early 2020, a hacker used a Blackbaud customer’s login name and password to access the customer’s Blackbaud-hosted database. Once access was gained, the hacker was able to move laterally by exploiting security vulnerabilities to access multiple Blackbaud-hosted environments and remained undetected in Blackbaud’s environment for 3 months.

Over those 3 months, the hacker exfiltrated a vast amount of unencrypted data from tens of thousands of customers, which included the personal and protected health information of millions of individuals. The stolen data included names, contact information, medical information, health insurance information, Social Security numbers, and bank account details. The hacker threatened to publish the stolen data and Blackbaud negotiated a 24 Bitcoin ($235,000) payment for the data to be deleted. Blackbaud was, however, unable to conclusively verify that the stolen data had been deleted.

A Catalog of Security Failures

According to the FTC complaint, the acts and practices of Blackbaud constituted unfair and/or deceptive practices in violation of Section 5(a) of the Federal Trade Commission (FTC) Act. The FTC alleged that Blackbaud had failed to implement reasonable and appropriate security practices to protect the sensitive personal information of consumers. The lack of safeguards allowed an unauthorized individual to gain access to customer data and deficient security practices and the failure to enforce its data retention policies magnified the severity of the data breach.

The FTC alleged that Blackbaud allowed customers to store highly sensitive information such as Social Security numbers and bank account information in unencrypted fields and customers could upload attachments containing sensitive personal information which were not encrypted. Further, Blackbaud did not encrypt its database backup files which contained complete customer records from the products’ databases.

While Blackbaud had data retention policies, these were not enforced, which meant the company retained the data of its customers for years longer than was necessary, even the data of former customers and prospective customers. The FTC also slammed Blackbaud for waiting for 2 months to notify customers about the data breach and misrepresenting the scope and severity of the data breach in those notifications due to “an exceedingly inadequate investigation.”

Blackbaud explained in the July 16, 2023, notification letters that financial information and Social Security numbers were not compromised and said no action was required because no personal information was accessed. Blackbaud’s post-breach investigation determined on July 31, 2020, that the hacker had exfiltrated customer data, but then waited until October 2020 to disclose that information to its customers.

The affected consumers were denied the opportunity to take steps to protect against identity theft and fraud, and since the breach, Blackbaud has received multiple complaints from consumers about identity theft and fraud using their personal information, indicating the hacker did not delete the data. Blackbaud did agree to pay for credit monitoring services, but those services were offered months after the breach and only to a limited subset of the affected customers.

Blackbaud made explicit representations about its information security practices which led customers to believe that personal information would be protected; however, the FTC alleged that there were insufficient password controls, a lack of multifactor authentication, a failure to monitor logs for signs of unauthorized system activity,  a failure to enforce its data retention policies, a failure to patch outdated software and systems promptly, a failure to implement appropriate firewall controls, a failure to implement appropriate network segmentation, and a failure to test, audit, assess, or review its products’ or applications’ security features. Blackbaud also failed to conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases.

FTC Orders Major Security Updates and Data Deletion

The FTC alleged unfair information security practices, unfair data retention practices, unfair inaccurate breach notifications, deceptive initial breach notifications, and deceptive security statements. The FTC’s proposed order requires Blackbaud to implement and maintain a comprehensive information security program that complies with industry best practices. The order includes 14 security requirements and Blackbaud is also required to delete all customer data that is not required and undergo independent security assessments.

“Today’s action builds on a series of cases that have made clear that maintaining a data retention and deletion schedule is a critical part of protecting consumers’ data security,” said FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya in a joint statement about the consent order. “The Commission has also made clear that efforts to downplay the extent or severity of a data breach run afoul of the law.”

Blackbaud previously settled a multistate action with the attorneys general in 48 states and the District of Columbia and paid a $49.5 million penalty, and was ordered to pay a $3 million civil monetary penalty by the U.S. Securities and Exchange Commission for omitting important facts about the data breach in its August 2020 quarterly report. Blackbaud is also being sued by consumers whose personal information was stolen.

The post FTC Orders Blackbaud to Improve Security and Enforce Data Retention Policies appeared first on HIPAA Journal.

Florida Bill Seeks Safe Harbor for Organizations with Robust Cybersecurity Programs

Healthcare organizations and businesses in Florida could soon be given protection against data breach lawsuits if they implement and maintain cybersecurity measures that meet government and industry standards. The Florida Cybersecurity Incident Liability Act (H.B 473) has been introduced in the Florida legislature and aims to introduce a “safe harbor” that limits liability for all businesses that implement reasonable and appropriate cybersecurity measures that meet industry standards and cybersecurity frameworks.

Businesses can make significant investments in cybersecurity to protect their networks and sensitive data from unauthorized access, but the sophisticated nature of cyber threats means that cyberattacks may still succeed. It is now common for multiple lawsuits to be filed over data breaches that allege a failure to implement appropriate cybersecurity measures, irrespective of the cybersecurity measures that have been implemented. The Florida Cybersecurity Incident Liability Act is intended to provide businesses with a legal defense against tort claims in data breach lawsuits and encourage the adoption of security frameworks.

The Florida Cybersecurity Incident Liability Act will place limitations on liability for cybersecurity incidents. Counties, municipalities, and businesses that acquire, maintain, store, or use personal information will not be liable in connection with a cybersecurity incident provided they have adopted a cybersecurity program that substantially aligns with any standards, guidelines, or regulations that implement any of the following:

  • The NIST Framework for Improving Critical Infrastructure Cybersecurity
  • NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST Special Publication 800-53 and 800-53A – Security and Privacy Controls for Information Systems and Organizations / Assessing Security and Privacy Controls in Information Systems and Organizations
  • The Federal Risk and Authorization Management Program 42 security assessment framework
  • The Center for Internet Security (CIS) Critical Security Controls.
  • The International Organization for Standardization/International Electrotechnical Commission 27000 series (ISO/IEC 27000) family of standards

There will also be limitations on liability for entities that are regulated by the state or Federal Government or that are otherwise subject to the following laws and regulations:

  • The Health Insurance Portability and Accountability Act’s security requirements (45 C.F.R. part 160 and part 164 55 subparts A and C)
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act requirements (45 C.F.R. parts 160 and 164.)
  • Title V of the Gramm-Leach-Bliley Act
  • The Federal Information Security Modernization Act of 2014

The scale and scope of substantial alignment of a cybersecurity program with these laws reflect the size, complexity, and nature of the business activities, as well as the sensitivity of the personal information collected and stored, the availability and cost of security improvement tools, and the available resources for cybersecurity. In data breach lawsuits, the defendant will have the burden of proof to establish substantial compliance with these laws, cybersecurity frameworks, and standards.

The post Florida Bill Seeks Safe Harbor for Organizations with Robust Cybersecurity Programs appeared first on HIPAA Journal.

Russian National Sanctioned for Medibank Ransomware Attack

A Russian national who was involved in a ransomware attack on the Australian health insurance provider Medibank in 2022 has been sanctioned by the governments on Australia, the United States, and the United Kingdom.

Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, is believed to have been a member of the now-disbanded ransomware group REvil. REvil was one of the most notorious cybercriminal groups until July 2021 when the group ceased operations and disappeared. Prior to that, the group was a ransomware-as-a-service group that encrypted appropriately 175,000 computers and was paid an estimated $200 million in ransom payments from its attacks.

In October 2022, REvil gained access to the Medibank network and stole the data of approximately 9.7 million of its customers and then used ransomware to encrypt files. The stolen data included names, dates of birth, Medicare numbers, and highly sensitive medical information including mental health, sexual health and drug use data.

As a Russian national, Ermakov is unlikely to face justice for the Revil attacks as there is no extradition treaty with Australia, the United States, or the United Kingdom and Ermakov is unlikely to travel to any country where there is a risk of arrest. The U.S. Department of the Treasury criticized Russia for allowing ransomware gangs to operate within its borders and freely conduct attacks around the world, and for enabling ransomware attacks by cultivating and co-opting criminal hackers. The Treasury has called for Russia to take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.

The sanctions mean that it is a criminal offence to provide any assets to Ermakov or to use or deal with any of his assets, which includes making ransom payments through cryptocurrency wallets. Australia was the first to sanction Ermakov, closely followed by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the UK government. OFAC said all property and interests in property of Ermakov that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. Any entities that are directly or indirectly 50% or more owned by Ermakov are also blocked. Violation of the sanctions is punishable by up to 10 years’ imprisonment.

“Russian cyber actors continue to wage disruptive ransomware attacks against the United States and allied countries, targeting our businesses, including critical infrastructure, to steal sensitive data,” said Under Secretary of the Treasury Brian E. Nelson. “Today’s trilateral action with Australia and the United Kingdom, the first such coordinated action, underscores our collective resolve to hold these criminals to account.”

The post Russian National Sanctioned for Medibank Ransomware Attack appeared first on HIPAA Journal.