The Houston, TX-based medical device company, LivaNova, is facing multiple class action lawsuits over an October 2023 cyberattack that exposed the protected health information of 180,000 patients.

The attack was detected on November 19, 2023, and the investigation confirmed that unauthorized individuals first accessed its network on October 26, 2023. The data compromised in the incident included names, addresses, phone numbers, Social Security numbers, birth dates, diagnoses, treatment information, prescriptions, physician names, medical record numbers, device serial numbers, and health insurance information. Notifications were issued in May 2024, and complimentary credit monitoring services were offered to the affected individuals.

At least two lawsuits have now been filed by patients whose information was exposed in the incident. One of those lawsuits was filed in the U.S. District Court for the Southern District of Texas, Houston Division, on behalf of J.W., by and through her guardian, Angela Johnson. The lawsuit alleges LivaNova maintained sensitive information in a reckless manner and despite its legal obligations and promises to secure the data it held, failed to implement reasonable and appropriate cybersecurity measures. The lawsuit alleges the cyberattack and data breach were foreseeable and preventable, and occurred as a result of inadequate cybersecurity measures.

The lawsuit also accuses the defendant of failing to issue prompt and accurate breach notifications to the affected individuals. The notification letters were sent 6 months after the security breach was detected and 7 months after it occurred. The lawsuit alleges the plaintiff and class members face an ongoing risk of fraud, identity theft, and other misuses of their sensitive information as a result of the data breach.

The lawsuit alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and a violation of the Illinois Consumer Fraud Act and seeks damages, injunctive relief, an award of attorneys’ fees, court costs, and litigation costs, and equitable relief, including an order from the court compelling LivaNove to implement a long list of security measures to prevent similar breaches in the future. The plaintiff and class are represented by Joe Kendall of Kendall Law Group PLLC and Mariya Weekes of Millberg, Coleman, Bryson, Phillips, Grossman PLLC.

Another lawsuit was filed by plaintiff Arthur Podroykin in the U.S. District Court for the Southern District of Texas that alleges LivaNova breached its duties under common law, contract, the Federal Trade Commission Act, and the Health Insurance Portability and Accountability Act.

The post LivaNova Facing Multiple Class Action Lawsuits Over October 2023 Cyberattack appeared first on The HIPAA Journal.

Pennsylvania has updated its data breach notification law, narrowing the definition of personal information, adding the requirement to notify the state Attorney General, and requiring credit monitoring services to be provided to data breach victims in certain circumstances. The Breach of Personal Information Notification Act was amended by Senate Bill 824 and was signed into law by state Governor Josh Shapiro on June 28, 2024. The amended law takes effect on September 26, 2024.

The law requires organizations that maintain computerized data that includes personal information to issue notifications to the affected individuals in the event of a breach of their unencrypted and unredacted personal information, or if personal information is reasonably believed to have been accessed or obtained by an unauthorized individual. Notifications must be sent without unreasonable delay, but there is no fixed time frame for issuing those notifications unless the breach occurs at a Pennsylvania state agency or state agency contractor, in which case the notifications must be issued within 7 days of the determination of a data breach.

Personal information is defined as an individual’s name combined with any of the following: Social Security number, driver’s license number, state identification card number, financial account /credit card/debit card number along with information that would allow the account to be accessed, medical information, health insurance information, or a username/email address and password combination that would allow the online account to be accessed. The amendment changes the term “medical information” to “medical information in the possession of a state agency or state agency contractor.”

In addition to issuing individual notifications, entities are now required to notify the Pennsylvania Attorney General at the same time that individual notifications are sent if the breach requires notification to more than 500 individuals in the Commonwealth, with exemptions for certain insurance companies. The Attorney General should be informed about the date of the breach, the known or estimated number of affected individuals, the known or estimated number of affected Pennsylvania residents, and a summary of the breach incident.

Previously, entities that suffered a breach subject to the Breach of Personal Information Notification Act were required to notify consumer reporting agencies about the breach if it affected more than 1,000 individuals. The threshold for notification has now been reduced to 500 individuals. The most important change for Pennsylvania residents is the legal requirement for a breached entity to provide credit monitoring services for 12 months, under certain circumstances.

Credit monitoring services must be provided if a consumer reporting agency is required to be notified by law and if the breach involved an individual’s Social Security number, bank account number, driver’s license number, or state identification number. The services must include access to an independent credit report from a consumer reporting agency if the individual is not eligible to obtain a free credit report and access to credit monitoring services for 12 months from the date of notification. If the individual is eligible to receive those services free of charge for 12 months, it is an acceptable alternative to advise them of the availability of those free services.

The post Pennsylvania’s Updated Breach Notification Law Requires Credit Monitoring Services for Breach Victims appeared first on The HIPAA Journal.

A Seattle, WA, plastic surgery practice has been ordered to pay a financial penalty of $5 million to the Office of the Washington Attorney General to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), Washington Consumer Protection Act (CPA), and the federal Consumer Review Fairness Act (CRFA).

Dr. Javad Sajan, the owner of Allure Esthetic, has offices in Washington and other states and provides surgical and non-surgical plastic and cosmetic surgery procedures operating as Allure Esthetic, Gallery of Cosmetic Surgery, Seattle Plastic Surgery, Alderwood Surgical Center, Northwest Nasal Sinus Center, and Northwest Face and Body.

Washington Attorney General, Bob Ferguson, filed a lawsuit against Allure Esthetic and Dr. Sajan alleging the practice falsified online reviews to inflate the plastic surgeon’s reputation. According to the lawsuit, between 2017 and 2019, Dr. Sajan forced patients to sign illegal non-disclosure agreements that prohibited them from posting any negative online comments about Allure Esthetic. Those non-disclosure agreements were only provided after a $100 non-refundable consultation fee was paid. The non-disclosure agreements also required some patients to waive their HIPAA rights to allow the practice to respond to negative reviews using their personal health information.

Patients who were unhappy with their treatment and posted negative reviews were offered money and free services if they agreed to take down their reviews, and were threatened with fines if they posted negative reviews in the future. Some patients were sued when they refused to take down their truthful reviews. Dr. Sajan was also accused of instructing employees to set up fake email accounts posing as patients to post fake, positive reviews on sites such as Yelp and Google, and altering before and after photographs before they were added to the company’s social media accounts. Dr. Sajan was also accused of rigging “best doctor” competitions hosted by local media outlets, and applying for and retaining tens of thousands of dollars in rebates that should have been provided to patients.

In April 2024, a federal judge ruled that Allure’s non-disclosure agreements violated the Consumer Review Fairness Act (CRFA), which protects consumers’ rights to post truthful reviews about a business, and that Allure Esthetic’s practices violated HIPAA and the CPA. The consent decree issued by the U.S. District Court for the Western District of Washington requires Allure to pay $1.5 million in restitution to around 21,000 Washington residents. Each of those individuals will receive a check for $50 or $120, based on their circumstances. If they were forced to sign a non-disclosure agreement they will receive $50, and if they paid the non-refundable fee, they will receive $120 as a refund of the fee plus interest.

Allure is required to notify all individuals by mail that they will be receiving a check as a result of the Attorney General’s lawsuit and that they have been freed from the terms of their illegal NDAs. Allure must also send them their checks along with a letter from the Attorney General’s Office. The remaining $3.5 million of the settlement will go to the Attorney General’s Office to cover attorneys’ fees, investigation and prosecution costs, future monitoring, and enforcement of the decree and Washington’s consumer protection laws.

Allure is also required to conduct an audit of all review sites and request the removal of any review that Allure was involved in creating, posting, or shaping, and must remove any misleading photographs from its social media platforms. Allure is prohibited from altering future before and after photographs and using and attempting to enforce illegal non-disclosure agreements. Allure must also pay for a third-party forensic accounting company to conduct a full audit of its consumer rebate program to identify all consumers owed rebates that were illegally claimed by Allure.

“Writing a truthful review about a business should not subject you to threats or intimidation,” said AG Ferguson. “Consumers rely on reviews when determining who to trust, especially services that affect their health and safety. This resolution holds Allure accountable for brazenly violating that trust — and the law — and ensures the clinic stops its harmful conduct. We will take action against any business that attempts to silence and intimidate honest Washingtonians.”

The post Seattle Plastic Surgery Practice to Pay $5 Million to Resolve False Review and Illegal NDA Lawsuit appeared first on The HIPAA Journal.

A Seattle, WA, plastic surgery practice has been ordered to pay a financial penalty of $5 million to the Office of the Washington Attorney General to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), Washington Consumer Protection Act (CPA), and the federal Consumer Review Fairness Act (CRFA).

Dr. Javad Sajan, the owner of Allure Esthetic, has offices in Washington and other states and provides surgical and non-surgical plastic and cosmetic surgery procedures operating as Allure Esthetic, Gallery of Cosmetic Surgery, Seattle Plastic Surgery, Alderwood Surgical Center, Northwest Nasal Sinus Center, and Northwest Face and Body.

Washington Attorney General, Bob Ferguson, filed a lawsuit against Allure Esthetic and Dr. Sajan alleging the practice falsified online reviews to inflate the plastic surgeon’s reputation. According to the lawsuit, between 2017 and 2019, Dr. Sajan forced patients to sign illegal non-disclosure agreements that prohibited them from posting any negative online comments about Allure Esthetic. Those non-disclosure agreements were only provided after a $100 non-refundable consultation fee was paid. The non-disclosure agreements also required some patients to waive their HIPAA rights to allow the practice to respond to negative reviews using their personal health information.

Patients who were unhappy with their treatment and posted negative reviews were offered money and free services if they agreed to take down their reviews, and were threatened with fines if they posted negative reviews in the future. Some patients were sued when they refused to take down their truthful reviews. Dr. Sajan was also accused of instructing employees to set up fake email accounts posing as patients to post fake, positive reviews on sites such as Yelp and Google, and altering before and after photographs before they were added to the company’s social media accounts. Dr. Sajan was also accused of rigging “best doctor” competitions hosted by local media outlets, and applying for and retaining tens of thousands of dollars in rebates that should have been provided to patients.

In April 2024, a federal judge ruled that Allure’s non-disclosure agreements violated the Consumer Review Fairness Act (CRFA), which protects consumers’ rights to post truthful reviews about a business, and that Allure Esthetic’s practices violated HIPAA and the CPA. The consent decree issued by the U.S. District Court for the Western District of Washington requires Allure to pay $1.5 million in restitution to around 21,000 Washington residents. Each of those individuals will receive a check for $50 or $120, based on their circumstances. If they were forced to sign a non-disclosure agreement they will receive $50, and if they paid the non-refundable fee, they will receive $120 as a refund of the fee plus interest.

Allure is required to notify all individuals by mail that they will be receiving a check as a result of the Attorney General’s lawsuit and that they have been freed from the terms of their illegal NDAs. Allure must also send them their checks along with a letter from the Attorney General’s Office. The remaining $3.5 million of the settlement will go to the Attorney General’s Office to cover attorneys’ fees, investigation and prosecution costs, future monitoring, and enforcement of the decree and Washington’s consumer protection laws.

Allure is also required to conduct an audit of all review sites and request the removal of any review that Allure was involved in creating, posting, or shaping, and must remove any misleading photographs from its social media platforms. Allure is prohibited from altering future before and after photographs and using and attempting to enforce illegal non-disclosure agreements. Allure must also pay for a third-party forensic accounting company to conduct a full audit of its consumer rebate program to identify all consumers owed rebates that were illegally claimed by Allure.

“Writing a truthful review about a business should not subject you to threats or intimidation,” said AG Ferguson. “Consumers rely on reviews when determining who to trust, especially services that affect their health and safety. This resolution holds Allure accountable for brazenly violating that trust — and the law — and ensures the clinic stops its harmful conduct. We will take action against any business that attempts to silence and intimidate honest Washingtonians.”

The post Seattle Plastic Surgery Practice to Pay $5 Million to Resolve False Review and Illegal NDA Lawsuit appeared first on The HIPAA Journal.

An Iowa emergency room doctor has pleaded guilty to violating HIPAA by knowingly accessing the medical records of two patients without authorization when there was no treatment relationship with the patients. Dr. Gabriel Alejandro Hernandez Roman, 30, was a resident at two University of Iowa hospitals between 2020 and 2023, one in Cedar Rapids and another in Iowa City. During that time, Hernandez Roman knowingly and without authorization obtained the medical records of two individuals without their knowledge or consent. The two individuals did not have a treatment relationship with Hernandez Roman and were former romantic partners.

University of Iowa Hospitals and Clinics (UIHC) launched an investigation in early 2023 into the alleged privacy violations, confirmed that the patient records had been accessed, and questioned Hernandez Roman about why he had accessed the medical records.  Hernandez Roman confirmed he was in a relationship with the first woman and said he accessed her records because he was concerned that she was having a psychotic breakdown. He also admitted to accessing the records of another former partner to check lab results for any sexually transmitted infections.

In another incident in January 2022, Hernandez Roman took a photograph of a patient’s prolapsed rectum when there was no legitimate medical reason for taking the photo and sent it via Snapchat to a woman he was dating at the time along with an unprofessional commentary. Hernandez Roman lied to the investigator about the reason for sharing the photo, which he claimed was sent to his mother to remind her of the importance of fiber intake. Following the investigation, Hernandez Roman’s Emergency Medicine Residency was terminated.

Hernandez Roman was also investigated by the Iowa Board of Medicine over his performance and privacy violations. The Board of Medicine investigation revealed Hernandez Roman’s performance fell below what was expected, his recordkeeping was poor, and concerns had been raised about the amount of time he spent on his phone. Numerous patients had requested they be treated by a different physician, and complaints had been made by nurses about his lack of professionalism with staff, patients, and patients’ families. The board also learned that he had been moonlighting at a hospital in Ottumwa when he had not received authorization from UIHC and had not completed the required coursework.

Hernandez Roman blamed his unprofessional behavior on poor mental health and cultural and language barriers; however, those arguments were rejected by the Board of Medicine which found the justification he provided for accessing the private health information of women he had a sexual/romantic relationship with was blatantly untruthful and he had a history of dishonesty. In February 2024, the Board of Medicine issued an emergency order suspending his license indefinitely due to unprofessional conduct and alleged incompetence and imposed a $7,500 financial penalty. Before the suspension can be lifted, the Board of Medicine requires Dr. Hernandez Roman to complete a comprehensive psychological evaluation, complete any recommended treatment, and provide proof of completion of a board-approved course on ethics, professional boundaries, recordkeeping, and patient privacy.

Hernandez Roman was also charged with criminal HIPAA violations. Under the plea agreement, he pled guilty to one count of wrongfully obtaining individually identifiable health information relating to an individual under false pretenses and faces a jail term of up to 5 years, three years of supervised release, and a fine of up to $250,000.

The post Iowa Doctor Pleads Guilty to HIPAA Violations appeared first on The HIPAA Journal.