Legal News about HIPAA and Healthcare Compliance

BioPlus Specialty Pharmacy Services Proposes Settlement to Resolve Data Breach Lawsuit

BioPlus Specialty Pharmacy Services has proposed a settlement to resolve a class action lawsuit that was filed in response to a 2021 data breach that exposed the data of up to 350,000 patients. Hackers gained access to the BioPlus network for more than 2 weeks between October and November 2021, and potentially stole names, dates of birth, contact information, health insurance information, prescription information, and Social Security numbers. The Florida specialty pharmacy chain notified the affected individuals within a month and offered them complimentary credit monitoring services.

A lawsuit was filed over the data breach alleging BioPlus should have prevented the breach and could have if reasonable cybersecurity measures had been implemented and industry-standard security best practices had been followed. BioPlus disagreed with the allegations; however, a settlement has been proposed to bring the legal action to an end. BioPlus has not admitted liability or any wrongdoing related to the cyberattack and data breach.

Under the terms of the proposed settlement, class members may submit claims of up to $7,550 and will be reimbursed for out-of-pocket expenses incurred as a result of the data breach. The maximum claim permitted depends on whether Social Security numbers were compromised. If they were, class members can claim a cash payment of $50 and can claim up to $7,500 for documented expenses incurred as a result of the data breach, including 3 hours of lost time at $25 per hour, and any unreimbursed losses to identity theft and fraud.

Class members whose Social Security numbers were not breached cannot claim a cash payment and claims will be limited to a maximum of $750, including 2 hours of lost time at $25 per hour. Any individual who wishes to object to or be excluded from the settlement must do so by June 18, 2024, and all claims must be submitted by the same date. The settlement has received preliminary approval from the court and the final settlement hearing is scheduled for August 22, 2024. The plaintiff and class were represented by attorneys at Morgan & Morgan and Markovits, Stock, & DeMarco LLC.

The post BioPlus Specialty Pharmacy Services Proposes Settlement to Resolve Data Breach Lawsuit appeared first on HIPAA Journal.

BakerHostetler Report Identifies Healthcare Data Breach and Litigation Trends

BakerHostetler has released the 10th edition of its Data Security Incident Response Report, which shares data from the incidents the law firm has helped to manage. The report provides insights into the current cyber threat landscape and litigation trends.

Data Breach Insights

Healthcare accounted for 28% of data breach incidents, followed by finance and insurance (17%), business and professional services (15%), and education (13%). The biggest known root cause of all incidents was the exploitation of unpatched vulnerabilities (23% of incidents) followed by phishing (20%). By far the most common cause of security incidents in 2023 was network intrusions, which accounted for 51% of security incidents the law firm helped to manage, followed by business email compromise incidents (26%), and inadvertent disclosures (26%).

Cybercriminals are getting better at covering their tracks, as the root cause of 36% of network intrusions could not be determined. The main known cause of these incidents was vulnerability exploitation (25% of attacks). Phishing was involved in 9% of network intrusions, 5% involved brute force or credential stuffing, 4% were due to misconfigurations, 3% were due to RDP compromise, and 3% due to social engineering. 72% of successful network intrusions involved the deployment of ransomware, 57% involved data exfiltration, and 46% saw malware installed.

The average ransom demand was $2,644,647 and the average ransom payment was $747,651 but these were considerably higher in healthcare with an average demand of $3,492,434 and an average ransom payment of $857,933. In healthcare, it took an average of 13.4 days to acceptable data restoration and an average of 158,362 notifications had to be sent. As has been seen in other data, the percentage of victims paying a ransom is falling. 27% of attacked companies paid a ransom in 2023, compared to 40% in 2022.

The was a significant increase in data breaches at vendors. In 2023, business associates were responsible for 60% of the breaches of 500 or more records that were reported to the HHS’ Office for Civil Rights (OCR), compared to 35% in 2022. There was also a major increase in the size of healthcare data breaches, jumping by almost 200% from 2022 to 2023, from 56.9 million individuals to 144.5 million in 2023. The median time from incident to discovery was 2 days, 0 days to containment, 33 days to complete the forensic investigation, and 60 days from discovery to notification. The average time from occurrence to detection was 42 days and from detection to notice was 75 days.

Phishing and social engineering attacks have been getting more sophisticated. New social engineering scams that have become common involve threat actors contacting IT helpdesks to request password resets and enroll new devices to accept MFA codes. Several business email compromise attacks occurred as a result of QR code phishing attacks (Quishing), and many phishing attacks occurred via SMS messages (smishing). While multifactor authentication was sufficient to keep threat actors out of email accounts, MFA is increasingly bypassed in attacks. 43% of incidents required notifications to be issued, with an average of 98,504 notifications required. Out of the 493 incidents that required notifications to be issued, 58% resulted in lawsuits being filed, up from 42 in 2022.

Class Action Lawsuits Over Tracking Technologies Soar

Class action lawsuits over website tracking technology breaches are increasingly being filed, especially against healthcare organizations following guidance from the HHS’ Office for Civil Rights warning that the technologies violated HIPAA. The Federal Trade Commission (FTC) is also cracking down on organizations that use the technology without informing consumers.

BakerHostetler is currently defending more than 300 privacy or data security lawsuits and over 100 of those lawsuits involve data breaches due to the use of tracking technologies. More than 200 lawsuits have now been filed against healthcare organizations as a result of the use of tracking technologies, 75% of which were filed in the past year. Many of these lawsuits are still in the early stages, with only one case so far granted class certification and one that has had class certification denied. The first trial in a healthcare website tracking technology lawsuit is due to take place this summer. Several lawsuits have been quickly settled, with each individual due to receive an average of between $4 and $5. Since those settlements have been announced there has been an increase in the initial demands for damages.

OCR Enforcement Insights

After three years of relatively high numbers of enforcement actions, 2023 saw a fall in OCR enforcement activity. In 2023 there was a notable reduction in enforcement actions over HIPAA Right of Access violations (4) than the average of 14 over the previous three years. While there was an increase in enforcement actions for other HIPAA violations – 10 in 2023 vs 5 in 2022 and 3 in 2021 – OCR only imposed 11 penalties in 2023 to resolve HIPAA violations, compared to an average of 19 in the three previous years. BakerHostetler suggests the drop off in enforcement actions may be due to OCR focusing on another enforcement priority. OCR has issued guidance on HIPAA compliance with respect to website tracking technologies, and BakerHostelter suggests that may now be an enforcement focus for OCR.

The post BakerHostetler Report Identifies Healthcare Data Breach and Litigation Trends appeared first on HIPAA Journal.

Federal Judge Tosses CommonSpirit Health Data Breach Lawsuit Due to Lack of Standing

A federal court judge has recommended a class action lawsuit against CommonSpririt Health over its 2022 data breach should be dismissed due to the failure of the plaintiff to demonstrate that they had been harmed by the data breach.

CommonSpirit Health suffered a ransomware attack on October 2, 2022, that affected more than 100 CommonSpirit Health facilities across the United States. A threat actor gained access to its systems on September 16, 2022, and had access to those systems until October 3, 2022. The forensic investigation and document review confirmed that the protected health information of more than 623,000 patients had been exposed. The exposed data included full names, addresses, healthcare providers, medical record numbers, treatment/prescription information, dates of medical services, other health insurance information, and patient’s facility/account numbers.

Multiple class action lawsuits were filed against CommonSpririt Health over the cyberattack and data breach which made similar claims. The lawsuits alleged CommonSpirit Health was negligent due to the failure to implement reasonable and appropriate safeguards to ensure the privacy of the protected health information it held and delayed issuing breach notifications, which were not sent until April 5, 2023.

One of those lawsuits, Bonnie Maser v. CommonSpirit Health, alleged that the plaintiff suffered injuries as a result of the breach, including more than $3,000 in bank account fraud that led to the closure of her account. As a result of the fraud, the plaintiff could not afford to pay her rent, lost her housing, her credit score dropped 60 points, and she claimed to continue to suffer harm, including panic attacks caused by the stress of the data breach. Maser’s lawsuit alleged negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment.

CommonSpirit Health argued that the plaintiff failed to allege a concrete or imminent harm to support Article III standing, failed to adequately allege the minimum amount in controversy under the Class Action Fairness Act, and failed to state a claim upon which relief could be granted. U.S. Magistrate Judge Suan Prose recommended that the lawsuit be dismissed due to a lack of Article III standing, as the plaintiff failed to demonstrate that the fraudulent charges were fairly traceable to the data breach.

This was the second such lawsuit against CommonSpirit Health to be tossed due to a lack of standing.  Two lawsuits against CommonSpirit Health that were filed in Illinois and were consolidated into a single lawsuit – Jose Antonio Koch individually and on behalf of his two minor children, and another by Leeroy Perkins – was also dismissed due to a lack of standing by District Court Judge Harry D. Leineweber.

The post Federal Judge Tosses CommonSpirit Health Data Breach Lawsuit Due to Lack of Standing appeared first on HIPAA Journal.

Multiple Class Action Lawsuits Filed Against City of Hope National Medical Center Over Data Breach

Several class action lawsuits have been filed against City of Hope National Medical Center, a National Cancer Institute (NCI)-designated cancer treatment and research center, over a recently disclosed data breach that exposed the protected health information of more than 827,000 individuals.

City of Hope National Medical Center identified suspicious activity within its network on October 13, 2023, and the forensic investigation confirmed there had been unauthorized access by a third party between September 19, 2023, and October 12, 2023. During that time, files containing patient data were exfiltrated from its network. The exposed and stolen data included contact information, Social Security numbers, driver’s license numbers, financial information, health insurance information, medical records, medical histories, diagnoses/conditions, and health insurance information. City of Hope National Medical Center issued notification letters on April 2, 2024, and offered the affected individuals complimentary credit monitoring services.

Class action lawsuits started to be filed soon after notification letters were mailed. The lawsuits make similar claims, that City of Hope National Medical Center failed to implement reasonable and appropriate cybersecurity safeguards, did not follow industry best practices for cybersecurity, and that the cyberattack that exposed their sensitive data could have been prevented. The plaintiffs allege that City of Hope National Medical Center should have been aware that it was a likely target for cybercriminals due to the high value of healthcare data on the black market and numerous warnings from federal agencies about the high risk of cyberattacks on the sector. The plaintiffs also allege an unnecessary delay in issuing notifications – five months after the cyberattack was detected.

The plaintiffs allege that injuries have been sustained as a result of the data breach. They face an imminent and increased risk of identity theft and fraud since their sensitive data is now in the hands of cybercriminals, and have and will continue to need to spend time and money protecting themselves from fraud, identity theft, and medical identity theft. At least 8 lawsuits have been filed to date in response to the data breach that make claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. The lawsuits seek class action certification, a jury trial, damages, and injunctive relief.

The post Multiple Class Action Lawsuits Filed Against City of Hope National Medical Center Over Data Breach appeared first on HIPAA Journal.

Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

The Texas health system Ernest Health is being sued by patients who had their protected health information compromised in a recent cyberattack. This is likely to be one of many lawsuits filed against Ernest Health over the theft of at least 94,747 patients’ data. Ernest Health operates hospitals in Arizona, California, Colorado, Idaho, Indiana, Montana, New Mexico, Ohio, South Carolina, Texas, Utah, Wisconsin, and Wyoming. On February 1, 2024, suspicious activity was detected in its networks, with the investigation confirming there had been unauthorized access to its network between January 16, 2024, and February 4, 2024. The LockBit ransomware group claimed responsibility for the attack and threatened to publish the stolen data on its leak site. Ernest Health said the compromised information included names, contact information, dates of birth, health plan IDs, health data, Social Security numbers, and driver’s license numbers.

A lawsuit has been filed by Joe Lara and Lauri Cook on behalf of themselves and similarly situated individuals who had their personal and protected health information compromised in the Ernest Health cyberattack. The lawsuit alleges that Ernest Health lost control of the data of current and former patients due to insufficient cybersecurity safeguards and a lack of cybersecurity training for its employees, which meant it had no effective means to prevent, detect, or stop the attack. The plaintiffs argue that it took 73 days from the initial compromise for Ernest Health to issue individual notifications, which denied them the opportunity to mitigate their injuries in a timely manner.

While Ernest Health said it has implemented additional safeguards in response to the breach, the plaintiffs claim the health system has done too little, too late, and that the offer of credit monitoring and identity theft protection services is wholly insufficient. The lawsuit alleges negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty and seeks a jury trial, declaratory and other equitable relief, injunctive relief, and compensatory, exemplary, punitive damages, and statutory damages. The plaintiffs and class are represented by Joe Kendall of the Kendall Law Group, and Samuel J. Strauss and Raina Borrelli of the law firm, Turke & Strauss.

The post Ernest Health Sued Over 2024 Ransomware Attack and Data Breach appeared first on HIPAA Journal.

MedData Settles Class Action Data Breach Lawsuit for $7 Million

Last month, the Spring, TX-based revenue cycle management firm MedData agreed to a $7 million settlement to resolve a class action lawsuit filed following the exposure of the personal and health information of 136,000 individuals on a public-facing website.

MedData helps healthcare providers and health plans by processing Medicaid eligibility, third-party liability, workers’ compensation, and patient billing, including healthcare providers and health plans such as Memorial Hermann, Aspirus Health Plan, OSF HealthCare, and the University of Chicago Medical Center. All of those HIPAA-covered entities had member and patient data exposed by MedData.

Between December 2018 and September 2019, a MedData employee inadvertently uploaded the data to personal folders on GitHub Arctic Code Vault, which is a public-facing part of the GitHub website. The data remained there unprotected and exposed for more than a year. MedData was informed about the data exposure by a security researcher on December 10, 2020, and the files were removed from GitHub on December 17, 2020.

MedData has faced 5 class action lawsuits over the data breach, four of which have been dismissed. This amended lawsuit is the last remaining action against MedData over the data breach. Under the terms of the settlement, class members can choose one of two payment tiers. The first option allows class members to claim back documented, unreimbursed out-of-pocket expenses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, class members can claim up to $500 for “de-minimis” or minimal affirmative action in response to being notified about the data breach. Regardless of the option chosen, class members can also claim 36 months of health data and fraud monitoring services at no cost. Those services include a $1 million identity theft insurance policy.

The settlement also requires MedData to implement and maintain an enhanced cybersecurity program, which must include robust monitoring and auditing for data security issues, annual cybersecurity testing, training on data privacy for employees, data encryption, enhanced access controls, annual penetration testing, a data deletion policy, and a monitored internal whistleblowing mechanism. The board must also consider appropriate cybersecurity spending annually, and regularly update internal security policies and procedures.

The post MedData Settles Class Action Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.

FTC Prohibits Alcohol Addiction Firm from Sharing Consumer Data with Third Parties

The Federal Trade Commission (FTC) has ordered the alcohol addiction treatment firm Monument to stop disclosing consumers’ health data to third parties for advertising purposes without obtaining affirmative consent. A $2.5 million civil monetary penalty has also been imposed but the penalty has been suspended due to the inability of Monument to pay.

The FTC’s proposed order settles FTC charges that Monument disclosed consumers’ personal and health information to third parties such as Google and Meta between 2020 and 2022 without obtaining consent. The data disclosed revealed that customers were receiving help with alcohol addiction when Monument had informed its customers that their data would remain 100% confidential.

When customers sign up for Monument’s services, they disclose sensitive information including their name, email address, date of birth, phone number, address, information about their alcohol consumption, medical history, copies of their government-issued IDs, and their IP address and device IDs are collected. According to the complaint, between 2020 and 2022, Monument informed consumers on its website and in communications that the personal and health information provided to the company would be 100% confidential and would not be disclosed to third parties without user consent. Monument also claimed that it was compliant with the Health Insurance Portability and Accountability Act (HIPAA).

However, Monument added tracking technologies to its website, also known as pixels and application programming interfaces (APIs), which were used to collect information that allowed it to target ads for its services to new consumers and current customers who had signed up for the lowest-cost memberships. Monument classified website interactions under standard and custom events, with the latter given descriptive titles such as “Paid: Weekly Therapy” or “Paid: Med Management,” when a user signed up for a service.

The “custom events” information was disclosed to advertising platforms along with users’ email addresses, IP addresses, and other identifiers, that allowed individuals to be identified and associated with the custom events. The descriptions confirmed that the individuals were receiving treatment for alcohol addiction. Monument did not track the disclosures nor maintain an inventory of the information it collected and disclosed to third parties; however, according to the FTC, as many as 84,000 of its users had their information disclosed to third parties without consent.

These disclosures were deemed to constitute unfair and deceptive practices that violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA). The $2.5 million civil monetary penalty will have to be paid if the company is found to have misrepresented its finances. Monument must also identify the user data it has sent to third parties and instruct them to delete the data, implement a comprehensive privacy program with strong safeguards to protect consumer data and address the issues the FTC identified in its complaint, and inform consumers whose information has been disclosed to third parties for advertising purposes. The FTC order now awaits approval from a District Court judge.

“This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”

The FTC has also recently taken action against the mental health telehealth company Cerebral and has ordered the company to pay a $7.1 million penalty.

The post FTC Prohibits Alcohol Addiction Firm from Sharing Consumer Data with Third Parties appeared first on HIPAA Journal.

FTC Fines Mental Health Company Cerebral $7.1 Million for Consumer Privacy Violations

The Federal Trade Commission (FTC) has fined the mental health startup Cerebral $7.1 million for consumer privacy violations and deceptive trading practices. The $7.1 million financial penalty resolves allegations that the mental health telehealth company and its former CEO, Kyle Robertson, broke its privacy promise to consumers by impermissibly disclosing their sensitive personal and health information to third parties for advertising purposes, misled consumers about its cancellation process, and failed to protect sensitive health data. The proposed FTC order includes a requirement for Cerebral to refrain from disclosing consumers’ data to third parties for advertising purposes without consent and for the company to provide an easy way for consumers to cancel its services.

One of the most important factors for consumers when choosing a mental health care provider is privacy. Consumers need to be able to discreetly discuss highly sensitive mental health problems and be sure that the information disclosed is kept private and confidential. The FTC alleged that Cerebral claimed it provided safe, secure, and discreet services but failed to clearly inform consumers that their sensitive data would be shared with third parties. As a result of the information sharing, consumers could be targeted with advertisements related to the information they disclosed to Cerebral in confidence.

Cerebral had disclosed its data sharing practices in its privacy policies; however, those privacy policies were dense and the information about data sharing practices was deeply buried making it likely that consumers would not see it. Further, Cerebral claimed in multiple areas that it would not share consumer data with third parties for advertising purposes without their consent. According to the FTC complaint, Cerebral shared the sensitive data of almost 3.2 million consumers with third parties such as Snapchat, LinkedIn, and TikTok via tracking tools embedded in its websites and apps, which amounted to a deceptive business practice that violated the FTC Act.

The information disclosed to those third parties included names, addresses, email addresses, phone numbers, birth dates, IP addresses, medical and prescription histories, pharmacy and health insurance information, other types of health information, and other personal data such as religious and political beliefs and sexual orientation. That information was also available internally to Cerebral staff, with access to customer data not restricted to the employees who needed to view that information. Between May 2021 and December 2021, former employees could continue to access consumer information and the company failed to ensure that healthcare providers could only access their own patients’ records.

The FTC complaint alleged that Cerebral engaged in sloppy marketing practices. For instance, 6,000 postcards were mailed to patients that included patients’ names and language that would reveal their diagnosis and treatment to others, rather than using envelopes and Cerebral used a Single Sign-on solution that exposed patient data to other patients when they signed into the patient portal at the same time.

The FTC also alleged that Cerebral and its CEO violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) due to engaging in unfair and deceptive practices regarding substance use disorder treatment services and violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all material terms of its cancellation policies before charging consumers. The alleged deceptive practices started while Robertson was CEO and continued after his tenure.

The FTC order has yet to be approved by the U.S. District Court for the Southern District of Florida. If approved, in addition to the financial penalty and ban on disclosing sensitive data for advertising purposes, Cerebral is required to post a notice on its website alerting consumers about the FTC order, delete consumer data that is not being used for either treatment, payment, or healthcare operations if users have not consented to those uses, provide consumers with a mechanism to request that their data is deleted, and adopt a data retention schedule.

The financial penalty includes $5.1 million to provide partial refunds to customers affected by its deceptive cancellation policies. A $10 million civil monetary penalty has also been imposed, which will be suspended after $2 million has been paid due to the inability of the company to pay the full amount.

“As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”

“Cerebral has been transparent and fully cooperative throughout the investigation and remains committed to providing excellent care for our valued patients while upholding the highest standards of customer service, data protection, and client privacy,” explained Cerebral in a statement about the FTC order.

The post FTC Fines Mental Health Company Cerebral $7.1 Million for Consumer Privacy Violations appeared first on HIPAA Journal.

Orrick, Herrington & Sutcliffe Agrees $8 Million Settlement to Resolve Class Action Data Breach Lawsuit

The San Francisco, CA-based law firm Orrick, Herrington & Sutcliffe has agreed to a $8 million settlement to resolve a class action lawsuit filed in response to a 2023 cyberattack and data breach.

In March 2023, the law firm that specializes in helping companies that have experienced security breaches suffered one of its own. On March 13, 2023, hackers were discovered to have gained access to its network, with the forensic investigation revealing they had access for around two weeks between February 28 and March 13, 2023, before the intrusion was detected. The personal and protected health information of 637,620 individuals was compromised; however, it took months to determine how many individuals had been affected with the last batch of notification letters mailed to affected individuals in January 2024. The affected individuals were offered 2 years of complimentary credit monitoring services.

A lawsuit was filed against Orrick, Herrington & Sutcliffe in the U.S. District Court for the Northern District of California shortly after the announcement about the breach. The lawsuit made several allegations, including the failure to secure its systems, the failure to prevent and stop the breach, the failure to detect the breach in a timely manner, and the failure to disclose material facts that adequate system security measures were not in place to prevent data breaches. The lawsuit also alleged Orrick, Herrington & Sutcliffe did not honor repeated promises and representations to protect the information of the breach victims and failed to provide timely notifications. Several other lawsuits were filed over the breach that made similar claims, and they were consolidated into a single action – In re Orrick Herrington & Sutcliffe LLP Data Breach Litig.

The plaintiffs alleged they had been harmed by the data breach, including receiving a flood of spam emails and phone calls, actual and attempted identity theft, and other misuse of their personal information. Orrick, Herrington & Sutcliffe has denied liability and wrongdoing and said it regretted the inconvenience and distraction that the malicious incident caused. The proposed settlement was deemed to be reasonable and fair by class counsel and has received preliminary approval from the court. Under the terms of the settlement, class counsel may claim up to 25% of the settlement amount and after costs of up to $50,000 and $2,500 service awards for the lead plaintiffs have been deducted, the remainder of the settlement will cover claims from individuals affected by the data breach.

The settlement includes up to 5 hours of compensation for lost time at $25 per hour, reimbursement of up to $2,500 for unreimbursed out-of-pocket expenses, reimbursement of up to $7,500 for extraordinary losses such as identity theft and fraud, and three years of three-bureau credit monitoring services. California residents are entitled to a cash payment of $150. If class members choose not to submit a claim for lost time and reimbursement for out-of-pocket expenses and extraordinary losses, a claim may instead be submitted for a cash payment of $75.

The post Orrick, Herrington & Sutcliffe Agrees $8 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.