Legal News about HIPAA and Healthcare Compliance

Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit

Novant Health has agreed to settle a class action lawsuit that stemmed from its use of tracking pixels on its MyChart patient portal. The pixel code on the patient portal collected the personally identifiable information of users with the goals of “improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care”; however, the information collected was also transferred to third-party technology companies that were not authorized to receive the data.

The North Carolina health system was the first healthcare provider to report a pixel-related HIPAA violation to the HHS Office for Civil Rights (OCR). In the summer of 2022, Novant Health said the protected health information of up to 1,362,296 individuals had been disclosed to third parties such as Meta (Facebook) between May 1, 2020, and Aug. 12, 2022. The HIPAA breach was reported several months before OCR issued guidance on HIPAA and tracking pixels confirming that pixel-related disclosures of protected health information to third parties violated HIPAA. Novant Health was one of many health systems to use the code on its patient portal. According to one study, 99% of hospitals in the United States used pixels or other tracking technologies on their websites, apps, or patient portals that collected visitor information and transferred that data to third parties.

The lawsuit against Novant Health was filed on behalf of 10 Novant Health patients and similarly situated individuals who used the patient portal while the Meta Pixel code was present and alleged invasion of privacy, breach of contract, and violations of the Health Insurance Portability and Accountability Act. Novant Health maintains there was no wrongdoing and the decision to settle the lawsuit was taken to put an end to the litigation and avoid further legal costs and the uncertainty of trial.

“Novant Health takes privacy and the care of personal information very seriously and values patient trust to keep patients’ medical information private. Novant Health will continue to be as transparent as possible and provide information to patients,” said a spokesperson for Novant Health regarding the proposed settlement. “The proposed settlement is not an admission of wrongdoing, and the court did not find any wrongdoing on the part of Novant Health.”

Under the terms of the settlement, class members – individuals who used the MyChart portal between May 1, 2020, and Aug. 12, 2022 – will be eligible to submit claims for a share of the $6.6 million settlement fund. Claims will be paid pro rata once legal costs, expenses, and attorneys’ fees have been paid. Novant Health is one of several healthcare providers to have been sued over the use of pixels and other tracking technologies, including Advocate Aurora Health, which chose to settle its lawsuit for $12.225 million.

The post Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit appeared first on HIPAA Journal.

LockBit Ransomware Group Behind Capital Health Cyberattack

Capital Health Systems in New Jersey has recently announced that it fell victim to a cyberattack in late November that temporarily disrupted its IT systems. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell – and an outpatient facility in Hamilton Township. While the attack caused a network outage, care continued to be provided to patients at its hospitals and their emergency rooms continued to receive patients.

Capital Health has confirmed that all systems have now been restored and all services are available at Capital Health facilities; however, the investigation into the cyberattack is ongoing and it has yet to be determined to what extent patient and employee data was involved. Capital Health said law enforcement was immediately notified about the attack and third-party forensic and information technology experts were engaged to assist with the investigation and breach response.

Capital Health has yet to confirm the extent of any data breach but the hacking group behind the attack claims to have stolen more than 10 million files, including 7 TB of medical confidentiality data, and threatened to publish the stolen data if the ransom is not paid. The LockBit ransomware group usually engages in double extortion tactics, where sensitive data are stolen and files are encrypted using ransomware. A ransom demand is issued, and payment is required to obtain the keys to decrypt files and to prevent the publication of the stolen data. In this attack, the group said it deliberately did not encrypt files and only stole patient data as it was not its intention to cause any disruption to patient care. While ransomware was not used, these attacks can still cause network outages as part of incident response processes and therefore still have the potential to disrupt patient care.

Capital Health was given a deadline of January 9, 2024, to prevent the release of the stolen data. While Capital Health was added to the LockBit 3.0 data leak site, the listing has since been removed. Further information on the extent of the data breach will be released as the investigation progresses and notification letters will be issued if data theft is confirmed.

Lawsuit Filed Over Capital Health Cyberattack

The extent of the data breach has yet to be confirmed and notification letters have not yet been mailed by Capital Health but a lawsuit has already been filed against Capital Health over an alleged data breach. The lawsuit was filed on behalf of Capital Health patient Bruce Graycar and similarly situated individuals by attorney Ken Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert.

The lawsuit alleges the plaintiff has suffered injuries as a result of the attack and that the failure of Capital Health to issue prompt notifications to the affected individuals has exacerbated the injuries, as the plaintiff and class were unaware that it was necessary to take steps to protect themselves against misuse of their private healthcare information. The lawsuit alleges injuries have been suffered including damage to and the diminution in the value of private information, invasion of privacy, and a present, imminent, and impending injury due to an increased risk of identity theft and fraud.


ReproSource Fertility Diagnostics Proposes $1.25 Million Class Action Data Breach Settlement

ReproSource Fertility Diagnostics has proposed a settlement to resolve litigation stemming from a 2021 ransomware attack that potentially resulted in the theft of the sensitive health data of up to 350,000 patients. The Marlborough, MA-based fertility testing laboratory, which is owned by Quest Diagnostics, had its network breached on August 8, 2021. The intrusion was detected on August 10 when ransomware was deployed. The forensic investigation confirmed that the parts of the network that the threat actors could access included files that contained sensitive health information.

The data exposed included names, addresses, phone numbers, email addresses, dates of birth, billing, and health information, such as CPT codes, diagnosis codes, test requisitions, and results, test reports and/or medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians, and for a limited number of individuals, Social Security numbers, financial account numbers, driver’s license numbers, passport numbers, and/or credit card numbers.

While no evidence of data exfiltration was found, data theft could not be ruled out, so ReproSource notified approximately 350,000 individuals on October 21, 2023, and was promptly sued. Two class action lawsuits were consolidated into a single lawsuit as they made similar allegations – that ReproSource was negligent by failing to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to patient data. The lawsuits alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and data breach notification and consumer protection laws in Massachusetts.

The decision was taken to settle the litigation with no admission of wrongdoing. Under the terms of the settlement, class members may submit claims for up to $3,000 to cover out-of-pocket, unreimbursed losses that are reasonably traceable to the data breach, including up to 8 hours of lost time, three years of credit monitoring services, and a $1 million identity theft insurance policy. Alternatively, class members can claim a cash payment of $50. A total of $1.25 million has been set aside to cover claims, which will be paid pro rata if that total is reached. Class members who were California residents at the time of the breach will be entitled to an additional $50 payment.

The consolidated lawsuit also sought injunctive relief, which included major upgrades to data security to prevent similar cyberattacks and data breaches in the future. The settlement also includes the requirement for ReproSource to make significant improvements to its information security program, including enhancing its monitoring and detection tools. The settlement will need to receive final approval from a Massachusetts judge.


Former Executive Sentenced to Probation for HIPAA Violation

Mark Kevin Robison, a former vice president of Commonwealth Health Corporation (now Med Center Health) in Kentucky has been sentenced to 2 years’ probation and ordered to pay $140,000 in restitution after reaching a plea agreement with federal prosecutors over a HIPAA violation.

Robison pled guilty to knowingly disclosing the protected health information of patients of Commonwealth Health Corporation (CHC) under false pretenses to an unauthorized third party between 2014 and 2015. Robison did not have authorization from the patients concerned nor from CHC to disclose the records.

While Vice President of CHC, Robison hired Randy Dobson as a patient account collection vendor for CHC. In March 2011, Robison and Dobson set up a corporation – OPTA LLC – in Kentucky. The pair were the only registered members and Robison was the registered agent. Dobson was developing a software solution and together the pair hoped to market the software to healthcare companies.

OPTA Kentucky was dissolved in 2014, and Delaware OPTA was incorporated the same year with Dobson listed as the sole owner. Delaware OPTA continued to develop the same software, and Robison hoped to share in the profits from the sale of the software when he left CHC. In 2014, Robison instructed the CHC IT department to share patient data with Dobson to test the software. The disclosures occurred between 2014 and 2015 without authorization from CHC or the patients concerned.

When CHC learned of the relationship between Robison and Dobson, Robison was fired in December 2016 and the HIPAA violation was reported to law enforcement. Dobson is not believed to have disclosed the patient data to any other individuals and only used the data to test the software. While patients appear not to have suffered any harm, the potential penalty for the violation was severe.

Robison faced a maximum penalty of five years imprisonment and a fine of up to $100,000 for the HIPAA violation. Robison pled guilty to one count of impermissibly disclosing protected health information in a plea deal that saw him avoid jail and instead be placed on probation for 2 years. Robison was also ordered to pay CHC $140,000 in restitution. Half of that amount has already been paid and Robison intends to pay the remainder by the end of January.


Class Action Lawsuits Filed Over HealthEC Data Breach

January 12, 2024: Class Action Lawsuits Filed Over HealthEC Data Breach

Multiple class action lawsuits have been filed against HealthEC LLC over a recently disclosed data breach that affected almost 4.5 million individuals. Hackers gained access to HealthEC’s population health management platform between July 14 and July 23, 2023, and obtained the sensitive data of patients of its healthcare provider clients, per The HIPAA Journal report below.

One of the class action lawsuits – Victoria Lempinen v. Health EC LLC – was filed in the U.S. District Court of New Jersey on behalf of Victoria Lempinen and similarly situated individuals who had their personal and protected health information compromised in the data breach. The lawsuit alleges that HealthEC lost control of the sensitive data of almost 4.5 million individuals as a direct result of the failure to maintain reasonable and appropriate cybersecurity protocols and the lack of encryption of sensitive data on its network. The security failures are alleged to violate the FTC Act and Health Insurance Portability and Accountability Act (HIPAA). Further, the plaintiff argues that HealthEC did not have policies and procedures in place to ensure that sensitive data was deleted in a timely manner when it was no longer needed.

In addition to suffering a preventable data breach, HealthEC is alleged to have unnecessarily delayed issuing notifications, which were issued in December 2023, more than 5 months after the data breach occurred. This, it is argued, denied the opportunity for victims of the breach to take steps to protect themselves against identity theft and fraud. When notification letters were issued, the lawsuit alleges HealthEC failed to disclose important details about the breach, such as when the cyberattack and data breach were first detected, the dates of the investigation, the vulnerabilities that were exploited by the hackers, and the measures undertaken in response to the cyberattack to ensure that similar breaches are prevented in the future.

The lawsuit claims the plaintiff and class have suffered injuries including invasion of privacy, theft of private information, loss or diminished value of private information, lost time and opportunity costs, loss of benefit of the bargain, and an increase in spam calls, texts, and emails, and the plaintiff and class members now face an increased risk of identity theft and fraud. The 75-page lawsuit alleges negligence, breach of third-party beneficiary contract, breach of confidence, invasion of privacy, and unjust enrichment and seeks class action certification, a jury trial, and damages, restitution, and injunctive relief, including an order from the court to compel HealthEC to implement a raft of measures to improve data security. The plaintiffs and class are represented by Vicki J. Maniatis and Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman LLC.

A second lawsuit was filed against HealthEC LLC on behalf of plaintiff Bree Marano and similarly situated individuals that makes similar claims, including the failure to comply with FTC guidelines, industry standards, and HIPAA. Those failures include inadequate cybersecurity measures given the level of risk of a cyberattack, insufficient monitoring of its network for intrusions, and the failure to issue adequate and timely individual notifications about the data breach. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and breach of confidence, and claims the defendant has done absolutely nothing of value to provide the plaintiff and class with relief for the damages they have suffered as a result of the data breach.

January 3, 2024: HealthEC Data Breach Affects Almost 4.5 Million Individuals

HealthEC, an Edison, New Jersey-based analytics software vendor, has recently confirmed that the protected health information of 4,452,782 individuals has been exposed and potentially stolen in a recent cyberattack. HealthEC is the developer of a platform that healthcare organizations use to identify high-risk patients, close care gaps, and recognize barriers to optimal care. More than 1 million healthcare professionals in 18 U.S. states use the platform’s analytics to gain insights to improve patient outcomes.

HealthEC started mailing data breach notification letters to the affected individuals on December 22, 2023; however, the data breach occurred several months earlier. According to the notification letters, unauthorized individuals had access to HealthEC’s systems between July 14, 2023, and July 23, 2023. The forensic investigation revealed that during that time, files were removed.

HealthEC conducted a review of the affected files and determined that they contained the protected health information of its clients’ patients. HealthEC started notifying the affected clients on October 26, 2023, which included MD Valuecare in Virginia (112,005 records) and Corewell Health in Michigan (1 million+ records). On December 21, 2023, the breach was reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 4.52 million individuals.

The information compromised in the attack varied from patient to patient and may have included names along with one or more of the following: address, date of birth, Social Security number, medical record number, diagnosis and diagnosis codes, mental/physical condition, prescription information, provider name, beneficiary number, subscriber number, Medicaid/Medicare identification number, patient account number, patient identification number, and treatment cost information. HealthEC is offering the affected individuals complimentary credit monitoring services and has taken steps to improve security to prevent further data breaches in the future.

HealthEC is the second vendor to experience a data breach that has affected more than 1 million Corewell Health patients this year. Michigan Attorney General Dana Nessel has called for new legislation to be introduced in the state mandating prompt notifications in the event of a data breach, as in each case, Michiganians had to wait several months to discover that their sensitive health data had been stolen.

Entities Impacted by HealthEC Data Breach

The entities known to have been affected by the HealthEC data breach, as disclosed by HealthEC on December 22, 2023, are:

  • Alliance for Integrated Care of New York, LLC
  • Advantage Care Diagnostic & Treatment Center, Inc.
  • Beaumont ACO
  • Community Health Care Systems
  • Compassion Health Care
  • Corewell Health
  • East Georgia Healthcare Center
  • HonorHealth
  • Hudson Valley Regional Community Health Centers
  • Illinois Health Practice Alliance, LLC
  • KidneyLink
  • Long Island Select Healthcare
  • Metro Community Health Centers
  • Mid Florida Hematology & Oncology Centers, P.A., d/b/a Mid-Florida Cancer Centers
  • TennCare
  • State of Tennessee
  • University Medical Center of Princeton Physicians’ Organization
  • Upstate Family Health Center, Inc.


Michigan Attorney General Calls for New Data Breach Notification Law

Michigan Attorney General Dana Nessel has called for legislative changes to hold companies in the state more accountable for data breaches after Corewell Health failed to disclose a data breach promptly. Corewell Health has been affected by two massive data breaches this year, both of which occurred at vendors and affected more than a million Corewell Health patients. The first breach occurred at Corewell Health vendor Welltok, which had data stolen in May when the Clop hacking group exploited a vulnerability in Progress Software’s MOVEit Transfer solution. Corewell Health patients were notified about the breach on December 1, 2023, more than 6 months after the breach occurred.

Michigan Attorney General, Dana Nessel

AG Nessel’s comments came in response to a second such breach, which occurred at HealthEC, a vendor used by Corewell Health for analyzing patient data. HealthEC discovered the breach in July 2023 and notified Corewell Health in October that the data of its patients had been compromised. AG Nessel explained that the department in the state that is responsible for consumer protection did not hear about the breach until December 27, 2023, more than 5 months after the breach was detected.

It often takes several months for individual data breach notification letters to be issued, but when sensitive data is stolen it can be misused immediately. Individuals need to know that their data has been stolen quickly so they can take steps to protect themselves against identity theft and fraud. In both cases, complimentary credit monitoring and identity theft protection services have been offered but some of the affected individuals have already fallen victim to identity theft and fraud. Had those individuals been made aware of the breaches sooner, losses could have been prevented. Nessel is advocating for legislation that requires companies to notify the state immediately when a data breach is discovered.

Currently, 34 U.S. states have laws that require the state Attorney General or state agencies to be issued with timely notifications about data breaches that exceed certain thresholds, but there are no such requirements in Michigan. Without mandatory data breach reporting to improve transparency, there is little the state can do regarding enforcement.

“What we would like to be able to do is to say, ‘You know, look, if you don’t properly secure and store data, or if you don’t report a data breach, you’re going to be subjected to significant fines.’ That’s what they do in other states, but not here in Michigan,” said Nessel. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection.”

Regarding data security failures that result in data breaches, Michigan could take action and fine companies that are discovered to have violated the Health Insurance Portability and Accountability Act. Several state Attorneys General have imposed financial penalties for HIPAA violations, including Connecticut, Indiana, Massachusetts, Minnesota, New York, and New Jersey.


FTC Prohibits Rite Aid from Using Facial Technology System for Surveillance for 5 Years

Rite Aid has been banned from using facial recognition technology for security surveillance for five years as part of a settlement with the Federal Trade Commission (FTC), which determined the pharmacy chain failed to mitigate potential risks to consumers from misidentification.

Between 2012 and 2020, Rite Aid used artificial intelligence-based facial recognition technology in hundreds of its stores to identify customers who may have been engaged in shoplifting or other problematic behaviors. While the system correctly identified many individuals who had engaged in these behaviors, the system also recorded thousands of false positives, where the facial recognition technology incorrectly matched individuals with others who had previously been identified as shoplifters or had engaged in other problematic behaviors. The misidentified individuals were then erroneously accused of wrongdoing by Rite Aid employees.

The FTC found that the facial recognition technology was more likely to record false positives in communities that were predominantly Black or Asian, compared to plurality-White communities, indicating bias in the technology and heightened risks to certain consumers because of race or gender. According to the FTC, Rite Aid contracted with two technology firms to build a database of images and videos of “persons of interest,” who were thought to have engaged in shoplifting or other problematic behaviors in Rite Aid stores, and that database was used for the AI-based facial recognition system. Tens of thousands of images and videos were collected along with names and background information, including background criminal data. Many of the images in the database were of low quality and had been collected from store security cameras, the mobile devices of employees, and in some cases, from news stories. “The technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States,” according to the FTC.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”

Rite Aid was alleged to have:

  • failed to consider and mitigate risks to consumers from misidentification;
  • failed to take into account the limitations of the technology and the high risk of misidentifying Black and Asian individuals;
  • not properly tested, assessed, measured, documented, or inquired about the accuracy of the technology before deployment;
  • failed to prevent low-quality images from being fed into the system;
  • failed to monitor or test the accuracy of the technology after deployment; and
  • failed to adequately train employees tasked with operating the technology and flag that it could generate false positives.

The FTC also said Rite Aid violated a previous 2010 data security order with the FTC that resolved a complaint that Rite Aid failed to protect the medical privacy of customers and employees, which required Rite Aid to implement a comprehensive information security program. As an example, the FTC alleged that Rite Aid conducted many security assessments of service providers orally and did not obtain or possess backup documentation of those assessments, including those that were considered by Rite Aid to be high-risk.

Rite Aid has been ordered to delete or destroy all photos and videos of consumers used in connection with the operation of the facial recognition or analysis system within 45 days, and within 60 days, to identify all third parties that received photos or videos as part of the facial recognition and analysis and instruct them to also delete the photos and videos.

In addition to the ban on facial recognition technology, Rite Aid is prohibited from using any automated biometric security or surveillance system that is not otherwise prohibited by the order unless a comprehensive automated biometric security or surveillance system monitoring program is established and maintained to identify and address risks that could result in physical, financial, or reputational harm to consumers, stigma, or severe emotional distress.

Rite Aid must also notify consumers when their biometric information is enrolled in a database used in connection with a biometric security or surveillance system and when Rite Aid takes some kind of action against them based on an output generated by such a system, and must investigate and respond to consumer complaints about actions taken against them based on an automated biometric security or surveillance system.

Rite Aid said it is pleased to have reached an agreement with the FTC which means the company can put the matter behind it; however, it said, “We fundamentally disagree with the facial recognition allegations in the agency’s complaint.” Rite Aid also explained that the allegations related to a facial recognition technology pilot program that was deployed in a limited number of stores. “Rite Aid stopped using the technology in this small group of stores more than three years ago, before the FTC’s investigation regarding the Company’s use of the technology began.” All parties have agreed to the consent order but it has yet to be approved by a judge.


Fred Hutchinson Cancer Center Lawsuits Mount After Cyberattack and Data Breach

More than half a dozen lawsuits have been filed against the Fred Hutchinson Cancer Center over a cyberattack and data breach that occurred over the Thanksgiving weekend. Unauthorized individuals gained access to its network where patient data was stored and removed files containing names, contact information, medical information, and Social Security numbers. The Hunters International hacking group claimed responsibility for the attack, and when the Fred Hutchinson Cancer Center refused to pay the ransom demand, they turned their attention to patients and started contacting them directly demanding payment of $50 to have their stolen data deleted. The hacking group claimed to have stolen the data of 800,000 patients.

Class action lawsuits are commonly filed after large data breaches, and it was inevitable that the affected individuals would take legal action given that they had been directly threatened by the individuals behind the attack. The lawsuits make similar claims, and it is therefore likely that they will be consolidated into a single class action lawsuit. The most common claims are that the Fred Hutchinson Cancer Center was negligent by failing to implement reasonable and appropriate safeguards to protect its internal networks and patient data against unauthorized access and that the breach occurred as a result of those security failures.

One of the lawsuits – Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and University of Washington – was filed in the Superior Court of the State of Washington in King County, and claims that the plaintiffs believed that the defendants had implemented and maintained reasonable and appropriate security practices due to the representations of the defendants, when that was not the case. Both of the named plaintiffs claim they first learned about the data breach when they were contacted directly by the hackers and threatened with the public release/sale of their sensitive data. They claim that the Fred Hutchinson Cancer Center failed to issue prompt notifications to allow them to take steps to protect themselves against identity theft and fraud.

The lawsuit claims the plaintiffs and class members now face grave and lasting consequences from the attack and have suffered injury and damages including a substantial and imminent risk of identity theft and medical identity theft, loss of confidentiality of highly sensitive PII/PHI, deprivation of the value of PII/PHI, and overpayment for services that did not include adequate data security, and other harms. In addition to negligence, the lawsuit alleges negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and a violation of the Washington Consumer Protection Act. The lawsuit seeks a jury trial and actual, statutory, and punitive damages, restitution, disgorgement, and nominal damages, and equitable, injunctive, and declaratory relief. Another lawsuit, Shawna Arneson v. Fred Hutchinson Cancer Center, was filed in the same court and makes similar claims, and alleges the actions of Fred Hutchinson Cancer Center violated HIPAA.

A third lawsuit – Doe v. Fred Hutchinson Cancer Center et al – was filed in the US District Court for the Western District of Washington by John Doe, the father of Jack Doe, and similarly situated individuals. Other defendants named in the lawsuit include UW School of Medicine, UW Medical Center, Harborview Medical Center, Valley Medical Center, UW Physicians, UW Neighborhood Clinics (dba UW Medicine Primary Care), Airlift Northwest, and Children’s University Medical Group.

Jack Doe received healthcare services from UW Medicine but was never a patient of the Fred Hutchinson Cancer Center; however, his data was shared with the Fred Hutchinson Cancer Center as both health systems work together to advance cancer research. The lawsuit alleges that the defendants failed to implement appropriate cybersecurity measures and failed to protect patients from “a flood of extortionary threats by cybercriminals.” The lawsuit alleges long-standing security failures, as the Fred Hutchinson Cancer Center also failed to prevent a breach of an employee email account in March 2022. The lawsuit seeks a jury trial and an award of damages, relief, and restitution.

Fred Hutchinson Cancer Center Data Breach Lawsuits

  • Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and University of Washington – The plaintiffs are represented by Alexander F. Strong of Stobaugh & Strong P.C., Ben Barnow, Anthony L. Parkhill, and Riley W. Prince of Barnow and Associates.
  • Doe v. Fred Hutchinson Cancer Center et al – The plaintiffs and class are represented by Turke & Strauss LLP.
  • Shawna Arneson v. Fred Hutchinson Cancer Center – The plaintiffs are represented by Kim D. Stephens & Cecily C. Jordan of Tousley Brain Stephens PLLC.

The post Fred Hutchinson Cancer Center Lawsuits Mount After Cyberattack and Data Breach appeared first on HIPAA Journal.

Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital

New York Presbyterian Hospital has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with the New York Attorney General and will pay a financial penalty of $300,000.

NYP operates 10 hospitals in New York City and the surrounding metropolitan area and serves approximately 2 million patients a year. In June 2016, NYP added tracking pixels and tags to its nyp.org website to track visitors for marketing purposes. In early June 2022, NYP was contacted by a journalist from The Markup and was informed that these tools were capable of transmitting sensitive information to the third-party providers of the tools, including information classified as protected health information under HIPAA.

On June 16, 2023, The Markup published an article about the use of these tools by NYP and other U.S. hospitals, by which time NYP had already taken steps to remove the tools from its website and had initiated a forensic investigation to determine the extent of any privacy violations. NYP determined that PHI had potentially been impermissibly disclosed and reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on March 20, 2023, as involving the protected health information (PHI) of up to 54,396 individuals.

NY Attorney General Launches HIPAA Investigation

NY Attorney General Letitia James opened an investigation of NYP in response to the reported breach to determine whether NYP had violated HIPAA and New York laws. The investigation confirmed that NYP had added several tracking tools to its website that were provided by third parties such as Bing, Google, Meta/Facebook, iHeartMedia, TikTok, The Trade Desk, and Twitter. These tools were configured to trigger on certain user events on its website. Most were configured to send information when a webpage loaded, and some sent information in response to clicks on certain links, the submission of forms, and searches conducted on the site. The snippets of information sent to third parties included information about the user’s interactions on the website, including the user’s IP address, URLs visited, and searches. The tools provided by Google, Meta, and The Trade Desk also received unique identifiers that had been stored in cookies on the user’s devices.

Meta/Facebook also received information such as first and last name, email address, mailing address, and gender information, if that information was entered on a webpage where the Meta pixel was present. In some cases, the information sent to third parties included health information, such as if the user researched health information, performed a search for a specialist doctor, or scheduled an appointment. Certain URLs also revealed information about a specific health condition.

The tracking tools from Meta, Google, and the Trade Desk were used to serve previous website visitors with targeted advertisements based on their previous interactions on the website. NYP and its digital marketing vendor also used Meta pixel data to categorize website visitors based on the pages they visited and used Meta pixel to serve advertisements to other individuals with similar characteristics, known as “lookalike audiences.” For example, NYP identified individuals who visited webpages related to prostate cancer, and those individuals were then served targeted advertisements on other third-party websites related to prostate cancer.

Commonly Used Website Tracking Tools Violate HIPAA

These tracking tools are widely used by businesses of all types and sizes for marketing, advertising, and data collection purposes; however, in contrast to most businesses with an online presence, hospitals are HIPAA-covered entities and are required by federal law to ensure the privacy of personal and health information. As confirmed by the HHS’ Office for Civil Rights in December 2022 guidance, third-party tools that are capable of collecting and transmitting PHI may only be used if there is a business associate agreement (BAA) in place and the disclosure of PHI is permitted by HIPAA or if HIPAA-compliant authorizations have been obtained from patients. NYP, like many other HIPAA-covered entities that used these tools, had no BAAs in place with the tracking tool vendors and did not obtain consent from patients to disclose their PHI to those vendors.

The New York Attorney General determined that while NYP had policies and procedures relating to HIPAA compliance and patient privacy, they did not include appropriate policies and procedures for vetting third-party tracking tools. The New York Attorney General determined that the use of these tools violated § 164.502(a) of the HIPAA Privacy Rule, which prohibits impermissible disclosure of PHI, and § 164.530(c) and (i), which require administrative, technical, and physical safeguards to protect the privacy of PHI and policies and procedures to comply with those requirements. NYP was also found to have violated New York Executive Law § 63 (12) by misrepresenting the manner and extent to which it protects the privacy, security, and confidentiality of PHI.

Settlement Agreed to Resolve Alleged Violations of HIPAA and State Laws

NYP fully cooperated with the investigation and chose to settle the alleged violations with no admission or denial of the findings of the investigation. In addition to the financial penalty, NYP has agreed to comply with Executive Law § 63 (12), General Business Law § 899-aa, the HIPAA Privacy Rule (45 C.F.R. Part 164 Subpart E), and the HIPAA Breach Notification Rule (45 C.F.R. Part 164 Subpart D) concerning the collection, use, and maintenance of PHI. NYP is also required to contact all third parties that have been sent PHI and request that the information be deleted. NYP has further agreed to conduct regular audits, reviews, and tests of third-party tools before deploying them to an NYP website or app, and to conduct regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools.

NYP is also required to clearly disclose on all websites, mobile applications, and other online services it owns or operates, all third parties that receive PHI as the result of a pixel, tag, or other online tool, and provide a clear description of the PHI that is received. The notice must be placed on all unauthenticated web pages that allow individuals to search for doctors or schedule appointments, as well as any webpage that addresses specific symptoms or health conditions.

OCR’s guidance on tracking technologies is being challenged in court due to doubts about whether the types of information collected by tracking tools fall under the HIPAA definition of PHI. The requirements of the settlement concerning the use of tracking technologies and the restrictions imposed will remain in effect until the relevant sections of OCR’s guidance are amended, superseded, withdrawn, revoked, supplanted by successive guidance, or temporarily or permanently enjoined and/or rejected by a court ruling applicable to HIPAA-covered entities in New York.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients’ personal information and health data. New York-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that New York-Presbyterian is not negligent in protecting its patients’ information.”

A spokesperson for NYP responded to the resolution of the investigation and provided the following statement, “We are pleased to have reached a resolution with the New York State Attorney General on this matter. The privacy and security of our patients’ health information is of paramount importance, and the protection of this confidential information remains a top priority. We continually assess our data collection, data privacy, and digital monitoring tools and practices so that they meet or exceed the highest standards.”

The post Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital appeared first on HIPAA Journal.