Legal News

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed.

According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug propofol from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego.

During the time that the cameras were recording, 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped.

A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts.

The lawsuit states that, “At times, defendants’ patients had their most sensitive genital areas visible.” The position of the laptop cameras was such that patients’ faces could be seen in the recordings and, as such, patients could be identified from the recordings.

The lawsuit alleges the video recordings could be accessed by multiple individuals including medical and non-medical staff and strangers via desktop computers. Controls had not been implemented to log which users had gained access to the video recordings or why the videos had been viewed.

The plaintiffs allege that many of the computers on which the videos were stored have since been replaced or refreshed and that Sharp has destroyed many of the videos; however, Sharp could not confirm whether those files were securely erased and if they could potentially be recovered.

The lawsuit was originally filed in 2016 but was denied class certification. The case has now been re-filed. Eighty-one women who received surgical procedures in the operating rooms during the period in which the cameras were active have been included in the lawsuit, and hundreds more women are expected to join.

The plaintiffs allege their privacy was violated as a result of the unlawful recording of video footage, there was a breach of fiduciary duty, negligent infliction of emotional distress, and that the failure to secure the video footage and ensure it was permanently destroyed amounts to gross negligence.

As a result of the actions of Sharp, “Plaintiffs suffered harm including, but not limited to, suffering, anguish, fright, horror, nervousness, grief, anxiety, worry, shock, humiliation, embarrassment, shame, mortification, hurt feelings, disappointment, depression and feelings of powerlessness,” states the lawsuit.

The plaintiffs are seeking a jury trial.

The post Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations appeared first on HIPAA Journal.

National Board of Examiners in Optometry Agrees to Settle 2016 Data Breach Lawsuit for $3.25 Million

A settlement has been reached to resolve a class action lawsuit filed on behalf of victims of an alleged data breach at the National Board of Examiners in Optometry (NBEO) in 2016.

In the summer of 2016, hackers gained access to the sensitive information of optometrists and students, although it is unclear how the hackers obtained sensitive information and what database or system was hacked.

Breach investigations did not uncover any evidence of unauthorized access to any databases containing sensitive credentials. The American Optometric Association (AOA), American Academy of Optometry (AAO) and NBEO all investigated the breach and each claimed, and still maintains, that it was not the source of the breach.

A breach certainly occurred as several optometrists and students had received Chase Amazon Visa credit cards in the mail that they had not applied for and many had credit card applications pending.

Following the breach, legal action was taken by 13 doctors of optometry who claimed the targeted information was still available. The cases were consolidated, but were thrown out as the breach could not be traced to NBEO and any allegations of harm were deemed speculative. However, the 4th Circuit U.S. Court of Appeals overturned the ruling of the lower court and allowed the case to proceed, ruling that it was “plausible and likely” that NBEO was the source of the breach and that it was clear that personal information had been misused.

NBEO still disputes it was the source of the breach but has now agreed to settle the case and will make $3.25 million available to compensate the 61,000 victims of the breach. Individuals eligible for a proportion of the settlement include those whose personal information was stored by NBEO in its systems as of November 15, 2018 along with individuals who have received notification that they have been named as class members.

The settlement will provide reimbursement for documented, out-of-pocket expenses traceable to the data breach, associated professional/legal fees, and the costs of credit repair services and other charges incurred after June 1, 2016 in relation to the breach. Claims will be considered up to a maximum of $7,500.

Claims can also be submitted for reimbursement for the time spent remedying issues related to the breach, up to a maximum of $1,000 per class member.

All breach victims will be entitled to three years of three-bureau credit monitoring services at no cost and free access to identity theft restoration services, all of which will be provided through Identity Guard. Victims will also be protected by a $1,000,000 insurance policy to cover losses due to identity theft and fraud.

NBEO has also agreed to overhaul its data security measures and will be retaining a third-party security firm to conduct a risk assessment of data security, encryption will be used on personal information, and the board will no longer store Social Security numbers in its database.

The settlement has received preliminary approval and the final hearing is scheduled for July 12, 2019.


Class Action Lawsuit Filed Over UConn Health Phishing Attack

A class action lawsuit has been proposed which seeks to recover damages for patients whose protected health information (PHI) was exposed in the UConn Health phishing attack that was discovered on December 24, 2018.

The lawsuit has been filed against the University of Connecticut and UConn Health and seeks damages, equitable, declaratory, and injunctive relief to prevent a recurrence of a data breach. A jury trial is being sought.

The email accounts of multiple employees were compromised as a result of the attack. In total, 326,000 UConn Health patients had some of their personal and health information exposed in the breach. Most of the individuals affected by the breach only had a limited amount of PHI exposed, although approximately 1,500 patients had their name, address, date of birth, and Social Security number, and some medical information compromised.

The lawsuit alleges UConn Health was negligent for failing to protect the private information of its patients and that there was a failure to provide timely, accurate, and adequate notification of the breach. The lawsuit explains there were major deficiencies in UConn Health’s security protocols, which allowed the breach to go undetected for months. According to the lawsuit, the first email accounts were breached in August 2018, but UConn Health only detected the breach in December 2018. It then took until February 25, 2019 for patients to be informed of the breach of their PHI.

For four months the attackers had access to the accounts and could have viewed and stolen patient information. “UConn failed to recognize its systems had been breached and that intruders were stealing data on hundreds of thousands of current and former patients. Timely action by UCONN would likely have significantly reduced the consequences of the breach,” states the lawsuit.

The lawsuit also alleges security awareness training was inadequate and UConn Health did not teach employees how to identify a potential phishing email.

The lawsuit names Yoselin Martinez as the plaintiff and there are more than 100 putative class members who were similarly affected by the breach. The lawsuit seeks damages in excess of $5 million.

Yoselin Martinez was alerted to the breach on February 25, 2019 and checked her bank account and found that an unauthorized transaction had placed her in overdraft. She alleges the transaction was the result of the fraudulent use of her information that was stolen from UConn Health.

Plaintiffs are being represented by law firm Glancy, Prongay, & Murray LLP.


D.C. Attorney General Proposes Tougher Breach Notification Laws

Washington D.C. Attorney General Karl A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach.

On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach.

Currently laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers.

If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military identification data, and health insurance information.

Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches similar to the one experienced by Equifax. That breach affected 143 million individuals globally and 350,000 D.C. residents.

Additionally, the Security Breach Protection Amendment Act requires companies that collect, own, license, handle, or otherwise possess the ‘personal information’ of District residents to implement safeguards to ensure personal information remains private and confidential.

The Security Breach Protection Amendment Act also requires companies to explain to consumers the types of information that have been breached and the steps consumers can take to protect their identities, including the right to place a security freeze on their accounts at no cost.

In the event of a breach of Social Security numbers, companies would be required to offer a minimum of two years membership to identity theft protection services free of charge. The D.C. attorney general would also need to be notified about a breach of personal information, although the timescale for doing so is not stated in the bill.

Violations of the Security Breach Protection Amendment Act would be considered a violation of the D.C. Consumer Protection Procedures Act and could attract a significant financial penalty.

This is not the first time that Attorney General Racine has sought to increase protections for consumers in the event of a data breach. A similar bill was introduced in 2017, but it failed to be passed by the D.C. Council.

The Security Breach Protection Amendment Act must first be approved by the Mayor and D.C. Council, then it will be passed to Congress which will have 30 days to complete its review.

The update follows similar amendments that have been proposed in several states and territories over the past few months. While the updates are good news for Americans whose sensitive information is exposed, the current patchwork of state laws can be complicated for businesses, especially those that operate in multiple states.

What is needed is a federal breach notification law that standardizes data breach notification requirements and uses a common definition for ‘personal information’. Such a bill has been proposed in the House and Senate on three occasions in the past three years, but each time it has failed to be passed and signed into law.


UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of a data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit.

UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach.

The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had been implemented post-breach to improve security.

UCLA Health avoided a financial penalty, but a class action lawsuit was filed on behalf of patients affected by the breach. The plaintiffs alleged UCLA Health failed to inform them about the breach in a timely manner, there had been breach of contract, violations of California’s privacy laws, and that UCLA Health’s failure to protect the privacy of patients constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015, and while this was in line with HIPAA requirements – under 60 days from the discovery that PHI had been compromised – the plaintiffs believed they should have been notified more quickly, given the fact that the breach had occurred 9 months previously.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be allowed to submit a claim to recover costs that have been incurred protecting themselves against unauthorized use of their personal and health information and they can also submit a claim to recover losses from fraud and identity theft.

Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any losses or damage caused by identity theft and fraud. $2 million of the $7.5 million settlement has been set aside to cover patients’ claims. The remaining $5.5 million will be paid into a cybersecurity fund which will be used to improve cybersecurity defenses at UCLA Health.

Patients have until May 20, 2019 to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019 and patients must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. The deadline for submitting claims for the reimbursement of losses is June 18, 2021. The final court hearing on the settlement is scheduled for June 18, 2019.


Northwestern Medicine Sued Over Medical Information Disclosure on Twitter

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medical information was disclosed on Twitter and Facebook.

Gina Graziano discovered some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy violation.

Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using an employee’s login credentials.

Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information.

Sensitive information which Graziano did not want to be placed in the public domain was disseminated on social media sites causing her to be publicly humiliated. While Northwestern Medicine did not disclose the name of the employee in the letter sent in response to her complaint, Graziano learned that the individual was Jessica Wagner, the current girlfriend of her ex-boyfriend David Wirth. Both individuals have also been named in the legal action.

In her lawsuit, Wagner is alleged to have accessed Graziano’s medical records for a period of 37 minutes and then to have impermissibly disclosed some of her medical information, which was subsequently posted on social media sites with intent to cause Graziano harm.

Northwestern Medicine has confirmed that appropriate disciplinary action has been taken against the employee over the HIPAA violation and the Department of Health and Human Services has been notified of the HIPAA breach. It is unclear whether criminal charges have been filed against Wagner. CBS Chicago reports that Wagner was fired over the HIPAA violation.

Northwestern Medicine has issued an apology and has offered Graziano 12 months of credit monitoring services as a precaution against identity theft and fraud.


Lawmakers Propose Florida Biometric Information Privacy Act

Senator Gary Farmer (D-FL) and Representative Bobby DuBose (D-FL) have proposed new bills (SB 1270/HB 1153) that require all private entities to obtain written consent from consumers prior to collecting and using their biometric data.

The Florida Biometric Information Privacy Act is similar to the Illinois Biometric Information Privacy Act which was signed into law in 2008 and would require private entities to notify consumers about the reasons for collecting biometric information and the proposed uses of that information when obtaining consent. Policies covering data retention and disposal of the information would also need to be made available to the public. Private entities would also be prohibited from profiting from an individual’s biometric information and must not sell, lease, or trade biometric information.

Private entities will be required to implement safeguards to protect stored biometric information to ensure the information remains private and confidential. When the purpose for collecting the information has been achieved, or after three years following the last interaction with an individual, the data must be securely destroyed.

Biometric data is classed as any information based on an individual’s biometric identifiers that can be used to identify an individual, such as an iris/retina scan, fingerprint, voice print, or face scan. It does not include information such as handwriting samples, signatures, biological samples, medical images, or photographs. The Act would also not apply to any information captured, used, or stored by HIPAA-covered entities for the provision of treatment, payment for healthcare, or operations covered by the HIPAA Privacy Rule.

The Florida Biometric Information Privacy Act includes a private right of action which would allow consumers to take legal action against entities that have violated their privacy and recover damages of between $1,000 and $5,000 as well as reasonable attorney fees.

“This common-sense legislation will give Floridians the peace of mind to know that their most valuable information is being handled responsibly and that these private companies will be held accountable for the improper use or unauthorized distribution of their information,” explained DuBose.

If the Florida Biometric Information Privacy Act is passed, it is due to take effect from October 1, 2019.


Former Patient Care Coordinator Pleads Guilty to Disclosing Patients’ PHI with Intent to Cause Harm

A former employee of an affiliate of University of Pittsburgh Medical Center (UPMC) who was discovered to have accessed the medical records of patients without authorization has pleaded guilty to one count of wrongful disclosure of health information and now faces a fine and jail term for the HIPAA violation.

Ms. Linda Sue Kalina, 61, of Butler, PA, had previously worked as a patient care coordinator at Tri Rivers Musculoskeletal (TRM) between March 7, 2016 and June 23, 2017 before moving to Allegheny Health Network (AHN) where she worked from July 24, 2017 to August 17, 2017.

Between December 2016 and August 2017, Ms. Kalina was accused of accessing the files of 111 UPMC patients and 2 AHN patients without authorization or any legitimate work reason for doing so. According to her indictment, she also disclosed the PHI of four of those patients to individuals not authorized to receive the information.

Prior to working at TRM, Ms. Kalina had been employed at Frank J. Zottola Construction for 24 years until she was fired from the position of office manager. While at TRM and AHN, Ms. Kalina had impermissibly accessed the medical records of employees of the construction firm, including the gynecological records of the woman who replaced her.

Ms. Kalina was accused of sending an email to the company controller in June 2017 in which she disclosed the woman’s gynecological records and also left a voicemail revealing information from those records to another Zottola employee in August 2017.

Zottola contacted UPMC to complain about the privacy violation, and after an internal investigation, Ms. Kalina was fired. The HIPAA violation case was then pursued by the Department of Justice.

Ms. Kalina was indicted on six counts in the summer of 2018 in relation to wrongfully obtaining and disclosing PHI in violation of HIPAA, including disclosing PHI with intent to cause malicious harm.

In federal court, Ms. Kalina pleaded guilty to one count of wrongful disclosure of ePHI with intent to cause harm – leaving the voicemail message – and admitted having accessed the medical records of more than 100 individuals without authorization.

U.S. District Judge Arthur Schwab agreed to release Ms. Kalina on bond pending sentencing on June 25, 2019. Ms. Kalina was ordered not to make contact with any of the victims and the victims were instructed not to make contact with Ms. Kalina.

Ms. Kalina faces a fine of up to $250,000 for the HIPAA violations and a sentence of up to 10 years in jail.


New Jersey Expands Definition of Personal Information Requiring Breach Notifications

The New Jersey Assembly has unanimously passed a bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach.

New Jersey breach notification laws require businesses and public entities to send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account number or credit/debit card information if they are accompanied with a password or code that allows the account to be accessed.

The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act expands the definition of personal information to include email addresses and usernames along with a password or answers to security questions that would allow accounts to be accessed.

The bill – A-3245 – was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. An identical bill – S-52 – was passed by the Senate and Assembly in 2018, but it was not signed by then state governor Chris Christie. Current state governor Phil Murphy is expected to sign the bill.

The bill closes a gap in current laws that would allow businesses to avoid notifying consumers of breaches of online information. If online accounts are compromised, criminals can gain access to a range of sensitive information that can be used for identity theft and fraud. If an online account can be accessed by someone else as a result of a data breach, consumers have the right to be informed so they can take steps to secure their accounts.

Under the new law, breach notifications can be mailed to consumers or electronic notices can be provided. A substitute breach notice can be issued if the cost of providing notices would exceed $250,000 or if more than 500,000 individuals have been affected. In such cases, breach victims should be emailed, and a notice should be posted in a prominent position on the company’s website.

However, a business or public entity that furnishes an email account is prohibited from issuing email notifications to breached accounts and must deliver notices by other means, such as providing a conspicuous notice when the user logs into their account from an IP address or location that has previously been used by the user to access their account.

Any business or public entity found to have willfully violated state data breach notification laws can be fined up to $10,000 for a first offense and up to $20,000 for any subsequent offenses. There is also a private right of action for individuals who have suffered ascertainable losses as a result of a data breach.
