Legal News

Pennsylvania Department of Health and Insight Global Sued over 72,000-Record Data Breach

The Pennsylvania Department of Health and its COVID-19 contact tracing vendor are being sued over a breach of the personal and health data of 72,000 Pennsylvanians.

The breach in question was announced by Insight Global and the Department of Health on April 29, 2021. Insight Global, an IT service management and staffing firm, had been awarded the contract for the state’s contact tracing program and had been given access to personal and health data to provide those services.

The information was used to contact individuals potentially exposed to COVID-19 to identify and address the need for specific support services and to help slow the spread of COVID-19. Insight Global had implemented secure communication channels for its contact tracers and had security protocols in place, but it was discovered that some employees had “disregarded security protocols established in the contract and created unauthorized documents.” Those documents, including spreadsheets, had been shared between contact tracers using personal email accounts and consumer versions of cloud services such as Google Sheets, which lacked appropriate security controls. That meant sensitive information was transferred to servers outside the state’s secure data system.

Individuals whose personal information was exposed had been contacted for the purpose of contact tracing between September 2020 and April 21, 2020. The exposed data included names, emails, phone numbers, ages, genders, COVID-19 diagnoses, and individuals’ exposure status. The Department of Health has confirmed that the contract with Insight Global expires at the end of July and will not be renewed.

The Department of Health is alleged to have been aware about the breach several months before any notification was issued. State Rep. Jason Ortitay said he was made aware of the breach on April 1, 2021 and contacted the state governor to voice concerns. The governor confirmed that the matter had been raised several months previously and the claims were found to be invalid.

Now a lawsuit has been filed in Federal court against Department of Health and Insight Global. The lawsuit alleges the 72,000 individuals whose information was exposed are now at risk of identity theft, fraud, and credit problems due to the exposure of their personal data.

The lead plaintiff, Lisa Chapman from New Kensington, initiated the legal action after discovering her information had been exposed. The lawsuit alleges both the Department of Health and Insight Global were negligent for failing to implement appropriate cybersecurity procedures and did not follow industry standards for protecting the private health information of individuals. The lawsuit alleges the state Department of Health was made aware of the breach as early as November 2020 yet did not take action over the breach until April and failed to notify individuals impacted by the breach until April 29, 2021.

The lawsuit alleges documents were put in the public domain where they could have been accessed by anyone. “These documents were widely available to the public through a Google search and did not require a password, log in, or any kind of authentication in order to be viewed,” according to the lawsuit. “Insight was aware that its employees were using unsecured data storage and communications methods as early as November 2020.”

The lawsuit seeks class action status, a jury trial, equitable relief, payment of credit monitoring and identity theft protection services for several years, reimbursement of legal costs, and for the Department of Health and Insight Global to implement appropriate security measures.

While information was transferred to unsecured services where it could potentially have been accessed by unauthorized individuals, the Department of Health and Insight Global are not aware of any cases of actual or attempted misuse of any personal and health information.

The post Pennsylvania Department of Health and Insight Global Sued over 72,000-Record Data Breach appeared first on HIPAA Journal.

Pennsylvania Department of Health and Insight Global Sued over 72,000-Record Data Breach

The Pennsylvania Department of Health and its COVID-19 contact tracing vendor are being sued over a breach of the personal and health data of 72,000 Pennsylvanians.

The breach in question was announced by Insight Global and the Department of Health on April 29, 2021. Insight Global, an IT service management and staffing firm, had been awarded the contract for the state’s contact tracing program and had been given access to personal and health data to provide those services.

The information was used to contact individuals potentially exposed to COVID-19 to identify and address the need for specific support services and to help slow the spread of COVID-19. Insight Global had implemented secure communication channels for its contact tracers and had security protocols in place, but it was discovered that some employees had “disregarded security protocols established in the contract and created unauthorized documents.” Those documents, including spreadsheets, had been shared between contact tracers using personal email accounts and consumer versions of cloud services such as Google Sheets, which lacked appropriate security controls. That meant sensitive information was transferred to servers outside the state’s secure data system.

Individuals whose personal information was exposed had been contacted for the purpose of contact tracing between September 2020 and April 21, 2020. The exposed data included names, emails, phone numbers, ages, genders, COVID-19 diagnoses, and individuals’ exposure status. The Department of Health has confirmed that the contract with Insight Global expires at the end of July and will not be renewed.

The Department of Health is alleged to have been aware about the breach several months before any notification was issued. State Rep. Jason Ortitay said he was made aware of the breach on April 1, 2021 and contacted the state governor to voice concerns. The governor confirmed that the matter had been raised several months previously and the claims were found to be invalid.

Now a lawsuit has been filed in Federal court against Department of Health and Insight Global. The lawsuit alleges the 72,000 individuals whose information was exposed are now at risk of identity theft, fraud, and credit problems due to the exposure of their personal data.

The lead plaintiff, Lisa Chapman from New Kensington, initiated the legal action after discovering her information had been exposed. The lawsuit alleges both the Department of Health and Insight Global were negligent for failing to implement appropriate cybersecurity procedures and did not follow industry standards for protecting the private health information of individuals. The lawsuit alleges the state Department of Health was made aware of the breach as early as November 2020 yet did not take action over the breach until April and failed to notify individuals impacted by the breach until April 29, 2021.

The lawsuit alleges documents were put in the public domain where they could have been accessed by anyone. “These documents were widely available to the public through a Google search and did not require a password, log in, or any kind of authentication in order to be viewed,” according to the lawsuit. “Insight was aware that its employees were using unsecured data storage and communications methods as early as November 2020.”

The lawsuit seeks class action status, a jury trial, equitable relief, payment of credit monitoring and identity theft protection services for several years, reimbursement of legal costs, and for the Department of Health and Insight Global to implement appropriate security measures.

While information was transferred to unsecured services where it could potentially have been accessed by unauthorized individuals, the Department of Health and Insight Global are not aware of any cases of actual or attempted misuse of any personal and health information.

The post Pennsylvania Department of Health and Insight Global Sued over 72,000-Record Data Breach appeared first on HIPAA Journal.

Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack

The Philadelphia-based health system, Einstein Healthcare Network, is facing a class action lawsuit over an August 2020 phishing attack that resulted in multiple employee email accounts being accessed by an unauthorized individual.

Einstein Healthcare is a non-profit health system that operates four hospitals – Einstein Medical Center Philadelphia, Elkins Park Hospital, MossRehab in Elkins Park, and Einstein Medical Center Montgomery –   and multiple outpatient and primary care clinics throughout the greater Philadelphia area.

The investigation into the breach determined the email accounts were subjected to unauthorized access for 12 days between August 5 and August 17, 2020. A review of the compromised email accounts revealed they contained the protected health information of 353,616 patients, including names, dates of birth, account/medical record numbers, medical information such as diagnosis and treatment information and, for some individuals, Social Security numbers and health insurance information.

Patients affected by the breach were notified by mail starting October 9, 2020 while the incident was still being investigated, then further notifications were sent to patients between January 21 and February 8, 2021 when it became clear that more individuals had been affected.

Following the breach, the health system implemented additional security measures to prevent further breaches and retrained the workforce on how to identify suspicious emails. Individuals whose Social Security number was exposed were offered complimentary credit monitoring and identity theft protection services for 12 months.

The lawsuit was filed by law firm Morgan & Morgan with Einstein Healthcare patient Nanette Katz of Blue Bell, PA named as lead plaintiff.  The lawsuit alleges Einstein Healthcare failed to secure and safeguard the protected health information of patients and had not implemented or followed basic security procedures. As a result of that negligence, the lawsuit alleges sensitive patient information is now in the hands of cybercriminals and patients now face a substantial risk of identity theft. As a result of the breach, patients have had to spend, and will continue to have to spend, a significant amount of time and money protecting themselves against identity theft and fraud.

The lawsuit also alleges the healthcare provider failed to provide timely notifications to patients, with the lead plaintiff first receiving notification about the breach in January 2021, more than 6 months after the breach and alleged theft of her PHI. The lawsuit says the breach response was “untimely and woefully deficient, failing to provide basic details concerning the data breach.”

The lawsuit seeks monetary damages for the patient and class members, requests the courts order the health system to fully disclose details of the nature and extent of data compromised, and requires the health system to implement reasonably sufficient safeguards to prevent further data breaches in the future.

It is now relatively common for patients affected by data breaches to take legal action when their personal and protected health information is exposed or stolen; however, for these cases to succeed, victims of the data breach generally need to provide evidence that they have suffered harm. Many lawsuits are dismissed as the claims are deemed too speculative.

The nature of the harm and injuries suffered must also be sufficient to warrant damages. A recent lawsuit filed by a victim of an Envision Healthcare data breach – Pruchnicki v. Envision Healthcare Corp.- has recently been dismissed by the U.S. Court of Appeals for the Ninth Circuit.

In that case, the alleged harm and injuries were for time spent dealing with the breach, stress, nuisance, and annoyance from dealing with the aftereffects of the breach, worry, anxiety, and hesitation when applying for new credit cards, imminent and impending injury of potential fraud and identity theft, and diminution in value of the plaintiffs personal and financial information. The allegations of harm were sufficient for the District Court for standing purposes but were insufficient for compensable damages to be awarded.

The post Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack appeared first on HIPAA Journal.

NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension is growing between Russian and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR).

The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks.

The NSA, CISA, and the FBI have previously shared mitigations that can be implemented to defend against the exploitation of these vulnerabilities and patches are available to address all the software flaws. While many organizations have now patched the flaws, they may have already been exploited and networks been compromised. Steps should be taken to identify whether systems have been compromised and actions taken to mitigate the loss of sensitive information that could allow Russia to gain a strategic or competitive advantage.

The 5 software vulnerabilities most commonly exploited by the SVR hackers are:

Vulnerability Products Description Affected Versions
CVE-2018-13379 Fortinet FortiGate VPNs Unauthenticated attackers can download system files via HTTP resource requests Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
CVE-2019-9670 Synacor Zimbra Collaboration Suite XML External Entity injection (XXE) vulnerability 8.7.x before 8.7.11p10.
CVE-2019-11510 Pulse Secure VPNs An unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. PCS 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
CVE-2019-19781 Citrix Application Delivery Controller and Gateway Directory traversal vulnerability allowing an unauthenticated attacker to execute arbitrary code. Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.
CVE-2020-4006 VMware Workspace One Access Command injection vulnerability that allows an attacker with a valid password to execute commands with unrestricted privileges on the underlying operating system VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware Cloud Foundation 4.0 – 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” according to the alert (PDF).

Formal Attribution of SolarWinds Orion Supply Chain Attack

The United States government has also formally accused the Russian government of orchestrating and conducting the massive SolarWinds Orion supply chain attack, which saw the SVR gain access to around 18,000 computers worldwide and conduct more extensive attacks on cybersecurity companies of the United States and its allies – FireEye, Malwarebytes, Mimecast – and federal agencies in the United States.  Russia has also been formally accused of engaging in activities with the intent of disrupting the U.S. presidential election in November 2020.

Sanctions Imposed on Russia by President Biden

President Biden has signed an executive order blocking property and placing new restrictions of Russia’s sovereign debt to make it harder for the government to raise money. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against 16 entities and 16 individuals for their role in the campaign to influence the 2020 U.S. presidential election, under the direction of the Russian government.

All property and assets of those entities and individuals that are subject to U.S. jurisdiction have been blocked and the entities and individuals have been added to OFAC’s SDN list. U.S. persons have been prohibited from engaging in transactions with them. Russian Technology companies covered by the sanctions include SVA, Neobit, AST, Positive Technologies, Pasit, and ERA Technologies.

The post NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities appeared first on HIPAA Journal.

NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension is growing between Russian and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR).

The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks.

The NSA, CISA, and the FBI have previously shared mitigations that can be implemented to defend against the exploitation of these vulnerabilities and patches are available to address all the software flaws. While many organizations have now patched the flaws, they may have already been exploited and networks been compromised. Steps should be taken to identify whether systems have been compromised and actions taken to mitigate the loss of sensitive information that could allow Russia to gain a strategic or competitive advantage.

The 5 software vulnerabilities most commonly exploited by the SVR hackers are:

Vulnerability Products Description Affected Versions
CVE-2018-13379 Fortinet FortiGate VPNs Unauthenticated attackers can download system files via HTTP resource requests Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
CVE-2019-9670 Synacor Zimbra Collaboration Suite XML External Entity injection (XXE) vulnerability 8.7.x before 8.7.11p10.
CVE-2019-11510 Pulse Secure VPNs An unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read. PCS 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
CVE-2019-19781 Citrix Application Delivery Controller and Gateway Directory traversal vulnerability allowing an unauthenticated attacker to execute arbitrary code. Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.
CVE-2020-4006 VMware Workspace One Access Command injection vulnerability that allows an attacker with a valid password to execute commands with unrestricted privileges on the underlying operating system VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware Cloud Foundation 4.0 – 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” according to the alert (PDF).

Formal Attribution of SolarWinds Orion Supply Chain Attack

The United States government has also formally accused the Russian government of orchestrating and conducting the massive SolarWinds Orion supply chain attack, which saw the SVR gain access to around 18,000 computers worldwide and conduct more extensive attacks on cybersecurity companies of the United States and its allies – FireEye, Malwarebytes, Mimecast – and federal agencies in the United States.  Russia has also been formally accused of engaging in activities with the intent of disrupting the U.S. presidential election in November 2020.

Sanctions Imposed on Russia by President Biden

President Biden has signed an executive order blocking property and placing new restrictions of Russia’s sovereign debt to make it harder for the government to raise money. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against 16 entities and 16 individuals for their role in the campaign to influence the 2020 U.S. presidential election, under the direction of the Russian government.

All property and assets of those entities and individuals that are subject to U.S. jurisdiction have been blocked and the entities and individuals have been added to OFAC’s SDN list. U.S. persons have been prohibited from engaging in transactions with them. Russian Technology companies covered by the sanctions include SVA, Neobit, AST, Positive Technologies, Pasit, and ERA Technologies.

The post NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities appeared first on HIPAA Journal.

Adventist Health Physicians Network Fined $40,000 for Privacy Breach

Adventist Health Physicians Network in Simi Valley, California has been ordered to pay $40,000 in civil momentary penalties by the Ventura County District Attorney as part of a civil privacy settlement to resolve a patient privacy case that affected 3,797 patients.

The privacy breach occurred in 2018 and involved an impermissible disclosure of physical documents containing private and confidential medical data. The Simi Valley hospital had used a storage facility Simi Valley for storing physical patient records; however, when payments stopped being to the storage facility, the hospital lost access to the storage unit and the contents were put up for sale at a public auction in October 2018.

The individual who bought the contents of the storage unit at the auction discovered boxes of paperwork in the unit that contained the sensitive medical data of patients of Adventist Health. The hospital was notified, and the files were promptly collected and secured.

Adventist Health conducted an investigation into the incident and was satisfied that none of the information in the storage unit had been made public or further disclosed. To prevent similar incidents from occurring in the future, Adventist Health reviewed and updated its policies and procedures to ensure that physical patient records were properly safeguarded and were disposed of securely when the paperwork was no longer required.

The breach was investigated by the Consumer and Environmental Protection Unit of the Ventura County District Attorney’s Office, which determined Adventist Health had violated California Unfair Competition Law as the healthcare provider had failed to protect patient privacy, had not reasonably maintained and safeguarded medical data, and had failed to correctly dispose of confidential information.

The post Adventist Health Physicians Network Fined $40,000 for Privacy Breach appeared first on HIPAA Journal.

Roper St. Francis Healthcare Faces Class Action Lawsuit Over Data Breach

Roper St Francis Healthcare is facing a class action lawsuit over an October 2020 data breach in which patient data was allegedly stolen. The lawsuit alleges negligence for the failure to protect the private data of its patients.

Between October 14 and 29, 2020, unauthorized individuals gained access to the email accounts of three of its employees. Those accounts contained the protected health information of around 190,000 patients. PHI in the compromised email accounts included financial and medical information.

This was far from the only data breach to have affected Roper St. Francis Healthcare in the past 18 months. Prior to the October 2020 phishing attack, Roper St. Francis reported two data breaches in September, one of which was a phishing attack that affected 6,000 individuals and the other was a ransomware attack on its vendor Blackbaud, which affected around 92,963 Roper St. Francis patients. Prior to those breaches, a breach was reported on January 29, 2010 as affecting 35,253 individuals.

According to the lawsuit, “At all relevant times, Roper knew the data it stored was vulnerable to cyberattack based upon these repeated and ongoing data breaches.”

The lawsuit, which was filed by The Richter Firm, The Solomon Law Group, Slotchiver & Slotchiver, LLC and Brent Souther Halversen, LLC, seeks economic and non-economic damages for the plaintiff and class members, compensatory, consequential, and actual damages, statutory and injunctive relief, punitive damages, and reimbursement for interest, costs, and reasonable attorneys’ fees.

“We merely seek to hold Roper accountable for its continued negligent actions in allowing these preventable data breaches from happening and to compensate current and former patients for the harm inflicted,” said Attorney Brent Halversen. “We seek to provide all patients whose private data was compromised credit monitoring services as partial compensation for the harm each has suffered, not just the hand full that Roper thinks are the worst cases.”

The post Roper St. Francis Healthcare Faces Class Action Lawsuit Over Data Breach appeared first on HIPAA Journal.

SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach

SalusCare, a provider of behavioral healthcare services in Southwest Florida, experienced a cyberattack in March that saw patient and employee data exfiltrated from its systems. The exact method used to gain access to its servers has not been confirmed, although the cyberattack is believed to have started with a phishing email that was used to deliver malware. The malware was used to exfiltrated its entire database to an Amazon AWS storage account.

The attack occurred on March 16, 2021 and the investigation into the breach established that the attacker, an individual who appeared to be based in Ukraine, gained access to its Microsoft 365 environment, downloaded sensitive data, and uploaded the stolen data to two Amazon S3 storage buckets.

Amazon was notified about the illegal activity and it suspended access to the S3 buckets to stop the attacker accessing the stolen data.  SalusCare requested access to the audit logs, which it requires to continue to investigate the breach and determine exactly what data was stolen. SalusCare also wants to make sure that the suspension is permanent and will not be lifted by Amazon.

The S3 buckets may have been used to store SalusCare data, but Amazon will not voluntarily provide copies of audit logs or a copy of the data stored in the S3 buckets as they do not belong to SalusCare. The two S3 buckets are understood to include almost 86,000 files that were stolen in the attack.

To get access to the audit logs and data, SalusCare filed a lawsuit in federal court seeking injunctive relief under Florida’s Computer Abuse and Recovery Act. SalusCare seeks a ruling that will compel Amazon to provide the audit logs and a copy of the content of the two S3 buckets. SalusCare also wants the courts to order Amazon to make the suspension of access permanent to prevent the attacker from accessing the data or copying the stolen information to another online storage service. SalusCare has also sued the individual behind the attacks – John Doe.

The lawsuit argued that the data stolen in the attack and hosted by Amazon is extremely sensitive and could be used to commit identity theft, could be sold by the hacker on darknet marketplaces, or leaked to the public.

“The files contain extremely personal and sensitive records of patients’ psychiatric and addiction counseling and treatment,” explained SalusCare in its petition to the U.S. District Court in Fort Myers. “The files also contain sensitive financial information such as social security numbers and credit card numbers of SalusCare patients and employees.”

The lawsuit requests that after Amazon provides a copy of the data and audit logs to SalusCare the S3 buckets should be purged to prevent any further unauthorized access.

Amazon did not oppose any injunctive relief sought by SalusCare and The News-Press reports that a District Court federal judge granted the requests on March 25, 2021.

The post SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach appeared first on HIPAA Journal.

Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access

The former CEO of Novus and Optimum Health Services, which operates two hospices in Texas, has pleaded guilty in a fraud case that saw Medicare and Medicaid defrauded out of tens of millions of dollars through the submission of falsified health care claims.

Prerak Shah, Acting U.S. Attorney for the Northern District of Texas, recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and healthcare fraud and is now awaiting sentencing.

In addition to defrauding federal healthcare programs out of tens of millions of dollars, the actions of Harris resulted in vulnerable patients being denied the medical oversight they deserved, saw prescriptions for pain medication written without physician input for his financial benefit, and allowed terminally ill patients to go unexamined.

Harris admitted billing Medicare and Medicaid for hospice services between 2012 and 2016 that were not provided, not directed by medical professional, or were provided to individuals who were not eligible for hospice services. Harris also admitted to using blank, pre-signed prescriptions for controlled substances and providing the drugs without any involvement from physicians.

Two coconspirators – Dr. Mark Gibbs and Dr. Laila Hirjee – were paid $150 for each false order they signed and would regularly certify that hospice patients had terminal illnesses with a life expectancy of 6 months or less, without having conducted any examinations. Dr. Gibbs, Dr. Hirjee, and a third physician, Dr. Charles Leach, provided blank prescriptions for controlled substances which allowed Harris to prescribe schedule II-controlled substances to Medicare and Medicaid beneficiaries in the hospice without guidance from a medical professional.

Harris also violated the Health Insurance Portability and Accountability Act (HIPAA) Rules when he accessed the medical records of patients to identify individuals who could be contacted and offered Novus hospice services. In the summer of 2014, Harris negotiated an agreement with Express Medical which allowed him to access the medical records of potential patients in return for using the company for lab services and home health visits. Previous patients of Express Medical were then contacted by Harris’s wife and other hospice staff to recruit them, regardless of whether they were actually eligible for hospice services. This allowed Harris to recruit new hospice patients to avoid exceeding Medicare’s aggregate hospice cap.

The HHS’ Centers for Medicare and Medicaid Services received multiple reports of potential fraud and suspended Novus; however, Harris then transferred patients from Novus to a new hospice company, which then transferred reimbursements for hospice services back to Novus. Dr. Gibbs was registered as the medical director of the new hospice company.

Harris is scheduled to be sentenced on August 3, 2021 and faces up to 14 years in jail. The trial of Dr. Gibbs, Dr. Hirjee and two other coconspirators is scheduled for April 5, 2021. 10 codefendants have already pleaded guilty and are awaiting sentencing for their roles in the scam. Dr. Charles Leach previously pleaded guilty to one count of conspiracy to commit healthcare fraud in 2018, for his role in the $60 million fraud case. According to court documents, the blank prescriptions Dr. Leach signed were used to obtain controlled substances, high doses of which were then administered to patients by nurses to hasten their deaths.

“The Justice Department cannot allow unscrupulous business people to interfere with the practice of medicine. We are determined to root out healthcare fraud,” said Acting U.S. Attorney Prerak Shah. “We will continue to work tirelessly with our state and federal partners to hold those who commit health care fraud accountable and seek justice for patients that are harmed in furtherance of fraud schemes,” said FBI Dallas Special Agent in Charge Matthew DeSarno.

The post Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access appeared first on HIPAA Journal.