Legal News

Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months

A Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA Rules has been fined $1,200 and sentenced to 6 months in jail.

In October 2019, Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower and alerted the authorities about serious privacy violations by a nurse at a Savannah, GA hospital, including emailing graphic pictures of traumatic injuries of hospital patients internally and externally.

According to court documents, Parker “engaged in an intricate scheme” to frame a former acquaintance for violations of the Federal Health Insurance Portability and Accountability Act’s Privacy Rule. To back up the fake claims, Parker created multiple email accounts in the names of real patients and used those accounts to send false accusations of privacy violations. Emails were sent to the hospital where the nurse worked, the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ).

Parker also alleged that he had been threatened for his actions as a whistleblower and law enforcement took steps to ensure his safety. When questioned about the threats and the HIPAA violations, an FBI agent identified irregularities in his story and upon further questioning, Parker admitted making fake accusations to frame the former acquaintance for fictional HIPAA violations.

“Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations,” said U.S. Attorney Bobby L. Christine, when Parker was charged. “This fake complaint caused a diversion of resources by federal investigators, as well as an unnecessary distraction for an important health care institution in our community.”

Parker pleaded guilty to one count of making false statements, which carried a maximum sentence of 5 years in prison. He was sentenced to 6 months in jail by U.S. District Court Judge Lisa Godbey Wood.

“Many hours of investigation and resources were wasted determining that Parker’s whistleblower complaints were fake, meant to do harm to another citizen,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “Before he could do more damage, his elaborate scheme was uncovered by a perceptive agent and now he will serve time for his deliberate transgression.”

Parker is not eligible for parole and will serve the full term, followed by 3 years of supervised release.

The post Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months appeared first on HIPAA Journal.

Wilmington Surgical Associates Facing Class Action Lawsuit Over Netwalker Ransomware Attack

Wilmington Surgical Associates in North Carolina is facing a class action lawsuit over a Netwalker ransomware attack and data breach that occurred in October 2020.

As is now common in ransomware attacks, files were exfiltrated before the ransomware was deployed. In this case, the Netwalker ransomware gang stole 13GB of data from two Wilmington Surgical Associates servers that were used for administrative purposes. Some of the stolen data was published on the threat actors’ data leak site, where it could be accessed by anyone.

The leaked data was spread across thousands of files and included financial information related to the practice, employee information, and patient data such as photographs, scanned documents, lab test results, Social Security numbers, health insurance information, and other sensitive patient information.

Wilmington Surgical Associates sent notifications to affected individuals in December 2020 and reported the data breach to the HHS’ Office for Civil Rights on December 17, 2020 as affecting 114,834 patients.

The lawsuit – Jewett et al. v. Wilmington Surgical Associates – was filed by Rhine Law Firm; Morgan & Morgan; and Mason Lietz & Klinger on February 10, 2021 and was recently removed to the US District Court for the Eastern District of North Carolina.

Plaintiffs Katherine Teal, Sherry Bordeaux, and Philip Jewett allege in the lawsuit that their sensitive personal and health information is now in the hands of cybercriminals, which places them at an elevated risk of identity theft and fraud and other damages such as the lowering of credit scores and higher interest rates. The plaintiffs also allege they have suffered ascertainable losses as a result of the security incident in terms of out-of-pocket expenses and time spent remediating the effects of the data breach.

The lawsuit alleges Wilmington Surgical Associates was negligent for failing to adequately safeguard patient data when it had been put on notice about the elevated risk of ransomware attacks. In addition, it is alleged that the North Carolina healthcare provider failed to adequately monitor its systems for network intrusions and failed to provide timely breach notifications to patients and adequate information on the types of information compromised in the attack.

The plaintiffs seek reimbursement of out-of-pocket expenses, compensation for time spent dealing with the aftereffects of the breach, restitution, injunctive relief, and adequate credit monitoring services for breach victims. The lawsuit also asks the court to order Wilmington Surgical Associates to improve its data security and undergo annual security audits.
21st Century Oncology Data Breach Settlement Receives Preliminary Approval

A settlement proposed by 21st Century Oncology to resolve a November 2020 class action lawsuit has received preliminary approval from the court. The class action lawsuit was filed in District Court for the Middle District of Florida on behalf of victims of a 2015 cyberattack that potentially affected 2.2 million individuals.

21st Century Oncology was notified about a breach of its systems by the Federal Bureau of Investigation on November 13, 2015. An unauthorized individual had gained access to its network and may have accessed or obtained one of its databases on October 3, 2015. The database contained patients’ names, diagnoses, treatment information, Social Security numbers, and insurance information. Notifications to affected individuals were delayed at the request of the FBI so as not to interfere with the investigation. Patients affected by the breach started to be notified in March 2016.

The Department of Health and Human Services’ Office for Civil Rights launched an investigation into the breach and found potential HIPAA violations. 21st Century Oncology settled the case in December 2017 with no admission of liability and agreed to pay a $2.3 million penalty.

The class action lawsuit sought compensation for breach victims who suffered losses as a result of the breach, including reimbursement of out-of-pocket expenses, time spent attempting to remedy issues, and losses to identity theft and fraud.

Under the terms of the proposed settlement, all victims of the breach will be entitled to claim two years of credit monitoring and identity theft protection services through Total Identity, which may be deferred for up to two years.

In addition, the 21st Century Oncology settlement will reimburse breach victims for time spent remedying issues fairly traceable to the data breach. A default claim, requiring no documentation, is based on two hours at $20 per hour, for a maximum of $40. Alternatively, a claim can be made for documented time spent, up to 13 hours at $20 per hour, for a maximum of $260.

Any individual who can provide proof of out-of-pocket expenses incurred as a result of the breach or documented fraud will be entitled to submit a claim up to $10,000.

All individuals notified about the breach in or around March 2016 are covered by the settlement and can submit a claim. The deadline for submitting a claim is May 10, 2021. Any class member who wishes to object to or exclude themselves from the settlement has until March 9, 2021 to do so.

While the court has granted preliminary approval of the settlement, final approval has not yet been granted. A fairness hearing has been scheduled for June 15, 2021.
Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack

US Fertility is facing a class action lawsuit over a September 2020 ransomware attack and data breach that affected 878,550 individuals.

US Fertility provides IT platforms and administrative, clinical, and business information services, and is one of the largest providers of support services to infertility clinics in the United States. On September 14, 2020, US Fertility discovered ransomware had been used to encrypt files on its network. The investigation revealed the threat actors behind the attack exfiltrated files between August 12 and September 14, 2020, some of which contained protected health information.

The types of data obtained by the hackers included names, addresses, dates of birth, driver’s license and state ID numbers, passport numbers, medical treatment/diagnosis information, medical record information, health insurance and claims information, credit and debit card information, and financial account information.

The class action lawsuit, brought by Plaintiffs Alec Vinsant and Marla Vinsant, alleges US Fertility failed to implement adequate data security measures which caused them to suffer irreparable harm and placed them at an increased risk of identity theft and fraud.

The harm suffered by the breach victims that the lawsuit seeks to address includes the theft of personal data and its exposure to cybercriminals, unauthorized charges on credit/debit card accounts, costs associated with the detection and prevention of identity theft and unauthorized use of financial accounts, damages due to accounts being suspended or rendered unusable, inability to withdraw funds, costs and time associated with mitigating the breach and preventing future negative consequences, and imminent and impending injury from potential fraud and identity theft as a result of personal information being sold on the dark web.

Class action lawsuits routinely allege harm, but many fail because the plaintiffs cannot show evidence of injuries or losses sustained as a direct result of the data breach. That was the fate of the proposed class action lawsuit against Brandywine Urology, which was recently dismissed by the Delaware Superior Court. Whether this lawsuit succeeds is likely to depend largely on whether the plaintiffs can provide sufficient evidence that they have suffered actual harm due to the ransomware attack and data breach.

Plaintiff Alec Vinsant alleges someone used his Social Security number to fraudulently apply for unemployment benefits in Nevada one month after the data breach occurred and plaintiff Marla Vinsant said her credit score had unexpectedly fallen by 50 points following the attack.

The lawsuit alleges US Fertility was on notice that the healthcare industry was being targeted by ransomware gangs and was aware of the need to encrypt data, yet failed to do so, and US Fertility failed to comply with Federal Trade Commission requirements for data security. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and violations of the Nevada Deceptive Trade Practices Act.

The lawsuit seeks class action status, a jury trial, damages for plaintiffs and class members, reimbursement of out-of-pocket expenses and legal costs, and other relief. The lawsuit also asks the court to require US Fertility to implement proper data security policies and practices, including encryption of sensitive data, deletion or destruction of class members’ PII, proper network segmentation, penetration tests, further security awareness training for the entire workforce, and third-party security audits, database scanning, and firewall tests.
Hospital Researcher Jailed for Stealing and Selling Research Data to China

A woman who worked in a medical research lab at the Nationwide Children’s Hospital in Columbus, OH has been jailed for stealing sensitive research data and selling the information to the People’s Republic of China.

Li Chen, 47, and her husband Yu Zhou, 50, were both employed as medical researchers and worked in separate labs at the hospital’s Research Institute for more than 10 years. The former Dublin, OH residents were arrested in California in July 2019 and were subsequently charged over the alleged theft of cutting-edge scientific research.

Zhou was working on a novel technique that allowed exosomes to be isolated from small quantities of blood. Exosomes are used in the research, identification, and treatment of several medical conditions, such as necrotizing enterocolitis. The novel exosome isolation method was a vital process in the research into necrotizing enterocolitis, as the condition affects premature babies and only small blood samples can be taken safely.

The couple set up a company in China, stole at least five trade secrets related to exosome isolation, and monetized them by creating and selling exosome isolation kits. They also provided the stolen research to China and received benefits from the State Administration of Foreign Expert Affairs and the National Natural Science Foundation of China. Chen also applied to several Chinese government talent plans, which are used to transfer foreign research and technology to the Chinese government.

“For far too long, the People’s Republic of China (PRC) has encouraged the outright theft of American trade secrets through Chinese government programs that reward researchers for stealing what China cannot produce through its own ingenuity,” said Assistant Attorney General John C. Demers for the National Security Division. “These programs, like the Thousand Talents, are not innocuous platforms for academic collaboration.”

In July 2020, Chen pleaded guilty to conspiracy to commit wire fraud and the theft of scientific trade secrets for personal financial gain. Chen was recently sentenced to a 30-month jail term and, as part of her plea deal, agreed to pay $2.6 million in restitution, and forfeit around $1.4 million, 500,000 shares of common stock of Avalon GloboCare Corp. and 400 shares of common stock of GenExosome Technologies Inc. Zhou also pleaded guilty to conspiracy to commit wire fraud and is currently awaiting sentencing.

“The FBI will not stop its efforts to identify people who steal technology for their own financial benefit or for the benefit of a foreign government,” said Assistant Director Alan E. Kohler Jr. of the FBI’s Counterintelligence Division.

Chinese Government Targeting Health and Genetic Data of U.S. Citizens

China is not only trying to obtain sensitive medical research data. The National Counterintelligence and Security Center (NCSC) has recently drawn attention to efforts by China to obtain the healthcare data and DNA sets of Americans through cyberattacks, and partnerships between Chinese companies and U.S. states and healthcare organizations.

National security laws in China require all Chinese companies to share any data they collect with the government. According to the NCSC, by 2019, 15 Chinese companies had been licensed to conduct genetic testing or genetic sequencing on patients in the United States. They had access to genetic data that could have been provided to the Chinese government.

The NCSC said genetic and healthcare data are being used to advance China’s AI and precision medicine industries, while foreign companies are prevented from accessing the medical data of China’s own citizens. “Over time, this dynamic could allow China to outpace U.S. biotech firms with important new drugs and health treatments and potentially displace American firms as global biotech leaders,” explained the NCSC in a February 2021 report.
Brandywine Urology Consultants Data Breach Lawsuit Dismissed Due to Lack of Harm

A lawsuit filed on behalf of victims of a Brandywine Urology Consultants data breach has been dismissed by the Delaware Superior Court after plaintiffs failed to provide evidence demonstrating they had suffered harm as a result of the breach.

Brandywine Urology Consultants experienced a ransomware attack on January 27, 2020. The attack was detected two days later, and the subsequent investigation confirmed the attackers had access to a network that contained patient information.

Brandywine Urology Consultants concluded from its investigation that the attack was conducted to extort money rather than to obtain patient data, although unauthorized data access and data theft could not be ruled out. The attackers potentially accessed the protected health information of 130,000 patients, and may have viewed or obtained names, medical record numbers, Social Security numbers, financial data, claims data, and other information.

The lawsuit was filed in May 2020 alleging Brandywine Urology Consultants was negligent for failing to prevent the attack, had breached its fiduciary duty, and was in violation of the Delaware Computer Security Breach Act and the Delaware Consumer Fraud Act.

The lawsuit alleged victims of the breach were at imminent risk of harm, had suffered a loss of privacy, anxiety as a result of the theft of their protected health information, a failure to receive the benefit of a bargain, and disruption to medical care. The lawsuit sought damages to cover the cost of mitigations and out of pocket expenses that had been incurred.

Brandywine Urology Consultants filed a motion to dismiss the lawsuit due to lack of standing. The defendant claimed the plaintiffs failed to allege an injury in fact, the economic loss doctrine bars any recovery, and the court lacked subject matter jurisdiction for the breach of fiduciary duty claim.

Brandywine Urology Consultants further argued that the Delaware Computer Security Breach Act claim failed because it had satisfied the statute’s notice requirement, and that the Delaware Consumer Fraud Act claim should be dismissed because the plaintiffs failed to state a claim under the statute.

“A plaintiff alleging that it will suffer future injuries from a defendant’s allegedly improper conduct must show that such injuries are certainly impending,” and must demonstrate “a likelihood that the injury will be redressed by a favorable decision,” said the Honorable Mary M. Johnston in the ruling.

Given that the plaintiffs were unable to provide evidence of harm, that there was only a possibility their sensitive data had been compromised, and that the defendant had taken swift and appropriate measures to investigate and mitigate the breach, the motion to dismiss was granted.

While the plaintiffs claimed to have incurred expenses as a result of the breach, the judge ruled that costs incurred in response to a speculative threat are not sufficient, in themselves, to create an injury sufficient to confer standing.
Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data

On January 28, 2021, Democratic lawmakers introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure data security measures are applied to COVID-19-related health data collected for public health purposes.

The Public Health Emergency Privacy Act was introduced by Sens. Mark Warner, D-Va., and Richard Blumenthal, D-Conn., and Reps. Anna Eshoo, D-CA, Jan Schakowsky, D-IL, and Suzan DelBene, D-WA. It would establish strong, enforceable privacy and data security rights for health information.

“Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” said Sen. Blumenthal. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19.”

The Public Health Emergency Privacy Act would impose strict privacy protections to ensure that any health data collected for public health purposes is only ever used to achieve the public health purpose for which it was collected.

The Public Health Emergency Privacy Act restricts the use of data collected for public health purposes to public health uses, prohibits the use of the data for discriminatory, unrelated, or intrusive purposes, and prevents government agencies that play no role in public health from misusing the data.

The Act requires data security and data integrity protections to be applied to safeguard health data, for the data collected to be restricted to the minimum necessary information to achieve the purpose for which it is collected and requires tech firms to ensure the data is deleted once the public health emergency is over.

The Act would protect Americans’ voting rights by prohibiting conditioning the right to vote on any medical condition or on the use of a contact tracing app. It would also give Americans control over their participation in public health efforts by ensuring transparency and requiring opt-in consent, and would require regular reports on the impact of digital collection tools on civil rights.

The Public Health Emergency Privacy Act will not supersede the requirements of HIPAA, the Privacy Act of 1974, or federal and state medical record retention and health information privacy regulations.

“Strong privacy protections for COVID health data will only be more vital as we move forward with vaccination efforts and companies begin experimenting with things like ‘immunity passports’ to gate access to facilities and services,” said Sen. Warner. “Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations and discriminatory uses of health data could become the new status quo in health care and public health.”

This is not the first time legislation of this nature has been proposed. A similar bill was introduced in 2020, but it failed to win congressional support.
Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Consent

A lawsuit has been filed against Burr Ridge, IL-based Easy Healthcare Corp. over the alleged sharing of sensitive user data with third-party firms based in China.

Easy Healthcare Corp is the developer of Premom, a popular smartphone fertility app for tracking users’ ovulation cycles to identify their most fertile days. The lawsuit alleges a range of sensitive user data has been shared with at least three Chinese companies without obtaining users’ consent. Since the data is stored on servers in China, the lawsuit alleges sensitive information could potentially be accessed or seized by the Chinese government.

The data transmitted to the Chinese companies includes sensitive healthcare information, geolocation data, user and advertiser IDs, device activity data, and device hardware identifiers. Because the hardware identifiers never change, combining them with the location and time at which each was observed would allow data collectors to reconstruct app users’ activities.

Identifiers shared with the Chinese firms include Wi-Fi media access control (MAC) addresses, which are unique identifiers for network interface controllers; router MAC/BSSID addresses, which can be resolved to a geographical location; and router SSIDs (Service Set Identifiers), which provide information about the Wi-Fi networks a user connects to. From such data it is also possible to infer users’ interests, health, political views, religion, and other sensitive information.
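The linkage problem described above, as an added illustration that is not part of the original article or of the Premom app’s code: the records, MAC and BSSID values, field names, and the BSSID-to-place lookup below are all constructed (the lookup stands in for the public wardriving/geolocation databases that map access-point BSSIDs to coordinates). The example goes slightly beyond the text by also showing that an unsalted hash of the MAC is just as linkable as the raw value, because what matters is that the identifier stays constant across observations, not what it looks like.

```python
"""Added example: why stable device/router identifiers are linkable.

Nothing here is taken from the Premom app or the lawsuit; every record,
MAC, BSSID and place name is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
import hashlib
import secrets

# Constructed SDK telemetry records: the device's Wi-Fi MAC, the access
# point's BSSID and SSID, and when the observation was reported.
RECORDS = [
    {"device_mac": "3c:22:fb:01:02:03", "bssid": "a4:2b:8c:aa:bb:01", "ssid": "HomeNet",      "ts": "2021-02-01T07:10:00Z"},
    {"device_mac": "3c:22:fb:01:02:03", "bssid": "a4:2b:8c:aa:bb:02", "ssid": "Clinic-Guest", "ts": "2021-02-01T09:30:00Z"},
    {"device_mac": "3c:22:fb:01:02:03", "bssid": "a4:2b:8c:aa:bb:03", "ssid": "OfficeWiFi",   "ts": "2021-02-01T11:00:00Z"},
    {"device_mac": "3c:22:fb:09:09:09", "bssid": "a4:2b:8c:aa:bb:01", "ssid": "HomeNet",      "ts": "2021-02-01T19:00:00Z"},
]

# Assumed BSSID -> place lookup, standing in for a BSSID geolocation database.
BSSID_PLACES = {
    "a4:2b:8c:aa:bb:01": "residence",
    "a4:2b:8c:aa:bb:02": "clinic",
    "a4:2b:8c:aa:bb:03": "workplace",
}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconstruct_trails(records, key="device_mac"):
    """Group observations by the value of `key` and order each group in time.

    Returns {identifier: [(timestamp, place, ssid), ...]}. The length of a
    trail is how much of one person's day that identifier ties together.
    """
    trails = defaultdict(list)
    for r in records:
        place = BSSID_PLACES.get(r["bssid"], "unknown")
        trails[r[key]].append((_parse_ts(r["ts"]), place, r["ssid"]))
    return {k: sorted(v) for k, v in trails.items()}


def pseudonymize(records):
    """Replace the MAC with an unsalted SHA-256 digest of it.

    A deterministic pseudonym is still a stable identifier: it yields exactly
    the same trails as the raw MAC, so this is not anonymisation.
    """
    return [{**r, "device_mac": hashlib.sha256(r["device_mac"].encode()).hexdigest()}
            for r in records]


def rotate_identifiers(records):
    """Replace the MAC with a fresh random token per observation.

    Models per-session (or per-app, resettable) identifiers: with nothing
    constant across observations, the collector cannot link them into a trail.
    """
    return [{**r, "device_mac": secrets.token_hex(16)} for r in records]


def longest_trail(records, key="device_mac"):
    """Number of observations the most-linkable identifier ties together."""
    return max(len(v) for v in reconstruct_trails(records, key).values())


if __name__ == "__main__":
    for label, recs in [("raw MAC", RECORDS),
                        ("sha256(MAC)", pseudonymize(RECORDS)),
                        ("per-session token", rotate_identifiers(RECORDS))]:
        print(f"{label:18s} longest trail = {longest_trail(recs)} observations")
    for ident, trail in reconstruct_trails(RECORDS).items():
        print(ident, " -> ".join(f"{p}@{t:%H:%M}" for t, p, _ in trail))
```

Run stand-alone, the raw and hashed MAC both tie the first device to residence, clinic and workplace in order, while the rotated tokens leave four unlinkable single observations. The same grouping works on the `bssid` column, which is why a stable router identifier exposes every household member who connects to that access point, not just the app user.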

The lawsuit alleges user data was sent to Jiguang (Aurora Mobile Ltd), Umeng, and UMSNS, which provide activity analysis, precision marketing, financial risk control, and location-based analysis services to their clients.

According to the lawsuit, the Premom privacy policy states, “We will not share or sell your personal data to advertising platforms, data brokers, or information resellers,” so the sharing of the data is in direct violation of those policies. While the privacy policy does state that non-identifiable user data may be collected, users are told that the information would not be shared with outside parties without user consent.

The plaintiff discovered that her personal data had been shared with the three Chinese companies for three years without her knowledge or consent. She claims to have been deceived by Easy Healthcare as she was not informed that her data would be provided to the Chinese entities. The lawsuit also alleges Easy Healthcare shared the data in exchange for monetary compensation and that the firm has been misrepresenting its data sharing practices, in what the lawsuit says is “an unfair, immoral, and unscrupulous business practice.” The lawsuit also claims user data is recorded whenever users unlock or use their phone, even if they are not using the app, which is in violation of Google Play’s developer policies.

The lawsuit was filed a few months after a bipartisan group of senators wrote to the Federal Trade Commission (FTC) to request an investigation of the data security and privacy practices of the Premom app, following the discovery of unauthorized data sharing by the watchdog group International Digital Accountability Council.

The lawsuit was filed in the US District Court for the Northern District of Illinois, Eastern Division, and seeks class action status and damages for app users. The lawsuit also calls for Easy Healthcare to stop sharing user data with third-party companies without first obtaining consent from app users. Easy Healthcare has denied any wrongdoing.

Premom is not the only health app found to be sharing user data without obtaining informed consent from app users. The FTC settled a data privacy and security case with Flo Health in January 2021 after it was discovered to have misrepresented privacy practices for its fertility app and shared user data with a data analytics company without consent. Flo Health was ordered to review and revise its privacy policies and obtain consent from app users prior to sharing their data.
Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients.

One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals which was obtained by the hackers through Blackbaud’s donor management software solution.

The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence.

Blackbaud discovered the ransomware attack in May 2020. The company’s investigation revealed the hackers had access to the fundraising databases of its healthcare clients between February 7 and June 4, 2020. Blackbaud said the hackers were expelled from the network as soon as the breach was discovered, but that a subset of client data had already been obtained by the attackers.

Blackbaud took the decision to pay the ransom to ensure the stolen data was deleted. Assurances were received from the attackers that the data had been permanently destroyed. In its breach notification letters, Rady explained that the types of information potentially obtained by the hackers included patients’ names, addresses, dates of birth, physicians’ names, and the department where medical services were provided.

The lawsuit alleges Rady cannot reasonably maintain that the hackers destroyed the plaintiffs’ personal information. According to the complaint, “On information and belief, Blackbaud has not provided verification or further details regarding the disposition of the data to confirm that the stolen data has been destroyed.” The lawsuit also alleges neither Rady nor Blackbaud are aware how the hackers exfiltrated data, and whether it was transmitted in a secure manner and could not have been intercepted by other individuals.

According to the lawsuit, Rady had the necessary resources to protect patient data but neglected to implement appropriate security. The plaintiffs seek compensation, long-term protection against identity theft and fraud, and a court order to enforce changes to Rady’s security policies to ensure breaches such as this one, and several others cited in the complaint, do not happen again.

Blackbaud is also facing multiple class action lawsuits over the breach. At least 23 putative class action lawsuits have been filed against Blackbaud, according to its 2020 Q3 quarterly filing with the U.S. Securities and Exchange Commission. The lawsuits have been filed in 17 federal courts, 4 state courts, and 2 Canadian courts. Each alleges victims of the breach have suffered harm as a result of the theft of their personal data.

Blackbaud also said more than 160 claims have been received from its customers and their attorneys in the U.S., U.K., and Canada. Blackbaud is also being investigated by government agencies and regulators, including 43 state Attorneys General and the District of Columbia, the Department of Health and Human Services, the Federal Trade Commission, the Office of the Privacy Commissioner of Canada, and the U.K. data protection authority, the Information Commissioner’s Office.