Legal News

Mass General Brigham Settles ‘Cookies Without Consent’ Lawsuit for $18.4 Million

An $18.4 million settlement has been approved that resolves a class action lawsuit against Mass General Brigham over the use of cookies, pixels, website analytics tools, and associated technologies on several websites without first obtaining the consent of website visitors.

The defendants in the case operate informational websites that provide information about the healthcare services they provide and the programs they operate. Those websites can be accessed by the general public and do not require visitors to register or create accounts.

The lawsuit was filed against Partners Healthcare System, now Mass General Brigham, by two plaintiffs – John Doe and Jane Doe – who alleged the websites contained third party analytics tools, cookies, and pixels that caused their web browsers to divulge information about their use of the Internet, and that the information was transferred and sold to third parties without their consent.

While it is normal for websites to use third-party analytics tools like those on the defendants’ websites, the plaintiffs alleged they were not informed that their information would be collected and transferred and that they did not provide consent to have their data harvested.

The defendants denied any wrongdoing or liability and maintained the plaintiffs and class members suffered no damages or injuries as a result of visiting the websites. No protected health information was disclosed, there was no data breach, and the defendants denied all allegations in the class action lawsuit; however, the plaintiffs maintained they were prepared to vigorously defend the lawsuit and the decision was taken to settle the case to avoid the costs and uncertainty of a trial and any related appeals.

The settlement names 38 healthcare providers including Massachusetts General Hospital, Brigham and Women’s Hospital, Dana-Farber Cancer Institute, and Wentworth-Douglass Hospital, and covers visitors to the website between May 23, 2016, and July 31, 2021. The $18.4 million settlement will cover attorneys’ fees and other expenses, and class members are eligible to receive a payment of up to $100, based on the number of claims filed.

The post Mass General Brigham Settles ‘Cookies Without Consent’ Lawsuit for $18.4 Million appeared first on HIPAA Journal.

Accellion Proposes $8.1 Settlement to Resolve Class Action FTA Data Breach Lawsuit

The Palo Alto, CA-based technology firm Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit filed on behalf of victims of the December 2020 cyberattack on the Accellion File Transfer Appliance (FTA).

The Accellion FTA is a legacy solution that is used for securely transferring files that are too large to be sent via email. The Accellion FTA had been in use for more than 20 years and was at end-of-life, with support due to end on April 30, 2021. Accellion had developed a new platform, Kiteworks, and customers were encouraged to upgrade from the legacy solution; however, a significant number of entities were still using the FTA solution at the time of the cyberattack.

In December 2020, two previously unknown Advanced Persistent Threat (APT) groups linked to FIN11 and the CLOP ransomware gang exploited unaddressed vulnerabilities in the Accellion FTA, gained access to the files of its clients, and exfiltrated a significant amount of data. Following the breach, four vulnerabilities associated with the breach were disclosed and issued CVEs.

Accellion clients affected by the breach included banks, law firms, universities, and healthcare organizations. Many of the files belonging to healthcare organizations contained sensitive patient and health plan member data. Healthcare organizations affected by the breach include Health Net Community Solutions, Health Net of California, California Health & Wellness, Trinity Health, The University of California, Stanford University School of Medicine, University of Miami Health, Kroger, Trillium, Community Health Plan, Arizona Complete Health, CalViva Health, and Health Employees’ Pension Plan.

Following the attack, several lawsuits were filed against Accellion and its clients over the data breach. The class action lawsuit against Accellion alleged the company had failed to implement and maintain appropriate data security practices to protect the sensitive data of its clients, failed to detect security vulnerabilities in the Accellion FTA, failed to disclose its security practices were inadequate and failed to prevent the data breach. As a result of the attack, highly sensitive information was stolen, including names, contact information, dates of birth, Social Security numbers, driver’s license numbers, and healthcare data.

Accellion denied all of the allegations in the lawsuit and accepts no liability for the data breach. The company said in the settlement agreement that it is not responsible for managing, updating, and maintaining customers’ instances of the FTA software. Accellion also said the company does not collect any customer data, does not access the content of files shared or stored via the FTA solution, and provided no guarantees to customers that the FTA software was secure.

It is unclear how many individuals will be covered by the settlement, but the number is certainly in excess of 9.2 million individuals. Accellion will attempt to obtain up-to-date contact information for those individuals in order to send notices of the proposed settlement. The proposed settlement includes a cash fund of $8.1 million to cover claims, notices, administration costs, and service awards to affected users of the Accellion FTA. $4.6 million of the fund will be made available within 10 days, with the remainder made available within 10 days of the settlement being approved.

Affected individuals will be entitled to sign up for 24 months of three-bureau credit monitoring and insurance services, or receive reimbursement for documented losses up to a maximum value of $10,000, or receive a cash payment, which is expected to be in the region of $15 to $50. Accellion will also fully retire the Accellion FTA and take steps to ensure the security of its replacement Kiteworks solution. Those measures include increasing its bug bounty program, maintaining FedRAMP certification, employing individuals with responsibility for cybersecurity, providing cybersecurity training to its workforce, and undergoing regular assessments to confirm continued compliance with the cybersecurity measures outlined in the settlement.

The proposed settlement will resolve all claims against Accellion only. There are still lawsuits and settlements outstanding against clients affected by the breach. The supermarket chain Kroger has proposed a $5 million settlement to resolve lawsuits filed on behalf of the 3.8 million employees and customers affected by the breach.

The post Accellion Proposes $8.1 Settlement to Resolve Class Action FTA Data Breach Lawsuit appeared first on HIPAA Journal.

EHR Vendor Facing Class Action Lawsuit Over 320,000-Record Data Breach

QRS, a Tennessee-based healthcare technology services company and EHR vendor, is facing a class action lawsuit over an August 2021 cyberattack in which the protected health information (PHI) of almost 320,000 patients was exposed and potentially stolen.

The investigation into the data breach confirmed a hacker had gained access to one of its dedicated patient portal servers between August 23 and August 26, 2021, and viewed and possibly obtained files containing patients’ PHI. Sensitive data stored on the server included patients’ names, addresses, birth dates, usernames, medical information, and Social Security numbers. QRS started sending notification letters to affected individuals in late October and offered identity theft protection services to individuals who had their Social Security number exposed.

On January 3, 2022, Matthew Tincher, a Frankfurt, KY resident, filed a class action complaint in the U.S. District Court for the Eastern District of Tennessee against QRS. The lawsuit alleges QRS was negligent for failing to reasonably secure, monitor, and maintain the PHI and personally identifiable information (PII) stored on its patient portal.

As a result of those failures, the lawsuit alleges Tincher and class members have suffered actual, concrete, and imminent injury, including present injury and damages from identity theft, loss or diminished value of their PHI and PII, and have incurred out-of-pocket expenses from attempting to remedy the exposure of their sensitive information and have had to spend time mitigating the effects of the unauthorized data access. They also face a continued and increased risk to their PHI and PII, which were unencrypted and remain available to unauthorized parties to access and abuse.

The lawsuit also takes issue with the speed at which QRS issued breach notification letters, which were issued almost 2 months after the discovery of the breach. During those two months, the plaintiffs and class embers were unaware they had been placed at significant risk of identity theft, fraud, and personal, social, and financial harm.

The lawsuit alleges QRS had a responsibility to ensure the PHI and PII within its patient portal were appropriately protected, and the breach of its duties to protect that information amounts to negligence and/or recklessness, which violates federal and state statutes. The lawsuit claims QRS signed business associate agreements (BAAs) with its healthcare provider clients, so was aware or should have been aware of its responsibilities to ensure PHI was protected against cyberattacks. The lawsuit also lists cybersecurity measures recommended by the Cybersecurity and Infrastructure Security Agency (CISA) which should have been implemented in that regard and maintains QRS should have been aware of the high risk of being attacked due to the large number of healthcare data breaches that have been reported in recent years.

Lawsuits are often filed against healthcare organizations over data breaches that exposed sensitive information. Whether the lawsuits succeed often depends on whether the plaintiffs are able to demonstrate they have suffered actual harm as a direct consequence of the data breach. Tincher claims to have been notified about the breach on October 22, 2021, and within 3 days was the victim of actual identity theft, and that it is more likely than not that his sensitive information was exfiltrated from the QRS patient portal during the data breach.

The lawsuit alleges the total damages incurred by the plaintiff and class members exceed the minimum $5 million jurisdictional amount required by the Court, and that the Court has jurisdiction over the defendant because QRS operates and is incorporated in the district. The plaintiff and class members seek a jury trial, unspecified damages, and injunctive and equitable relief.

The post EHR Vendor Facing Class Action Lawsuit Over 320,000-Record Data Breach appeared first on HIPAA Journal.

BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach

A Florida specialty pharmacy is facing a class action lawsuit over an October 2021 cyberattack in which the personally identifiable information (PII) and protected health information (PHI) of up to 350,000 patients were stolen.

Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services said a hacker had access to its network from October 25, 2021, until November 11, 2021, and during that time viewed files containing sensitive patient data. A computer forensics firm investigated the breach and confirmed patient data had been accessed. Since it was not possible to determine how many patients had been affected, the decision was taken to send notification letters to all 350,000 patients on or around December 10, 2021, one month after the breach was discovered.

Data potentially compromised in the attack included names, contact information, dates of birth, medical record numbers, health insurance and claims information diagnoses, prescription information, and Social Security numbers. Affected individuals were offered a 12-month subscription to credit monitoring services at no cost.

In late December, BioPlus patient Bonnie Gilbert and her attorneys filed a lawsuit in the U.S. District Court of the Middle District of Florida alleging BioPlus had violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to ensure the confidentiality, integrity, and availability of the PHI of its patients.

The lawsuit alleges negligence for failing to maintain reasonable data security safeguards, failing to implement industry-standard data security practices, and failing to exercise reasonable care in the hiring and supervision of its employees and agents. The lawsuit also claims BioPlus failed to detect the attack and the exfiltration of sensitive data from its network, and delayed breach notifications. The lawsuit claims that if a reasonable amount of care had been taken and appropriate data security measures had been in place, the attack could have been detected sooner and/or prevented.

The lawsuit alleges the plaintiff and class members have suffered “numerous actual and imminent injuries” as a direct result of the data breach, including the theft of their PII and PHI, invasion of privacy, a reduction in the economic value of their PII and PHI, emotional distress and stress, and a significant present and future risk of identity theft and financial fraud, as well as incurring costs attempting to mitigate and deal with the consequences of the data breach.

The lawsuit seeks class action certification, a jury trial, injunctive relief, declaratory relief, and monetary damages. The plaintiff is represented by Morgan & Morgan and Markovits, Stock, & DeMarco LLC.

The post BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach appeared first on HIPAA Journal.

Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General

The Rhode Island Public Transit Authority (RIPTA) has recently notified the Department of Health and Human Services’ Office for Civil Rights about a data breach involving the protected health information (PHI) of 5,015 members of its group health plan.

RIPTA explained in a breach notice on its website that the cyberattack was detected and blocked on August 5, 2021, and the forensic investigation determined hackers had access to its network from August 3, 2021. A comprehensive review of files on the compromised parts of its network identified files related to the RIPTA health plan, which were found to contain the names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information of health plan members. It was also confirmed that those files had been exfiltrated from its systems by the attackers.

RIPTA sent notification letters to affected individuals on December 22, 2021, and offered a complimentary membership to Equifax’s identity monitoring services. RIPTA also explained in its website breach notice that it has implemented additional security measures to prevent further data breaches.

In the days following the mailing of notification letters, the office of the Rhode Island attorney general received a high number of calls from individuals who had received a notification letter who had no direct connection to RIPTA informing them that their personal and health information had been compromised in the data breach. Several complaints were also made to the Rhode Island American Civil Liberties Union (ACLU).

On December 28, 2021, Steve Brown, Executive Director of the Rhode Island ACLU, wrote to Scott Avedisian, CEO of RIPTA seeking answers about the data breach and why the personal data of individuals with no relationship whatsoever with RIPTA had been notified about the breach. Brown also said in the letter that “The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it.”

The public notice on the RIPTA website made two references to a breach of RIPTA health plan data, specifically stating the breach involved “the personal information of our health plan” and “files pertaining to RIPTA’s health plan.” Brown said the letters are “extremely misleading and seriously downplays the extensive nature of the breach.” Brown said all of the complainants said they had never been employed by RIPTA and some even said they had never even ridden on a RIPTA bus.

Further, the breach notice submitted to the HHS’ Office for Civil Rights indicates 5,015 health plan members were affected, when the notification letters stated the breach affected 17,378 individuals in Rhode Island, which raises the question of why RIPTA was storing the data of an additional 12,363 individuals.

Brown also pointed out that the notification letters explained the breach was detected on August 5, 2021, yet it took RIPTA two and a half months to identify the individuals that had been affected, and then a further two months for notification letters to be issued.

RIPTA senior executive Courtney Marciano explained to the Providence Journal that the files obtained by the hackers included the data of individuals with no connection to RIPTA because RIPTA’s previous health insurance provider had sent files that contained the personal and health data of individuals with no connection to RIPTA. RIPTA had previously used UnitedHealthcare for its group health plan but then switched to Horizon BlueCross/Blue Shield of Rhode Island. The files sent to RIPTA by UnitedHealthcare allegedly contained details of health claims of all state employees.

The reason for the delay in issuing notifications was explained as being due to the labor-intensive process of determining which individuals had been affected and verifying contact information, and also sorting through the files to determine which claims were for current or former RIPTA employees.

Rhode Island Attorney General Peter Neronha told The Providence Journal that he will be opening an investigation into the data breach to determine if any state laws have been violated, such as the Identity Theft Protection Act of 2015. The HHS’ Office for Civil Rights may also choose to investigate UnitedHealthcare over the apparent impermissible disclosure of the PHI of state employees to RIPTA. The OCR breach portal has no corresponding breach report from UnitedHealthcare.

The post Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General appeared first on HIPAA Journal.

Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures

The Chicago, IN-based certified public accounting firm Bansley & Kiener LLP is facing a class action lawsuit over a data breach that was reported to regulators this December.

The breach in question occurred in the second half of 2020, with the investigation indicating hackers accessed its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener discovered the breach on December 10, 2020, when ransomware was used to encrypt files. Bansley & Kiener explained in its breach notification letters that it was confirmed on May 24, 2021, that the attackers had exfiltrated data from its systems prior to encrypting files.

Bansley & Kiener manages payroll, health insurance, and pension plans for its clients. In total, the sensitive information of 274,000 individuals was exposed or compromised, including names, dates of birth, Social Security numbers, passport numbers, tax IDs, military IDs, driver’s license numbers, financial account information, payment card numbers, health information, and complaint claims.

While the attack was detected in December 2020, it took until December 2021 for notification letters to be issued to affected individuals and for state attorneys general and the HHS’ Office for Civil Rights to be notified about the breach, 6 months after it was confirmed that sensitive data was stolen in the attack.

The lawsuit was filed by Mason Lietz & Klinger LLP in the Circuit Court, First Judicial Circuit of Cook County, Illinois on behalf of plaintiff Gregg Nelson. The lawsuit alleges Bansley & Kiener failed to safeguard the sensitive data of its clients and failed to provide timely, accurate, and adequate notice of the data breach to individuals whose sensitive information was stolen.

According to the lawsuit, Bansley & Kiener unnecessarily delayed the issuing of notifications about the data breach, even though the individuals whose data was stolen were placed at significant risk of identity theft and various other forms of personal, social, and financial harm. When the notifications were sent, they failed to fully explain the nature of the breach. They did not explain that this was a ransomware attack and referred to the incident as an unauthorized person gaining access to its network that resulted in the encryption of systems.

The lawsuit also takes issue with the response to the data breach. After discovering the attack, files were restored from backups and normal business operations were resumed, and it was only when it was discovered that data had been exfiltrated from its systems, 5 months after the attack, that cybersecurity experts were retained to investigate the breach.

The lawsuit alleges Bansley & Kiener suffered a data breach due to “negligent and/or careless acts and omissions” relating to the safeguarding of sensitive data, and failed to monitor its systems for security vulnerabilities. The lawsuit alleges victims of the breach have incurred out-of-pocket expenses related to the prevention, detection, and resolution of identity theft and/or unauthorized use of their data, have spent time trying to mitigate the effects of the data breach, and have suffered from the lost or diminished value of their personal data.

The lawsuit seeks actual, nominal, and consequential damages, punitive damages, injunctive relief, legal costs, and a jury trial.

The post Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures appeared first on HIPAA Journal.

New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations

The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA)

Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC.

Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the scammers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details.

In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the individuals’ next-of-kin. The notification letters disclosed sensitive information such as the patient’s medical conditions, including cancer diagnoses, when consent to disclose that information had not been provided by the patients.

Across the two incidents, the PHI of more than 105,000 individuals was exposed or impermissibly disclosed, including the PHI of more than 80,000 New Jersey residents.

“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey Acting Attorney General Bruck. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”

The companies are alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, did not protect against reasonably anticipated threats to the security/integrity of patient data, did not implement security measures to reduce risks and vulnerabilities to an acceptable level, did not conduct an accurate and comprehensive risk assessment, and had not implemented a security awareness and training program for all members of its workforce.

Under the terms of the settlement, three companies will pay a financial penalty of $425,000 and are required to implement further privacy and security measures to ensure the confidentiality, integrity, and availability of PHI.

The companies are required to implement and maintain a comprehensive information security program, a written incident response plan and cybersecurity operations center, employ a CISO to oversee cybersecurity, conduct initial training for employees and annual training on information privacy and security policies, and obtain a third-party assessment on policies and procedures relating to the collection, storage, maintenance, transmission, and disposal of patient data.

“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”

New Jersey has been one of the most active states in HIPAA enforcement. In the past few months, settlements have been reached with two other companies for violations of HIPAA and the Consumer Fraud Act. In October, a New Jersey fertility clinic was fined $495,000, and two printing companies were fined $130,000 in November.

The post New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations appeared first on HIPAA Journal.

Planned Parenthood Los Angeles Facing Class Action Lawsuit Over October 2021 Ransomware Attack

Planned Parenthood Los Angeles (PPLA) is facing a class action lawsuit over a ransomware attack that was discovered on October 17, 2021. The cyberattack exposed the protected health information of more than 409,759 patients. In the notification letters sent to affected individuals on November 30, 2021, PPLA explained that its systems were breached on October 9, 2021, and the hackers had access to files containing PHI until October 17, when they were ejected from the network.

The files on the affected systems contained names, addresses, birth dates, diagnoses, treatment, and prescription information, and some files were exfiltrated from its network prior to file encryption. PPLA said it has found no evidence to suggest patient data has been misused.

A PPLA patient whose PHI was exposed in the data breach has taken legal action over the incident. The lawsuit was filed in the U.S. District Court of Central California and alleges the patient, and class members, have been placed at imminent risk of harm as a result of the theft of their sensitive health data, which included electronic health records that detail the procedures performed by PPLA such as abortions, treatment of sexually transmitted diseases, emergency contraception prescriptions, cancer screening information, other highly sensitive health data.

The lawsuit also references the timing of the attack, which coincided with Supreme Court debates on abortion, and says the exposure of information on abortion procedures at such a time makes it more likely that patients will suffer harm. In addition to facing an imminent risk of harm, affected individuals are likely to continue to suffer economic and actual harm and have lost control of their healthcare data. They have also incurred out-of-pocket expenses as a direct result of the data breach such as costs and time spent securing their accounts, monitoring for identity theft and fraud, and taking action to prevent misuse of their personal information. The lead plaintiff alleges she has suffered actual harm as a result of the breach, including stress and anxiety, and has also suffered damage and diminution in the value of her personal information.

While there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA), the lawsuit alleges PPLA has violated HIPAA by failing to ensure the confidentiality of patient data and insufficient cybersecurity measures had been put in place to prevent unauthorized PHI access. The lawsuit also states that this is the third data breach PPLA has suffered in the past three years.

In addition to the HIPAA violations, the lawsuit claims PPLA also violated the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).

The lawsuit seeks compensatory and statutory damages, injunctive relief, investment in cybersecurity measures to ensure further breaches do not occur, and for affected individuals to be provided with identity theft protection and restoration services and to be covered by an identity theft insurance policy.

The post Planned Parenthood Los Angeles Facing Class Action Lawsuit Over October 2021 Ransomware Attack appeared first on HIPAA Journal.

Medical Biller Faces Decades in Jail for Healthcare Fraud, Identity Theft, and Tax Offenses

A medical biller in the Tampa Bay area of Florida has pleaded guilty to four counts of healthcare fraud, four counts of aggravated identity theft, two counts of failing to file a tax return, and one count of filing a false tax return.

Joshua Maywalt, 40, of Tampa, worked as a medical biller at a Clearwater company that provided credentialing and medical billing services to a range of healthcare provider clients in Florida. In his capacity as a medical biller, Maywalt was able to access the company’s financial, medical provider, and patient information.

Maywalt was assigned to a Tampa Bay area physician’s account and submitted claims to Florida Medicaid HMOs for services provided by that physician to recipients of Medicaid. Maywalt wrongfully accessed the company’s patient information and used the name and identification number of the physician to submit false and fraudulent claims to a Florida Medicaid HMO for services that Maywalt claimed were provided by the physician when they had not been. The “pay to” information on the claims for the fictitious medical services was changed to account numbers under Maywalt’s control.

In the tax years of 2017 and 2018, Maywalt failed to file a tax return with the Internal Revenue Service and filed a false tax return for the 2019 tax in which he substantially underreported his income as he did not include the amounts he paid into his bank accounts from his fraudulent billing activities.

According to the United States Attorney’s Office, Middle District of Florida, Maywalt will forfeit $2.2 million in funds and real estate property that are directly traceable to his offenses. He now faces a maximum jail term of 53 years – 10 years for each healthcare fraud count, up to 3 years for filing a false tax return, up to 2 years for each count of a failure to file a tax return and a mandatory 2 years for each count of aggravated identity theft. The aggravated identity theft sentences will run consecutively.

The case was investigated by the Department of Health and Human Services’ Office of the Inspector General, the Federal Bureau of Investigation, the Florida Attorney General’s Medicaid Fraud Control Unit, and the Internal Revenue Service – Criminal Investigation.

The post Medical Biller Faces Decades in Jail for Healthcare Fraud, Identity Theft, and Tax Offenses appeared first on HIPAA Journal.