Legal News

30 Month Jail Term for Texas Woman Who Stole and Sold Patients’ PHI

The U.S. Department of Justice has announced a Texas woman has been sentenced by a federal court in the Eastern District of Texas to serve 30 months in federal prison for conspiring to obtain protected health information from a protected computer.

Amanda Lowry, 40, or Sherman, TX, was a member of a fraud ring that used stolen protected health information to create fraudulent physician orders. The proceeds from the sale of the data were used to purchase a range of luxury items.

Lowry, along with co-conspirators Demetrius Cervantes and Lydia Henslee, were named in a federal indictment on Sept. 11, 2019. The three defendants were charged with conspiracy to obtain information from a protected computer and conspiracy to unlawfully possess and use a means of identification. Lowry pleaded guilty to the charges on December 4, 2020.

According to court documents, the defendants are alleged to have accessed a healthcare provider’s electronic health record system to steal the personal and protected health information of patients. The stolen data were repackaged as false and fraudulent physician orders, which were then sold to durable medical equipment providers and contractors. The proceeds from the sale of the data were used to purchase items such as off-road vehicles, jet skis, and sport utility vehicles. The defendants were paid around $1.4 million from the sale of the data.

Demetrius Cervantes of McKinney, TX, was sentenced to serve 48 months in jail on July 8, 2021 for his role in the fraud ring after pleading guilty to the charges. Henslee also pleaded guilty to the charges on March 25, 2021 and is awaiting sentencing. Henslee was also named in a separate indictment along with three men from Florida, who have been charged with conspiracy to commit illegal remunerations.

“Today’s sentence is another example of the Eastern District’s commitment to vigorously defending protected health information and prosecuting those who exploit such information for their personal gain,” said Acting U.S. Attorney Nicholas J. Ganjei.  “The defendant’s actions not only compromised victims’ sensitive information, exposing them to fraudulent schemes; but, also ultimately resulted in unnecessary costs to federal healthcare programs.”

The post 30 Month Jail Term for Texas Woman Who Stole and Sold Patients’ PHI appeared first on HIPAA Journal.

Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance information, and health data.

The breach in question was a phishing attack that was discovered on December 9, 2019. The investigation revealed unauthorized individuals gained access to the email accounts of several employees, with one of the email accounts compromised between December 6, 2019 and December 9, 2019, and the others compromised for several hours on December 9.

The investigation did not uncover evidence of data theft or misuse of patient data, but it was not possible to rule unauthorized access to protected health information (PHI) and the exfiltration of data. The PHI of up to 109,000 patients was contained in the compromised email accounts.

Affected individuals were notified starting on February 4, 2020 and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing email retention policies, and providing further training to employees. Overlake Hospital Medical Center has spent $148,590 on improvements to bolster security since the breach and has committed to further enhancements totalling $168,000 per year for the next 3 years.

The lawsuit – Richardson V. Overlake Hospital Medical Center – was filed in the Superior Court of King County in Washington, and alleged Overlake Hospital was negligent for failing to prevent unauthorized individuals from gaining access to its systems. The lawsuit also alleged intrusion upon seclusion/invasion of privacy, breach of fiduciary duty, breach of confidence, breach of express contract, and breach of implied contract. While 109,000 individuals were notified about the breach, only 24,000 individuals are included in the class as all other patients did not have their PHI exposed.

The lawsuit alleged the hospital failed to implement reasonable safeguards to ensure the privacy of HIPAA-covered data and failed to provide adequate notice about the data breach. Overlake Hospital Medical Center has denied all claims made in the lawsuit and all charges of wrongdoing. The decision was made to settle the lawsuit with no admission of liability.

Under the terms of the settlement, two types of claims can be submitted. Class members are entitled to claim up to $250 for certain out-of-pocket expenses incurred as a result of the breach, including bank fees, phone calls, postage costs, fuel for local travel, and up to three hours of documented time at $20 per hour, provided at least one full hour was spent on mitigations. It is also possible to recover the cost of credit report fees, and credit monitoring and identity theft protection services taken out between February 4, 2020 and the date of the Court’s preliminary approval of the settlement.

Claims for extraordinary expense reimbursement may be submitted for up to $2,500. These claims must include evidence of losses that were more likely than not suffered as a result of the breach between December 1, 2019 and the end of the claim period.

A fairness hearing has been scheduled for Sept. 10, 2021.

The post Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case appeared first on HIPAA Journal.

CaptureRx Facing Multiple Class Action Lawsuits Over Ransomware Attack Involving PHI of 2.4 Million Patients

The healthcare administrative services provider CaptureRx is facing multiple class action lawsuits for failing to protect patient data, which was obtained by unauthorized individuals in a February 2021 ransomware attack.

NEC Networks, doing business as CaptureRx, provides IT services to hospitals to help them manage their 340B drug discount programs. Through the provision of those services, CaptureRx is provided with the protected health information of patients.

Around February 6, 2021, CaptureRx identified suspicious activity in some of its IT systems, which included the encryption of files. The investigation confirmed that files containing the protected health information of 2,400,000 or more patients were compromised in the attack.

CaptureRx said in its breach notification letters that, “all policies and procedures are being reviewed and enhanced and additional workforce training is being conducted to reduce the likelihood of a similar future event.” Affected individuals were advised to “remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors.”

On July 21, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Texas by plaintiff Michelle Rodgers. Rodgers is a patient of ARcare in Augusta, AR, whose personal and protected health information was compromised in the attack.

Rodgers, and the class members, allege that CaptureRx was negligent for failing to implement and maintain reasonable safeguards and had not complied with industry-standard data security practices to ensure the confidentiality of their protected health information, in violation of federal and state laws. The plaintiff and class members seek monetary damages and injunctive and declaratory relief.

A similar lawsuit had previously been filed in the District Court for the Western District of Texas naming Mark Vereen as plaintiff, which names NEC Networks, CaptureRx, and Midtown Health Center in Los Angeles as defendants. The lawsuit alleges the defendants were negligent for failing to take the necessary steps to prevent a data breach, the risk of which should have been well-known. The plaintiffs in that lawsuit allege they are at risk harm that could be “long lasting and severe,” which “may continue for years,” and that the defendants violated the Federal Trade Commission regulations and HIPAA. The lawsuit sees over $5 million in damages.

A lawsuit has also been filed by a Missouri resident in federal court in Kansas City on behalf of all Missouri residents affected by the breach, seeking at least $5 million in damages.

The post CaptureRx Facing Multiple Class Action Lawsuits Over Ransomware Attack Involving PHI of 2.4 Million Patients appeared first on HIPAA Journal.

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims.

Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments.

In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims.

The San Diego Sheriff’s’ Department had initiated a traffic stop on Konrad Piekos for driving without a license plate. When police officers approached the vehicle, they saw an assault rifle in plain sight in his vehicle. Piekos admitted possessing an unregistered assault rifle, and the subsequent vehicle search revealed several loaded firearms and ammunition. A warrant was obtained to search Piekos’ properties and police officers found several other firearms and ammunition, quantities of heroin and fentanyl, and mobile phones. After obtaining warrants to search the phones, detectives identified text messages between Piekos, Genetti, and Lombardo discussing the illicit distribution of narcotics, firearms, and a scheme to obtain unemployment benefits using other persons’ personal identifying information (PII).

Piekos and Genetti had conspired together to fraudulently obtain PUA benefits in July 2020, with Lombardo joining the scheme in August 2020. Lombardo is alleged to have used his position as a patient financial service representative to access patients’ PII, which he then distributed to Piekos, Genetti, and Milosavljevic starting on August 15,2020, according to the indictment. Scripps Health terminated Lombardo on April 14, 2021.

In a separate case, Genetti and three other defendants – Lindsay Renee Henning, Garrett Carl Tuggle, and Salvatore Compilati – were charged with conspiracy to commit wire fraud. Henning and Tuggle were also charged with aggravated identity theft, and Henning, Tuggle, and a fourth defendant, Juan Landon, were charged with possession of methamphetamine, cocaine, and heroin with intent to distribute. The defendants had submitted more than 108 separate claims for PUB benefits, totaling $1,615,000.

Lombardo faces a maximum jail term of 10 years in prison for the HIPAA violation along with a fine and penalty assessment. The conspiracy to commit wire fraud charges carry a maximum jail term of 20 years in prison with a fine and penalty assessment, and there is a mandatory minimum 2-year jail term for the aggravated identity theft charges, with the aggravated identity theft jail term consecutive to any other sentences.

“Pandemic unemployment insurance programs are a critical part of our safety net designed to support hardworking citizens who are suffering during an unprecedented economic downturn,” said Acting U.S. Attorney Randy Grossman. “Our office and our law enforcement partners will investigate and prosecute individuals who attempt to steal from these programs designed to assist deserving recipients.”

The post Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case appeared first on HIPAA Journal.

UPMC Settles Employee Data Breach Lawsuit for $2.65 Million

UPMC has proposed a $2.65 million settlement to resolve a data breach lawsuit filed by employees affected by a February 2014 data breach.

Pittsburg, PA-based UPMC announced the data breach in February 2021 and initially believed the attackers had only obtained the tax-information of a few hundred of its employees; however, in April 2014, UPMC determined that the breach was far more extensive and had affected 27,000 of its 66,000 employees. In May 2014, UPMC confirmed that the personal data of all of its employees had likely been compromised.

The data compromised in the attack included names and Social Security numbers, some of which were used by the attackers to file fraudulent tax returns. Four individuals involved in the cyberattack have been charged and pleaded guilty to tax fraud and identity theft charges. They attempted to obtain around $2.2 million in tax refunds and received $1.7 million from the IRS.

Under the terms of the settlement, current and former employees whose personal information was compromised in the data breach will be able to submit claims for fraud-related losses and claim reimbursement for time spent preventing losses. The 66,000 class members will be able to claim up to $250 as reimbursement for fraud-related inconveniences or submit a claim for up to $5,000 as reimbursement for out-of-pocket losses related to identity theft or fraud. Any class member who does not file a claim will receive a payment of between $10 and $20. UPMC will establish a $1.68 million settlement fund and will pay up to $200,000 to a settlement administrator. UPMC will also cover court costs and attorneys’ fees.

The settlement also requires UPMC to implement a range of cybersecurity measures to improve security and ensure the personal data of employees is protected. Those measures include undergoing a third-party security assessment, adding additional cybersecurity professionals to its security team, improving authentication measures, increasing the use of encryption, ensuring compliance with cybersecurity best practices, disabling all unnecessary and unused services, and updating its system security plans. The settlement does not require UPMC to implement additional cybersecurity measures that have not already been taken in response to the breach.

UPMC has not admitted liability for the breach. The decision to settle the lawsuit was made to prevent further expense, inconvenience, and the distraction of burdensome and protracted litigation. A motion for preliminary approval of the settlement was filed on July 15.

It has taken a long time for a settlement to be reached. In 2015, a trial court dismissed the plaintiffs’ negligence claim; however, that decision was reversed by the Pennsylvania Supreme Court in November 2018 when the court declared employers have a Common Law duty to implement reasonable safeguards to protect the personal information of employees.

“We are pleased that we’ve been able to negotiate a proposed resolution with UPMC that will provide meaningful relief to those who suffered financial losses, increased risks of fraud and other inconveniences when their data was compromised,” said the plaintiffs’ attorney, Jamisen Etzel.

The post UPMC Settles Employee Data Breach Lawsuit for $2.65 Million appeared first on HIPAA Journal.

Cyber Incident Notification Act of 2021 Introduced in the Senate

In June, a bipartisan group of senators circulated a draft federal breach notification bill – the Cyber Incident Notification Act of 2021 – that requires all federal agencies, contractors, and organizations considered critical to U.S. national security to report data breaches and security incidents to the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery. On Wednesday this week, an amended bill was formally introduced in the Senate.

The draft bill was introduced by Senators Mark Warner (D-VA) and Marco Rubio (R-FL), and Susan Collins (R-ME). Another 12 senators across both parties have now added their names to the bill.

The bill seeks to address some of the key issues that have come to light in the wake of recent cyberattacks that impacted U.S. critical infrastructure, including the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline.

“The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target,” said Sen. Warner. “We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”

The purpose of the new bill is to ensure timely federal government awareness of cyber intrusions that pose a threat to national security, with the bill enabling the development of a common operating picture of national-level cyber threats.

Security incidents that warrant notifications to be sent to CISA are those that:

  • Involve or are believed to involve a nation state.
  • Involve or are believed to involve an Advanced Persistent Threat (APT) actor.
  • Involve or are believed to involve a transnational organized crime group.
  • Could harm U.S. national security interests, foreign relations, or the U.S. economy.
  • Likely to be of significant national consequence.
  • Has potential to affect CISA systems.
  • Involve ransomware

Reportable ransomware attacks are those that are assessed to involve a nation state actor, advanced persistent threat (APT) actor, transnational organized crime group, or an attack that has the potential to result in demonstrable harm to national security, foreign relations, the economy of the United States, the public confidence, civil liberties, or public health and safety of U.S. residents.

When reporting a security incident or cyber threat, organizations are required include a description of the incident, detail the systems and networks affected, provide an estimate of when the incident is likely to have occurred, provide information about any vulnerabilities that were exploited, any tactics, techniques, and procedures (TTPs) known to have been used. Actionable cyber threat information will be made available to government and private sector entities and the public to allow prompt action to be taken to counter threats. The bill gives CISA 48 hours to respond to reports of an intrusion and request information about the security incident.

To encourage organizations to report data breaches, the bill includes liability protections for breached entities to protect against potential lawsuits that could arise from disclosing security breaches and allows anonymized personal data to be submitted when reporting breaches.

The bill requires the Department of Homeland Security to work with other federal agencies to draw up a set of reporting criteria and to harmonize those criteria with the regulatory requirements in effect on the date of enactment.

The failure to report a security incident to CISA can attract a financial penalty, which will be determined by the Administrator of the General Services Administration. The maximum financial penalty will be 0.5% of gross revenue for the previous fiscal year. Other possible sanctions include removal from federal contracting schedules.

“It is critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible,” said Sen. Rubio.

The post Cyber Incident Notification Act of 2021 Introduced in the Senate appeared first on HIPAA Journal.

Ohio Personal Privacy Act Introduced to Improve Privacy Protections for Ohioans

A comprehensive new privacy framework has been introduced in Ohio to better protect the privacy of Ohioans. The Ohio Personal Privacy Act aligns closely with recently introduced legislation in Virginia (CDPA) and gives Ohio residents a host of new rights over the personal data collected, stored, maintained, and transmitted by businesses.

Similar to Virginia’s CDPA, the Ohio Personal Privacy Act has a narrow definition of consumers and does not cover individuals acting in a business capacity or employment context. Personal data covered by the Ohio Personal Privacy Act is classed as “any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose.”

The Ohio Personal Privacy Act only applies to organizations that conduct business in the state of Ohio that meet one or more of the following criteria:

  • Generates annual gross revenues in excess of $25 million;
  • Controls or processes the personal data of 100,000 or more Ohio residents in a calendar year;
  • Derives more than 50% of gross revenue from the sale of personal data and processes or controls the personal data of 25,000 or more Ohio consumers.

There is a long list of exemptions, which include:

  • Covered entities and business associates subject to and compliant with HIPAA
  • Protected health information under HIPAA
  • Activities regulated by the Fair Credit Reporting Act
  • Data subject to the Children’s Online Privacy Protection Act,
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act if compliant
  • Higher educational institutions
  • Business-to-business transactions
  • Insurers and independent insurance agents

Consumers must be informed about how their personal data will be collected and used. Consumers have the right to access the personal data held by an organization and have that information deleted. Consumers must be informed about data collection and processing activities via a clear and conspicuous notice and are permitted to opt out of the sale of their personal data. Businesses are not permitted to discriminate against any individual based on them exercising their rights under the Ohio Personal Privacy Act.

The Ohio Attorney General has the authority to enforce compliance with the Ohio Personal Privacy Act and bring legal actions against any covered entity if there is reasonable cause to believe a covered entity has violated the Act. The state Attorney General can seek a declaratory judgment, injunctive relief, and civil penalties, with triple damages applying to knowing violations.

Prior to any action being taken, a 30-day period will be provided to allow all issues are corrected. Businesses may also utilize an affirmative defense from an enforcement action by the OAG or a lawsuit filed by a consumer, if the business creates, maintains, and complies with a written privacy program that confirms to the National Institute of Standards and Technology (NIST) privacy framework.

Consumers who feel the rights given to them by the Ohio Personal Privacy Act have been violated are not permitted to take legal action against a business over any violation.

The post Ohio Personal Privacy Act Introduced to Improve Privacy Protections for Ohioans appeared first on HIPAA Journal.

Radiology Specialists Facing Class Action Lawsuit Over PACS Data Breach

A class action lawsuit has been filed in the New York Southern District Court against a radiology company and its vendor. The radiology specialists are alleged to have failed to secure their Picture Archiving Communication System (PACS) which contained the protected health information and medical images of patients.

In 2019, security researchers identified vulnerabilities in the PACS used by hospitals, clinics, and radiology companies to share medical images and data. The researchers analyzed more than 2,300 medical images, which were found to contain sensitive patient data. Northeast Radiology and its vendor Alliance Health were among the companies affected and were notified about the exposed data by the researchers in December 2019.

Both radiology firms used medical imaging archiving software that permitted unauthorized individuals to gain access to medical images and protected health information. The researchers identified 61 million X-rays, CT scans, and MRIs that had been exposed, which included protected health information such as names, test results, medical record numbers, dates of service and, in some cases, Social Security numbers.

In March 2020, Northeast Radiology reported a PACS-related data breach to the Department of Health and Human Services Office for Civil Rights as affecting 298,532 individuals. The breach report explained that Alliance Health had exposed medical images and that its PACS was accessed by hackers between April 2019 and January 2020.

The lawsuit was filed by two patients against Northeast Radiology and Alliance HealthCare and alleges patient data was exposed for more than 9 months. According to the lawsuit, both companies were notified about the exposed data by the security researchers but failed to take any action to secure their PACS.

The lawsuit alleges the defendants were negligent and violated the Health Insurance Portability and Accountability Act (HIPAA) and state data protection laws by carelessly handling patient data and medical images, and also violated Federal Trade Commission (FTC) requirements. As a result of the failures, direct injury is alleged to have been caused to the plaintiffs and class members, including placing them at an increased risk of identity theft and fraud. In addition to exposing their protected health information, the lawsuit alleges insufficient notification was provided to victims of the data breach.

The patients seek compensatory and consequential damages and injunctive relief, including requiring the companies to make improvements to data security and monitoring, and submitting to future audits of their systems to ensure they are secured. The lawsuit also seeks credit monitoring and identity theft protection services for all class members.

In late June, the U.S. Department of Health and Human Services warned 130 hospitals and health systems about vulnerabilities in PACS that exposed sensitive healthcare data and urged them to take prompt action to ensure their PACS are correctly configured and patient data protected. The PACS used by those hospitals contained 275 million medical images, which included the protected health information of more than 2 million patients.

The post Radiology Specialists Facing Class Action Lawsuit Over PACS Data Breach appeared first on HIPAA Journal.

Texas Man Sentenced to 48 Months for Fraud Scheme Involving Theft of Electronic Health Records

A Texas man has been sentenced to 48 months in prison after pleading guilty to one count of conspiracy to obtain information from a protected computer.

Demetrius Cervantes of McKinney, TX, was one of three defendants indicted over the theft and misuse of protected health information. Prosecutors alleged the defendants unlawfully gained access to an unnamed healthcare provider’s EHR system, stole information, then repackaged that data to create false and fraudulent physician orders, which were sold to durable medical equipment providers and contractors. The defendants are alleged to have obtained $1.4 million from the sale of the data, which they subsequently used to purchase high value items such as vehicles and jet skis.

“Today’s sentence sends the message that the theft of protected health information, the fabrication of physicians’ orders, and the sale of prescriptions will not be tolerated in the Eastern District of Texas,” said Acting U.S. Attorney Nicholas J. Ganjei. “This office will continue to pursue those who place profits over patients and manipulate the healthcare system for their personal gain.”

The other two defendants named in the Sept. 11, 2019 federal indictment are Amanda Lowry and Lydia Henslee. Lowry, also of Texas, pleaded guilty to conspiracy to obtain information from a protected computer and is due to be sentenced later this month.

Henslee, also of Texas, was charged in a superseding indictment with one count of conspiracy to unlawfully transfer, possess and use a means of identification and nine counts of unlawfully transferring, possessing and using a means of identification. In March, Henslee pleaded guilty to conspiring to possess and use a means of identification in connection with various offenses and will be sentenced later this year, although no date for sentencing has been set.

Henslee was also charged in a separate superseding indictment along with three men from Florida – Samson Solomon of Palm Beach and Steven Churchill and David Warren of Boca Raton – and Daniel Stadtman of Allen, Texas. The defendants were charged with one count of conspiracy to commit illegal remunerations. The defendants were allegedly involved in conspiring to pay and receive kickbacks in exchange for physician orders that were used to obtain payments from federal healthcare programs. In total, around $2.9 million is alleged to have been illegally obtained over an 8-month period.

If convicted on the charges, the four men face a maximum of 5 years in jail while Henslee faces a maximum jail term of 15 years.

The cases were investigated by the U.S. Department of the Treasury, Internal Revenue Service, Criminal Investigation, U.S. Department of Health and Human Services, Office of Inspector General, and the U.S. Department of Defense, Office of Inspector General, and Defense Criminal Investigative Service.

The post Texas Man Sentenced to 48 Months for Fraud Scheme Involving Theft of Electronic Health Records appeared first on HIPAA Journal.