Legal News

AMCA Parent Company Files for Chapter 11 Protection

Following the massive data breach at American Medical Collection Agency (AMCA) which saw more than 20 million records compromised, AMCA’s parent company, Retrieval-Masters Creditors Bureau Inc., has filed for Chapter 11 protection.

The data breach affected individuals who had received medical testing services from Quest Diagnostics, LabCorp, or BioReference Laboratories. Hackers gained access to the web payment portal used by AMCA and accessed and stole the sensitive personal and financial data of patients. The hackers had access to its payment page for more than 7 months before the breach was detected.

The cost of recovering from a breach on this scale is considerable. So far, AMCA has mailed more than 7 million breach notification letters to affected individuals at a cost of $3.8 million. A further $400,000 has been spent on hiring IT consultants to assist with the breach response.

The data breach caused a cascade of events that led to the bankruptcy filing. Retrieval-Masters Creditors Bureau CEO Russell Fuchs lent AMCA $2.5 million to help cover the cost of mailing the breach notification letters. Fuchs explained in the court filing that the firm had incurred “enormous expenses that were beyond the ability of the debtor to bear.”

Retrieval-Masters was formed in 1977 by Russell Fuchs and was initially focused on small-dollar debt collections for direct mail marketers but has since moved into patient receivables. The company now helps companies recover non-medical and medical debt. Retrieval-Masters stated in the filing that it had reduced staff numbers from 113 to 25 at the end of 2018.

The Chapter 11 filing in the Southern District of New York stated the company is seeking to liquidate assets and liabilities as high as $10 million to cover the rising costs of the cyberattack.

The filing also sheds some light on how the breach was detected.

The breach was first reported on databreaches.net, which had been contacted by researchers at Gemini Advisory who had identified a batch of stolen credit cards and Social Security numbers on a darknet marketplace. Gemini Advisory analysts were able to tie the data to AMCA and issued a notification.

The filing stated AMCA learned about the breach after being notified that a large number of credit cards tied to its payment portal had been used to make fraudulent purchases.

There are still many questions that have not yet been answered related to how access was gained to the payment page and whether the breach was the result of cybersecurity failures. Several state attorneys general have written to AMCA demanding answers.

The post AMCA Parent Company Files for Chapter 11 Protection appeared first on HIPAA Journal.

Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party.

Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015.

According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson.

Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her husband in the custody battle. The information was disclosed to Mortenson’s attorney, Gary Bradshaw.

Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules.

After discovering that her health information had been disclosed, Pertuit lodged a complaint with the Department of Health and Human Services’ Office for Civil Rights which put the hospital on notice. However, the hospital failed to implement appropriate sanctions against Diefendfer. Dr. Diefendfer is alleged to have accessed further health information in 2016 and again disclosed that information to Bradshaw.

The plaintiff’s lawyers also said that the hospital’s privacy officer had investigated Dr. Diefendfer and discovered 22 separate violations of hospital policies and HIPAA Rules.

The lawsuits filed against Dr. Diefender, Deanna Mortensen, and Gary Bradshaw were all settled out of court. The case against MCE went to a jury trial.

The jury unanimously found that MCE had failed to take appropriate action against Dr. Diefender after the discovery of the privacy violation, and awarded the plaintiff $295,000 in punitive damages and a further $5,000 as compensation for pain, suffering, and humiliation.

The post Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach appeared first on HIPAA Journal.

AMCA Breach Sparks Flurry of Lawsuits and Investigations

The dust has barely settled after the news of the massive data breach at American Medical Collection Agency (AMCA) broke last week, but already more than a dozen lawsuits have been filed by victims of the breach.

The breach was officially announced by Quest Diagnostics on June 3, 2019 through a 8-K filing with the Securities and Exchange Commission (SEC), and a SEC filing by LabCorp on June 4, 2019, shortly followed by BioReference Laboratories. Currently, the personal of up to 20 million individuals has potentially been compromised.

The data breach at AMCA was identified by security researchers at Gemini Advisory who found a batch of 200,000 payment card numbers for sale on a popular darknet marketplace. The numbers included dates of birth and Social Security numbers. AMCA and law enforcement were notified, and systems were secured. However, the investigation revealed hackers had access to its web payment portal for 7 months.

It would appear that the hackers behind the breach have at least made an effort to monetize some of the stolen data so it is no surprise that there has been a flurry of class action lawsuits filed on behalf of victims of the breach. Plaintiffs in the lawsuits claim to have been harmed as a result of the data breach.

Most of the lawsuits name one or more of the laboratories where testing occurred – Quest Diagnostics, LabCorp and BioReference Laboratories. A small number also name AMCA and the company Optum360. Optum360 was a business associate of Quest Diagnostics. Under certain circumstances, when a patient did not pay a bill, Quest Diagnostics sent the patient’s information to Optum360, which passed the data to AMCA for collection.

Several of the class action lawsuits allege negligence and breach of implied contract for failing to secure personal information. One complaint alleges the use of encryption and the adoption of national and industry standards were warranted to prevent reasonably foreseeable harm to patients. However, even though the defendants had the funds available to implement controls to prevent the breach, they failed to adequately invest in their security programs.

The lawsuits allege various violations of state laws and are seeking damages, monetary relief, and penalties to be issued over the privacy violation.

Only a small percentage of the individuals have been notified about the breach by AMCA – mostly individuals who had their financial information exposed. The healthcare organizations that provided AMCA with health information are still waiting to receive details of all individuals affected. As more notification letters are sent, is likely that the numbers of affected individuals in these class-action lawsuits will swell and further lawsuits will be filed.

In addition to battling the class action lawsuits, all of the entities involved now face scrutiny by state and federal regulators and Congress. The breach will certainly be investigated by the HHS’ Office for Civil Rights to determine whether HIPAA Rules have been violated. So far, at least six state attorneys general have launched investigations into the breach: Michigan, New York, Minnesota, North Carolina, Illinois and Connecticut and have demanded answers about the breach.

If the investigations do uncover noncompliance with state or federal laws, financial penalties may be pursued. Already this year, state attorneys general have joined forces and filed a multi-state HIPAA lawsuit against Medical Informatics Engineering over its 2014 data breach. That breach resulted in a settlement of $900,000.

The post AMCA Breach Sparks Flurry of Lawsuits and Investigations appeared first on HIPAA Journal.

Oregon Updates Data Breach Notification Law to Include Vendors of Covered Entities

Oregon has updated its breach notification laws, broadening the definition of consumer information, updating the definition of covered entity, expanding the law to cover vendors, and has clarified how the data breach notification law applies to entities covered by HIPAA, the HITECH Act, and the Gramm-Leach-Bliley Act.

The update (Senate Bill 684) renames The Oregon Consumer Identity Theft Protection Act as The Oregon Consumer Information Protection Act, which will come into effect on January 1, 2020.

The update expands the definition of personal information to include usernames and other means of identifying a consumer which would allow access to be gained to a consumer’s account, along with any method used to authenticate a user.

The definition of covered entity has been updated to “a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.”

A vendor is defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”

Vendors are now required to notify the covered entity of a breach within 10 days of that breach being discovered. If the vendor is a subcontractor of another vendor that deals with a covered entity, the subcontractor must notify its vendor about a breach within 10 days. Vendors are also required to send a notification to the Oregon Attorney General if a breach impacts more than 250 consumers or “a number of consumers that the vendor could not determine.”

The Oregon Consumer Identity Theft Protection Act already required covered entities to implement an information security program and reasonable safeguards to protect any data maintained, stored, managed, processed, collected, received, or otherwise acquired.

Under the new Oregon Consumer Information Protection Act, covered entities and vendors that are able to demonstrate compliance with the security requirements of federal laws such as HIPAA and the HITECH Act can use that as an affirmative defense in actions and proceeding that allege noncompliance with the security requirements of the Oregon Consumer Information Protection Act to maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information. That exception applies even if the types of data are covered by the Oregon Consumer Information Protection Act but are not covered by the requirements of those federal acts.

The post Oregon Updates Data Breach Notification Law to Include Vendors of Covered Entities appeared first on HIPAA Journal.

Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts

Coffey Health System has agreed to a $250,000 settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims and HITECH Acts.

The Kansas-based health system attested to having met HITECH Act risk analysis requirements during the 2012 and 2013 reporting period in claims to Medicare and Medicaid under the EHR Incentive Program.

One of the main aims of the HITECH Act was to encourage healthcare organizations to adopt electronic health records. Under the then named Meaningful Use Program, healthcare organizations were required to demonstrate meaningful use of EHRs in order to receive incentive payments. In addition to demonstrating meaningful use of EHRs, healthcare organizations were also required to meet certain requirements related to EHR technology and address the privacy and security risks associated with EHRs.

In 2016, Coffey Health System’s former CIO, Bashar Awad, and its former compliance officer, Cynthia McKerrigan, filed a lawsuit in federal court in Kansas against their former employer alleging violations of the False Claims Act.

Both alleged Coffey Health System had falsely claimed it had conducted risk analyses in order to receive incentive payments and was aware that those claims were false when they were submitted. As a result of the false claims, Coffey Health System received payments of $3 million under the Meaningful Use program which it did not qualify for.

Awad found no documentation that demonstrated risk analyses had been performed and had personally conducted some basic tests on network security and made an alarming discovery: The health system shared a firewall with Coffey County municipalities. That security failure allowed anyone to login to its system and see patient records from locations protected by the same firewall, including schools and libraries, by using its IP address and logging in. Any attempt to do so required no username or password – A major security failure and violation of the HIPAA Security Rule.

In 2014, Awad arranged for a third-party firm to conduct a risk analysis for the 2014 attestation. The risk analysis revealed several security issues including 5 critical vulnerabilities that had been allowed to persist unchecked. While some attempts were made to correct the issues identified in the risk analysis, Awad was not provided with sufficient resources to ensure those vulnerabilities were properly addressed. He claimed that few of the identified vulnerabilities had been corrected.

When the time came to submit the 2014 attestation, Awad refused to do so as several vulnerabilities had not been addressed. As a result of the failure to support the attestation, Awad was terminated. Awad and McKerrigan then sued Coffey Health System.

Under the whistleblower provisions of the False Claims Act, individuals can sue organizations on behalf of the government and receive a share of any settlement. Awad and McKerrigan will share $50,000 of the $250,000 settlement.

Coffey Health System settled the case with no admission of liability.

The post Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts appeared first on HIPAA Journal.

Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation

The Supreme Court in Vermont has ruled that a patient can sue a hospital and one of its employees for a privacy violation, despite Vermont law and HIPAA not having a private cause of action for privacy violations.

The lawsuit alleges negligence over the disclosure of personal information that was obtained while the patient was being treated in the emergency room. The woman had visited the ER room to receive treatment for a laceration on her arm. The ER nurse who provided care to the patient notified law enforcement that the patient was intoxicated, had driven to the hospital, and intended to drive home after receiving treatment.

The nurse had detected an odor of alcohol on the patient’s breath. Using an alco-sensor, the nurse determined the patient had blood alcohol content of 0.215. In Vermont, that blood alcohol level is more than two and a half times the legal limit for driving. A police officer in the lobby of the hospital was notified and the patient was arrested, although charges were later dropped.

The women subsequently sued the hospital and the employee for violating her privacy by disclosing her health information to law enforcement.

The HIPAA Privacy Rule limits uses and disclosures of protected health information to treatment, payment, and healthcare operations, but there are exceptions. One of those exceptions is when a disclosure is made when there is a perceived serious threat to health or safety. The Privacy Rule permits such a disclosure if the disclosure is made to a person who could prevent or lessen a threat to either to the patient or the public.

Under the circumstances, the disclosure was reasonable and appropriate, which is what the Supreme Court ultimately concluded, affirming the Superior Court’s judgement. The disclosure was determined to have been made in order to mitigate an imminent threat to both the patient and the public. The Court rules “no reasonable factfinder could determine the disclosure was for any other purpose.” The plaintiff failed to prove that the disclosure had been made for any other purpose, such as in order for the patient to be arrested and charged.

The ruling is perfectly understandable; however, what is atypical is the case was given standing when state and HIPAA laws do not include a private cause of action. Patients do not have the right to sue their providers over violations of HIPAA laws and laws in Vermont also do not give patients that right. The case was ruled to have standing under a common-law private right of action for damages.

While the lawsuit was not successful, it could be cited in other lawsuits filed by patients who allege their privacy has been violated by their healthcare providers.

The post Vermont Supreme Court Ruled Patient Can Sue Hospital and Employee for Privacy Violation appeared first on HIPAA Journal.

$74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit

In March 2015, the Seattle-based health insurer Premera Blue Cross announced it had experienced a major data breach that impacted around 10.6 million plan members. The breach occurred in 2014 and resulted in the theft of a broad range of data, including Social Security numbers, bank account information, and health data. The cyberattack is thought to have been conducted by an APT group operating out of China.

Shortly after the data breach was announced, several class action lawsuits were filed seeking damages for victims of the breach. More than 40 of those class action lawsuits were consolidated into a single class action lawsuit in the United States District Court in Oregon.

The lawsuit alleged the cybersecurity practices at Premera Blue Cross were insufficient and vulnerabilities were exploited by threat actors to gain access to the sensitive information of its plan members.

Premera Blue Cross has made the decision to settle the lawsuit and a $74 million settlement has been proposed. Under the terms of the settlement, Premera Blue Cross will pay $32 million to victims of the breach.

Most of the fund will cover the cost of an additional two years of credit monitoring and identity theft protection services. Victims of the data breach will also be able to claim back provable out-of-pocket expenses relating to the breach and can claim for the time spent remedying issues related to the breach.

A cash payment of up to $50 will be available to individuals who do not submit out-of-pocket expenses claims and up to $50 can be claimed as compensation by California residents under the California Confidentiality of Medical Information Act. The fund will also cover attorneys’ fees and administrative and notification costs.

The remaining $42 million will be invested by Premera Blue Cross in its information security program over the next three years. Some of the measures that Premera Blue Cross will be implementing are encryption for sensitive types of personal information, improved data security controls, annual third-party security audits, enhanced network logging and monitoring, and the migration of certain data into archived, secure databases with strict access controls. Premera Blue Cross will also be strengthening its passwords, enhancing email security, and will reduce employee access to sensitive data.

Premera Blue Cross has already taken steps to improve security and has recently achieved HITRUST certification. HITRUST certification demonstrates the ability of the company to identify risks, protect data, detect cyberattacks, and respond to data breaches.

“Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state and federal regulators and their information security experts,” said Premera’s Executive Vice President and Chief Information Officer, Mark Gregory. “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack.”

The settlement agreement will resolve the litigation with no admission of wrongdoing by Premera Blue Cross nor any acceptance that harm has been experienced by victims of the breach.

“This is a great result that will provide real and meaningful relief to the class,” said Keith Dubanevich, interim liaison counsel for the plaintiffs. A motion for preliminary approval has already been filed. The settlement now awaits court approval.

The post $74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit appeared first on HIPAA Journal.

$74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit

In March 2015, the Seattle-based health insurer Premera Blue Cross announced it had experienced a major data breach that impacted around 10.6 million plan members. The breach occurred in 2014 and resulted in the theft of a broad range of data, including Social Security numbers, bank account information, and health data. The cyberattack is thought to have been conducted by an APT group operating out of China.

Shortly after the data breach was announced, several class action lawsuits were filed seeking damages for victims of the breach. More than 40 of those class action lawsuits were consolidated into a single class action lawsuit in the United States District Court in Oregon.

The lawsuit alleged the cybersecurity practices at Premera Blue Cross were insufficient and vulnerabilities were exploited by threat actors to gain access to the sensitive information of its plan members.

Premera Blue Cross has made the decision to settle the lawsuit and a $74 million settlement has been proposed. Under the terms of the settlement, Premera Blue Cross will pay $32 million to victims of the breach.

Most of the fund will cover the cost of an additional two years of credit monitoring and identity theft protection services. Victims of the data breach will also be able to claim back provable out-of-pocket expenses relating to the breach and can claim for the time spent remedying issues related to the breach.

A cash payment of up to $50 will be available to individuals who do not submit out-of-pocket expenses claims and up to $50 can be claimed as compensation by California residents under the California Confidentiality of Medical Information Act. The fund will also cover attorneys’ fees and administrative and notification costs.

The remaining $42 million will be invested by Premera Blue Cross in its information security program over the next three years. Some of the measures that Premera Blue Cross will be implementing are encryption for sensitive types of personal information, improved data security controls, annual third-party security audits, enhanced network logging and monitoring, and the migration of certain data into archived, secure databases with strict access controls. Premera Blue Cross will also be strengthening its passwords, enhancing email security, and will reduce employee access to sensitive data.

Premera Blue Cross has already taken steps to improve security and has recently achieved HITRUST certification. HITRUST certification demonstrates the ability of the company to identify risks, protect data, detect cyberattacks, and respond to data breaches.

“Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state and federal regulators and their information security experts,” said Premera’s Executive Vice President and Chief Information Officer, Mark Gregory. “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack.”

The settlement agreement will resolve the litigation with no admission of wrongdoing by Premera Blue Cross nor any acceptance that harm has been experienced by victims of the breach.

“This is a great result that will provide real and meaningful relief to the class,” said Keith Dubanevich, interim liaison counsel for the plaintiffs. A motion for preliminary approval has already been filed. The settlement now awaits court approval.

The post $74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit appeared first on HIPAA Journal.

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules.

On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate.

Business associates of HIPAA Covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list.

 

You can download the HHS Fact Sheet on direct liability of business associates on this link.

business associate liability for HIPAA violations

Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the HHS determined that the language of the HITECH Act called for a maximum financial penalty of $1.5 million for violations of an identical provision in a single year. That maximum penalty amount was applied across the four penalty tiers, regardless of the level of culpability.

A re-examination of the text of the HITECH Act in 2019 saw the HHS interpret the penalty requirements differently. The $1.5 million maximum penalty was kept for the highest penalty tier, but each of the other penalty tiers had the maximum possible fine reduced to reflect the level of culpability.

Subject to further rulemaking, the HHS will be using the penalty structure detailed in the infographic below.

 

The post HHS Confirms When HIPAA Fines Can be Issued to Business Associates appeared first on HIPAA Journal.