Legal News

MU Health Patients Take Legal Action Over May 2019 Phishing Attack

A lawsuit has been filed against University of Missouri Health Care (MU Health) over an April 2019 phishing attack.

On May 1, 2019, MU Health learned that two staff email accounts had been compromised for a period of more than one week, starting on April 23, 2019. The email accounts contained a range of sensitive information including names, dates of birth, Social Security numbers, health insurance information, and clinical and treatment information.

MU Health’s investigation concluded on July 27 and notification letters were sent to individuals whose protected health information (PHI) had been exposed and potentially stolen. Approximately 14,400 patients had been impacted by the breach.

The lawsuit was filed by MU Health patient Penny Houston around a week after the notifications were issued. The lawsuit states that, as a result of the breach, patients have been placed at an elevated risk of suffering identity theft and fraud. The types of data contained in the compromised accounts would allow criminals to steal identities, file fraudulent tax returns, and open financial accounts in the victims’ names.

As a result of the exposure of personal information, breach victims could face long-term issues and have to cover the cost of credit monitoring and identity theft protection services, as none were offered by MU Health.

The lawsuit also argues that patients have been paying for medical services and a proportion of that cost should have covered securing their information. Since sufficient protections had not been implemented, the plaintiffs claim they have been overpaying for medical services at MU Health.

At least 19 other patients have now added their names to the lawsuit. The plaintiffs seek reimbursement of out-of-pocket expenses to cover costs incurred as a direct result of the breach and for MU Health to pay for credit monitoring services for all victims of the breach. Additionally, the plaintiffs want MU Health to invest more money in cybersecurity to strengthen its data security defenses and monitoring systems, and to agree to undergo future audits of its systems and procedures.

The post MU Health Patients Take Legal Action Over May 2019 Phishing Attack appeared first on HIPAA Journal.

Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case

A preliminary settlement has been proposed by Allscripts Healthcare Solutions to resolve alleged violations of HIPAA, the HITECH Act’s electronic health record (EHR) incentive program, and the Anti-Kickback Statute related to the EHR company Practice Fusion, which was acquired by Allscripts in 2018.

Prior to the acquisition, Practice Fusion had been investigated by the Attorney’s Office for the District of Vermont in March 2017 and had provided documentation and information. Between April 2018 and January 2019, the company received further requests for documents and information through civil investigative demands and HIPAA subpoenas.

Then in March 2019, the company received a grand jury subpoena over a Department of Justice (DOJ) investigation into the business practices of Practice Fusion, potential violations of the Anti-Kickback Statute, HIPAA, and the payments received under the HHS EHR incentive program. Scant information has been released about the nature of the alleged violations by Practice Fusion.

The proposed settlement will see Allscripts pay $145 million to the DOJ to release the company and Practice Fusion from all civil and criminal liability related to the investigation. Allscripts President Rick Poulton hopes the settlement will be sufficient to resolve the case. Since Practice Fusion was acquired, Allscripts has had to devote an increasing amount of resources to the investigation. Poulton wants to reach an agreement as soon as possible so the company can move on.

“While the amount we have agreed to pay of $145 million is not insignificant, it is in line with other settlements in the industry, and we are happy to have reached the agreement in principle,” said Poulton. “We will work with the DOJ to finalize the details of the settlement over the coming months”.

Last year, the HHS agreed to a settlement with EHR vendor eClinicalWorks over alleged false claims related to the HITECH Act EHR incentive program. eClinicalWorks paid $155 million to resolve the case.


Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records.

US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation.

The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years.

Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that its systems had been compromised.

“Improved data security benefits all class members, even if they are no longer insured by Premera or a related Blue Cross entity, because sensitive information remains stored on Premera’s servers,” wrote Judge Simon.

Considering the data breach affected 10.6 million individuals, a fund of $10 million to reimburse costs may not seem that much. However, Judge Simon determined the figure to be fair because relatively few of the plaintiffs had suffered identity theft as a result of the data breach and the settlement includes $3.5 million to cover the cost of additional credit monitoring services.

The case against Premera was complex and involved a considerable amount of technical information about the data security protections that were put in place. The evidence also spanned several years. “Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington’s Consumer Protection Act with respect to Premera’s provision of data security are relatively strong claims,” wrote Judge Simon.

The settlement resolves the lawsuit with no admission of liability. In addition to the $74 million, Premera also settled a multi-state lawsuit with 30 states for $10 million over the failure to address known data security risks.

The Premera data breach was also investigated by the HHS’ Office for Civil Rights. It remains to be seen whether a financial penalty will be deemed appropriate.


New York Governor Signs SHIELD Act into Law

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act has been signed into state law by New York Governor Andrew M. Cuomo. The Act improves privacy protections for state residents and strengthens New York’s data breach notification laws to ensure they maintain pace with current technology.

The SHIELD Act – S5575B/A5635B – was signed into law on July 25, 2019 and takes effect in 240 days. The Act makes several changes to existing state privacy and data breach notification laws:

The definition of covered entities has been broadened to include any person or entity that holds the private information of a New York State resident, irrespective of whether that person or entity does business in New York State.

All businesses must “develop, implement and maintain reasonable safeguards” to ensure the confidentiality, integrity, and availability of personal information. Those measures should reflect the size of the business. The SHIELD Act includes a list of factors considered to be ‘reasonable security protections’.

A written information security program must be developed which incorporates all SHIELD Act requirements. The responsibility for implementing and administering the program must be assigned to an individual, who must also ensure that employees receive training on SHIELD Act requirements.

The definition of a data breach has been expanded to include any unauthorized accessing of private information. Previously, notifications were only required when personal information had been acquired by an unauthorized individual.

The definition of personal information has been expanded to include email addresses and usernames along with the associated password or security question answers that would allow the account to be accessed. The new law requires notifications to be issued if a financial account number is exposed along with any method of gaining access to the account. Biometric information is also now included in the definition of personal information warranting notifications.

As is the case with HIPAA, inadvertent and good faith disclosures of personal information are exempt from notifications provided there is little risk of harm.

Organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, and financial service providers covered by the New York Department of Financial Services Cybersecurity Rule are given a safe harbour if they are in compliance with their respective regulations.

There is no change to the time scale for issuing notifications. They must be sent “in the most expedient time possible and without unreasonable delay.”


Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case

Equifax has agreed to settle its federal data breach case for a minimum of $575 million. The settlement will potentially rise to $700 million and also requires considerable improvements to be made to enhance security and better protect consumer data.

In 2017, Equifax experienced a colossal data breach in which the personal data of 147 million Americans was compromised. Names, dates of birth, addresses, and Social Security numbers were potentially stolen in the attack and the breach victims now have to face an elevated risk of suffering identity theft and fraud.

Equifax announced the breach in September 2017. In the two years that followed, Equifax has been called before Congress on multiple occasions to explain how the breach occurred and how the response was being handled. Regulators also investigated Equifax to determine whether reasonable and appropriate security measures had been implemented to protect the vast amounts of consumer data that was stored on its network.

The Federal Trade Commission (FTC) determined there had been security failures at Equifax that left the door open to hackers. FTC chairman Joe Simons said, “Equifax failed to take basic steps that may have prevented the breach.” A financial penalty was therefore appropriate.

Under the terms of the settlement, Equifax has committed to pay up to $700 million and is required to implement a much stronger cybersecurity program. The company must undergo annual security audits and submit to external data security audits every two years. Any third party that is provided with access to Equifax’s consumer data must also be vetted to ensure they also have appropriate data security measures in place.

The settlement includes a $300 million fund to provide monetary relief to victims of the breach. The fund will be used for credit monitoring services and to cover victims’ out of pocket expenses that have arisen from the breach. A further $125 million must be added to the fund if the $300 million is not sufficient to cover all of the claims. Claims have been capped at $20,000 per person.

The Consumer Financial Protection Bureau (CFPB) will receive $100 million in civil penalties and $175 million will be split between the 48 states, Washington D.C., and Puerto Rico. From 2020, Equifax must provide consumers with 6 free credit reports a year for the next 7 years, in addition to the three years already provided.

The settlement is certainly sizeable, but there has been considerable criticism of the level of the fine. Many believe the penalty is not nearly severe enough for a publicly traded company the size of Equifax, especially considering the breach exposed the data of almost half of all Americans.

“This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” said Rep. Frank Pallone, (D-N.J), Chairman of the House Energy and Commerce Committee. “It also shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail.”

“We don’t have a general privacy legislation like the GDPR in Europe. Our authority is actually pretty limited in privacy,” said FTC Chairman Joseph Simons. “We can’t go out and tell companies, ‘You can’t collect this, you can’t use it this way, you can’t use it that way.”

Equifax is pleased to have finally resolved the case. Equifax CEO Mark Begor said the settlement is a positive step for U.S. consumers and Equifax. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter.”

In addition to the $700 million settlement, Equifax was fined £500,000 by the UK Information Commissioner’s Office – the maximum fine permitted prior to the introduction of GDPR. Had the breach occurred a year later, the fine could have been as high as 4% of the company’s global annual turnover.

Equifax announced in May 2019 that so far the company has spent $1.4 billion remediating the breach, updating its computer systems, and strengthening security.


Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine

The GDPR data protection authority in the Netherlands – Autoriteit Persoonsgegevens – has issued its first GDPR data breach fine to Haga Hospital in the Hague. Haga Hospital has been fined €460,000 ($516,000) for security failures that contributed to a privacy breach in 2018.

The EU’s General Data Protection Regulation requires all entities that collect or process the personal data of EU citizens to implement appropriate security measures to ensure that information remains private and confidential. In the event of a data breach, the appropriate data protection authority must be notified within 72 hours and the breach will be investigated.

In this case, the breach involved a single patient’s records – a well-known Dutch person. Those records were viewed, without authorization, by several employees at the hospital. The Dutch News website named the patient as Samantha de Jong, also known as ‘Barbie’.

The GDPR investigation revealed the hospital had poor internal security controls for patient records, had failed to implement two-factor authentication, and was not regularly reviewing log files to identify unauthorized data access. The lack of appropriate security measures to protect personal data was in violation of GDPR requirements and a fine was deemed necessary. The hospital will now be monitored to make sure that security is improved. Further fines will be issued if security is not brought up to the standards demanded by GDPR.

The hospital has been given until October 2, 2019 to make the necessary improvements or a further fine will be issued at a rate of €100,000 every two weeks up to a maximum of €300,000. Haga Hospital has agreed to implement additional security measures to improve its security posture.

Last year, a similar fine was issued to Centro Hospitalar Barreiro Montijo in Portugal by the Portuguese data protection authority. The hospital had also failed to secure records and prevent unauthorized access from within the hospital. The Portuguese hospital was fined €400,000 for its security failures.


Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules

New rules for hospitals have been implemented in Idaho that give patients new rights. The rules were implemented by the Idaho Department of Health and Welfare (IDHW) and are effective from July 1, 2019.

The new rules were suggested by patient advocacy groups and “incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals,” according to IDHW. The policies align with the MyHealthEData initiative, which was launched in 2018 with the aim of removing the barriers to secure access to electronic medical records.

Under previous state law, critical access hospitals (CAHs) were not required to comply with many of the regulatory conditions that applied to other healthcare providers. The new rules change that, which will mean new policies and procedures will need to be implemented by CAHs. That will come with a considerable administrative burden.

The new rules apply to all hospitals in Idaho as well as any provider that renders services in hospitals. All hospitals and providers have been advised to check their policies and procedures to make sure they are compliant with the new rules.

The main purpose of the new rules is to improve patient rights and make it easier – and quicker – for patients to obtain copies of their health information and access to their EHRs.

As required by HIPAA, patients must be provided with a copy of their medical records on request within 30 days of the request being received. Under the new rules in Idaho, access to EMRs must be provided within 3 days of the request being received. The copy must also be provided in a readily readable format on a popular portable media storage device.

HIPAA limits the amount that can be charged for providing patients with copies of their health information. The new Idaho rules further protect patients by only permitting hospitals to charge a reasonable fee for labor and restricting the charges for copies to the cost of copying at the local library.

A patient’s right to privacy has been further protected. Patients have the right to privacy when personal care is being provided, which extends to continuous observation and video and audio monitoring of patients. As of July 1, 2019, hospitals are not permitted to record video or audio, except in common areas, without first obtaining written consent from the patient. Those recordings must then be included in a patient’s medical record.

The new rules also cover notices of discontinuation of care, advance directives, obtaining and documenting informed consent, patient safety, patient grievances, restraint and seclusion, and law enforcement restraints.


Premera Blue Cross Settles Multi-State Action for $10 Million

Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general.

The settlement resolves alleged violations of state and federal laws that contributed to its 10.4 million record data breach in 2014. A hacker gained access to Premera Health’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers.

Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.

Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of sensitive data and how the attack went undetected for almost a year.

The Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule requires all HIPAA-covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). The investigators determined that Premera Health violated HIPAA by failing to meet minimum standards for security.

This was not an oversight. Premera Health had been repeatedly told by its own auditors that its security program was inadequate. The risks of a data breach were accepted without any corrections being made to address vulnerabilities.

“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” said New Jersey Attorney General Gurbir S. Grewal. “As today’s settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”

In addition to the financial penalty, Premera Blue Cross is required to implement further security controls to ensure the electronic protected health information of its plan members is better protected. Annual cybersecurity reviews must also be conducted by a third-party cybersecurity expert and data security reports must be sent to the attorneys general.

Premera Blue Cross must also hire a CISO with experience in HIPAA compliance and data security who will be responsible for implementing and maintaining Premera Health’s security program. The CISO is required to attend regular meetings with executive management and must meet with the CEO at least every 2 months. The CISO is also required to report any network breaches within 48 hours of discovery.

It has been an expensive four weeks for Premera Blue Cross. Last month, Premera Blue Cross agreed to pay $74 million to settle a class action lawsuit filed by plan members affected by the breach.


Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool

A medical student is suing Marshall University and Cabell Huntington Hospital over the impermissible disclosure of some of his protected health information (PHI) to a class of students.

The student, who is identified as J.M.A in the lawsuit, claims his x-rays were used as a teaching tool by a professor at Marshall University Joan C. Edwards School of Medicine, but information identifying J.M.A. as the patient had not been removed or redacted from the images.

The matter had been brought to the attention of the university by another faculty member. On April 15, 2018, the dean of the medical school wrote to J.M.A to inform him of the privacy violation. The university was unaware that the professor was using the image as a teaching tool.

J.M.A. claims he has suffered shame, embarrassment, humiliation, and severe anxiety as a direct result of the disclosure of his identity. It is unclear how many people viewed J.M.A’s x-rays and how many of those individuals disclosed what they saw to others.

J.M.A is represented by Troy N. Giatras, Matthew W. Stonestreet, and Phillip A. Childs of The Giatras Law Firm, and is seeking compensatory and punitive damages.

Three motions to dismiss the lawsuit have been submitted by the defendants Cabell Huntington Hospital; Marshall University Joan C. Edwards School of Medicine and Marshall University Board of Governors; and Radiology Inc.

They are seeking to have the case dismissed as it was not filed in the proper venue and because they say the plaintiff failed to state a claim on which relief can be granted.

PHI Exposed in Break-in at Pardee UNC Health Care

Pardee UNC Health Care is notifying certain patients that some of their PHI has potentially been compromised during a break-in at its facility at 2029 Asheville Hwy, Hendersonville, NC. The break-in was discovered on May 9, 2019. Thieves gained entry to the basement of the building and stole electronic equipment.

No electronic protected health information was exposed as the computers did not have hard drives, but while searching the basement a stack of 590 Federal Drug Testing Custody and Control forms was found. The forms contained names, phone numbers, birth dates, Social Security numbers, employers’ names, driver’s license numbers, and results of the drug screening test; the forms dated from October 2003 to December 2004.

Officials at Pardee did not find any evidence to suggest information had been viewed or stolen, but the stack of files had been moved to a place where they would have been in full view of the thieves as they entered the basement, so there is a possibility that PHI has been compromised.

All files have now been removed from the basement and are in a secure storage facility. Pardee UNC had previously stored paperwork in several locations. The paperwork has now been retrieved and been moved to a single, secure storage facility.

“We are reviewing existing employee training and record retention protocols and policies and will reinforce and revise as needed,” said Jennifer Melia, Compliance & Privacy Officer for Pardee UNC Health Care.

UNC Health Care is offering 12 months of free credit monitoring protection services to affected individuals. It is unclear how many individuals have been affected.
