Legal News

California Amends CCPA and Expands Definition of Personal Information Warranting Data Breach Notifications

California Governor Gavin Newsom has signed a new bill that updates California's data breach notification law, expanding the definition of personal information that requires notifications to be sent to state residents affected by a data breach.

Prior to the update, notifications were required if state residents had their Social Security number, driver’s license number, health information, financial information, or username/passwords compromised. Under the update, a breach that involves passport numbers, tax ID numbers, military ID numbers, other unique government ID numbers, or biometric information will also require affected residents to be notified.

The law applies to data breaches where personal information has been obtained by an unauthorized person or is reasonably believed to have been obtained by an unauthorized individual.

The bill – AB-1130 – was introduced by California Assemblyman Marc Levine (D) and was co-sponsored by California Attorney General Xavier Becerra. Governor Newsom signed the bill into law on October 11 and the bill will take effect on January 1, 2020.

Updates Made to California Consumer Privacy Act

Governor Newsom also signed six amendments to the California Consumer Privacy Act (CCPA) into law. CCPA introduced a range of new privacy protections for California residents, giving them new rights over the data collected on them by businesses.

CCPA is due to take effect on January 1, 2020, although the new law will not be enforceable until 6 months after the California Attorney General publishes final regulations on CCPA. The first draft of those regulations has now been issued by Attorney General Becerra.

Public hearing dates have been scheduled between December 2, 2019 and December 6, 2019, and the final set of regulations is due to be released in the spring of 2020. CCPA will become enforceable 6 months after the publication of the implementing regulations or on July 1, 2020, whichever is sooner. However, if the final regulations are published between July 1, 2020 and December 31, 2020, enforcement cannot commence until 6 months after the publication date.

The updates to CCPA that have now been signed into law are:

AB-25 – For the first year, CCPA does not cover data collected on job applicants, employees, directors, officers, business owners, medical staff, and contractors.

AB-874 – Update to “publicly available information” clarifying that the information is lawfully made available from federal, state, or local government records.

AB-1146 – Vehicle information collected under a warranty or recall program is now exempt from CCPA.

AB-1202 – Data brokers are required to register with the California Attorney General’s office.

AB-1355 – Aggregated consumer data and deidentified data are exempted from the CCPA definition of personal information.

AB-1564 – Businesses are required to provide two methods for consumers to contact them, unless the business only operates online, in which case only an email address needs to be offered.

The post California Amends CCPA and Expands Definition of Personal Information Warranting Data Breach Notifications appeared first on HIPAA Journal.

New Data Breach Notification Requirements in Maryland for Health Insurers

From October 1, 2019, providers of health insurance and associated services are required to notify the Maryland Insurance Administration (MIA) in the event of a breach of insureds’ personal information.

The law change applies to health plans, health insurers, HMOs, managed care organizations, managed general agents and third-party health insurance administrators.

The Compliance & Enforcement Unit at the MIA must be notified if the breach investigation determines there is a risk that insureds’ personal information has been or is likely to be misused.

Personal information is defined as an individual’s first name or first initial and last name in combination with one or more of the following data elements, if those data elements are not encrypted, redacted, or otherwise unreadable:

Social Security number, Individual Taxpayer Identification Number, passport number, other federal ID number, driver’s license number, State identification card number, health information, biometric data, or health insurance policy/certificate number, health insurance subscriber identification number, or an account number, credit/debit card number, username or e-mail address along with a password/access code or security question and answer that allows the account to be accessed.

Article §4-406 of the Annotated Code of Maryland states that the carrier must provide the notification at the same time that a notification is sent to the Maryland Office of the Attorney General, as required under Subtitle 35 of the Maryland Personal Information Protection Act (§ 14–3504(h)).

Notifications must be sent by mail or email using the breach notification form on the MIA website. Notifications must include the company name, name and contact details of the person supplying the notification, and a brief description of the circumstances of the data breach.

The MIA must also be supplied with a copy of the breach notification letter sent to affected individuals and a copy of the breach notification letter sent to the Maryland Attorney General.


UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data.

Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of information with third parties such as technology companies, provided consent is obtained from patients prior to information being shared.

Alternatively, healthcare organizations can share patient information provided it is de-identified. Under HIPAA, that means removing 18 identifiers to ensure patients cannot be identified. HIPAA calls for one of two methods to be used to de-identify PHI: expert determination or the safe harbor method. The latter involves stripping PHI of all 18 identifiers, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is sufficiently low.

The lawsuit alleges UCMC failed to remove all the necessary information from the data prior to it being shared with Google. In addition to the dates and times when patients checked in/out of hospital, the lawsuit alleges “copious free-text notes” were also shared with Google.

The time stamps place each patient at the hospital at a specific time, which places patient privacy at risk. The lawsuit alleges the inclusion of time stamps violates the provisions of the safe harbor de-identification method and that UCMC did not obtain consent from patients to share their data with Google.

The main issue is Google already stores vast quantities of user data from its “prolific data mining” activities and that the tech giant is in a position where it could identify all individuals from the medical records provided by UCMC.

The lawsuit even goes as far as to suggest the collaboration between the medical center and Google is an attempt to “pull off what is likely the greatest heist of consumer medical records in history.”

Last week, UCMC and Google filed motions to have the lawsuit dismissed. The defendants claim that a secure process was employed to de-identify patient data and that the process was fully compliant with HIPAA Rules. Further, Google argues that the plaintiff and other class members do not allege Google has used its data to re-identify patients, only that the company has the capability of doing so. Consequently, no injury has been sustained as a result of the sharing of information and even if an injury had been sustained, the case should be dismissed as there is no private right of action under HIPAA.

The defendants also argue that the definition of the intrusion provided by the plaintiffs does not fall under HIPAA as each patient voluntarily provided their medical information to the medical center. Instead, it falls under the Consumer Fraud and Deceptive Business Practices Act.


Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages

A class action lawsuit filed by victims of a June 2016 cyberattack on Athens Orthopedic in Georgia has gone before the Georgia Supreme Court to determine whether breach victims are entitled to recover damages.

The cyberattack in question saw the personal information, Social Security numbers, and health insurance information of approximately 200,000 individuals stolen by the hacking group, Dark Overlord.

The Dark Overlord has conducted numerous attacks on healthcare organizations in the United States over the past three years. Initially, attacks were conducted to steal sensitive data, which was subsequently sold on dark web marketplaces. More recently, attacks have involved data theft and extortion. A ransom demand is issued to breached entities that must be paid in order to prevent publication of the stolen data. Athens Orthopedic did not pay the ransom demand.

The Dark Overlord gained access to Athens Orthopedic’s systems via an attack on a “nationally-known health care information management contractor,” the login credentials of which were used to steal patient data.

Athens Orthopedic monitored websites to determine whether patient data had been published and took steps to take down a list containing the PHI of 500 of its patients, which had been posted on PasteBin. The information was eventually removed, but during the time it was accessible online it is possible that multiple individuals copied the data. The Dark Overlord also listed data for sale online, although it is unclear whether anyone bought the dataset.

Athens Orthopedic notified its patients about the breach and advised them to contact one of the three credit reporting agencies to place a fraud alert on their credit file. Even though Social Security numbers were stolen, affected patients were not offered credit monitoring or identity theft restoration services.

A class action lawsuit was filed on behalf of three victims of the breach – Christine Collins, Paulette Moreland, and Kathryn Strickland – shortly after the breach was announced. The plaintiffs seek compensation for the time spent protecting their identities and reimbursement of legal fees and the cost of past and future credit monitoring services.

The plaintiffs allege negligence, breach of implied contract, unjust enrichment, and violation of the Georgia Uniform Deceptive Trade Practices Act.

While victims of the breach have incurred costs, there is the issue of whether an injury has been suffered. Collins alleges she had fraudulent charges on her credit card shortly after the breach but failed to allege they were the result of the cyberattack and did not demonstrate PHI had been misused as a direct result of the breach.

The case was dismissed by the Trial Court and the Georgia Court of Appeals as the plaintiffs could demonstrate no financial loss or harm as a direct result of the cyberattack. Consequently, they are not entitled to claim damages under Georgia law. The decision was appealed, and it is now down to the Georgia Supreme Court to determine whether there are any compensable injuries. Oral arguments were heard this week.

“By ruling that the plaintiffs have failed to allege a compensable injury, the message delivered thus far in this case has been that data-breach victims in Georgia have no legal rights, regardless of how careless the defendant’s data security practices may have been,” argued the plaintiffs’ attorneys.

The plaintiffs allege Athens Orthopedic Clinic has not taken any steps to improve security and that “It continues to store the plaintiffs’ personally identifiable information on computer systems that employ the same lax security measures that permitted the hacker to access and steal the plaintiffs’ information.”

They also maintain their claims should not have been dismissed as “a present injury is not a required element for the plaintiffs’ breach of contract, unjust enrichment, declaratory judgment, or injunctive relief claims under Georgia law.”

The Supreme Court is expected to issue a ruling on the case – Collins et al. v. Athens Orthopedic Clinic, P.A. – within the next six months. Should the Supreme Court overturn the decision of the Court of Appeals, it will have implications for data breach victims not only in the state of Georgia, but throughout the United States.


MU Health Patients Take Legal Action Over May 2019 Phishing Attack

A lawsuit has been filed against University of Missouri Health Care (MU Health) over an April 2019 phishing attack.

On May 1, 2019, MU Health learned that two staff email accounts had been compromised for a period of more than one week, starting on April 23, 2019. The email accounts contained a range of sensitive information including names, dates of birth, Social Security numbers, health insurance information, clinical and treatment information.

MU Health’s investigation concluded on July 27 and notification letters were sent to individuals whose protected health information (PHI) had been exposed and potentially stolen. Approximately 14,400 patients had been impacted by the breach.

The lawsuit was filed by MU Health patient Penny Houston around a week after the notifications were issued. The lawsuit states that, as a result of the breach, patients have been placed at an elevated risk of suffering identity theft and fraud. The types of data contained in the compromised accounts would allow criminals to steal identities, file fraudulent tax returns, and open financial accounts in the victims’ names.

As a result of the exposure of personal information, breach victims could face long-term issues and have to cover the cost of credit monitoring and identity theft protection services, as none were offered by MU Health.

The lawsuit also argues that patients have been paying for medical services and a proportion of that cost should have covered securing their information. Since sufficient protections had not been implemented, the plaintiffs claim they have been overpaying for medical services at MU Health.

At least 19 other patients have now added their names to the lawsuit. The plaintiffs seek reimbursement of out-of-pocket expenses to cover costs incurred as a direct result of the breach and for MU Health to pay for credit monitoring services for all victims of the breach. Additionally, the plaintiffs want MU Health to invest more money in cybersecurity to strengthen its data security defenses and monitoring systems, and to agree to undergo audits of its systems and procedures in the future.


Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case

A preliminary settlement has been proposed by Allscripts Healthcare Solutions to resolve alleged violations of HIPAA, the HITECH Act’s electronic health record (EHR) incentive program, and the Anti-Kickback Statute related to the electronic health record (EHR) company Practice Fusion, which was acquired by Allscripts in 2018.

Prior to the acquisition, Practice Fusion had been investigated by the U.S. Attorney’s Office for the District of Vermont in March 2017 and had provided documentation and information. Between April 2018 and January 2019, the company received further requests for documents and information through civil investigative demands and HIPAA subpoenas.

Then in March 2019, the company received a grand jury subpoena over a Department of Justice (DOJ) investigation into the business practices of Practice Fusion, potential violations of the Anti-Kickback Statute, HIPAA, and the payments received under the HHS EHR incentive program. Scant information has been released about the nature of the alleged violations by Practice Fusion.

The proposed settlement will see Allscripts pay $145 million to the DOJ to release the company and Practice Fusion from all civil and criminal liability related to the investigation. Allscripts President Rick Poulton hopes the settlement will be sufficient to resolve the case. Since Practice Fusion was acquired, Allscripts has had to devote an increasing amount of resources to the investigation. Poulton wants to reach an agreement as soon as possible so the company can move on.

“While the amount we have agreed to pay of $145 million is not insignificant, it is in line with other settlements in the industry, and we are happy to have reached the agreement in principle,” said Poulton. “We will work with the DOJ to finalize the details of the settlement over the coming months.”

Last year, the HHS agreed a settlement with EHR vendor eClinicalWorks over alleged false claims related to the HITECH Act EHR incentive program. eClinicalWorks paid $155 million to resolve the case.


Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records.

US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation.

The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years.

Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that its systems had been compromised.

“Improved data security benefits all class members, even if they are no longer insured by Premera or a related Blue Cross entity, because sensitive information remains stored on Premera’s servers,” wrote Judge Simon.

Considering the data breach affected 10.6 million individuals, a fund of $10 million to reimburse costs may not seem that much. However, Judge Simon determined the figure to be fair because relatively few of the plaintiffs had suffered identity theft as a result of the data breach and the settlement includes $3.5 million to cover the cost of additional credit monitoring services.

The case against Premera was complex and involved a considerable amount of technical information about the data security protections that were put in place. The evidence also spanned several years. “Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington’s Consumer Protection Act with respect to Premera’s provision of data security are relatively strong claims,” wrote Judge Simon.

The settlement resolves the lawsuit with no admission of liability. In addition to the $74 million, Premera also settled a multi-state lawsuit with 30 states for $10 million over the failure to address known data security risks.

The Premera data breach was also investigated by the HHS’ Office for Civil Rights. It remains to be seen whether a financial penalty will be deemed appropriate.


New York Governor Signs SHIELD Act into Law

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act has been signed into state law by New York Governor Andrew M. Cuomo. The Act improves privacy protections for state residents and strengthens New York’s data breach notification laws to ensure they maintain pace with current technology.

The SHIELD Act – S5575B/A5635B – was signed into law on July 25, 2019 and takes effect in 240 days. The Act makes several changes to existing state privacy and data breach notification laws:

The definition of covered entities has been broadened to include any person or entity that holds the private information of a New York State resident, irrespective of whether that person or entity does business in New York State.

All businesses must “develop, implement and maintain reasonable safeguards” to ensure the confidentiality, integrity, and availability of personal information. Those measures should reflect the size of the business. The SHIELD Act includes a list of factors considered to be ‘reasonable security protections’.

A written information security program must be developed which incorporates all SHIELD Act requirements. The responsibility for implementing and administering the program must be assigned to an individual, who must also ensure employees receive training on SHIELD Act requirements.

The definition of a data breach has been expanded to include any unauthorized accessing of private information. Previously, notifications were only required when personal information had been acquired by an unauthorized individual.

The definition of personal information has been expanded to include email addresses and usernames along with the associated password or security question answers that would allow the account to be accessed. The new law requires notifications to be issued if a financial account number is exposed along with any method of gaining access to the account. Biometric information is also now included in the definition of personal information warranting notifications.

As is the case with HIPAA, inadvertent and good faith disclosures of personal information are exempt from notifications provided there is little risk of harm.

Organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, and financial service providers covered by the New York Department of Financial Services Cybersecurity Rule, are given a safe harbor if they are in compliance with their respective regulations.

There is no change to the time scale for issuing notifications. They must be sent “in the most expedient time possible and without unreasonable delay.”


Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case

Equifax has agreed to settle its federal data breach case for a minimum of $575 million. The settlement will potentially rise to $700 million and also requires considerable improvements to be made to enhance security and better protect consumer data.

In 2017, Equifax experienced a colossal data breach in which the personal data of 147 million Americans was compromised. Names, dates of birth, addresses, and Social Security numbers were potentially stolen in the attack and the breach victims now have to face an elevated risk of suffering identity theft and fraud.

Equifax announced the breach in September 2017. In the two years that followed, Equifax has been called before Congress on multiple occasions to explain how the breach occurred and how the response was being handled. Regulators also investigated Equifax to determine whether reasonable and appropriate security measures had been implemented to protect the vast amounts of consumer data that was stored on its network.

The Federal Trade Commission (FTC) determined there had been security failures at Equifax that left the door open to hackers. FTC chairman Joe Simons said, “Equifax failed to take basic steps that may have prevented the breach.” A financial penalty was therefore appropriate.

Under the terms of the settlement, Equifax has committed to pay up to $700 million and is required to implement a much stronger cybersecurity program. The company must undergo annual security audits and submit to external data security audits every two years. Any third party that is provided with access to Equifax’s consumer data must also be vetted to ensure they also have appropriate data security measures in place.

The settlement includes a $300 million fund to provide monetary relief to victims of the breach. The fund will be used for credit monitoring services and to cover victims’ out of pocket expenses that have arisen from the breach. A further $125 million must be added to the fund if the $300 million is not sufficient to cover all of the claims. Claims have been capped at $20,000 per person.

The Consumer Financial Protection Bureau (CFPB) will receive $100 million in civil penalties and $175 million will be split between the 48 states, Washington D.C., and Puerto Rico. From 2020, Equifax must provide consumers with 6 free credit reports a year for the next 7 years, in addition to the three years already provided.

The settlement is certainly sizeable, but there has been considerable criticism of the level of the fine. Many believe the penalty is not nearly severe enough for a publicly traded company the size of Equifax, especially considering the breach exposed the data of almost half of all Americans.

“This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” said Rep. Frank Pallone, (D-N.J), Chairman of the House Energy and Commerce Committee. “It also shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail.”

“We don’t have a general privacy legislation like the GDPR in Europe. Our authority is actually pretty limited in privacy,” said FTC Chairman Joseph Simons. “We can’t go out and tell companies, ‘You can’t collect this, you can’t use it this way, you can’t use it that way.’”

Equifax is pleased to have finally resolved the case. Equifax CEO Mark Begor said the settlement is a positive step for U.S. consumers and Equifax. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter.”

In addition to the $700 million settlement, Equifax was fined £500,000 by the UK Information Commissioner’s Office – the maximum fine permitted prior to the introduction of GDPR. Had the breach occurred a year later, the fine could have been as high as 4% of the company’s global annual turnover.

Equifax announced in May 2019 that so far the company has spent $1.4 billion remediating the breach, updating its computer systems, and strengthening security.
