Legal News

Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach

Mayo Clinic is facing multiple class action lawsuits over an insider data breach reported in October 2020. Mayo Clinic discovered a former employee had accessed the medical records of 1,600 patients without authorization and viewed information such as patient names, demographic information, dates of birth, medical record numbers, medical images, and clinical notes.

The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered entities to implement safeguards to ensure the privacy, confidentiality, and integrity of protected health information and limits the disclosures and uses of that information when patient consent is not obtained.

Healthcare employees are permitted to access PHI in the course of their work duties, but in this case the former employee had no legitimate work reason for viewing the records. The unauthorized access is in violation of the HIPAA Rules; however, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action for any HIPAA violation that results in their medical records being exposed or compromised.

Two lawsuits have recently been filed in Minnesota state courts alleging violations of the Minnesota Health Records Act (MHRA), which introduced stricter regulations covering the privacy of healthcare data in Minnesota. MHRA applies to all Minnesota-licensed physicians and, unlike HIPAA, does provide a private cause of action, so patients can sue providers that violate MHRA.

The lawsuits allege Mayo Clinic did not implement systems or procedures to ensure that the plaintiffs’ and similarly situated individuals’ health records would be protected from unauthorized access, and that the former employee accessed the plaintiffs’ medical records without first obtaining their consent.

Under MHRA, healthcare providers must obtain a signed and dated consent form from a patient or the patient’s legal representative authorizing the release of their medical records, unless there is a specific authorization in law, or when there is a representation from a provider holding a signed and dated consent form from the patient in question authorizing the release of their medical records.

The lawsuits also bring common law tort claims for invasion of privacy, negligent infliction of emotional distress, and vicarious liability. A major contributory factor to the emotional distress claim is that some of the accessible medical images included nude photographs of patients taken in connection with their cancer treatments. The plaintiffs seek monetary damages and other relief deemed appropriate by the courts.

The post Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach appeared first on HIPAA Journal.

Zoll Sues IT Vendor for 277,000-Record Server Migration Data Breach

A lawsuit has been filed in the US District Court in Massachusetts by the medical device vendor Zoll which alleges its IT service vendor, Campbell, CA-based Barracuda Networks, was negligent for botching a server migration which resulted in the exposure of the protected health information of 277,139 patients.

The breach in question involved archived emails that were being migrated to a new email archiving service. A configuration error left those emails exposed for almost 7 weeks, between November 8, 2018 and December 28, 2018. The configuration error was corrected, but Zoll was not informed about the breach until January 24, 2019. The breach investigation revealed the exposed emails contained patient information such as names, contact information, birth dates, medical information, and, for certain patients, Social Security numbers.

Zoll had contracted with a company called Apptix – now Fusion Connect – in 2012 and entered into a business associate agreement to provide hosted business communication solutions. Apptix then entered into a contract with a company called Sonian to provide services such as email archiving. Sonian was acquired by Barracuda Networks in 2017.

According to the lawsuit, Barracuda Networks learned of the breach on January 1, 2019. Its investigation revealed an error had been made and a data port had been left open, which exposed the email search function of the migration tool on a small portion of the indices. The port remained open for almost 7 weeks before the error was identified and the port was closed. While the port was open an unauthorized individual gained access to email data and “consistently executed an automated search of the archive.”

A breach of protected health information of this nature has real consequences for patients, who suffered injury and damages as a result of the exposure and theft of their personal and healthcare data. A lawsuit was filed against Zoll in April 2019 on behalf of patients affected by the breach; that lawsuit has since been settled. Zoll sought indemnification from Apptix, but the company did not respond.

In addition to the settlement and legal costs incurred, Zoll expended internal and external resources investigating and mitigating the breach, sending breach notification letters to affected patients, and providing affected patients with free access to services to protect them against loss and harm. The lawsuit seeks to recover those costs from Barracuda Networks.

Zoll alleges Barracuda Networks was negligent for failing to implement reasonable precautions and safeguards to protect Zoll’s data and that Barracuda Networks did not fully cooperate with Zoll’s investigation. Zoll alleges its investigators were not provided with access to Barracuda Networks’ online environment and that many of the investigators’ questions were not answered. Zoll said it was not told the dates when patient data was exposed, the types of data accessed, and whether any information had been exfiltrated by the attackers.

The lawsuit states that Barracuda Networks did respond to the breach and implemented additional safeguards, policies and procedures to prevent similar incidents from occurring in the future, but that it breached its duty to implement reasonable protections for Zoll data before the breach occurred. Zoll also alleges a breach of the implied warranty of merchantability, as the email archiving solution was warranted to be suitable for secure email archiving when security flaws allowed unauthorized individuals to access confidential archived data. Zoll further alleges the email archiving solution was flawed and not fit for purpose and that Barracuda Networks consequently breached the implied warranty of fitness for a particular purpose.


$350,000 Settlement Reached to Resolve Saint Francis Healthcare Data Breach Lawsuit

A $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by a September 2019 ransomware attack on Ferguson Medical Group (FMG).

FMG was acquired by Saint Francis after a cyberattack that rendered data, including electronic medical records, on FMG systems inaccessible. The decision was taken to restore the encrypted data from backups rather than pay the ransom, and while patient data and other files were recovered, it was not possible to recover all data encrypted in the attack. FMG was unable to restore a batch of data related to medical services provided to patients between September 20, 2018 and December 31, 2018 which has been permanently lost. FMG announced the incident impacted around 107,000 patients, and those individuals were offered complimentary membership to credit monitoring services.

A class action lawsuit was filed against Saint Francis Healthcare in January 2020 in the U.S. District Court of Eastern Missouri which alleged negligence per se, breach of express and implied contracts, invasion of privacy, and violations of the Missouri Merchandise Practices Act. Almost 90,000 of the affected patients added their name to the lawsuit.

While credit monitoring services had been offered to affected individuals, the plaintiffs sought compensation for costs incurred as a result of the data breach and attorneys’ fees. The lawsuit also demanded Saint Francis Healthcare implement additional safeguards to improve data security.

A motion to dismiss the lawsuit was filed by Saint Francis Healthcare in March 2020, claiming the plaintiffs had failed to state a plausible claim for relief. The plaintiffs maintained the motion to dismiss lacked merit; however, if the case were to go to trial, the outcome would be unpredictable. Both parties therefore agreed to attempt to settle the case out of court.

The proposed settlement will see all plaintiffs provided with a maximum of $280 to cover out-of-pocket expenses incurred as a result of the breach, additional credit monitoring services, and compensation for time spent protecting their identities.

Saint Francis Healthcare has also agreed to make improvements to security, including reviewing firewall rules, automatically updating its firewall to the latest version and applying patches promptly, restricting remote access to legacy systems, developing and implementing new password management policies, adding multi-factor authentication to its VPN access points, removing RDP from its vendor access solution, implementing geo-blocking for traffic to certain IP addresses, implementing a vulnerability scanning program, and providing more comprehensive cybersecurity training to the workforce.

The settlement now awaits approval from a judge. A conference with District Judge Stephen R. Clark of the District Court of Eastern Missouri is scheduled for November 17, 2020.


Georgia Man Pleads Guilty to Attempting to Frame a Former Acquaintance for Violating HIPAA Rules

A healthcare worker who was accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules and patient privacy by sending photographs of patients to unauthorized individuals has been cleared of any wrongdoing following an investigation by federal law enforcement. The accusations were found to have been fabricated by a former acquaintance of the healthcare worker, who concocted a scheme to frame the worker for fictitious HIPAA violations and is now facing a prison sentence for making false statements.

Jeffrey Parker, 43, of Richmond Hill, GA, concocted an elaborate scheme to frame the former acquaintance for violations of patient privacy. In U.S. District Court in the Southern District of Georgia, Parker pled guilty to one count of false statements and admitted creating fake email addresses and fabricating information in an effort to harm the former acquaintance. Parker portrayed himself as a whistleblower and contacted the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the hospital where the healthcare worker was employed to make false allegations of HIPAA violations.

Several email addresses were created using the real names of individuals. Parker impersonated each to accuse the healthcare worker of violating patient privacy and the HIPAA Rules. Parker also claimed to have been threatened for reporting the HIPAA violations and acting as a whistleblower. The FBI investigated the case promptly to ensure Parker’s safety but identified inconsistencies in his account of events. After further investigation, Parker admitted he had concocted the scheme to harm the former acquaintance.

“This fake complaint not only caused potential harm for an innocent victim, but it also unnecessarily diverted resources from federal investigators whose diligent work shredded his web of lies,” said Bobby L. Christine, U.S. Attorney for the Southern District of Georgia.

“Many hours of investigative resources were wasted determining Parker’s whistleblower claims were a scheme to damage a former acquaintance,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “Now he will pay for his deliberate transgression and we can affirm that these types of actions will be exposed and punished.”

Parker faces a maximum sentence of 5 years in jail.


Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

The Indianapolis, IN-based health insurer Anthem Inc. has settled multi-state actions by state attorneys general over its 78.8 million-record data breach in 2014. One settlement was agreed with the Attorneys General of 41 states and Washington, D.C., for $39.5 million, and a separate settlement was reached with the California Attorney General for $8.7 million. The settlements resolve alleged violations of federal and state laws that contributed to the data breach, the largest ever breach of healthcare data in the United States.

The cyberattack on Anthem occurred in 2014 and was announced by Anthem in February 2015. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. A Chinese national and an unnamed accomplice were charged in connection with the cyberattack in May 2019.

A breach on that scale naturally attracted the attention of the HHS’ Office for Civil Rights (OCR), which investigated the breach and discovered multiple potential violations of the HIPAA Rules. Anthem settled the HIPAA violation case with OCR for $16 million in October 2018. The HIPAA violation penalty was, and still is, the largest ever financial penalty imposed on a covered entity or business associate for violations of the HIPAA Rules.

Many lawsuits were filed on behalf of victims of the data breach over the theft of their protected health information. Anthem settled the consolidated class action lawsuit in 2018 for $115 million.

State Attorneys General investigated the breach to determine whether HIPAA and state laws had been violated. The multi-state investigation has taken 5 years to come to a conclusion, but the settlements now draw a line under the breach. Anthem has now paid $179.2 million to settle lawsuits and legal actions over the 2014 cyberattack.

In addition to the $48.2 million financial penalty, Anthem agreed to take a number of corrective actions to improve data security practices. These include implementing a comprehensive information security program based on the principles of zero trust architecture. Regular security reports are now sent to the board of directors and significant security events are reported promptly to the CEO.

Anthem has implemented multi-factor authentication, network segmentation, access controls, and data encryption, and is logging and monitoring information system activity. Anthem is conducting regular security risk assessments and penetration tests and provides regular security awareness training to its workforce. The corrective action plan also requires Anthem to undergo third-party security audits and assessments for three years and to provide the results of those audits to a third-party assessor.

Anthem issued a statement in relation to the settlements saying, “[Anthem] does not believe it violated the law in connection with its data security and is not admitting to any such violations,” and also said that there had been no evidence uncovered to indicate any information stolen in the attack has been used to commit fraud or identity theft.

“When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data,” said California Attorney General Xavier Becerra. “Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”


Slew of Lawsuits Filed Over Recent Healthcare Data Breaches

Individuals impacted by the recent data breaches at Blackbaud, Assured Imaging, and BJC Healthcare have taken legal action over the exposure and theft of their personal and protected health information.

Multiple Lawsuits Filed Over Blackbaud Ransomware Attack

The data breach at Blackbaud is one of the largest ever breaches of healthcare data to be reported. It is currently unclear exactly how many healthcare entities have been affected, as each affected entity is reporting the breach separately. As the deadline for reporting approaches, the extent of the breach is becoming clearer. Currently, at least 5 million individuals are known to have been affected and around 60 healthcare organizations have confirmed they have been impacted by the breach.

As is now common in ransomware attacks, data were exfiltrated by the hackers prior to the use of ransomware. Blackbaud paid the ransom demand to obtain the keys to decrypt data and to ensure that all stolen data were permanently deleted. Blackbaud has received assurances that the stolen data have been deleted, but as a result of the breach, individuals whose information was stolen in the attack have still had to take steps to protect their identities and many have incurred out-of-pocket expenses as a result of the breach.

At least 10 lawsuits have now been filed against Blackbaud and seek class action status. The lawsuits allege negligence, breach of contract, invasion of privacy, and violations of several state laws.

Blackbaud may have received assurances that the stolen data have been deleted, but there is concern that a copy could have been made and is still in the hands of the hackers. According to one lawsuit filed in California federal court, “[Blackbaud] cannot reasonably maintain that the data thieves destroyed the subset copy simply because the defendant paid the ransom and the data thieves confirmed the copy was destroyed.” Blackbaud maintains the allegations in the lawsuits are without merit.

Lawsuit Filed Over Assured Imaging Ransomware Attack

Assured Imaging similarly suffered a ransomware attack in which patient data were stolen prior to the use of ransomware. The hackers first gained access to Assured Imaging’s systems on May 15, 2020 and deployed their ransomware on May 19, 2020. Notification letters were sent to the 244,813 patients affected by the attack on August 26, 2020. While it has been confirmed that the attackers stole data, Assured Imaging was unable to determine what information was obtained.

The threat actors behind the attack later published a portion of data stolen in the attack in an attempt to pressure Assured Imaging into paying the ransom. The ransomware used in the attack was Pysa, aka Mespinoza.

A lawsuit has been filed in the US District Court of Arizona on behalf of plaintiffs Angela T. Travis, Kerri G. Peters, and Geraldine Pineda and others affected by the breach. The plaintiffs are represented by attorney Hart L. Robinovitch of Zimmerman Reed.

The lawsuit alleges Assured Imaging maintained patient data “in a reckless manner” on a computer network that was vulnerable to cyberattacks and that there was a known risk of improper disclosure of PHI due to the lack of appropriate cybersecurity protections.

The lawsuit also alleges the failure to secure the network left patient data “in a dangerous condition” and that there was improper monitoring of its network, resulting in a delay in identifying the intrusion.

The lawsuit also alleges Assured Imaging was in breach of FTC guidelines and had failed to comply with the minimum industry standards for data security, such as applying security updates promptly, training the workforce, implementing appropriate policies and procedures with regard to data security, and the failure to encrypt data.

The lawsuit alleges patients face an increased risk of fraud and identity theft for many years to come as a result of the theft of their data and the actual or potential release of their information on the black market. Affected patients have also “suffered ascertainable losses in the form of disruption of medical services, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

BJC Healthcare Facing Class Action Lawsuit over Phishing Attack

A lawsuit has been filed in the St. Louis Circuit Court over a March 2020 phishing attack on BJC Healthcare in which the personal and protected health information of 287,876 individuals was potentially compromised. The breach affected 19 hospitals associated with BJC Healthcare.

Three employees responded to phishing emails and disclosed their credentials, and their email accounts were then accessed by the attackers. BJC Healthcare claims the breach was detected the same day but that it could not determine whether any data in the email accounts were accessed or stolen by the attackers.

A lawsuit was filed by attorney Jack Garvey on behalf of BJC patient Brian Lee Bauer claiming BJC’s approach to patient privacy was negligent. The lawsuit alleges the health system failed to implement and follow basic security procedures which made the protected health information of its patients accessible to thieves. The lawsuit alleges BJC failed to encrypt – or did not sufficiently encrypt – patient data and that it failed to meet its data security obligations under HIPAA and the HITECH Act.

The lawsuit claims breach victims face an increased risk of identity theft and fraud and are “immediately and imminently in danger of sustaining some or further direct injury/injuries.” As a result of the breach, patients have incurred significant out-of-pocket costs related to the prevention, detection, recovery, and remediation from identity theft and fraud and that the breach “is taking a significant emotional and physical toll” on the individuals affected.


Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days.

The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals.

CHSPSC LLC is a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed CHSPSC’s information systems via its virtual private network (VPN) solution. CHSPSC failed to detect the intrusion and was notified by the Federal Bureau of Investigation on April 18, 2014 that its systems had been compromised.

During the time the hackers had access to CHSPSC systems, the ePHI of 6,121,158 individuals was exfiltrated. The data had been provided to CHSPSC through 237 covered entities that used CHSPSC’s services. The types of information stolen in the attack included the following data elements: name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.

OCR launched an investigation into the breach and uncovered systemic noncompliance with the HIPAA Security Rule. While it may not always be possible to prevent cyberattacks by sophisticated threat actors, when an intrusion is detected action must be taken quickly to limit the harm caused. Despite being notified by the FBI in April 2014 that its systems had been compromised, the hackers remained active in its systems for 4 months, finally being eradicated in August 2014. During that time, CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the hackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014, mitigate the harmful effects of the security breach, and document the breach and its outcome was in violation of 45 C.F.R. § 164.308(a)(6)(ii).

OCR investigators found CHSPSC had failed to conduct an accurate and thorough security risk analysis to identify the risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures that permit access to information systems containing ePHI maintained by CHSPSC only by authorized individuals and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures had not been implemented to ensure information system activity records such as logs and system security incident tracking reports were regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino. A sizeable financial penalty was therefore appropriate.

CHSPSC chose not to contest the case and agreed to pay the financial penalty and settled with OCR. The settlement also requires CHSPSC to adopt a robust and extensive corrective action plan to address all areas of noncompliance, and CHSPSC will be closely monitored by OCR for 2 years.


Member of The Dark Overlord Hacking Group Sentenced to 5 Years in Jail

The U.S. Department of Justice has announced that a member of the notorious hacking group, The Dark Overlord, has been sentenced to 5 years in jail and has been ordered to pay $1.4 million in restitution.

The Dark Overlord hacking group started targeting U.S. organizations in 2016. The hackers gained access to the networks of companies via brute force attacks on Remote Desktop Protocol, then stole data from victim companies and threatened to sell the stolen data on criminal marketplaces if the ransom demand was not paid. The hackers issued ransom demands of between $75,000 and $350,000 in Bitcoin and issued multiple threats if the ransom was not paid. In some instances, individuals in the victim companies received personal threats against them and their family members via the telephone, email, and text messages.
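The Dark Overlord item above describes the initial access technique (brute-forcing Remote Desktop Protocol logons), and the CHSPSC item above describes the control that lets such activity go unnoticed: failing to regularly review information system activity records. The following is an added example, not code from HIPAA Journal or from any organization named on this page, of the kind of log review that catches an RDP password-guessing burst and, more importantly, the successful logon that follows it. The input is constructed: each line imitates a Windows Security event (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) in a simplified key=value export; real SIEM exports use different field layouts, so the line format, the threshold and the window are assumptions to adapt.

```python
"""Flag RDP brute-force bursts and a success that follows one.

Added example for the Dark Overlord (RDP brute force) and CHSPSC (unreviewed
logs) items on this page. It is not code from HIPAA Journal or any party named
there. The log format below is a constructed, simplified key=value export of
Windows Security events; adapt LINE_RE to a real export.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 guesses six accounts in five seconds, then
# gets in as "administrator". 198.51.100.4 is a user mistyping a password an
# hour apart. The final line is a console logon (LogonType 2) with no source.
SAMPLE_LOG = """\
2020-03-01T02:14:05 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.7
2020-03-01T02:14:06 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7
2020-03-01T02:14:06 EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.7
2020-03-01T02:14:07 EventID=4625 LogonType=10 TargetUser=svc_sql SrcIP=203.0.113.7
2020-03-01T02:14:08 EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=203.0.113.7
2020-03-01T02:14:09 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.7
2020-03-01T02:14:10 EventID=4624 LogonType=10 TargetUser=administrator SrcIP=203.0.113.7
2020-03-01T02:30:00 EventID=4625 LogonType=10 TargetUser=mlee SrcIP=198.51.100.4
2020-03-01T03:30:00 EventID=4625 LogonType=10 TargetUser=mlee SrcIP=198.51.100.4
2020-03-01T04:00:00 EventID=4625 LogonType=2 TargetUser=mlee SrcIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, event_id, logon_type, user, src_ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole review
        yield (datetime.fromisoformat(m["ts"]), int(m["event"]),
               int(m["ltype"]), m["user"], m["ip"])


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for sources that look like RDP password guessing.

    An alert is raised once a source IP has `threshold` or more failed RDP
    logons (4625, LogonType 10) inside a sliding `window`. If the same IP then
    has a successful RDP logon (4624, LogonType 10), the alert is marked
    success_after_failures: the guessing worked and the account is compromised.
    """
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still in window
    tried = defaultdict(set)     # src_ip -> usernames guessed from that source
    alerts = {}
    for ts, event, ltype, user, ip in parse(log_text):
        if ltype != 10 or ip == "-":
            continue             # only network RDP logons with a source address
        if event == 4625:
            q = recent[ip]
            q.append(ts)
            tried[ip].add(user)
            while ts - q[0] > window:
                q.popleft()      # age out failures older than the window
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {
                    "first_seen": q[0],
                    "success_after_failures": False,
                    "compromised_user": None,
                })
                alert["failures"] = len(q)
                alert["users_tried"] = sorted(tried[ip])
        elif event == 4624 and ip in alerts:
            alerts[ip]["success_after_failures"] = True
            alerts[ip]["compromised_user"] = user
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

On the sample the only alert is for 203.0.113.7, with six failures across five distinct usernames and a successful logon as administrator afterwards; the slow retries from 198.51.100.4 fall outside the five-minute window and never trip the threshold. The success-after-failures flag is the event to page on: a burst of 4625s alone is noise on any internet-exposed RDP host, while a 4624 from the same source means the credentials are now in the attacker's hands, which is the situation the Saint Francis and Anthem corrective actions (removing RDP from vendor access, MFA on remote access) are designed to prevent.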

Victims of The Dark Overlord included accounting firms, healthcare providers, and other companies. Healthcare provider victims included Farmington, MO-based Midwest Orthopedic Group, Swansea, IL-based Quest Records, Prosthetics & Orthotics Care in St. Louis, and Athens, GA-based Athens Orthopedic Clinic. Athens Orthopedic Clinic was recently fined $1.5 million for HIPAA failures discovered by the HHS’ Office for Civil Rights when investigating The Dark Overlord hacking incident.

Nathan Wyatt, 39, a UK national, was arrested by UK police in September 2017 over the hacking of the iCloud account of Pippa Middleton, the sister of the Duchess of Cambridge. Around 3,000 photographs were stolen and a ransom demand of £50,000 was issued for their return. He was released without charge but was later charged with 20 counts of fraud by false representation, two counts of blackmail, and one count of possession of an identity document with intent to deceive. One of the offenses involved blackmailing a law firm in the UK as part of The Dark Overlord hacking group. Wyatt was sentenced to 3 years in jail in the UK for those offenses.

Wyatt was then indicted by a grand jury in November 2017 over his role in the Dark Overlord attacks on 5 victim companies in the United States and was extradited to the United States in December 2019 where he has remained in custody.

Wyatt was indicted on 6 counts: one count of conspiracy, two counts of aggravated identity theft, and three counts of threatening to damage a protected computer. Wyatt entered into a plea arrangement and agreed to plead guilty to the conspiracy charge in exchange for the remaining five counts being dropped.

Wyatt admitted being part of The Dark Overlord hacking group and that he and his co-conspirators obtained sensitive data from victim companies, including patient medical records, and threatened to publish or sell the data if the ransom demand was not paid.

Wyatt did not orchestrate the attacks and was not one of the leaders of the group. Wyatt’s role was “creating, validating, and maintaining communication, payment, and virtual private network accounts that were used in the course of the scheme to, among other things, send threatening and extortionate messages to victims,” according to the Department of Justice.

U.S. District Judge Ronnie White, of the Eastern District of Missouri, sentenced Wyatt to 60 months in jail less time already served and ordered Wyatt to pay $1,467,048 in restitution to the victim companies.

“Nathan Wyatt used his technical skills to prey on Americans’ private data and exploited the sensitive nature of their medical and financial records for his own personal gain,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division. “Today’s guilty plea and sentence demonstrate the department’s commitment to ensuring that hackers who seek to profit by illegally invading the privacy of Americans will be found and held accountable, no matter where they may be located.”


Express Scripts HIPAA-Based Lawsuit Dismissed by Court of Appeals

In 2019, a lawsuit was filed against Express Scripts by five independent pharmacies alleging improper use of patient data in violation of HIPAA.

Express Scripts is the largest pharmacy benefits manager in the United States with its own retail pharmacies and pharmacy service. The five pharmacies were part of the Express Scripts network and were required to submit detailed claims to Express Scripts for processing and reimbursement before dispensing drugs. The pharmacies also needed to include information about the medications in their claims, along with the contact information of their customers.

In the lawsuit, the pharmacies alleged that Express Scripts was in breach of contract and of the covenants of good faith and fair dealing, and in violation of HIPAA and the HITECH Act. The pharmacies were required to provide Express Scripts with information about their customers, which they alleged was then used to switch those customers to Express Scripts’ own mail order service. The pharmacies alleged there was no need to supply that information to confirm coverage and obtain reimbursement.

“The Pharmacies maintain that [Express Scripts] is using their confidential customer information without authorization to switch their customers to [Express Scripts] own mail-order service when [Express Scripts] should only use the information to confirm customers’ coverage and to reimburse the Pharmacies,” according to the court filing. The pharmacies also alleged the pharmacy benefits manager was engaged in unfair competition and “shared the Pharmacies’ trade secrets with its affiliates in order to steal the Pharmacies’ customers.”

The district court dismissed the lawsuit stating the information provided was not protected and the agreements the pharmacies entered into with Express Scripts allowed the pharmacy benefits manager to pursue mail-order prescription arrangements without violating any good faith agreements or contracts. The district court also ruled that the pharmacies could not sue for a HIPAA violation as there is no private cause of action in HIPAA.

In their appeal against the district court’s decision to dismiss the lawsuit, the pharmacies argued that dismissal for lack of standing was incorrect because they were not attempting to sue for a HIPAA violation. They also asked that the court’s alternative reasoning, “that HIPAA only allows the Pharmacies’ customers, not the Pharmacies, to authorize the use of their confidential health information,” be disregarded. Express Scripts argued that even if it were possible to state a claim under HIPAA, the pharmacies had failed to plead sufficient facts to demonstrate a past or ongoing HIPAA violation.

The pharmacies also claimed in their appeal that Express Scripts was only entitled to receive information after claims had been processed, and that the collection of customer information was unnecessary and was carried out only out of self-interest.

The 8th U.S. Circuit Court of Appeals affirmed the lower court’s ruling that it is not possible to sue for a HIPAA violation, that the information provided to Express Scripts was not protected, and that the terms of the pharmacies’ contracts with Express Scripts allowed the pharmacy benefits manager to offer mail-order prescription arrangements to the pharmacies’ customers. In those contracts the pharmacies agreed to cooperate with Express Scripts in the coordination of their customers’ benefits, and mail service dispensing, even through Express Scripts’ own service, falls within the category of benefits provided to any member.

The Court of Appeals also affirmed the lower court’s dismissal of the pharmacies’ attempted monopolization claim, ruling that “the Pharmacies did not plead sufficient facts to meet their ‘burden of alleging a relevant market in order to state a plausible antitrust claim.’”
