Legal News

Hacktivist Convicted for DDoS Attack on Boston Children’s Hospital

A hacktivist who conducted a Distributed Denial of Service (DDoS) attack on Boston Children’s Hospital in 2014 has been convicted on two counts – conspiracy to intentionally damage protected computers and damaging protected computers – by a jury in the U.S. District Court in Boston.

Martin Gottesfeld, 32, of Somerville, MA, conducted the DDoS attacks in March and April of 2014. He first conducted a DDoS attack on Wayside Youth and Family Support Network in Framingham, MA. The attack crippled its systems and took them out of action for more than a week. The attack cost the healthcare facility $18,000 to resolve.

Following that attack, Gottesfeld conducted a much larger attack on Boston Children’s Hospital using 40,000 malware-infected network routers that he controlled from his home computer. The attack was planned for a week and occurred on April 19, 2014.

Such was the scale of the attack that the hospital and several others in the Longwood medical area were knocked off the internet. 65,000 IP addresses used by the hospital and other healthcare facilities in the area were prevented from being available for legitimate communications. The attack affected the hospitals’ ability to communicate, use the internet, and even provide care to certain patients.

The attack disrupted operations at Boston Children’s Hospital for two weeks and cost an estimated $300,000. A further $300,000 was lost donations as its fundraising portal was also taken offline as a result of the attack.

Gottesfeld claimed he conducted the DDoS attacks on behalf of the hacktivist group Anonymous in response to the way the hospital had behaved over a child custody case.

The custody case in question received national media attention and resulted in the parents of Connecticut teenager Justina Pelletier losing custody of their daughter. Boston Children’s Hospital alleged Justina’s parents were medically abusing their daughter, and custody was passed to the Commonwealth of Massachusetts.

Justina was receiving treatment for mitochondrial disease at Boston’s New England Medical Center but was transferred to Boston Children’s Hospital, where she was diagnosed as having somatoform disorder. Justina’s parents disagreed with the diagnosis and attempted to have their daughter discharged. The hospital refused, and in the subsequent legal battle Justina’s parents lost custody of their child.

Gottesfeld was suspected of conducting the DDoS attacks and his home was searched by federal law enforcement officers in October 2014. Several servers, computers and hard drives were seized although Gottesfeld was not officially charged at the time.

Gottesfeld went missing in February 2016 but was found after getting into difficulty when sailing in a small boat. He was rescued off the coast of Cuba by a passing cruise ship and was arrested when the cruise ship docked in Miami. The FBI claimed Gottesfeld was attempting to flee the United States.

Gottesfeld will be sentenced on Nov. 14, 2018 and potentially faces a fine of up to $500,000, plus restitution, and up to 15 years in jail – a maximum of 5 years for the conspiracy charge and up to 10 years for the damage charge – followed by up to 3 years of supervised release.

The post Hacktivist Convicted for DDoS Attack on Boston Children’s Hospital appeared first on HIPAA Journal.

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight.

In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes.

The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients’ protected health information. Millender admitted using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to two years in jail.

In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital and could have been taken by employees or third parties. In the case of Millender, that is exactly what happened.

Flowers Hospital attempted to have the lawsuit dismissed, although that attempt failed and the lawsuit was awarded class action status in 2017. The decision has now been taken to settle the case. The hospital has offered a fund of up to $150,000 to cover out-of-pocket expenses incurred by the 1,208 victims of the breach. The settlement would provide each class member with up to $250 each, although claims up to a total value of $5,000 would be considered.

In order to be eligible to receive the compensation, class members would need to submit valid claims. A valid claim would require a breach victim to prove that they purchased credit monitoring or identity theft protection services in response to being notified about the breach.

Additionally, breach victims would be allowed to claim for the time spent arranging those services (up to four hours of documented lost time), the cost of obtaining credit reports, and any un-reimbursed interest on a tax refund delayed because a fraudulent tax return was filed between June 2013 and the claims deadline. The settlement does not include any punitive damages.

In the event that valid claims are received, and the total claims amount exceeds the allocated $150,000, all claims would be reduced, pro rata, so that the total claims value would not exceed $150,000.

Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information.

In total, five email accounts were compromised between December 2017 and January 2018. On December 2, 2017, two email accounts were discovered to have been accessed by an unauthorized individual after employees responded to phishing emails. Links in the emails directed the employees to a website where they were tricked into entering their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, and a fifth and final account was compromised in early January.

The mailboxes of four of the compromised accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website, and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent article in the Kansas City Star, some patients have only just been notified that their PHI was stolen.

In addition to the phishing attack, Children’s Mercy Hospital reported a further breach of 1,463 patients’ PHI to the Department of Health and Human Services’ Office for Civil Rights on June 27, 2018, classed as an unauthorized access/disclosure incident. That incident related to the interception of unencrypted pages sent by physicians at the hospital. The pages were viewed by a radio hobbyist using an antenna and a software-defined radio (SDR) connected to a laptop. Common paging protocols transmit messages in the clear, so anyone within radio range with inexpensive SDR hardware and freely available decoder software can read them; the practical control is to keep PHI out of pages or move to an encrypted messaging platform. Children’s Mercy was not the only hospital affected by that incident.

An unauthorized access/disclosure incident was also reported to OCR by Children’s Mercy Hospital on May 19, 2017. That incident impacted 5,511 patients. In that case, PHI had been uploaded to a website by a physician. The website was unauthorized and lacked appropriate security controls.

Earlier this week, Kansas City law firm McShane and Brady filed a class action lawsuit over the phishing incident. In the lawsuit it is claimed that Children’s Mercy violated Missouri law and breached its fiduciary duty to patients.

“Patients trust health care providers with our medical information and when that is released without our authorization, they’re breaking our trust and breaching what we’ve asked them to do,” said Maureen Brady, partner at McShane and Brady. “When we pay them for our treatment, part of that price point goes to training and computer software and records maintenance and making sure our privacy is kept.”

While the lawsuit seeks damages for all patients impacted by the breach, those damages have not been stated in the lawsuit.

This is not the first time that legal action has been taken against Children’s Mercy Hospital over a privacy breach, and neither is it the first time McShane and Brady has sued the hospital. The law firm also filed a class action lawsuit over the 5,511-record breach in 2017.

There is no private cause of action in HIPAA, so patients cannot sue under HIPAA itself for the exposure of their protected health information, although they can sue healthcare providers over violations of state laws.

Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation

In 2016, Radnor, PA-based Main Line Health Inc., terminated an employee for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by accessing the personal records of a co-worker without authorization on two separate occasions.

In such cases, when employee or patient records are accessed without authorization, employees face disciplinary action which can include termination. Gloria Terrell was one such employee who was terminated for violating company policies and HIPAA Rules. Main Line Health fired Terrell for “co-worker snooping.”

Terrell filed an internal appeal over her termination and maintained she accessed the records of a co-worker in order to obtain a contact telephone number. Terrell said she needed to contact the co-worker to make sure a shift would be covered, and this constituted a legitimate business reason for the access as she was unable to find the phone list with employees’ contact numbers.

After firing Terrell, Main Line Health appointed a significantly younger person to fill the vacant position. Terrell took legal action against Main Line Health in September 2016 claiming age discrimination. In the lawsuit, Terrell claimed Main Line Health had experienced similar snooping incidents in the past and failed to apply the same rules for younger employees. Terrell claimed she knew of three younger co-workers who were not terminated following the discovery of HIPAA violations. However, Terrell could not substantiate those assertions and all three employees denied they had been involved in any improper accessing of patient records.

Main Line Health explained appropriate training on HIPAA Rules and company policies had been provided to staff on multiple occasions and that there were established policies related to the protection of confidential employee and patient information. Those policies clearly state disciplinary action will be taken if company policies and HIPAA Rules are violated, which may include immediate discharge from employment.

Main Line Health maintained Terrell was terminated for a legitimate, non-discriminatory reason and, since the case failed to raise a triable issue, that it was entitled to summary judgment.

Terrell’s case (Gloria Terrell v. Main Line Health, Inc., et al. – Civil Action No. 17-3102) went to federal court in the Eastern District of Pennsylvania. U.S. District Court Judge Richard Barclay Surrick recently granted Main Line Health’s motion for summary judgment, ruling that Terrell had failed to establish a viable age discrimination claim.

“In short, other than her own subjective beliefs, Plaintiff has offered no evidence from which a reasonable factfinder could conclude that Defendant’s proffered reason for terminating her lacks credibility. She has provided no evidence to support a finding of discrimination,” wrote Judge Surrick. “Although one may have reservations about the wisdom of terminating an employee with Plaintiff’s experience and tenure for electronically accessing a phone number that had already been made available to co-workers in paper form, it is not for this Court to sit as a super-personnel department that re-examines an entity’s business decisions.”

District Court Ruling Confirms No Private Cause of Action in HIPAA

Patients who believe HIPAA Rules have been violated can submit a complaint to the Department of Health and Human Services’ Office for Civil Rights, but they do not have the right to take legal action, at least not for the HIPAA violation itself. There is no private cause of action under HIPAA.

Several patients have filed lawsuits over alleged HIPAA violations, although the cases have not proved successful. A recent case has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed.

Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that while at the hospital on June 15, 2017, a LabCorp employee instructed her to enter her protected health information at a computer intake station.

Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different computer intake station and took a photograph of the two computer intake stations.

On July 3, 2017, Ms. Lee-Thomas submitted a complaint with the hospital alleging a violation of HIPAA and filed a complaint with the HHS’ Office for Civil Rights. Later, a complaint was filed with the District of Columbia Office of Human Rights (OHR) claiming the hospital had failed to make appropriate accommodations for patients to preserve their privacy.

On November 15, 2017, the HHS informed Ms. Lee-Thomas that her claim would not be pursued and OHR similarly dismissed her complaint on November 28, 2017, in both cases on the grounds that she failed to state a claim. OHR suggested Ms. Lee-Thomas had the right to bring a private action before the D.C. Superior Court and she proceeded to do so.

LabCorp removed the case to the U.S. District Court for the District of Columbia and filed a motion to dismiss, again for failure to state a claim. Ms. Lee-Thomas did not respond to the motion.

In a June 15 ruling, District Court Judge Rudolph Contreras confirmed that HIPAA does permit financial penalties to be issued when patients’ privacy is violated in breach of HIPAA Rules, but civil and criminal penalties are pursued by the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. In his ruling, Judge Contreras confirmed there is no private cause of action in HIPAA.

Even if there were a private cause of action, the case would have been unlikely to succeed, as no harm appears to have resulted from the alleged HIPAA violation.

While lawsuits are likely to be dismissed when based on HIPAA violations alone, that does not mean legal action cannot be taken by patients whose privacy has been violated. There is no private cause of action in HIPAA, but the privacy of personal information is covered by state laws.

Laws have been passed in all 50 states that require notifications to be issued to consumers when their personal information has been exposed, and several states also require companies to implement ‘reasonable safeguards’ to ensure personal data of state residents are protected.

A HIPAA violation can be reported to OCR to investigate, and action may be taken against the covered entity in question by OCR, but if the sole basis of any legal action is a violation of HIPAA Rules, the case is unlikely to be successful.

Victims of privacy violations who wish to take legal action should look at potential violations of state laws rather than HIPAA violations.

3-Year Jail Term for VA Employee Who Stole Patient Data

A former employee of the Veterans Affairs Medical Center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients has been sentenced to three years in jail.

Albert Torres, 51, was employed as a clerk at the Long Beach Health System-run medical center, a position he had held for less than a year. Torres was pulled over by police officers on April 12 after a check of his license plates revealed an anomaly: plates of a type normally reserved for commercial vehicles were being used on a private vehicle.

The officers found prescription medications for which Torres had no prescription, along with the Social Security numbers and other PHI of 14 patients, in his vehicle. A subsequent search of Torres’ apartment revealed hard drives and zip drives containing the PHI of 1,030 patients and more than $1,000 in cleaning supplies stolen from the hospital.

After pleading guilty to several crimes, including identity theft and grand theft, Torres was sentenced on June 4 to three years in state prison.

Sutter Health Fires Employees for Attempted PHI Access

An undisclosed number of employees of Sutter Health have been fired for accessing the medical records of patients without authorization.

CBS 13 Sacramento reported that an anonymous source had confirmed that Sutter Health had fired two employees for searching for the medical records of the suspected Golden State Killer, Joseph DeAngelo.

Following the news report from CBS 13, Sutter Health spokesperson Gary Zavoral issued a statement confirming action had been taken in response to the improper accessing of PHI, according to the Sacramento Business Journal.

While Zavoral did not confirm the number of employees that had been terminated, nor the patient or patients whose medical records were accessed, he did confirm that the employees concerned had been terminated.

Sutter Health has a system in place that generates alerts when employees access medical records without authorization. When improper access is detected, it usually results in termination.

In addition to firing the employees concerned, Sutter Health has reminded all staff that the accessing of medical records is only permitted when there is a legitimate work reason for doing so. The person or persons whose medical records were accessed are being notified of the privacy breach.
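The alerting Sutter Health describes, and the co-worker snooping at issue in the Main Line Health case above, both come down to the same audit-log question: did the user who opened a record have a documented reason to? The following is an added example of that detection logic, not Sutter Health’s or Main Line Health’s system. The audit-log format, field names, care-relationship table and watch list are assumptions chosen for illustration, and the log lines are constructed.

```python
"""
Detect unauthorized medical-record access ("snooping") from an EHR audit log.

Added example, not any hospital's production system. The log format, the
care-relationship table, the watch list and the rule thresholds are all
assumptions; the sample log lines are constructed.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export from an EHR access-audit table (fields assumed).
# "search" rows are included because the Sutter case involved employees
# searching for a patient's records, not only opening them.
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,user_role,patient_id,action
2018-04-26T09:02:11,u1001,nurse,p500,view
2018-04-26T09:05:43,u1001,nurse,p501,view
2018-04-26T10:17:02,u2042,billing_clerk,p900,search
2018-04-26T10:17:30,u2042,billing_clerk,p900,view
2018-04-26T10:31:55,u2042,billing_clerk,p123,view
2018-04-26T11:40:15,u3077,scheduler,p777,view
2018-04-26T11:41:00,u3077,scheduler,p778,view
2018-04-26T12:00:00,u1001,nurse,p777,view
2018-04-26T13:22:09,u3077,scheduler,p777,print
2018-04-26T14:05:40,u4400,lab_tech,p777,view
"""

# Constructed: documented care relationships (user -> patients assigned to
# them). In a real EHR this is derived from encounter, care-team or
# work-queue data, and is the only thing that makes an access "explainable".
CARE_RELATIONSHIPS = {
    "u1001": {"p500", "p501"},
    "u3077": {"p778"},
}

# Constructed: patients whose records always warrant review when opened by
# someone outside their care team, e.g. a high-profile patient such as the
# suspect in the article.
WATCHLIST = {"p900": "high_profile"}

# Constructed: patients who are also employees (patient_id -> user_id), so
# that co-worker snooping and self-access can be distinguished.
EMPLOYEE_PATIENTS = {"p777": "u4400"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user_id: str
    patient_id: str
    action: str
    reason: str
    severity: str  # "high": immediate privacy-office review; "medium"/"review": periodic attestation


def detect_snooping(log_text, relationships, watchlist, employee_patients):
    """Return one Alert per audit row that lacks a documented reason for access.

    A documented care relationship suppresses the alert; otherwise the row is
    classified, most serious first: watch-listed patient, a co-worker's
    record, the user's own record, or simply no documented relationship.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient = row["user_id"], row["patient_id"]
        if patient in relationships.get(user, set()):
            continue  # explainable by the user's assignments
        if patient in watchlist:
            reason, severity = f"watchlist:{watchlist[patient]}", "high"
        elif patient in employee_patients:
            if employee_patients[patient] == user:
                reason, severity = "self_access", "medium"
            else:
                reason, severity = "coworker_record", "high"
        else:
            reason, severity = "no_documented_relationship", "review"
        alerts.append(Alert(row["timestamp"], user, patient, row["action"], reason, severity))
    return alerts


def alerts_by_user(alerts):
    """Count alerts per user, the view a privacy office triages from."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert.user_id] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_snooping(SAMPLE_AUDIT_LOG, CARE_RELATIONSHIPS, WATCHLIST, EMPLOYEE_PATIENTS)
    for alert in found:
        print(f"{alert.severity:6} {alert.timestamp} {alert.user_id} -> {alert.patient_id} "
              f"({alert.action}): {alert.reason}")
    print("per user:", alerts_by_user(found))
```

On the constructed log this flags the billing clerk who searched for and opened the watch-listed record, three users who opened a co-worker’s record, and one self-access, while the nurse’s accesses to assigned patients produce nothing. Production systems add a break-the-glass attestation step for the "review" tier and peer-group baselines, but the rule order here, where only a documented relationship suppresses an alert, is what makes a watch-listed or employee record impossible to open quietly.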

Lawsuits Filed Over Alleged HIPAA Violations

Two lawsuits have recently been filed in relation to alleged breaches of Health Insurance Portability and Accountability Act (HIPAA) Rules, one by a former hospital employee and another by a patient whose privacy was allegedly violated by a CVS pharmacy employee.

Former Employee of Mosaic Life Care Medical Center Takes Legal Action over Dismissal

A former employee of Mosaic Life Care Medical Center in St. Joseph, MO is taking legal action over wrongful discharge and retaliation for her taking steps to avoid a violation of the False Claims Act.

Debra Conard, 57, alleges she was wrongfully terminated for raising concerns about unlawful, unethical, and fraudulent billing practices. According to the lawsuit, in April 2017 Conard was instructed by hospital officials to release charges for billing even though the documentation did not support the claims. Multiple charges were to be pushed through to induce payment by Medicare and other third parties, even though Conard could not verify that the claims were correct.

Conard raised her concerns about potential violations of the False Claims Act and told her supervisor of the possibility of substantial fines. Under instruction, Conard processed the claims but added notes stating that the claims were not supported by the documentation and had been authorized for release even though she believed them to be fraudulent.

Conard was subjected to disciplinary action, including suspension, which she attributes to her opposition to the fraudulent billing. She complained about the disciplinary action and was later accused of violating HIPAA Rules. She also complained about that allegation and was fired shortly afterwards.

The lawsuit states, “Merely because plaintiff could see patient information while performing duties in the coding program (that she needed to access to perform her job), she was subject to discipline and suspension.” Conard is seeking $75,000 in compensatory damages, lost wages, lost benefits, attorneys’ fees, and reinstatement.

Lawsuit Filed over Alleged Disclosure of Viagra Prescription

A New York man is taking legal action against CVS Pharmacy over an alleged privacy violation in which details of his prescriptions were disclosed over the telephone to his wife. The man had visited a Long Island branch of the pharmacy chain to fill a prescription for 100 mg of Viagra with five refills. The man wanted to pay for the drug personally rather than have it covered by his insurance.

The man’s wife contacted the same pharmacy by telephone a few days later about an unrelated matter and was allegedly told about her husband’s Viagra prescription by a CVS Pharmacy employee. As a result of the disclosure, the man claims his marriage has broken down and he has suffered a “genuine, severe mental injury and emotional harm”.

The man, identified as Michael Feinberg, claims his wife had no right to be told about his medication and that by disclosing the information to a third party (his wife) the pharmacy violated the HIPAA Privacy Rule.

Legal Action Being Considered Over EMS Worker’s Facebook Post

A woman from Roane County, TN, is considering taking legal action over a Facebook post made by an EMS worker who visited her property to provide treatment to her husband who had collapsed after suffering a heart attack while in his chicken coop.

Kathy Raymond attempted to save her husband’s life by providing cardiopulmonary resuscitation until the emergency services team arrived. They took over but were unable to save her husband’s life.

Following the visit, an EMS worker posted a message on Facebook about the incident. The message was – “well, we had a first … We worked a code in a chicken coop! Knee deep in chicken droppings.” WATE reports that further comments were added to the post by the worker, who stated, “it was awful” and that “I’m pretty sure y’all could smell us in dispatch.”

Raymond contacted Roane County EMS to complain about the EMS worker’s unprofessional and insensitive behavior and the matter was investigated internally.

No PHI was mentioned in the post although questions have been raised over a possible HIPAA violation. Since no PHI was disclosed, the county attorney does not believe HIPAA has been violated, but did say that the post should not have been made on social media.

The employee concerned has been reprimanded and talks have been scheduled with EMS workers to explain that no work matters should be discussed or posted on Facebook.

Raymond was not happy with the response to the incident and said, “this is wrong for her to just get a slap on the wrist. I don’t want her to be able to have a job as an EMS worker if she does not have more compassion than that. Even though she did not mention his name, she said it was the first time they had ever had a call in a chicken coop. Everybody knows where my husband died.”

Colorado Governor Signs Data Protection Bill into Law

Colorado Governor John Hickenlooper has signed a bill – HB 1128 – into law that strengthens protections for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Legislature. The bill will take effect from September 1, 2018.

The bill requires organizations operating in the state of Colorado to implement reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is protected. The bill also reduces the time for notifying the state attorney general about breaches of PII and introduces new rules for disposing of PII when it is no longer required.

Personal information is classed as first name and last name or first initial and last name in combination with any of the following data elements (when not encrypted, redacted, or secured by another means that renders the information unreadable):

  • Social Security number
  • Student ID number
  • Military ID number
  • Passport number
  • Driver’s license number or ID card number
  • Medical information
  • Health insurance ID number
  • Biometric data
  • Email addresses in combination with passwords or security Q&As
  • Financial account numbers, and credit cards and debit cards with associated security codes that would permit access/use

Reasonable Security Measures Must be Implemented

Covered entities will be required to implement and maintain “Reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” Those measures should protect PII from unauthorized access, modification, disclosure, and destruction. In cases where PII is passed to a third party, the covered entity must ensure the third party also has reasonable security measures in place.

A written policy must be developed by all businesses that maintain the personal information of Colorado residents covering the disposal of that information when it is no longer required. Electronic data and physical documents containing PII must be disposed of securely. The bill suggests “Shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.”

30-Day Maximum Time Limit for Issuing Breach Notifications

When the bill was first introduced, it required the state attorney general to be notified of a breach of PII within 7 days of discovery. Such a short time frame for issuing notifications can help to ensure prompt action is taken to prevent harm or loss, although such a short time frame means notifications would need to be issued before it would be possible, in many cases, to determine whether there had been any misuse of data. This requirement of the bill attracted considerable criticism from large businesses operating in Colorado.

After careful consideration, this requirement was amended and the time limit for issuing notifications has been extended to 30 days following the discovery of the breach. Even so, this makes the notification requirements the strictest of any state.  The state attorney general only needs to be notified of the breach if it has impacted more than 500 Colorado residents. Regardless of the scale of the breach, affected individuals must be notified within 30 days.

HIPAA-covered entities should note that the 30-day time limit will apply even though HIPAA allows up to 60 days to issue notifications. HIPAA-covered entities and entities covered by the Gramm-Leach-Bliley Act are not exempt.

Breach notices are required for any security breach that exposes personal information, except a good faith acquisition of personal information by an employee or agent of a covered entity if the information is not used for a purpose unrelated to the lawful operation of the business and if that information is not subject to further unauthorized disclosure.

A notice must also be placed on the website of the breached entity and a notification issued to statewide media.