Legal News

$1 Million Settlement Agreed to Resolve American HomePatient Data Breach Lawsuit

A $1 million settlement proposed by American HomePatient to resolve a class action lawsuit filed on behalf of victims of a 2017 data breach has received preliminary approval.

The data breach that was the subject of the lawsuit occurred on January 6, 2017. The offices of American HomePatient in Delaware were burgled, and thieves stole several computers. The hard drives were not encrypted and contained sensitive information such as names, addresses, dates of birth, Social Security numbers, AHOM account information, financial information, diagnosis codes, and treatment information of 13,000 current and former patients and customers of American HomePatient and Lincare Holdings Inc.

Following the breach, a class action lawsuit was filed on behalf of victims of the breach who claimed American HomePatient was negligent for failing to encrypt sensitive data and, that by failing to do so, the thieves had easy access to their sensitive information. The lawsuit also alleged invasion of privacy, breach of implied contract, negligence per se, unjust enrichment, breach of fiduciary duty, and a violation of the state Unfair and Deceptive Trade Practices Act.

Under the terms of the settlement, American HomePatient will provide monetary and non-monetary relief for class members in seven areas: Complimentary credit monitoring services for 12 months, reimbursement for identity theft protection services up to $150, payment of $350 for false tax returns filed with the IRS after January 6, 2017, payment of $150 for unauthorized IRS tax transcripts requested from the IRS after January 6, 2017, an identity theft payment of $350, and reimbursement for expenses incurred as a result of the breach up to $500 for out-of-pocket expenses and up to 3 hours at $15/hour.

Plaintiffs can submit a claim for enrollment in the Equifax Credit Watch Silver program but must submit documentation supporting claims under all other categories. Class members have until June 6, 2020 to submit their claims. The final hearing has been scheduled for June 26, 2020.

In addition to the monetary settlement, American HomePatient has agreed to implement and maintain security measures for two years which include conducting an external HIPAA risk assessment at least every two years and an annual risk analysis. American HomePatient will also maintain a head of IT to coordinate the security program for 2 years and will provide ongoing employee education on information security and protecting personally identifiable information.

The post $1 Million Settlement Agreed to Resolve American HomePatient Data Breach Lawsuit appeared first on HIPAA Journal.

Law Firm Files Class Action Lawsuit After Being Charged Excessive Fees for Copy of Patient’s Medical Records

A law firm is taking legal action against the healthcare release-of-information solution provider, Medical Records Online (MRO), for overcharging law firms and insurers for providing electronic copies of patients’ medical records.

The lawsuit was filed by Cipriani & Werner of Pittsburgh in federal court in Camden, NJ. The lawsuit relates to MRO charges for providing a copy of a patient’s medical records for a personal injury case against the retailer Kohl’s, which the law firm represents.

Cipriani & Werner obtained the medical records of the plaintiff in the suit from John F. Kennedy Medical Center, in Edison, NJ, and was charged $528 by MRO for 518 pages of the plaintiff’s medical records. The law firm was charged a $10 search fee and $1 per page, even though the records were provided electronically as a PDF file.

Cipriani & Werner alleges MRO violated the New Jersey Declaratory Judgement Act by charging unlawful fees well in excess of the maximum limit. A claim was also made under the New Jersey Consumer Fraud Act for unconscionable commercial practices, and for a breach of New Jersey common law for a breach of contract for a violation of the implied covenant of good faith and fair dealing.

The New Jersey Administrative Code allows a $10 search fee to be charged for providing copies of medical records to third parties, a charge of $1 per page, and the actual cost of postage and media for sending the records (e.g. a CD). Cipriani & Werner claims the charge should have solely consisted of a $10 search fee and no per-page fee should have been charged as the records were not printed.

The lawsuit states, “Regardless of whether MRO was providing copies of only a few pages of records or hundreds of pages, the cost to MRO of copying electronically stored records and transmitting them to the purchaser took the same amount of time and effort.” Cipriani & Werner suggests the entire process took less than 5 minutes.

The law firm Schnader Harrison Segal & Lewis of Cherry Hill, NJ, which represents MRO, maintains the fees were entirely lawful and in line with state regulations.

The lawsuit references a 2015 memo from the New Jersey State Department which forbids medical record providers from charging per-page fees for electronically transmitted copies of medical records, including when records are sent to purchasers through computer equipment. However, in this case the state department memo does not apply, as the New Jersey Department of Health does not have any authority over MRO and the memo did not go through the official rule-making process in the State of New Jersey.

The class members are primarily attorneys and insurance companies who purchased copies of electronic medical records from MRO from September 2015 to February 2020, who were similarly charged for electronic copies of medical records in civil cases. The lawsuit only names MRO, not any healthcare providers that use MRO for managing requests for medical records.


Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval

A federal judge has given final approval of a settlement to resolve a class action lawsuit filed against the New Jersey-based medical laboratory company, Quest Diagnostics Inc., over its 2016 data breach. The $195,000 settlement provides up to $325 compensation for each breach victim.

On November 26, 2016 hackers gained access to the Care360 MyQuest mobile app that is used by patients to store and share their electronic test results and make appointments. The health app contained names, dates of birth, telephone numbers, and lab test results which, for some patients, included their HIV test results. 34,000 patients were affected by the breach.

A class action lawsuit was filed on behalf of patients affected by the breach in 2017. The lawsuit alleged Quest Diagnostics had been negligent and failed to protect the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that could have protected user’s information.” The plaintiffs also alleged Quest Diagnostics did not provide timely, accurate, and adequate notification about the breach.

In the fall of 2019, Quest Diagnostics proposed a settlement that provided compensation for the breach victims in order to avoid further legal costs and the risks of continuing litigation. A maximum of $325 per breach victim was proposed, which reflected the strengths and weaknesses of the claims and defenses in the case. Quest Diagnostics and the other defendants in the case have not admitted any wrongdoing.

The settlement received preliminary approval from a federal court judge in October 2019. Final approval was issued on February 25, 2020.

Each class member can claim up to $325, which comprises up to $250 to cover provable out-of-pocket expenses incurred as a result of the breach. A further $75 can be claimed by each patient whose HIV test results were exposed, even if the patient did not incur any losses. Plaintiffs are required to submit a claim in order to receive a share of the settlement, and claims must be submitted by May 22, 2020.

Another class action lawsuit has been filed against Quest Diagnostics and Care360 over the theft of almost 12 million patient records from its business associate, American Medical Collection Agency (AMCA) in 2019. The plaintiffs in that case similarly allege the defendants were negligent for failing to protect their personal and protected health information and did not provide timely and accurate notifications.


UW Medicine Faces Class Action Lawsuit Over 974,000-Record Data Breach

Several lawsuits have been filed against healthcare organizations over data breaches in recent weeks, with University of Washington Medicine the latest to face legal action for exposing the protected health information of patients.

The lawsuit has been filed over a December 2018 data breach that saw the personal information of 974,000 patients exposed over the internet as a result of a misconfigured server. The misconfigured server contained an accounting of disclosures database that included patient names, medical record numbers, a list of parties who had been provided with patient data, and the reason why that information was disclosed. Some individuals also had information exposed relating to a research study they were enrolled in, their health condition, and the name of a lab test that had been performed. For certain patients, sensitive information was exposed. According to the lawsuit, that included a patient’s HIV test-taking history and, in some cases, the patient’s HIV status. Social Security numbers, financial information, health insurance information, and medical records were not exposed.

The server misconfiguration occurred on December 4, 2018. UW Medicine was alerted to the breach when a patient discovered a file containing their records that had been indexed by Google. UW Medicine found and corrected the misconfiguration on December 26, 2018.

UW Medicine explained in a press release issued on February 20, 2019 that the database was accessible for a period of three weeks and UW Medicine worked closely with Google to have all indexed information removed from Google’s servers. That process was completed by January 10, 2019.

The lawsuit, filed in King County Superior Court, alleges UW Medicine was negligent and failed to properly safeguard the protected health information of its patients and did not inform patients promptly that their PHI had been exposed. The lawsuit alleges patients have suffered “real, significant, and continuing injury,” have suffered distress and loss of reputation as a result of the breach, and have been placed at an increased risk of identity theft, fraud, and abuse.

The lawsuit also references an earlier UW Medicine data breach as further evidence of inadequate information security practices: a 2013 malware infection that occurred as a result of an employee opening an infected email attachment. That incident impacted 90,000 patients.

The investigation of the breach by the HHS’ Office for Civil Rights found UW Medicine had violated the HIPAA Security Rule by failing to implement adequate policies and procedures to prevent, detect, contain, and correct security violations. In 2015, UW Medicine settled the case with OCR for $750,000 and agreed to adopt a corrective action plan that included conducting “a comprehensive risk analysis of security risks and vulnerabilities and develop an organization-wide risk management plan.”

“[UW Medicine’s] substandard security practices have now compromised nearly one million patients’ PHI, greatly exceeding the scope of the 2013 breach, in violation of its statutory and professional standard of care obligations, in breach of Plaintiffs and the Class’ reasonable expectations when they decided to form a patient physician relationship with UW Medicine, and thereby diminishing the value of the services UW Medicine provided and that its patients paid for,” argue the plaintiffs in the lawsuit.

The lawsuit seeks full disclosure about the information that was compromised, statutory damages and legal fees, and calls for UW Medicine to adopt sufficient secure practices and safeguards to prevent further data breaches in the future.


Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle.

A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes.

Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health.

According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any legitimate work purpose for doing so. It was also confirmed that Meier had accessed the medical records of members of Ciaccia’s family.

Ciaccia reported the criminal HIPAA violations to the police and an investigation was launched. Meier was arraigned in Gates Town Court on Tuesday, February 11, 2019 on 215 felony counts of computer trespass and 215 counts of misdemeanor unauthorized use of a computer. Meier pleaded not guilty to all counts and the case is expected to go before a grand jury.

“If you go in somebody’s medical records, you deserve to be charged. You deserve to be held accountable,” Ciaccia told News 10 NBC. Ciaccia also believes Rochester Regional Health should be held accountable, not for the breach itself, but for the failure to identify an ongoing privacy violation that spanned more than two years.

The unauthorized medical record access was only discovered after Ciaccia reported the potential privacy violation to Rochester Regional Health. “I feel like Rochester Regional pay her all year to go in my medical records,” said Ciaccia. Upon discovery of the unauthorized access, Rochester Regional Health took disciplinary action against Meier.

HIPAA requires healthcare organizations to implement safeguards to ensure the confidentiality, integrity, and availability of patient information. Even when access controls and other measures are implemented, it is not possible to prevent every instance of improper access to medical records by employees. However, when such instances occur, they should be identified quickly.

HIPAA requires audit logs to be maintained to track access to protected health information. Those logs allow audits to take place, as was the case when the matter was brought to the attention of Rochester Regional Health by Ciaccia.

HIPAA also requires audit logs to be regularly checked to identify unauthorized access to PHI. Had the audit logs been monitored more closely, the privacy violation could have been identified and sanctions could have been applied against Meier sooner.


Hackensack Meridian Health Faces Class-Action Lawsuit Over December Ransomware Attack

A lawsuit has been filed against the New Jersey Healthcare provider, Hackensack Meridian Health, over a December 2, 2019 ransomware attack that affected all 17 of its hospitals.

The ransomware attack temporarily disrupted medical services while its systems were offline and access to medical records was prevented. Systems remained down for several days while data was recovered, and systems were restored. Medical services continued to be provided with staff reverting to pen and paper to record patient information. However, some non-emergent medical procedures had to be cancelled.

Prompt action was taken to secure its systems and recover data, and physicians, nurses, and clinical teams worked round the clock to ensure patient safety was maintained during the attack and recovery process. In order to restore systems in the fastest possible timeframe and prevent ongoing disruption to medical services, the decision was taken to pay the ransom. Hackensack Meridian Health had a comprehensive insurance policy in place, which helped cover the cost of the ransom payment and its remediation and recovery efforts.

Forensic experts were engaged to assist with the investigation and determine whether any patient information had been compromised. No evidence was found to indicate any patient information was stolen by the attackers.

While it would appear that Hackensack Meridian Health took reasonable steps to limit the harm caused to patients and restore systems and data in the shortest possible time frame, it was not enough to prevent legal action.

Two plaintiffs have been named in a proposed class-action lawsuit filed in a district court in Newark that seeks compensation, reimbursement of out-of-pocket expenses, statutory damages and penalties, and injunctive relief requiring Hackensack Meridian Health to make improvements to its security systems, undergo annual data security audits, and provide three years of complimentary credit monitoring services to breach victims.

The plaintiffs allege Hackensack Meridian Health maintained its network in a “reckless manner” which left its systems vulnerable to attack and that the health system failed to adequately protect patient information. The lawsuit also alleges the attack caused major disruption to the medical care provided to patients, forcing them to seek alternative care and treatment.

Hackensack Meridian Health’s investigation uncovered no evidence to suggest data theft, but the plaintiffs allege their personal and protected health information has been stolen by the attackers and disclosed to “other unknown thieves,” which has placed them at heightened and imminent risk of identity theft and fraud.

The plaintiffs also allege the ransomware attack was not reported to the Department of Health and Human Services’ Office for Civil Rights, as is required by HIPAA, and that affected patients have not been notified about the attack.

As of February 19, 2020, the incident had yet to appear on the OCR breach portal, although that does not necessarily mean the incident has not been reported, as there is often a delay between a report being submitted to OCR and it being uploaded to the breach portal.

Breach notifications are often delayed while data breaches are investigated. It can take some time to determine which patients have been affected and to obtain up to date contact information in order to mail notifications. Patient notifications are usually required for ransomware attacks per previous OCR guidance, but they are not mandatory, provided covered entities can demonstrate there was a low probability that PHI has been compromised.

It is becoming increasingly common for patients to take legal action against covered entities over ransomware attacks. Several lawsuits have been filed in recent weeks on behalf of patients that have been affected by ransomware attacks. With more threat groups opting to steal data prior to the encryption of files, the number of lawsuits will undoubtedly increase.


Florida Clinic Worker Facing 22 Years in Jail for Wire Fraud and Aggravated Identity Theft

A former medical clinic worker in Florida who impermissibly accessed the protected health information of patients and sold the information to identity thieves has pleaded guilty to wire fraud and aggravated identity theft.

Stacey Lavette Hendricks, 49, of Leesburg, FL, had previously been employed as an administrative worker at several state medical clinics in Florida. Her role gave her access to the protected health information of patients. Hendricks used her access to steal patient information from the unnamed medical clinics, including names, dates of birth, and Social Security numbers. That information was sold to identity thieves for cash and was also used to defraud businesses.

The United States Secret Service investigated the case. Hendricks was apprehended after she attempted to sell stolen patient information to an undercover law enforcement officer. A warrant was obtained to search her home and car and law enforcement officers found patient information stolen from the clinics related to 113 different patients.

Hendricks was charged in the United States District Court for the Middle District of Florida in Ocala and pleaded guilty to one count of wire fraud and two counts of fraud with identification documents: aggravated identity theft and possession of means of identification with intent to commit a felony. No date has currently been set for sentencing.

Hendricks now faces a maximum jail term of up to 20 years for the wire fraud charge and a mandatory 2-year consecutive term for aggravated identity theft.


Georgia Man Charged Over False Allegations of HIPAA Violations

A Georgia man has been charged over an elaborate scheme to frame an acquaintance for violations of the Health Insurance Portability and Accountability Act (HIPAA) that never occurred.

Jeffrey Parker, 43, of Richmond Hill, GA, claimed he was a whistleblower reporting HIPAA violations by a nurse. He reported the violations to the hospital where the nurse worked, and complaints were also sent to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI). Parker was also interviewed by Fox28Media in October 2018 and told reporters that the nurse had been violating HIPAA privacy laws for an extensive period.

The nurse worked at an unnamed hospital in Savannah, GA, which was part of a health system that also operated healthcare facilities in Nashville, TN and other areas. She was alleged to have emailed graphic photographs of patients with traumatic injuries such as gunshot wounds to other individuals outside the hospital. In the Fox28Media interview Parker explained that the sharing of images between employees and other individuals had been going on for a long time.

Parker requested that his identity remain hidden out of fear for his personal safety. He also claimed he had received threats as a result of reporting the HIPAA violations.

In addition to claiming the nurse had violated HIPAA, Parker set up email accounts using the names of real hospital employees. Those email accounts were used to send further reports of HIPAA violations to the hospital as well as the DoJ and the FBI, to make it appear that the nurse’s co-workers were also reporting HIPAA violations.

The FBI responded quickly to the threats over his personal safety and interviewed Parker about the alleged crimes. An FBI agent found inconsistencies in Parker’s story and, upon further questioning, Parker admitted making false statements and creating the email addresses to support his story. According to the Fox28Media story, the nurse was a former lover of Parker.

“Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations,” said U.S. Attorney Bobby L. Christine. “This fake complaint caused a diversion of resources by federal investigators, as well as an unnecessary distraction for an important health care institution in our community.”

Parker was charged with one count of false statements by the U.S. Attorney for the Southern District of Georgia. Parker now faces up to five years imprisonment for the crime.

“Hopefully the quick uncovering of this alleged scheme by our investigators will send a message that these types of actions will be exposed, and justice will be served,” said Chris Hacker, Special Agent in Charge of FBI Atlanta.


Second Lawsuit Filed Against Kalispell Regional Healthcare Over Phishing Attack

A second lawsuit has been filed against Kalispell Regional Healthcare in Montana over a May 2019 phishing attack that saw the email accounts of some of its employees accessed by cybercriminals.

Kalispell Regional Healthcare learned about the breach on August 28, 2019. The investigation revealed the hackers gained access to employee email accounts on May 24, 2019 and potentially accessed patient information. A forensic investigation revealed the accounts contained the protected health information of as many as 140,209 patients.

According to Kalispell Regional Healthcare’s substitute breach notification on its website, the following information was compromised in the breach: Names, addresses, email addresses, telephone numbers, dates of service, treatment information, health insurance information, treating and referring physicians’ names, and medical bill account numbers. Kalispell Regional Healthcare said 250 or fewer patients had their Social Security number exposed. Patients affected by the breach were offered complimentary credit monitoring and identity theft protection services and steps have been taken to improve email security.

The first lawsuit was filed on November 25, 2019 in the Cascade County District Court in Great Falls, MT by attorney John Heenan on behalf of William Henderson, whose personal information was exposed in the breach. The lawsuit alleges the healthcare provider was negligent for failing to take appropriate steps to secure patient data and that industry best practices for securing patient data were not followed. Henderson claims he faces an increased risk of identity theft and fraud as a result of the breach, although it does not appear that his personal information had been misused at the time the lawsuit was filed. The lawsuit alleges violations of the Montana Uniform Health Care Information Act.

The second lawsuit was filed on December 24, 2019 by attorney William Rossbach on behalf of two patients who were impacted by the breach. The lawsuit also claims Kalispell Regional Healthcare violated the Montana Uniform Health Care Information Act. One of the patients, Annette Nevidomsky, claims she was a victim of fraud and had unauthorized charges on her accounts in the wake of the breach.

Both attorneys are seeking class action status for their lawsuits.
