Legal News

Georgia Man Charged Over False Allegations of HIPAA Violations

A Georgia man has been charged over an elaborate scheme to frame an acquaintance for violations of the Health Insurance Portability and Accountability Act (HIPAA) that never occurred.

Jeffrey Parker, 43, of Richmond Hill, GA, claimed he was a whistleblower reporting HIPAA violations by a nurse. He reported the violations to the hospital where the person worked, and complaints also sent to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI). Parker was also interviewed by Fox28Media in October 2018 and told reporters that the nurse had been violating HIPAA privacy laws for an extensive period.

The nurse worked at an unnamed hospital in Savannah, GA, which was part of a health system that also operated healthcare facilities in Nashville, TN and other areas. She was alleged to have emailed graphic photographs of patients with traumatic injuries such as gunshot wounds to other individuals outside the hospital. In the Fox28Media interview Parker explained that the sharing of images between employees and other individuals had been going on for a long time.

Parker requested that his identity remain hidden out of fear for his personal safety. He also claimed he had received threats as a result of reporting the HIPAA violations.

In additions to claiming the nurse had violated HIPAA, Parker set up email accounts using the names of real hospital employees. Those email accounts were used to send further reports of HIPAA violations to the hospital as well as the DoJ and the FBI to make it appear that the nurse’s co-workers were also reporting HIPAA violations.

The FBI responded quickly to the threats over his personal safety and interviewed Parker about the alleged crimes. An FBI agent found inconsistencies in Parker’s story and, upon further questioning, Parker admitted making false statements and creating the email addresses to support his story. According to the Fox28Media story, the nurse was a former lover of Parker.

“Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations,” said U.S. Attorney Bobby L. Christine. “This fake complaint caused a diversion of resources by federal investigators, as well as an unnecessary distraction for an important health care institution in our community.”

Parker was charged with one count of false statements by the U.S. Attorney for the Southern District of Georgia. Parker now faces up to five years imprisonment for the crime.

“Hopefully the quick uncovering of this alleged scheme by our investigators will send a message that these types of actions will be exposed, and justice will be served,” said Chris Hacker, Special Agent in Charge of FBI Atlanta.

The post Georgia Man Charged Over False Allegations of HIPAA Violations appeared first on HIPAA Journal.

Second Lawsuit Filed Against Kalispell Regional Healthcare Over Phishing Attack

A second lawsuit has been filed against Kalispell Regional Healthcare in Montana over a May 2019 phishing attack that saw the email accounts of some of its employees accessed by cybercriminals.

Kalispell Regional Healthcare learned about the breach on August 28, 2019. The investigation revealed the hackers gained access to employee email accounts on May 24, 2019 and potentially accessed patient information. A forensic investigation revealed the accounts contained the protected health information of as many as 140,209 patients.

According to Kalispell Regional Healthcare’s substitute breach notification on its website, the following information was compromised in the breach: Names, addresses, email addresses, telephone numbers, dates of service, treatment information, health insurance information, treating and referring physicians’ names, and medical bill account numbers. Kalispell Regional Healthcare said 250 or fewer patients had their Social Security number exposed. Patients affected by the breach were offered complimentary credit monitoring and identity theft protection services and steps have been taken to improve email security.

The first lawsuit was filed on November 25, 2019 in the Cascade County District Court in Great Falls, MT by attorney John Heenan on behalf of William Henderson, whose personal information was exposed in the breach. The lawsuit alleges the healthcare provider was negligent for failing to take appropriate steps to secure patient data and that industry best practices for securing patient data were not followed. Henderson claims he faces an increased risk of identity theft and fraud as a result of the breach, but it does not appear that his personal information has been misused at the time that the lawsuit was filed. The lawsuit alleges violations of the Montana Uniform Health Care Information Act.

The second lawsuit was filed on December 24, 2019 by attorney William Rossbach on behalf of two patients who were impacted by the breach. The lawsuit also claims Kalispell Regional Healthcare violated the Montana Uniform Health Care Information Act. One of the patients, Annette Nevidomsky, claims she was a victim of fraud and had unauthorized charges on her accounts in the wake of the breach.

Both attorneys are seeking class action status for their lawsuits.

The post Second Lawsuit Filed Against Kalispell Regional Healthcare Over Phishing Attack appeared first on HIPAA Journal.

Georgia Supreme Court Overturns Ruling on Athens Orthopedic Clinic Data Breach Lawsuit

A lawsuit filed against Athens Orthopedic Clinic over a June 2016 cyberattack by TheDarkOverlord has been revived by the Georgia Supreme Court.

The cyberattack in question involved the theft of patient data from the clinic. A ransom demand was issued and the hacking group claimed the data would be returned if the ransom was paid.  The clinic refused to pay the ransom and, in response, the hacking group claimed to have sold some of the data. Later, the hacking group published a portions of the stolen data on Pastebin, where it was downloaded by others.

Three victims of the data breach, Christine Collins, Paulette Moreland, and Kathryn Strickland, alleged that since their personal data had fallen into the hands of cybercriminals, was offered for sale on the dark net, and had been downloaded by some individuals, they were placed at risk of identity theft and other types of fraud. 

One of the plaintiffs, Christine Collins, alleged there were fraudulent charges made to her credit card shortly after the cyberattack and that she had to spend time getting those charges reversed. She also had to place fraud alerts on her credit file to prevent further harm.

The plaintiffs sought damages based on the costs they had incurred arranging credit monitoring and identity theft protection services – which were not offered by the clinic – attorneys fees, and also sought injunctive relief under the Georgia Uniform Deceptive Trade Practices Act.

The lawsuit was granted standing by the lower court, but Athens Orthopedic clinic filed a motion to dismiss, which was granted by the Court of Appeals. The Court of Appeals found the negligence claim was invalid, as the plaintiffs were attempting to recover damages for “an increased risk of harm.” This was considered speculative harm and did not constitute a cognizable injury under Georgia tort law.

The Supreme Court has now overturned that decision and has ruled that the plaintiffs had alleged sufficient harm for the case to survive a motion to dismiss.

“The plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is “imminent and substantial.” This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach. As this case comes before us on a motion to dismiss, we must accept this factual allegation as true,” wrote the Supreme Court in its ruling.

The Supreme Court determined the Court Of Appeals based its ruling on two other cases that were far different from the Athens Orthopedic Clinic cyberattack. In both of the cases there was no evidence to suggest that any stolen data had been obtained by cybercriminals, therefore there was no imminent and substantial risk of identity theft and fraud.

In the case of the Athens Orthopedic Clinic cyberattack, the plaintiffs’ data was stolen by a cybercriminal who threatened to sell the data, attempted to do so, and the data was downloaded by others. “At this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers.” Consequently, there is an “imminent and substantial risk” of identity theft and fraud. The Supreme Court ruled that “These allegations are sufficient to survive a motion to dismiss the plaintiffs’ negligence claims.”

The post Georgia Supreme Court Overturns Ruling on Athens Orthopedic Clinic Data Breach Lawsuit appeared first on HIPAA Journal.

Lawsuit Filed Against DCH Health System Over October Ransomware Attack

A lawsuit has been filed in the Western Division of U.S. District Court for the Northern District of Alabama against DCH Health System over a ransomware attack on October 1, 2019.

The ransomware attack on the 3-hospital health system forced it to take its systems offline for a period of 10 days while systems were rebuilt and data was recovered. During that time, some non-emergency appointments had to be cancelled and patients experienced delays receiving treatment and, in some cases, had to seek medical services from other medical facilities in the state.

It is the delay to treatment that has spurred the lawsuit. Four patients are named in the lawsuit and allege they have suffered harm as a result of the shutdown of its systems, which disrupted their daily lives and forced them to forego medical care and treatment or seek care and treatment from alternative facilities during the ten days when DCH Health System’s systems were offline.

One of the plaintiffs, who filed on behalf of her daughter, was told that the ransomware attack was causing delays in the emergency room and that she would be required to wait around 5 hours for her daughter to receive treatment for an allergic reaction that had caused severe swelling and forced her daughter’s eyes shut. If she was unable to wait, she was told that she could travel from Tuscaloosa to Birmingham to receive medical treatment or visit Walgreens. The patient claims that as a result of the delay receiving treatment it took 3 days before the swelling started to go down.

One patient who was staying at the hospital after surgery said that as a result of her medical records being inaccessible, she was unable to be prescribed medications during her stay. Another patient had gone to the emergency room and had x-rays taken a few days before the attack, but her orthopedic treatment was delayed as a result of the attack. The lawsuit also alleges that the plaintiffs’ protected health information was potentially compromised in the attack.

The plaintiffs claim that DCH Health System violated state laws and HIPAA and the failure to implement appropriate cybersecurity measures to safeguard its systems and data amounted to negligence. The lawsuit also alleges an invasion of privacy, breach of contract, and breach of fiduciary duty.

The post Lawsuit Filed Against DCH Health System Over October Ransomware Attack appeared first on HIPAA Journal.

Banner Health Agrees to Pay $6 Million to Settle Data Breach Lawsuit

In June 2016, Banner Health suffered a data breach in which the protected health information of 2.9 million individuals was allegedly stolen by hackers. In August 2016, a class action lawsuit was filed by victims of the breach. A settlement has now been reached and Banner Health has agreed to pay $6 million to breach victims to resolve the lawsuit, according to documents filed in the U.S. District Court of Arizona on December 5, 2019.

Plaintiffs alleged that the attack was financially motivated, and hackers gained access to systems containing patient information and exfiltrated the protected health information of approximately 2.9 million. The types of information stolen by the hackers included names, addresses, dates of birth, Social Security numbers, prescription information, medical histories and, for around 30,000 individuals, credit and debit card numbers. Individuals whose credit and debit card numbers were stolen had visited food and beverage outlets at Banner Health hospitals. Malware had been installed which exfiltrated card numbers when purchases were made. The hackers had access to Banner Health systems for approximately 2 weeks.

The lawsuit alleges Banner Health failed to implement appropriate safeguards to protect against cyberattacks, such as multi-factor authentication, firewalls, and data encryption.

The plaintiffs argued that the cyberattack on Banner Health placed them at “a significantly increased risk of suffering devastating and expensive financial and medical identity theft.” Some plaintiffs claimed to have suffered identity theft and fraud as a direct result of the data breach.

Under the terms of the settlement, plaintiffs will be able to submit reimbursement claims for expenses incurred as a result of the data breach. Claims will be accepted up to a maximum of $500 per person for standard expenses, and up to $10,000 for extraordinary expenses. Banner Health has placed an overall cap of $6 million on expenses claims.

Additionally, individuals affected by the breach have been offered an additional 2 years of credit monitoring and identity theft protection services. The plaintiffs have filed a motion for preliminary approval of the settlement.

The post Banner Health Agrees to Pay $6 Million to Settle Data Breach Lawsuit appeared first on HIPAA Journal.

Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach

Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients.

The compromised email accounts contained patient information such as names, contact information, medical bill account numbers, medical histories, and health insurance information. Approximately 250 individuals also had their Social Security number exposed.

The phishing attack occurred in May 2019, but it was not initially clear which, if any, patients had been affected. It took until August for forensic investigators to determine that patient information had potentially been compromised.

All affected patients were notified, and the health system offered 12 months of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been compromised.

One of the patients whose personal and health information was compromised has now taken legal action over the data breach. The lawsuit was filed in Cascade County District Court in Great Falls, MT on November 25 by attorney John Heenan. Heenan is seeking class action status for the lawsuit.

The lawsuit alleges Kalispell Regional Healthcare failed to take the necessary steps to keep patients’ personal and health information private and confidential, it did not abide by best practices and industry standards for securing patient data, and that the health system failed to notify patients about the breach in a timely manner. As a result of the alleged failures, it the lawsuit alleges patients have been placed at risk of identity theft and fraud.

It does not appear that Henderson’s personal and health information has been misused at the time the lawsuit was filed; however, he claims that he is at risk of identity theft and fraud, which could occur at any time now that his information is in the hands of hackers.

Patients cannot sue healthcare providers for damages under HIPAA as there is no private cause of action, but it is possible to take legal action in many states over healthcare data breaches, as is the case in Montana.

The Montana Uniform Health Care Information Act allows victims of healthcare data breaches to sue healthcare providers for violations of the Act. The lawsuit alleges Kalispell Regional Healthcare is in violation of the Act.

After it was learned that patient information had potentially been compromised, the health system issued notifications to affected patients and reported the breach local media outlets.  in the areas

Kalispell Regional Healthcare’s director of information technology, Melanie Swenson, explained that “This wasn’t your everyday, average hacker. They were very sophisticated at disguising their tracks.” She also explained that protecting the privacy of patients is a key priority for the health system and that email security solutions had been implemented prior to the attack to block spam and phishing emails. The security solutions were blocking around 50,000 inbound email threats each day. She also stated that CynergisTec had conducted an audit of the health system in 2018 and found it to be in the top 9% of healthcare industry organizations for cybersecurity compliance.

Since the attack, email security has been improved and the health system has increased training for employees to help them recognize phishing attacks and other email threats.

The post Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach appeared first on HIPAA Journal.

Solara Medical Supplies Sued Over 114,000-Record Data Breach

Solara Medical Supplies is facing legal action over a June 2019 data breach that saw the protected health information of more than 114,000 customers exposed and potentially stolen by an unauthorized individual who gained access to its email system.

Solara Medical Supplies, a supplier of medical devices and disposable medical products, discovered the breach on June 28, 2019. While initially believed to involve one email account, an investigation revealed several Office 365 email accounts had been compromised for a period of around 6 weeks, starting on April 2, 2019.

The types of information exposed as a result of the attack included names, addresses, birth dates, employee ID numbers, Social Security numbers, health insurance information, financial information, credit card/debit card numbers, passport details, state ID numbers, driver’s license numbers, password/PIN or account login information, claims data, billing information, and Medicare/Medicaid IDs.

Customers affected by the breach were notified in November and were offered complimentary credit monitoring and identity theft protection services; however, that was not enough to prevent legal action being taken over the exposure of customers’ sensitive information.

Multiple law firms are now seeking clients who have had their sensitive information exposed as a result of the phishing attack and one lawsuit has already been filed with the U.S District Court of the Southern District of California.

The plaintiff, Juan Maldonado, is a customer of Solara Medical Supplies who uses products supplied by the company to help manage his medical condition. The lawsuit states that the sensitive, personal information of Maldonado is now in the hands of cybercriminals which has placed him at considerable risk of identity theft and fraud and alleges Solara Medical Supplies was negligent for failing to protect the sensitive data of its customers.

While the lawsuit cites HIPAA, there is no private right of action under HIPAA so individuals affected by a data breach do not have the right to sue a HIPAA-covered entity for the exposure of their data or for any HIPAA violations that are believed to have occurred. Legal action can only be taken against covered entities by the HHS’ Office for Civil Rights and state attorneys general. The lawsuit alleges Solara Medical Supplies has violated state laws, including the California Consumer Privacy Act.

The lawsuit alleges Solara Medical Supplies did not have adequate computer systems and security practices in place to safeguard customers’ personal and medical information, did not have systems in place to allow data breaches to be detected promptly, and that the company failed to notify affected customers in a timely manner

It took more than 7 months from the date of the initial email account compromise for affected individuals to be notified, and more than 4 months after the breach was first detected. The lawsuit claims that Solara made no efforts during that time to warn customers about the risks they faced from the exposure of their data. During those four months, the lawsuit states that the attackers had ample opportunity to defraud its customers.

Solara found no evidence to suggest any data was stolen by the attackers and, at the time of issuing notifications, no reports had been received to indicate any customer information had been misused.

The lawsuit seeks class action status and appropriate monetary relief, injunctive relief, actual damages, punitive damages, attorneys’ fees, and payment for extended credit monitoring and identity theft protection services.

The lawsuit raises an important issue about breach notifications to individuals whose protected health information has been exposed or stolen. It is now common for HIPAA-covered entities to wait until they have completed the investigation of a breach before notifications are issued.

The HIPAA Breach Notification Rule states that notifications must be issued without undue delay and no later than 60 days after the discovery of a breach. Despite the HHS’ Office for Civil Rights having previously issued guidance on breach notifications, many covered entities are interpreting the notification requirement as 60 days from the date when they are informed by the forensics company they engaged to investigate the breach that patient information could have been accessed. That date can be several months after the breach was initially discovered.

Even then, notifications are often delayed further, with covered entities waiting up to 60 more days before notifications are sent to affected individuals. By taking this approach, covered entities are risking regulatory fines for unnecessary delaying breach notifications.

The post Solara Medical Supplies Sued Over 114,000-Record Data Breach appeared first on HIPAA Journal.

Exposure to Extreme Content at Work Sees Former Facebook Employees Sue for Psychological Injuries

Compensation is being sought by former Facebook content moderators who claim to have suffered psychological injuries as a direct result of the exposure to extreme online content at work.

Several employees have started legal action against Facebook, first in California and now in Ireland, where Facebook has its EMEA headquarters.

In September 2019, the Personal Injuries Assessment Board in Ireland gave the go-ahead for former employees to take their case against Facebook to the High Court. The legal action started on December 4, 2019 against Facebook and CPL Resources, one of the third-party companies Facebook uses to provide its content moderators. Former Facebook content moderator Chris Gray is named as lead plaintiff.

Facebook content moderators perform a vital job for the social media platform. The job involves viewing content that had been posted by Facebook users and determining whether the content should remain on the social network or be filtered out or deleted. Without their efforts, the social media platform would be awash with extreme content.

According to Facebook’s Community Standards Enforcement Report, in the first quarter of 2019 its content moderators removed 5.4 million posts that violated its standards on child sexual abuse and exploitation and 33.6 million posts were removed from the platform that depicted violent and graphic content. All of that content must be manually reviewed by an army of content moderators.

Facebook content moderators are often paid little more than minimum wage and working conditions are difficult. Many workers struggle with the job due to the pressure to meet targets and the relentless stream of extremely disturbing content they must moderate. Facebook maintains that its content moderators are provided with access to support services and wellness resources due to the nature of the job. The Facebook content moderators in Ireland are telling a different story and say they are not properly trained to deal with the content they see and they do not have the necessary support, such as access to counselors and mental health services, both on the job and after they leave.

Chris Gray claims his job involved repeated exposure to graphic and often violent content, which in many cases was extremely disturbing. Gray was employed by CPL Resources as a contractor for 10 months between 2017 and 2018 and claims he has suffered psychological injuries at work as a result of the relentless images and videos he was having to view on a daily basis. Gray was later diagnosed as suffering from PTSD.

Gray had to make decisions on extreme content and faced a barrage of highly distressing content every day. He was exposed to a wide range of extreme material, including stonings, stabbings, beatings, beheadings, child abuse videos, animal torture, and extreme sexual content, including bestiality and child porn.

For instance, he had to view people being shot at point blank range with machine guns, saw videos of the massacre of the Rohingya people in Myanmar, and the torture and abuse of migrants from Libya. The extreme content was relentless.

The viewing of such extreme content left Gray numb and desensitized and it started to have a major impact on his life. He found that his personal and political views were changing “in a slow creep,” he experienced extreme emotions from sensitivity to irritability to anger. He found he was becoming more and more aggressive and argumentative outside of work.

There was no release while asleep, as Gray found himself dreaming about some of the things he had seen at work. The situation became so bad that he could not discuss his concerns and struggles with his superiors at work in a reasonable, calm, and professional manner.

On top of the content he had to view, he faced extreme pressure at work to ensure content was correctly categorized. Facebook demanded a 98% accuracy rate. As Gray explained, that equated to just 4 misclassifications a month. The pressure from achieving that level of accuracy and the huge volume of content he was required to assess also affected his mental health and stress levels, often disrupting his sleep. He often found himself waking up frightened that he had made a mistake at work.

A spokesperson for Facebook said, “reviewing certain types of content can sometimes be difficult,” but maintained that all staff had been provided with extensive training and that all content moderators were given full-time support. Measures had also been implemented to limit exposure to graphic, extreme content as far as was possible. However, Gray claims he was not given adequate support or training.

He also claims that there is no screening process for employees to determine whether they are right for the job and if viewing such extreme content is likely to affect their mental well-being. He says there was also a lack of monitoring on the job to identify individuals who are struggling to cope with either the content or stress from the workload and working conditions.

Gray is not an isolated example. Sean Burke, another former Facebook content moderator, told Vice in an interview, “My first day on the job, I witnessed someone being beaten to death with a plank of wood with nails in it and repeatedly stabbed.” At least a dozen former Facebook content moderators are taking legal action against Facebook in Ireland.

This is the first case of its type to go before the European Court, but it is unlikely to be the last given the number of individuals employed to perform the job. Gray’s legal team say he is one of around 15,000 individuals who are employed as Facebook content moderators around the world through third party companies.

Many former Facebook content moderators are now speaking out about the poor working conditions, extreme pressure to reach targets, and the psychological effects of viewing extreme content day in, day out. Some of those employees have had to take antidepressants to help them cope, others speak of alcohol abuse to help them sleep and block out the images that plague them at night, and several have been diagnosed with PTSD.

One of the reasons why so few former employees have spoken out is because they have signed non-disclosure agreements. Violating the terms of the NDA could result in legal action and would make it difficult for them to find other work in the tech industry. Those NDAs are also placing the mental health of employees at risk, as they feel they cannot even talk about their work and problems with to friends and family and end up bearing the burden on their own.

Gray and other plaintiffs are seeking compensation for psychological distress, but they also want Facebook to take action to prevent others from suffering psychological injuries. They want to ensure that working conditions change, exposure to extreme content is limited, better support is provided and, given the nature of the job, greater care is taken selecting the right individuals for the job.

Gray’s legal team is attempting to get Facebook to provide data on the content employees have been exposed to and the volume of extreme content they had to moderate on a daily basis. If that information is disclosed, which is likely in Ireland, Facebook could well be forced to pay out a considerable amount of compensation to its content moderators. Another question that will need to be answered is who at Facebook knew that the job was causing post traumatic stress disorder and what, if anything, was being done to address the injuries in the workplace.

As more people speak out and the case receives wider press coverage, the number of individuals seeking social media content moderator compensation is expected to grow, not just in Ireland but throughout Europe. Gray’s legal team is already liaising with groups of content moderators in Barcelona and Berlin. They have also heard from former Facebook content moderators in Sweden who are interested in seeking compensation for psychological injuries sustained due to their work.

The post Exposure to Extreme Content at Work Sees Former Facebook Employees Sue for Psychological Injuries appeared first on HIPAA Journal.

Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge

Following a November 2016 cyberattack at Quest Diagnostics that resulted in an unauthorized individual accessing and stealing the personal information and medical test results of 34,000 individuals, a class action lawsuit was filed by the breach victims. Quest Diagnostics proposed a $195,000 settlement to resolve the case. The settlement has recently been approved by a U.S district court judge in New Jersey.

The types of information obtained by the hacker included names, phone numbers, dates of birth, and the results of medical tests, including HIV test results.

The lawsuit alleged Quest Diagnostics had violated New Jersey laws and had been negligent for failing to safeguard the sensitive health information of its clients, Quest Diagnostics had breached its contract with clients, and that the company failed to provide timely notifications to patients informing them about the hacking incident and theft of their data.

Quest Diagnostics maintains the claims are meritless, but the decision was taken to settle the lawsuit to avoid ongoing litigation and further legal costs. Under the terms of the settlement, all individuals who can demonstrate they have suffered monetary losses as a direct result of the breach will be entitled to claim $250. The payment is intended to compensate individuals for having to take action to secure their accounts and pay for credit monitoring and identity theft protection services.

Any individual whose HIV test results were included in the stolen data will be entitled to claim $75, in addition in the $250 if they have also suffered monetary losses.

Quest Diagnostics has also been named as a co-defendant in several lawsuits filed by victims of the data breach at American Medical Collection Agency (AMCA) earlier this year. The hacking of the AMCA payment portal enabled the attacker to steal the protected health information of more than 26 million individuals, 11,500,000 of whom had received medical tests at Quest Diagnostics and their PHI had been passed to AMCA for collection.

The post Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge appeared first on HIPAA Journal.