Legal News

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000.

Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital.

In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients.

In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information.

Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed patients’ ePHI over the internet. Patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information could all be accessed without a username or password.

OCR investigated the breaches and Cottage Health’s HIPAA compliance efforts. OCR determined that Cottage Health had failed to conduct a comprehensive, organization-wide risk analysis to determine risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(l)(ii)(A).

Risks and vulnerabilities had not been reduced to a reasonable and acceptable level, as required by 45 C.F.R. § 164.308(a)(l )(ii)(B).

Periodic technical and non-technical evaluations following environmental or operational changes had not been conducted, which violated 45 C.F.R. § 164.308(a)(8).

OCR also discovered Cottage Health had not entered into a HIPAA-complaint business associate agreement (BAA) with a contractor that maintained ePHI: A violation of 45 C.F.R. § 164.308(b) and 164.502(e).

In addition to the financial penalty, Cottage Health has agreed to adopt a 3-year Corrective Action Plan (CAP). The CAP requires Cottage Health to conduct a comprehensive, organization-wide risk analysis to determine all risks to the confidentiality, integrity, and availability of ePHI. Cottage Health must also develop and implement a risk management plan to address all security risks and vulnerabilities identified during the risk analysis. The risk analysis must be reviewed annually and following any environmental or operational changes. A process for evaluating environmental or operational changes must also be implemented.

Cottage Health must also develop, implement, and distribute written policies and procedures covering the HIPAA Privacy and Security Rules and must train all staff on the new policies and procedures. Cottage Health must also report to OCR annually on the status of its CAP for the following three years.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino. “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”

A Record Year for HIPAA Fines and Settlements

It has been a busy year of HIPAA enforcement for OCR. In 2018, 10 settlements have been agreed with HIPAA-covered entities and business associates in response to violations of HIPAA Rules and one civil monetary penalty has been issued. The 11 financial penalties totaled $28,683,400, which exceeded the previous record of $23,505,300 set in 2016 by 22%.

2018 also saw OCR agree the largest ever HIPAA settlement in history. Anthem Inc., settled alleged violations of HIPAA Rules for $16,000,000. The settlement was almost three times larger than the previous record – The $5.5 million settlement with Advocate Health Care Network in 2016.

Further Information: 2018 HIPAA Fines and Settlements

The post OCR Settles Cottage Health HIPAA Violation Case for $3 Million appeared first on HIPAA Journal.

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI.

Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S.

In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China.

An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers.

At the time it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights and still ranks as one of the top six healthcare data breaches of all time.

Following the breach, many lawsuits were filed by patients seeking compensation for the theft of their personal information. The lawsuits were consolidated into a single lawsuit, which survived attempts by CHS to have the case dismissed. A settlement has now been reached to resolve the lawsuit.

The settlement specifies two different payments for breach victims. Individuals who can prove they have incurred out-of-pocket expenses as a result of the breach and/or can show evidence of time lost securing their accounts, can claim up to $250 in compensation. Individuals who have suffered identity theft or fraud as a result of the breach can recover up to $5,000 in losses.

Legal fees totaling $900,000 have also been covered by the settlement agreement along with a payment of $3,500 for each representative class member.

In order to qualify for payment, a compensation claim must be submitted by August 1, 2019. Individuals who do not want to be included in the settlement and those who wish to file an objection, have until May 18 to notify CHS.

The settlement must still be assessed for fairness and approved by a judge. A hearing has been scheduled for August 13, 2019.

The post Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case appeared first on HIPAA Journal.

Legal Action Over Illinois Biometric Information Privacy Act Violations Possible Without Actual Harm

The Illinois Supreme Court has ruled that individuals whose privacy has been violated through a breach of the Illinois Biometric Information Privacy Act can take legal action against a private entity, even if the violation of BIPA has not resulted in actual harm.

The Illinois Biometric Information Privacy Act, enacted in 2008, requires private entities to inform a person in writing that their biometric information will be collected or stored. The purpose for the collection or storage of that data and the length of time the information will be retained must also be explained. The entity must also obtain written authorization from an individual or that individual’s legal representative before biometric data can be collected or stored.

Biometric data includes fingerprints, voiceprints, hand scans, iris scans, and other biometric means of identifying a person.

In contrast to HIPAA, which has no private cause of action, individuals can sue companies for Illinois Biometric Information Privacy Act (BIPA) violations. Illinois is unique in that respect. Other states such as Texas and Washington have similar laws, but in those states, there is no private cause of action. Further, according to a ruling by the Illinois Supreme Court on January 25, 2019, legal action can be taken without an allegation of actual injury or an adverse event as a result of the violation.

Plaintiff Stacy Rosenbach took legal action against Six Flags Entertainment Corp., following a visit to a Six Flags amusement park by her 14-year-old son. He was required to provide his fingerprint to access the amusement park. Nether Stacy Rosenbach nor her son were informed in writing about the reason for collecting her son’s fingerprint or the length of time it would be stored. Written authorization to collect the fingerprint was also not obtained by Six Flags.

The plaintiff did not allege harm in the case, which was filed solely over the violation of BIPA. Six Flags sought to have the case dismissed for lack of standing as the plaintiff had not suffered actual harm or threatened injury. The circuit court denied the motion to dismiss, that decision was reversed by the court of appeal, and the Supreme Court reversed the court of appeal’s decision.

The court’s held that a technical violation of BIPA is, in itself, sufficient to support an individual’s statutory cause of action. No proof of an actual injury or damage as a result of the BIPA violation is required and consumer’s need not wait until they have suffered harm as a result of the violation to take legal action.

If it can be established and proven that a violation of BIPA has occurred due to negligence, individuals could receive up to $1,000 for each violation. In cases of reckless or intentional violations of BIPA, up to $5,000 could be received per violation.

According to the ruling, ensuring compliance with BIPA is not difficult and the costs of compliance are likely to be insignificant compared to the substantial and irreversible harm that could be caused to consumers if their biometric identifiers are not appropriately safeguarded and kept private and confidential.

The post Legal Action Over Illinois Biometric Information Privacy Act Violations Possible Without Actual Harm appeared first on HIPAA Journal.

Aetna Settles HIV Status Breach Case with California AG for $935,000

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy violation that exposed state residents’ HIV status.

On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates.  Approximately 12,000 individuals were sent letter, 1,991 of whom lived in California.

The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution.

In addition to the financial penalty, the settlement agreement requires Aetna to designate an employee to implement and maintain its mailing program, oversee compliance with state and federal laws, and the management of external vendors to ensure they handle medical data in compliance with state and federal laws and Aetna’s policies and procedures. Aetna is also required to complete an annual privacy risk assessment to evaluate compliance with the terms of the settlement for the next three years.

“A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry,” said Attorney General Bercerra. “Aetna violated the public’s trust by revealing patients’ private and personal medical information.”

The privacy violation has proven expensive for Aetna. In January 2018, Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200. Also in January, Aetna agreed to pay the New York Attorney General $1,150,000 to settle its case and resolve alleged HIPAA violations and breaches of state law.

A further $640,170.59 was paid to settle a multi-state action by Attorneys General in New Jersey, Connecticut, Washington, and the District of Columbia. The latest settlement brings the total financial penalties issued to date in relation to the breach to $2,725,170.59.

The post Aetna Settles HIV Status Breach Case with California AG for $935,000 appeared first on HIPAA Journal.

Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data

The Oregon Health Information Property Act proposes patients should be allowed to give authorization to their healthcare providers to sell on their health data and to receive payment in exchange for allowing their data to be used by third parties.

Currently, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered entities are only permitted to use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. While there are some exceptions, other uses and disclosures are prohibited unless consent is first obtained from patients.

The HIPAA Privacy Rule covers PHI, which is identifiable patient information. If PHI is stripped of information that allow an individual to be identified, it is no longer considered PHI and is no longer subject to Privacy Rule controls. That means that if a HIPAA-covered entity de-identifies PHI, they can then sell that information on for profit. That information can be valuable to research organizations and other entities.

Senate Bill 703, dubbed the Oregon Health Information Property Act, is sponsored by Senator Floyd Prozanski (D-Eugene) and has the support of than 40 co-sponsors. Essentially, the bill would see consumers health information treated in a similar way to property and would allow them to profit from its sale.

The Oregon Health Information Property Act

The Oregon Health Information Property Act has three main components:

  1. It would require HIPAA-covered entities and their business associates and subcontractors to obtain a signed authorization from consumers before they de-identify PHI to sell on to third parties.
  2. Consumers could choose if they want to receive payment in exchange for giving authorization to allow their health data to be sold.
  3. The bill also prevents consumers from being discriminated against for refusing to sign an authorization or choosing to receive payment.

HIPAA-covered entities are able to profit from selling de-identified data so it is argued that patients should receive a cut of the payment; however, despite having attracted considerable support, concern has been voiced about the impact of these authorizations.

The bill, in its current form, does not place any limitations on the uses of health data once authorization has been provided. Information could therefore be used for a wide range of purposes once authorization has been given – Reasons that may not necessarily be listed on the authorization form.

The bill also makes no distinction between an individual’s protected health information, health information or de-identified data. By signing a form to receive a small payment, consumers would be relinquishing their privacy and important protections afforded by HIPAA, which could have various unintended repercussions.

The post Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data appeared first on HIPAA Journal.

State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents

The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims.

Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents.

The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows there were 1,057 data breaches affecting state residents in 2018. Those breaches impacted 1.9 million state residents. While there was a 63% decrease in individuals affected by data breaches from 2017, the number of breaches increased 3.4% year over year.

The proposed update to the definition of a data breach remains unchanged from the 2018 version of the bill and defines a breach as “Any incident of unauthorized access to or acquisition of someone’s personal information that may harm the person.” As such, the new definition broadens the definition to include ransomware attacks.

Ransomware is typically used only to extort money from victims. However, in recent months there has been a growing trend of combining ransomware with other malware variants such as information stealers, making data theft more likely. Regardless of the nature of the ransomware attack, the bill requires notifications to be issued to allow state residents to make an informed decision about the actions that need to be taken to reduce the risk of harm.

The bill also requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices, which must be appropriate to the nature of information collected and maintained. Of note to HIPAA-covered entities, the definition of personal information has been expanded to include medical information, genetic information, and insurance account numbers.

The 2018 version of the bill called for breach notifications to be issued within 15 days of the discovery of a breach. The latest incarnation has seen the timescale for issuing notifications changed to within 30 days of discovery of a breach.

Any business that experiences a data breach that is found to have failed to implement appropriate security measures or fails to issue notifications within the 30-day deadline will be in violation of the Unfair and Deceptive Trade Practices Act, and could be issued with a civil monetary penalty.

If the legislation is passed, state residents will be allowed to place a credit freeze on their credit reports free of charge. Credit agencies will be required to put in place “A simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies, without the person having to take any additional action.”

Companies doing business in the state of North Carolina will be required to provide breach victims with 2 years of free credit monitoring services in the event of a breach of Social Security numbers, and four years of free credit monitoring services for breaches at credit agencies.

Any business that wants to access or use a person’s credit report or credit score will be required to obtain consent from the person in advance and must explain why access to the information is required. State residents will also be given the right to submit a request to a consumer reporting agency for a list of all information the agency maintains, including credit and non-credit related information, and a list of all entities to which that information has been disclosed.

The post State AG Proposes Tougher Data Breach Notification Laws in North Carolina appeared first on HIPAA Journal.

Physician Receives Probation for Criminal HIPAA Violation

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation rather than a jail term and fine for the wrongful disclosure of patients’ PHI to a pharmaceutical firm.

The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion.

In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug.

Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability.

The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules for allowing a sales representative of Aegerion to access the confidential health information of patients without first obtaining patient consent. The sales rep was allowed to view the information of patients who had not been diagnosed with a medical condition that could be treated with Juxtapid (lomitapide) in order to identify new potential candidates for the drug.

This is the second such criminal HIPAA violation case in Massachusetts in the past four months to result in probation rather than a jail term or fine. In September, Massachusetts gynecologist Rita Luthra was given 1 year of probation over payments received by a pharmaceutical firm (Warner Chilcott) for providing sales reps with access to the individually identifiable health information of patients for financial gain. While prosecutors were pushing for a fine and a jail term to act as a deterrent, Judge Mastroianni explained in his ruling, “Her loss of license and ability to practice is a substantial deterrent.”

While probation was received in both of these cases, a substantial fine, jail term, and loss of license are real possibilities for physicians found to have criminally violated HIPAA Rules. Both physicians could have received a fine of up to $50,000 for the violations and up to one year in jail.

The post Physician Receives Probation for Criminal HIPAA Violation appeared first on HIPAA Journal.

New Massachusetts Data Breach Notification Law Enacted

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019.

The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications.

Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name.

  • Social Security number
  • Driver’s license number
  • State issued ID card number
  • Financial account number, or credit/ debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

As with the previous law, there is no set timescale for issuing breach notifications. They must be issued “as soon as is practicable and without unreasonable delay,” after it has been established that a breach of personal information has occurred.

That said, one change to the timescale for issuing breach notifications is individuals and companies that have experienced a data breach can no longer wait until the total number of individuals impacted by the breach has been determined. The legislation states “In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”

One notable update to Massachusetts data breach notification law is the requirement to offer breach victims complimentary credit monitoring services, as is the case in Connecticut and Delaware. The minimum term for complimentary credit monitoring services is 18 months or, in the case of a consumer reporting agency, a minimum of 42 months.

Notifications are required to be issued to all individuals impacted by the breach, the Office of Consumer Affairs and Business Regulation, and the Massachusetts Attorney General’s Office.

The Office of Consumer Affairs and Business Regulation and the Attorney General’s Office must be provided with a detailed description of the nature and circumstances of the breach, the number of Massachusetts residents affected, the steps that have been taken relative to the security breach, steps that will be taken in the future in response to the breach, and whether law enforcement is investigating the breach. If the breach has been experienced by a parent company or affiliated organization, the name of that company must be detailed in the notification.

The post New Massachusetts Data Breach Notification Law Enacted appeared first on HIPAA Journal.

10 Year Jail Term for Boston Children’s Hospital Hacker

The hacker behind a Distributed Denial of Service (DDoS) attack on Boston Children’s Hospital in 2014 has been handed a jail term of 10 years and must pay $443,000 in restitution.

Martin Gottesfeld, 34, of Somerville, MA, launched attacks on the Framingham, MA, Wayside Youth and Family Support Network and Boston Children’s Hospital in 2014 as a protest over the handling of a case of suspected child abuse.

In 2013, teenager Justina Pelletier was admitted to Boston Children’s Hospital after a physician at Tufts Medical Center recommended she was transferred in order for her to see her longtime gastroenterologist. Justina suffered from mitochondrial disease; however, Boston Children’s Hospital believed Justina’s condition was psychological rather than physical.

Justina’s parents tried to get their daughter transferred back to Tufts Medical Center but the hospital believed the actions of the parents and interference in their daughter’s care amounted to medical abuse. In the subsequent custody case, the parents lost custody of their daughter to the state of Massachusetts. Justina spent the following 16 months in state custody.

Gottesfeld took issue with the treatment of Justina. Operating as a hacker under the banner of the hacking group Anonymous, Gottesfeld launched DDoS attacks on the medical facilities. An attack was launched on the Wayside Youth and Family Support Network in March 2014, where Justina was a resident after her discharge from hospital. In April 2014, Gottesfeld attacked Boston Children’s Hospital. The attack caused significant disruption to day-to-day operations at the hospital over a period of two weeks.

According to the Department of Justice, “[Gottesfeld] unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he not only knocked Boston Children’s Hospital off the internet, but knocked several other hospitals in the Longwood Medical Area off the internet as well.”

Prosecutors claim the attacks not only caused disruption to patient care at Boston Children’s Hospital, but also hampered its research capabilities, disrupted communications with other healthcare facilities, and resulted in a loss of around $300,000 in donations while its fundraising portal was disabled. The Wayside Youth and Family Support Network spent around $18,000 mitigating and responding to the DDoS attacks.

Gottesfeld was suspected of being behind the DDoS attacks and in October 2014, the FBI executed a warrant and seized Gottesfeld’s computer and hard drives. Gottesfeld was not charged at the time, but with charges pending, fled the country with his wife in February 2016. The pair got into trouble in a small boat off the coast of Cuba and sent out a distress signal. They were picked up by a passing Disney cruise ship and Gottesfeld was arrested by the FBI when the ship made port in Miami.

In August 2018, Gottesfeld was charged with two counts of conspiracy and two counts of causing damage to protected computers and was recently sentenced in Boston. Gottesfeld claimed he had no regrets over the attacks and said “I wish I could have done more.”

Assistant U.S. Attorney David D’Addio claimed the attacks put children’s lives at risk and suspected Gottesfeld would commit further attacks in the future when released from prison. “It is terrifying to contemplate what he will do with the next cause he adopts,” said D’Addio.

U.S. District Judge Nathaniel Gorton said Gottesfeld’s crimes were “contemptible, invidious and loathsome,” and warranted a long custodial sentence.

Gottesfeld, who has been in custody since February 2016, is planning to appeal.

The post 10 Year Jail Term for Boston Children’s Hospital Hacker appeared first on HIPAA Journal.