Legal News

ACLU Expands Class Action Lawsuit Against RIPTA and UnitedHealthcare New England

The American Civil Liberties Union of Rhode Island (ACLU of RI) has amended its complaint against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) in their pending class action lawsuit over an August 2021 data breach. RIPTA is a state agency that operates the public bus service in Rhode Island. In August 2021, an unauthorized third party gained access to its computer systems and stole files that contained sensitive employee information, including names, Social Security numbers, and other personal and health data.

RIPTA issued notifications to all affected individuals – approximately 22,000 – 4 months after the data breach; however, many individuals received notification letters who had no connection to RIPTA. It was later explained that the information of approximately 5,000 RIPTA employees was compromised, along with the data of 17,000 non-RIPTA employees. RIPTA held the data of 17,000 employees of other state agencies after the information was mistakenly sent to RIPTA by UHC.

ACLU of RI filed a lawsuit against RIPTA and UHC over the data breach, which initially named two plaintiffs: a University of Rhode Island employee and a retired RIPTA employee, both of whom had been affected by the breach. The plaintiffs represented a class of more than 20,000 individuals. The lawsuit alleges RIPTA and UHC were negligent in failing to properly maintain, protect, purge, and safely destroy data, in violation of two Rhode Island laws. Further, the notification letters did not contain sufficient information about the breach, RIPTA falsely stated on its website that only beneficiaries of its health plan had been affected, and it took 138 days after the discovery of the breach to issue notifications, in violation of state law, which requires data breach notifications to be issued within 45 days.

The lawsuit alleges the plaintiffs and class members face an ongoing risk of fraud and identity theft, which requires them to continually monitor their financial accounts, future financial footprints, credit profiles, and identities. After the data breach, one of the plaintiffs experienced fraudulent use of her credit cards and unauthorized bank account withdrawals. The amended complaint adds a further eleven plaintiffs to the lawsuit as class representatives and details the harm that has been caused by the breach, which for some individuals includes losses of thousands of dollars. Some of the stolen data has also been discovered on the dark web. The amended complaint also includes details of the testimonies of RIPTA employees from a January 2022 hearing – which UHC representatives failed to attend – confirming encryption was not employed until after the data breach, and that the data breach also included Medicare ID numbers, providers’ names and dates of service. Despite the data breach occurring more than 18 months ago, it is still unclear why UHC provided RIPTA with the data of non-RIPTA employees or why it took so long for notification letters to be issued.

The lawsuit seeks compensatory and punitive damages, attorneys’ fees, 10 years of credit monitoring services, and a court order requiring the defendants to implement a comprehensive information security program.

The post ACLU Expands Class Action Lawsuit Against RIPTA and UnitedHealthcare New England appeared first on HIPAA Journal.

Advent Health Partners Proposes $500,000 Settlement to Resolve Class Action Data Breach Lawsuit

The Nashville, TN-based health system, Advent Health Partners, has proposed a $500,000 settlement to resolve claims related to a September 2021 data breach involving the protected health information of 61,072 patients.

Advent Health Partners detected a breach of its email environment in early September 2021. The investigation confirmed hackers had access to, and potentially stole, the protected health information of patients such as names, Social Security numbers, driver’s license information, dates of birth, health insurance, medical treatment information, and financial account information. Affected individuals were notified about the breach in March 2022, and were offered credit monitoring services for 12 months.

A lawsuit – McHenry v. Advent Health Partners, Inc. – was filed in the U.S. District Court for the Middle District of Tennessee against Advent Health Partners over the breach. The lawsuit alleged the health system failed to implement reasonable and appropriate cybersecurity measures, despite being aware of the high risk of phishing attacks on healthcare providers. The lawsuit also took issue with the length of time taken to notify affected individuals. The breach was detected in early September 2021, yet Advent Health Partners did not announce the breach on its website until February 2022, and notifications were sent in March 2022, 6 months after the breach was detected. The lawsuit also alleges the notifications were ‘woefully deficient’ and lacked even basic details about the data breach, and that the 12 months of credit monitoring services were insufficient.

The lawsuit alleges the failure to protect patient data and the delay in issuing notifications violated Tennessee law. The lawsuit also claims the health system failed to comply with the federal standards of HIPAA and had not followed FTC guidelines for protecting sensitive data. The lawsuit alleged negligence, breach of third-party beneficiary contract, and unjust enrichment.

Advent Health Partners chose to settle the lawsuit to avoid further legal costs and has admitted no wrongdoing. Under the terms of the settlement, a $500,000 fund will be created to cover claims and legal costs. Claims may be submitted for reimbursement of ordinary expenses up to $750 per class member, which can include documented losses such as out-of-pocket expenses, fees for credit reports and credit monitoring between September 1, 2021, and April 20, 2023, and up to four hours of lost time at $18 per hour. Claims may also be submitted up to a maximum of $5,000 per class member for reimbursement of extraordinary losses that have not already been reimbursed, such as losses to identity theft and fraud. Class members will also be provided with 3 years of credit monitoring services.

The deadline for objection to or exclusion from the settlement is March 21, 2023. Claims must be submitted by April 20, 2023, and the final approval hearing has been scheduled for April 14, 2023.


Louisiana Health Systems Sued for Pixel-Related Disclosures of Patient Information

Two Louisiana health systems are being sued over the use of pixels on their websites, which allegedly captured and impermissibly disclosed patient data to third parties such as Facebook and Instagram. New Orleans-based LCMC Health System operates 9 hospitals in Southern Louisiana and Shreveport-based Willis-Knighton Health System operates 5 hospitals in Northwestern Louisiana. Both health systems are named as defendants in a lawsuit recently filed by law firm Herman Herman & Katz on behalf of plaintiff John Doe and similarly situated individuals.

The lawsuit alleges the health systems added Meta Pixel code to their websites, which allows the sensitive personal and protected health information of website users to be captured. The code is typically used for tracking user activity on websites to improve website performance and the user experience; however, the tracking code also transmits data to Meta, and that information is potentially made available to third parties for advertising purposes on its Facebook and Instagram social media platforms.

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently confirmed that the use of tracking technologies on websites without a business associate agreement or patient authorization violates HIPAA. Many health systems have used Meta Pixel code and other tracking technologies on their websites and web apps, and some of them have since reported the impermissible disclosures to OCR, as required under the HIPAA Breach Notification Rule. At the time of writing, neither health system has reported such a breach to OCR.

The lawsuit alleges the health systems failed to obtain authorization from website users before adding the code, and that the privacy violation has most likely persisted for several years. The lawsuit claims the code transmitted the sensitive data of hundreds of thousands of individuals without the knowledge of website users and that the information may have been used to serve targeted advertisements related to the medical conditions disclosed via the websites, such as when entering information to schedule appointments.

While OCR has confirmed that such disclosures are HIPAA violations, there is no private cause of action in HIPAA, so patients cannot sue for HIPAA violations. The lawsuit does not reference HIPAA; instead, it says the disclosures violate Louisiana law, which generally prohibits the sharing of personal health information with third parties without consent. The lawsuit claims the use of these technologies without consent is a gross violation of privacy and calls for the health systems to stop using the tracking technologies, for any profit from the transfer of data to be paid to victims, and for an award of damages. Both health systems have confirmed they are aware of the lawsuit, plan to vigorously defend against the plaintiffs’ claims, and are deeply committed to protecting patient privacy.


Electromed Proposes $825,000 Class Action Data Breach Settlement

The medical device manufacturer Electromed has proposed an $850,000 settlement to resolve claims related to a June 2021 ransomware attack and data breach involving the protected health information of 47,200 individuals. The attack was detected and blocked by Electromed on June 16, 2021, and the forensic investigation confirmed that files were accessed – and potentially stolen – that included customers’ first and last names, mailing addresses, medical information, and health insurance information. Associates affected by the breach had their Social Security numbers, driver’s license numbers, and financial account information exposed. Affected individuals were notified about the ransomware attack in August and were offered complimentary credit monitoring and identity theft protection services.

A lawsuit – Lutz, et al. v. Electromed Inc. – was filed against Electromed that alleged a failure to implement reasonable and appropriate cybersecurity measures to protect customers’ data, despite being aware of the risk of ransomware attacks. Electromed has not admitted any wrongdoing and chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. The settlement will see an $850,000 fund established to cover claims for reimbursement of losses traceable to the data breach. Class members can submit claims for up to $250 for the reimbursement of ordinary expenses, which include bank fees, communication charges, and up to 4 hours of lost time at $25 per hour. Claims may be submitted for reimbursement of documented, unreimbursed extraordinary losses due to identity theft and fraud, up to a maximum of $5,000.

In addition to any claims, class members are entitled to receive a cash payment of $30, and residents of California at the time of the data breach are entitled to claim a cash payment of $100. Claims and cash payments will be paid pro rata if the settlement total is reached. The deadline for objection to and exclusion from the settlement is March 2, 2023. Claims must be submitted by April 1, 2023, and the final approval hearing for the settlement has been scheduled for June 5, 2023.


UMass Memorial Health Proposes $1.2 Million Settlement to Resolve Data Breach Lawsuit

UMass Memorial Health has proposed a $1.2 million settlement to resolve a class action lawsuit that was filed on behalf of individuals affected by its 2020 hacking incident and data breach.

Hackers gained access to UMass Memorial Health’s email environment between June 24, 2020 and January 7, 2021, as a result of responses to phishing emails. The compromised email accounts contained patient names, medical record numbers, driver’s license numbers, financial account information, Social Security numbers, health insurance information, and clinical or treatment information.

Notification letters were sent to affected individuals in October 2021 and complimentary credit monitoring and identity theft protection services were offered to individuals whose Social Security numbers were exposed. The breach affected almost 3,000 Massachusetts residents and was reported to the HHS’ Office for Civil Rights as affecting 209,048 individuals.

The lawsuit, Kesner, et al. v. UMass Memorial Health Care Inc., alleged UMass Memorial Health failed to implement appropriate safeguards to protect patient data and did not issue timely notifications. UMass Memorial Health chose to settle the lawsuit to prevent further legal costs and avoid the uncertainty of trial. UMass Memorial Health has not admitted to any wrongdoing.

Under the terms of the settlement, class members are entitled to submit claims for reimbursement of ordinary expenses up to $150, which include bank fees, communications charges, and up to three hours of lost time at $25 per hour. Claims may also be submitted for extraordinary losses up to a maximum of $5,000, which can include documented, unreimbursed losses to fraud and identity theft. Class members will also be provided with two years of credit monitoring services. Class members not wishing to take advantage of the benefits will be able to receive a cash payment of $40 in lieu of those benefits.

The deadline for objection to the settlement is March 15, 2023. Claims for the benefits or cash payment must be submitted by April 14, 2023. The final approval hearing is scheduled for May 23, 2023.


Another Lawsuit Filed Against Connexin Software Over 2.2 Million-Record Data Breach

Another lawsuit has been filed against Connexin Software over its August 2022 ransomware attack and data breach, which affected more than 2.2 million individuals. Connexin Software does business as Office Practicum and is a provider of electronic medical records and practice management software for pediatric practices. On August 26, 2022, Connexin discovered hackers had gained access to its systems and used ransomware to encrypt files. The forensic investigation confirmed the threat actor behind the attack exfiltrated files containing protected health information. Those files contained information such as names, parents’ and guardians’ names, addresses, email addresses, dates of birth, Social Security numbers, health insurance information, medical and/or treatment information, and billing and claims information. Connexin Software reported the data breach to the HHS’ Office for Civil Rights as affecting up to 2,216,365 individuals. A total of 199 healthcare insurance companies and service providers are known to have been affected by the incident.

The lawsuit, Green v. Connexin Software, Inc., was filed in the U.S. District Court of the Eastern District of Pennsylvania on behalf of plaintiff Amiyah Green and similarly situated individuals. The lawsuit alleges that, as a HIPAA-regulated entity, Connexin is required to implement safeguards to ensure the privacy of protected health information and prevent unauthorized access, yet failed to implement reasonable and appropriate cybersecurity measures such as data encryption.

The lawsuit also alleges a violation of the HIPAA Breach Notification Rule, which requires notifications to be issued within 60 days of the discovery of a data breach. The breach was detected on August 26, 2022, yet notifications were not sent to affected individuals until November 2022, which meant the plaintiff and class members did not know that their sensitive information was at risk, so they were unaware that they should take action to mitigate harm. The lawsuit also alleges that insufficient information was included in the notifications, such as the means and mechanism of the breach, and other important information such as how Connexin planned to prevent further incidents of this nature.

Connexin offered affected individuals a 12-month membership to an identity theft protection service; however, the lawsuit claims this is inadequate, as the plaintiff and class members will be required to pay for identity theft protection for years to come to ensure their personal and protected health information is not misused. The lawsuit claims the plaintiff and class members now face a substantial risk of being targeted in future phishing, data intrusion, and other illegal schemes, will incur out-of-pocket expenses protecting themselves against identity theft and fraud, and have or will suffer actual injury as a direct result of the data breach.

The lawsuit alleges negligence, negligence per se, and unjust enrichment, and seeks a jury trial, an award of appropriate monetary relief – including actual damages, statutory damages, punitive damages, restitution, and disgorgement – and equitable, injunctive, and declaratory relief, including the requirement for Connexin to adopt and implement data security best practices to safeguard private information and an extension of the identity theft and credit monitoring services.


$3 Million Settlement Proposed to Resolve 20/20 Eye Care Network Data Breach Lawsuit

iCare Acquisitions has proposed a $3 million settlement to resolve claims from individuals affected by a 2021 data breach that affected almost 3.3 million 20/20 Eye Care Network and 20/20 Hearing Care Network health plan members.

A security breach was detected in January 2021, when suspicious activity was identified in the company’s AWS cloud storage environment. The forensic investigation confirmed that AWS S3 storage buckets were accessed by the attackers, the contents of those buckets were downloaded, and the data in the buckets were then deleted. The environment contained the protected health information of health plan members, including names, Social Security numbers, dates of birth, member ID numbers, and health insurance information.

The nature of the attack meant it was not possible to determine which individuals had been affected and the extent to which data were stolen, so notification letters were sent to the 3,253,822 individuals potentially affected by the breach. Notifications were sent to affected individuals in May 2021 and complimentary credit monitoring and identity theft protection services were offered. The breach was attributed to insider wrongdoing, which left plan members’ data exposed over the Internet.

A lawsuit – Desue, et al. v. 20/20 Eye Care Network Inc., et al. – was filed in the U.S. District Court for the Southern District of Florida against 20/20 Eye Care Network and iCare Acquisitions that alleged the data breach occurred as a result of the defendants’ failure to implement reasonable and appropriate cybersecurity measures. The lawsuit alleged a failure to comply with their obligations under HIPAA and a failure to adhere to industry standard cybersecurity best practices. The lawsuit also took issue with the length of time it took to issue notifications to affected individuals, which were sent more than 3 months after the data breach was discovered.

The plaintiff claims that shortly after being notified about the data breach her credit card was used to make fraudulent purchases over the Internet, she experienced a significant increase in voice phishing calls, and her mail was diverted to a different address.

iCare Acquisitions and the 20/20 Eye Care Network admitted no wrongdoing and accept no liability for the data breach. The settlement was proposed to avoid ongoing legal costs and the uncertainty of trial. Under the terms of the settlement, a fund of $3,000,000 will be created to cover claims from individuals affected by the data breach.

Claims will be paid after legal fees have been deducted from the settlement amount and may be paid pro rata depending on the number of claims received. Class members are entitled to submit claims of up to $2,500 to recover out-of-pocket losses, including up to 10 hours of lost time at $25 per hour. Individuals who suffered documented losses to identity theft and fraud that have not already been reimbursed will be entitled to claim for those losses up to a maximum of $5,000, subject to an aggregate maximum of $600,000. A 36-month credit monitoring service will also be provided, or alternatively a cash payment can be claimed in lieu of those services.

The deadline for objecting to or exclusion from the settlement is April 3, 2023. Claims must be submitted by May 1, 2023. The final approval hearing has been scheduled for June 22, 2023.


Cedars-Sinai Medical Center Sued for Website Tracking Technology Privacy Violations

A lawsuit has been filed against Cedars-Sinai Medical Center alleging impermissible disclosures of patient data to Google, Meta, and other third parties due to the use of website tracking technologies without either a business associate agreement with the code providers or authorizations from patients. In the summer of 2022, an investigation into the use of these technologies revealed almost one-third of the top 100 hospitals in the United States had used pixels and other tracking code on their websites that were capable of collecting and transmitting sensitive data to the providers of that code. The Cedars-Sinai lawsuit is one of dozens filed against healthcare providers and other health-related companies in the past year over the use of tracking technologies on websites and mobile apps without user consent.

The widespread use of tracking technologies prompted the HHS’ Office for Civil Rights to issue guidance in December 2022 on the use of these technologies. The guidance confirmed that any tracking technologies that are capable of touching information protected by HIPAA can only be used if a valid, HIPAA-compliant business associate agreement is obtained from the provider of the code or if patient consent is obtained to share HIPAA-protected data.

The Cedars-Sinai Medical Center lawsuit was initially filed in California state court on December 30, 2022, but was moved to the U.S. District Court for Central California in Los Angeles on February 3, 2023. The lawsuit – John Doe v. Cedars-Sinai Health System and Cedars-Sinai Medical Center – alleges invasion of privacy, intrusion upon seclusion, negligence, breach of implied contract, breach of contract, and violations of the California Invasion of Privacy Act, California Confidentiality of Medical Information Act, and California Unfair Competition Law.

The lawsuit alleges the sensitive personal and health information of the plaintiff and other Cedars-Sinai patients was impermissibly disclosed to Google, Meta, and Microsoft Bing due to the use of tracking code on its website. The lawsuit states that Cedars-Sinai encourages patients to visit its website to research medical symptoms and health issues, identify doctors that can treat their specific health problems, and make appointments online. Doing so requires patients to disclose their symptoms and communicate highly sensitive medical information, which the plaintiff did in the belief that privacy was assured.

The tracking technologies added to the website recorded individually identifiable information based on user interactions and transmitted that information to unrelated companies, including Meta/Facebook, Google, Microsoft Bing, and social media platforms or businesses. According to the lawsuit, “this code served as real time wiretaps on patients’ communications,” and allowed marketing companies to use patients’ private information to target them with advertising related to their medical conditions, yet consent to collect and use private information for that purpose was not obtained, and patients were not informed about those uses and disclosures. The plaintiff is a Facebook user who has the ‘Keep Me Logged In’ feature of his Facebook account activated. He noticed an increase in health-related adverts since visiting the Cedars-Sinai website for further information on his medical condition. Some of the adverts he was served were specific to the medical condition he researched on the Cedars-Sinai website.

The lawsuit takes aim at Cedars-Sinai, not the providers of pixels and code, which explain in their terms and conditions that use of the code in connection with health data is not permitted. For example, Google prohibits the use of Google Analytics code on the websites of HIPAA-covered entities and their business associates for any manner or purpose involving protected health information. The lawsuit claims that the inclusion of the tracking code has violated the privacy of patients and also constitutes a violation of the HIPAA Rules. The lawsuit seeks class action certification, a jury trial, compensatory and punitive damages, and injunctive relief.


Lawsuit Seeks Damages for GoodRx Users for Invasion of Privacy

Last week, the Federal Trade Commission (FTC) announced its first-ever financial penalty for a violation of the FTC Health Breach Notification Rule. GoodRx was alleged to have failed to issue notification letters to customers whose PHI was disclosed to third parties such as Google and Facebook via tracking technologies on its website and mobile app. GoodRx said it decided to settle the case and pay a $1.5 million financial penalty to avoid the time and expense of protracted litigation, and that proactive steps were taken to address the issue prior to the FTC investigation. The settlement has yet to be approved by a federal judge.

Several healthcare data breaches have been reported over the past few months that involved impermissible disclosures of protected health information to third parties such as Google, Meta, and others due to the use of tracking technologies on websites and mobile apps. Multiple lawsuits have been filed over those impermissible disclosures, and the GoodRx data breach is no exception.

A lawsuit was filed in the U.S. District Court of the Northern District of California on February 2, 2023, just a few days after the FTC announced the financial penalty. The lawsuit names GoodRx and three of the companies referenced in the FTC announcement as defendants – Google, Meta, and Criteo – and makes similar allegations to the FTC complaint. The lawsuit takes issue with the promise GoodRx made never to disclose the personal and health information of its customers to advertisers and other third parties, and only to use the personal medical data of its customers to fulfill customers’ requests, such as providing coupons for prescription medications. The lawsuit also takes issue with GoodRx’s claim that the company adheres to Digital Advertising Alliance principles, which include not disclosing health information for online behavioral advertising without consent, and with its display of a HIPAA seal on its website suggesting compliance with the Health Insurance Portability and Accountability Act (HIPAA).

The plaintiff and others represented in the lawsuit allege that their personal and health information was disclosed to third parties without their consent, when they had been informed that no such disclosures would occur and that defendants Google, Meta, and Criteo “knowingly and intentionally intercepted plaintiff and class members’ personal information, including health information relating to their medical conditions, symptoms, and prescriptions, communicated through the GoodRx Platform.” The lawsuit claims GoodRx monetized customer data and used the information to serve targeted advertisements based on previous prescriptions and visits to web pages related to birth control and erectile dysfunction medications, that Google, Meta, and Criteo profited from the customer data transmitted by GoodRx, and that the disclosures constituted “an extreme invasion of plaintiff’s and class members’ privacy.”

The lawsuit alleges common law invasion of privacy, intrusion upon seclusion, unjust enrichment, violations of the California Confidentiality of Medical Information Act (CMIA), aiding and abetting violations of CMIA, violations of the California Invasion of Privacy Act, violations of the California Consumers Legal Remedies Act, and violations of the California Business and Professional Code. The lawsuit seeks class action certification, an award of declaratory relief, statutory, actual, compensatory, consequential, punitive, and nominal damages, as well as restitution and/or disgorgement of profits unlawfully obtained.

GoodRx maintains there was no wrongdoing. “Before the FTC reached out to us, we proactively made updates consistent with our commitment to being at the forefront of safeguarding users’ privacy… While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations – and that remains common practice among many health, consumer and government websites – we are proud that we took action to be an industry leader on privacy practices.”

Google confirmed that it prohibits personalized advertising based on sensitive data such as health information and that it has strict policies in place regarding the types of information that can be shared. While Meta has not commented on the GoodRx case, statements have been issued in response to Meta Pixel-related data breaches at HIPAA-regulated entities, confirming Meta prohibits such disclosures and has mechanisms in place that automatically remove sensitive personal data to ensure the information is not sent to advertisers. While Criteo has not commented on the lawsuit, a statement was provided to HIPAA Journal about the FTC allegations. “Criteo’s data policies and privacy practices on our platform prohibit most of the targeted advertising campaigns and programs referenced in the FTC complaint against GoodRx. Consistent with our policies and practices in place with our clients, we can confirm that in connection with our digital advertising services with GoodRx, Criteo never received any personally identifiable information, such as name or email address, or prescription and medical information, such as a user looking at a particular prescription.”
