Legal News

Banner Health Settles Alleged HIPAA Security Rule Violations for $1.25 Million

The HHS’ Office for Civil Rights has announced its second financial penalty of 2023 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Banner Health has agreed to pay a financial penalty of $1,250,000 and adopt a corrective action plan to resolve the alleged HIPAA Security Rule violations.

Phoenix, AZ-based Banner Health is one of the largest non-profit health systems in the United States. The health system includes 30 hospitals and more than 69 affiliated healthcare facilities in 6 U.S. states and employs more than 50,000 individuals. On July 13, 2016, Banner Health detected a security breach, with the subsequent investigation confirming hackers gained access to its systems on June 17, 2016. The hackers were able to access systems containing the protected health information (PHI) of 2.81 million individuals, including names, addresses, dates of birth, Social Security numbers, claims information, lab results, medications, diagnoses, and health insurance information. After being informed about the impermissible disclosure of PHI, OCR initiated a review of HIPAA Security Rule compliance to determine if noncompliance was a contributory factor to the data breach.

OCR’s investigators determined that Banner Health had failed to conduct an accurate and thorough analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI. The administrative safeguards of the HIPAA Security Rule include a requirement to conduct regular reviews of information system activity to identify unauthorized access to PHI. OCR determined that Banner Health had not implemented sufficient procedures to conduct regular reviews.

The HIPAA Security Rule requires covered entities to implement technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Banner Health failed to implement sufficient procedures to verify the identity of persons seeking access to ePHI to ensure they are who they claim to be, and insufficient technical security measures had been implemented to protect against unauthorized access to ePHI transmitted over an electronic communications network.

OCR said its investigators found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across the Banner Health organization, which was a serious concern given the size of the covered entity, and the HIPAA violations were sufficiently severe to warrant a financial penalty. In addition to paying a financial penalty, Banner Health has agreed to adopt a corrective action plan (CAP) that includes the requirement to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization and develop a risk management plan to address any vulnerabilities identified by the risk analysis. Policies and procedures must be developed, implemented, and distributed to the workforce covering risk analyses, risk management, system activity reviews, authentication processes, and security measures to protect against unauthorized PHI access. OCR will monitor Banner Health for compliance with the CAP for 2 years.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

The post Banner Health Settles Alleged HIPAA Security Rule Violations for $1.25 Million appeared first on HIPAA Journal.

FTC Issues First Financial Penalty for a Health Breach Notification Rule Violation

The Federal Trade Commission’s Health Breach Notification Rule requires vendors of personal health records and related entities to issue notifications to consumers in the event of a breach of unsecured personal records. The rule took effect in 2009, yet compliance has not been enforced. That has now changed. Yesterday, the FTC issued its first penalty for noncompliance with the Health Breach Notification Rule to the prescription drug provider, GoodRx Holdings Inc, which has been ordered to pay a financial penalty of $1.5 million.

In September 2021, the FTC issued a policy statement announcing its intention to start actively enforcing the Health Breach Notification Rule with a focus on health apps, which are generally not covered by HIPAA, so data breaches at those apps are not subject to the notification requirements of the HIPAA Breach Notification Rule. Two guidance documents – Health Breach Notification Rule: The Basics for Business and Complying with FTC’s Health Breach Notification Rule – were published in January 2022 that clearly explained which entities are covered by the Health Breach Notification Rule, the types of events that require notifications to consumers, and how notifications should be issued. The first financial penalty was imposed almost a year to the day after the guidance was issued for the failure to notify consumers about unauthorized disclosures of their personal health information to Facebook, Google, Criteo, and others for advertising purposes.

GoodRx is a Santa Monica, CA-based provider of a telemedicine platform that includes a free-to-use website and mobile app that consumers can use to track prescription drug prices and obtain coupons that provide discounts on medications. The platform can also be used to arrange telehealth visits and access other health services. Users of the service provide personal and health information to GoodRx, which also collects data from pharmacy benefit managers when users make purchases using GoodRx coupons. Since January 2017, more than 55 million consumers have used the GoodRx website and mobile app.

Multiple Privacy Violations and Deceptive Business Practices

According to the FTC complaint, GoodRx violated the FTC Act and its own privacy policy by sharing the sensitive personal and health information of its users with tech firms and social media websites without notifying users about those disclosures or obtaining consent to do so.

GoodRx told users of its website and mobile app that their personal health information would never be shared with advertisers or other third parties; however, the FTC determined that since at least 2017 GoodRx repeatedly violated that promise and shared personal health information with third parties such as Facebook, Google, Criteo, Branch, Twilio, and others for advertising purposes, including information about users’ health conditions and their prescription medications.

The personal health information of users was monetized and the data shared with Facebook was used to target its own users with adverts on Meta platforms such as Facebook and Instagram. The FTC cited one such example from 2019 where GoodRx compiled lists of users who had purchased certain medications for heart disease and blood pressure, then uploaded their email addresses, phone numbers, and advertising IDs to Facebook to allow those users to be identified in order to serve them with targeted health-related advertisements.

GoodRx also permitted third parties such as Facebook to use the shared data for their own internal purposes, while falsely claiming compliance with Digital Advertising Alliance principles, which require consent to be obtained before using health information for advertising purposes. GoodRx also misrepresented HIPAA compliance by displaying a seal on its telehealth services homepage falsely claiming it was in compliance with the HIPAA Rules. The company also failed to implement appropriate policies and procedures to protect the personal and health information of its users, and only implemented formal, written privacy and data-sharing policies when its data practices were publicly revealed by a consumer watchdog in February 2020.

The FTC said GoodRx was in violation of the Health Breach Notification Rule for failing to notify consumers of the impermissible disclosures of their personal health information, and the severity of those violations warranted a financial penalty. In addition to the financial penalty, GoodRx is prohibited from sharing the health data of its users for advertising purposes, must obtain consent from users for any other data sharing, must direct the third parties to whom health data were disclosed to delete that information, and must implement a comprehensive privacy program. The proposed penalty is now awaiting approval from the federal court.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”


San Andreas Regional Center Agrees to Settle 2021 Ransomware Attack Lawsuit

San Andreas Regional Center has agreed to settle a class action lawsuit that was filed in response to a July 2021 ransomware attack in which hackers gained access to the personal information of more than 57,000 patients.

The San Jose, CA-based healthcare provider supports individuals with developmental disabilities through its facilities in Santa Clara, Santa Cruz, San Benito, and Monterey counties. The ransomware attack occurred on or around July 5, 2021, and prior to encrypting files, the threat actor potentially accessed and exfiltrated sensitive patient data such as names, addresses, dates of birth, telephone numbers, Social Security numbers, email addresses, health plan beneficiary numbers, health insurance information, full-face photos, and medical information. Affected individuals were notified about the cyberattack in August 2021 and were offered complimentary credit monitoring and identity theft protection services.

A lawsuit – Lopez, et al. v. San Andreas Regional Center – was filed in the Superior Court of California in response to the breach alleging the healthcare provider was negligent for failing to implement reasonable cybersecurity measures to protect against ransomware attacks, despite being aware of the high risk of attacks on the healthcare sector. The lawsuit alleged the plaintiff and class members now face a high risk of identity theft and fraud as a result of the data breach and have incurred out-of-pocket expenses and lost time securing their accounts and protecting against the misuse of their personal and protected health information.

San Andreas Regional Center denies all claims related to the data breach but decided to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the proposed settlement, class members are entitled to submit claims of up to $500 for documented ordinary expenses that are reasonably traceable to the data breach, such as bank fees, credit costs, and communication charges, and up to 3 hours of lost time at $20 per hour. Claims of up to $2,500 will be accepted for documented extraordinary losses due to identity theft and fraud.

Individuals wishing to object to or exclude themselves from the proposed settlement have until March 13, 2023, to do so. Claims must be submitted by August 2, 2023. The final approval hearing is scheduled for August 2, 2023. The class is represented by attorneys Michael Anderson Berry of Clayeo C. Arnold PC and David K. Lietz of Milberg Coleman, Bryson, Phillips Grossman PLLC.


Katherine Shaw Bethea Hospital Proposes $380K Settlement to Resolve Data Breach Lawsuit

Katherine Shaw Bethea (KSB) Hospital in Dixon, IL, has proposed a $380,000 settlement to resolve claims related to a September 2021 data breach at a business associate of the hospital. KSB Hospital used the Scottsbluff, NE-based healthcare accounts receivables service provider, Magnet Solutions, for billing-related services. Between September 17 and September 20, 2021, Magnet Solutions processed and mailed billing statements to KSB patients; however, a software error caused statements to be mailed to incorrect individuals. The statements included names, encounter numbers, names of treating physicians, dates of service, and locations of service. According to the breach notice submitted to the HHS’ Office for Civil Rights, the breach affected 1,553 individuals, who were notified about the breach by Magnet Solutions in November 2021. Complimentary credit monitoring and identity theft protection services were offered to affected individuals.

A lawsuit – John Doe, et al. v. Katherine Shaw Bethea Hospital, et al. – was filed in response to the breach. The plaintiff alleged that his billing statements had been impermissibly disclosed to other patients via mail and online portals and that those statements contained information about medical treatments at KSB Hospital that was very sensitive in nature. The lawsuit alleged a breach of fiduciary duty and violations of Illinois statutes and federal law.

KSB Hospital and KSB Medical Group, which operates the hospital, admitted no wrongdoing but chose to settle the lawsuit. The class consists of all individuals who received a notification about the data breach from Magnet Solutions on behalf of KSB Medical Group informing them that their information had been impermissibly disclosed in September 2021. Under the terms of the proposed settlement, class members are entitled to submit claims for a cash payment of up to $250. If claims are submitted totaling more than the settlement amount, they will be paid pro rata.

Class members wishing to object to or exclude themselves from the settlement have until February 8, 2023, to do so. Claims for the cash payment must be submitted no later than March 22, 2023. The final approval hearing has been scheduled for March 28, 2023.


Lawsuit Alleges Christ Hospital Website Has Sent Patient Data to Meta

Earlier this month, a lawsuit was filed against The Christ Hospital in Cincinnati, OH, alleging third-party tracking code had been added to its website that was transmitting sensitive patient data to Meta and other third parties, without obtaining authorization from patients.

An investigation by The Markup last summer revealed one-third of the top 100 hospitals in the United States had Meta pixel tracking code on their websites, several of which were confirmed as having added the code to their password-protected patient portals. In some instances, the code was transmitting patient data to Meta, such as if website visitors were logged into their Facebook accounts while browsing the hospital websites. Tracking code is also provided by others, such as Google, which can similarly transmit data based on the interactions of users on websites.

Following the investigation, several healthcare organizations announced data breaches related to tracking technologies that have resulted in the impermissible disclosure of patient information. The HHS’ Office for Civil Rights recently issued guidance on the use of tracking technologies on hospital websites, confirming that these technologies have the potential to violate the HIPAA Rules, and the use of these technologies without patient authorizations or a business associate agreement is likely to be a reportable data breach. The Christ Hospital does not appear to have announced any such breach to date.

The lawsuit – Doe v. The Christ Hospital – was filed on January 10, 2023, by attorney James Eugene Burke III in Hamilton County Court but has since been moved to federal court. According to the lawsuit, The Christ Hospital website has a search engine that patients are encouraged to use to find physicians within its network, and patients can schedule appointments with those physicians online. The hospital website allegedly includes Meta Pixel and other third-party code, which collects information about the activities of website users and transmits that information to Meta and others, with the information potentially used to serve patients with targeted adverts on Facebook and other Meta platforms.

The lawsuit alleges patients who searched for cancer treatments, mental health care, and even sexually transmitted infections could be targeted with adverts related to their searches on the site. The lawsuit also alleges third-party code was included on the MyChart patient portal, which could potentially transmit communications with physicians to third parties without patient authorization, in violation of the HIPAA Rules.

The lawsuit names Jane Doe as plaintiff and seeks class action status to cover all similarly affected patients. The lawsuit seeks a jury trial, punitive charges, and damages in excess of $25,000. The Christ Hospital maintains it is not selling patient data to Meta or other third parties and is investigating the claims made in the lawsuit.


Logan Health Proposes $4.3 Million Settlement to Resolve Class Action Data Breach Lawsuit

Logan Health has agreed to settle a class action lawsuit related to a 2021 hacking incident that exposed the protected health information of 213,543 individuals. Under the terms of the settlement, Logan Health has agreed to create a fund of $4.3 million to cover claims from individuals affected by the breach.

Logan Health, formerly Kalispell Regional Medical Center, is a 622-bed health system based in Kalispell, MT, which operates six hospitals and more than 68 provider clinics in the state. On February 18, 2022, Logan Health announced that it was the victim of a sophisticated cyberattack in which hackers gained access to a file server containing patient data. The breach was detected on November 22, 2021, and the investigation confirmed that access to its systems was gained on November 18, 2021. On January 5, 2022, Logan Health learned that the attackers accessed files containing patient information such as names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, insurance claim information, date(s) of service, treating/referring physician, medical bill account number, and/or health insurance information. Affected individuals were offered complimentary credit monitoring services.

A lawsuit – Tafelski, et al. v. Logan Health Medical Center – was filed against Logan Health in the Montana Eighth Judicial District Court shortly after notification letters were mailed. The lawsuit alleged Logan Health had failed to implement reasonable and appropriate cybersecurity measures and had not provided sufficient security awareness training to its workforce, and that had those measures been implemented, the data breach would have been prevented. In addition to this breach, Logan Health had experienced others while operating as Kalispell Regional Medical Center, which had affected 2,081 state residents in 2021 and 126,805 individuals in 2019. The lawsuit alleged the plaintiffs and class members have suffered damages including the compromise, publication, theft and/or unauthorized use of their PII/PHI, out-of-pocket costs from the prevention, detection, recovery, and remediation of identity theft or fraud, and lost opportunity costs and lost wages, and that they face a continued risk to their PII/PHI.

Logan Health chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, affected individuals can submit claims up to a maximum of $25,000 for reimbursement of out-of-pocket expenses that are reasonably traceable to the data breach and were not reimbursable by a third party. Claims can also include lost time up to a maximum of $125 per class member. In addition to claims for reimbursement of losses, class members can choose to claim three years of credit monitoring services or a cash payment in lieu of the credit monitoring services.

The deadline for exclusion from or objections to the settlement is February 13, 2023. Claims must be submitted by April 3, 2023, and the final approval hearing for the settlement has been scheduled for March 9, 2023.


Second Class Action Lawsuit Filed Against CommonSpirit Health Over Ransomware Attack

Another lawsuit has been filed against CommonSpirit Health over its 2022 ransomware attack and data breach, alleging the nation’s largest Catholic health system failed to implement reasonable and appropriate safeguards to prevent unauthorized access to sensitive patient data.

CommonSpirit Health announced in early October that it was dealing with a cyberattack that took down its IT systems, then in December confirmed that the individuals behind the ransomware attack had access to certain parts of its network from September 16 through October 3, 2022, during which time they may have accessed or obtained the protected health information of 623,774 patients including names, contact information, birth dates, and internal patient identifiers.

The latest lawsuit was filed on January 13, 2022, in the U.S. District Court for the Northern District of Illinois on behalf of plaintiff Jose Antonio Koch, his two minor children (John/James Doe), and other similarly affected individuals. Koch and his children received medical care at St. Michael Medical Center in Silverdale, WA, a CommonSpirit Health member hospital operated by Virginia Mason Franciscan Health, which was affected by the attack.

CommonSpirit Health provided regular updates on its website about the cyberattack and data breach and notified patients in December when the extent of the breach had been determined, approximately two and a half months after the breach occurred and two months after the breach was detected. The lawsuit alleges CommonSpirit Health “intentionally, willfully, recklessly or negligently” failed to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions, and that “CommonSpirit has not been forthcoming about the data breach.” The lawsuit also suggests the actual number of individuals affected may be much higher, potentially as high as 20 million, and takes issue with the time it took CommonSpirit Health to detect the data breach, which started on September 16, 2022, but was not detected until October 2, 2022.

The lawsuit alleges the plaintiffs and class members have been exposed to a heightened and imminent risk of fraud, financial identity theft, and medical identity theft, and must now cover the cost of credit monitoring services, credit freezes, credit reports, and other protective measures, and that they have had to spend time monitoring their accounts, changing passwords, and taking other measures to protect their identities.

The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and negligence per se, and seeks class action status, at least 7 years of complimentary credit monitoring services, and an award of actual damages, compensatory damages, statutory damages, and statutory penalties, as determined and allowable by law, and an award of punitive damages and attorneys’ fees.

An earlier lawsuit was filed in the U.S. District Court for the Northern District of Illinois on December 29, 2022, by Washington resident, Leeroy Perkins, which makes similar claims that industry-standard cybersecurity measures had not been implemented. That lawsuit seeks damages exceeding $5 million and injunctive relief, which includes the requirement for CommonSpirit Health to implement stronger data security measures to prevent further data breaches.


Mayo Clinic Settles Lawsuit Alleging Former Employee Viewed Nude Patient Images

Mayo Clinic has settled another lawsuit that stemmed from a data breach involving a former employee, who was discovered to have accessed the records of patients without authorization, including nude images.

In October 2020, Mayo Clinic notified 1,614 patients that some of their protected health information had been viewed by a former employee. That information included demographic information, birth dates, medical record numbers, and clinical notes. The employee was also discovered to have viewed photographs of patients that had been taken for medical purposes, which included nude images.

The employee in question, Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, was a doctor at Mayo Clinic, and terminated his employment in August 2022 around the time that the privacy violations were discovered. The Olmsted County Attorney’s Office opened a criminal investigation into Alsughayer over the privacy violations after a complaint was received from a patient who obtained a copy of her records and discovered they included three nude images that were in her medical records at the time the alleged privacy violations occurred. She obtained the records in response to being notified about the breach.

Alsughayer faces a gross misdemeanor charge for unauthorized computer access. His legal team sought to dismiss the case on the grounds that there was no probable cause to believe the defendant committed the alleged privacy violations; however, those efforts have been unsuccessful. Alsughayer pleaded not guilty to the charges in August 2021. A date has yet to be set for the trial.

At least three lawsuits were filed against Mayo Clinic over the privacy violations. One of those lawsuits was settled out of court with the complainant last year and another – filed in May 2021 – is scheduled to go to trial in September 2023. The third lawsuit, which was filed in November 2020 on behalf of Mayo Clinic patient Olga Ryabchuk, sought class action status for the 1,614 patients whose privacy was violated. That lawsuit was dismissed by an Olmsted County Judge in December after all parties agreed to a settlement, the details of which have not been publicly disclosed.


Rehoboth McKinley Christian Health Care Patients to Be Compensated Up to $4,000 for Data Breach

A settlement proposed by Rehoboth McKinley Christian Health Care Services to resolve claims related to a February 2021 cyberattack has been approved by a New Mexico federal judge. The settlement will compensate affected individuals for lost time and out-of-pocket expenses incurred in response to the data breach up to a maximum of $4,000 per person.

Rehoboth McKinley Christian Health Care Services operates a 60-bed acute care hospital and outpatient clinics and provides home health care services in New Mexico and Arizona. In February 2021, a security breach was detected, with the investigation revealing unauthorized individuals had access to its network from January 21 to February 5, 2021, during which time they had access to the protected health information of approximately 191,000 patients, including names, contact information, Social Security numbers, medical information, and health insurance information. Patients were notified about the data breach in May 2021.

In June 2021, a lawsuit – Charlie et al. v. Rehoboth McKinley Christian Health Care Services – was filed on behalf of Alicia Charlie, Leona Garcia Lacey, Darrell Tsosie, and a minor child, represented by his guardian Gary Hicks. The lawsuit alleged Rehoboth McKinley Christian Health Care Services had failed to implement appropriate safeguards to prevent unauthorized access to their protected health information and also unnecessarily delayed issuing notifications to affected individuals.

The lawsuit alleged Rehoboth McKinley Christian Health Care Services violated New Mexico and Arizona consumer protection statutes, and included claims of negligence, intrusion upon seclusion, breach of implied contract, and breach of fiduciary duty, although the claims for intrusion upon seclusion, breach of implied contract, and a violation of the Arizona Consumer Fraud Act were rejected. Rehoboth McKinley Christian Health Care Services had argued that there was no actionable duty to protect the plaintiffs’ data, but U.S. District Court Judge Steven C. Yarbrough ruled that Rehoboth McKinley Christian Health Care Services owed the plaintiffs a duty of ordinary care concerning the storage of their private information and was unable to demonstrate that recovery of the lost time in response to the breach was not permitted under state law.

Under the terms of the settlement, the 191,009 individuals in the class may submit claims for up to $500 to recover ordinary out-of-pocket expenses, which can include up to 4 hours of lost time at $15 per hour. Ordinary expenses include bank fees, long-distance phone charges, cell phone and data charges, postage, gasoline for local travel, credit report fees, and credit monitoring and identity theft insurance services. Claims may also be submitted for documented extraordinary out-of-pocket expenses up to a maximum of $3,500. In contrast to many settlements which are paid pro rata based on the number of claims, this settlement will cover the full $4,000 for all class members. Class members will also be provided with 2 years of complimentary credit monitoring services. Rehoboth McKinley Christian Health Care Services has also agreed to enhance data security. A final fairness hearing has been scheduled for May 24, 2022.
