Legal News

Nurse Sentenced to 37 Months in Jail for Tampering with and Stealing Medications

A former nurse employed by the Roswell Park Comprehensive Cancer Center in Buffalo, NY, has been sentenced to 37 months in prison for tampering with and stealing controlled medications intended for cancer patients.

Kelsey A. Mulvey, 30, of Grand Island, NY, worked as a registered nurse at Roswell Park between February 2018 and June 2018. On June 27, 2018, Mulvey was observed accessing a medication dispensing machine in a room to which she was not assigned and left carrying a backpack. She was placed on administrative leave pending an investigation and later resigned. The investigation concluded Mulvey had stolen hydromorphone, methadone, oxycodone, and lorazepam from the automated medication dispensing systems.

In June and July 2018, six patients at Roswell Park became ill with waterborne infections. The investigation concluded that Mulvey had replaced the hydromorphone in the vials with water to hide the theft. Roswell Park has a zero-tolerance policy and immediately notified the New York State Department of Health, the NYS Department of Education, the Bureau of Narcotics and Tobacco Enforcement, U.S. Drug Enforcement Agency, and NYPORT about the drug theft and tampering. The U.S. Attorney’s Office charged Mulvey with tampering with a consumer product, acquiring controlled substances by fraud, and criminal violations of the Health Insurance Portability and Accountability Act (HIPAA). Prosecutors said the drug thefts resulted in a failure to properly administer medications for 81 Roswell Park patients.

Mulvey faced a maximum jail term of 10 years for the offenses. She entered into a plea agreement and pleaded guilty to one count of tampering with a consumer product. The criminal HIPAA violations and other charges were dropped as part of the agreement. Mulvey also agreed to surrender her nursing license. Roswell Park said that after the theft was discovered, new surveillance systems were implemented, policies and procedures were reviewed and updated, and staff training and education were increased concerning drug diversion.

The post Nurse Sentenced to 37 Months in Jail for Tampering with and Stealing Medications appeared first on HIPAA Journal.

Sturdy Memorial Hospital & North Shore Pain Management Settle Data Breach Lawsuits

Two healthcare organizations in Massachusetts have chosen to settle class action lawsuits that were filed by patients whose protected health information was stolen in cyberattacks.

Sturdy Memorial Hospital

Sturdy Memorial Hospital in Attleboro, MA, has agreed to settle a lawsuit filed in response to a September 2021 ransomware attack, where the attackers gained access to the data of approximately 60,000 patients, such as names, addresses, dates of birth, Social Security numbers, financial information, and health information. The attackers exfiltrated patient data and threatened to release the information publicly. The hospital chose to pay the ransom.

The lawsuit – Shedd, et al. v. Sturdy Memorial Hospital Inc. – alleged the hospital had maintained patient information in a reckless manner, as the information was stored on a system vulnerable to cyberattacks and the data was not encrypted. The lawsuit alleged the hospital did not follow Federal Trade Commission guidelines and violated Massachusetts laws by delaying sending notification letters to patients for almost 4 months.

Sturdy Memorial Hospital admitted no wrongdoing and chose to settle the lawsuit to avoid ongoing legal costs. Under the terms of the settlement, class members can claim up to $375 for ordinary losses, including out-of-pocket expenses and up to three hours of lost time at $20 per hour. Claims can also be submitted for documented extraordinary losses incurred between February 9 and February 14, 2021, up to a maximum of $5,000. The settlement also includes free credit monitoring services for class members.

Class members have until January 14, 2023, to exclude themselves from or object to the settlement. Claims must be submitted by February 14, 2023. The fairness hearing is scheduled for February 16, 2023.

North Shore Pain Management

North Shore Pain Management, which operates pain management clinics in Beverly and Woburn, MA, and its vendor, Revolve I.T. Inc, have chosen to settle a class action lawsuit filed in response to an April 2020 ransomware attack.

The attackers gained access to its network and exfiltrated patient data prior to encrypting files. The AKO ransomware gang claimed to have stolen 4GB of data, and that data was leaked when the ransom wasn’t paid. The stolen data included patient names, dates of birth, health insurance information, account balances, financial information, diagnosis and treatment information, and for certain patients, ultrasound and MRI images and/or Social Security numbers. In total, 12,472 current and former patients were affected.

North Shore Pain Management and Revolve I.T. maintain they had implemented adequate defenses to protect against cyberattacks and denied any wrongdoing. The decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, a fund of $200,000 will be created to cover claims from class members for economic losses and lost time related to the data breach. Each class member may claim up to $150 for ordinary economic losses and lost time and claims up to a maximum of $1,500 are permitted for extraordinary losses. The settlement also includes 36 months of credit monitoring services or a $25 payment in lieu of the credit monitoring services and reimbursement of economic losses. Claims will be paid pro rata if the claims total exceeds $200,000.

Class members have until December 14, 2022, to exclude themselves from or object to the settlement. Claims must be submitted by January 13, 2023. The fairness hearing is scheduled for January 10, 2023.

$295,000 Settlement Proposed by Conway Regional Medical Center to Resolve Data Breach Lawsuit

Conway Regional Medical Center, a non-profit healthcare system in north central Arkansas, has proposed a $295,000 settlement to resolve a class action lawsuit that was filed on behalf of individuals affected by a 2019 data breach.

The data breach in question occurred in June 2019. Email accounts containing the protected health information of patients were accessed by unauthorized individuals after employees responded to phishing emails. The review of the email accounts revealed they contained patient names, addresses, Social Security numbers, medical information, and health insurance information. Approximately 37,000 patients were affected and had their information exposed.

Following the breach, a lawsuit – Danielle Marshall v. Conway Regional Medical Center Inc – was filed in Faulkner County Circuit Court alleging Conway Regional was negligent for failing to implement appropriate safeguards to protect patient information, and that, as a direct result of that negligence, the protected health information of the plaintiff and class members was accessed by criminals. Conway Regional maintains that it had implemented meritorious defenses against phishing and other cyber threats and was prepared to vigorously defend the lawsuit; however, the decision was taken to settle the lawsuit to end the litigation and prevent further legal costs. Conway Regional says the settlement has been proposed to resolve the disputed claims and is not an admission of any lawbreaking or wrongdoing.

Under the terms of the proposed settlement, class members will be eligible to receive two years of identity theft protection services through IDX. Instructions for signing up for those services are detailed in the settlement. In contrast to many settlements that allow claims to be submitted for documented losses, there are some caveats. A claim of up to $850 may be submitted for reimbursement of documented losses, but only by class members who have enrolled in the IDX services and activated them per the instructions, and only if a claim is first submitted through the IDX service and that claim is denied. Before submitting a claim, class members must also have exhausted the IDX claim process. If IDX rejects the claim because it was not submitted within the allowed time frame or due to insufficient documentation, class members will not be eligible to claim for reimbursement under the settlement. Class members may also claim up to $40 for lost time fairly traceable to the data breach, independent of any claim for documented losses, and regardless of whether they have signed up for the IDX services.

To sign up for the IDX services, class members must complete the Election form before February 20, 2023. Claims for reimbursement of economic losses and lost time must also be submitted by February 20, 2023. The deadline for exclusion from or objection to the settlement is December 21, 2022. A fairness hearing has been scheduled for February 7, 2023.

FTC and HHS Update Online Compliance Tool for Mobile Health App Developers

Developers of mobile health apps may be required to comply with certain federal laws such as the FTC Act, FTC Health Breach Notification Rule, Children’s Online Privacy Protection Act (COPPA), Health Insurance Portability and Accountability Act (HIPAA), Federal Food, Drug and Cosmetics Act (FD&C Act), the 21st Century Cures Act, and the ONC’s Information Blocking Regulations.

To help mobile health app developers avoid compliance missteps, the Federal Trade Commission (FTC), in conjunction with the Department of Health and Human Services’ Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), developed an online tool to help developers determine which federal laws and regulations they need to comply with.

The online tool asks a series of questions about the nature of the app, the service it provides, the information it collects, and how that information is collected, shared, and used. Based on the answers to the questions, the tool will direct the developer to the relevant federal regulatory privacy, security, and breach notification laws and regulations that may apply.

The tool should be used by any developer of a mobile app that accesses, collects, shares, uses, or maintains information related to an individual’s past, present, or future health. Even if a health app has not been developed for use by a HIPAA-covered entity, there may be one or more federal laws or regulations that apply. The tool will point developers to resources where they can find out more information about their compliance obligations, along with best practices to help them deliver a safe and accurate service while ensuring the privacy and security of the health information of app users.

On December 7, 2022, the HHS announced that the online Mobile Health App Interactive Tool has been updated. The updated version can be found here.

New York Ambulance Service Facing Multiple Class Action Lawsuits over Ransomware Attack

The New York ambulance service, Empress EMS, is facing multiple class action lawsuits over a ransomware attack that was detected on July 14, 2022. The Hive ransomware group was behind the attack and, in line with the group’s usual modus operandi, stole sensitive files after gaining access to the network and then encrypted files.

According to the breach notifications sent by Empress EMS, the unnamed ransomware actors stole files that included names, dates of birth, demographic information, diagnosis and treatment information, medical record numbers, dates of service, insurance information, prescription information, and, for a small subset of individuals, Social Security numbers. Those files were stolen on July 13, 2022. The Hive ransomware group published some of the stolen data on their data leak site, but the data was promptly removed. According to databreaches.net, which contacted the Hive group, Empress EMS paid the ransom.

The breach investigation revealed the ransomware gang first gained access to the network on or around May 26, 2022. Notification letters were sent to affected individuals on September 9, 2022. The breach was reported to the HHS’ Office for Civil Rights as affecting up to 318,558 individuals. Individuals whose Social Security numbers were exposed or stolen were offered complimentary credit monitoring services.

The latest lawsuit, filed in Manhattan federal court on behalf of plaintiff Robert D’Agostini and similarly situated individuals, alleges negligence for failing to adequately protect patient data, breach of implied contract, and violations of New York General Business Law. The lawsuit also alleges Empress EMS violated HIPAA.

The lawsuit takes issue with the length of time it took Empress EMS to identify the intrusion – almost 2 months – and the length of time it took to notify affected individuals – more than 7 weeks. The lawsuit alleges Empress EMS unreasonably delayed issuing notifications. It should be pointed out that HIPAA allows regulated entities a maximum of 60 days to issue notifications from the date of discovery of a data breach, but states that notifications should be sent without unreasonable delay.

The lawsuit also claims that key information was omitted from the breach notification letters, specifically that the Hive ransomware gang was behind the attack – a group known to steal and publicly leak stolen data. The Hive group claimed to have stolen more than 100,000 Social Security numbers, which the lawsuit points out is not “a small subset of files.”

The lawsuit claims the plaintiffs and class members have had their privacy violated, their protected health information is in the hands of hackers, their PHI has been publicly leaked, and they face an imminent and ongoing risk of fraud and identity theft. The lawsuit seeks class action status, a jury trial, actual damages (or $50 per class member, whichever is higher), treble damages, and punitive damages. The lawsuit is one of at least 4 complaints that have been filed against Empress EMS over the data breach.

San Juan Regional Medical Center Settles Data Breach Lawsuit

San Juan Regional Medical Center (SJRMC) in Farmington, New Mexico, has proposed a settlement to resolve a class action lawsuit filed in response to a September 2020 data breach that affected 68,792 patients.

On September 8, 2020, hackers gained access to the SJRMC network and exfiltrated files that contained patient information such as names, dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, diagnoses, treatment information, medical record numbers, and patient account numbers. San Juan Regional Medical Center stated at the time that this was a malware attack rather than a ransomware attack. Complimentary credit monitoring services were offered to patients for a period of 12 months.

A lawsuit – Henderson, et al. v. San Juan Regional Medical Center – was filed on behalf of Jeremy Henderson, a patient of SJRMC, and other patients similarly affected by the breach. The lawsuit alleged SJRMC was negligent for failing to adequately secure patient data. While legal action was not taken over a HIPAA violation, the lawsuit alleged the lack of appropriate safeguards constituted a HIPAA violation.

SJRMC chose to settle the lawsuit to prevent further legal costs and avoid the uncertainty of trial but has admitted no wrongdoing and accepts no liability for the cyberattack and data breach. The settlement covers all individuals whose personally identifiable information or protected health information was compromised as a result of the cyberattack, as well as a subclass of individuals who were notified by SJRMC that their Social Security, financial account, driver’s license, or passport numbers had potentially been compromised.

Under the terms of the settlement, all affected individuals are entitled to receive two years of complimentary credit monitoring and identity theft protection services, with the subclass also entitled to submit a claim for up to $2,500 as compensation for losses suffered in response to the breach. Those losses include reimbursement of out-of-pocket expenses, compensation for fees for credit reports, credit monitoring, or other identity-theft insurance products purchased after October 13, 2022, compensation at $17.50 per hour for lost time related to the cyberattack if at least one hour was lost dealing with the effects of the data breach, and compensation for documented monetary losses.

The final date for objection to or exclusion from the settlement is January 9, 2023. All claims must be submitted by February 8, 2023. A fairness hearing for the settlement has been scheduled for February 22, 2023.

HHS, SAMHSA Propose Update to Improve Alignment of HIPAA Privacy Rule and 42 CFR Part 2

The Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA) have issued a Notice of Proposed Rulemaking (NPRM) detailing changes to the Confidentiality of Substance Use Disorder (SUD) Patient Records (42 CFR Part 2) and HIPAA to increase care coordination and better align Part 2 with the HIPAA Privacy Rule, as required by Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

Part 2 protects patient privacy and records related to treatment for SUD, and the HIPAA Privacy Rule is concerned with the privacy of protected health information (PHI); however, SUD records are treated differently from other types of PHI. The HIPAA Privacy Rule permits disclosures of protected health information without consent for treatment, payment, or healthcare operations, but Part 2 imposes greater restrictions on disclosures of SUD records. Generally, SUD records can only be disclosed by a SUD treatment provider if consent to do so is obtained from the patient. Further, even with a valid consent form, SUD treatment providers must include a written statement that the information cannot be redisclosed. This is because SUD records are particularly sensitive due to the stigma of substance abuse and the potential for discrimination, which can result in loss of insurance and employment.

Having to treat PHI and SUD records differently is problematic, as it creates barriers to information sharing that is in the best interests of patients, and the dual compliance obligations create compliance challenges for regulated entities. “Varying requirements of privacy laws can slow treatment, inhibit care, and perpetuate negative stereotypes about people facing substance use challenges,” said HHS Secretary Xavier Becerra, hence the need for better alignment of Part 2 with the HIPAA Privacy Rule. It is important, however, to ensure patient privacy, as any lessening of the protections for SUD records could deter individuals suffering from SUD from seeking treatment, which could have life-threatening consequences.

The proposed rule strikes a balance between the need for strong privacy protections and having the flexibility to allow information sharing to improve care coordination. “One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” said Miriam E. Delphin-Rittmon, Ph.D., the HHS Assistant Secretary for Mental Health and Substance Use and the leader of SAMHSA. “Bringing Part 2 requirements into closer alignment with HIPAA will support more effective coordination for people accessing care. At the same time, the proposed rule mitigates the discrimination and stigma that we know too often people with SUDs experience.”

The key changes in the NPRM are:

  • Permitted use and disclosure of Part 2 records will be based on a single patient consent. Once that consent is given, it covers all future uses and disclosures for treatment, payment, and healthcare operations.
  • Redisclosure of Part 2 records will be permitted – with certain exceptions – if redisclosure is permitted by the HIPAA Privacy Rule.
  • Patients are given new rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
  • Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have been expanded.
  • The HHS has new enforcement authority and can impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act.
  • Part 2 programs must establish a process to receive complaints about Part 2 violations, those programs are prohibited from taking adverse action in response to complaints, and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
  • Breach notification requirements to the HHS and affected patients for Part 2 records will be aligned with the HIPAA Breach Notification Rule.
  • The HIPAA Privacy Rule Notice of Privacy Practices requirements have been updated to address uses and disclosures of Part 2 records and individual rights with respect to those records.

The HHS and SAMHSA are encouraging healthcare industry stakeholders and the public to submit comments on the proposed changes. To be considered, they must be submitted within 60 days of publication of the NPRM in the Federal Register. The expected publication date is 12/02/2022. A fact sheet on the proposed changes has been published on the HHS website.