Legal News

SEC Sues SolarWinds over 2019 Cyberattack Alleging Company Defrauded Investors

In 2019, SolarWinds experienced one of the worst cyber espionage incidents in history. The company is now being sued by the U.S. Securities and Exchange Commission (SEC) which alleges it defrauded investors and failed to maintain adequate internal security controls for several years.

The Largest and Most Sophisticated Attack the World has Ever Seen

In 2019, the Austin, TX-based software vendor was targeted by a nation-state hacking group that Microsoft tracks as Nobelium. Nobelium is a highly skilled hacking group that is believed to be backed by the Russian Foreign Intelligence Service. The hackers conducted a supply chain attack by gaining access to the SolarWinds network and added malicious code to an IT performance monitoring system called Orion. More than 30,000 public and private sector organizations use the Orion software to manage their IT resources.

The trojanized update carried a backdoor that gave the attackers access to the networks, systems, and data of the customers who installed it. As many as 18,000 customers, including U.S. government agencies, applied the update. While the backdoor was present on thousands of customers’ systems, SolarWinds said the threat group appeared to target only a small subset of high-value customers such as federal government agencies, and concluded that fewer than 100 of its customers had been actively targeted. Victims of the “SUNBURST” attack included FireEye, Microsoft, Deloitte, Cisco Systems, Intel Corp, Nvidia, VMWare, Belkin International, the California Department of State Hospitals, and the Departments of Homeland Security, State, Commerce, and the Treasury.

The threat actors gained access to the SolarWinds network in September 2019, tested the initial Orion code injection in October 2019, injected their malicious code into Orion in February 2020, and the backdoor malware was unknowingly distributed by SolarWinds in software updates that started on March 26, 2020. FireEye was the first to disclose the breach in December 2020. The purpose of the attack has not been confirmed, although it appears to have been a large-scale Russian espionage operation. Russia denied any involvement in the attack. Microsoft President, Brad Smith, said the SolarWinds hack was “the largest and most sophisticated attack the world has ever seen.”

Securities and Exchange Commission Alleges Fraud and Internal Control Failures

After an extensive investigation, the SEC filed a lawsuit on Monday, October 30, 2023, against SolarWinds Corp. and its Chief Information Security Officer (CISO), Timothy G. Brown, alleging that SolarWinds committed fraud by misrepresenting its cybersecurity practices to investors and understating known vulnerabilities in its systems.

The SEC alleges that SolarWinds disclosed only vague and hypothetical risks to its investors when, internally, the company had acknowledged specific cybersecurity deficiencies and escalating risks. Evidence cited by the SEC includes an internal presentation created by a SolarWinds engineer and shared with Brown in 2018, which stated that the company’s remote access configuration was “not very secure” and that exploitation of the vulnerabilities could result in “major reputation and financial loss”. Further presentations from 2018 and 2019 were also cited, in which Brown himself expressed concerns about the company’s security posture.

Internal communications in 2019 and 2020 questioned whether SolarWinds was able to protect its critical assets from cyberattacks, and in June 2020 Brown expressed concern that SolarWinds software could be used as a vector for a much larger attack on its clients. In September 2020, Brown was also notified that the volume of security issues identified in the previous month exceeded the capacity of the engineering teams to address them. According to the SEC, some of the vulnerabilities known to SolarWinds but not disclosed to its investors were exploited by Nobelium in the Orion supply chain attack.

The SEC alleges that SolarWinds was aware of the vulnerabilities and risks, that Brown failed to address them adequately, and that the company could not provide reasonable assurances that its most important assets were adequately protected. Further, in December 2020, the company failed to disclose complete information about the SUNBURST attack, resulting in a 25% drop in stock price within 2 days of the disclosure, and a 35% fall in its stock price by the end of the month.

“From at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks,” explained the SEC in a press release announcing the charges against SolarWinds.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company,’” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

The 68-page complaint was filed in the Southern District of New York and alleges violations of the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. The defendants are also alleged to have violated reporting and internal controls provisions of the Exchange Act, and that Brown aided and abetted the company’s violations. The SEC seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.

A spokesperson for SolarWinds provided a statement to The HIPAA Journal about the SEC lawsuit. “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”

The post SEC Sues SolarWinds over 2019 Cyberattack Alleging Company Defrauded Investors appeared first on HIPAA Journal.

Doctors’ Management Services Settles OCR HIPAA Probe for $100,000

The HHS’ Office for Civil Rights (OCR) has agreed to a $100,000 settlement with Doctors’ Management Services to resolve an investigation of a ransomware attack and data breach that uncovered multiple potential violations of the HIPAA Security Rule.

Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS identified an intrusion on December 24, 2018, when GandCrab ransomware was used to encrypt files on its network. The forensic investigation confirmed the attackers first gained access to its network on April 1, 2017.

According to DMS, the threat actor gained access to its network via Remote Desktop Protocol (RDP) on one of its workstations and potentially obtained names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and diagnostic information. The breach was reported to OCR on April 22, 2019, as affecting up to 206,695 individuals.

OCR investigated the breach to determine whether DMS had complied with the HIPAA Rules and identified multiple potential violations. In addition to the impermissible disclosure of the protected health information of 206,695 individuals, OCR determined that DMS had failed to conduct an accurate and thorough risk analysis to assess the technical, physical, and environmental risks and vulnerabilities associated with its handling of ePHI.

DMS was also found to have failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. OCR also determined that DMS had not implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.
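The review of audit logs that OCR found lacking can be partly automated. The script below is an added example, not code from OCR, DMS, or HIPAA Journal: it reads Windows Security logon events (4624 logon succeeded, 4625 logon failed, with logon type 10 meaning RDP) and flags bursts of failed logons from one source, successful RDP logons from outside the network, and a success that follows a run of failures. The event records, IP addresses, and the threshold and window values are constructed for illustration and are assumptions.

```python
"""Review Windows Security logon events for signs of RDP abuse.

Added example; not code from OCR, DMS, or HIPAA Journal. The records below
are constructed and mimic the data fields of Windows Security events 4624
(logon succeeded) and 4625 (logon failed), one JSON object per line.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a password-guessing burst against RDP from a
# (made-up) external address, a success from that address, then two
# ordinary logons from inside the network.
SAMPLE_EVENTS = """\
{"time": "2018-12-20T02:11:05", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "185.10.20.30"}
{"time": "2018-12-20T02:11:09", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "185.10.20.30"}
{"time": "2018-12-20T02:11:14", "EventID": 4625, "LogonType": 10, "TargetUserName": "billing", "IpAddress": "185.10.20.30"}
{"time": "2018-12-20T02:11:20", "EventID": 4625, "LogonType": 10, "TargetUserName": "billing1", "IpAddress": "185.10.20.30"}
{"time": "2018-12-20T02:11:27", "EventID": 4625, "LogonType": 10, "TargetUserName": "billing2", "IpAddress": "185.10.20.30"}
{"time": "2018-12-20T02:11:33", "EventID": 4624, "LogonType": 10, "TargetUserName": "billing2", "IpAddress": "185.10.20.30"}
{"time": "2018-12-20T08:02:41", "EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.0.5.23"}
{"time": "2018-12-20T08:15:00", "EventID": 4624, "LogonType": 2, "TargetUserName": "jsmith", "IpAddress": "127.0.0.1"}
"""

RDP_LOGON_TYPE = 10                    # RemoteInteractive (Terminal Services / RDP)
FAILURE_THRESHOLD = 5                  # assumed: this many 4625s from one source ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... within this window counts as a brute-force attempt


def parse_events(text):
    """Parse JSON-lines event records and convert timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            e = json.loads(line)
            e["time"] = datetime.fromisoformat(e["time"])
            events.append(e)
    return events


def is_external(ip):
    """True for a routable address outside RFC 1918, loopback and link-local ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # Windows logs "-" when no network address applies
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def review_logons(events):
    """Return (kind, source_ip, detail) findings in chronological order."""
    findings = []
    failures = defaultdict(list)  # source IP -> times of recent 4625 events
    for e in sorted(events, key=lambda ev: ev["time"]):
        ip = e.get("IpAddress", "-")
        user = e.get("TargetUserName", "?")
        if e["EventID"] == 4625:
            window = failures[ip]
            window.append(e["time"])
            while window and e["time"] - window[0] > FAILURE_WINDOW:
                window.pop(0)  # forget failures older than the window
            if len(window) == FAILURE_THRESHOLD:
                findings.append(("brute_force", ip,
                                 f"{len(window)} failed logons within {FAILURE_WINDOW}"))
        elif e["EventID"] == 4624 and e["LogonType"] == RDP_LOGON_TYPE:
            if is_external(ip):
                findings.append(("external_rdp_logon", ip,
                                 f"{user} logged on via RDP at {e['time'].isoformat()}"))
            recent = [t for t in failures.get(ip, []) if e["time"] - t <= FAILURE_WINDOW]
            if recent:
                findings.append(("success_after_failures", ip,
                                 f"{user} succeeded after {len(recent)} failures"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in review_logons(parse_events(SAMPLE_EVENTS)):
        print(f"{kind:24} {ip:16} {detail}")
```

On the constructed sample this reports three findings, all from the same external address: the five-failure burst, the successful RDP logon from outside the network, and the success that followed the failures; the two internal logons produce nothing. In practice the same logic would run over events exported from the Security log of each RDP-exposed host, and any external RDP logon at all is worth an alert, since RDP should not be reachable from the Internet in the first place.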

DMS agreed to settle the investigation with no admission of liability. Under the terms of the settlement, DMS has agreed to pay a $100,000 financial penalty and implement a corrective action plan (CAP) to resolve the potential HIPAA violations identified by OCR. The CAP includes requirements to update its risk analysis, risk management program, HIPAA Privacy and Security Rule policies and procedures, and workforce HIPAA training. In its settlement announcement, OCR also recommended several cybersecurity best practices that all HIPAA-regulated entities should implement to prevent and mitigate cyber threats.

OCR said this is the first HIPAA settlement it has reached in response to a ransomware attack. Given that ransomware attacks reported to OCR have increased by 278% since 2018, it is unlikely to be the last. “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

October is Cybersecurity Awareness Month, and in recognition, OCR released a cybersecurity video that explains how HIPAA Security Rule compliance can help healthcare organizations improve their defenses against cyberattacks and block the most common attack vectors. CISA and the HHS have also recently released a cybersecurity toolkit, which includes key cybersecurity tools, training material, and other resources for strengthening security posture and keeping up to date on the latest threats. This month, CISA released a log management tool to help under-resourced organizations reduce their log management burden and search for signs of compromise, and CISA, the NSA, FBI, and MS-ISAC have issued joint guidance on blocking phishing.

It has never been more important to ensure appropriate cybersecurity measures are in place, given the 239% increase in data breaches due to hacking in the past 4 years and the extent to which healthcare records are now being breached. Breached records are up 60% on last year and, at the time of writing, 88 million healthcare records are known to have been breached so far in 2023.

HHS Publishes Proposed Rule Establishing Information Blocking Disincentives for Healthcare Providers

The Centers for Medicare and Medicaid Services (CMS) at the Department of Health and Human Services (HHS) has published a long-awaited proposed rule that establishes disincentives for healthcare providers that have committed information blocking, as called for by the 21st Century Cures Act. Information blocking is defined as knowingly or unreasonably interfering with the access, exchange, or use of electronic health information, except as required by law or covered by a regulatory exception.

The Cures Act requires the Office of Inspector General (OIG) to refer healthcare providers that OIG determines have committed information blocking to the appropriate agency, to be subject to appropriate disincentives under applicable Federal law, as set forth by the Secretary through notice and comment rulemaking. On June 27, 2023, the HHS OIG published its final rule implementing information blocking penalties of up to $1 million per violation for developers of certified health IT and other entities offering certified health IT, health information exchanges, and health information networks. The rule took effect on August 2, 2023.

The latest HHS proposed rule establishes penalties for healthcare providers found to have committed information blocking. The proposed disincentives are as follows:

  • Medicare Promoting Interoperability Program: An eligible hospital or critical access hospital (CAH) would not be a meaningful electronic health record (EHR) user in an applicable EHR reporting period. The impact on eligible hospitals would be the loss of 75 percent of the annual market basket increase; for CAHs, payment would be reduced to 100 percent of reasonable costs instead of 101 percent.
  • Promoting Interoperability performance category of the Merit-based Incentive Payment System (MIPS): An eligible clinician or group would not be a meaningful user of certified EHR technology in a performance period and would therefore receive a zero score in the Promoting Interoperability performance category of MIPS, if required to report on that category. The Promoting Interoperability performance category score typically can be a quarter of a clinician or group’s total MIPS score in a year.
  • Medicare Shared Savings Program: A health care provider that is an Accountable Care Organization (ACO), ACO participant, or ACO provider or supplier would be deemed ineligible to participate in the program for a period of at least one year. This may result in a healthcare provider being removed from an ACO or prevented from joining an ACO.

The proposed rule is scheduled for publication in the Federal Register on November 1, 2023, followed by a 60-day comment period. Comments must be submitted no later than 11:59 p.m. on January 2, 2024, and will be made available for public inspection. The HHS will consider all comments before publishing the final rule, which is expected later in 2024. The Office of the National Coordinator for Health Information Technology (ONC) and the CMS will host an information session about the proposed rule in the coming weeks.

“HHS is committed to developing and implementing policies that discourage information blocking to help people and the health providers they allow to have access to their electronic health information,” said HHS Secretary Xavier Becerra. “We are confident the disincentives included in the proposed rule, if finalized, will further increase the appropriate sharing of electronic health information and establish a framework for potential additional disincentives in the future.”

Wright & Filippis Proposes $2.9 Million Class Action Data Breach Settlement

Wright & Filippis, a Michigan-based provider of prosthetics, orthopedics, and accessibility solutions, has proposed a $2.9 million settlement to resolve claims it failed to protect the personal information of 877,584 individuals.

In January 2022, Wright & Filippis fell victim to a ransomware attack. Its security software detected the attack but was unable to prevent file encryption. The forensic investigation confirmed the attackers had access to parts of its network containing the protected health information of more than 877,500 individuals, including names, dates of birth, Social Security numbers, financial account numbers, and health insurance information.

Wright & Filippis determined on or around May 2, 2022, that protected health information had been exposed, and issued notifications to the affected individuals. In the days and weeks following notification, 8 putative class action lawsuits were filed, which were later consolidated into a single lawsuit – In Re Wright & Filippis, LLC Data Security Breach Litigation – in the U.S. District Court for the Eastern District of Michigan, Southern Division.

The plaintiffs alleged that Wright & Filippis was negligent in failing to implement reasonable and appropriate security measures to protect patients’ sensitive data, and then unnecessarily delayed issuing breach notifications. Wright & Filippis denied the allegations. The plaintiffs alleged that they had suffered injury as a result of Wright & Filippis’s negligence, including theft of their information, identity theft, imminent injury from fraud, damages from the delayed notifications, out-of-pocket expenses, lost time mitigating the effects of the data breach, and increased costs related to reductions in their credit scores, including higher costs for borrowing and insurance.

Legal counsel for the defendant sought to have the case dismissed, and following the response of the plaintiffs, all parties agreed to mediate the case to see if an early resolution could be reached. A $2.9 million settlement was negotiated to cover administrative expenses, notice, costs, and fee and service awards. Under the terms of the settlement, class members can submit a claim for up to $5,000 to cover documented losses and a claim for credit monitoring services. Alternatively, class members can choose to receive a cash payment. The cash payment will come from whatever is left of the settlement fund after class benefits, settlement administration fees, attorneys’ fees and costs, and service awards have been paid. Lead plaintiffs will receive a service award of $1,500.

The settlement is awaiting preliminary approval from the court and a date for a final fairness hearing has been requested. The plaintiffs were represented by attorneys from the Miller Law Firm, Migliaccio & Rathod LLP, Shub & Johns LLC, Milberg Coleman Bryson Phillips Grossman PLLC, Sommers Schwartz, PC, Lynch Carpenter LLP, Adam Taub Assoc. Consumer Law Group, Mason LLP, Aronowitz Law Firm PLLC, Wilshire Law Firm PLC, Zimmerman Reed LLP, and The Johnson Firm.

September 2023 Healthcare Data Breach Report

September was a much better month for healthcare data privacy, with the lowest number of reported healthcare data breaches since February 2023. In September, 48 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is well below the 12-month average of 57 data breaches a month.

For the second successive month, there was a fall in the number of breached records, which dropped 36.6% month-over-month. Across the 48 reported data breaches, the protected health information of 7,556,174 individuals was exposed or impermissibly disclosed. September’s total was below the 12-month average of 7,906,890 records per month, but this year has seen two particularly bad months for data breaches. More healthcare records were exposed in May and June than were exposed in all of 2020!

The high number of breached records can partly be attributed to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit solution, which is used by healthcare organizations and their business associates for transferring files. According to Emsisoft, which has been tracking the MOVEit data breaches, 2,553 organizations were affected by the attacks globally, and 19.2% of those were in the health sector. Most of these breaches are now believed to have been reported.

Largest Healthcare Data Breaches in September 2023

There were 16 data breaches reported in September that involved 10,000 or more records, four of which – including the largest data breach of the month – were due to the mass exploitation of the vulnerability that affected the MOVEit Transfer and MOVEit Cloud solutions (CVE-2023-34362). The healthcare industry continues to be targeted by ransomware and extortion gangs, including Clop, Rhysida, Money Message, NoEscape, Karakurt, Royal, and ALPHV (BlackCat). Three of the 10,000+ record data breaches were confirmed as ransomware attacks, although several more are likely to have involved ransomware or extortion. It is common for HIPAA-covered entities not to disclose details of hacking incidents.

While hacking incidents often dominate the headlines, the healthcare industry suffers more insider breaches than other sectors, and September saw a major insider breach at a business associate. An employee of the business associate Maximus was discovered to have emailed the protected health information of 1,229,333 health plan members to a personal email account.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach
Arietis Health, LLC | FL | Business Associate | 1,975,066 | Hacking/IT Incident | MOVEit Hack (Clop)
Virginia Dept. of Medical Assistance Services | VA | Health Plan | 1,229,333 | Hacking/IT Incident | Employee of a business associate (Maximus) emailed documents to a personal email account
Nuance Communications, Inc. | MA | Business Associate | 1,225,054 | Hacking/IT Incident | MOVEit Hack (Clop)
International Business Machines Corporation | NY | Business Associate | 630,755 | Unauthorized Access/Disclosure | MOVEit Hack (Clop)
Temple University Health System, Inc. | PA | Healthcare Provider | 430,381 | Hacking/IT Incident | Hacking incident at business associate (no information released)
Prospect Medical Holdings, Inc. | CA | Business Associate | 342,376 | Hacking/IT Incident | Rhysida ransomware attack
United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 315,915 | Unauthorized Access/Disclosure | MOVEit Hack (Clop)
Oak Valley Hospital District | CA | Healthcare Provider | 283,629 | Hacking/IT Incident | Hacked network server
Bienville Orthopaedic Specialists LLC | MS | Healthcare Provider | 242,986 | Hacking/IT Incident | Hacked network server (data theft confirmed)
Amerita | KS | Healthcare Provider | 219,707 | Hacking/IT Incident | Ransomware attack on parent company (PharMerica) by Money Message group
Community First Medical Center | IL | Healthcare Provider | 216,047 | Hacking/IT Incident | Hacked network server
OrthoAlaska, LLC | AK | Healthcare Provider | 176,203 | Hacking/IT Incident | Hacking incident (no information released)
Acadia Health, LLC d/b/a Just Kids Dental | AL | Healthcare Provider | 129,463 | Hacking/IT Incident | Ransomware attack – Threat group confirmed data deletion
Founder Project Rx, Inc. | TX | Healthcare Provider | 30,836 | Hacking/IT Incident | Unauthorized access to email account
Health First, Inc. | FL | Healthcare Provider | 14,171 | Hacking/IT Incident | Unauthorized access to email account
MedMinder Systems, Inc. | MA | Healthcare Provider | 12,146 | Hacking/IT Incident | Hacked network server

Data Breach Types and Data Locations

Hacking and other IT incidents continue to dominate the breach reports. In September, hacking/IT incidents accounted for 81.25% of all reported data breaches of 500 or more records (39 incidents) and 87.23% of the exposed or stolen records (6,591,496 records). The average data breach size was 169,013 records and the median data breach size was 4,194 records.

There were 9 data breaches classified as unauthorized access/disclosure incidents, across which 964,678 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 107,186 records and the median breach size was 2,834 records.

There were no reported incidents involving the loss or theft of paper records or electronic devices containing ePHI, and no reported incidents involving the improper disposal of PHI.

Given the large number of hacking incidents, it is no surprise that network servers were the most common location of breached protected health information. 7 incidents involved unauthorized access to email accounts.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in September, with 30 healthcare providers reporting data breaches. There were 11 data breaches reported by business associates and 7 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered a data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate.

To better reflect this and to avoid underrepresenting business associates in the healthcare data breach statistics, the figures below are based on where each data breach occurred rather than on the entity that reported it.

Business associate data breaches are often severe: if a hacker gains access to the network of a business associate, the data of all of that business associate’s clients is at risk. In September, breaches that occurred at business associates accounted for 5,864,823 of the breached records (median breach size: 2,729 records), breaches at healthcare providers for 1,372,101 records (median: 7,267 records), and breaches at health plans for 319,250 records (median: 2,834 records).

Geographical Distribution of Data Breaches

Healthcare data breaches of 500 or more records were reported by HIPAA-regulated entities in 24 states. California, Florida, and New York were the worst affected states with 4 breaches each.

State | Breaches
California, Florida & New York | 4
Georgia, Illinois & Texas | 3
Alabama, Connecticut, Massachusetts, Minnesota, Mississippi, Missouri, New Jersey, Pennsylvania & Virginia | 2
Arizona, Arkansas, Indiana, Kansas, Kentucky, Maryland, Nevada, North Carolina & Tennessee | 1

HIPAA Enforcement Activity in September 2023

All healthcare data breaches of 500 or more records are investigated by OCR to determine whether they resulted from non-compliance with the HIPAA Rules. OCR has a backlog of investigations due to budgetary constraints, and HIPAA violation cases can take years to resolve. In September, OCR announced that its investigation of L.A. Care Health Plan had concluded with a settlement. The case dates back to March 2014, when an online media source reported that members of the health plan were able to access the PHI of other members via its online member portal. The breach was reported to OCR as affecting fewer than 500 plan members, and OCR launched a compliance review in February 2016. Three years later, another breach was reported, this time a mailing error affecting 1,498 plan members.

OCR’s investigation found multiple potential violations of the HIPAA Rules: a risk analysis failure, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental and operational changes, insufficient recording and examination of activity in information systems, and an impermissible disclosure of the ePHI of 1,498 individuals. The case was settled, and L.A. Care Health Plan agreed to adopt a corrective action plan and pay a $1,300,000 penalty.

State attorneys general are also authorized to investigate healthcare data breaches and fine organizations for HIPAA violations. From 2019 to 2022, there were relatively few financial penalties imposed for HIPAA violations or equivalent violations of state laws, but there has been a significant increase in enforcement actions in 2023. Between 2019 and 2022 there were 12 enforcement actions by state attorneys general that resulted in financial penalties. 11 penalties have been imposed so far in 2023.

In September, three settlements were announced by state attorneys general. The first, and the largest, was in California, which fined Kaiser Foundation Health Plan, Inc. and Kaiser Foundation Hospitals $49 million. Kaiser was found to have violated state law by improperly disposing of hazardous waste, and HIPAA and state law by disposing of protected health information in regular trash bins.

The Indiana Attorney General announced that a settlement had been reached with Schneck Medical Center following an investigation of a data breach involving the PHI of 89,707 Indiana residents. The settlement resolved alleged violations of the HIPAA Privacy, Security, and Breach Notification Rules, the Indiana Disclosure of Security Breach Act, and the Indiana Deceptive Consumer Sales Act. Schneck Medical Center paid a $250,000 penalty and agreed to improve its security practices.

The Colorado Attorney General announced that a settlement had been reached with Broomfield Skilled Nursing and Rehabilitation Center over a breach of the protected health information of 677 residents. The settlement resolved alleged violations of HIPAA data encryption requirements, state data protection laws, and deceptive trading practices. A penalty of $60,000 was paid to resolve the alleged violations, with $25,000 suspended, provided corrective measures are implemented.

Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million

Inmediata has agreed to a $1.4 million settlement to resolve a multi-state investigation of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state breach notification laws.

On January 15, 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) notified the Puerto Rico-based healthcare clearinghouse that a server containing the protected health information that it maintained had not been properly secured, resulting in files being indexed by search engines that could be found, accessed, and downloaded by anyone with Internet access. The files on the server contained the protected health information of 1,565,338 individuals and some of those files dated as far back as May 2016.

The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notifications to individuals affected by a data breach without undue delay and no later than 60 days from the discovery of a data breach. Despite being notified about the breach by OCR, the primary HIPAA regulator, Inmediata waited three months to mail notification letters, and when notification letters were mailed, a mailing error occurred, resulting in letters being sent to incorrect addresses.

Many Americans are unaware of the services provided by healthcare clearinghouses, as they have no direct contact with them. Healthcare clearinghouses such as Inmediata facilitate transactions between healthcare providers and insurers and are HIPAA-covered entities, which means they must comply fully with the HIPAA Privacy, Security, and Breach Notification Rules. The multi-state investigation also found that the notification letters lacked clarity, which left some consumers confused about why Inmediata had their data and led some to dismiss the letters as illegitimate.

The multi-state investigation was led by the Indiana Attorney General, assisted by an Executive Committee consisting of the attorneys general in Connecticut, Michigan, and Tennessee. Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia and Wisconsin also participated.

The attorneys general alleged violations of the HIPAA Security Rule for failing to implement reasonable and appropriate data security safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, a failure to conduct a secure code review at any point prior to the data breach, and violations of the HIPAA Breach Notification Rule and state data breach notification laws for failing to provide the affected individuals with timely and complete information about the data breach.

The $1.4 million settlement will be divided among the participating states and Inmediata has also agreed to strengthen its data security and breach notification practices. The requirements include the implementation and maintenance of a comprehensive information security program, which must include secure code reviews and search engine crawling controls. An incident response plan must also be developed that includes specific policies and procedures regarding consumer notification letters, and Inmediata must undergo annual third-party security assessments for the next five years. Last year, Inmediata settled a class action lawsuit over the data breach for $1.125 million.

“Inmediata maintained some of our most sensitive and private health information and they had an obligation to keep it secure. Their coding error left sensitive patient information exposed on public online searches for months, with no notification to impacted patients. Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements. Our multistate settlement forces Inmediata to pay a significant fine and requires strong security practices going forward to ensure these types of inexcusable security lapses never occur again,” said Connecticut Attorney General, William Tong.

The post Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million appeared first on HIPAA Journal.

Governor Newsom Signs California Delete Act into Law

On October 10, 2023, California Governor Gavin Newsom signed the Delete Act (Senate Bill 362) into law. The bill was introduced in April 2023 by Senator Josh Becker to give California residents greater control over their personal information and how it is used by data brokers. Data brokers sell millions of consumers’ data points to the highest bidder. That information includes purchasing data, which can be accessed by retailers and used to serve targeted ads. More sensitive information may also be collected and sold, such as geolocation information and even reproductive health information.

The new law will allow state residents to request that data brokers delete their personal data and/or forbid them from selling or sharing their personal data. Since 2018, Californians have had similar rights, but in order to exercise them they were required to make requests to each individual data broker. Since there are almost 500 data brokers operating in California, exercising those rights would be a time-consuming process.

The Delete Act simplifies that process, as it calls for the California Privacy Protection Agency (CPPA) to develop a mechanism for allowing California residents to exercise their rights, which should be made available on a single page on its website. Consumers will be able to submit a single request for all data brokers to delete their personal information and prohibit them from selling or sharing that information. The CPPA has been given until January 1, 2026, to implement the feature on its website.

By August 1, 2026, data brokers will be required to check for any new requests at least once every 45 days and process those requests. The bill will not prohibit a data broker from continuing to collect the personal data of consumers who have exercised their rights, but once a request has been made via the CPPA, the data broker will be required to delete any new data that is collected at least once every 45 days. The data broker would not be permitted to sell or share a consumer’s data once a request has been made.

The Delete Act takes the definition of data broker from the California Consumer Privacy Act of 2018, which classes data brokers as companies with gross revenues of more than $25 million in the previous year, that buy, sell, or share the personal information of 100,000 or more consumers or households each year, provided that at least 50% of the company’s annual revenue comes from the sale of personal information.

From January 1, 2028, and every 3 years thereafter, data brokers would be required to undergo an independent third-party audit to determine whether they are compliant with the Delete Act and submit the audit report to the CPPA on request. Any data broker found not to be compliant with the Delete Act would be liable for administrative fines, fees, expenses, and costs.

While the Delete Act will provide consumers with greater control over their personal data, it has significant exemptions. The definition of data broker means some companies that collect and sell considerable amounts of consumer data would be exempt and not subject to any deletion requests. Data brokers are likely to have to overcome technological challenges to comply, and critics say the law will place an undue burden on data brokers and could even undermine California’s digital economy. If large numbers of California residents exercise their rights, it will make it hard for small businesses to find new customers, as they will no longer be able to rely on data-driven advertising.

The signing of the bill has been welcomed by the CPPA. “We applaud Governor Newsom for signing SB 362, the California Delete Act, which the CPPA Board unanimously voted to support in July. SB 362 is consistent with CPPA’s mission to further Californians’ privacy by making it easier for consumers to exercise their rights,” said Ashkan Soltani, Executive Director of the CPPA. “Similar to the California Consumer Privacy Act’s existing requirement for businesses to honor opt-out preference signals, the ‘accessible deletion mechanism’ is another privacy innovation that further cements California’s leadership in technology policy and consumer protection.”

The post Governor Newsom Signs California Delete Act into Law appeared first on HIPAA Journal.

Patient Consent Not Required for Disclosures of PHI for Fundraising, Rules Minnesota Supreme Court

Healthcare organizations in Minnesota are permitted to use patient data for fundraising purposes without obtaining patient consent, according to Minnesota Supreme Court Chief Justice Natalie Hudson.

The Supreme Court was petitioned to review a lower court’s decision to dismiss a lawsuit against Children’s Health Care, which does business as Children’s Hospital and Clinics (Children’s). Legal action was taken against Children’s following a data breach at a third-party vendor that was used for fundraising purposes. The plaintiffs, Kelly and Evarist Schneider, were informed that their child’s name, age, date of birth, and treatment details were in the healthcare provider’s fundraising database and had potentially been compromised. They believed the hospital should have obtained permission before disclosing their child’s protected health information to the foundation’s fundraising database and argued that the disclosure violated the Minnesota Health Records Act (MHRA).

The case concerned the interpretation of the MHRA, which prohibits the disclosure of protected health information without “specific authorization in law.” Children’s moved to have the lawsuit dismissed and argued that the federal Health Insurance Portability and Accountability Act (HIPAA) is a specific authorization in law and that HIPAA permits the disclosure of protected health information for fundraising purposes without patient consent.

The district court denied Children’s motion to dismiss, as while HIPAA was determined to be a specific authorization in law under the MHRA, it was unclear whether Children’s had complied with the privacy notice requirements of the HIPAA Privacy Rule. Children’s moved for summary judgment, which the district court granted. The district court reiterated its conclusion that the disclosure was permitted under the MHRA and HIPAA and found there was no dispute about whether the required privacy practices had been provided. The court of appeals affirmed the district court’s ruling.

The plaintiffs argued that states are permitted to implement more stringent privacy regulations than HIPAA and that the MHRA preempted the HIPAA fundraising exception; however, the court of appeals rejected that argument as the MHRA was determined not to be more stringent than HIPAA with respect to disclosures of protected health information for fundraising purposes. The plaintiffs petitioned the Supreme Court for review on whether the MHRA’s reference to a “specific authorization in law” includes the fundraising exception in the HIPAA Privacy Rule. Chief Justice Hudson ruled that the HIPAA Privacy Rule permits a hospital to disclose a patient’s protected health information to a foundation or business associate for fundraising purposes without requiring patient consent and that HIPAA is a “specific authorization in law” under the Minnesota Health Records Act.

The post Patient Consent Not Required for Disclosures of PHI for Fundraising, Rules Minnesota Supreme Court appeared first on HIPAA Journal.

First Lawsuit Filed Over 23andMe Data Breach

On Friday, October 6, 2023, 23andMe, a direct-to-consumer genetic testing company that offers ancestry and health reports, confirmed that it was investigating a cyberattack that resulted in unauthorized individuals gaining access to certain customer accounts. The announcement about the 23andMe data breach came a few days after stolen data started to be listed for sale on a dark net marketplace.

In the website announcement, 23andMe said it had launched an investigation and engaged third-party forensics experts to assist, and that the investigation is ongoing. The preliminary results suggest there has not been a breach of its systems; 23andMe said in the breach notice that an unauthorized third party obtained certain information from users’ accounts. The website notice did not mention that stolen data had been listed for sale, although the company confirmed to certain media outlets that it is in the process of validating the listed data. The stolen data included names, sex, date of birth, genetic ancestry results, profile photos, and geographical location that had been gathered from the DNA Relatives feature, but does not appear to have included any raw genetic data. The hacker claims to have obtained millions of data profiles, which are being offered for sale. The listings were first identified by a researcher on October 4, 2023.

“While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” explained 23andMe in its website notice. “We believe the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service.”

23andMe explained that it monitors accounts for unauthorized access and investigates suspicious activity, that its security measures exceed industry data protection standards, that it has attained multiple ISO certifications, and that it has offered users of the service multifactor authentication since 2019. The website notice was updated on October 9, 2023: “We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA).”

On Monday, October 9, 2023, a lawsuit – Santana v. 23andMe Inc. – was filed in the U.S. District Court for the Northern District of California on behalf of plaintiffs Monica Santana and Paula Kleynburd who allege negligence, invasion of privacy, unjust enrichment, and breach of implied contract. The plaintiffs are represented by the law firm, Edelsberg Law PA.

According to the lawsuit, “23andMe attempts to redirect the blame on to the criminal actors that gained access to Defendant’s customer accounts, in violation of their Terms of Service, while avoiding mention that their safeguards were inadequate,” and also alleges “23andME fails to state if they were able to contain or end the cybersecurity threat, leaving victims to fear whether the PII that 23andMe continues to maintain is secure and 23andMe fails to state how the breach itself occurred.”

The lawsuit alleges 23andMe was negligent for failing to implement reasonable and appropriate safeguards to protect sensitive user data, that it maintained users’ personally identifiable information in a reckless manner, did not protect its systems against unauthorized intrusions, did not take reasonable steps to prevent data breaches, did not provide adequate training to its staff, and despite publishing a notice on its website two days after a breach was known to have occurred, failed to provide timely notice of the data breach.

The lawsuit alleges the plaintiff and class members “suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses, loss of value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of, and diminution in, value of their PII.” The lawsuit seeks class action certification, a jury trial, actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest.

The data breach highlights the risks of reusing passwords across multiple accounts. If there is a data breach on one platform, the stolen usernames and passwords can be used to access every other account where the same login credentials were used. These attacks are termed credential stuffing attacks; they are common and are one of the easiest ways for hackers to gain access to sensitive data. Using a unique password for each account prevents them. Multifactor authentication adds an extra layer of security against these attacks, as an additional authentication factor must be provided in addition to a username and password before access to the account is granted.

Setting strong and unique passwords and implementing multifactor authentication are the first two of the four cybersecurity measures being promoted this Cybersecurity Awareness Month. The 23andMe data breach clearly demonstrates why these two cybersecurity measures are so important.
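The credential-stuffing pattern described above leaves a recognisable trace in authentication logs: one source address cycling through many different usernames in a short period, with most attempts failing. The following is an added example, not code from the original post or from 23andMe, that scans a constructed login log for such sources and then lists the accounts a flagged source logged into successfully without MFA enrolled, which are the accounts where a reused password alone was enough and a forced reset is warranted. The log format, field names, thresholds and sample addresses are all assumptions made for the example.

```python
"""Credential-stuffing detection over a constructed authentication log (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not real data. Assumed line format:
#   <ISO-8601 UTC timestamp> <source IP> <username> <success|fail> mfa=<yes|no>
# The mfa flag records whether the account has MFA enrolled.
SAMPLE_LOG = """\
2023-10-04T02:00:00Z 203.0.113.7 alice@example.com fail mfa=no
2023-10-04T02:00:01Z 203.0.113.7 bob@example.com fail mfa=no
2023-10-04T02:00:02Z 203.0.113.7 carol@example.com success mfa=no
2023-10-04T02:00:03Z 203.0.113.7 dave@example.com fail mfa=no
2023-10-04T02:00:04Z 203.0.113.7 erin@example.com fail mfa=no
2023-10-04T02:00:05Z 203.0.113.7 frank@example.com fail mfa=yes
2023-10-04T02:00:06Z 203.0.113.7 grace@example.com fail mfa=no
2023-10-04T08:15:00Z 198.51.100.4 alice@example.com success mfa=yes
2023-10-04T09:02:10Z 203.0.113.9 dave@example.com fail mfa=no
2023-10-04T09:02:25Z 203.0.113.9 dave@example.com success mfa=no
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool
    mfa_enrolled: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one line of the assumed log format."""
    ts, ip, user, result, mfa = line.split()
    return LoginEvent(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        src_ip=ip,
        user=user,
        success=(result == "success"),
        mfa_enrolled=(mfa == "mfa=yes"),
    )


def parse_log(text: str) -> list[LoginEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_stuffing_sources(
    events: list[LoginEvent],
    window: timedelta = timedelta(minutes=10),
    min_users: int = 5,
    min_fail_rate: float = 0.8,
) -> dict[str, tuple[int, int, int]]:
    """Flag source IPs that, within one sliding window, try many distinct
    usernames and mostly fail. Returns {ip: (distinct_users, attempts, failures)}
    for the worst window seen per flagged IP. Thresholds are illustrative."""
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged: dict[str, tuple[int, int, int]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        j = 0
        for i in range(len(evs)):
            j = max(j, i)
            # Extend j so that evs[i:j] holds every event within `window` of evs[i].
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            span = evs[i:j]
            distinct_users = len({e.user for e in span})
            failures = sum(1 for e in span if not e.success)
            if distinct_users >= min_users and failures / len(span) >= min_fail_rate:
                stats = (distinct_users, len(span), failures)
                if best is None or stats > best:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


def password_only_logins_from(events: list[LoginEvent], flagged_ips) -> list[str]:
    """Accounts successfully accessed from a flagged source with no MFA enrolled:
    a reused password alone granted access, so these need a forced reset."""
    return sorted({e.user for e in events
                   if e.src_ip in flagged_ips and e.success and not e.mfa_enrolled})


def analyze(log_text: str):
    events = parse_log(log_text)
    flagged = find_stuffing_sources(events)
    return flagged, password_only_logins_from(events, flagged)


if __name__ == "__main__":
    flagged, exposed = analyze(SAMPLE_LOG)
    for ip, (users, attempts, failures) in flagged.items():
        print(f"{ip}: {users} usernames tried, {failures}/{attempts} failed within window")
    print("password-only logins from flagged sources:", exposed)
```

On the sample log, 203.0.113.7 is flagged (seven usernames in seven seconds, six failures) and carol@example.com is reported as a password-only login from that source; the repeated failures for a single user from 203.0.113.9 are a mistyped password, not stuffing, and are not flagged. The same two rules (many distinct usernames per source, high failure rate) are what a rate limiter or WAF rule would key on, and the MFA-enrolled accounts are the ones the second check leaves alone.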

The post First Lawsuit Filed Over 23andMe Data Breach appeared first on HIPAA Journal.