Legal News

California Legislature Passes Bill Prohibiting the Sharing of Information About Abortions

The California Legislature has passed a bill (AB-1242) that prohibits companies in the state from complying with warrants from other states that seek information about individuals seeking or providing abortions.

The decision of the U.S. Supreme Court to overturn Roe v. Wade removed the federal right to obtain an abortion. Several states had trigger laws in place that made abortion illegal in the event of Roe v. Wade being overturned. A dozen states have already made abortion illegal for state residents and several other states are considering implementing similar restrictions.

There are fears that legal action could be taken against individuals in those states if they seek access to abortions in other states, and that attempts may be made by state attorneys general and law enforcement to obtain information about individuals seeking abortion in states where abortion remains legal. Under the existing law in California, records of individuals must be provided if a search warrant is issued upon certain grounds. The law change prohibits the issuance of such a warrant related to investigations of individuals seeking abortions or individuals providing abortions. The new bill also prohibits local police from assisting with investigations into abortions, including providing cellphone location information of women who travel to California to obtain abortions.

Specifically, the bill prohibits “the issuance of an ex parte order authorizing interception of wire or other electronic communication or an order, or extension of an order, authorizing or approving the installation and use of a pen register or trap and trace device for the purpose of investigating or recovering evidence of a prohibited violation.”

Prohibited violations are defined as “a violation of a law that creates liability for, or arising out of, either prohibiting, facilitating, or obtaining an abortion or intending or attempting to provide, facilitate, or obtain an abortion that is lawful under California law.”

In the event that a state wishes to issue a search warrant seeking the identity of individuals or the content of their communications, those states would be required to attest that the information being sought is in no way related to investigations of abortions. If any Californian company chooses to comply with any such request, the state attorney general would be permitted to sue the company for a violation of state law.

The bill now awaits the signature of California Governor Gavin Newsom. Newsom has until September 30, 2022, to sign the bill into law.

The post California Legislature Passes Bill Prohibiting the Sharing of Information About Abortions appeared first on HIPAA Journal.

FTC Sues Kochava Over Unlawful Collection and Sale of Sensitive Geolocation Data

The Federal Trade Commission (FTC) has sued the Idaho-based data broker Kochava for unlawfully collecting and selling the sensitive data of mobile users, in violation of the FTC Act. According to the lawsuit, Kochava has been collecting and selling consumers’ precise geolocation data along with information that allows individuals to be identified. The location data is accompanied by a Mobile Advertising ID (MAID), which is a unique identifier that is assigned to a consumer’s mobile device for advertising purposes. While it is possible for individuals to change the MAID, doing so requires a consumer to proactively reset the MAID on their mobile device.

Kochava’s customers can purchase a license to receive feeds of premium data that include timestamped latitude and longitude coordinates showing the location of mobile devices along with unique identifiers. The data is used for a variety of purposes, including for advertising and tracking foot traffic into retail outlets. While Kochava customers must pay a subscription to access the data, a sample of the data is provided free of charge that requires minimal steps to access – signing up for a free AWS account and receiving approval to access the sample from Kochava. No restrictions are placed on usage of the sample data. The sample spans a 7-day period, with the FTC stating in the lawsuit that one day’s worth of data in the free sample included 327,480,000 rows, 11 columns, and the data collected from more than 61,803,400 unique mobile devices.

“By plotting the latitude and longitude coordinates included in the Kochava data stream using publicly available map programs, it is possible to identify which consumers’ mobile devices visited reproductive health clinics,” said the FTC in the lawsuit. “Further, because each set of coordinates is time-stamped, it is also possible to identify when a mobile device visited the location. Similar methods may be used to trace consumers’ visits to other sensitive locations.” The FTC says some data brokers advertise services that match MAIDs with consumers’ names and physical addresses, although it would be possible to identify individuals without using those services based on the dwell time and frequency of visits to certain locations and from public records.

The FTC says Kochava has not implemented any technical controls to prevent its customers from identifying consumers or tracking visits to sensitive locations, such as a blacklist of sensitive locations (abortion clinics, mental healthcare providers, and addiction treatment centers) used to strip location data recorded at those sites before it is sold. The FTC’s analysis of the data sample determined that one device had visited a women’s reproductive health center and revealed that individual’s family residence.
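The kind of control the FTC describes, written here as an added example rather than anything from Kochava or the FTC complaint: a suppression filter over a feed of (MAID, timestamp, latitude, longitude) rows. The site coordinates, device identifiers, 100 m radius and 30-minute window are all constructed assumptions; the window also removes the same device’s observations shortly before and after an in-radius point, since the approach and departure would otherwise reveal the visit.

```python
"""Sensitive-location suppression filter for a geolocation data feed.

Constructed example: rows follow the shape described in the FTC complaint
(timestamped latitude/longitude plus a mobile advertising ID). Coordinates,
identifiers, radius and time window below are invented for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class LocationRow:
    maid: str          # mobile advertising identifier
    ts: datetime       # timestamp of the observation
    lat: float
    lon: float


@dataclass(frozen=True)
class SensitiveSite:
    name: str
    lat: float
    lon: float
    radius_m: float    # suppression radius around the site


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def near_sensitive_site(row, sites):
    """True when the observation falls inside any site's suppression radius."""
    return any(haversine_m(row.lat, row.lon, s.lat, s.lon) <= s.radius_m
               for s in sites)


def suppress_sensitive(rows, sites, window=timedelta(minutes=30)):
    """Return the rows that may be released.

    Pass 1 marks every observation inside a sensitive radius. Pass 2 drops
    those observations and, for the same device, every observation within
    `window` of a marked one, so the trajectory into and out of the site is
    not left in the feed. Note the remaining gap is itself a weak signal;
    a real deployment would also want to coarsen timestamps around it.
    """
    hits = {}   # maid -> timestamps of in-radius observations
    for r in rows:
        if near_sensitive_site(r, sites):
            hits.setdefault(r.maid, []).append(r.ts)
    kept = []
    for r in rows:
        if any(abs(r.ts - t) <= window for t in hits.get(r.maid, [])):
            continue
        kept.append(r)
    return kept


# Constructed sensitive site (coordinates are arbitrary, not a real clinic).
SITES = [SensitiveSite("clinic", 45.5200, -122.6800, 100.0)]


def sample_rows():
    """Constructed feed rows for two devices."""
    t0 = datetime(2022, 8, 1, 9, 0)
    return [
        LocationRow("maid-A", t0, 45.5000, -122.7000),                        # far away
        LocationRow("maid-A", t0 + timedelta(minutes=40), 45.5195, -122.6795),  # inside radius
        LocationRow("maid-A", t0 + timedelta(minutes=55), 45.5230, -122.6760),  # outside, but 15 min later
        LocationRow("maid-A", t0 + timedelta(hours=3), 45.5000, -122.7000),     # well after
        LocationRow("maid-B", t0 + timedelta(minutes=45), 45.5300, -122.6500),  # other device
    ]


if __name__ == "__main__":
    for r in suppress_sensitive(sample_rows(), SITES):
        print(r.maid, r.ts.isoformat(), r.lat, r.lon)
```

Of the five constructed rows, the in-radius observation and the same device’s observation 15 minutes later are dropped; the other three are released.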

The FTC alleges that the sale of sensitive geolocation data represents an unwarranted intrusion on the private lives of consumers and is likely to cause substantial injury. The lawsuit alleges Kochava’s business practices constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(a), and that consumers are suffering, have suffered, and will continue to suffer substantial injury as a result of Kochava’s FTC Act violations. The lawsuit is seeking an end to the sale of sensitive geolocation information and the deletion of all sensitive location data that Kochava has collected.

Earlier this month, Kochava filed a lawsuit in an attempt to counter the FTC lawsuit, in which the company stated that it had implemented a new feature on August 10, 2022, dubbed Privacy Block, which removes sensitive location data from its marketplace, including location data indicating visits to healthcare providers.


Avamere Holdings Facing Class Action Lawsuit Over 2022 Cyberattack

The Wilsonville, OR-based home health care service provider and nursing home operator, Avamere Holdings, is facing a class action lawsuit over a major data breach that affected 96 senior living and healthcare facilities and resulted in the exposure of the protected health information of more than 380,000 individuals.

The breach occurred at Avamere Health Services – a business associate of Avamere Holdings that provides information technology services. An unauthorized individual had access to the network of Avamere Health Services between January 19, 2022, and March 17, 2022, and exfiltrated files containing protected health information. While the nature of the attack was not disclosed, a ransomware group claimed credit for the attack and uploaded some of the stolen data to its data leak site.

The breach was reported to the Department of Health and Human Services as affecting 197,730 individuals, although some of the companies affected by the breach, such as Premere Infinity Rehab, issued their own breach notifications. At least 380,984 individuals are understood to have been affected by the data breach across more than 80 affiliated companies. Avamere Holdings has offered affected individuals complimentary credit monitoring services.

The class action lawsuit was filed by Portland, OR-based attorney, Nick Kahl, on behalf of a former Avamere employee, Kimberly Harvey Perry, who had her sensitive personal information exposed in the data breach. The lawsuit alleges Avamere Holdings failed to implement adequate security measures to prevent cybercriminals from accessing and stealing sensitive employee data, despite being aware of the threat of cyberattacks due to many industry warnings.

The lawsuit also takes issue with the delay in issuing notifications to affected individuals. The breach was detected on or around March 17, 2022, yet Avamere waited until July 13, 2022, to issue notifications to affected individuals. The lawsuit alleges the sensitive information of the plaintiff and class members is now in the hands of cybercriminals, including their names, contact information, Social Security numbers, bank account information, and health information and they now face an imminent and future risk of identity theft and fraud.

The plaintiff and class members are alleged to have suffered the loss of value of their private information, loss of benefit of their contractual bargain, and out-of-pocket expenses mitigating the effects of the attack and protecting against identity theft and fraud.


Humana & Cotiviti Settle Class Action Data Breach Lawsuit

Humana & Cotiviti have agreed to settle a class action lawsuit to resolve claims from individuals affected by a 2020 data breach that exposed the PHI of 64,654 individuals.

Humana had contracted with Cotiviti to assist with medical record requests to verify the data it reports to the HHS’ Centers for Medicare and Medicaid Services. In order to provide those services, Cotiviti was provided with the protected health information of certain plan members. Cotiviti used a subcontractor, Visionary, to review the medical records that were collected.

Between October 12, 2020, and December 16, 2020, a former employee of Visionary accessed its systems and obtained plan members’ data, which was provided to others in connection with a personal coding business. The data disclosed included plan members’ names, partial or full Social Security numbers, dates of birth, addresses, phone numbers, email addresses, member identification numbers, subscriber information numbers, dates of service, dates of death, provider names, medical record numbers, treatment information, and medical images.

A lawsuit was filed in response to the data breach – Steven K. Farmer v. Humana Inc. and Cotiviti – that alleged the defendants failed to properly protect plan members’ data and that the data breach has placed the plaintiffs at risk of identity theft and fraud. The decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Humana and Cotiviti have not admitted any wrongdoing.

Under the terms of the settlement, class members will be entitled to submit claims for out-of-pocket losses incurred in response to the data breach, up to a maximum of $5,250. Up to $250 can be claimed for ordinary losses, including up to 3 hours at a rate of $20 per hour. Claims may be submitted for up to $5,000 for extraordinary losses, such as losses due to the misuse of their data. Class members will also be entitled to a two-year membership to a credit monitoring and identity theft protection service. Humana & Cotiviti have also agreed to implement additional security measures to better protect customer information.

Class members have until November 15, 2022, to object to the settlement or exclude themselves. The final approval hearing is scheduled for February 8, 2023.


Digital Marketing and Analytics Company Files Lawsuit Against FTC Over Alleged Privacy Violations

A lawsuit has been filed against the Federal Trade Commission by Kochava, an Idaho-based digital marketing and analytics company that the FTC alleges has violated the Federal Trade Commission (FTC) Act with its data practices.

Kochava’s primary business unit provides mobile advertising attribution through customizable software tools, which are provided under the software-as-a-service model. The software allows its customers to obtain data points and analytics for digital marketing campaigns and applications. The second business unit is an aggregator of third-party provided mobile device data, which Kochava makes available through its data marketplace, the Kochava Collective.

Following the Supreme Court’s decision to overturn Roe v. Wade, privacy advocates have voiced their concern about the potential for data brokers and law enforcement in some states to collect information about individuals who visit reproductive health clinics to seek advice about abortions. Shortly after the Supreme Court’s decision, the FTC announced its commitment to fully enforce the law against the illegal use and sharing of highly sensitive data, such as the collection and use of consumer location data and illegal privacy practices with respect to reproductive healthcare data.

The Kochava Collective provides data feeds and audience targeting to clients for marketing purposes. The FTC alleges the Kochava Collective provides precise geolocation data that is associated with Mobile Advertising Identifiers (MAIDs), which means it is possible to identify and track consumers when they visit sensitive locations such as reproductive health clinics, therapist’s offices, medical facilities, and addiction recovery centers. The FTC also alleges that the data is time-stamped, so it is possible to tell exactly when an individual visited a location and that there are no technical controls in place to prohibit Kochava’s customers from tracking consumers when they visit those locations. The collection of latitude and longitude, IP address, and mobile advertising identifier information associated with consumers’ devices is a violation of the FTC Act, according to the FTC, which is seeking a permanent injunction against Kochava to prevent future FTC Act violations.

Kochava denies that its data can be used by its customers to identify and track individuals and claims that the FTC has misunderstood the services it provides. Kochava maintains that while the FTC is correct with respect to the collection of latitude and longitude, IP addresses, and MAIDs associated with consumer devices, those data elements are not received until days afterward, and the specific locations and consumers associated with MAIDs are not linked. Further, Kochava explains in the lawsuit that the FTC is wrong in its view that there are no technical controls in place to prevent its customers from tracking consumers when they visit sensitive locations. Kochava said it introduced a new capability on August 10, 2022, called Privacy Block, which allows its clients to shut off the collection of sensitive location data such as visits to healthcare providers.

Kochava maintains that it “operates consistently and proactively in compliance with all rules and laws, including those specific to privacy,” and that the FTC has threatened the company with a District Court lawsuit and a proposed settlement when both the lawsuit and settlement are based on inaccurate information. Kochava also alleges the FTC is overstepping its legal authority to enforce the FTC Act and is attempting to make the company a scapegoat in order to set a precedent across the ad tech industry. Kochava filed the lawsuit to get the Idaho federal court to intervene.


Webinar Today: 12/6/2022: How to Complete Your 2022 Risk Assessment

The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities and their business associates to complete a risk assessment. The purpose of the risk assessment is to identify and evaluate all risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). An annual risk assessment is also required by MACRA/MIPS.

Only by conducting a risk assessment is it possible to identify all risks to ePHI, evaluate them, prioritize them, and then subject them to the risk management process. Despite the importance of this element of HIPAA compliance, it is one of the most commonly cited HIPAA violations by the HHS’ Office for Civil Rights in its enforcement activities and HIPAA audits.

The risk assessment should not be viewed as a HIPAA compliance checkbox item to avoid financial penalties. Conducting a comprehensive HIPAA risk assessment will identify vulnerabilities before they are found and exploited by threat actors. Completing an annual HIPAA risk assessment will help HIPAA-regulated entities prevent costly data breaches as well as avoid regulatory fines.

To help you complete your 2022 HIPAA risk assessment and ensure you are fully compliant, Compliancy Group is hosting a webinar that provides an overview of everything you need to know about completing your 2022 risk assessment. Previous webinars have already helped many HIPAA-regulated entities ensure compliance with this important HIPAA requirement.

The 2022 deadline is approaching so covered entities must conduct their HIPAA risk assessment by the end of the year. Due to popular demand and the importance of the subject matter, this webinar is now being run again in December.

Mark the date in your calendar and register for the webinar using the form below.

2022 Deadline Approaching Fast

How to Complete your 2022 HIPAA Risk Assessment

December 7th @ 2:00 pm ET ¦ 1:00 pm CT ¦ 12:00 pm MT ¦ 11:00 am PT



Florida Orthopaedic Institute Proposes $4 Million Settlement to Resolve Class Action Data Breach Lawsuit

Florida Orthopaedic Institute has proposed a $4 million settlement to resolve claims from patients affected by a 2020 data breach. In April 2020, Musculoskeletal Institute, dba Florida Orthopaedic Institute, discovered an unauthorized third party had gained access to a server that contained patients’ protected health information (PHI) and used ransomware to encrypt files.

The forensic investigation determined the PHI of 640,000 individuals had been exposed and potentially stolen in the attack, including names, contact information, birth dates, Social Security numbers, health insurance information, medical information, and other types of data. Notifications were sent to affected individuals in July 2020 and a 12-month membership to a credit monitoring service was offered to affected individuals.

Shortly after sending notifications, a lawsuit – Stoll et al. v. Musculoskeletal Institute – was filed in the U.S. District Court for the Middle District of Florida that alleged Florida Orthopaedic Institute was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to maintaining the privacy of its patients and had not followed basic cybersecurity best practices. The lawsuit also alleged invasion of privacy, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

The lawsuit alleged the sensitive protected health information of patients was now in the hands of cybercriminals and patients now faced a substantial risk of identity theft and fraud. Florida Orthopaedic Institute has admitted no wrongdoing but decided to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the proposed settlement, current and former patients who were notified about the data breach are entitled to submit a claim for a cash payment of up to $15,000 to cover out-of-pocket expenses and up to 5 hours of time that was lost remedying the data breach at $25 per hour.

Attorneys argued that a 12-month membership to credit monitoring services was insufficient. All individuals affected by the data breach will now be eligible to receive 3 years of identity theft protection, credit monitoring, and identity restoration services, regardless of whether a claim is submitted. Parents or guardians of minors who have been affected by the data breach are entitled to enroll the affected children in these services for 3 years if their children are minors at the time of the settlement. These services include a $1,000,000 identity theft insurance policy. The services retail for around $196 per individual.

All claims must be submitted no later than September 16, 2022. The final approval hearing for the settlement is September 29, 2022.


Novant Health Notifies Patients About Unauthorized Disclosure of PHI via Meta Pixel Code on Patient Portal

Novant Health has recently notified patients about a breach of their protected health information due to the incorrect configuration of Meta Pixel code on its patient portal.

Code Snippet Sending Sensitive Patient Data to Meta

Earlier this year, an investigation conducted by The Markup into the use of Meta Pixel code on healthcare providers’ websites revealed 33 of the top 100 hospitals in the United States had included Meta Pixel code on their websites, and 7 of those hospitals had added the code to their password-protected patient portals. The 7 hospitals discovered by The Markup to have installed Meta Pixel on their patient portals were Community Health Network, FastMed, Edward-Elmhurst Health, Piedmont, Renown Health, WakeMed, and Novant Health.

Meta Pixel is a snippet of JavaScript code that is used to track website visitors, and the information gathered is sent to Meta (Facebook), which may be used to serve targeted ads. Meta claims that organizations that use Meta Pixel are not supposed to send sensitive data. If Meta discovers it has been sent sensitive data by mistake, it is filtered out to prevent the information from being used to serve targeted ads. That process does not appear to be working, and even if that information is filtered out, it is still being sent to Meta.
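A site owner’s first check is whether the pixel is loaded at all on authenticated pages. The audit below is an added example, not code from Novant Health, The Markup or Meta: it scans rendered HTML for the three forms the pixel base code takes (the fbevents.js loader, inline fbq() calls, and the noscript image beacon to facebook.com/tr) and rates any hit on an assumed portal path prefix as high severity. The sample pages, the portal path prefixes and the pixel ID are constructed placeholders.

```python
"""Audit rendered HTML for Meta Pixel (Facebook) tracking code.

Added example for site owners checking their own pages. The HTML below is
constructed for illustration; the pixel ID is a placeholder and the portal
path prefixes are an assumption about which pages sit behind a login.
"""
from html.parser import HTMLParser

PIXEL_LOADER = "connect.facebook.net"      # host serving fbevents.js
PIXEL_BEACON = "facebook.com/tr"           # noscript image beacon endpoint
PORTAL_PREFIXES = ("/mychart/", "/portal/")  # assumed authenticated paths


class PixelFinder(HTMLParser):
    """Collects evidence of pixel code while parsing one page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def _note(self, finding):
        if finding not in self.findings:
            self.findings.append(finding)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script":
            self._in_script = True
            if PIXEL_LOADER in src and "fbevents.js" in src:
                self._note("script src loads fbevents.js")
        elif tag == "img" and PIXEL_BEACON in src:
            self._note("noscript image beacon to facebook.com/tr")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; the base code calls fbq().
        if self._in_script and "fbq(" in data:
            self._note("inline fbq() call")


def audit_page(path, html):
    """Return (severity, findings) for one page.

    'high'   -> pixel present on an assumed authenticated portal path
    'medium' -> pixel present on any other page
    'none'   -> no pixel code found
    """
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    if not finder.findings:
        return "none", []
    severity = "high" if path.startswith(PORTAL_PREFIXES) else "medium"
    return severity, finder.findings


def audit_site(pages):
    """pages: dict of path -> HTML. Returns (path, severity, findings) for
    every page on which pixel code was found, in input order."""
    report = []
    for path, html in pages.items():
        severity, findings = audit_page(path, html)
        if findings:
            report.append((path, severity, findings))
    return report


# Constructed sample pages (pixel ID is a placeholder, loader body elided).
PORTAL_PAGE = """<html><head>
<script>!function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,
'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
</head><body><form><textarea name="notes"></textarea></form></body></html>"""

MARKETING_PAGE = """<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><h1>Virtual visits</h1></body></html>"""

CLEAN_PAGE = "<html><head><title>Login</title></head><body></body></html>"

SAMPLE_SITE = {"/": MARKETING_PAGE,
               "/mychart/appointments": PORTAL_PAGE,
               "/login": CLEAN_PAGE}

if __name__ == "__main__":
    for path, severity, findings in audit_site(SAMPLE_SITE):
        print(f"{severity:6} {path}: {', '.join(findings)}")
```

Run against a real site, the input would be the HTML as served to a logged-in browser session, since portal pages are not visible to an unauthenticated crawl.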

In the weeks following the publication of the report, multiple lawsuits were filed on behalf of individuals whose personal and protected health information was disclosed to Meta via Meta Pixel code on healthcare provider websites. The lawsuits allege violations of federal and state privacy laws as the information was sent without obtaining express consent from patients.

A class action lawsuit was filed on behalf of a patient of Baltimore-based MedStar Health System, which alleges Meta Pixel has been used on the websites of at least 664 healthcare providers, allowing patient data to be sent to Meta in violation of the Health Insurance Portability and Accountability Act (HIPAA). Another lawsuit was filed against Meta and the University of California San Francisco and Dignity Health, with the lead plaintiff claiming to have been served targeted adverts following the disclosure of sensitive information about a health issue on the patient portal. Most recently, a similar lawsuit was filed against Meta and Northwestern Memorial Hospital in Chicago, IL.

Novant Health Notifies Patients About Meta Pixel Data Breach

Novant Health has recently notified an as-yet-unspecified number of patients that some of their protected health information (PHI) has been sent to Meta. As far as HIPAA Journal has been able to establish, Novant Health is the first healthcare provider to issue breach notification letters to patients over the use of Meta Pixel code.

Novant Health explained in the breach notification letters that PHI was transferred to Meta due to “an incorrect configuration of [Meta] Pixel, an online tracking tool.” Novant Health said it wanted to be fully transparent over the data breach and the reasons for using the pixel code on its website.

“In May 2020, as our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goals of improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care,” explained Novant Health. “This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those advertisement efforts on Facebook; however, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”

When notified about the potential privacy violation, Novant Health immediately disabled and removed the pixel from the patient portal and launched an investigation to determine the extent to which information was being transferred to Meta. On June 17, 2022, Novant Health determined that PHI may have been inadvertently transferred based on the type of user activity on the patient portal. The information transferred would have varied from patient to patient, and may have included an individual’s email address, phone number, IP address, contact information entered into Emergency Contacts or Advanced Care Planning, appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes.

Novant Health said it has found no evidence that Meta or any other third party has acted upon the information provided. If an individual entered financial information or a Social Security number in free text boxes, that information may also have been sent to Meta. Novant Health said the individual notification letters would state if such information had been disclosed, and if so, complimentary credit monitoring services will be provided to affected individuals.


Salinas Valley Memorial Healthcare Settles Email Data Breach Lawsuit for $340K

Salinas Valley Memorial Healthcare System in California has agreed to settle a class action lawsuit for $340,000 to resolve claims from patients affected by a breach of its email environment in 2020.

Between April 30, 2020, and June 5, 2020, unauthorized individuals gained access to the email accounts of four employees and a contractor following responses to phishing emails. Prompt action was taken to secure its email environment, but during the 5-week period of compromise, the attacker(s) had access to emails containing sensitive patient information including names, hospital account numbers, medical record numbers, dates of service, and other information.

Legal action was taken against Salinas Valley by a patient affected by the data breach. The plaintiff alleged that Salinas Valley acted unlawfully by failing to prevent the attack, did not fulfill its legal obligations to safeguard the personal and protected health information of the plaintiff and class members, and violated the California Confidential Medical Information Act, Civil Code §§ 56 et seq.

Salinas Valley maintains it was fully compliant with state laws and denied any wrongdoing related to the security breach; however, the decision was taken to settle the lawsuit to prevent ongoing legal costs and the uncertainty of trial. Under the terms of the proposed settlement, a fund of $340,000 has been created to cover claims from individuals affected by the breach.

All patients who received a breach notification from Salinas Valley about the exposure of their personal and protected health information will be entitled to submit a claim for up to $750 for out-of-pocket expenses and time spent remediating the data breach. Claims will be paid from the fund after attorneys’ fees, expenses, and other court-approved costs have been deducted. Claims will be paid pro rata if the claims total is greater than the settlement fund. The settlement has yet to receive court approval.

Salinas Valley has also committed to improving security, with the measures including undergoing third-party audits and regular penetration tests, maintaining firewalls and access controls, and providing regular security awareness training to the workforce.

Claims must be submitted no later than August 26, 2022. Any individual who objects to the settlement or wants to remove themselves from the class must do so by August 11, 2022.
