Legal News

Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers

The U.S. Department of Justice has announced that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a security alert warning that North Korean hackers have been targeting the healthcare and public health sector in the United States using Maui ransomware since at least May 2021. The attacks have caused extensive disruption to IT systems and medical services and have put patient safety at risk.

The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The attack was traced to a North Korean hacking group that is suspected of receiving backing from the state. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly notified the FBI about the attack and payment. The FBI was able to trace the payment, which was passed to money launderers in China, along with another payment of approximately $120,000 that was made by a healthcare provider in Colorado.

In May 2022, the FBI filed a seizure warrant in the District of Kansas to recover payments made in cryptocurrencies to the Maui ransomware gang, and ransom payments of approximately $500,000 were recovered from the seized cryptocurrency accounts. The funds have been forfeited by the ransomware gang and have been returned to healthcare providers in Kansas and Colorado.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco today at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

Microsoft has also recently reported that a North Korean hacking group operating under the name HolyGhost has been conducting ransomware attacks on SMBs in the United States. It is not clear whether the attacks are being conducted by a state-sponsored hacking group or whether individuals associated with the Lazarus Group are moonlighting and conducting the attacks independently.

“Today’s success demonstrates the result of reporting to the FBI and our partners as early as possible when you are a victim of a cyberattack; this provides law enforcement with the ability to best assist the victim,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We will continue to pursue these malicious cyber actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible.”

The post Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers appeared first on HIPAA Journal.

The Methodist Hospitals Settles Class Action Data Breach Lawsuit for $425,000

The Methodist Hospitals Inc. has agreed to settle a class action lawsuit and has created a fund of $425,000 to cover claims from victims of a 2019 data breach that affected almost 70,000 current and former patients.

The Gary, IN-based healthcare provider reported an email security incident to the HHS’ Office for Civil Rights on April 4, 2019, that resulted in the exposure and potential theft of the protected health information of 68,039 patients. The investigation confirmed that hackers gained access to two employee email accounts between March 13, 2019, and July 8, 2019, after employees responded to phishing emails, and that patient information was potentially exfiltrated, including names, addresses, birth dates, Social Security numbers, driver’s license numbers, Medicare/Medicaid numbers, usernames, passwords, treatment and diagnosis information, and payment card information.

A lawsuit – Jones v. The Methodist Hospitals, Inc. – was filed in the Harris County District Court in Texas in the wake of the data breach, alleging that The Methodist Hospitals was negligent for failing to adequately protect the protected health information of patients. Plaintiffs James Jones and Samantha L. Gordon, and members of the class, allegedly suffered harm as a result of the data breach.

The Methodist Hospitals denied any wrongdoing and the OCR investigation was closed with no action taken; however, the decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, eligible class members are entitled to submit a claim for two additional years of credit monitoring and identity theft resolution services, reimbursement for economic losses, and reimbursement for time lost due to the data breach. Claims for reimbursement of documented economic losses of up to $3,000 can be submitted and/or claims of up to $300 can be submitted for reimbursement of lost time. Final approval of the settlement was received on June 13, 2022. Claims must be submitted by October 6, 2022.

BJC Healthcare Settles Data Breach Lawsuit Stemming from 2020 Phishing Attack

BJC HealthCare has agreed to settle a class action lawsuit to resolve claims it failed to adequately protect patient data from phishing attacks. The nonprofit St. Louis-based hospital system reported a breach of its email system to the HHS’ Office for Civil Rights on May 5, 2020, that affected 287,876 individuals. The investigation confirmed that three email accounts had been compromised in March 2020 as a result of responses to phishing emails. While data theft could not be determined, the affected email accounts contained the protected health information of patients of 19 of its hospitals, including names, birth dates, health insurance information, Social Security numbers, driver’s license, and healthcare data.

The lawsuit, filed in the Circuit Court of the City of St. Louis, State of Missouri, originally included 10 counts against the defendants and survived two motions to dismiss, with the lawsuit allowed to proceed on 8 of the 10 counts: unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, vicarious liability, and violations of the Missouri Merchandising Practices Act (MMPA) and Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA).

BJC HealthCare agreed to settle the lawsuit with no admission of liability or wrongdoing. Under the terms of the settlement, BJC HealthCare will make funds available to cover claims from affected individuals up to a maximum of $5,000. Each individual affected may submit a claim for ordinary and extraordinary expenses incurred as a result of the data breach.

Claims can be submitted for ordinary expenses such as bank fees, interest, credit monitoring costs, postage, mileage, and up to 3 hours of lost time at $20 per hour. Ordinary claims are capped at $250 per person. Claims of up to $5,000 can be submitted for extraordinary expenses, including documented monetary losses and up to three hours of additional lost time at $20 per hour. BJC HealthCare has also agreed to cover the cost of two years of credit monitoring and identity theft protection services. Named plaintiffs will receive up to $2,000, and BJC HealthCare will cover the plaintiffs’ legal costs. BJC HealthCare has committed $2.7 million to cover the cost of implementing multi-factor authentication for its email accounts to improve protection against phishing attacks.

Claims must be submitted by Dec. 14, 2022. The final approval hearing for the settlement is on Sept. 6, 2022.

In May 2022, BJC HealthCare reported another email breach to the HHS’ Office for Civil Rights. The incident was reported as affecting 500 individuals – a common placeholder used until the exact number of affected individuals is determined. The breach occurred two months previously.

Tenet Healthcare Sued Over Data Breach; San Francisco Settles Data Breach Lawsuit

Tenet Healthcare and Baptist Health are facing a class action lawsuit over a recently reported data breach that affected 1.2 million patients. The breach was detected on April 20, 2022, with the forensic investigation confirming an unauthorized third-party had accessed the IT networks of Baptist Medical Center or Resolute Health Hospital between March 31 and April 24, 2022, and removed files containing sensitive patient data. The information potentially compromised included names, addresses, Social Security numbers, health insurance information, medical information, and billing and claims data.

Tenet Healthcare issued a public notification about the cyberattack and data breach on April 26, 2022, while the investigation into the breach was ongoing. Notifications were sent to affected individuals in mid-June, less than two months after the discovery of the cyberattack. Affected individuals were offered complimentary credit monitoring and identity theft protection services.

The lawsuit was filed in Dallas County and names Texas resident Troy Contreras as the lead plaintiff. The lawsuit alleges the defendants were negligent for failing to protect the privacy of patients by not implementing appropriate safeguards that met industry standards, such as multi-layered security, malware detection software, and sufficient security awareness education for the workforce, and that the data security practices of the defendants were not aligned with the guidelines issued by the Federal Trade Commission. The lawsuit also alleges a failure to issue proper notifications.

The plaintiff claims to have spent a significant amount of time ensuring his personal and protected health information is safe and that he is protected against fraud, and will continue to have to spend time doing so in the future. The lawsuit does not allege any actual misuse of the plaintiff’s data. The lawsuit seeks damages in excess of $1 million.

San Francisco Settles Medical Data Breach Lawsuit

The City and County of San Francisco have settled a long-running class action data breach lawsuit – Jane Doe, et al. vs. The City and County of San Francisco, et al. – and have agreed to make $400,000 available to cover claims from the 8,884 class members. The lawsuit was filed following the impermissible disclosure of the private medical information of patients of Zuckerberg San Francisco General Hospital and Trauma Center, whose medical records were kept by neurosurgeon Dr. Shirley Stiver.

The case was filed in April 2016 in San Francisco Superior Court over the disclosure of highly sensitive data such as names, medical records, diagnoses – including HIV diagnoses – surgical notes, consultation notes, and radiologic films. The disclosures occurred without written consent from patients. The lawsuit alleged violations of the Confidential Medical Information Act and the California Health & Safety Code.

Class members are entitled to submit claims for up to $599. Claims must be submitted by August 30, 2022. The final approval hearing has been scheduled for September 29, 2022.

Health Aid of Ohio Settles Class Action Data Breach Lawsuit

Health Aid of Ohio has agreed to settle a class action lawsuit to resolve claims that it failed to protect the sensitive personal information of its customers.

Health Aid of Ohio is a Parma, OH-based full-service home medical equipment provider. On February 19, 2021, Health Aid discovered hackers had gained access to its network and viewed and removed files containing sensitive customer information. The files contained information such as name, telephone number, Social Security number, date of birth, medical diagnosis, insurance information, and the type of equipment that was delivered or repaired. Notifications were issued to affected customers in May 2021. The data breach affected 141,149 individuals.

A lawsuit was filed on behalf of affected individuals, which alleged Health Aid had failed to implement reasonable cybersecurity measures to ensure the confidentiality of customer data. The lawsuit alleged negligence, unjust enrichment, invasion of privacy, and other claims.

Health Aid admitted no wrongdoing but decided to settle the lawsuit to resolve all claims related to the data breach. Under the terms of the settlement, any individual affected who had their Social Security number exposed is entitled to a cash payment of up to $250 and can submit a claim for out-of-pocket expenses, including credit monitoring costs, and up to four hours of lost time at $15 per hour. Documentation must be submitted to support any claim. Any individual who can provide documentation that proves they were a victim of fraud can submit a claim of up to $2,500. Claims must be submitted by August 22, 2022, and the deadline for exclusion or objection is July 22, 2022.

Regardless of the types of information exposed in the data breach, all class members are entitled to a 12-month complimentary membership to credit monitoring and identity theft restoration service. Health Aid has also agreed to implement a range of additional safeguards to better protect customer information in the future and will undergo annual security risk assessments in 2022 and 2023 to determine whether further security enhancements can be made.

The final approval hearing for the settlement has been scheduled for Sept. 20, 2022.

Multiple Class Action Lawsuits Filed Against MCG Health Over Data Breach

Multiple class action lawsuits have been filed against the Seattle-based Hearst Health subsidiary, MCG Health, over a data breach that has affected at least 10 healthcare organizations including Indiana University Health, Lenoir Health Care, Phelps Health, and Jefferson County Health Center.

The data breach was reported to the HHS’ Office for Civil Rights on June 10 as affecting 793,283 individuals, but some affected healthcare organizations have self-reported the breach. The breach notification issued to the Maine Attorney General indicates the protected health information of up to 1.1 million patients was potentially obtained by an unauthorized third party in the attack.

MCG Health said it discovered on May 25, 2022, that files had been removed from its systems that included names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and genders. Notification letters were sent to affected individuals on June 10, 2022, and 2 years of complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

So far at least five lawsuits have been filed against MCG Health in the District Court for the Western District of Washington over the data breach. The lawsuits make similar claims and allege negligence, invasion of privacy, bailment, breach of implied contract, breach of confidence, and a violation of the Washington Consumer Protection Act.

Strecker v. MCG Health alleges the hackers had access to MCG Health systems for at least two weeks before the breach was detected. Booth v. MCG Health, however, alleges the data breach occurred more than two years before it was detected by MCG Health: that hackers gained access to MCG Health systems and exfiltrated data around February 25 to 26, 2020, and that the breach date of March 25, 2022, given on the MCG Health notifications is when MCG Health discovered that sensitive files had been infiltrated. It then took more than 2 months for notifications to be issued to affected individuals.

The lawsuits allege the affected plaintiffs have suffered lost time, annoyance, interference, and inconvenience as a result of the data breach, and now that their protected health information is in the hands of criminals, they face a substantial present risk of identity theft and fraud, and that risk will continue to increase for years to come. Plaintiff Cynthia Strecker claims to have suffered anxiety and emotional distress due to the data breach and has increased concerns for the loss of her privacy. Similar claims are made in Thorbecke et al v. MCG Health, Saiki v. MCG Health, and Crawford et al v. MCG Health.

The lawsuits seek class action certification, compensatory and punitive damages, pre- and post-judgment interest, attorney’s fees and costs, and other relief, and call for MCG Health to make significant improvements to security, including encrypting all data, conducting regular penetration tests, employing data segmentation, improving logging and monitoring, appointing a third-party assessor to conduct annual SOC 2 Type 2 attestations for 10 years, and to cease storing personally identifiable patient information in cloud databases.

University of Pittsburgh Medical Center Settles Data Breach Lawsuit for $450,000

University of Pittsburgh Medical Center has agreed to settle a class action data breach lawsuit and will make $450,000 available to cover claims from individuals who have suffered losses due to the theft and misuse of their protected health information.

The data breach affected approximately 36,000 patients and saw their protected health information accessed and stolen by an unauthorized third party between April 2020 and June 2020. The breach occurred at UPMC’s legal counsel, Charles J. Hilton PC (CJH), which provided billing-related services. The compromised data was stored within the firm’s email environment and included names, birth dates, Social Security numbers, financial information, ID numbers, signatures, insurance information, and medical information. The data breach was detected in June 2020; however, notifications were not sent to affected individuals until December 2020.

While many speculative lawsuits are filed against healthcare organizations and their business associates over the exposure of patient data, in this case, the plaintiff was defrauded soon after the breach, which was, on the balance of probability, due to his information being stolen in the data breach at CJH. An Amazon credit card account had been opened in his name. The plaintiff claimed he had to spend a considerable amount of time addressing the misuse of his personal and protected health information. The lawsuit alleged UPMC and CJH failed in their duty to protect patient data and had not implemented reasonable and appropriate safeguards to protect their private data.

Neither UPMC nor CJH admitted any wrongdoing or liability but agreed to settle the lawsuit. Under the terms of the settlement, class members are entitled to make a claim for a $250 cash payment as reimbursement for documented out-of-pocket expenses related to the data breach and may submit claims for up to $2,500 to recover fraudulent charges and costs related to identity theft, plus $30 for undocumented time spent dealing with the breach. Twelve months of complimentary credit monitoring, identity theft, and dark web monitoring services will also be provided to class members. Claims must be submitted no later than September 3, 2022.

Last year, UPMC settled a long-running lawsuit for $2.65 million. The lawsuit was filed on behalf of 27,000 employees affected by a February 2014 data breach.

Meta Sued over the Scraping of Patient Data from Hospital Websites

A lawsuit has been filed against Meta that alleges the social media giant has been knowingly collecting patient data from hospital websites via the Meta Pixel tracking tool, and in doing so has violated the privacy of millions of patients.

The lawsuit was filed in the U.S. Northern District of California and alleges violations of state and federal laws related to the collection of patient data without consent. Last week, The Markup and STAT released a report on a study of the top 100 hospitals in the United States, which found that one-third used the Meta Pixel tool on their websites. The Meta Pixel tool is a snippet of JavaScript code that is used to track visitor actions on websites, such as the buttons they click and the options they select from dropdown menus. When the tool is included on healthcare providers’ websites, there is potential for the tool to transmit protected health information to Meta/Facebook, such as the IP address, the fact that a patient has scheduled an appointment, and any information selected from menus, such as the medical condition that the appointment is about.

The study identified 7 hospital systems that had installed Meta Pixel on their patient portals behind password protection and the tool was transmitting sensitive data such as patient conditions, which could be tied to the patients through their IP addresses. The study found no evidence that Meta had entered into a business associate agreement with the hospitals, nor that consent to share patient data with Meta was obtained from patients by the hospitals and healthcare systems that used Meta Pixel.
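The report above describes the Meta Pixel by the markup it leaves on a page: a loader pulled from connect.facebook.net, fbq('init', ...) and fbq('track', ...) calls, and a fallback image beacon to facebook.com/tr. The following is an added example, not code from the article, the study or Meta, showing how a hospital's compliance or security team could audit saved HTML from its public site and patient portal for those indicators; the pixel ID, page content and the "authenticated" flag are constructed for the demonstration.

```python
"""Static audit of saved HTML pages for Meta Pixel indicators (added example)."""
import re
from html.parser import HTMLParser

# Publicly documented pieces of the Meta Pixel integration.
PIXEL_LOADER_HOST = "connect.facebook.net"   # hosts fbevents.js
PIXEL_BEACON_PATH = "facebook.com/tr"        # <noscript> image beacon endpoint
FBQ_INIT = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
FBQ_TRACK = re.compile(r"""fbq\(\s*['"](?:track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]""")


class PixelAuditor(HTMLParser):
    """Collects Meta Pixel indicators from one HTML document."""

    def __init__(self):
        super().__init__()
        self.loaders = []       # <script src> or inline loader referencing connect.facebook.net
        self.pixel_ids = set()  # ids passed to fbq('init', ...)
        self.events = []        # event names passed to fbq('track', ...)
        self.beacons = []       # <img src="https://www.facebook.com/tr?..."> fallbacks
        self._script = None     # buffer while inside a <script> element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
            src = a.get("src") or ""
            if PIXEL_LOADER_HOST in src:
                self.loaders.append(src)
        elif tag == "img" and PIXEL_BEACON_PATH in (a.get("src") or ""):
            self.beacons.append(a["src"])

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            if PIXEL_LOADER_HOST in body:
                self.loaders.append("inline loader")
            self.pixel_ids.update(FBQ_INIT.findall(body))
            self.events.extend(FBQ_TRACK.findall(body))


def audit_html(html):
    """Return a summary of Meta Pixel indicators found in one saved page."""
    p = PixelAuditor()
    p.feed(html)
    p.close()
    present = bool(p.loaders or p.pixel_ids or p.beacons)
    return {"pixel_present": present, "pixel_ids": sorted(p.pixel_ids),
            "events": p.events, "loaders": p.loaders, "beacons": p.beacons}


def classify_risk(summary, authenticated):
    """Rank a finding: a pixel inside a logged-in patient portal is the worst
    case in the report; a pixel sending events beyond PageView from a public
    page can still carry appointment and condition choices; otherwise low."""
    if not summary["pixel_present"]:
        return "none"
    if authenticated:
        return "high"
    if any(e != "PageView" for e in summary["events"]):
        return "medium"
    return "low"


# Constructed sample pages; the pixel id is a placeholder, not a real one.
SAMPLE_PORTAL_PAGE = """<html><head><title>Patient Portal - Schedule</title>
<script>
/* constructed stand-in for the pixel bootstrap */
var s=document.createElement('script');s.src='https://connect.facebook.net/en_US/fbevents.js';
fbq('init', '000000000000000');
fbq('track', 'PageView');
fbq('track', 'Schedule', {condition: 'placeholder'});
</script>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body><form><select name="condition"><option>placeholder</option></select></form></body></html>"""
SAMPLE_CLEAN_PAGE = """<html><head><title>Visiting Hours</title>
<script src="/static/site.js"></script></head><body><p>Open daily.</p></body></html>"""

if __name__ == "__main__":
    for name, page, authed in (("portal", SAMPLE_PORTAL_PAGE, True), ("public", SAMPLE_CLEAN_PAGE, False)):
        s = audit_html(page)
        print(name, classify_risk(s, authed), s)
```

Run it over pages saved from a crawl of both the public site and an authenticated portal session; a "high" result on any portal page is the configuration the study flagged at 7 hospital systems.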

The lawsuit was filed on behalf of patient John Doe, who is a user of Facebook and a patient of Medstar Health System in Maryland. The plaintiff said he uses the patient portal for making appointments, communicating with providers, and reviewing lab test results, and did not consent to information being shared with Meta/Facebook. Medstar Health said all patient data is secured and it does not use any Facebook/Meta technologies on its website. According to the lawsuit, at least 664 healthcare systems in the United States have added the Meta Pixel tool to their websites, which sends sensitive data to Meta.

Meta states on its website that “If Meta’s signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems.” However, the lawsuit claims, “Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook.” The lawsuit alleges the use of the tool on hospital websites without obtaining consent is a violation of the Health Insurance Portability and Accountability Act (HIPAA), as the data is collected without a business associate agreement. It should be noted that Meta/Facebook is not bound by HIPAA Rules; however, the hospitals that use the tool could be in violation of HIPAA for transferring the data without consent.

The lawsuit alleges a breach of the duty of good faith and fair dealing, and violations of federal and state laws, including the federal Electronic Communications Privacy Act and California’s Invasion of Privacy Act and Unfair Competition Law. The lawsuit seeks class action status, compensatory and punitive damages, and attorneys’ fees.

This is not the first lawsuit to be filed against Facebook over the collection of data from hospital websites. The same attorneys had a case against Facebook dismissed in 2018 – Smith et al v. Facebook – over the collection of browsing data from hospital websites. The decision was upheld by the U.S. Court of Appeals for the 9th Circuit, which ruled that the plaintiffs could not sue Facebook as they had agreed to Facebook’s contract terms.

A copy of the lawsuit was obtained by Reclaim the Net and is published here.

Bill Seeks to Ban Data Brokers from Selling Health and Location Data

A new bill has been introduced by Sen. Elizabeth Warren (D-MA) that seeks to ban data brokers from selling the health and location data of Americans. The bill, the Health and Location Data Protection Act, was co-sponsored by Sens. Ron Wyden (D-OR), Chair of the Senate Finance Committee; Patty Murray (D-WA), Chair of the Senate Health, Education, Labor, and Pensions Committee; Sheldon Whitehouse (D-RI); and Bernie Sanders (I-VT), Chair of the Senate Budget Committee.

“Data brokers profit from the location data of millions of people, posing serious risks to Americans everywhere by selling their most private information,” said Senator Warren. “With this extremist Supreme Court poised to overturn Roe v. Wade and states seeking to criminalize essential health care, it is more crucial than ever for Congress to protect consumers’ sensitive data.”

Currently, data brokers are largely unregulated by federal law, yet they are collecting highly sensitive data from Americans, including their location. That information is gathered from a huge range of mobile apps and, in many cases, the data is collected without express user consent. That information is then sold for profit to virtually anyone willing to pay the price. That information has been used to circumvent the Fourth Amendment and stalk and harass individuals. In some cases, data brokers have been discovered to be selling cellphone-based location data of people visiting abortion clinics, which has placed the safety of women at risk who are seeking healthcare.

If passed, the Health and Location Data Protection Act will ban data brokers from selling or transferring the location and health data of Americans, rein in giant data brokers, and implement long-overdue rules for this $200 billion industry. The bill calls for the Federal Trade Commission (FTC) to issue rules to implement the new law within 180 days and will empower the FTC, state attorneys general, and injured persons to sue data brokers to enforce the provisions of the law. The bill will also ensure that the FTC is given $1 billion in funding over the next decade so that it can carry out its work and enforce the law. The law will include exceptions for HIPAA-compliant activities, protected First Amendment speech, and validly authorized disclosures.

“When abortion is illegal, researching reproductive health care online, updating a period-tracking app, or bringing a phone to the doctor’s office all could be used to track and prosecute women across the U.S. It amounts to uterus surveillance. Congress must protect Americans’ privacy from abuse by far-right politicians who want to control women’s bodies. I’m proud to work with Senator Warren to introduce the Health and Location Data Protection Act,” said Sen Wyden.