Legal News

Meta Sued over the Scraping of Patient Data from Hospital Websites

A lawsuit has been filed against Meta that alleges the social media giant has been knowingly collecting patient data from hospital websites via the Meta Pixel tracking tool, and in doing so has violated the privacy of millions of patients.

The lawsuit was filed in the U.S. Northern District of California and alleges violations of state and federal laws related to the collection of patient data without consent. Last week, a report was released by The Markup/STAT on a study on the 100 top hospitals in the United States which found that one-third used the Meta Pixel tool on their websites. The Meta Pixel tool is a snippet of JavaScript code that is used to track visitor actions on websites, such as the forms they click and the options they select from dropdown menus. When the tool is included on healthcare providers’ websites, there is potential for the tool to transmit protected health information to Meta/Facebook, such as IP address, when a patient has scheduled an appointment and any information selected from menus, such as the medical condition that the appointment is about.

The study identified 7 hospital systems that had installed Meta Pixel on their patient portals behind password protection and the tool was transmitting sensitive data such as patient conditions, which could be tied to the patients through their IP addresses. The study found no evidence that Meta had entered into a business associate agreement with the hospitals, nor that consent to share patient data with Meta was obtained from patients by the hospitals and healthcare systems that used Meta Pixel.
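A first-pass check a hospital security or privacy team can run on its own pages, as an added example (this is illustrative code written for this article, not code from the lawsuit, the study, or Meta): scan saved HTML for the Meta Pixel loader, the `fbq('init', ...)` call that names the pixel ID, and the events the page explicitly sends. The two sample pages and the pixel ID `123456789012345` are constructed for the example. The standard pixel snippet loads `connect.facebook.net/en_US/fbevents.js` from an inline bootstrap and falls back to a `facebook.com/tr` image inside `<noscript>`, so the scanner checks all three places. The caveat a practitioner should keep in mind: this finds the snippet and the events a developer wrote into the page, not whatever the loaded script collects on its own at runtime; confirming what actually leaves the browser still requires watching network traffic from a real session on the portal.

```python
"""Static audit of saved HTML for the Meta Pixel (fbevents.js / fbq / facebook.com/tr).

Added example for this article; the sample pages below are constructed, not real hospital pages.
"""
import re
from html.parser import HTMLParser

# Matches fbq('init', '<id>'), fbq('track', '<event>'), fbq('trackCustom', '<event>', {...})
FBQ_CALL = re.compile(
    r"""\bfbq\s*\(\s*['"](init|track|trackCustom)['"]\s*,\s*['"]([^'"]*)['"]"""
)
LOADER_HOST = "connect.facebook.net"
LOADER_FILE = "fbevents.js"


class PixelFinder(HTMLParser):
    """Collects every place the pixel can show up in a page."""

    def __init__(self):
        super().__init__()
        self.loader_refs = []      # script src or inline string that loads fbevents.js
        self.fbq_calls = []        # (verb, argument) tuples from inline scripts
        self.noscript_images = []  # <img src="https://www.facebook.com/tr?..."> fallbacks
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src") or ""
            if LOADER_HOST in src and LOADER_FILE in src:
                self.loader_refs.append(src)
        elif tag == "img":
            src = a.get("src") or ""
            if "facebook.com/tr" in src:
                self.noscript_images.append(src)

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data verbatim (CDATA mode).
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            text = "".join(self._script_buf)
            self._script_buf = []
            if LOADER_HOST in text and LOADER_FILE in text:
                self.loader_refs.append("inline loader")
            self.fbq_calls.extend(FBQ_CALL.findall(text))


def audit(html: str) -> dict:
    """Return what the page would hand to the pixel: IDs, explicit events, load points."""
    p = PixelFinder()
    p.feed(html)
    p.close()
    pixel_ids = sorted({arg for verb, arg in p.fbq_calls if verb == "init"})
    events = [(verb, arg) for verb, arg in p.fbq_calls if verb != "init"]
    return {
        "pixel_present": bool(p.loader_refs or pixel_ids or p.noscript_images),
        "pixel_ids": pixel_ids,
        "events": events,
        "loader_refs": p.loader_refs,
        "noscript_images": p.noscript_images,
    }


# Constructed appointment page: pixel bootstrap plus two events tied to scheduling.
SAMPLE_APPOINTMENT_PAGE = """
<html><head><title>Schedule an appointment</title>
<script>
(function(d,u){var s=d.createElement('script');s.async=true;s.src=u;d.head.appendChild(s);})
(document,'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '123456789012345');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1"
 src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>
</head><body>
<form id="appt"><select name="condition"><option>oncology</option></select></form>
<script>
document.getElementById('appt').addEventListener('submit', function () {
  fbq('track', 'Schedule');
  fbq('trackCustom', 'ConditionSelected', {condition: 'oncology'});
});
</script>
</body></html>
"""

# Constructed control page with no third-party tags.
SAMPLE_CLEAN_PAGE = "<html><head><script>console.log('portal');</script></head><body></body></html>"


if __name__ == "__main__":
    for name, page in (("appointment", SAMPLE_APPOINTMENT_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        print(name, audit(page))
```

Run it over a crawl of the public site and, separately, over authenticated portal pages saved from a test account; any non-empty `events` list on a page that handles appointment or condition data is the finding to take to the privacy officer, because it is exactly the kind of transmission the study describes.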

The lawsuit was filed on behalf of patient John Doe, who is a user of Facebook and a patient of Medstar Health System in Maryland. The plaintiff said he uses the patient portal for making appointments, communicating with providers, and reviewing lab test results, and did not consent to information being shared with Meta/Facebook. Medstar Health said all patient data is secured and it does not use any Facebook/Meta technologies on its website. According to the lawsuit, at least 664 healthcare systems in the United States have added the Meta Pixel tool to their websites, which sends sensitive data to Meta.

Meta states on its website that “If Meta’s signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems.” However, the lawsuit claims, “Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook.” The lawsuit alleges the use of the tool on hospital websites without obtaining consent is a violation of the Health Insurance Portability and Accountability Act (HIPAA), as the data is collected without a business associate agreement. It should be noted that Meta/Facebook is not bound by HIPAA Rules; however, the hospitals that use the tool could be in violation of HIPAA for transferring the data without consent.

The lawsuit alleges a breach of the duty of good faith and fair dealing, and violations of federal and state laws, including the federal Electronic Communications Privacy Act and California’s Invasion of Privacy Act and Unfair Competition Law. The lawsuit seeks class action status, compensatory and punitive damages, and attorneys’ fees.

This is not the first lawsuit to be filed against Facebook over the collection of data from hospital websites. The same attorneys had a case against Facebook dismissed in 2018 – Smith et al v. Facebook – over the collection of browsing data from hospital websites. The decision was upheld by the U.S. Court of Appeals for the 9th Circuit, which ruled that the plaintiffs could not sue Facebook as they had agreed to Facebook’s contract terms.

A copy of the lawsuit was obtained by Reclaim the Net and is published here.

The post Meta Sued over the Scraping of Patient Data from Hospital Websites appeared first on HIPAA Journal.

Bill Seeks to Ban Data Brokers from Selling Health and Location Data

A new bill has been introduced by Sen. Elizabeth Warren (D-MA) that seeks to ban data brokers from selling the health and location data of Americans. The bill, the Health and Location Data Protection Act, was co-sponsored by Sens. Ron Wyden (D-OR), Chair of the Senate Finance Committee; Patty Murray (D-WA), Chair of the Senate Health, Education, Labor, and Pensions Committee; Sheldon Whitehouse (D-RI); and Bernie Sanders (I-VT), Chair of the Senate Budget Committee.

“Data brokers profit from the location data of millions of people, posing serious risks to Americans everywhere by selling their most private information,” said Senator Warren. “With this extremist Supreme Court poised to overturn Roe v. Wade and states seeking to criminalize essential health care, it is more crucial than ever for Congress to protect consumers’ sensitive data.”

Currently, data brokers are largely unregulated by federal law, yet they collect highly sensitive data on Americans, including their location. That information is gathered from a huge range of mobile apps, in many cases without express user consent, and is then sold for profit to virtually anyone willing to pay the price. It has been used to circumvent the Fourth Amendment and to stalk and harass individuals. In some cases, data brokers have been discovered selling cellphone-based location data of people visiting abortion clinics, placing at risk the safety of women seeking healthcare.

If passed, the Health and Location Data Protection Act would ban data brokers from selling or transferring the location and health data of Americans, reining in giant data brokers and implementing long-overdue rules for this $200 billion industry. The bill calls for the Federal Trade Commission (FTC) to issue rules implementing the new law within 180 days and would empower the FTC, state attorneys general, and injured persons to sue data brokers to enforce its provisions. The bill would also provide the FTC with $1 billion in funding over the next decade to carry out its work and enforce the law. The law would include exceptions for HIPAA-compliant activities, protected First Amendment speech, and validly authorized disclosures.

“When abortion is illegal, researching reproductive health care online, updating a period-tracking app, or bringing a phone to the doctor’s office all could be used to track and prosecute women across the U.S. It amounts to uterus surveillance. Congress must protect Americans’ privacy from abuse by far-right politicians who want to control women’s bodies. I’m proud to work with Senator Warren to introduce the Health and Location Data Protection Act,” said Sen Wyden.


San Diego Family Care Agrees to $1 Million Settlement to Resolve Class Action Data Breach Lawsuit

San Diego Family Care, a Californian provider of medical, dental, and mental health services, has agreed to settle a class action lawsuit filed by patients affected by a data breach in 2020.

The data breach that sparked the lawsuit was announced by the healthcare provider in May 2021 and was reported to the HHS’ Office for Civil Rights (OCR) as affecting 125,500 patients, although the total was later revised to 154,513 patients. The compromised data included names, Social Security numbers, government identification numbers, financial account numbers, dates of birth, medical diagnosis or treatment information, health insurance information, and client identification numbers.

The security breach occurred in December 2020 at a technology provider and business associate, Netgain Technologies, and involved ransomware. Netgain Technologies reportedly paid a $2.3 million ransom for the keys to decrypt data and prevent any further disclosures of data. San Diego Family Care was one of several healthcare providers to have data compromised in the attack.

After notifying the affected individuals, two class action lawsuits were filed against San Diego Family Care over the data breach. While the ransomware attack was not conducted on San Diego Family Care, plaintiffs in the lawsuits alleged that San Diego Family Care had failed to protect patient information, had not implemented sufficient data security measures, and did not issue notification letters promptly. Netgain Technologies notified San Diego Family Care about the data breach in January 2021, but the notification letters were not sent to affected individuals until May.

San Diego Family Care has not accepted any wrongdoing and accepts no liability for the data breach but did agree to settle the lawsuit. The proposed settlement will see a fund of $1,000,000 created to cover claims from affected individuals. Claims may be submitted for a base payment of up to $100 per person, up to $1,000 for ordinary out-of-pocket expenses, and up to $5,000 for extraordinary out-of-pocket expenses.

Proof of losses and expenses, such as evidence of fraudulent charges, payments for credit monitoring services, and other expenses, should be submitted with claims. Individuals will also be provided with complimentary identity theft protection services; the codes for activating those services will be sent to individuals who submit a claim. Valid claims must be submitted by July 15, 2022, and the final approval hearing for the settlement is scheduled for July 29, 2022.


Class Action Lawsuit Filed Against Shields Health Care Group Over 2 Million-Record Data Breach

A class action lawsuit has been filed against Shields Health Care Group over its recently announced 2 million-record data breach – the largest healthcare data breach to be reported so far this year.

Shields Health Care Group is the largest provider of MRI imaging services in New England and operates more than 40 facilities in the region. On May 27, 2022, the Massachusetts-based medical imaging service provider reported the data breach to the HHS’ Office for Civil Rights and confirmed that an unauthorized actor had access to some of its IT systems from March 7 to March 21, 2022. During that time, files were exfiltrated from its systems that included patient information such as names, addresses, birth dates, Social Security numbers, diagnoses, billing information, insurance numbers and medical or treatment information.

A data breach of this scale is likely to see several lawsuits filed, with Keller Postman LLC and co-counsel Sweeney Merrigan Law LLP and Finkelstein, Blankinship, Frei-Pearson, & Garber LLC the first to file. The lawsuit, William Biscan v. Shields Health Care Group Inc., was filed in the U.S. District Court for the District of Massachusetts and alleges the defendant negligently handled the private health information of the plaintiff and other similarly situated individuals.

The lawsuit alleges the defendant should have been aware of the risk of a data breach yet failed to implement reasonable and appropriate safeguards to keep patient data private and confidential and to protect against unauthorized access and disclosure. As a result, the defendant is alleged to have left the personal and protected health information of patients in “a dangerous and vulnerable condition,” and to have failed to notify affected individuals in a timely manner.

As a result of those failures, the plaintiff claims he and other class members now face a heightened and imminent risk of fraud and identity theft and will continue to incur out-of-pocket costs for purchasing credit monitoring services, credit freezes, credit reports, and other protective measures to prevent and detect identity theft and fraud.

In addition to the negligence claim, the lawsuit alleges breach of express contract, breach of implied contract, invasion of privacy by intrusion, breach of fiduciary duty, breach of confidence, unjust enrichment, and violations of Massachusetts General Laws.

The lawsuit seeks class certification, monetary relief, actual and punitive damages, litigation fees, adequate credit monitoring and identity theft protection services, and an injunction requiring the defendant to improve security to prevent similar breaches in the future and undergo annual security audits.


Injured Workers Pharmacy Faces Class Action Lawsuit over Email Account Breach

A class action lawsuit has been filed in the U.S. District Court for the District of Massachusetts by the law firm Morgan & Morgan against Injured Workers Pharmacy (IWP) over a breach of the personal information of 75,771 customers.

IWP is an Andover, MA-based pharmacy that serves employees who were injured at work and receive workers’ compensation benefits. On May 11, 2021, IWP discovered several employee email accounts had been accessed by an unauthorized individual, and those email accounts contained sensitive information such as names, addresses, and Social Security numbers. The first email accounts were compromised in January 2021, which allowed unauthorized access to the information in the accounts for 4 months before the breach was detected and the accounts were secured. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 24 months.

Plaintiffs Alexsis Webb and Marsclette Charley allege IWP failed to implement appropriate data security safeguards to ensure the privacy of their personal information and that of the class members, had not followed industry security best practices and had not provided security awareness training to the workforce. IWP failed to issue notification letters about the breach until February 2022, 9 months after the breach was detected. The lawsuit alleges negligence, negligence per se, breach of implied contract and fiduciary duty, invasion of privacy, and unjust enrichment.

The plaintiffs claim they face an imminent and ongoing risk of identity theft and fraud due to the exposure of their sensitive data to cybercriminals and have had to spend time and money protecting themselves against identity theft and fraud. The lawsuit seeks class action status, a jury trial, damages, reimbursement of out-of-pocket expenses, and legal costs.

IWP is no stranger to legal action. In 2020, IWP agreed to settle a case with Massachusetts Attorney General Maura Healey to resolve allegations the company played a role in shipping thousands of illegitimate opioid painkiller prescriptions across the United States between 2006 and 2012. The case was settled for $11 million.


New York Judge Dismisses Class Action PACS Data Breach Lawsuit for Lack of Standing

A class action lawsuit filed against NorthEast Radiology PC and Alliance HealthCare Services over a data breach that exposed the protected health information of more than 1.2 million individuals has been dismissed by a New York Federal Judge for lack of standing.

The lawsuit was filed in July 2021 on behalf of plaintiffs Jose Aponte II and Lisa Rosenberg, whose protected health information was exposed as a result of a misconfiguration of the companies’ Picture Archiving and Communication System (PACS), which contained medical images and associated patient data. In late 2019, security researchers identified the exposed data and notified the affected companies, which included Northeast Radiology and its vendor, Alliance HealthCare Services.

According to the lawsuit, more than 61 million medical images were exposed along with the sensitive data of 1.2 million patients. Northeast Radiology reported the breach to the HHS’ Office for Civil Rights as affecting 298,532 individuals. The lawsuit alleged the defendants had implemented inadequate security safeguards to ensure the privacy of patient data, which allowed medical images and other protected health information to be accessed by unauthorized individuals between April 14, 2019, and January 7, 2020. The plaintiffs alleged that they face an ongoing and imminent risk of identity theft and fraud, as there is no way to cancel protected health information. They claim they now need to continuously monitor their accounts and use credit and identity theft monitoring services, and expend additional time and effort to prevent and mitigate against potential future losses.

It is now common for lawsuits to be filed against healthcare organizations following data breaches, but the lawsuits often do not succeed because the plaintiffs cannot provide evidence of harm resulting from the exposure or theft of their personal data, as was the case here. Judge Vincent L. Briccetti of the U.S. District Court for the Southern District of New York dismissed the lawsuit because the plaintiffs failed to allege a cognizable injury. The judge ruled that the mere exposure of sensitive data did not establish that the plaintiffs had been harmed by the incident, and that the risk of future harm from the exposure of their sensitive data was too speculative to establish standing.

While the data breach was reported to the HHS’ Office for Civil Rights as affecting up to 298,532 individuals, NorthEast Radiology was only able to confirm that the data of 29 patients had definitely been subjected to unauthorized access, and the two plaintiffs named in the lawsuit were not part of that small group.

Judge Briccetti referred to the Second Circuit’s decision in McMorris v. Carlos Lopez & Associates, LLC, which established a three-factor test for determining whether allegations of an injury from a data breach give rise to a cognizable Article III injury-in-fact:

“(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.”

Judge Briccetti rejected all of the plaintiffs’ claims for negligence, negligence per se, breach of contract, breach of implied contract, violations of New York General Business Law Section 349, and intrusion upon seclusion.


Solara Medical Supplies $9.76 Million Data Breach Settlement Gets Preliminary Approval

A $9.76 million settlement proposed by Solara Medical Supplies to resolve a class action lawsuit related to a 2019 data breach has received preliminary approval from the court.

Solara Medical Supplies, which provides products and services to help people manage their diabetes, was the victim of a phishing attack that saw employees’ Microsoft Office 365 email accounts accessed by unauthorized individuals between April 2, 2019, and June 20, 2019.

The email accounts contained the protected health information of patients and sensitive employee information, including names, dates of birth, billing and claims information, health insurance information, medical information, financial account information and credit card numbers, Social Security numbers, driver’s license numbers, state ID numbers, and Medicare/Medicaid IDs. The breach was reported to the HHS’ Office for Civil Rights as affecting 114,007 individuals.

Legal action was taken on behalf of the individuals affected by the breach, with the class including all individuals residing in the United States and its territories who were notified in November 2019 that their information had been exposed. The plaintiffs alleged Solara Medical Supplies was negligent for failing to prevent the breach.

Solara Medical Supplies denies any wrongdoing and liability and believes there are meritorious defenses and legal challenges to the plaintiffs’ claims; however, agreed to settle the lawsuit to prevent further legal costs and to avoid the uncertainty of litigation.

Under the terms of the settlement, a fund of $5.06 million will be created to cover the costs of administering the settlement, attorneys’ fees, and payments to class members; the remainder of the $9.76 million figure is the estimated cost of the security improvements described below. All individuals who submit a valid claim will be eligible to receive a cash payment of $100, which may be adjusted up or down depending on the number of individuals who submit a claim.

Solara Medical Supplies has committed to taking steps to improve security to prevent further data breaches, such as implementing systems for detecting suspicious activity, multifactor authentication, improvements to email filtering, and other security measures, which have been estimated to cost $4.7 million over the next 5 years.

The settlement has received preliminary approval from the court and a final hearing for the settlement has been scheduled for September 12, 2022. The deadline for submitting a claim is August 8, 2022, and the deadline for objecting to the settlement or requesting to be excluded from the settlement is August 22, 2022.


Update to Indiana Data Breach Notification Law Shortens Timeline for Notifications

On July 1, 2022, updated data breach notification laws (HB 1351) will take effect in Indiana that require notifications to be issued within 45 days of the discovery of a breach of the personally identifiable information (PII) of Indiana residents.

Currently, Indiana only requires notifications to be issued without unreasonable delay. The update adds a hard deadline to ensure that individuals whose PII has been exposed receive timely notification: notifications must still be issued without unreasonable delay, and in any case no later than 45 days after discovery of the breach.

A reasonable delay would be when one of the following conditions applies:

1) It is necessary to delay notification to restore the integrity of computer systems

2) It is necessary to delay notification to discover the scope of the breach

3) When there has been a request from the state attorney general or law enforcement to delay notifications to ensure criminal or civil investigations are not impeded, or when notifications have the potential to jeopardize national security.

In such cases, notifications should be issued when the integrity of computer systems has been restored, when the scope of the breach is known, or when law enforcement or the state attorney general advises the breached entity that there is no longer the need to delay notification as criminal/civil investigations will not be impeded or there is no longer a threat to national security.

The new law applies to breaches of the security of a system housing unencrypted PII, when PII is known to have been stolen or may have been stolen, and when encrypted PII has been exposed or stolen and an unauthorized person may have access to the encryption key to allow data to be decrypted.

Personal information is defined as either an individual’s Social Security number, or an individual’s first and last names (or first initial and last name) in combination with one or more of the following data elements: driver’s license number; state identification card number; credit card number; or a financial account number or debit card number in combination with a security code, password, or access code that would permit access to the account.

Consumer reporting agencies must be notified if the breach affects more than 1,000 Indiana residents. Breaches must also be reported to the state attorney general. The failure to comply with the data breach notification requirements could see civil monetary penalties of up to $150,000 imposed by the state attorney general and reasonable attorney general costs to cover investigating and maintaining the action.

Entities exempt from the new law include those that maintain their own data security procedures as part of an information privacy policy, security policy, or compliance plan under:

  • The Gramm-Leach-Bliley Act
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The USA Patriot Act
  • Executive Order 13224
  • The Driver Privacy Protection Act
  • The Fair Credit Reporting Act


Class Action Lawsuits Filed Against Partnership Health Plan & Oregon Anesthesiology Group over Ransomware Attacks

Class action lawsuits have recently been filed against Partnership HealthPlan of California and Oregon Anesthesiology Group in response to ransomware attacks and the theft of sensitive patient/plan member data.

Partnership HealthPlan of California

Partnership HealthPlan of California (PHC) is a non-profit community-based healthcare organization that serves over 550,000 Medi-Cal beneficiaries in Northern California. In March 2022, PHC announced that it was working with third-party forensic specialists to restore the functionality of its systems following a cyberattack.

The Hive ransomware group claimed responsibility for the attack and allegedly exfiltrated 400GB of data prior to encrypting files. Those files are alleged to contain the sensitive data of 850,000 individuals, including names, dates of birth, addresses, and Social Security numbers. The ransomware gang claimed to have encrypted files on March 19, 2022, but removed the listing from its data leak site after a few days.

Last week, the law firms Whatley Kallas of San Diego and Janssen Malloy of Eureka filed a lawsuit against PHC on behalf of the anonymous plaintiff, John Doe, in the Superior Court of Humboldt County. The lawsuit alleges the healthcare organization was negligent for failing to implement and maintain appropriate cybersecurity measures to prevent ransomware attacks and data breaches. The lawsuit states that warnings had been issued to the healthcare sector about the threat of Hive ransomware attacks as early as June 2021.

The law firms are currently representing one plaintiff, but the action has been brought on behalf of others that have similarly been affected. Others are expected to join the lawsuit when breach notification letters are issued by PHC. As of April 29, 2022, notification letters had not been issued, although under HIPAA, covered entities such as PHC must issue notification letters within 60 days of the discovery of a data breach.

The lawsuit alleges violations of the Information Practices Act of 1977 and the Confidentiality of Medical Information Act, invasion of privacy, and unlawful and unfair business practices, and seeks a jury trial and an order from the court for declaratory, equitable and/or injunctive relief. Damages have not been claimed by the plaintiff at this stage.

Oregon Anesthesiology Group

Portland, OR-based Oregon Anesthesiology Group (OAG) is facing a class action lawsuit over a cyberattack and data breach that affected hundreds of thousands of patients. In July 2021, OAG suffered a ransomware attack in which the protected health information of around 750,000 patients and 522 employees was compromised. Access to the network was gained on July 3, the breach was detected on July 11, and the attack was contained on July 15, 2021.

The FBI notified OAG in October 2021 that an account containing patient and employee files had been seized from the Ukrainian ransomware group, HelloKitty, and that the ransomware gang most likely exploited a vulnerability in its firewall to gain access to its systems. Notification letters were sent to affected individuals in December 2021.

OAG said the ransomware gang potentially obtained patient information such as names, addresses, date(s) of service, diagnosis and procedure codes with descriptions, medical record numbers, insurance provider names, and insurance ID numbers, and employee data including names, addresses, Social Security numbers and other details from W-2 forms. OAG has since upgraded its security systems, replaced its firewall, implemented multi-factor authentication, and has offered affected individuals 12 months of free credit monitoring and identity theft restoration services, which include a $1 million identity theft insurance policy.

On April 7, 2022, a lawsuit was filed against OAG on behalf of plaintiff Parke Eldred in Multnomah County Circuit Court that seeks class action status. The lawsuit alleges OAG was negligent for failing to protect the sensitive data of at least 750,000 individuals and claims the delay of 5 months in issuing notification letters was in violation of Oregon laws, which require notification letters to be issued within 60 days of the discovery of the breach.

The plaintiff claims to have identified suspicious activity in his bank account and incurred between $700 and $800 of fraudulent charges on a single day. The lawsuit seeks class certification, damages, reimbursement of out-of-pocket expenses, injunctive relief, and for OAG to cover the cost of at least 3 years of credit monitoring services.
